Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 21. Installing an IdM replica

The following sections describe how to install an Identity Management (IdM) replica interactively, by using the command line (CLI). The replica installation process copies the configuration of the existing server and installs the replica based on that configuration.

Note

See Installing an Identity Management server using an Ansible playbook. Use Ansible roles to consistently install and customize multiple replicas.

Interactive and non-interactive methods that do not use Ansible are useful in topologies where, for example, the replica preparation is delegated to a user or a third party. You can also use these methods in geographically distributed topologies where you do not have access from the Ansible controller node.

21.1. Prerequisites
Copia collegamento

  • You are installing one IdM replica at a time. The installation of multiple replicas at the same time is not supported.

  • Ensure your system is prepared for IdM replica installation.

    Important

    If this preparation is not performed, installing an IdM replica will fail.

21.2. Installing an IdM replica with integrated DNS and a CA
Copia collegamento

Follow this procedure to install an Identity Management (IdM) replica:

  • With integrated DNS
  • With a certificate authority (CA)

You can do this to, for example, replicate the CA service for resiliency after installing an IdM server with an integrated CA.

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server

    • --forwarder to specify a per-server forwarder, or --no-forwarder if you do not want to use any per-server forwarders. To specify multiple per-server forwarders for failover reasons, use --forwarder multiple times.

      Note

      The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

    • --setup-ca to include a CA on the replica

    For example, to set up a replica with an integrated DNS server and a CA that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1: 

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1 --setup-ca
    Copy to Clipboard Toggle word wrap

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you install an IdM DNS server.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.3. Installing an IdM replica with integrated DNS and no CA
Copia collegamento

Follow this procedure to install an Identity Management (IdM) replica:

  • With integrated DNS
  • Without a certificate authority (CA) in an IdM environment in which a CA is already installed. The replica will forward all certificate operations to the IdM server with a CA installed.
Note

In contrast, when installing a replica with integrated DNS and without a CA in a CA-less IdM environment, you must specify certificate files using additional options, specifically:

  • --dirsrv-cert-file
  • --dirsrv-pin
  • --http-cert-file
  • --http-pin

You must also specify one of the following options:

  • --no-pkinit
  • --pkinit-cert-file and --pkinit-pin

For example: 

ipa-replica-install --setup-dns --forwarder 192.0.2.1 --dirsrv-cert-file /tmp/server.crt --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --no-pkinit
Copy to Clipboard Toggle word wrap

For details about the files, see Certificates required to install an IdM server without a CA.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server
    • --forwarder to specify a per-server forwarder, or --no-forwarder if you do not want to use any per-server forwarders. To specify multiple per-server forwarders for failover reasons, use --forwarder multiple times.

    For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1: 

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1
    Copy to Clipboard Toggle word wrap
    Note

    The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you install an IdM DNS server.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.4. Installing an IdM replica without integrated DNS and with a CA
Copia collegamento

Follow this procedure to install an Identity Management (IdM) replica:

  • Without integrated DNS
  • With a certificate authority (CA)
Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with the --setup-ca option. 

    # ipa-replica-install --setup-ca
    Copy to Clipboard Toggle word wrap

  2. Add the newly created IdM DNS service records to your DNS server:

    1. Export the IdM DNS service records into a file in the nsupdate format: 

      $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
      Copy to Clipboard Toggle word wrap
    2. Submit a DNS update request to your DNS server using the nsupdate utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.5. Installing an IdM replica without integrated DNS and without a CA
Copia collegamento

Follow this procedure to install an Identity Management (IdM) replica:

  • Without integrated DNS
  • Without a certificate authority (CA) by providing the required certificates manually. The assumption here is that the first server was installed without a CA.
Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

Prerequisites

Procedure

  • Enter ipa-replica-install, and provide the required certificate files by adding these options:

    • --dirsrv-cert-file
    • --dirsrv-pin
    • --http-cert-file
    • --http-pin

    Additionally, you must specify either --no-pkinit or both --pkinit-cert-file and --pkinit-pin.

    For details about the files that are provided using these options, see Certificates required to install an IdM server without a CA.

    For example: 

    # ipa-replica-install \
    --dirsrv-cert-file /tmp/server.crt \
    --dirsrv-cert-file /tmp/server.key \
    --dirsrv-pin secret \
    --http-cert-file /tmp/server.crt \
    --http-cert-file /tmp/server.key \
    --http-pin secret \
    --no-pkinit
    Copy to Clipboard Toggle word wrap
    Note

    Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the first server you installed.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.6. Installing an IdM hidden replica
Copia collegamento

A hidden (unadvertised) replica is an Identity Management (IdM) server that has all services running and available. However, it has no SRV records in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect these hidden replicas.

For further details about hidden replicas, see The hidden replica mode.

Prerequisites

Procedure

  • To install a hidden replica, use the following command: 

    ipa-replica-install --hidden-replica
    Copy to Clipboard Toggle word wrap

    Note that the command installs a replica without DNS SRV records and with disabled LDAP server roles.

    You can also change the mode of existing replica to hidden. For details, see Demoting or promoting hidden replicas

21.7. Testing an IdM replica
Copia collegamento

After creating a replica, check if the replica replicates data as expected. You can use the following procedure.

Procedure

  1. Create a user on the new replica: 

    [admin@new_replica ~]$ ipa user-add test_user
    Copy to Clipboard Toggle word wrap

  2. Make sure the user is visible on another replica: 

    [admin@another_replica ~]$ ipa user-show test_user
    Copy to Clipboard Toggle word wrap

21.8. Connections performed during an IdM replica installation
Copia collegamento

Requests performed during an IdM replica installation lists the operations performed by ipa-replica-install, the Identity Management (IdM) replica installation tool.

Expand
Table 21.1. Requests performed during an IdM replica installation
OperationProtocol usedPurpose

DNS resolution against the DNS resolvers configured on the client system

DNS

To discover the IP addresses of IdM servers

Requests to ports 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM servers

Kerberos

To obtain a Kerberos ticket

JSON-RPC calls to the IdM Apache-based web-service on the discovered or configured IdM servers

HTTPS

IdM client enrollment; replica keys retrieval and certificate issuance if required

Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both

LDAP

IdM client enrollment; CA certificate chain retrieval; LDAP data replication

Requests over TCP/TCP6 to port 22 on IdM server

SSH

To check if the connection is working

(optionally) Access over port 8443 (TCP/TCP6) on the IdM servers

HTTPS

To administer the Certificate Authority on the IdM server (only during IdM server and replica installation)

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat