Fault tolerance, setting up FreeIPA replication on Centos 7

Replication is the process of copying data from one source to one or more others, and back again: a change made to one copy of an object is propagated to all other copies.

A series of articles on installing and configuring the FreeIPA server and client

  • Installing and configuring the FreeIPA server in Centos 7
  • Fault tolerance, setting up FreeIPA replication on Centos 7

Server preparation

As in the previous article, you need to:

  • configure synchronization with an NTP server
  • add the FreeIPA server entries to /etc/hosts
  • add the IP addresses of the FreeIPA servers to /etc/resolv.conf

The FreeIPA server name must be a fully qualified domain name (FQDN); set it:

$ sudo hostnamectl set-hostname srv-ipa-02.domain.local
$ sudo hostnamectl status
   Static hostname: srv-ipa-02.domain.local
...

Install the necessary software:

$ sudo yum install bind-utils ipa-client ipa-server-dns

Replication setup

First enrol the new server as a FreeIPA client, pointing it at both the existing server and itself:

$ sudo ipa-client-install \
 --mkhomedir --domain="domain.local" \
 --server="srv-ipa-01.domain.local" \
 --server="srv-ipa-02.domain.local" \
 --realm="DOMAIN.LOCAL" \
 --principal="admin" \
 --password="%PASSWORD%" \
 --enable-dns-updates -U \
 --force-join \
 --force-ntpd

Now create the replica and install a CA instance on it:

$ sudo ipa-replica-install
Password for admin@DOMAIN.LOCAL:
$ sudo ipa-ca-install
Directory Manager (existing master) password:

If FreeIPA also acts as the DNS server, install the DNS component as well:

$ sudo ipa-dns-install
Do you want to configure DNS forwarders? [yes]: yes
Do you want to search for missing reverse zones? [yes]: yes

Configure the firewall and open the ports FreeIPA needs:

$ sudo firewall-cmd --permanent --zone=public --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
$ sudo firewall-cmd --permanent --zone=public --add-port=53/tcp
$ sudo firewall-cmd --permanent --zone=public --add-port=53/udp
$ sudo firewall-cmd --reload

Check

To confirm that the replica has been added, open the web interface of either the primary or the replica FreeIPA server (its IP address and domain name must be present in your hosts file) and go to IPA Servers – Topology – Topology Graph.
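The Topology Graph only shows that an agreement exists; it does not tell you whether the last replication update actually succeeded. The script below is an added example, not part of the original article: it parses the verbose output of `ipa-replica-manage list -v <server>` (the "last update status: Error (N) ..." line per peer, an assumption about the tool's output format) and flags every agreement whose last update did not end with error code 0. The sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): CLI health check of FreeIPA replication
# agreements, complementing the Topology Graph in the web UI.
#
# check_replication_status REPORT
#   REPORT is the text printed by: ipa-replica-manage list -v <server>
#   Prints one OK/FAIL line per peer; returns 0 only if every agreement's
#   "last update status" reports error code 0 (assumed output format).
check_replication_status() {
    report="$1"
    rc=0
    peer=""
    while IFS= read -r line; do
        case "$line" in
            *": replica"|*": master")
                # Peer header line, e.g. "srv-ipa-02.domain.local: replica"
                peer="${line%%:*}" ;;
            *"last update status:"*)
                status="${line#*last update status: }"
                # A healthy agreement reports "Error (0) ..."; any other code
                # (e.g. "Error (49)" = bad credentials) means updates are failing.
                case "$status" in
                    "Error (0)"*) printf 'OK    %s: %s\n' "$peer" "$status" ;;
                    *)            printf 'FAIL  %s: %s\n' "$peer" "$status"; rc=1 ;;
                esac ;;
        esac
    done <<EOF
$report
EOF
    return $rc
}

# Constructed sample reports modelled on ipa-replica-manage's verbose output.
SAMPLE_HEALTHY='srv-ipa-02.domain.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2021-03-01 10:15:42+00:00'

SAMPLE_BROKEN='srv-ipa-02.domain.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 2021-03-01 10:15:42+00:00'

# On a live server you would pass the real output instead of the samples:
#   check_replication_status "$(sudo ipa-replica-manage list -v srv-ipa-01.domain.local)"
check_replication_status "$SAMPLE_HEALTHY"
check_replication_status "$SAMPLE_BROKEN" || echo "replication needs attention on at least one peer"
```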
