Unit 7: Replica installation#


FreeIPA is designed to be run in a replicated multi-master environment. In this unit, we will install a replica of the existing master. For recommended production topologies, see https://www.freeipa.org/page/Deployment_Recommendations#Servers.2FReplicas.

If you have disabled the allow_all HBAC rule, add a new rule that will allow ``admin`` to access the ``sshd`` service on any host.

Client installation#

The first step of replica creation is to enrol the machine that will become the replica. SSH to the replica VM and enrol it per Unit 2: Enrolling client machines

Replica promotion#

Now promote the client to server. We will set up the replica without the CA or DNS role. In a production deployment there should be at least one instance of these services in each data centre. These roles can be configured later via ipa-ca-install(1) and ipa-dns-install(1).

[replica]$ sudo ipa-replica-install
Password for admin@IPADEMO.LOCAL:
ipaserver.install.server.replicainstall: ERROR    Reverse DNS resolution of address (server.ipademo.local) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi

The rest of the replica installation process is almost identical to server installation. One important difference is the initial replication of data to the new Directory Server instance:

[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

After ipa-replica-install finishes, the replica is operational. LDAP changes on any server will be replicated to all other servers.

You can proceed to Unit 8: Sudo rule management or return to the curriculum overview to see all the available topics.