ipa-replica-manage(1) FreeIPA Manual Pages ipa-replica-manage(1)



NAME
ipa-replica-manage - Manage an IPA replica

SYNOPSIS
ipa-replica-manage [OPTION]... [connect|disconnect|del|list|re-initialize|force-sync]

DESCRIPTION
Manages the replication agreements of an IPA server.
connect [SERVER_A] <SERVER_B>
- Adds a new replication agreement between SERVER_A/localhost and SERVER_B

disconnect [SERVER_A] <SERVER_B>
- Removes a replication agreement between SERVER_A/localhost and SERVER_B

del <SERVER>
- Removes all replication agreements and data about SERVER

list [SERVER]
- Lists all the servers, or the replication agreements of SERVER

re-initialize
- Forces a full re-initialization of the IPA server, retrieving data from the server specified with the --from option

force-sync
- Immediately flushes any data to be replicated from the server specified with the --from option

list-ruv
- Lists the replication IDs on this server.

clean-ruv [REPLICATION_ID]
- Runs the CLEANALLRUV task to remove a replication ID.

abort-clean-ruv [REPLICATION_ID]
- Aborts a running CLEANALLRUV task.

list-clean-ruv
- Lists all running CLEANALLRUV and abort CLEANALLRUV tasks.

The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.

The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.

If a replica is deleted and then re-added within a short time-frame, the 389-ds instance on the master that created it should be restarted before re-installing the replica. The master will have the old service principals cached, which will cause replication to fail.

Each IPA master server has a unique replication ID. This ID is used by 389-ds-base when storing information about replication status. The output of list-ruv consists of the masters and their respective replication IDs. See clean-ruv.

When a master is removed, all other masters need to remove its replication ID from their list of masters. Normally this occurs automatically when a master is deleted with ipa-replica-manage. If one or more masters were down or unreachable when ipa-replica-manage was executed, then this replica ID may still exist. The clean-ruv command may be used to clean up an unused replication ID.

NOTE: clean-ruv is VERY DANGEROUS. Execution against the wrong replication ID can result in inconsistent data on that master. The master should be re-initialized from another if this happens.

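Because clean-ruv is dangerous, the check below is worth running first. It is an added example, not part of this man page or of FreeIPA: it compares the output of list with the output of list-ruv and reports only the replication IDs whose host is no longer a master. The sample output is constructed; srv3.example.com stands in for a master that was deleted while this server was unreachable.

```python
import re

# Constructed output of `ipa-replica-manage list` on this server.
MASTERS_OUTPUT = """\
srv1.example.com
srv2.example.com
"""

# Constructed output of `ipa-replica-manage list-ruv`: srv3 was deleted
# while this server was unreachable, so its replication ID 9 lingers.
LIST_RUV_OUTPUT = """\
srv1.example.com:389: 7
srv2.example.com:389: 4
srv3.example.com:389: 9
"""

# One list-ruv line: host, port, replication ID.
RUV_LINE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+):\s*(?P<rid>\d+)$")

def parse_masters(text):
    """Set of master hostnames from `list` output."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def parse_list_ruv(text):
    """Map replication ID -> host from `list-ruv` output."""
    ruv = {}
    for line in text.splitlines():
        match = RUV_LINE.match(line.strip())
        if match:
            ruv[int(match.group("rid"))] = match.group("host")
    return ruv

def stale_replication_ids(masters_text, list_ruv_text):
    """Replication IDs whose host is no longer a master: the only clean-ruv candidates.

    An ID that still belongs to a current master is never returned, which is
    the mistake the man page warns about.
    """
    masters = parse_masters(masters_text)
    ruv = parse_list_ruv(list_ruv_text)
    return {rid: host for rid, host in ruv.items() if host not in masters}

def clean_ruv_plan(masters_text, list_ruv_text):
    """Commands to review before running, one per stale ID."""
    stale = stale_replication_ids(masters_text, list_ruv_text)
    return [f"ipa-replica-manage clean-ruv {rid}  # formerly {host}"
            for rid, host in sorted(stale.items())]
```
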
The replication topology is examined when a master is deleted, and ipa-replica-manage will attempt to prevent a master from being orphaned. For example, if your topology is A <-> B <-> C and you attempt to delete master B, it will fail because that would leave masters A and C orphaned.

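The orphan check described above, reimplemented as an added example (not FreeIPA's own code): the agreements that `ipa-replica-manage list SERVER` would report are loaded into a constructed table, and the surviving masters are grouped by whether they can still reach each other once the deleted one is gone. Host names and the table are constructed.

```python
from collections import deque

# Constructed sample, keyed the way `ipa-replica-manage list SERVER` reports
# agreements: master -> the peers that command prints for it.
TOPOLOGY = {
    "a.example.com": ["b.example.com"],
    "b.example.com": ["a.example.com", "c.example.com"],
    "c.example.com": ["b.example.com"],
}

def undirected(topology):
    """Treat every agreement as a two-way link, as connect/disconnect manage them."""
    adj = {}
    for master, peers in topology.items():
        adj.setdefault(master, set())
        for peer in peers:
            adj[master].add(peer)
            adj.setdefault(peer, set()).add(master)
    return adj

def components_after_delete(topology, victim):
    """Group the surviving masters by whether they can still reach each other.

    One group means deleting `victim` is safe. Several groups mean each is
    cut off from the others, the man page's A <-> B <-> C case: deleting B
    leaves A and C orphaned.
    """
    adj = undirected(topology)
    unseen = set(adj) - {victim}
    groups = []
    while unseen:
        start = min(unseen)
        seen, queue = {start}, deque([start])
        while queue:
            # breadth-first walk that never crosses the deleted master
            for peer in adj[queue.popleft()] - {victim}:
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        groups.append(sorted(seen))
        unseen -= seen
    return sorted(groups)

def delete_is_safe(topology, victim):
    """True when `del victim` leaves every remaining master reachable."""
    return len(components_after_delete(topology, victim)) <= 1
```
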
The list of masters is stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. This should be cleaned up automatically when a master is deleted. If you have deleted the master and all of its agreements but these entries still exist, then you will not be able to re-install IPA on it; the installation will fail with:

An IPA master host cannot be deleted or disabled using standard commands (host-del, for example).

An orphaned master may be cleaned up using the del directive with the --cleanup option. This will remove the entries from cn=masters,cn=ipa,cn=etc that otherwise prevent host-del from working, its DNA profile, s4u2proxy configuration and service principals, and remove it from the default DUA profile defaultServerList.

OPTIONS
-H HOST, --host=HOST
The IPA server to manage. The default is the machine on which the command is run. Not honoured by the re-initialize command.

-p DM_PASSWORD, --password=DM_PASSWORD
The Directory Manager password to use for authentication

-v, --verbose
Provide additional information

-f, --force
Ignore some types of errors, don't prompt when deleting a master

-c, --cleanup
When deleting a master with the --force flag, remove leftover references to an already deleted master.

--binddn=ADMIN_DN
Bind DN to use with the remote server (default is cn=Directory Manager) - Be careful to quote this value on the command line

--bindpw=ADMIN_PWD
Password for the Bind DN to use with the remote server (default is the DM_PASSWORD above)

--winsync
Specifies to create/use a Windows Sync Agreement

--cacert=/path/to/cacertfile
Full path and filename of the CA certificate to use with TLS/SSL to the remote server - this CA certificate will be installed in the directory server's certificate database

--win-subtree=cn=Users,dc=example,dc=com
DN of the Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> - this is typically what Windows AD uses as the default value) - Be careful to quote this value on the command line

--passsync=PASSSYNC_PWD
Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords. Required when using --winsync. This does not mean you have to use the PassSync service.

--from=SERVER
The server to pull the data from, used by the re-initialize and force-sync commands.

EXAMPLES
List all masters:
# ipa-replica-manage list
srv1.example.com
srv2.example.com
srv3.example.com
srv4.example.com

List a server's replication agreements:
# ipa-replica-manage list srv1.example.com
srv2.example.com
srv3.example.com

Re-initialize a replica:
# ipa-replica-manage re-initialize --from srv2.example.com

This will re-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica.

Add a new replication agreement:
# ipa-replica-manage connect srv2.example.com srv4.example.com

Remove an existing replication agreement:
# ipa-replica-manage disconnect srv1.example.com srv3.example.com

Completely remove a replica:
# ipa-replica-manage del srv4.example.com

Using connect/disconnect you can manage the replication topology.

List the replication IDs in use:
# ipa-replica-manage list-ruv
srv1.example.com:389: 7
srv2.example.com:389: 4

Remove references to an orphaned and deleted master:
# ipa-replica-manage del --force --cleanup master.example.com

WINDOWS SYNCHRONIZATION
Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement; there are just a couple of extra steps.

A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement, but setting a password for the user is required.

The following examples use the AD administrator account as the synchronization user. This is not mandatory, but the user must have read access to the subtree.


1. Transfer the base64-encoded Windows AD CA certificate to your IPA server

2. Remove any existing Kerberos credentials
# kdestroy

3. Add the winsync replication agreement
# ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that_will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw <ads_administrator_password> -v <adserver.fqdn>

You will be prompted to supply the Directory Manager's password.

Create a winsync replication agreement:

# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v windows.ad.example.com


Remove a winsync replication agreement:
# ipa-replica-manage disconnect windows.ad.example.com

PASSSYNC
PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD, so it is too late to reject it.

IPA maintains a list of DNs that are exempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config.

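An added example, not from this man page or FreeIPA, for auditing that exemption list: it parses a constructed ldapsearch-style LDIF dump of cn=ipa_pwd_extop,cn=plugins,cn=config and reports any passSyncManagersDNs value beyond the passsync system account the agreement created. The LDIF text, the base DN and the second, unexpected DN are constructed.

```python
import base64

# Constructed LDIF, as ldapsearch would print the entry the man page names.
# The second passSyncManagersDNs value is an unexpected addition to flag.
PWD_EXTOP_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=svc-backup,cn=sysaccounts,cn=etc,
 dc=example,dc=com
"""

# The only DN the winsync agreement is expected to have added (constructed base DN).
EXPECTED_EXEMPT = {"uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into attr -> [values], unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Simplified DN comparison: case-insensitive, whitespace around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def exempt_dns(ldif_text):
    """Every DN currently exempt from IPA password policy."""
    return parse_ldif_entry(ldif_text).get("passSyncManagersDNs", [])

def unexpected_exempt_dns(ldif_text, expected):
    """Exempt DNs that are not in the expected set, sorted for reporting."""
    wanted = {normalize_dn(d) for d in expected}
    return sorted(d for d in exempt_dns(ldif_text) if normalize_dn(d) not in wanted)
```
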
EXIT STATUS
0 if the command was successful

1 if an error occurred



FreeIPA Mar 14 2008 ipa-replica-manage(1)