RH362 - ch04s03

IdM replicas in the topology can perform different tasks depending on the assigned role. The assigned role of a replica determines the services that the server hosts. For example, a replica might have one or all the following roles:

Certificate Authority (CA) server
DNS server
Key Recovery Authority (KRA) server
Active Directory trust agent or trust controller

Some roles can be added at any time. If you are planning to assign the CA server or DNS server role to a replica, then make sure you configure the replica to support these services when you perform the installation. This configuration adds all the required DNS entries and establishes the topology with the desired server roles.

CA Server Role

The CA renewal server role manages the maintenance and renewal of IdM TLS certificates. The CA, CA subsystem, and KRA certificates play a crucial role in IdM deployment. IdM stores these certificates in the Network Security Services (NSS) and LDAP databases. IdM verifies that the certificates stored in these two locations match, and if they do not match, the IdM framework and IdM CA show authentication failures.

All replicas with the CA role run the certmonger service, which uses the dogtag-ipa-ca-renew-agent helper agent. This agent ensures that the replica is synced with the CA renewal server configuration and the latest system certificates stored in the ca_renewal LDAP entries.

The KRA Certificate System component stores key pairs that allow the recovery of lost certificates by generating the same certificates from the stored keys.

DNS Server Role

IdM uses the DNS server to perform dynamic service discovery. The client installation utility uses the information from the DNS server to configure the client machine automatically. Clients enrolled to an IdM domain use DNS information to find servers and services within the domain.

Active Directory Roles

The AD trust controller and AD trust agent roles are used when you integrate IdM with AD. Replicas with the AD trust controller role can perform identity lookups against AD domain controllers. AD-enrolled machines communicate with IdM trust controllers for Kerberos authentication requests. Active Directory clients only discover domain controllers that can respond to AD-specific protocol requests, such as IdM trust controllers.

Replicas with the AD trust agent role can only resolve identity lookups and cannot process Kerberos authentication requests.

IdM integration with AD is discussed in a later chapter.

Managing IdM Server Roles

You can view the list of supported server roles in the web UI by navigating to IPA Server → Topology → Server Roles.

Figure 4.4: Server roles

A role can have a status of absent or enabled.

Absent: No server in the topology is performing that particular role.
Enabled: One or more servers are performing that role in the topology.

You can also list the server role configuration in the topology by using the ipa config-show command:

[user@host ~]# ipa config-show
...output omitted...
  IPA masters: host.example.com
  IPA CA servers: host.example.com
  IPA NTP servers: host.example.com
  IPA CA renewal master: host.example.com
  IPA master capable of PKINIT: host.example.com
  Domain resolution order: example.com

To list the roles assigned to a specific server, use the ipa server-show command.

[root@host ~]# ipa server-show host.example.com
  Server name: host.example.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, DNS server, IPA master

To find all servers with a specific role enabled, use the --servrole option.

[user@host ~]# ipa server-find --servrole "DNS server"
---------------------
2 IPA servers matched
---------------------
  Server name: host.example.com
  Min domain level: 0
  Max domain level: 1

  Server name: server1.example.com
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 2
----------------------------

Adding Server Roles

In some scenarios, you might not install services such as DNS or CA on a new replica to reduce resource consumption. When a topology increases the number of clients, you might want to increase the number of servers that provide the required service. You can do so by assigning the role to a replica.

Adding a new role requires installing the associated service on the replica server. For example, to enable the DNS service on a replica, you must install the IdM DNS service by using the ipa-dns-install command:

[root@server ~]# ipa-dns-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the IPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)

NOTE: DNSSEC zone signing is not enabled by default


To accept the default shown in brackets, press the Enter key.

Do you want to configure DNS forwarders? [yes]: no
Do you want to search for missing reverse zones? [yes]: Enter

...output omitted...

Updating DNS system records
==============================================================================
Setup complete

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files


You must make sure these network ports are open:
TCP Ports:
  * 53: bind
UDP Ports:
  * 53: bind

You can use the ipa-kra-install and ipa-ca-install commands to install the Key Recovery Authority and the Certificate Authority services, respectively.

Removing Server Roles

To remove a server role you must delete the replica from the topology.

Removing a replica from the topology is an irreversible action. The only way to introduce a deleted replica back into the topology is to install a new replica on that server.

Before you remove a replica from the topology, ensure that the roles assigned to the replica are assigned to other servers.

To remove a replica from the topology, use the ipa server-del command. Then, uninstall the replica with the ipa-server-install --uninstall command:

[user@host ~]# ipa server-del
Server name: server1.example.com
Removing server1.example.com from replication topology, please wait...
----------------------------------------------------------
Deleted IPA server "server1.example.com"
----------------------------------------------------------
[root@server1 ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes

Updating DNS system records
---------------------------------------------
Deleted IPA server "server1.example.com"
---------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring named
...output omitted...
Client uninstall complete.
The ipa-client-install command was successful

You can use the ipa-replica-manage clean-ruv command to remove remaining replica update vectors from the LDAP entries. Provide the replica update vector's ID as an argument.

[user@host ~]# ipa-replica-manage list-ruv
Directory Manager password: password

Replica Update Vectors:
        host.example.com:389: 4
        server1.example.com:389: 9
        server2.example.com:389: 10
Certificate Server Replica Update Vectors:
        host.example.com:389: 6
[user@host ~]# ipa-replica-manage clean-ruv 9
Directory Manager password: password

Clean the Replication Update Vector for server1.example.com:389

Cleaning the wrong replica ID will cause that server to no
longer replicate so it may miss updates while the process
is running. It would need to be re-initialize to maintain
consistency. Be very careful.
Continue to clean? [no]: yes
Background task created to clean replication data. This may take a while.
Cleanup task created

References

Further information is available in the chapter on Managing role-based access controls in IdM using the CLI in the Managing IdM users, groups, hosts, and access control rules at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#managing-role-based-access-controls-in-idm-using-the-cli_managing-users-groups-hosts

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8