
Lab: Implementing an Identity Management Topology

Scale out an Identity Management infrastructure by adding replica servers and assigning server roles.

Outcomes

  • Delete a replica server.

  • Manage replication agreements and server roles.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start topology-review

Instructions

  1. Delete the replica1 machine from the topology.

    1. Log in to the idm machine and authenticate to IdM as the admin user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Remove the replica1 machine from the topology. This command deletes the server entry and its replication agreements in the domain and ca suffixes; it does not touch the software on the replica1 machine itself, which the next step uninstalls.

      The operation takes a few minutes to complete.

      [student@idm ~]$ ipa server-del
      Server name: replica1.lab.example.com
      Removing replica1.lab.example.com from replication topology, please wait...
      ---------------------------------------------
      Deleted IPA server "replica1.lab.example.com"
      ---------------------------------------------
    3. Log in to the replica1 machine and uninstall the replica.

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$ ssh replica1
      [student@replica1 ~]$ sudo ipa-server-install --uninstall
      [sudo] password for student: student
      ...output omitted...
      This is a NON REVERSIBLE operation and will delete all data and configuration!
      It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
      
      Are you sure you want to continue with the uninstall procedure? [no]: yes
      
      ...output omitted...
      Client uninstall complete.
      The ipa-client-install command was successful
      The ipa-server-install command was successful
    4. Reboot the replica1 machine to ensure the processes are cleaned up after the uninstallation.

      [student@replica1 ~]$ sudo shutdown -r now
      Connection to replica1 closed by remote host.
      Connection to replica1 closed.
      [student@workstation ~]$
  2. Review the current domain configuration. Ensure that there are no replication agreements with the replica1 machine.

    1. Log in to the idm machine and authenticate to IdM as the admin user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Review the current domain configuration.

      Only the idm machine appears as a CA server.

      [student@idm ~]$ ipa config-show
      ...output omitted...
        IPA masters: idm.lab.example.com, replica2.lab.example.com
        IPA master capable of PKINIT: idm.lab.example.com, replica2.lab.example.com
        IPA CA servers: idm.lab.example.com
        IPA CA renewal master: idm.lab.example.com
        IPA DNS servers: idm.lab.example.com, replica2.lab.example.com
    3. Review the topology segments.

      [student@idm ~]$ ipa topologysegment-find domain
      -----------------
      1 segment matched
      -----------------
        Segment name: idm.lab.example.com-to-replica2.lab.example.com
        Left node: idm.lab.example.com
        Right node: replica2.lab.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 1
      ----------------------------
      [student@idm ~]$ ipa topologysegment-find ca
      ------------------
      0 segments matched
      ------------------
      ----------------------------
      Number of entries returned 0
      ----------------------------
  3. Install a replica on the replica1 machine. Do not install the DNS service on this new replica.

    1. Open a new terminal tab, log in to the replica1 machine, and become the root user.

      [student@workstation ~]$ ssh replica1
      [student@replica1 ~]$ sudo -i
      [sudo] password for student: student
      [root@replica1 ~]#
    2. Verify that the required package is installed and the required firewall services are enabled.

      [root@replica1 ~]# dnf install ipa-server
      Last metadata expiration check: 3:29:43 ago on Wed May 24 13:56:05 2023.
      Package ipa-server-4.10.0-6.el9.x86_64 is already installed.
      Dependencies resolved.
      Nothing to do.
      Complete!
      [root@replica1 ~]# firewall-cmd --list-all
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0
        sources:
        services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
        ports:
        protocols:
        forward: yes
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:
    3. Review the DNS configuration and ensure that you can resolve the idm machine.

      [root@replica1 ~]# nmcli con show System\ eth0 | grep ipv4.dns
      ipv4.dns:                               172.25.250.8
      [root@replica1 ~]# dig idm.lab.example.com
      ...output omitted...
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60771
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ...output omitted...
      ;; QUESTION SECTION:
      ;idm.lab.example.com.		IN	A
      
      ;; ANSWER SECTION:
      idm.lab.example.com.	1200	IN	A	172.25.250.8
      
      ;; Query time: 3 msec
      ;; SERVER: 172.25.250.8#53(172.25.250.8)
      ;; WHEN: Wed May 24 17:28:30 EDT 2023
      ;; MSG SIZE  rcvd: 92
    4. Install the replica. The --admin-password option avoids an interactive prompt, but it leaves the admin password in the shell history and, while the installer runs, in the process list; outside a lab, omit the option and type the password when the installer asks for it. Autodiscovery contacts whichever IdM server DNS returns, here replica2, and the new replica's initial replication agreement is created with that server.

      [root@replica1 ~]# ipa-replica-install --admin-password RedHat123^
      ...output omitted...
      
      Discovery was successful!
      Client hostname: replica1.lab.example.com
      Realm: LAB.EXAMPLE.COM
      DNS Domain: lab.example.com
      IPA Server: replica2.lab.example.com
      BaseDN: dc=lab,dc=example,dc=com
      
      ...output omitted...
      
      The ipa-replica-install command was successful
    5. On the first tab, verify the domain configuration. The replica1 machine must not have CA or DNS roles assigned.

      [student@idm ~]$ ipa config-show
      ...output omitted...
        IPA masters: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
        IPA master capable of PKINIT: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
        IPA CA servers: idm.lab.example.com
        IPA CA renewal master: idm.lab.example.com
        IPA DNS servers: idm.lab.example.com, replica2.lab.example.com
  4. Review the current replication agreements in the topology. Create any missing replication agreements to ensure that the topology is resilient.

    1. Review the replication agreements.

      Note

      The replication agreements in your environment might be different. Analyze the current topology and determine which server's loss would disconnect it. You can view the IdM web UI for a graphical representation of the topology.

      In the following example, the loss of the replica2 machine disconnects the topology because there are no segments between the idm and replica1 machines.

      [student@idm ~]$ ipa topologysegment-find domain
      ------------------
      2 segments matched
      ------------------
        Segment name: idm.lab.example.com-to-replica2.lab.example.com
        Left node: idm.lab.example.com
        Right node: replica2.lab.example.com
        Connectivity: both
      
        Segment name: replica1.lab.example.com-to-replica2.lab.example.com
        Left node: replica1.lab.example.com
        Right node: replica2.lab.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 2
      ----------------------------
    2. Create any missing replication agreements to ensure that the topology is resilient.

      [student@idm ~]$ ipa topologysegment-add domain \
        idm.lab.example.com-to-replica1.lab.example.com \
        --leftnode=idm.lab.example.com \
        --rightnode=replica1.lab.example.com
      ---------------------------------------------------------------
      Added segment "idm.lab.example.com-to-replica1.lab.example.com"
      ---------------------------------------------------------------
        Segment name: idm.lab.example.com-to-replica1.lab.example.com
        Left node: idm.lab.example.com
        Right node: replica1.lab.example.com
        Connectivity: both
    3. Review the new topology segment.

      [student@idm ~]$ ipa topologysegment-find domain
      ------------------
      3 segments matched
      ------------------
        Segment name: idm.lab.example.com-to-replica1.lab.example.com
        Left node: idm.lab.example.com
        Right node: replica1.lab.example.com
        Connectivity: both
      
        Segment name: idm.lab.example.com-to-replica2.lab.example.com
        Left node: idm.lab.example.com
        Right node: replica2.lab.example.com
        Connectivity: both
      
        Segment name: replica1.lab.example.com-to-replica2.lab.example.com
        Left node: replica1.lab.example.com
        Right node: replica2.lab.example.com
        Connectivity: both
      ----------------------------
      Number of entries returned 3
      ----------------------------
  5. Assign the DNS server role to the replica1 machine.

    1. On the second terminal tab, install the IdM DNS service. Set 172.25.250.8 as the DNS forwarder and search for missing reverse zones.

      [root@replica1 ~]# ipa-dns-install
      
      The log file for this installation can be found in /var/log/ipaserver-dns-install.log
      ==============================================================================
      This program will setup DNS for the IPA Server.
      
      ...output omitted...
      
      Do you want to configure DNS forwarders? [yes]: Enter
      Following DNS servers are configured in /etc/resolv.conf: 172.25.250.8
      Do you want to configure these servers as DNS forwarders? [yes]: Enter
      All detected DNS servers were added. You can enter additional addresses now:
      Enter an IP address for a DNS forwarder, or press Enter to skip: Enter
      DNS forwarders: 172.25.250.8
      Checking DNS forwarders, please wait ...
      Do you want to search for missing reverse zones? [yes]: Enter
      
      The following operations may take some minutes to complete.
      Please wait until the prompt is returned.
      
      ...output omitted...
      Setup complete
      ...output omitted...
    2. Authenticate to IdM as the admin user and review the domain configuration.

      Ensure that the replica1 machine has the DNS server role enabled.

      [root@replica1 ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@replica1 ~]# ipa config-show
      ...output omitted...
        IPA masters: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
        IPA master capable of PKINIT: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
        IPA CA servers: idm.lab.example.com
        IPA CA renewal master: idm.lab.example.com
        IPA DNS servers: idm.lab.example.com, replica1.lab.example.com, replica2.lab.example.com
    3. Exit the root shell, log out of the replica1 machine, and close the second tab.

      [root@replica1 ~]# exit
      logout
      [student@replica1 ~]$ logout
      Connection to replica1 closed.
    4. Log out from the idm machine.

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
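
Step 4 asks you to work out which server's loss would disconnect the topology and to add the missing segments by hand. The following Python script is an added example, not part of this lab or of the ipa tooling: it parses the plain-text output of ipa topologysegment-find (the format shown in step 4), builds an undirected graph of the servers, and reports the servers whose loss disconnects the topology, the servers with fewer than two agreements, and the ipa topologysegment-add commands that would close the gaps. The embedded SAMPLE_OUTPUT is constructed to match the two-segment state shown in step 4; the script name topo_check.py in the usage comment is an assumption.

```python
"""Find single points of failure in an IdM replication topology.

Added example, not part of the RH362 lab or of the ipa tooling. It parses
the plain-text output of `ipa topologysegment-find <suffix>` (format as in
the lab) into an undirected graph of servers and reports articulation points
(servers whose loss disconnects the topology), servers with fewer than two
agreements (Red Hat recommends two to four per server) and the
`ipa topologysegment-add` commands that would close the gaps.
SAMPLE_OUTPUT is constructed to match the lab's intermediate state.
"""
import re
import sys

SAMPLE_OUTPUT = """\
------------------
2 segments matched
------------------
  Segment name: idm.lab.example.com-to-replica2.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica2.lab.example.com
  Connectivity: both

  Segment name: replica1.lab.example.com-to-replica2.lab.example.com
  Left node: replica1.lab.example.com
  Right node: replica2.lab.example.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""
FIELD = re.compile(r"\s*(Segment name|Left node|Right node|Connectivity): (.+)")

def parse_segments(text):
    """Return [(left, right, connectivity), ...]; Connectivity ends each record."""
    segments, current = [], {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        current[key] = value
        if key == "Connectivity":
            segments.append((current["Left node"], current["Right node"], value))
            current = {}
    return segments

def build_graph(segments):
    """Adjacency sets; any segment counts as an edge for reachability."""
    graph = {}
    for left, right, _ in segments:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph

def components(graph, removed=None):
    """Connected components (sorted lists) with one server taken out."""
    seen, comps = set(), []
    for start in sorted(n for n in graph if n != removed):
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:
            node = stack.pop()
            comp.append(node)
            for nb in graph[node]:
                if nb != removed and nb not in seen:
                    seen.add(nb)
                    stack.append(nb)
        comps.append(sorted(comp))
    return comps

def single_points_of_failure(graph):
    """Servers whose loss splits the remaining servers into two or more islands."""
    return sorted(n for n in graph if len(components(graph, removed=n)) > 1)

def under_replicated(graph, minimum=2):
    return sorted(n for n, nbs in graph.items() if len(nbs) < minimum)

def suggested_segments(graph):
    """Greedy fix: for each articulation point, join two servers that would sit on
    different islands without it, until no single loss disconnects anything."""
    g = {n: set(nbs) for n, nbs in graph.items()}
    additions = []
    while (spof := single_points_of_failure(g)):
        first, second = components(g, removed=spof[0])[:2]
        left, right = first[0], second[0]
        g[left].add(right)
        g[right].add(left)
        additions.append((left, right))
    return additions

def segment_add_commands(suffix, additions):
    return [f"ipa topologysegment-add {suffix} {l}-to-{r} --leftnode={l} --rightnode={r}"
            for l, r in additions]

if __name__ == "__main__":
    # Usage: ipa topologysegment-find domain | python3 topo_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    segs = parse_segments(text)
    graph = build_graph(segs)
    print("single points of failure:", single_points_of_failure(graph))
    print("fewer than two agreements:", under_replicated(graph))
    for cmd in segment_add_commands("domain", suggested_segments(graph)):
        print(cmd)
```

On the sample the script names replica2 as the single point of failure and proposes exactly the idm-to-replica1 segment that step 4 adds. Pipe the live output in with ipa topologysegment-find domain | python3 topo_check.py, and repeat with the ca suffix for the CA topology. In this lab the ca suffix has no segments because idm is the only CA server, so the script has nothing to report there; a single CA server is a separate availability concern that this check does not cover.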

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade topology-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish topology-review

Revision: rh362-9.1-4c6fdb8