1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
.\" A man page for ipa-replica-manage
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-manage" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-manage \- Manage an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-manage [\fIOPTION\fR]... [connect|disconnect|del|list|re\-initialize|force\-sync]
.SH "DESCRIPTION"
Manages the replication agreements of an IPA server.
.TP
\fBconnect\fR [SERVER_A] <SERVER_B>
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
.TP
\fBdisconnect\fR [SERVER_A] <SERVER_B>
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
.TP
\fBdel\fR <SERVER>
\- Removes all replication agreements and data about SERVER
.TP
\fBlist\fR [SERVER]
\- Lists all the servers or the list of agreements of SERVER
.TP
\fBre\-initialize\fR
\- Forces a full re\-initialization of the IPA server retrieving data from the server specified with the \-\-from option
.TP
\fBforce\-sync\fR
\- Immediately flush any data to be replicated from a server specified with the \-\-from option
.TP
The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
.TP
The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
.TP
If a replica is deleted and then re\-added within a short time\-frame then the 389\-ds instance on the master that created it should be restarted before re\-installing the replica. The master will have the old service principals cached which will cause replication to fail.
.SH "OPTIONS"
.TP
\fB\-H\fR \fIHOST\fR, \fB\-\-host\fR=\fIHOST\fR
The IPA server to manage.
The default is the machine on which the command is run
Not honoured by the re\-initialize command.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Provide additional information
.TP
\fB\-f\fR, \fB\-\-force\fR
Ignore some types of errors, don't prompt when deleting a master
.TP
\fB\-\-binddn\fR=\fIADMIN_DN\fR
Bind DN to use with remote server (default is cn=Directory Manager) \- Be careful to quote this value on the command line
.TP
\fB\-\-bindpw\fR=\fIADMIN_PWD\fR
Password for Bind DN to use with remote server (default is the DM_PASSWORD above)
.TP
\fB\-\-winsync\fR
Specifies to create/use a Windows Sync Agreement
.TP
\fB\-\-cacert\fR=\fI/path/to/cacertfile\fR
Full path and filename of CA certificate to use with TLS/SSL to the remote server \- this CA certificate will be installed in the directory server's certificate database
.TP
\fB\-\-win\-subtree\fR=\fIcn=Users,dc=example,dc=com\fR
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> \- this is typically what Windows AD uses as the default value) \- Be careful to quote this value on the command line
.TP
\fB\-\-passsync\fR=\fIPASSSYNC_PWD\fR
Password for the Windows PassSync user. Required when using \-\-winsync. This does not mean you have to use the PassSync service.
.TP
\fB\-\-from\fR=\fISERVER\fR
The server to pull the data from, used by the re\-initialize and force\-sync commands.
.SH "EXAMPLES"
.TP
List all masters:
# ipa\-replica\-manage list
srv1.example.com
srv2.example.com
srv3.example.com
srv4.example.com
.TP
List a server's replication agreements.
# ipa\-replica\-manage list srv1.example.com
srv2.example.com
srv3.example.com
.TP
Re\-initialize a replica:
# ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
This will re\-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica
.TP
Add a new replication agreement:
# ipa replica\-manage connect srv2.example.com srv4.example.com
.TP
Remove an existing replication agreement:
# ipa replica\-manage disconnect srv1.example.com srv3.example.com
.TP
Completely remove a replica:
# ipa replica\-manage del srv4.example.com
.TP
Using connect/disconnect you can manage the replication topology.
.SH "WINSYNC"
Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.
A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.
The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read\-access to the subtree.
.TP
1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
.TP
2. Remove any existing kerberos credentials
# kdestroy
.TP
3) Add the winsync replication agreement
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> \-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" \-\-bindpw <ads_administrator_password> \-v <adserver.fqdn>
.TP
You will be prompted to supply the Directory Manager's password.
.TP
Create a winsync replication agreement:
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=MySecret
\-\-cacert=/root/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com"
\-\-bindpw MySecret \-v windows.ad.example.com
.TP
Remove a winsync replication agreement:
# ipa\-replica\-manage disconnect windows.ad.example.com
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
|