- You will need at least 2 machines to do replication testing but if you have more that is good too. Start on one server and perform an IPA Installation (see QA:Testcase_freeipa_trust_server_installation). Let's assume that first server was named srv1 (srv1.ipa.example.org), and we will deploy a replica named srv2 (srv2.ipa.example.org).
How to test
- If the first server is acting as the DNS server for the domain, configure the replica system to use it as its DNS server for now
- Install the FreeIPA server package group:
dnf -y groupinstall freeipa-server
- Enrol the system as a replica, interactively:
- or with all options on the command line:
ipa-replica-install [--setup-dns] [--setup-ca] [--server srv1.ipa.example.org] -U --principal admin --admin-password password
- It's probably best to enable DNS if the first server had it enabled, and to enable CA support so that this server can operate independently of the first server if it goes down. should not be needed if the first server is acting as a DNS server.
- Verify entries created on srv1 are available on srv2:
ipa user-show admin
getent passwd admin
- Now try the reverse - add some entries on srv2 and they should show up on srv1:
ipa user-add --first=Glen --last=Jones gjones
ipa group-add --desc='Office assistants' assistants
- On srv1 run:
ipa user-show gjones
ipa group-show assistants
- To open all firewall ports typically required for FreeIPA using firewalld, run these commands:
for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done
systemctl restart firewalld.service
- If you have extra test systems available, you can now test installing clients via the realm CLI, kickstart and/or cockpit. Test enrolling clients against both servers, and verify they work as expected whether both servers are up or either one is down. You may also go on to test more advanced replication features in QA:Testcase freeipa replication advanced.
- The enrolment should complete successfully with no errors.
- The test commands should show expected output indicating the users and groups are present.
- Client tests should succeed (according to their own expected results) as long as either server is available (assuming appropriate DNS configuration).