mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-29 10:21:18 -06:00
146 lines
6.2 KiB
Groff
146 lines
6.2 KiB
Groff
.\" A man page for ipa-replica-manage
|
|
.\" Copyright (C) 2008 Red Hat, Inc.
|
|
.\"
|
|
.\" This program is free software; you can redistribute it and/or modify
|
|
.\" it under the terms of the GNU General Public License as published by
|
|
.\" the Free Software Foundation, either version 3 of the License, or
|
|
.\" (at your option) any later version.
|
|
.\"
|
|
.\" This program is distributed in the hope that it will be useful, but
|
|
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
.\" General Public License for more details.
|
|
.\"
|
|
.\" You should have received a copy of the GNU General Public License
|
|
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
.\"
|
|
.\" Author: Rob Crittenden <rcritten@redhat.com>
|
|
.\"
|
|
.TH "ipa-replica-manage" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
|
|
.SH "NAME"
|
|
ipa\-replica\-manage \- Manage an IPA replica
|
|
.SH "SYNOPSIS"
|
|
ipa\-replica\-manage [\fIOPTION\fR]... [connect|disconnect|del|list|re\-initialize|force\-sync]
|
|
.SH "DESCRIPTION"
|
|
Manages the replication agreements of an IPA server.
|
|
.TP
|
|
\fBconnect\fR [SERVER_A] <SERVER_B>
|
|
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
|
|
.TP
|
|
\fBdisconnect\fR [SERVER_A] <SERVER_B>
|
|
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
|
|
.TP
|
|
\fBdel\fR <SERVER>
|
|
\- Removes all replication agreements and data about SERVER
|
|
.TP
|
|
\fBlist\fR [SERVER]
|
|
\- Lists all the servers or the list of agreements of SERVER
|
|
.TP
|
|
\fBre\-initialize\fR
|
|
\- Forces a full re\-initialization of the IPA server retrieving data from the server specified with the \-\-from option
|
|
.TP
|
|
\fBforce\-sync\fR
|
|
\- Immediately flush any data to be replicated from a server specified with the \-\-from option
|
|
.TP
|
|
The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
|
|
.TP
|
|
The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
|
|
.TP
|
|
If a replica is deleted and then re\-added within a short time\-frame then the 389\-ds instance on the master that created it should be restarted before re\-installing the replica. The master will have the old service principals cached which will cause replication to fail.
|
|
.SH "OPTIONS"
|
|
.TP
|
|
\fB\-H\fR \fIHOST\fR, \fB\-\-host\fR=\fIHOST\fR
|
|
The IPA server to manage.
|
|
The default is the machine on which the command is run
|
|
Not honoured by the re\-initialize command.
|
|
.TP
|
|
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
|
|
The Directory Manager password to use for authentication
|
|
.TP
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
Provide additional information
|
|
.TP
|
|
\fB\-f\fR, \fB\-\-force\fR
|
|
Ignore some types of errors
|
|
.TP
|
|
\fB\-\-binddn\fR=\fIADMIN_DN\fR
|
|
Bind DN to use with remote server (default is cn=Directory Manager) \- Be careful to quote this value on the command line
|
|
.TP
|
|
\fB\-\-bindpw\fR=\fIADMIN_PWD\fR
|
|
Password for Bind DN to use with remote server (default is the DM_PASSWORD above)
|
|
.TP
|
|
\fB\-\-winsync\fR
|
|
Specifies to create/use a Windows Sync Agreement
|
|
.TP
|
|
\fB\-\-cacert\fR=\fI/path/to/cacertfile\fR
|
|
Full path and filename of CA certificate to use with TLS/SSL to the remote server \- this CA certificate will be installed in the directory server's certificate database
|
|
.TP
|
|
\fB\-\-win\-subtree\fR=\fIcn=Users,dc=example,dc=com\fR
|
|
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> \- this is typically what Windows AD uses as the default value) \- Be careful to quote this value on the command line
|
|
.TP
|
|
\fB\-\-passsync\fR=\fIPASSSYNC_PWD\fR
|
|
Password for the Windows PassSync user. Required when using \-\-winsync. This does not mean you have to use the PassSync service.
|
|
.TP
|
|
\fB\-\-from\fR=\fISERVER\fR
|
|
The server to pull the data from, used by the re\-initialize and force\-sync commands.
|
|
.SH "EXAMPLES"
|
|
.TP
|
|
List all masters:
|
|
# ipa\-replica\-manage list
|
|
srv1.example.com
|
|
srv2.example.com
|
|
srv3.example.com
|
|
srv4.example.com
|
|
.TP
|
|
List a server's replication agreements.
|
|
# ipa\-replica\-manage list srv1.example.com
|
|
srv2.example.com
|
|
srv3.example.com
|
|
.TP
|
|
Re\-initialize a replica:
|
|
# ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
|
|
|
|
This will re\-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica
|
|
.TP
|
|
Add a new replication agreement:
|
|
# ipa replica\-manage connect srv2.example.com srv4.example.com
|
|
.TP
|
|
Remove an existing replication agreement:
|
|
# ipa replica\-manage disconnect srv1.example.com srv3.example.com
|
|
.TP
|
|
Completely remove a replica:
|
|
# ipa replica\-manage del srv4.example.com
|
|
.TP
|
|
Using connect/disconnect you can manage the replication topology.
|
|
.SH "WINSYNC"
|
|
Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.
|
|
|
|
A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.
|
|
|
|
The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read\-access to the subtree.
|
|
|
|
.TP
|
|
1. Transfer the base64\-encoded Windows AD CA Certficate to your IPA Server
|
|
.TP
|
|
2. Remove any existing kerberos credentials
|
|
# kdestroy
|
|
.TP
|
|
3) Add the winsync replication agreement
|
|
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> \-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" \-\-bindpw <ads_administrator_password> \-v <adserver.fqdn>
|
|
.TP
|
|
You will be prompted to supply the Directory Manager's password.
|
|
.TP
|
|
Create a winsync replication agreement:
|
|
|
|
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=MySecret
|
|
\-\-cacert=/root/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com"
|
|
\-\-bindpw MySecret \-v windows.ad.example.com
|
|
|
|
.TP
|
|
Remove a winsync replication agreement:
|
|
# ipa\-replica\-manage disconnect windows.ad.example.com
|
|
.SH "EXIT STATUS"
|
|
0 if the command was successful
|
|
|
|
1 if an error occurred
|