[Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.
David Kupka
dkupka at redhat.com
Fri Nov 27 06:57:06 UTC 2015
On 26/11/15 15:22, David Kupka wrote:
> On 26/11/15 15:13, David Kupka wrote:
>> On 26/11/15 15:01, David Kupka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5441
>>>
>>>
>> Replaced accidentally inserted tabs.
>>
>>
>>
> Fixed indentation I screwed up when replacing tabs :-/
>
>
>
Hello everyone!
I did not realize that not many people know how to verify this.
You need (at least) 2 servers, master and replica, and certificates for
them. The easiest way to get the certificates is to use Honza's almighty
script (attached).
Before you run it, edit the variables on the first few lines to match your
environment. When it is run, it creates a directory (nssdb in your `pwd` by
default) populated with various certificates.
Both certificates used (replica.p12 and server.p12) must be signed by
the same CA (located in the same ca* subdirectory).
To install a CA-less IPA server on the master:
[master] # ipa-server-install -r EXAMPLE.TEST \
    --http-cert-file /path/to/server.p12 --http-pin password \
    --dirsrv-cert-file /path/to/server.p12 --dirsrv-pin password
Since the domain level is set to 1, ipa-client must be installed first on
the future replica.
[replica] # ipa-client-install
Note: In case the client can't auto-discover the IPA server, you need to
provide the --domain and --server options.
After successful installation of ipa-client, you can promote it to master:
[replica] # ipa-replica-install \
    --http-cert-file /path/to/replica.p12 --http-pin password \
    --dirsrv-cert-file /path/to/replica.p12 --dirsrv-pin password
--
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: makepki.sh
Type: application/x-shellscript
Size: 4886 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151127/860f5e83/attachment.bin>
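
The requirement in the message above, that server.p12 and replica.p12 are signed by the same CA, can be checked before either installer is run. The script below is an added example, not part of the original post or of the attached makepki.sh; the CA certificate argument, the function names and the demo PKI built by make_demo_pki are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that PKCS#12 bundles were all issued by one CA.

# leaf_cert P12 PIN: print the end-entity certificate as PEM
leaf_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# signed_by CA_PEM P12 PIN: 0 if the leaf's signature verifies against CA_PEM
signed_by() {
    tmp=$(mktemp) || return 2
    rc=0
    { leaf_cert "$2" "$3" > "$tmp" &&
        openssl verify -CAfile "$1" "$tmp" >/dev/null 2>&1; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# same_ca CA_PEM PIN P12...: 0 only if every bundle verifies against CA_PEM
same_ca() {
    ca_pem=$1; pin=$2; shift 2
    for p12 in "$@"; do
        signed_by "$ca_pem" "$p12" "$pin" ||
            { echo "FAIL: $p12 cannot be verified against $ca_pem" >&2; return 1; }
    done
}

# make_demo_pki DIR: constructed test material (hypothetical layout): server
# and replica under ca1, "rogue" under ca2, every bundle with PIN "password"
make_demo_pki() {
    d=$1
    for ca in ca1 ca2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    done
    for pair in server:ca1 replica:ca1 rogue:ca2; do
        n=${pair%%:*}; ca=${pair##*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 1 -out "$d/$n.crt" 2>/dev/null
        openssl pkcs12 -export -passout pass:password -inkey "$d/$n.key" \
            -in "$d/$n.crt" -out "$d/$n.p12"
    done
}

# Script use: sh check.sh CA_PEM PIN server.p12 replica.p12
[ "$#" -eq 0 ] || same_ca "$@"
```

A PIN passed as `pass:` on the command line is visible in the process list; openssl also accepts `file:` and `env:` sources for `-passin`.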