freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Firewall update to add `freeipa-replication` needed for replication to work #768

Open rx294 opened 2 years ago

rx294 commented 2 years ago

Firewall rules need to be updated to include the freeipa-replication service to get replication to work. If not, it runs into replication errors.

tested on Rocky8

Error logs on the Master side when the Replica tries to connect:

[08/Feb/2022:14:03:46.217730965 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa-replica2-do-nyc2.infra.quicknode.com" (ipa-replica2-do-nyc2:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[08/Feb/2022:14:03:46.343523462 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 1 seconds.
[08/Feb/2022:14:03:47.346284913 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 2 seconds.
[08/Feb/2022:14:03:49.350027137 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 3 seconds.
[08/Feb/2022:14:03:52.354660346 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 4 seconds.
[08/Feb/2022:14:03:56.360396490 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 5 seconds.

Resolution:

add freeipa-replication service here

https://github.com/freeipa/ansible-freeipa/blob/b598470c2bba5e7cb0792074792e1aa5ff67f6fa/roles/ipareplica/tasks/install.yml#L124
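A small log triage helper, added here as an example and not part of this issue or of the ansible-freeipa project: it parses 389-ds errors-log lines of the shape quoted above (the sample lines below are constructed from the report), keeps only NSMMReplicationPlugin events, and separates transport-level bind failures (LDAP error -1, the consumer could not be contacted at all) from the follow-on retry warnings, returning the consumer host:port the supplier was trying to reach so that is what gets checked for firewall reachability.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two line shapes from the 389-ds errors log quoted in
# the issue (timestamps and hostnames copied from the report, not live data).
SAMPLE_LOG = """\
[08/Feb/2022:14:03:46.217730965 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa-replica2-do-nyc2.infra.quicknode.com" (ipa-replica2-do-nyc2:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[08/Feb/2022:14:03:46.343523462 +0000] - WARN - NSMMReplicationPlugin - repl5_tot_run - Unable to acquire replica for total update, error: -1, retrying in 1 seconds.
"""

# "[timestamp] - LEVEL - plugin - function - message"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<level>\w+) - (?P<plugin>\w+) - (?P<func>\w+) - (?P<msg>.*)$'
)
# agmt="cn=..." (host:port) as written by the replication plugin
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')


@dataclass
class ReplEvent:
    ts: str
    level: str
    func: str
    agmt: Optional[str]
    host: Optional[str]
    port: Optional[int]
    msg: str


def parse_line(line: str) -> Optional[ReplEvent]:
    """Parse one errors-log line; None for non-matching or non-replication lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m["plugin"] != "NSMMReplicationPlugin":
        return None
    a = AGMT_RE.search(m["msg"])
    return ReplEvent(m["ts"], m["level"], m["func"],
                     a["agmt"] if a else None, a["host"] if a else None,
                     int(a["port"]) if a else None, m["msg"])


def bind_failures(text: str) -> List[ReplEvent]:
    """Events where the supplier could not open a connection to the consumer.
    LDAP error -1 means the TCP/LDAP transport failed (firewall, DNS, service
    down); it is not a Kerberos/GSSAPI authentication failure."""
    return [ev for ev in map(parse_line, text.splitlines())
            if ev and ev.func == "bind_and_check_pwp" and "LDAP error -1" in ev.msg]


def unreachable_consumers(text: str) -> List[Tuple[str, int]]:
    """Distinct (host, port) pairs whose reachability from the supplier should be verified."""
    return sorted({(e.host, e.port) for e in bind_failures(text)})
```

Run against the real file (/var/log/dirsrv/slapd-<INSTANCE>/errors, with the instance name as a placeholder) the output names the exact replica host and port to test from the master, rather than guessing at legacy ports.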

rjeffman commented 2 years ago

This is weird, as it seems the default 389-ds port (389) is not open, and no query would work.

The freeipa-replication port has been deprecated and has not been used for a long time.

Is there any chance that you set ipareplica_setup_firewalld: no?

If ipareplica_setup_firewalld is yes, then we explicitly add all basic ports for IPA (which include the required ports for replication):

https://github.com/freeipa/ansible-freeipa/blob/ad37bed37be0b428e5579eeda01c2761bd8ed2c1/roles/ipareplica/tasks/install.yml#L143-L144

I have a cluster setup with ansible-freeipa where replication works without any issue.

rx294 commented 2 years ago

@rjeffman That IS weird... yes, I have ipareplica_setup_firewalld set to yes... I verified all the firewalld services in the role are in fact being applied...

My replication issue was resolved by adding --add-service=freeipa-replication to the local copy of the role... without changing anything else...

I am working on Rocky/CentOS 8, if that applies.

rx294 commented 2 years ago

Wondering if this is relevant: "If there is an existing Dogtag Certificate System or Red Hat Certificate System instance on the replica machine, make sure that port 7389 is free. This port is used by the master FreeIPA server to communicate with the replica." https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html

I am installing on a standard Rocky instance on Digital Ocean.

rjeffman commented 2 years ago

This document is too old, as in "how it is still available". It is 18 versions old (around 10 years old).

Please use the documentation on https://freeipa.org or the RHEL documentation.

Unfortunately I don't have time to try to reproduce your issue in the next few days, and that's why all I could do is tell you about my experience setting up a cluster (both Fedora and CentOS) with ansible-freeipa.

abbra commented 2 years ago

@rx294 please do not use Fedora's documentation. You may notice that it is for Fedora version 17. It is not up to date and is obsolete, in general. We have no control over what is posted by the Fedora Project, and old documentation is not removed by the Fedora Project. Basically, ignore that documentation. Instead, the RHEL IdM documentation is what you need to follow. Please use https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8 and check the 'Identity Management' checkbox on the left side. This will filter for Identity Management through all RHEL documents.

If you want to know about firewall settings, you can look at:

Finally, if you want a whole view, look at my draft document at https://vda.li/drafts/firewall-considerations.txt

rx294 commented 2 years ago

@rjeffman @abbra thank you for the quick responses... I should have noted the age... I will investigate further... thank you.