From Fedora Project Wiki

(revise test case to match current freeipa, limit to first replica server (will move extended bits to separate test cases))
(fix some command templates)
Line 17: Line 17:
#: {{command|getent passwd admin}}
#: {{command|getent passwd admin}}
# Now try the reverse - add some entries on srv2 and they should show up on srv1:
# Now try the reverse - add some entries on srv2 and they should show up on srv1:
#: {{command|ipa user-add --first=Glen --last=Jones gjones}}
#: {{command|1=ipa user-add --first=Glen --last=Jones gjones}}
#: {{command|ipa group-add --desc='Office assistants' assistants}}
#: {{command|1=ipa group-add --desc='Office assistants' assistants}}
# On srv1 run:
# On srv1 run:
#: {{command|ipa user-show gjones}}
#: {{command|ipa user-show gjones}}
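Review bot: the edit summary "fix some command templates" gives no reason for the `1=` added on the `ipa user-add` and `ipa group-add` lines, so the next editor may not know when it is required. These two commands contain `=` (`--first=Glen`, `--desc='Office assistants'`), which MediaWiki would otherwise read as a named template parameter and render the command empty. The `getent` and `ipa user-show` lines have no `=` and are correctly left alone. Consider stating this in the summary or in a comment near the template calls, so any later command with an `--option=value` argument gets the same prefix.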

Revision as of 21:50, 3 August 2018

Description

Replication testing.

Setup

  1. You will need at least two machines for replication testing; more is fine. Start on one server and perform an IPA installation (see QA:Testcase_freeipa_trust_server_installation). Assume the first server is named srv1 (srv1.ipa.example.org) and the replica to be deployed is named srv2 (srv2.ipa.example.org).

How to test

  1. If the first server is acting as the DNS server for the domain, configure the replica system to use it as its DNS server for now.
  2. Install the FreeIPA server package group: dnf -y groupinstall freeipa-server
  3. Enrol the system as a replica, interactively:
    ipa-replica-install [--setup-dns]
    or with all options on the command line:
    ipa-replica-install [--setup-dns] [--setup-ca] -U --principal admin --admin-password password
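    It's probably best to enable DNS if the first server had it enabled, and to enable CA support so that this server can operate independently of the first server if it goes down. A password passed with --admin-password ends up in shell history and is visible in the process list while the command runs, so use a throwaway test password for the non-interactive form.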
  4. Verify entries created on srv1 are available on srv2:
    kinit admin
    ipa user-show admin
    id admin
    getent passwd admin
  5. Now try the reverse - add some entries on srv2 and they should show up on srv1:
    ipa user-add --first=Glen --last=Jones gjones
    ipa group-add --desc='Office assistants' assistants
  6. On srv1 run:
    ipa user-show gjones
    ipa group-show assistants
  7. To open all firewall ports typically required for FreeIPA using firewalld, run these commands:
    for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done
    systemctl restart firewalld.service
  8. If you have extra test systems available, you can now test installing clients via the realm CLI, kickstart and/or cockpit. Test enrolling clients against both servers, and verify they work as expected whether both servers are up or either one is down.
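
Replication is asynchronous, so the checks in steps 4 to 6 can fail if run immediately after the entry is created. The script below is an added example, not part of the original test case: it queries each server's LDAP directory directly and retries until the entry appears. It assumes the base DN is derived from the domain name, that entries live under cn=accounts, that `kinit admin` has been run for the GSSAPI bind, and that `ldapsearch` (openldap-clients) is installed; the function names and the IPA_DOMAIN and TIMEOUT variables are hypothetical.

```bash
#!/bin/sh
# Added example: wait for an entry to replicate to every listed server.
# Assumptions: suffix derived from the domain, valid Kerberos ticket.

# ipa.example.org -> dc=ipa,dc=example,dc=org
domain_to_basedn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# entry_on_server HOST BASEDN FILTER: succeed if HOST returns a matching entry.
# "1.1" asks for no attributes, so only the dn: line comes back.
entry_on_server() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$2" "$3" 1.1 2>/dev/null \
        | grep -q '^dn:'
}

# wait_replicated HOST BASEDN FILTER [TRIES]: retry once per second.
wait_replicated() {
    local tries=${4:-30}
    while [ "$tries" -gt 0 ]; do
        entry_on_server "$1" "$2" "$3" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# check_all FILTER HOST...: report per host; fail if any host lacks the entry.
check_all() {
    local filter=$1 base rc=0 host
    shift
    base="cn=accounts,$(domain_to_basedn "${IPA_DOMAIN:-ipa.example.org}")"
    for host in "$@"; do
        if wait_replicated "$host" "$base" "$filter" "${TIMEOUT:-30}"; then
            echo "OK   $host $filter"
        else
            echo "FAIL $host $filter"
            rc=1
        fi
    done
    return $rc
}

# Usage after step 5:
#   check_all '(uid=gjones)' srv1.ipa.example.org srv2.ipa.example.org
#   check_all '(&(cn=assistants)(objectClass=groupOfNames))' \
#       srv1.ipa.example.org srv2.ipa.example.org
```

A FAIL on only one server after the timeout points at the replication agreement rather than at the entry itself.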

Expected Results

  1. The enrolment should complete successfully with no errors.
  2. The test commands should show expected output indicating the users and groups are present.
  3. Client tests should succeed (according to their own expected results) as long as either server is available (assuming appropriate DNS configuration).