Replication Topology
Manage replication topology and agreements between IPA servers. Topology management defines data replication paths for domain and CA data. Features include replication agreement creation and deletion, topology segment management, suffix specification (domain, ca), direction control (both, left-right, right-left), and replication reinitalization for maintaining consistent multi-master replication infrastructure.
Management of a replication topology at domain level 1.
IPA server’s data is stored in LDAP server in two suffixes:
- domain suffix, e.g., ‘dc=example,dc=com’, contains all domain related data
- ca suffix, ‘o=ipaca’, is present only on server with CA installed. It contains data for Certificate Server component
Data stored on IPA servers is replicated to other IPA servers. The way it is replicated is defined by replication agreements. Replication agreements needs to be set for both suffixes separately. On domain level 0 they are managed using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1 they are managed centrally using [ipa topology*]{.title-ref} commands.
Agreements are represented by topology segments. By default topology segment represents 2 replication agreements - one for each direction, e.g., A to B and B to A. Creation of unidirectional segments is not allowed.
To verify that no server is disconnected in the topology of the given suffix, use:
ipa
topologysuffix-verify$suffix
Examples:
Find all IPA servers:
ipa server-findFind all suffixes:
ipa topologysuffix-findAdd topology segment to ‘domain’ suffix:
ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_BAdd topology segment to ‘ca’ suffix:
ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_BList all topology segments in ‘domain’ suffix:
ipa topologysegment-find domainList all topology segments in ‘ca’ suffix:
ipa topologysegment-find caDelete topology segment in ‘domain’ suffix:
ipa topologysegment-del domain segment_nameDelete topology segment in ‘ca’ suffix:
ipa topologysegment-del ca segment_nameVerify topology of ‘domain’ suffix:
ipa topologysuffix-verify domainVerify topology of ‘ca’ suffix:
ipa topologysuffix-verify ca
Use Cases
1. Adding New Replica to Existing Topology
When deploying a new IPA server, create topology segments to integrate it into the replication mesh.
# After installing new replica ipa04.example.com
# Connect it to two existing servers for redundancy
# Add domain suffix replication
ipa topologysegment-add domain ipa01-to-ipa04 \
--leftnode=ipa01.example.com \
--rightnode=ipa04.example.com
ipa topologysegment-add domain ipa02-to-ipa04 \
--leftnode=ipa02.example.com \
--rightnode=ipa04.example.com
# If CA is installed, add CA suffix replication
ipa topologysegment-add ca ipa01-to-ipa04 \
--leftnode=ipa01.example.com \
--rightnode=ipa04.example.com
# Verify new server is connected
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca
2. Verifying Topology Health Before Maintenance
Before performing server maintenance or decommissioning, verify topology remains connected.
# Check current topology state
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca
# List all segments involving server to be maintained
ipa topologysegment-find domain --leftnode=ipa03.example.com
ipa topologysegment-find domain --rightnode=ipa03.example.com
# Verify remaining topology if server removed
# (manually check if other servers would still be connected)
# List all servers to see total count
ipa server-find --sizelimit=0
3. Creating Geographic Hub-Spoke Topology
Design topology with regional hub servers to minimize WAN replication traffic.
# Hub servers in each datacenter
# DC1: ipa01.example.com (hub)
# DC2: ipa04.example.com (hub)
# Spoke servers connect only to local hub
# Connect hubs (crosses WAN)
ipa topologysegment-add domain dc1-to-dc2 \
--leftnode=ipa01.example.com \
--rightnode=ipa04.example.com
# DC1 spokes connect to DC1 hub only
ipa topologysegment-add domain ipa01-to-ipa02 \
--leftnode=ipa01.example.com \
--rightnode=ipa02.example.com
ipa topologysegment-add domain ipa01-to-ipa03 \
--leftnode=ipa01.example.com \
--rightnode=ipa03.example.com
# DC2 spokes connect to DC2 hub only
ipa topologysegment-add domain ipa04-to-ipa05 \
--leftnode=ipa04.example.com \
--rightnode=ipa05.example.com
# Verify all servers connected
ipa topologysuffix-verify domain
4. Reinitializing Corrupted Replica
If a replica has replication errors or data inconsistency, perform full reinitialization.
# Check replication status first
ipa-replica-manage list-ruv
# Reinitialize ipa03 from ipa01 for domain suffix
# Find the segment name first
ipa topologysegment-find domain --leftnode=ipa01.example.com --rightnode=ipa03.example.com
# Reinitialize right node (ipa03) from left node (ipa01)
ipa topologysegment-reinitialize domain ipa01.example.com-to-ipa03.example.com --right
# Monitor replication status
watch -n 5 'ipa-replica-manage list-ruv'
# For CA suffix if needed
ipa topologysegment-find ca --leftnode=ipa01.example.com --rightnode=ipa03.example.com
ipa topologysegment-reinitialize ca ipa01.example.com-to-ipa03.example.com --right
5. Safely Removing Server from Topology
Before decommissioning a server, remove all its topology segments.
# List all segments involving server being removed
ipa topologysegment-find domain | grep ipa03.example.com
ipa topologysegment-find ca | grep ipa03.example.com
# Delete each segment (both domain and ca)
ipa topologysegment-del domain ipa01.example.com-to-ipa03.example.com
ipa topologysegment-del domain ipa02.example.com-to-ipa03.example.com
ipa topologysegment-del ca ipa01.example.com-to-ipa03.example.com
# Verify topology still connected without this server
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca
# Now safe to run server-del
ipa server-del ipa03.example.com
6. Creating Redundant Replication Paths
Add multiple replication paths for high availability and faster convergence.
# Create full mesh for critical 3-server deployment
# Each server replicates with every other server
# ipa01 <-> ipa02
ipa topologysegment-add domain ipa01-to-ipa02 \
--leftnode=ipa01.example.com \
--rightnode=ipa02.example.com
# ipa01 <-> ipa03
ipa topologysegment-add domain ipa01-to-ipa03 \
--leftnode=ipa01.example.com \
--rightnode=ipa03.example.com
# ipa02 <-> ipa03
ipa topologysegment-add domain ipa02-to-ipa03 \
--leftnode=ipa02.example.com \
--rightnode=ipa03.example.com
# Repeat for CA suffix
ipa topologysegment-add ca ipa01-to-ipa02 \
--leftnode=ipa01.example.com \
--rightnode=ipa02.example.com
ipa topologysegment-add ca ipa01-to-ipa03 \
--leftnode=ipa01.example.com \
--rightnode=ipa03.example.com
ipa topologysegment-add ca ipa02-to-ipa03 \
--leftnode=ipa02.example.com \
--rightnode=ipa03.example.com
7. Auditing Replication Topology Configuration
Review current topology design and document replication paths.
# Export complete topology configuration
echo "=== Domain Suffix Topology ===" > topology-report.txt
ipa topologysegment-find domain --all >> topology-report.txt
echo -e "\n=== CA Suffix Topology ===" >> topology-report.txt
ipa topologysegment-find ca --all >> topology-report.txt
# Verify both suffixes
echo -e "\n=== Domain Verification ===" >> topology-report.txt
ipa topologysuffix-verify domain >> topology-report.txt
echo -e "\n=== CA Verification ===" >> topology-report.txt
ipa topologysuffix-verify ca >> topology-report.txt
# List all IPA servers
echo -e "\n=== All IPA Servers ===" >> topology-report.txt
ipa server-find --sizelimit=0 >> topology-report.txt
cat topology-report.txt
8. Configuring Replication Timeout for Slow Links
Adjust replication timeout for geographically distributed servers with high latency.
# Default timeout may be too short for WAN links
# Increase timeout to 120 seconds for cross-datacenter segment
# Find the segment to modify
ipa topologysegment-find domain --leftnode=ipa01.example.com --rightnode=ipa04.example.com
# Modify timeout (in seconds)
ipa topologysegment-mod domain ipa01.example.com-to-ipa04.example.com \
--timeout=120
# Verify change
ipa topologysegment-show domain ipa01.example.com-to-ipa04.example.com --all
9. Managing CA Topology Separately
CA suffix topology can differ from domain suffix (not all servers need CA).
# Scenario: Only 2 of 4 servers have CA installed
# List servers with CA role
ipa server-role-find --role="CA server" --status=enabled
# Create CA topology only between CA servers
ipa topologysegment-add ca ca-ipa01-to-ca-ipa02 \
--leftnode=ipa01.example.com \
--rightnode=ipa02.example.com
# Verify CA topology (should only show CA servers)
ipa topologysuffix-verify ca
# Domain topology can include all servers
ipa topologysuffix-verify domain
10. Troubleshooting Disconnected Topology
Identify and fix topology disconnection issues.
# Verify topology - will report if disconnected
ipa topologysuffix-verify domain
# If disconnected, list all segments to find gaps
ipa topologysegment-find domain
# Check each server's segment count
for server in $(ipa server-find --pkey-only | grep "Server name:" | awk '{print $3}'); do
echo "=== $server ==="
ipa topologysegment-find domain --leftnode="$server" | grep "Segment name:"
ipa topologysegment-find domain --rightnode="$server" | grep "Segment name:"
done
# Add missing segment to reconnect isolated server
ipa topologysegment-add domain new-segment \
--leftnode=connected-server.example.com \
--rightnode=isolated-server.example.com
# Re-verify
ipa topologysuffix-verify domain
Security Considerations
1. Replication Agreement Exposure
Topology segments create bidirectional LDAP connections between servers. These connections carry sensitive directory data and must be protected.
- Replication traffic uses TLS encryption but servers authenticate with machine credentials
- Compromise of any IPA server exposes the entire replicated dataset to attacker
- Segments crossing untrusted networks should use additional network security (VPN, dedicated circuits)
- Segment creation requires administrative privileges; audit topology changes
2. Topology Manipulation Attacks
Attackers with topology management permissions could disrupt replication or create unauthorized segments.
- Deleting critical segments can isolate servers and prevent updates from propagating
- Creating unauthorized segments could replicate data to compromised servers
- Restrict topology management to highly trusted administrators
- Monitor topology changes with IdM audit logging
3. CA Data Replication Risks
CA suffix contains Certificate Authority private keys and certificate data, requiring extra protection.
- CA topology should be more restricted than domain topology
- Only servers requiring CA functionality should participate in CA replication
- CA servers require additional hardening and monitoring
- Loss of CA data confidentiality compromises entire PKI infrastructure
4. Replication Initialization Security
Full reinitialization transfers complete suffix contents over the network.
- Reinitialization involves bulk data transfer that could be intercepted on untrusted networks
- Compromised server used as reinitialization source propagates corrupted data
- Only reinitialize from verified trusted servers
- Monitor network during reinitialization for anomalies
5. Topology Verification Bypass
Administrators might skip topology verification, creating single points of failure.
- Disconnected topology means changes don’t reach all servers
- Servers with excessive agreements (4+) suffer performance degradation
- Always verify topology after changes with
topologysuffix-verify - Automate topology health checks in monitoring systems
6. Server Decommissioning Residual Data
Improperly removed servers may leave orphaned replication metadata and credentials.
- Deleted servers that still have active segments create replication errors
- Orphaned RUVs (replication update vectors) accumulate over time
- Always remove all topology segments before running
server-del - Clean up replication metadata with
ipa-replica-manage clean-ruvif needed
7. Unencrypted Replication Data in Memory
Replication data passes through LDAP server memory in unencrypted form.
- Memory dumps or swap files may contain sensitive replicated data
- Server compromise provides access to all replicated directory contents
- Disable swap on IPA servers or use encrypted swap
- Harden server OS and restrict physical access
8. Excessive Replication Agreements
Too many topology segments per server degrades performance and creates attack surface.
- IPA recommends maximum 4 replication agreements per server per suffix
- Excessive agreements increase CPU load, network traffic, and replication lag
- Full mesh topology doesn’t scale beyond ~10 servers
- Use hub-spoke design for larger deployments
9. Replication Conflicts and Convergence
Simultaneous updates to same object on different servers create replication conflicts.
- Conflicts resolved automatically but may not match administrative intent
- Attacker could exploit conflict resolution to inject preferred values
- Minimize multi-master write scenarios where possible
- Monitor replication conflicts with
ipa-replica-manage list-ruv
10. Cross-Site Topology Security
WAN-spanning replication segments cross network boundaries with varying trust levels.
- Internet-facing replication requires careful firewall configuration
- Segments crossing untrusted networks should use VPN or dedicated circuits
- High-latency links may require timeout adjustments that affect failure detection
- Document network security requirements for each segment
11. Topology State Inconsistency
Topology metadata replicated through domain suffix; corruption creates inconsistent state.
- Inconsistent topology view across servers causes operational confusion
- Manual segment creation on one server may not propagate correctly if replication broken
- Always verify topology on multiple servers after changes
- Use
ipa-replica-managelow-level tools only as last resort with vendor support
12. Privilege Escalation via Topology Manipulation
Topology management permissions are highly privileged and must be tightly controlled.
- User with topology permissions can isolate servers to prevent policy updates
- Could replicate to compromised server to exfiltrate directory data
- Restrict “System: Modify Replication Topology” permission to minimal administrators
- Audit all topology command execution
Troubleshooting
1. Topology Verification Reports Disconnected Servers
Symptom: ipa topologysuffix-verify domain reports servers are not connected in replication graph.
Diagnosis:
# Check which servers are disconnected
ipa topologysuffix-verify domain
# List all segments to find missing connections
ipa topologysegment-find domain
# Check if disconnected server exists
ipa server-find
Resolution:
- Add topology segment connecting disconnected server to existing topology
- If server was decommissioned, remove it with
ipa server-del - Verify all servers have at least one segment
2. Cannot Create Topology Segment - Server Not Found
Symptom: ipa topologysegment-add fails with “server not found” error.
Diagnosis:
# Verify both servers exist in IPA
ipa server-show ipa01.example.com
ipa server-show ipa02.example.com
# Check exact hostname spelling
ipa server-find
Resolution:
- Use exact fully-qualified server names as shown in
ipa server-find - Server must be enrolled as IPA server, not just client
- Install replica with
ipa-replica-installbefore adding segments
3. Topology Verification Reports Too Many Agreements
Symptom: ipa topologysuffix-verify warns servers have more than recommended number of agreements (4).
Diagnosis:
# Count segments per server
for server in $(ipa server-find --pkey-only | grep "Server name:" | awk '{print $3}'); do
left=$(ipa topologysegment-find domain --leftnode="$server" --pkey-only | grep "Segment name:" | wc -l)
right=$(ipa topologysegment-find domain --rightnode="$server" --pkey-only | grep "Segment name:" | wc -l)
total=$((left + right))
echo "$server: $total agreements"
done
Resolution:
- Remove unnecessary segments to reduce to maximum 4 per server
- Redesign topology as hub-spoke instead of full mesh
- Retain segments providing redundant paths; remove redundant redundancy
4. Replication Initialization Fails
Symptom: ipa topologysegment-reinitialize command completes but replication still broken.
Diagnosis:
# Check LDAP replication status on both servers
ssh ipa01.example.com
ipa-replica-manage list
# Check for RUV inconsistencies
ipa-replica-manage list-ruv
# Review DS error logs
ssh ipa01.example.com
tail -100 /var/log/dirsrv/slapd-EXAMPLE-COM/errors
Resolution:
- Ensure both servers are running and network connected
- Check firewall permits LDAP (389/tcp, 636/tcp) between servers
- Try reinitialization in opposite direction
- If RUV corrupted, may require
ipa-replica-manage clean-ruv(contact support)
5. Cannot Delete Topology Segment
Symptom: ipa topologysegment-del fails with error that deletion would disconnect topology.
Diagnosis:
# Verify current topology
ipa topologysuffix-verify domain
# Check if this is the only segment for a server
ipa topologysegment-find domain --leftnode=affected-server.example.com
ipa topologysegment-find domain --rightnode=affected-server.example.com
Resolution:
- IPA prevents deletions that would disconnect servers
- Add alternate segment path before deleting this one
- If decommissioning server, remove server first with
ipa server-del - For override (dangerous), use
--continueflag
6. CA Topology Segment Creation Fails - CA Not Installed
Symptom: Cannot create CA suffix segment; error indicates server lacks CA.
Diagnosis:
# Check which servers have CA installed
ipa server-role-find --role="CA server"
# Verify CA running on target servers
ssh ipa01.example.com
systemctl status pki-tomcatd@pki-tomcat
Resolution:
- CA segments can only connect servers with CA role installed
- Install CA on server with
ipa-ca-installbefore creating CA segments - Review CA deployment design; not all servers need CA
7. Replication Lag Between Servers
Symptom: Changes made on one server take long time to appear on others.
Diagnosis:
# Check replication status and lag
ipa-replica-manage list --verbose
# Create test object and time replication
ipa user-add testuser99 --first=Test --last=User99
ssh ipa02.example.com
time until ipa user-show testuser99 2>/dev/null; do sleep 1; done
# Check network latency between servers
ping -c 10 ipa02.example.com
Resolution:
- High network latency increases replication delay; adjust timeout if needed
- Excessive replication agreements (4+) cause lag; reduce segment count
- Check LDAP server CPU and memory; performance issues delay replication
- Review DS access logs for slow operations
8. Segment Shows in Find but Not in Verify
Symptom: ipa topologysegment-find shows segment but topologysuffix-verify reports servers disconnected.
Diagnosis:
# Show segment details
ipa topologysegment-show domain segment-name --all
# Check actual LDAP replication agreements on servers
ssh ipa01.example.com
ipa-replica-manage list
ssh ipa02.example.com
ipa-replica-manage list
Resolution:
- Segment metadata exists but underlying LDAP agreements may be broken
- Delete and recreate segment
- Check both servers are running and network reachable
- Review DS error logs for replication failure messages
9. Cannot Modify Segment Timeout
Symptom: ipa topologysegment-mod --timeout fails or doesn’t take effect.
Diagnosis:
# Show current timeout value
ipa topologysegment-show domain segment-name --all | grep timeout
# Check if timeout value is valid (should be integer seconds)
ipa topologysegment-mod domain segment-name --timeout=120 --raw
Resolution:
- Timeout must be positive integer (seconds)
- Changes may require replication agreement restart to take effect
- Verify change with
--allflag to see raw LDAP attribute - Extremely high timeouts (>300s) may indicate network problem needing fixing instead
10. Topology Commands Require Both Suffix and Name
Symptom: Topology commands fail with “missing required argument” even when name provided.
Diagnosis:
# Note: topology commands require BOTH suffix and segment name
# Correct syntax:
ipa topologysegment-show domain segment-name
# Not:
ipa topologysegment-show segment-name
Resolution:
- First argument is always suffix name (
domainorca) - Second argument is segment identifier
- Use
ipa topologysuffix-findto list valid suffix names - Use
ipa topologysegment-find <suffix>to list segment names for that suffix
11. Domain Level 0 Topology Management Blocked
Symptom: Topology commands fail with message about domain level.
Diagnosis:
# Check domain level
ipa domainlevel-get
Resolution:
- Topology management commands require domain level 1
- Domain level 0 uses
ipa-replica-manageandipa-csreplica-managetools instead - Upgrade to domain level 1 with
ipa domainlevel-set 1(irreversible) - Ensure all servers are recent IPA version before upgrading domain level
12. Replication Conflicts After Topology Changes
Symptom: After adding segments or reinitializing, LDAP shows replication conflicts.
Diagnosis:
# Search for conflict entries
ldapsearch -x -D "cn=Directory Manager" -W \
-b "dc=example,dc=com" \
"(nsds5ReplConflict=*)"
# Check RUV status
ipa-replica-manage list-ruv
Resolution:
- Conflicts occur when same object modified simultaneously on multiple servers
- IPA automatically resolves most conflicts; review and delete conflict entries
- If widespread conflicts after reinitialization, indicates data inconsistency
- May require
ipa-replica-manage clean-ruvto reset replication metadata
13. Segment Name Auto-Generation Unclear
Symptom: Don’t know what name to use when creating segment.
Diagnosis:
# Show existing segment naming pattern
ipa topologysegment-find domain --pkey-only
Resolution:
- Segment names are arbitrary identifiers; use descriptive names
- Common pattern:
leftserver-to-rightserver(e.g.,ipa01.example.com-to-ipa02.example.com) - Names must be unique within suffix
- Segment name doesn’t affect functionality, only used for identification
14. Cannot See CA Topology - Permission Denied
Symptom: Domain admin can manage domain topology but not CA topology.
Diagnosis:
# Check user's privileges
ipa user-show admin --all | grep "memberof.*role"
# Check CA-specific permissions
ipa permission-find ca --raw
Resolution:
- CA topology management requires CA admin privileges
- Add user to “Certificate Manager Agents” or similar role
- Full admin users should have both domain and CA topology permissions
- Security team may restrict CA management to subset of admins
15. Server Shows in Topology But Not Responding
Symptom: Topology shows segment but cannot connect to server.
Diagnosis:
# Test server connectivity
ipa ping
ssh ipa02.example.com
systemctl status ipa
# Check if server entry exists but server decommissioned
ipa server-show ipa02.example.com
ping ipa02.example.com
Resolution:
- Server entry exists in LDAP but server may be offline or decommissioned
- Remove dead server: first delete its segments, then
ipa server-del - If server temporarily offline, replication will resume when back online
- Check DNS resolution for server hostname
Commands
topologysegment-add
Usage:
ipa [global-options] topologysegment-add TOPOLOGYSUFFIX NAME [options]
Add a new segment.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
NAME yes Arbitrary string identifying the segment
Options
| Option | Description |
|---|---|
--leftnode LEFTNODE | Left replication node - an IPA server |
--rightnode RIGHTNODE | Right replication node - an IPA server |
--stripattrs STRIPATTRS | A space separated list of attributes which are removed from replication updates. |
--replattrs REPLATTRS | Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof |
--replattrstotal REPLATTRSTOTAL | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout |
--timeout TIMEOUT | Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
topologysegment-del
Usage:
ipa [global-options] topologysegment-del TOPOLOGYSUFFIX NAME [options]
Delete a segment.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
NAME yes Arbitrary string identifying the segment
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
topologysegment-find
Usage:
ipa [global-options] topologysegment-find TOPOLOGYSUFFIX [CRITERIA] [options]
Search for topology segments.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Arbitrary string identifying the segment |
--leftnode LEFTNODE | Left replication node - an IPA server |
--rightnode RIGHTNODE | Right replication node - an IPA server |
--stripattrs STRIPATTRS | A space separated list of attributes which are removed from replication updates. |
--replattrs REPLATTRS | Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof |
--replattrstotal REPLATTRSTOTAL | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout |
--timeout TIMEOUT | Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
topologysegment-mod
Usage:
ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]
Modify a segment.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
NAME yes Arbitrary string identifying the segment
Options
| Option | Description |
|---|---|
--stripattrs STRIPATTRS | A space separated list of attributes which are removed from replication updates. |
--replattrs REPLATTRS | Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof |
--replattrstotal REPLATTRSTOTAL | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout |
--timeout TIMEOUT | Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
topologysegment-reinitialize
Usage:
ipa [global-options] topologysegment-reinitialize TOPOLOGYSUFFIX NAME [options]
Request a full re-initialization of the node retrieving data from the other node.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
NAME yes Arbitrary string identifying the segment
Options
| Option | Description |
|---|---|
--left | Initialize left node |
--right | Initialize right node |
--stop | Stop already started refresh of chosen node(s) |
topologysegment-show
Usage:
ipa [global-options] topologysegment-show TOPOLOGYSUFFIX NAME [options]
Display a segment.
Arguments
| Argument | Required | Description |
|---|---|---|
TOPOLOGYSUFFIX | yes | Suffix name |
NAME yes Arbitrary string identifying the segment
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
topologysuffix-find
Usage:
ipa [global-options] topologysuffix-find [CRITERIA] [options]
Search for topology suffixes.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Suffix name |
--suffix-dn SUFFIX-DN | Managed LDAP suffix DN |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
topologysuffix-show
Usage: ipa [global-options] topologysuffix-show NAME [options]
Show managed suffix.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Suffix name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
topologysuffix-verify
Usage: ipa [global-options] topologysuffix-verify NAME [options]
Verify replication topology for suffix.
Checks done:
- check if a topology is not disconnected. In other words if there are replication paths between all servers.
- check if servers don’t have more than the recommended number of replication agreements
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Suffix name |