infrastructure

Replication Topology

Manage replication topology and agreements between IPA servers. Topology management defines data replication paths for domain and CA data. Features include replication agreement creation and deletion, topology segment management, suffix specification (domain, ca), direction control (both, left-right, right-left), and replication reinitalization for maintaining consistent multi-master replication infrastructure.

9 commands
infrastructure

Management of a replication topology at domain level 1.

IPA server’s data is stored in LDAP server in two suffixes:

  • domain suffix, e.g., ‘dc=example,dc=com’, contains all domain related data
  • ca suffix, ‘o=ipaca’, is present only on server with CA installed. It contains data for Certificate Server component

Data stored on IPA servers is replicated to other IPA servers. The way it is replicated is defined by replication agreements. Replication agreements needs to be set for both suffixes separately. On domain level 0 they are managed using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1 they are managed centrally using [ipa topology*]{.title-ref} commands.

Agreements are represented by topology segments. By default topology segment represents 2 replication agreements - one for each direction, e.g., A to B and B to A. Creation of unidirectional segments is not allowed.

To verify that no server is disconnected in the topology of the given suffix, use:

ipa topologysuffix-verify $suffix

Examples:

Find all IPA servers:

ipa server-find

Find all suffixes:

ipa topologysuffix-find

Add topology segment to ‘domain’ suffix:

ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_B

Add topology segment to ‘ca’ suffix:

ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_B

List all topology segments in ‘domain’ suffix:

ipa topologysegment-find domain

List all topology segments in ‘ca’ suffix:

ipa topologysegment-find ca

Delete topology segment in ‘domain’ suffix:

ipa topologysegment-del domain segment_name

Delete topology segment in ‘ca’ suffix:

ipa topologysegment-del ca segment_name

Verify topology of ‘domain’ suffix:

ipa topologysuffix-verify domain

Verify topology of ‘ca’ suffix:

ipa topologysuffix-verify ca

Use Cases

1. Adding New Replica to Existing Topology

When deploying a new IPA server, create topology segments to integrate it into the replication mesh.

# After installing new replica ipa04.example.com
# Connect it to two existing servers for redundancy

# Add domain suffix replication
ipa topologysegment-add domain ipa01-to-ipa04 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa04.example.com

ipa topologysegment-add domain ipa02-to-ipa04 \
  --leftnode=ipa02.example.com \
  --rightnode=ipa04.example.com

# If CA is installed, add CA suffix replication
ipa topologysegment-add ca ipa01-to-ipa04 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa04.example.com

# Verify new server is connected
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca

2. Verifying Topology Health Before Maintenance

Before performing server maintenance or decommissioning, verify topology remains connected.

# Check current topology state
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca

# List all segments involving server to be maintained
ipa topologysegment-find domain --leftnode=ipa03.example.com
ipa topologysegment-find domain --rightnode=ipa03.example.com

# Verify remaining topology if server removed
# (manually check if other servers would still be connected)

# List all servers to see total count
ipa server-find --sizelimit=0

3. Creating Geographic Hub-Spoke Topology

Design topology with regional hub servers to minimize WAN replication traffic.

# Hub servers in each datacenter
# DC1: ipa01.example.com (hub)
# DC2: ipa04.example.com (hub)
# Spoke servers connect only to local hub

# Connect hubs (crosses WAN)
ipa topologysegment-add domain dc1-to-dc2 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa04.example.com

# DC1 spokes connect to DC1 hub only
ipa topologysegment-add domain ipa01-to-ipa02 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa02.example.com

ipa topologysegment-add domain ipa01-to-ipa03 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa03.example.com

# DC2 spokes connect to DC2 hub only
ipa topologysegment-add domain ipa04-to-ipa05 \
  --leftnode=ipa04.example.com \
  --rightnode=ipa05.example.com

# Verify all servers connected
ipa topologysuffix-verify domain

4. Reinitializing Corrupted Replica

If a replica has replication errors or data inconsistency, perform full reinitialization.

# Check replication status first
ipa-replica-manage list-ruv

# Reinitialize ipa03 from ipa01 for domain suffix
# Find the segment name first
ipa topologysegment-find domain --leftnode=ipa01.example.com --rightnode=ipa03.example.com

# Reinitialize right node (ipa03) from left node (ipa01)
ipa topologysegment-reinitialize domain ipa01.example.com-to-ipa03.example.com --right

# Monitor replication status
watch -n 5 'ipa-replica-manage list-ruv'

# For CA suffix if needed
ipa topologysegment-find ca --leftnode=ipa01.example.com --rightnode=ipa03.example.com
ipa topologysegment-reinitialize ca ipa01.example.com-to-ipa03.example.com --right

5. Safely Removing Server from Topology

Before decommissioning a server, remove all its topology segments.

# List all segments involving server being removed
ipa topologysegment-find domain | grep ipa03.example.com
ipa topologysegment-find ca | grep ipa03.example.com

# Delete each segment (both domain and ca)
ipa topologysegment-del domain ipa01.example.com-to-ipa03.example.com
ipa topologysegment-del domain ipa02.example.com-to-ipa03.example.com
ipa topologysegment-del ca ipa01.example.com-to-ipa03.example.com

# Verify topology still connected without this server
ipa topologysuffix-verify domain
ipa topologysuffix-verify ca

# Now safe to run server-del
ipa server-del ipa03.example.com

6. Creating Redundant Replication Paths

Add multiple replication paths for high availability and faster convergence.

# Create full mesh for critical 3-server deployment
# Each server replicates with every other server

# ipa01 <-> ipa02
ipa topologysegment-add domain ipa01-to-ipa02 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa02.example.com

# ipa01 <-> ipa03
ipa topologysegment-add domain ipa01-to-ipa03 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa03.example.com

# ipa02 <-> ipa03
ipa topologysegment-add domain ipa02-to-ipa03 \
  --leftnode=ipa02.example.com \
  --rightnode=ipa03.example.com

# Repeat for CA suffix
ipa topologysegment-add ca ipa01-to-ipa02 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa02.example.com

ipa topologysegment-add ca ipa01-to-ipa03 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa03.example.com

ipa topologysegment-add ca ipa02-to-ipa03 \
  --leftnode=ipa02.example.com \
  --rightnode=ipa03.example.com

7. Auditing Replication Topology Configuration

Review current topology design and document replication paths.

# Export complete topology configuration
echo "=== Domain Suffix Topology ===" > topology-report.txt
ipa topologysegment-find domain --all >> topology-report.txt

echo -e "\n=== CA Suffix Topology ===" >> topology-report.txt
ipa topologysegment-find ca --all >> topology-report.txt

# Verify both suffixes
echo -e "\n=== Domain Verification ===" >> topology-report.txt
ipa topologysuffix-verify domain >> topology-report.txt

echo -e "\n=== CA Verification ===" >> topology-report.txt
ipa topologysuffix-verify ca >> topology-report.txt

# List all IPA servers
echo -e "\n=== All IPA Servers ===" >> topology-report.txt
ipa server-find --sizelimit=0 >> topology-report.txt

cat topology-report.txt

Adjust replication timeout for geographically distributed servers with high latency.

# Default timeout may be too short for WAN links
# Increase timeout to 120 seconds for cross-datacenter segment

# Find the segment to modify
ipa topologysegment-find domain --leftnode=ipa01.example.com --rightnode=ipa04.example.com

# Modify timeout (in seconds)
ipa topologysegment-mod domain ipa01.example.com-to-ipa04.example.com \
  --timeout=120

# Verify change
ipa topologysegment-show domain ipa01.example.com-to-ipa04.example.com --all

9. Managing CA Topology Separately

CA suffix topology can differ from domain suffix (not all servers need CA).

# Scenario: Only 2 of 4 servers have CA installed
# List servers with CA role
ipa server-role-find --role="CA server" --status=enabled

# Create CA topology only between CA servers
ipa topologysegment-add ca ca-ipa01-to-ca-ipa02 \
  --leftnode=ipa01.example.com \
  --rightnode=ipa02.example.com

# Verify CA topology (should only show CA servers)
ipa topologysuffix-verify ca

# Domain topology can include all servers
ipa topologysuffix-verify domain

10. Troubleshooting Disconnected Topology

Identify and fix topology disconnection issues.

# Verify topology - will report if disconnected
ipa topologysuffix-verify domain

# If disconnected, list all segments to find gaps
ipa topologysegment-find domain

# Check each server's segment count
for server in $(ipa server-find --pkey-only | grep "Server name:" | awk '{print $3}'); do
  echo "=== $server ==="
  ipa topologysegment-find domain --leftnode="$server" | grep "Segment name:"
  ipa topologysegment-find domain --rightnode="$server" | grep "Segment name:"
done

# Add missing segment to reconnect isolated server
ipa topologysegment-add domain new-segment \
  --leftnode=connected-server.example.com \
  --rightnode=isolated-server.example.com

# Re-verify
ipa topologysuffix-verify domain

Security Considerations

1. Replication Agreement Exposure

Topology segments create bidirectional LDAP connections between servers. These connections carry sensitive directory data and must be protected.

  • Replication traffic uses TLS encryption but servers authenticate with machine credentials
  • Compromise of any IPA server exposes the entire replicated dataset to attacker
  • Segments crossing untrusted networks should use additional network security (VPN, dedicated circuits)
  • Segment creation requires administrative privileges; audit topology changes

2. Topology Manipulation Attacks

Attackers with topology management permissions could disrupt replication or create unauthorized segments.

  • Deleting critical segments can isolate servers and prevent updates from propagating
  • Creating unauthorized segments could replicate data to compromised servers
  • Restrict topology management to highly trusted administrators
  • Monitor topology changes with IdM audit logging

3. CA Data Replication Risks

CA suffix contains Certificate Authority private keys and certificate data, requiring extra protection.

  • CA topology should be more restricted than domain topology
  • Only servers requiring CA functionality should participate in CA replication
  • CA servers require additional hardening and monitoring
  • Loss of CA data confidentiality compromises entire PKI infrastructure

4. Replication Initialization Security

Full reinitialization transfers complete suffix contents over the network.

  • Reinitialization involves bulk data transfer that could be intercepted on untrusted networks
  • Compromised server used as reinitialization source propagates corrupted data
  • Only reinitialize from verified trusted servers
  • Monitor network during reinitialization for anomalies

5. Topology Verification Bypass

Administrators might skip topology verification, creating single points of failure.

  • Disconnected topology means changes don’t reach all servers
  • Servers with excessive agreements (4+) suffer performance degradation
  • Always verify topology after changes with topologysuffix-verify
  • Automate topology health checks in monitoring systems

6. Server Decommissioning Residual Data

Improperly removed servers may leave orphaned replication metadata and credentials.

  • Deleted servers that still have active segments create replication errors
  • Orphaned RUVs (replication update vectors) accumulate over time
  • Always remove all topology segments before running server-del
  • Clean up replication metadata with ipa-replica-manage clean-ruv if needed

7. Unencrypted Replication Data in Memory

Replication data passes through LDAP server memory in unencrypted form.

  • Memory dumps or swap files may contain sensitive replicated data
  • Server compromise provides access to all replicated directory contents
  • Disable swap on IPA servers or use encrypted swap
  • Harden server OS and restrict physical access

8. Excessive Replication Agreements

Too many topology segments per server degrades performance and creates attack surface.

  • IPA recommends maximum 4 replication agreements per server per suffix
  • Excessive agreements increase CPU load, network traffic, and replication lag
  • Full mesh topology doesn’t scale beyond ~10 servers
  • Use hub-spoke design for larger deployments

9. Replication Conflicts and Convergence

Simultaneous updates to same object on different servers create replication conflicts.

  • Conflicts resolved automatically but may not match administrative intent
  • Attacker could exploit conflict resolution to inject preferred values
  • Minimize multi-master write scenarios where possible
  • Monitor replication conflicts with ipa-replica-manage list-ruv

10. Cross-Site Topology Security

WAN-spanning replication segments cross network boundaries with varying trust levels.

  • Internet-facing replication requires careful firewall configuration
  • Segments crossing untrusted networks should use VPN or dedicated circuits
  • High-latency links may require timeout adjustments that affect failure detection
  • Document network security requirements for each segment

11. Topology State Inconsistency

Topology metadata replicated through domain suffix; corruption creates inconsistent state.

  • Inconsistent topology view across servers causes operational confusion
  • Manual segment creation on one server may not propagate correctly if replication broken
  • Always verify topology on multiple servers after changes
  • Use ipa-replica-manage low-level tools only as last resort with vendor support

12. Privilege Escalation via Topology Manipulation

Topology management permissions are highly privileged and must be tightly controlled.

  • User with topology permissions can isolate servers to prevent policy updates
  • Could replicate to compromised server to exfiltrate directory data
  • Restrict “System: Modify Replication Topology” permission to minimal administrators
  • Audit all topology command execution

Troubleshooting

1. Topology Verification Reports Disconnected Servers

Symptom: ipa topologysuffix-verify domain reports servers are not connected in replication graph.

Diagnosis:

# Check which servers are disconnected
ipa topologysuffix-verify domain

# List all segments to find missing connections
ipa topologysegment-find domain

# Check if disconnected server exists
ipa server-find

Resolution:

  • Add topology segment connecting disconnected server to existing topology
  • If server was decommissioned, remove it with ipa server-del
  • Verify all servers have at least one segment

2. Cannot Create Topology Segment - Server Not Found

Symptom: ipa topologysegment-add fails with “server not found” error.

Diagnosis:

# Verify both servers exist in IPA
ipa server-show ipa01.example.com
ipa server-show ipa02.example.com

# Check exact hostname spelling
ipa server-find

Resolution:

  • Use exact fully-qualified server names as shown in ipa server-find
  • Server must be enrolled as IPA server, not just client
  • Install replica with ipa-replica-install before adding segments

3. Topology Verification Reports Too Many Agreements

Symptom: ipa topologysuffix-verify warns servers have more than recommended number of agreements (4).

Diagnosis:

# Count segments per server
for server in $(ipa server-find --pkey-only | grep "Server name:" | awk '{print $3}'); do
  left=$(ipa topologysegment-find domain --leftnode="$server" --pkey-only | grep "Segment name:" | wc -l)
  right=$(ipa topologysegment-find domain --rightnode="$server" --pkey-only | grep "Segment name:" | wc -l)
  total=$((left + right))
  echo "$server: $total agreements"
done

Resolution:

  • Remove unnecessary segments to reduce to maximum 4 per server
  • Redesign topology as hub-spoke instead of full mesh
  • Retain segments providing redundant paths; remove redundant redundancy

4. Replication Initialization Fails

Symptom: ipa topologysegment-reinitialize command completes but replication still broken.

Diagnosis:

# Check LDAP replication status on both servers
ssh ipa01.example.com
ipa-replica-manage list

# Check for RUV inconsistencies
ipa-replica-manage list-ruv

# Review DS error logs
ssh ipa01.example.com
tail -100 /var/log/dirsrv/slapd-EXAMPLE-COM/errors

Resolution:

  • Ensure both servers are running and network connected
  • Check firewall permits LDAP (389/tcp, 636/tcp) between servers
  • Try reinitialization in opposite direction
  • If RUV corrupted, may require ipa-replica-manage clean-ruv (contact support)

5. Cannot Delete Topology Segment

Symptom: ipa topologysegment-del fails with error that deletion would disconnect topology.

Diagnosis:

# Verify current topology
ipa topologysuffix-verify domain

# Check if this is the only segment for a server
ipa topologysegment-find domain --leftnode=affected-server.example.com
ipa topologysegment-find domain --rightnode=affected-server.example.com

Resolution:

  • IPA prevents deletions that would disconnect servers
  • Add alternate segment path before deleting this one
  • If decommissioning server, remove server first with ipa server-del
  • For override (dangerous), use --continue flag

6. CA Topology Segment Creation Fails - CA Not Installed

Symptom: Cannot create CA suffix segment; error indicates server lacks CA.

Diagnosis:

# Check which servers have CA installed
ipa server-role-find --role="CA server"

# Verify CA running on target servers
ssh ipa01.example.com
systemctl status pki-tomcatd@pki-tomcat

Resolution:

  • CA segments can only connect servers with CA role installed
  • Install CA on server with ipa-ca-install before creating CA segments
  • Review CA deployment design; not all servers need CA

7. Replication Lag Between Servers

Symptom: Changes made on one server take long time to appear on others.

Diagnosis:

# Check replication status and lag
ipa-replica-manage list --verbose

# Create test object and time replication
ipa user-add testuser99 --first=Test --last=User99
ssh ipa02.example.com
time until ipa user-show testuser99 2>/dev/null; do sleep 1; done

# Check network latency between servers
ping -c 10 ipa02.example.com

Resolution:

  • High network latency increases replication delay; adjust timeout if needed
  • Excessive replication agreements (4+) cause lag; reduce segment count
  • Check LDAP server CPU and memory; performance issues delay replication
  • Review DS access logs for slow operations

8. Segment Shows in Find but Not in Verify

Symptom: ipa topologysegment-find shows segment but topologysuffix-verify reports servers disconnected.

Diagnosis:

# Show segment details
ipa topologysegment-show domain segment-name --all

# Check actual LDAP replication agreements on servers
ssh ipa01.example.com
ipa-replica-manage list

ssh ipa02.example.com
ipa-replica-manage list

Resolution:

  • Segment metadata exists but underlying LDAP agreements may be broken
  • Delete and recreate segment
  • Check both servers are running and network reachable
  • Review DS error logs for replication failure messages

9. Cannot Modify Segment Timeout

Symptom: ipa topologysegment-mod --timeout fails or doesn’t take effect.

Diagnosis:

# Show current timeout value
ipa topologysegment-show domain segment-name --all | grep timeout

# Check if timeout value is valid (should be integer seconds)
ipa topologysegment-mod domain segment-name --timeout=120 --raw

Resolution:

  • Timeout must be positive integer (seconds)
  • Changes may require replication agreement restart to take effect
  • Verify change with --all flag to see raw LDAP attribute
  • Extremely high timeouts (>300s) may indicate network problem needing fixing instead

10. Topology Commands Require Both Suffix and Name

Symptom: Topology commands fail with “missing required argument” even when name provided.

Diagnosis:

# Note: topology commands require BOTH suffix and segment name
# Correct syntax:
ipa topologysegment-show domain segment-name
# Not:
ipa topologysegment-show segment-name

Resolution:

  • First argument is always suffix name (domain or ca)
  • Second argument is segment identifier
  • Use ipa topologysuffix-find to list valid suffix names
  • Use ipa topologysegment-find <suffix> to list segment names for that suffix

11. Domain Level 0 Topology Management Blocked

Symptom: Topology commands fail with message about domain level.

Diagnosis:

# Check domain level
ipa domainlevel-get

Resolution:

  • Topology management commands require domain level 1
  • Domain level 0 uses ipa-replica-manage and ipa-csreplica-manage tools instead
  • Upgrade to domain level 1 with ipa domainlevel-set 1 (irreversible)
  • Ensure all servers are recent IPA version before upgrading domain level

12. Replication Conflicts After Topology Changes

Symptom: After adding segments or reinitializing, LDAP shows replication conflicts.

Diagnosis:

# Search for conflict entries
ldapsearch -x -D "cn=Directory Manager" -W \
  -b "dc=example,dc=com" \
  "(nsds5ReplConflict=*)"

# Check RUV status
ipa-replica-manage list-ruv

Resolution:

  • Conflicts occur when same object modified simultaneously on multiple servers
  • IPA automatically resolves most conflicts; review and delete conflict entries
  • If widespread conflicts after reinitialization, indicates data inconsistency
  • May require ipa-replica-manage clean-ruv to reset replication metadata

13. Segment Name Auto-Generation Unclear

Symptom: Don’t know what name to use when creating segment.

Diagnosis:

# Show existing segment naming pattern
ipa topologysegment-find domain --pkey-only

Resolution:

  • Segment names are arbitrary identifiers; use descriptive names
  • Common pattern: leftserver-to-rightserver (e.g., ipa01.example.com-to-ipa02.example.com)
  • Names must be unique within suffix
  • Segment name doesn’t affect functionality, only used for identification

14. Cannot See CA Topology - Permission Denied

Symptom: Domain admin can manage domain topology but not CA topology.

Diagnosis:

# Check user's privileges
ipa user-show admin --all | grep "memberof.*role"

# Check CA-specific permissions
ipa permission-find ca --raw

Resolution:

  • CA topology management requires CA admin privileges
  • Add user to “Certificate Manager Agents” or similar role
  • Full admin users should have both domain and CA topology permissions
  • Security team may restrict CA management to subset of admins

15. Server Shows in Topology But Not Responding

Symptom: Topology shows segment but cannot connect to server.

Diagnosis:

# Test server connectivity
ipa ping
ssh ipa02.example.com
systemctl status ipa

# Check if server entry exists but server decommissioned
ipa server-show ipa02.example.com
ping ipa02.example.com

Resolution:

  • Server entry exists in LDAP but server may be offline or decommissioned
  • Remove dead server: first delete its segments, then ipa server-del
  • If server temporarily offline, replication will resume when back online
  • Check DNS resolution for server hostname

Commands

topologysegment-add

Usage: ipa [global-options] topologysegment-add TOPOLOGYSUFFIX NAME [options]

Add a new segment.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

NAME yes Arbitrary string identifying the segment

Options

OptionDescription
--leftnode LEFTNODELeft replication node - an IPA server
--rightnode RIGHTNODERight replication node - an IPA server
--stripattrs STRIPATTRSA space separated list of attributes which are removed from replication updates.
--replattrs REPLATTRSAttributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
--replattrstotal REPLATTRSTOTALAttributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
--timeout TIMEOUTNumber of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

topologysegment-del

Usage: ipa [global-options] topologysegment-del TOPOLOGYSUFFIX NAME [options]

Delete a segment.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

NAME yes Arbitrary string identifying the segment

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

topologysegment-find

Usage: ipa [global-options] topologysegment-find TOPOLOGYSUFFIX [CRITERIA] [options]

Search for topology segments.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMEArbitrary string identifying the segment
--leftnode LEFTNODELeft replication node - an IPA server
--rightnode RIGHTNODERight replication node - an IPA server
--stripattrs STRIPATTRSA space separated list of attributes which are removed from replication updates.
--replattrs REPLATTRSAttributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
--replattrstotal REPLATTRSTOTALAttributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
--timeout TIMEOUTNumber of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

topologysegment-mod

Usage: ipa [global-options] topologysegment-mod TOPOLOGYSUFFIX NAME [options]

Modify a segment.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

NAME yes Arbitrary string identifying the segment

Options

OptionDescription
--stripattrs STRIPATTRSA space separated list of attributes which are removed from replication updates.
--replattrs REPLATTRSAttributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
--replattrstotal REPLATTRSTOTALAttributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
--timeout TIMEOUTNumber of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

topologysegment-reinitialize

Usage: ipa [global-options] topologysegment-reinitialize TOPOLOGYSUFFIX NAME [options]

Request a full re-initialization of the node retrieving data from the other node.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

NAME yes Arbitrary string identifying the segment

Options

OptionDescription
--leftInitialize left node
--rightInitialize right node
--stopStop already started refresh of chosen node(s)

topologysegment-show

Usage: ipa [global-options] topologysegment-show TOPOLOGYSUFFIX NAME [options]

Display a segment.

Arguments

ArgumentRequiredDescription
TOPOLOGYSUFFIXyesSuffix name

NAME yes Arbitrary string identifying the segment

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

topologysuffix-find

Usage: ipa [global-options] topologysuffix-find [CRITERIA] [options]

Search for topology suffixes.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMESuffix name
--suffix-dn SUFFIX-DNManaged LDAP suffix DN
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

topologysuffix-show

Usage: ipa [global-options] topologysuffix-show NAME [options]

Show managed suffix.

Arguments

ArgumentRequiredDescription
NAMEyesSuffix name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

topologysuffix-verify

Usage: ipa [global-options] topologysuffix-verify NAME [options]

Verify replication topology for suffix.

Checks done:

  1. check if a topology is not disconnected. In other words if there are replication paths between all servers.
  2. check if servers don’t have more than the recommended number of replication agreements

Arguments

ArgumentRequiredDescription
NAMEyesSuffix name

Related Topics