OnWorks favicon

ipa-replica-manage - Online in the Cloud

Run ipa-replica-manage in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command ipa-replica-manage that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator



ipa-replica-manage - Manage an IPA replica


ipa-replica-manage [OPTION]... [COMMAND]


Manages the replication agreements of an IPA server.

To manage IPA replication agreements in a domain at domain level 1, use IPA CLI or Web UI,
see `ipa help topology` for additional information.

The available commands are:

connect [SERVER_A] <SERVER_B>
- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. At
domain level 1 applicable only for winsync agreements.

disconnect [SERVER_A] <SERVER_B>
- Removes a replication agreement between SERVER_A/localhost and SERVER_B. At
domain level 1 applicable only for winsync agreements.

del <SERVER>
- Removes all replication agreements and data about SERVER. At domain level 1 it
removes data and agreements for both suffixes - domain and ca.

list [SERVER]
- Lists all the servers or the list of agreements of SERVER

- Forces a full re-initialization of the IPA server retrieving data from the server
specified with the --from option

- Immediately flush any data to be replicated from a server specified with the
--from option

- List the replication IDs on this server.

clean-ruv [REPLICATION_ID]
- Run the CLEANALLRUV task to remove a replication ID.

- Cleans all RUVs and CS-RUVs that are left in the system from uninstalled

abort-clean-ruv [REPLICATION_ID]
- Abort a running CLEANALLRUV task. With --force option the task does not wait for
all the replica servers to have been sent the abort task, or be online, before

- List all running CLEANALLRUV and abort CLEANALLRUV tasks.

dnarange-show [SERVER]
- List the DNA ranges

dnarange-set SERVER START-END
- Set the DNA range on a master

dnanextrange-show [SERVER]
- List the next DNA ranges

dnanextrange-set SERVER START-END
- Set the DNA next range on a master

The connect and disconnect options are used to manage the replication topology. When a
replica is created it is only connected with the master that created it. The connect
option may be used to connect it to other existing replicas.

The disconnect option cannot be used to remove the last link of a replica. To remove a
replica from the topology use the del option.

If a replica is deleted and then re-added within a short time-frame then the 389-ds
instance on the master that created it should be restarted before re-installing the
replica. The master will have the old service principals cached which will cause
replication to fail.

Each IPA master server has a unique replication ID. This ID is used by 389-ds-base when
storing information about replication status. The output consists of the masters and their
respective replication ID. See clean-ruv

When a master is removed, all other masters need to remove its replication ID from the
list of masters. Normally this occurs automatically when a master is deleted with
ipa-replica-manage. If one or more masters was down or unreachable when ipa-replica-manage
was executed then this replica ID may still exist. The clean-ruv command may be used to
clean up an unused replication ID.

NOTE: clean-ruv is VERY DANGEROUS. Execution against the wrong replication ID can result
in inconsistent data on that master. The master should be re-initialized from another if
this happens.

The replication topology is examined when a master is deleted and will attempt to prevent
a master from being orphaned. For example, if your topology is A <-> B <-> C and you
attempt to delete master B it will fail because that would leave masters and A and C

The list of masters is stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. This should
be cleaned up automatically when a master is deleted. If it occurs that you have deleted
the master and all the agreements but these entries still exist then you will not be able
to re-install IPA on it, the installation will fail with:

An IPA master host cannot be deleted or disabled using standard commands (host-del, for

An orphaned master may be cleaned up using the del directive with the --cleanup option.
This will remove the entries from cn=masters,cn=ipa,cn=etc that otherwise prevent host-del
from working, its dna profile, s4u2proxy configuration, service principals and remove it
from the default DUA profile defaultServerList.


-H HOST, --host=HOST
The IPA server to manage. The default is the machine on which the command is run
Not honoured by the re-initialize command.

The Directory Manager password to use for authentication

-v, --verbose
Provide additional information

-f, --force
Ignore some types of errors, don't prompt when deleting a master

-c, --no-lookup
Do not perform DNS lookup checks.

-c, --cleanup
When deleting a master with the --force flag, remove leftover references to an
already deleted master.

Bind DN to use with remote server (default is cn=Directory Manager) - Be careful to
quote this value on the command line

Password for Bind DN to use with remote server (default is the DM_PASSWORD above)

Specifies to create/use a Windows Sync Agreement

Full path and filename of CA certificate to use with TLS/SSL to the remote server -
this CA certificate will be installed in the directory server's certificate

DN of Windows subtree containing the users you want to sync (default
cn=Users,<domain suffix> - this is typically what Windows AD uses as the default
value) - Be careful to quote this value on the command line

Password for the IPA system user used by the Windows PassSync plugin to synchronize
passwords. Required when using --winsync. This does not mean you have to use the
PassSync service.

The server to pull the data from, used by the re-initialize and force-sync


IPA uses the 389-ds Distributed Numeric Assignment (DNA) Plugin to allocate POSIX ids for
users and groups. A range is created when IPA is installed and half the range is assigned
to the first IPA master for the purposes of allocation.

New IPA masters do not automatically get a DNA range assignment. A range assignment is
done only when a user or POSIX group is added on that master.

The DNA plugin also supports an "on-deck" or next range configuration. When the primary
range is exhaused, rather than going to another master to ask for more, it will use its
on-deck range if one is defined. Each master can have only one range and one on-deck range

When a master is removed an attempt is made to save its DNA range(s) onto another master
in its on-deck range. IPA will not attempt to extend or merge ranges. If there are no
available on-deck range slots then this is reported to the user. The range is effectively
lost unless it is manually merged into the range of another master.

The DNA range and on-deck (next) values can be managed using the dnarange-set and
dnanextrange-set commands. The rules for managing these ranges are:
- The range must be completely contained within a local range as defined by the ipa
idrange command.

- The range cannot overlap the DNA range or on-deck range on another IPA master.

- The range cannot overlap the ID range of an AD Trust.

- The primary DNA range cannot be removed.

- An on-deck range range can be removed by setting it to 0-0. The assumption is
that the range will be manually moved or merged elsewhere.

The range and next range of a specific master can be displayed by passing the FQDN of that
master to the dnarange-show or dnanextrange-show command.

Performing range changes as a delegated administrator (e.g. not using the Directory
Manager password) requires additional 389-ds ACIs. These are installed in upgraded masters
but not existing ones. The changs are made in cn=config which is not replicated. The
result is that DNA ranges cannot be managed on non-upgraded masters as a delegated


List all masters:
# ipa-replica-manage list

List a server's replication agreements.
# ipa-replica-manage list srv1.example.com

Re-initialize a replica:
# ipa-replica-manage re-initialize --from srv2.example.com

This will re-initialize the data on the server where you execute the command,
retrieving the data from the srv2.example.com replica

Add a new replication agreement:
# ipa-replica-manage connect srv2.example.com srv4.example.com

Remove an existing replication agreement:
# ipa-replica-manage disconnect srv1.example.com srv3.example.com

Completely remove a replica:
# ipa-replica-manage del srv4.example.com

Using connect/disconnect you can manage the replication topology.

List the replication IDs in use:
# ipa-replica-manage list-ruv
srv1.example.com:389: 7
srv2.example.com:389: 4

Remove references to an orphaned and deleted master:
# ipa-replica-manage del --force --cleanup master.example.com


Creating a Windows AD Synchronization agreement is similar to creating an IPA replication
agreement, there are just a couple of extra steps.

A special user entry is created for the PassSync service. The DN of this entry is
uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a
Windows synchronization agreement but setting a password for the user is required.

The following examples use the AD administrator account as the synchronization user. This
is not mandatory but the user must have read-access to the subtree.

1. Transfer the base64-encoded Windows AD CA Certificate to your IPA Server

2. Remove any existing kerberos credentials
# kdestroy

3. Add the winsync replication agreement
# ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that
will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer --binddn
"cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw
<ads_administrator_password> -v <adserver.fqdn>

You will be prompted to supply the Directory Manager's password.

Create a winsync replication agreement:

# ipa-replica-manage connect --winsync --passsync=MySecret
--cacert=/root/WIN-CA.cer --binddn
"cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v

Remove a winsync replication agreement:
# ipa-replica-manage disconnect windows.ad.example.com


PassSync is a Windows service that runs on AD Domain Controllers to intercept password
changes. It sends these password changes to the IPA LDAP server over TLS. These password
changes bypass normal IPA password policy settings and the password is not set to
immediately expire. This is because by the time IPA receives the password change it has
already been accepted by AD so it is too late to reject it.

IPA maintains a list of DNs that are exempt from password policy. A special user is added
automatically when a winsync replication agreement is created. The DN of this user is
added to the exemption list stored in passSyncManagersDNs in the entry


0 if the command was successful

1 if an error occurred

Use ipa-replica-manage online using onworks.net services

Free Servers & Workstations

Download Windows & Linux apps

  • 1
    Join us in Gitter!
    Enable the URPMS repository in your
    system -
    Download unitedrpms
  • 2
    Boost C++ Libraries
    Boost C++ Libraries
    Boost provides free portable
    peer-reviewed C++ libraries. The
    emphasis is on portable libraries which
    work well with the C++ Standard Library.
    See http://www.bo...
    Download Boost C++ Libraries
  • 3
    VirtualGL redirects 3D commands from a
    Unix/Linux OpenGL application onto a
    server-side GPU and converts the
    rendered 3D images into a video stream
    with which ...
    Download VirtualGL
  • 4
    Library to enable user space
    application programs to communicate with
    USB devices. Audience: Developers, End
    Users/Desktop. Programming Language: C.
    Download libusb
  • 5
    SWIG is a software development tool
    that connects programs written in C and
    C++ with a variety of high-level
    programming languages. SWIG is used with
    Download SWIG
  • 6
    WooCommerce Nextjs React Theme
    WooCommerce Nextjs React Theme
    React WooCommerce theme, built with
    Next JS, Webpack, Babel, Node, and
    Express, using GraphQL and Apollo
    Client. WooCommerce Store in React(
    contains: Products...
    Download WooCommerce Nextjs React Theme
  • 7
    Package repo for ArchLabs This is an
    application that can also be fetched
    It has been hosted in OnWorks in...
    Download archlabs_repo
  • More »

Linux commands

  • 1
    acdc - Test an application ACD file ...
    Run acdce
  • 2
    acdcheck Use acdcheckp online using
    onworks.net services. ...
    Run acdcheckp
  • 3
    sim4dbutils - utilities to work with
    sim4db-generated alignment files
    convertPolishes - convert between sim4db
    and GFF3 formats filterPolishes - filter
    Run convertToAtac
  • 4
    sim4dbutils - utilities to work with
    sim4db-generated alignment files
    convertPolishes - convert between sim4db
    and GFF3 formats filterPolishes - filter
    Run convertToExtent
  • 5
    gbacorr - Compute
    auto/cross-correlation coefficients ...
    Run gbacorr
  • 6
    gbak � Backup/restore Firebird database
    Run gbak
  • More »