Description

Advanced replication and topography testing, with three servers.

Setup

1. You will need at least 3 machines to do this testing but if you have more that is good too. Start on one server and perform an IPA Installation (see QA:Testcase_freeipa_trust_server_installation). Let's assume that first server was named srv1 (srv1.ipa.example.org). Now set up the second machine as a replica named srv2, according to QA:Testcase_freeipa_replication (ensuring you pass --setup-ca). In this test, we will deploy a second replica named srv3, and run some further tests related to server topography.

How to test

1. Following QA:Testcase_freeipa_replication again, deploy srv3 as a replica of srv2 - use --server srv2.ipa.example.org

   This will result in a replication topology of: srv1 <-> srv2 <-> srv3

   Entries added on any of the three servers should appear on both of the others

2. Test a replication failure, by shutting down srv2:

   ipactl stop

3. Now go on srv1 and create a new user:

   ipa user-add --first=John --last=Doe jdoe

4. Switch to srv3 and check that jdoe has not been replicated yet:

   ipa user-show jdoe

   Expect the result ipa: ERROR: jdoe: user not found

5. Go to srv2 and restart ipa:

   ipactl start

6. Verify that after a ipa is fully started on srv2 that the jdoe user is available:

   ipa user-show jdoe

7. Do the same on srv3 to verify that replication has been restored and all servers are now synchronized.
8. Check the reported list of all replicating servers in your domain with ipa-replica-manage list

   This should show srv1, srv2, and srv3

9. Check which is the replication peers of srv2: ipa-replica-manage list srv2.ipa.example.org

   This should show srv1 and srv3; for srv1 and srv3 you should get the only srv2.

10. Test creating a new replication link between srv1 and srv3. On srv1, run ipa-replica-manage connect srv3.ipa.example.org
11. Now repeat the 'replication failure' test from above, with a different username; this time, even with srv2 down, the new user should appear on srv3 immediately.
12. Test breaking the link between srv2 and srv3. On srv2, run ipa-replica-manage disconnect srv2.ipa.example.org srv3.ipa.example.org
13. Now run the 'replication failure' tests again, but taking down srv1, and making the changes on srv2. The changes should not be visible on srv3 until srv1 is up again.
14. Test forcing an immediate synchronization: from srv1, run ipa-replica-manage force-sync --from srv2.ipa.example.org
15. Test full re-initialization of a replica (sometimes necessary if compounded replication failures have occurred). From srv1, run ipa-replica-manage re-initialize --from srv2.ipa.example.org
16. If you still have spare test machines available, you can now test installing clients via the realm CLI, kickstart and/or cockpit. Test enrolling clients against all servers, and verify they work as expected whichever servers are up.
17. Test removing and decommissioning a replica.

    On srv1: ipa-replica-manage del srv3.ipa.example.org

    On srv1: ipa-csreplica-manage del srv3.ipa.example.org

    On srv3: ipa-server-install --uninstall

Expected Results

1. All enrolments should complete successfully with no errors.
2. The test commands should show the expected output and results noted above; all commands not explicitly expected to fail should succeed.
3. Client tests should succeed (according to their own expected results) as long as either server is available (assuming appropriate DNS configuration).
4. Replica removal/decommissioning should work smoothly; the remaining servers should continue to work as expected, and should not attempt to synchronize with srv3 anymore. srv3 should no longer attempt to act as a FreeIPA server in any way.