Setting up a FreeIPA server for user management

1. What is FreeIPA

FreeIPA is an integrated security information management solution. It combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System) and other components to provide identity, authentication and policy functions.

2. What FreeIPA is for

Without a unified identity management system, administrators have to create and maintain accounts and passwords for each system administrator on every host separately, with no central control. Once the number of hosts grows past a certain point, effective security management becomes hard and problems such as leaked account passwords are difficult to contain. A unified identity authentication system solves this. On Windows, domain accounts are used for identity management; on Linux, the FreeIPA deployment described in this article provides the equivalent: Linux systems can be joined quickly and conveniently for unified authentication and privilege management.

3. FreeIPA cookie-handling security vulnerability

FreeIPA had a security vulnerability caused by incorrect handling of cookies: the IPA client did not verify the server's identity before sending a cookie containing authentication credentials. This allowed an attacker to trick the ipa command-line client into connecting to a forged server, obtain the sensitive session credentials, and gain administrator access.

4. FreeIPA lab

  1. First, configure a static IP address so the address does not change and clients can always find the server

    [root@local ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
    BOOTPROTO=static
    IPADDR=192.168.192.130
    NETMASK=255.255.255.0 
    GATEWAY=192.168.192.2
    DEVICE=eth0
    ONBOOT=yes
    
    # restart networking so the static IP takes effect
    [root@local ~]# systemctl  restart  network
    
  2. Next, set the virtual machine's hostname; this hostname is used as the domain name
    The hostname is critical: if it collides with one that is already in use, the IPA configuration will fail later

    [root@local ~]# vim /etc/hosts
     # local IP address, hostname
    192.168.192.130  www.yyylllnnnnnn.com
    
    [root@local ~]# vim /etc/hostname
    www.yyylllnnnnnn.com
    
  3. Reboot the host so the hostname takes effect

    [root@local ~]#  reboot
    
  4. Install the IPA packages

    [root@www ~]# yum install ipa-server ipa-server-dns.noarch -y
    
  5. Start configuring IPA

    [root@mail ~]# ipa-server-install
    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.
    
    This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the Network Time Daemon (ntpd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)
      * Configure the KDC to enable PKINIT
    
    To accept the default shown in brackets, press the Enter key.
    
    Do you want to configure integrated DNS (BIND)? [no]: yes       # configure integrated DNS (BIND)? answer yes
    
    Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    <hostname>.<domainname>
    Example: master.example.com.
    
    
    Server host name [www.yyylllnnnnnn.com]:                # server hostname; accept the default
    
    Warning: skipping DNS resolution of host www.yyylllnnnnnn.com
    The domain name has been determined based on the host name.
    
    Please confirm the domain name [yyylllnnnnnn.com]:                   # confirm the domain name; accept the default
    
    The kerberos protocol requires a Realm name to be defined.
    This is typically the domain name converted to uppercase.
    
    Please provide a realm name [YYYLLLNNNNNN.COM]:        # provide the realm name; accept the default
    Certain directory server operations require an administrative user.
    This user is referred to as the Directory Manager and has full access
    to the Directory for system management tasks and will be added to the
    instance of directory server created for IPA.
    The password must be at least 8 characters long.
    
    Directory Manager password:
    Password must be at least 8 characters long
    Directory Manager password:                                    # Directory Manager password, at least 8 characters; a shorter one is rejected with the message above
    Password (confirm):
    
    The IPA server requires an administrative user, named 'admin'.
    This user is a regular system account used for IPA server administration.
    
    IPA admin password:                                              # IPA admin password; this is the password used to log in as admin
    Password (confirm):
    
    Checking DNS domain yyylllnnnnnn.com., please wait ...
    Do you want to configure DNS forwarders? [yes]: yes          # configure DNS forwarders?
    Following DNS servers are configured in /etc/resolv.conf: 192.168.192.2
    Do you want to configure these servers as DNS forwarders? [yes]:
    All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
    Enter an IP address for a DNS forwarder, or press Enter to skip: 114.114.114.114       # enter a forwarder IP or press Enter to skip. The default is fine; I chose to add one more forwarder here, and 8.8.8.8 below was also added by hand
    DNS forwarder 114.114.114.114 added. You may add another.
    Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
    DNS forwarder 8.8.8.8 added. You may add another.
    Enter an IP address for a DNS forwarder, or press Enter to skip: 
    Checking DNS forwarders, please wait ...
    DNS server 192.168.192.2: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
    Please fix forwarder configuration to enable DNSSEC support.
    (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
    DNS server 114.114.114.114: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
    Please fix forwarder configuration to enable DNSSEC support.
    (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
    WARNING: DNSSEC validation will be disabled
    Do you want to search for missing reverse zones? [yes]: yes                   # search for missing reverse zones?
    Do you want to create reverse zone for IP 192.168.192.130 [yes]: yes       # create a reverse zone for IP 192.168.192.130?
    Please specify the reverse zone name [192.168.192.in-addr.arpa.]:          # specify the reverse zone name; accept the default
    Using reverse zone(s) 192.168.192.in-addr.arpa.
    
    The IPA Master Server will be configured with:
    Hostname:       www.yyylllnnnnnn.com
    IP address(es): 192.168.192.130
    Domain name:    yyylllnnnnnn.com
    Realm name:     YYYLLLNNNNNN.COM
    
    BIND DNS server will be configured to serve IPA domain with:
    Forwarders:       192.168.192.2, 114.114.114.114, 8.8.8.8
    Forward policy:   only
    Reverse zone(s):  192.168.192.in-addr.arpa.
    
    Continue to configure the system with these values? [no]: yes             # continue configuring the system with these values?
    
    The following operations may take some minutes to complete.
    Please wait until the prompt is returned.
    
    Configuring NTP daemon (ntpd)
    # from here the installer applies the values configured above on its own
    
  6. Edit the hosts file on the physical (host) machine
    Go to C:\Windows\System32\drivers\etc, open the hosts file and add the IP and domain name:
    192.168.192.130 www.yyylllnnnnnn.com
    Open a browser and enter either the domain name or the IP: www.yyylllnnnnnn.com
    [Screenshot 1]
    Choose "Advanced" (the browser warns because it does not yet trust the IPA CA certificate)
    [Screenshot 2]
    Choose "Proceed to www.yyylllnnnnnn.com", then choose "Cancel" twice; this brings you to the following page
    [Screenshot 3]
    Enter the user name and password: the user name is admin and the password is the IPA admin password set earlier
    This is the login screen
    [Screenshot 4]
    Forward and reverse DNS records can be added in the place shown below
    [Screenshot 5]
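Added here as a pre-flight check for steps 1 to 5 (example code, not from the original post or the FreeIPA project): it validates that the hostname is a real FQDN and that the hosts file maps the static IP to it, then derives the domain, realm and reverse zone the installer will propose as defaults. The function names and the sample hosts content are constructed for this example.

```shell
#!/bin/sh
# Pre-flight checks for steps 1-5 above (added example, not part of the original
# post). All input is passed in as strings, so it runs offline against sample data.

# is_fqdn NAME: true for a lowercase name with at least two labels that is not a
# localhost-style name; ipa-server-install rejects short or local hostnames.
is_fqdn() {
    case "$1" in
        localhost|localhost.*|*.localdomain) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# hosts_maps HOSTS_TEXT IP FQDN: true if a non-comment line of the hosts file
# content maps IP to FQDN (step 2 depends on this being consistent).
hosts_maps() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk -v ip="$2" -v host="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == host) found = 1 }
        END { exit found ? 0 : 1 }'
}

# realm_for DOMAIN: the Kerberos realm the installer proposes (domain uppercased).
realm_for() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# reverse_zone IPV4: the /24 in-addr.arpa zone the installer proposes for the IP.
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# preflight HOSTS_TEXT IP FQDN: run the checks and print the values that
# ipa-server-install will offer as defaults; non-zero exit means do not proceed.
preflight() {
    is_fqdn "$3" || { echo "hostname '$3' is not a usable FQDN" >&2; return 1; }
    hosts_maps "$1" "$2" "$3" || { echo "hosts file does not map $2 to $3" >&2; return 1; }
    domain="${3#*.}"
    echo "domain=$domain realm=$(realm_for "$domain") reverse=$(reverse_zone "$2")"
}

# Constructed sample input: the hosts content and addresses used in the post.
SAMPLE_HOSTS='127.0.0.1 localhost
# local IP address, hostname
192.168.192.130 www.yyylllnnnnnn.com'

preflight "$SAMPLE_HOSTS" 192.168.192.130 www.yyylllnnnnnn.com
```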
