Introduction to FreeIPA

Key features
* An integrated security information management solution that combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, the Dogtag certificate system, SSSD and more.
* Built on well-known open source components and standard protocols.
* Focused on ease of management and on automating installation and configuration tasks.
* Full multi-master replication for higher redundancy and scalability.
* Extensible management interfaces (CLI, Web UI, XML-RPC and JSON-RPC APIs) and a Python SDK.

It is mainly used to manage user accounts for systems; other platforms can obtain account information over the LDAP protocol, for example jumpserver.


Deployment

  • System requirement: Fedora 28 (this deployment used it; the attempt on CentOS 7.5 did not succeed, so this system is strongly recommended. It works just like CentOS)
  • FreeIPA: version 4.7
  • IP: 192.168.100.23

This deployment uses the local machine as the DNS server (an external DNS or a self-hosted DNS can be used instead, but then the commands below differ, so take note).


Installing Fedora itself is straightforward.

hostnamectl set-hostname server.zhuxu.co   ## change this name as needed; do not include a hyphen (-)

cat /etc/hosts
192.168.100.23 server.zhuxu.co  server

yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns

cat /etc/resolv.conf
search zhuxu.co
nameserver 127.0.0.1
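
Before running the installer it is worth verifying the three settings above, since a hostname that is not a lowercase FQDN, a hostname mapped to 127.0.0.1 in /etc/hosts, or a search domain that does not match the hostname (such as zhuxu.con for zhuxu.co) makes ipa-server-install fail or produce an unusable DNS setup. The following pre-flight script is an added example, not part of the original post; the script name, function names and the exit codes are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the hostname, /etc/hosts and /etc/resolv.conf
# steps above (hypothetical helper, not from the original post). Read-only.
#   ./ipa-preflight.sh server.zhuxu.co 192.168.100.23 /etc/hosts /etc/resolv.conf

# ipa_check_fqdn NAME: 0 if NAME is a lowercase host.domain.tld and not a localhost name
ipa_check_fqdn() {
    case "$1" in
        ''|localhost|localhost.*|*.localdomain) return 1 ;;   # loopback-style names
        *[![:lower:][:digit:].-]*) return 1 ;;                # keep DNS and Kerberos names consistent
        .*|*.|*..*) return 1 ;;                               # empty labels
        *.*.*) return 0 ;;                                    # host + domain + tld present
        *) return 1 ;;
    esac
}

# ipa_check_hosts NAME IP FILE: 0 if FILE maps NAME to IP.
# 1 = NAME absent, 2 = NAME on a loopback line (a classic install failure), 3 = other address.
ipa_check_hosts() {
    awk -v n="$1" -v ip="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == "127.0.0.1" || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == n) loop = 1; next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; addr = $1 } }
        END { if (loop) exit 2; if (!found) exit 1; if (addr != ip) exit 3; exit 0 }' "$3"
}

# ipa_check_resolv NAME FILE: 0 if a search/domain line names the parent domain of NAME
# (catches a typo such as "zhuxu.con" for zhuxu.co) and at least one nameserver is set
ipa_check_resolv() {
    domain=${1#*.}                                            # server.zhuxu.co -> zhuxu.co
    awk -v d="$domain" '
        $1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
        $1 == "nameserver" { ns = 1 }
        END { if (ok && ns) exit 0; exit 1 }' "$2"
}

# ipa_preflight NAME IP HOSTS RESOLV: prints one line per check, returns the number of failures
ipa_preflight() {
    fails=0
    if ipa_check_fqdn "$1"; then echo "ok   hostname $1"
    else echo "FAIL hostname $1: need a lowercase host.domain.tld"; fails=$((fails + 1)); fi
    if ipa_check_hosts "$1" "$2" "$3"; then echo "ok   $3 maps $1 to $2"
    else echo "FAIL $3: $1 must map to $2, not to a loopback address (rc=$?)"; fails=$((fails + 1)); fi
    if ipa_check_resolv "$1" "$4"; then echo "ok   $4 search domain matches ${1#*.}"
    else echo "FAIL $4: search/domain must be ${1#*.} and a nameserver must be set"; fails=$((fails + 1)); fi
    return "$fails"
}

if [ "$#" -eq 4 ]; then ipa_preflight "$@"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate an automated install.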

ipa-server-install --setup-dns         ## to use an upstream DNS instead, add the parameter --forwarder=X.X.X.X

Server host name [server.zhuxu.co]:  (press Enter)
Please confirm the domain name [zhuxu.co]: (press Enter)
Please provide a realm name [ZHUXU.CO]: (press Enter)

Directory Manager password: (password)
Password (confirm): (password)

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: (login password)
Password (confirm): (login password)

Checking DNS domain zhuxu.co., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: yes
Reverse record for IP address 192.168.100.23 already exists

The IPA Master Server will be configured with:
Hostname:       server.zhuxu.co
IP address(es): 192.168.100.23
Domain name:    zhuxu.co
Realm name:     ZHUXU.CO

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=ZHUXU.CO
Subject base: O=ZHUXU.CO
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]:  yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned
On success the output ends as follows:

The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Local test


[root@server ~]# kinit admin                  ### you must log in as admin before you can manage the domain
Password for admin@ZHUXU.CO:
[root@server ~]# ipa user-find --all           ### show all domain users with all attributes
--------------
1 user matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=zhuxu,dc=co
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Principal alias: admin@ZHUXU.CO
  User password expiration: 20181122134155Z
  UID: 1919200000
  GID: 1919200000
  Account disabled: False
  Preserved user: False
  Member of groups: admins, trust admins
  ipauniqueid: ded602aa-a7a2-11e8-a94d-000c298c2968
  krbextradata: AAIjC4Bbcm9vdC9hZG1pbkBaSFVYVS5DTwA=
  krblastpwdchange: 20180824134155Z
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser,
               ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
ipactl --help
Usage: ipactl start|stop|restart|status

Options:
  -h, --help            show this help message and exit
  -d, --debug           Display debugging information
  -f, --force           Force IPA to start. Combine options --skip-version-
                        check and --ignore-service-failures
  --ignore-service-failures
                        If any service start fails, do not rollback the
                        services, continue with the operation
  --skip-version-check  skip version check

Web access

https://server.zhuxu.co/ipa/ui/

Log in as admin

[Image: FreeIPA 4.7.0 server deployment, figure 1]


Reference: https://blog.51cto.com/zhuxu91313/2150779