Linux RHEL7 IPA

主機設定

[root@localhost ~]# hostnamectl set-hostname ipa1.example.corp

[root@localhost ~]# init 6

[root@ipa1 ~]# echo 192.168.100.107 ipa1.example.corp >> /etc/hosts

[root@ipa1 ~]# yum -y install ipa-server bind bind-dyndb-ldap

IPA 安裝

[root@ipa1 ~]# ipa-server-install --setup-dns

The log fileforthis installation can be found in/var/log/ipaserver-install.log

==============================================================================

This program will setup the IPA Server.

This includes:

  * Configure a stand-alone CA (dogtag) forcertificate management

  * Configure the Network Time Daemon (ntpd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure DNS (bind)

To accept the default shown inbrackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: y

Enter the fully qualified domain name of the computer

on whichyou're setting up server software. Using the form

.

Example: master.example.com.

Server host name [ipa1.example.corp]:

Warning: skipping DNS resolution of host ipa1.example.corp

The domain name has been determined based on the host name.

Please confirm the domain name [example.corp]:

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.CORP]:

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory forsystem management tasks and will be added to the

instance of directory server created forIPA.

The password must be at least 8 characters long.

Directory Manager password:

Password (confirm):

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used forIPA server administration.

IPA admin password:

Password (confirm):

Do you want to configure DNS forwarders? [yes]: y

Enter the IP address of DNS forwarder to use, or press Enter to finish.

Enter IP address fora DNS forwarder: 8.8.8.8

DNS forwarder 8.8.8.8 added

Enter IP address fora DNS forwarder:

Checking forwarders, please wait ...

Do you want to configure the reverse zone? [yes]:

Please specify the reverse zone name [100.168.192.in-addr.arpa.]:

Using reverse zone(s) 100.168.192.in-addr.arpa.

The IPA Master Server will be configured with:

Hostname:       ipa1.example.corp

IP address(es): 192.168.100.107

Domain name:    example.corp

Realm name:     EXAMPLE.CORP

BIND DNS server will be configured to serve IPA domain with:

Forwarders:    8.8.8.8

Reverse zone(s):  100.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: y

The following operations may take some minutes to complete.

Please wait untilthe prompt is returned.

Configuring NTP daemon (ntpd)

  [1/4]: stopping ntpd

  [2/4]: writing configuration

  [3/4]: configuring ntpd to start on boot

  [4/4]: starting ntpd

Done configuring NTP daemon (ntpd).

Configuring directory server (dirsrv): Estimated time1 minute

  [1/38]: creating directory server user

  [2/38]: creating directory server instance

  [3/38]: adding default schema

  [4/38]: enabling memberof plugin

  [5/38]: enabling winsync plugin

  [6/38]: configuring replication version plugin

  [7/38]: enabling IPA enrollment plugin

  [8/38]: enabling ldapi

  [9/38]: configuring uniqueness plugin

  [10/38]: configuring uuid plugin

  [11/38]: configuring modrdn plugin

  [12/38]: configuring DNS plugin

  [13/38]: enabling entryUSN plugin

  [14/38]: configuring lockout plugin

  [15/38]: creating indices

  [16/38]: enabling referential integrity plugin

  [17/38]: configuring certmap.conf

  [18/38]: configure autobind forroot

  [19/38]: configure new location formanaged entries

  [20/38]: configure dirsrv ccache

  [21/38]: enableSASL mapping fallback

  [22/38]: restarting directory server

  [23/38]: adding default layout

  [24/38]: adding delegation layout

  [25/38]: creating container formanaged entries

  [26/38]: configuring user private groups

  [27/38]: configuring netgroups from hostgroups

  [28/38]: creating default Sudo bind user

  [29/38]: creating default Auto Member layout

  [30/38]: adding range check plugin

  [31/38]: creating default HBAC rule allow_all

  [32/38]: initializing group membership

  [33/38]: adding master entry

  [34/38]: configuring Posix uid/gidgeneration

  [35/38]: adding replication acis

  [36/38]: enabling compatibility plugin

  [37/38]: tuning directory server

  [38/38]: configuring directory to start on boot

Done configuring directory server (dirsrv).

Configuring certificate server (pki-tomcatd): Estimated time3 minutes 30 seconds

  [1/27]: creating certificate server user

  [2/27]: configuring certificate server instance

  [3/27]: stopping certificate server instance to update CS.cfg

  [4/27]: backing up CS.cfg

  [5/27]: disabling nonces

  [6/27]: setup CRL publishing

  [7/27]: enablePKIX certificate path discovery and validation

  [8/27]: starting certificate server instance

  [9/27]: creating RA agent certificate database

  [10/27]: importing CA chain to RA certificate database

  [11/27]: fixing RA database permissions

  [12/27]: setting up signing cert profile

  [13/27]: setcertificate subject base

  [14/27]: enabling Subject Key Identifier

  [15/27]: enabling Subject Alternative Name

  [16/27]: enabling CRL and OCSP extensions forcertificates

  [17/27]: setting audit signing renewal to 2 years

  [18/27]: configuring certificate server to start on boot

  [19/27]: restarting certificate server

  [20/27]: requesting RA certificate from CA

  [21/27]: issuing RA agent certificate

  [22/27]: adding RA agent as a trusted user

  [23/27]: configure certmonger forrenewals

  [24/27]: configure certificate renewals

  [25/27]: configure RA certificate renewal

  [26/27]: configure Server-Cert certificate renewal

  [27/27]: Configure HTTP to proxy connections

Done configuring certificate server (pki-tomcatd).

Configuring directory server (dirsrv): Estimated time10 seconds

  [1/3]: configuring ssl fords instance

  [2/3]: restarting directory server

  [3/3]: adding CA certificate entry

Done configuring directory server (dirsrv).

Configuring Kerberos KDC (krb5kdc): Estimated time30 seconds

  [1/10]: adding sasl mappings to the directory

  [2/10]: adding kerberos container to the directory

  [3/10]: configuring KDC

  [4/10]: initialize kerberos container

WARNING: Your system is running out of entropy, you may experience long delays

  [5/10]: adding default ACIs

  [6/10]: creating a keytab forthe directory

  [7/10]: creating a keytab forthe machine

  [8/10]: adding the password extension to the directory

  [9/10]: starting the KDC

  [10/10]: configuring KDC to start on boot

Done configuring Kerberos KDC (krb5kdc).

Configuring kadmin

  [1/2]: starting kadmin

  [2/2]: configuring kadmin to start on boot

Done configuring kadmin.

Configuring ipa_memcached

  [1/2]: starting ipa_memcached

  [2/2]: configuring ipa_memcached to start on boot

Done configuring ipa_memcached.

Configuring ipa-otpd

  [1/2]: starting ipa-otpd

  [2/2]: configuring ipa-otpd to start on boot

Done configuring ipa-otpd.

Configuring the web interface (httpd): Estimated time1 minute

  [1/16]: setting mod_nss port to 443

  [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1

  [3/16]: setting mod_nss password file

  [4/16]: enabling mod_nss renegotiate

  [5/16]: adding URL rewriting rules

  [6/16]: configuring httpd

  [7/16]: configure certmonger forrenewals

  [8/16]: setting up ssl

  [9/16]: importing CA certificates from LDAP

  [10/16]: setting up browser autoconfig

  [11/16]: publish CA cert

  [12/16]: creating a keytab forhttpd

  [13/16]: clean up any existing httpd ccache

  [14/16]: configuring SELinux forhttpd

  [15/16]: restarting httpd

  [16/16]: configuring httpd to start on boot

Done configuring the web interface (httpd).

Applying LDAP updates

Restarting Directory server to apply updates

  [1/2]: stopping directory server

  [2/2]: starting directory server

Done.

Restarting the directory server

Restarting the KDC

Restarting the certificate server

Configuring DNS (named)

  [1/12]: generating rndc key file

  [2/12]: adding DNS container

  [3/12]: setting up our zone

  [4/12]: setting up reverse zone

  [5/12]: setting up our own record

  [6/12]: setting up records forother masters

  [7/12]: adding NS record to the zones

  [8/12]: setting up CA record

  [9/12]: setting up kerberos principal

  [10/12]: setting up named.conf

  [11/12]: configuring named to start on boot

  [12/12]: changing resolv.conf to point to ourselves

Done configuring DNS (named).

Restarting named

Global DNS configuration inLDAP server is empty

You can use 'dnsconfig-mod'commandto setglobal DNS options that

would override settings inlocalnamed.conf files

Restarting the web server

==============================================================================

Setup complete

Next steps:

        1. You must makesure these network ports are open:

                TCP Ports:

                  * 80, 443: HTTP/HTTPS

                  * 389, 636: LDAP/LDAPS

                  * 88, 464: kerberos

                  * 53: bind

                UDP Ports:

                  * 88, 464: kerberos

                  * 53: bind

                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'

           This ticket will allow you to use the IPA tools (e.g., ipa user-add)

           and the web user interface.

Be sure to back up the CA certificate stored in/root/cacert.p12

This fileis required to create replicas. The password forthis

fileis the Directory Manager password

防火牆設定

1[root@ipa1 ~]# systemctl stop firewalld

Web Console

https://ipa1.example.corp/ipa

#需先寫入Hosts file

登入IPA

[root@ipa1 ~]# kinit admin

Password [email protected]:

[root@ipa1 ~]# klist

Ticket cache: KEYRING:persistent:0:0

Default principal: [email protected]

Valid starting       Expires              Service principal

2015-07-21T14:32:06  2015-07-22T14:32:03  krbtgt/[email protected]

[root@ipa1 ~]# ipa config-mod --defaultshell=/bin/bash

  Maximum username length: 32

  Home directory base: /home

  Default shell: /bin/bash

  Default usersgroup: ipausers

  Default e-mail domain: example.corp

  Search timelimit: 2

  Search size limit: 100

  User search fields: uid,givenname,sn,telephonenumber,ou,title

  Group search fields: cn,description

  Enable migration mode: FALSE

  Certificate Subject base: O=EXAMPLE.CORP

  Password Expiration Notification (days): 4

  Password plugin features: AllowNThash

  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023

  Default SELinux user: unconfined_u:s0-s0:c0.c1023

  Default PAC types: nfs:NONE, MS-PAC

新增使用者

[root@ipa1 ~]# ipa user-add User1 --first=User1 --last=User1 --password

Password:

Enter Password again to verify:

------------------

Added user "user1"

------------------

  User login: user1

  First name: User1

  Last name: User1

  Full name: User1 User1

  Display name: User1 User1

  Initials: UU

  Home directory: /home/user1

  GECOS: User1 User1

  Login shell: /bin/bash

  Kerberos principal: [email protected]

  Email address: [email protected]

  UID: 175400001

  GID: 175400001

  Password: True

  Member of groups: ipausers

  Kerberos keys available: True

備份

[root@ipa1 ~]# ipa-backup

Preparing backup on ipa1.example.corp

Stopping IPA services

Backing up ipaca inEXAMPLE-CORP to LDIF

Backing up userRoot inEXAMPLE-CORP to LDIF

Backing up EXAMPLE-CORP

Backing up files

Backed up to /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28

Starting IPA service

The ipa-backup commandwas successful

還原

[root@ipa1 ~]# ipa-restore --data /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28

Directory Manager (existing master) password:

Preparing restore from /var/lib/ipa/backup/ipa-full-2015-07-21-14-50-28on ipa1.example.corp

Performing DATA restore from FULL backup

Restoring data will overwrite existing live data. Continue to restore? [no]: y

Each master will individually need to be re-initialized or

re-created from this one. The replication agreements on

masters running IPA 3.1 or earlier will need to be manually

re-enabled. See the manpage fordetails.

Disabling all replication.

Stopping Directory Server

Restoring from userRoot inEXAMPLE-CORP

Restoring from ipaca inEXAMPLE-CORP

Starting Directory Server

The ipa-restore commandwas successful

重開服務

[root@ipa1 ~]# systemctl restart krb5kdc.service

[root@ipa1 ~]# /usr/sbin/ipactl start

Existing service filedetected!

Assuming stale, cleaning and proceeding

Starting Directory Service

Starting krb5kdc Service

Starting kadmin Service

Starting named Service

Starting ipa_memcached Service

Starting httpd Service

Starting pki-tomcatd Service

Starting ipa-otpd Service

ipa: INFO: The ipactl commandwas successful

IPA Cluster

[root@ipa2 ~]# echo 192.168.100.107 ipa1.example.corp >> /etc/hosts

[root@ipa2 ~]# echo 192.168.100.109 ipa2.example.corp >> /etc/hosts