Chapter 12: Installing the CA Server (note the sections marked in red)
1. IPA
IPA is an integrated security information management solution that combines previously separate security information management technologies into a single suite, similar to Windows Active Directory.
2. IPA architecture diagram
3. Deploying IPA
1) Configure static network interface settings
[root@teachers ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:9B:80:0A
TYPE=Ethernet
UUID=615ae971-38df-4250-b036-b7ee78b14681
BOOTPROTO=static
IPADDR=10.10.10.221
NETMASK=255.255.255.0
GATEWAY=10.10.10.2
DNS1=10.10.10.221
2) Stop the NetworkManager service
[root@teachers ~]# service NetworkManager stop
Stopping NetworkManager daemon: [ OK ]
3) Disable NetworkManager at boot
[root@teachers ~]# chkconfig --list NetworkManager
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
4) Configure the NTP server
[root@teachers ~]# vim /etc/ntp.conf
driftfile /var/lib/ntp/drift
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
restrict default nomodify
restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap  # the server's own /24 (10.10.0.0 would name a different subnet)
broadcastdelay 0.008
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
Restart the NTP service
[root@teachers ~]# service ntpd restart
Shutting down ntpd: [FAILED]
Starting ntpd: [ OK ]
[root@teachers ~]# date
Fri Jan 22 09:51:17 EST 2016
Enable the NTP service at boot
[root@teachers ~]# chkconfig ntpd on
[root@teachers ~]# chkconfig --list |grep ntpd
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Check that the service is listening
[root@teachers ~]# netstat -ln|grep 123
udp 0 0 10.10.10.221:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 fe80::20c:29ff:fe9b:800a:123 :::*
udp 0 0 ::1:123 :::*
udp 0 0 :::123 :::*
5) Synchronise time with the NTP server
[root@teachers ~]# ntpdate -u 10.10.10.221
22 Jan 16:29:12 ntpdate[2905]: adjust time server 10.10.10.221 offset -0.000024 sec
6) Install IPA from the yum repository
[root@teachers ~]# yum install ipa-server
7) Configure the DNS server
① Configure /etc/named.conf
options {
listen-on port 53 { 10.10.10.221; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 10.10.10.0/24; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com.zone";
};
zone "10.10.10.in-addr.arpa" IN {
type master;
file "10.10.10.in-addr.arpa.zone";
};
② Configure forward DNS resolution
[root@teachers named]# cat /var/named/example.com.zone
$TTL 86400
@ IN SOA example.com. root.example.com. (   ; trailing dots keep the names absolute
2016040500 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS example.com.
        IN A 10.10.10.221
server IN A 10.10.10.221
teachers IN A 10.10.10.221
student IN A 10.10.10.223
③ Configure reverse DNS resolution
[root@teachers named]# cat /var/named/10.10.10.in-addr.arpa.zone
$TTL 86400
@ IN SOA example.com. root.example.com. (   ; trailing dots keep the names absolute
2016040500 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS example.com.
        IN A 127.0.0.1
221 IN PTR server.example.com.
221 IN PTR teachers.example.com.
223 IN PTR student.example.com.
④ Test named and DNS resolution
[root@teachers named]# named-checkzone example.com example.com.zone
zone example.com/IN: loaded serial 2016040500
OK
[root@teachers named]# named-checkzone example.com 10.10.10.in-addr.arpa.zone
zone example.com/IN: loaded serial 2016040500
OK
[root@teachers named]# service named restart
Stopping named: .[ OK ]
Starting named: [ OK ]
[root@teachers named]# nslookup 10.10.10.221
Server: 10.10.10.221
Address: 10.10.10.221#53
221.10.10.10.in-addr.arpa name = server.example.com.
221.10.10.10.in-addr.arpa name = teachers.example.com.
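As an added example (not part of the course material or the IPA project's code), this Python script parses constructed copies of the two zone files above and reports what matters for the install that follows, where ipa-server-install expects the server name to resolve forward and back consistently: SOA names left relative by a missing trailing dot, an address with more than one PTR record, and A/PTR pairs that do not round-trip. The zone origins are passed in explicitly because the samples carry no $ORIGIN line.

```python
import re
# Constructed zone texts modelled on the chapter's example.com and 10.10.10.in-addr.arpa files.
FORWARD_ZONE = """$TTL 86400
@ IN SOA example.com root.example.com ( 2016040500 3H 15M 1W 1D ) ; names lack trailing dots
@ IN NS example.com.
  IN A 10.10.10.221
server IN A 10.10.10.221
teachers IN A 10.10.10.221
student IN A 10.10.10.223
"""
REVERSE_ZONE = """@ IN SOA example.com. root.example.com ( 2016040500 3H 15M 1W 1D )
221 IN PTR server.example.com.
221 IN PTR teachers.example.com.
223 IN PTR student.example.com.
"""

def parse_zone(text, origin):
    """Yield (fqdn_owner, type, rdata_fields); '@' and bare names are qualified with origin."""
    owner = origin
    text = re.sub(r";[^\n]*|\([^)]*\)", "", text)     # drop comments and the SOA timer block
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("$"):        # blank line or $TTL / $ORIGIN directive
            continue
        if not line[0].isspace():                     # explicit owner; otherwise inherit the last one
            name = fields.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if fields[0] == "IN":
            fields.pop(0)
        yield owner, fields[0], fields[1:]

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return findings about forward/reverse consistency; an empty list means the zones agree."""
    findings, a_by_ip, ptr_by_ip = [], {}, {}
    for zone, origin, text in (("forward", fwd_origin, fwd_text), ("reverse", rev_origin, rev_text)):
        for owner, rtype, rdata in parse_zone(text, origin):
            if rtype == "SOA":                        # MNAME/RNAME without a trailing dot are relative
                findings += [f"{zone} SOA: '{n}' expands to {n}.{origin}" for n in rdata[:2] if not n.endswith(".")]
            elif rtype == "A":
                a_by_ip.setdefault(rdata[0], set()).add(owner)
            elif rtype == "PTR":                      # 221.10.10.10.in-addr.arpa. -> 10.10.10.221 (IPv4 only)
                ip = ".".join(reversed(owner[:-len(".in-addr.arpa.")].split(".")))
                ptr_by_ip.setdefault(ip, set()).add(rdata[0])
    for ip, names in ptr_by_ip.items():
        if len(names) > 1:                            # reverse lookup of this address is ambiguous
            findings.append(f"{ip} has {len(names)} PTR records: {', '.join(sorted(names))}")
        findings += [f"PTR {ip} -> {n} has no A record" for n in sorted(names - a_by_ip.get(ip, set()))]
    for ip, names in a_by_ip.items():
        findings += [f"A {n} -> {ip} has no PTR record" for n in sorted(names - ptr_by_ip.get(ip, set()))]
    return findings
```

Run against the samples it reports five findings: three relative SOA names, the two PTR records for 10.10.10.221, and the apex A record without a PTR.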
8) Install the IPA server with ipa-server-install
[root@teachers ~]# ipa-server-install -r EXAMPLE.COM -n example.com -p redhat123 -a redhat123 --hostname=teachers.example.com -N --idstart=5000 --idmax=6000 -U
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
Excluded by options:
* Configure the Network Time Daemon (ntpd)
To accept the default shown in brackets, press the Enter key.
The IPA Master Server will be configured with:
Hostname: teachers.example.com
IP address: 10.10.10.221
Domain name: example.com
Realm name: EXAMPLE.COM
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
9) ipa-server-install completes
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.f9l46e.db
Restarting the web server
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
10) Web login settings
11) Add the user user01
[root@teachers ~]# ipa user-add user01 --first=user01 --last=testuser --password
Password:
Enter Password again to verify:
-------------------
Added user "user01"
-------------------
User login: user01
First name: user01
Last name: testuser
Full name: user01 testuser
Display name: user01 testuser
Initials: ut
Home directory: /home/user01
GECOS field: user01 testuser
Login shell: /bin/sh
Kerberos principal: user01@EXAMPLE.COM
Email address: user01@example.com
UID: 5001
GID: 5001
Password: True
Kerberos keys available: True
12) View the user in the web UI