Red Hat Identity Management
-
So I'm setting up an Identity Management system at work to replace an old NIS system running on Solaris. When I started they were planning on using OpenLDAP, but it was going to be a pain to manage. IdM makes everything pretty easy. The server setup is fairly easy; just answer some basic questions.
I'm running the server on a CentOS 7 VM with 1GB of RAM and a 10GB disk. They recommend 2GB for 20,000 users and 100 groups.
First make sure your hostname points to your IP address in your /etc/hosts file. Then:

yum install ipa-server ipa-server-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [idmserver.pa.jhbcomputers.com]:

Warning: skipping DNS resolution of host idmserver.pa.jhbcomputers.com
The domain name has been determined based on the host name.

Please confirm the domain name [pa.jhbcomputers.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [PA.JHBCOMPUTERS.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Existing BIND configuration detected, overwrite? [no]: yes
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [0.0.10.in-addr.arpa.]:
Using reverse zone(s) 0.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       idmserver.pa.jhbcomputers.com
IP address(es): 10.0.0.4
Domain name:    pa.jhbcomputers.com
Realm name:     PA.JHBCOMPUTERS.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Reverse zone(s):  0.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes
Then it configures everything. You get a giant output as it does it; it's too long to post here.
At the end you get this:
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Then:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-port=53/tcp
firewall-cmd --permanent --zone=public --add-port=88/udp
firewall-cmd --permanent --zone=public --add-port=464/udp
firewall-cmd --permanent --zone=public --add-port=53/udp
firewall-cmd --permanent --zone=public --add-port=123/udp
# --permanent rules only take effect once the running firewall is reloaded
firewall-cmd --reload
Then just go to https://hostname
I'll go into setting up a client and some other info about the system later.
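Added check, not part of the original post: a script that reads the text of "firewall-cmd --zone=public --list-all" and reports which ports from the install summary above are still closed. The embedded zone listing is constructed to mirror what the firewall-cmd commands above produce, and the service-to-port mapping is assumed from firewalld's service definitions.

```shell
# Added example, not from the original post: compare a firewalld zone with
# the port list printed by ipa-server-install and report anything still closed.
# Input is the text of "firewall-cmd --zone=public --list-all"; the sample below
# is constructed to mirror the zone the commands above produce.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https kerberos ldap ldaps ssh
  ports: 53/tcp 88/udp 464/udp 53/udp 123/udp
'

# Ports the install summary says must be open, as port/proto.
IDM_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Ports opened by each firewalld service used above (assumed from firewalld's
# service definitions; any other service contributes nothing here).
service_ports() {
  case "$1" in
    http)     echo "80/tcp" ;;
    https)    echo "443/tcp" ;;
    ldap)     echo "389/tcp" ;;
    ldaps)    echo "636/tcp" ;;
    kerberos) echo "88/tcp 88/udp" ;;
  esac
}

# Expand the services: and ports: lines of a zone listing into one port/proto list.
zone_open_ports() {
  services=$(printf '%s\n' "$1" | sed -n 's/^ *services: *//p')
  ports=$(printf '%s\n' "$1" | sed -n 's/^ *ports: *//p')
  for s in $services; do service_ports "$s"; done
  for p in $ports; do echo "$p"; done
}

# Print the required ports the zone does not open; status 0 only when none are missing.
missing_idm_ports() {
  open=" $(zone_open_ports "$1" | tr '\n' ' ') "
  missing=""
  for p in $IDM_PORTS; do
    case "$open" in
      *" $p "*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

missing_idm_ports "$SAMPLE_ZONE" || echo "open the ports above before enrolling clients"
```

Run against the sample, the check reports 464/tcp: the commands above open kpasswd only on UDP, although the install summary lists 464 under TCP as well.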
-
Cool, thanks
-
What was so difficult about OpenLDAP?
-
@Dashrender said:
What was so difficult about OpenLDAP?
To change anything you need to use LDIF files that you generate. Plus I was having issues with getting autofs to work, since it's stored in LDAP and not in auto.master and auto.whatever files. This just does everything: LDAP, Kerberos, AutoFS, Certificate CA, NTP, DNS, and it will integrate with PAM easily.
And now we can give managers the ability to add users to their projects rather than the employee coming to one of us, when we have to get approval from a manager anyway.
-
Replication is also a lot easier to set up with this. A replication server takes the same amount of effort, and from the small amount of testing I've done, replication is almost real time.
-
Clients are even easier to set up.
yum install ipa-client ipa-client-admintools
The admintools package is only if you want to do cli administration from that client.
Make sure the loopback address in your /etc/hosts file doesn't use the name localhost. It needs the FQDN. The actual hostname also must be an FQDN. Set the new IdM server as your DNS server.
Then just run
ipa-client-install --enable-dns-updates
The --enable-dns-updates flag only works if the IdM server has the integrated DNS set up, but it adds the client to both forward and reverse DNS.
All you need is the admin password. Here's the output:
Discovery was successful!
Client hostname: idmclient.pa.jhbcomputers.com
Realm: PA.JHBCOMPUTERS.COM
DNS Domain: pa.jhbcomputers.com
IPA Server: idmserver.pa.jhbcomputers.com
BaseDN: dc=pa,dc=jhbcomputers,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
User authorized to enroll computers: admin
Password for admin@PA.JHBCOMPUTERS.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=PA.JHBCOMPUTERS.COM
    Issuer:      CN=Certificate Authority,O=PA.JHBCOMPUTERS.COM
    Valid From:  Mon Apr 11 22:36:21 2016 UTC
    Valid Until: Fri Apr 11 22:36:21 2036 UTC

Enrolled in IPA realm PA.JHBCOMPUTERS.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm PA.JHBCOMPUTERS.COM
trying https://idmserver.pa.jhbcomputers.com/ipa/json
Forwarding 'ping' to json server 'https://idmserver.pa.jhbcomputers.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://idmserver.pa.jhbcomputers.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (idmclient.pa.jhbcomputers.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 10.0.0.152.
Forwarding 'host_mod' to json server 'https://idmserver.pa.jhbcomputers.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
/etc/ssh/sshd_config not found, skipping configuration
Configuring pa.jhbcomputers.com as NIS domain.
Client configuration complete.
SSSD will cache credentials and automount locations, so if the server goes down you can still authenticate and even mount your home folder from an NFS share.
Now you can switch to a user in the IdM system.
[root@idmclient /]# su hooksjy
bash-4.2$ id
uid=472000001(hooksjy) gid=472000001(hooksjy) groups=472000001(hooksjy)
bash-4.2$

I didn't set up any skeleton info for the user, but I can authenticate.
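Added pre-flight check, not part of the original posts: both the server post (hostname must point to its IP in /etc/hosts) and the client post (the name must be an FQDN) hinge on /etc/hosts being right before the installer runs, and this script verifies that for a given name and address. The hosts file content is embedded as a constructed sample so it runs offline; the name and IP passed to it are assumed.

```shell
# Added example, not from the original posts: check that a hosts file maps a
# fully qualified name to exactly one address, the one IdM should use.
# Constructed sample standing in for /etc/hosts on the server.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
::1         localhost6
10.0.0.4    idmserver.pa.jhbcomputers.com idmserver
'

# 0 when the name has a domain part and no leading/trailing dot.
is_fqdn() {
  case "$1" in
    .*|*.) return 1 ;;
    *.*)   return 0 ;;
    *)     return 1 ;;
  esac
}

# Print every address the hosts text maps to the given name (comments stripped).
hosts_addresses_for() {
  printf '%s\n' "$1" | sed 's/#.*//' | awk -v n="$2" '
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) print $1 }'
}

# hosts_check HOSTS_TEXT NAME IP: 0 only when NAME is an FQDN and maps to IP alone.
# A second mapping (for example the same name on the 127.0.0.1 line) fails the check.
hosts_check() {
  hosts_text="$1"; name="$2"; ip="$3"
  if ! is_fqdn "$name"; then
    echo "FAIL: $name is not fully qualified"; return 1
  fi
  addrs=$(hosts_addresses_for "$hosts_text" "$name")
  case "$addrs" in
    "")    echo "FAIL: $name has no entry"; return 1 ;;
    "$ip") echo "OK: $name -> $ip"; return 0 ;;
    *)     echo "FAIL: $name maps to $(printf '%s' "$addrs" | tr '\n' ' ')(expected $ip)"
           return 1 ;;
  esac
}

# On a real host: hosts_check "$(cat /etc/hosts)" "$(hostname -f)" <address>
hosts_check "$SAMPLE_HOSTS" idmserver.pa.jhbcomputers.com 10.0.0.4
```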
-
Some other pluses for this are easy setup for HBAC, sudo and sudo command privileges (host-based and user-based), SELinux user maps, and easier password policy management.