FreeIPA is an open-source security solution for Linux that provides user account management and centralised authentication.
On CentOS 7, Fedora and Ubuntu 14.04/16.04 a machine can be joined to the IPA domain directly with the IPA client; other operating systems can authenticate against FreeIPA through SSSD or LDAP.
Deploying FreeIPA:
1. Set the hostname (it must be a fully qualified name; the installer derives the DNS domain and the Kerberos realm from it):
hostnamectl set-hostname ipaserver.changchunhua.cloud
2. Update packages and the kernel:
yum update -y
3. Firewall: the recipe simply switches firewalld off. That leaves the host that will run the KDC, the CA and the directory with no host firewall at all; the installer's "Next steps" output in step 8 lists exactly which TCP/UDP ports IPA needs, and opening only those with firewall-cmd while keeping firewalld running is the better option. The recipe as run:
systemctl stop firewalld && systemctl disable firewalld
4. Configure the hosts file. The address must be the one on the server's interface: the installer run in step 8 detects 192.168.17.140, not the .120 written here, and the A and PTR records it creates follow the detected address, so the two must agree.
- vim /etc/hosts
- 192.168.17.120 ipaserver.changchunhua.cloud ipaserver
5. Configure the random-number generator daemon (CA and Kerberos key generation need entropy, which a fresh VM is often short of):
- yum install -y rng-tools
- systemctl start rngd
- systemctl enable rngd
- systemctl status rngd
6. Install BIND and start it. The ipa-server-dns package installed in step 7 already depends on bind and bind-dyndb-ldap, and the installer configures named and rewrites /etc/resolv.conf itself (step "[12/12]: changing resolv.conf to point to ourselves" below). Setting nameserver 127.0.0.1 in advance is what makes the installer offer 127.0.0.1 as a DNS forwarder in step 8, i.e. named forwarding to itself; before installation resolv.conf should list only the upstream resolver (8.8.8.8 here).
- yum -y install bind bind-utils bind-dyndb-ldap
- systemctl start named
- systemctl enable named
- systemctl status named
- vim /etc/resolv.conf
- nameserver 127.0.0.1
7. Install the ipa-server packages:
yum -y install ipa-server ipa-server-dns
8. Configure ipa-server. The --allow-zone-overlap option tells the installer to create the DNS zone even if that name already exists in DNS; the interactive session below is the complete run:
-
- [root@ipaserver ~]# ipa-server-install --allow-zone-overlap
-
- The log file for this installation can be found in /var/log/ipaserver-install.log
- ==============================================================================
- This program will set up the IPA Server.
-
- This includes:
- * Configure a stand-alone CA (dogtag) for certificate management
- * Configure the Network Time Daemon (ntpd)
- * Create and configure an instance of Directory Server
- * Create and configure a Kerberos Key Distribution Center (KDC)
- * Configure Apache (httpd)
- * Configure the KDC to enable PKINIT
-
- To accept the default shown in brackets, press the Enter key.
-
- Do you want to configure integrated DNS (BIND)? [no]: yes
-
- Enter the fully qualified domain name of the computer
- on which you're setting up server software. Using the form
- <hostname>.<domainname>
- Example: master.example.com.
- Server host name [ipaserver.changchunhua.cloud]:
- Warning: skipping DNS resolution of host ipaserver.changchunhua.cloud
- The domain name has been determined based on the host name.
- Please confirm the domain name [changchunhua.cloud]:
- The kerberos protocol requires a Realm name to be defined.
- This is typically the domain name converted to uppercase.
- Please provide a realm name [CHANGCHUNHUA.CLOUD]:
- Certain directory server operations require an administrative user.
- This user is referred to as the Directory Manager and has full access
- to the Directory for system management tasks and will be added to the
- instance of directory server created for IPA.
- The password must be at least 8 characters long.
- Directory Manager password:
- Password (confirm):
- The IPA server requires an administrative user, named 'admin'.
- This user is a regular system account used for IPA server administration.
- IPA admin password:
- Password (confirm):
- Checking DNS domain changchunhua.cloud., please wait ...
- Do you want to configure DNS forwarders? [yes]:
- Following DNS servers are configured in /etc/resolv.conf: 127.0.0.1, 8.8.8.8
- Do you want to configure these servers as DNS forwarders? [yes]:
- All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
- Enter an IP address for a DNS forwarder, or press Enter to skip:
- Checking DNS forwarders, please wait ...
- Do you want to search for missing reverse zones? [yes]:
- Do you want to create reverse zone for IP 192.168.17.140 [yes]:
- Please specify the reverse zone name [17.168.192.in-addr.arpa.]:
- Using reverse zone(s) 17.168.192.in-addr.arpa.
- The IPA Master Server will be configured with:
- Hostname: ipaserver.changchunhua.cloud
- IP address(es): 192.168.17.140
- Domain name: changchunhua.cloud
- Realm name: CHANGCHUNHUA.CLOUD
- BIND DNS server will be configured to serve IPA domain with:
- Forwarders: 127.0.0.1, 8.8.8.8
- Forward policy: only
- Reverse zone(s): 17.168.192.in-addr.arpa.
- Continue to configure the system with these values? [no]: yes
- The following operations may take some minutes to complete.
- Please wait until the prompt is returned.
- Configuring NTP daemon (ntpd)
- [1/4]: stopping ntpd
- [2/4]: writing configuration
- [3/4]: configuring ntpd to start on boot
- [4/4]: starting ntpd
- Done configuring NTP daemon (ntpd).
- Configuring directory server (dirsrv). Estimated time: 30 seconds
- [1/45]: creating directory server instance
- [2/45]: enabling ldapi
- [3/45]: configure autobind for root
- [4/45]: stopping directory server
- [5/45]: updating configuration in dse.ldif
- [6/45]: starting directory server
- [7/45]: adding default schema
- [8/45]: enabling memberof plugin
- [9/45]: enabling winsync plugin
- [10/45]: configure password logging
- [11/45]: configuring replication version plugin
- [12/45]: enabling IPA enrollment plugin
- [13/45]: configuring uniqueness plugin
- [14/45]: configuring uuid plugin
- [15/45]: configuring modrdn plugin
- [16/45]: configuring DNS plugin
- [17/45]: enabling entryUSN plugin
- [18/45]: configuring lockout plugin
- [19/45]: configuring topology plugin
- [20/45]: creating indices
- [21/45]: enabling referential integrity plugin
- [22/45]: configuring certmap.conf
- [23/45]: configure new location for managed entries
- [24/45]: configure dirsrv ccache
- [25/45]: enabling SASL mapping fallback
- [26/45]: restarting directory server
- [27/45]: adding sasl mappings to the directory
- [28/45]: adding default layout
- [29/45]: adding delegation layout
- [30/45]: creating container for managed entries
- [31/45]: configuring user private groups
- [32/45]: configuring netgroups from hostgroups
- [33/45]: creating default Sudo bind user
- [34/45]: creating default Auto Member layout
- [35/45]: adding range check plugin
- [36/45]: creating default HBAC rule allow_all
- [37/45]: adding entries for topology management
- [38/45]: initializing group membership
- [39/45]: adding master entry
- [40/45]: initializing domain level
- [41/45]: configuring Posix uid/gid generation
- [42/45]: adding replication acis
- [43/45]: activating sidgen plugin
- [44/45]: activating extdom plugin
- [45/45]: configuring directory to start on boot
- Done configuring directory server (dirsrv).
- Configuring Kerberos KDC (krb5kdc)
- [1/10]: adding kerberos container to the directory
- [2/10]: configuring KDC
- [3/10]: initialize kerberos container
- [4/10]: adding default ACIs
- [5/10]: creating a keytab for the directory
- [6/10]: creating a keytab for the machine
- [7/10]: adding the password extension to the directory
- [8/10]: creating anonymous principal
- [9/10]: starting the KDC
- [10/10]: configuring KDC to start on boot
- Done configuring Kerberos KDC (krb5kdc).
- Configuring kadmin
- [1/2]: starting kadmin
- [2/2]: configuring kadmin to start on boot
- Done configuring kadmin.
- Configuring ipa-custodia
- [1/5]: Making sure custodia container exists
- [2/5]: Generating ipa-custodia config file
- [3/5]: Generating ipa-custodia keys
- [4/5]: starting ipa-custodia
- [5/5]: configuring ipa-custodia to start on boot
- Done configuring ipa-custodia.
- Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
- [1/30]: configuring certificate server instance
- [2/30]: secure AJP connector
- [3/30]: reindex attributes
- [4/30]: exporting Dogtag certificate store pin
- [5/30]: stopping certificate server instance to update CS.cfg
- [6/30]: backing up CS.cfg
- [7/30]: disabling nonces
- [8/30]: set up CRL publishing
- [9/30]: enable PKIX certificate path discovery and validation
- [10/30]: starting certificate server instance
- [11/30]: configure certmonger for renewals
- [12/30]: requesting RA certificate from CA
- [13/30]: setting audit signing renewal to 2 years
- [14/30]: restarting certificate server
- [15/30]: publishing the CA certificate
- [16/30]: adding RA agent as a trusted user
- [17/30]: authorizing RA to modify profiles
- [18/30]: authorizing RA to manage lightweight CAs
- [19/30]: Ensure lightweight CAs container exists
- [20/30]: configure certificate renewals
- [21/30]: configure Server-Cert certificate renewal
- [22/30]: Configure HTTP to proxy connections
- [23/30]: restarting certificate server
- [24/30]: updating IPA configuration
- [25/30]: enabling CA instance
- [26/30]: migrating certificate profiles to LDAP
- [27/30]: importing IPA certificate profiles
- [28/30]: adding default CA ACL
- [29/30]: adding 'ipa' CA entry
- [30/30]: configuring certmonger renewal for lightweight CAs
- Done configuring certificate server (pki-tomcatd).
- Configuring directory server (dirsrv)
- [1/3]: configuring TLS for DS instance
- [2/3]: adding CA certificate entry
- [3/3]: restarting directory server
- Done configuring directory server (dirsrv).
- Configuring ipa-otpd
- [1/2]: starting ipa-otpd
- [2/2]: configuring ipa-otpd to start on boot
- Done configuring ipa-otpd.
- Configuring the web interface (httpd)
- [1/22]: stopping httpd
- [2/22]: setting mod_nss port to 443
- [3/22]: setting mod_nss cipher suite
- [4/22]: setting mod_nss protocol list to TLSv1.2
- [5/22]: setting mod_nss password file
- [6/22]: enabling mod_nss renegotiate
- [7/22]: disabling mod_nss OCSP
- [8/22]: adding URL rewriting rules
- [9/22]: configuring httpd
- [10/22]: setting up httpd keytab
- [11/22]: configuring Gssproxy
- [12/22]: setting up ssl
- [13/22]: configure certmonger for renewals
- [14/22]: importing CA certificates from LDAP
- [15/22]: publish CA cert
- [16/22]: clean up any existing httpd ccaches
- [17/22]: configuring SELinux for httpd
- [18/22]: create KDC proxy config
- [19/22]: enable KDC proxy
- [20/22]: starting httpd
- [21/22]: configuring httpd to start on boot
- [22/22]: enabling oddjobd
- Done configuring the web interface (httpd).
- Configuring Kerberos KDC (krb5kdc)
- [1/1]: installing X509 Certificate for PKINIT
- Done configuring Kerberos KDC (krb5kdc).
- Applying LDAP updates
- Upgrading IPA:. Estimated time: 1 minute 30 seconds
- [1/10]: stopping directory server
- [2/10]: saving configuration
- [3/10]: disabling listeners
- [4/10]: enabling DS global lock
- [5/10]: disabling Schema Compat
- [6/10]: starting directory server
- [7/10]: upgrading server
- [8/10]: stopping directory server
- [9/10]: restoring configuration
- [10/10]: starting directory server
- Done.
- Restarting the KDC
- Configuring DNS (named)
- [1/12]: generating rndc key file
- [2/12]: adding DNS container
- [3/12]: setting up our zone
- [4/12]: setting up reverse zone
- [5/12]: setting up our own record
- [6/12]: setting up records for other masters
- [7/12]: adding NS record to the zones
- [8/12]: setting up kerberos principal
- [9/12]: setting up named.conf
- [10/12]: setting up server configuration
- [11/12]: configuring named to start on boot
- [12/12]: changing resolv.conf to point to ourselves
- Done configuring DNS (named).
- Restarting the web server to pick up resolv.conf changes
- Configuring DNS key synchronization service (ipa-dnskeysyncd)
- [1/7]: checking status
- [2/7]: setting up bind-dyndb-ldap working directory
- [3/7]: setting up kerberos principal
- [4/7]: setting up SoftHSM
- [5/7]: adding DNSSEC containers
- [6/7]: creating replica keys
- [7/7]: configuring ipa-dnskeysyncd to start on boot
- Done configuring DNS key synchronization service (ipa-dnskeysyncd).
- Restarting ipa-dnskeysyncd
- Restarting named
- Updating DNS system records
- Configuring client side components
- Using existing certificate '/etc/ipa/ca.crt'.
- Client hostname: ipaserver.changchunhua.cloud
- Realm: CHANGCHUNHUA.CLOUD
- DNS Domain: changchunhua.cloud
- IPA Server: ipaserver.changchunhua.cloud
- BaseDN: dc=changchunhua,dc=cloud
- Skipping synchronizing time with NTP server.
- New SSSD config will be created
- Configured sudoers in /etc/nsswitch.conf
- Configured /etc/sssd/sssd.conf
- trying https://ipaserver.changchunhua.cloud/ipa/json
- [try 1]: Forwarding 'schema' to json server 'https://ipaserver.changchunhua.cloud/ipa/json'
- trying https://ipaserver.changchunhua.cloud/ipa/session/json
- [try 1]: Forwarding 'ping' to json server 'https://ipaserver.changchunhua.cloud/ipa/session/json'
- [try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipaserver.changchunhua.cloud/ipa/session/json'
- Systemwide CA database updated.
- Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
- Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
- Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
- [try 1]: Forwarding 'host_mod' to json server 'https://ipaserver.changchunhua.cloud/ipa/session/json'
- SSSD enabled
- Configured /etc/openldap/ldap.conf
- Configured /etc/ssh/ssh_config
- Configured /etc/ssh/sshd_config
- Configuring changchunhua.cloud as NIS domain.
- Client configuration complete.
- The ipa-client-install command was successful
- ==============================================================================
- Setup complete
- Next steps:
- 1. You must make sure these network ports are open:
- TCP Ports:
- * 80, 443: HTTP/HTTPS
- * 389, 636: LDAP/LDAPS
- * 88, 464: kerberos
- * 53: bind
- UDP Ports:
- * 88, 464: kerberos
- * 53: bind
- * 123: ntp
- 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
- This ticket will allow you to use the IPA tools (e.g., ipa user-add)
- and the web user interface.
- Be sure to back up the CA certificates stored in /root/cacert.p12
- These files are required to create replicas. The password for these
- files is the Directory Manager password
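Steps 1 to 8 as one unattended script. This is an added example, not a command from the original post or from the FreeIPA project. It keeps the page's lab values (ipaserver.changchunhua.cloud, 192.168.17.140, forwarder 8.8.8.8) as defaults, reads the two passwords from the environment variables DM_PASSWORD and ADMIN_PASSWORD (names chosen here), and only changes the system when RUN_INSTALL=1 is set, so the helper functions can be exercised on any machine. Unlike the recipe it leaves firewalld running and opens only the ports the installer lists under "Next steps", and it leaves resolv.conf pointing at the upstream resolver because the installer rewrites it.

```shell
#!/bin/sh
# Added example (not from the original post): the preparation steps 1-8
# as one unattended run. firewalld stays enabled and only the ports from
# the installer's "Next steps" list are opened; the interactive answers
# given on the page are passed as ipa-server-install options.
set -eu

IPA_HOST="${IPA_HOST:-ipaserver.changchunhua.cloud}"   # page's lab values
IPA_IP="${IPA_IP:-192.168.17.140}"
IPA_FORWARDER="${IPA_FORWARDER:-8.8.8.8}"               # upstream, not 127.0.0.1

# The DNS domain is the FQDN minus its first label.
domain_of() { printf '%s\n' "${1#*.}"; }

# Kerberos realm: the domain in upper case, as the installer proposes.
derive_realm() { domain_of "$1" | tr '[:lower:]' '[:upper:]'; }

# Reverse zone the installer proposes for an address in a /24.
reverse_zone() {
  old_ifs=$IFS; IFS=.
  # shellcheck disable=SC2086
  set -- $1
  IFS=$old_ifs
  printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# /etc/hosts line "<ip> <fqdn> <shortname>". The address must be the one
# on the interface, or the A/PTR records the installer creates disagree.
hosts_line() { printf '%s %s %s\n' "$2" "$1" "${1%%.*}"; }

# firewall-cmd arguments for the ports in the installer's "Next steps"
# list; this replaces `systemctl disable firewalld`.
firewall_port_args() {
  args=
  for p in 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp \
           88/udp 464/udp 53/udp 123/udp; do
    args="$args --add-port=$p"
  done
  printf '%s\n' "${args# }"
}

# Unattended equivalent of the answers given in the interactive run.
# Password options are emitted as unexpanded $VARS so the command can be
# printed for review without leaking secrets; eval expands them at run time.
build_install_cmd() {
  host=$1
  ip=$2
  fwd=$3
  domain=$(domain_of "$host")
  realm=$(derive_realm "$host")
  printf 'ipa-server-install --unattended --hostname=%s --ip-address=%s --domain=%s --realm=%s --setup-dns --forwarder=%s --forward-policy=only --reverse-zone=%s --allow-zone-overlap --ds-password="$DM_PASSWORD" --admin-password="$ADMIN_PASSWORD"\n' \
    "$host" "$ip" "$domain" "$realm" "$fwd" "$(reverse_zone "$ip")"
}

# Only touch the system when explicitly asked; RUN_INSTALL is an assumed name.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  : "${DM_PASSWORD:?export DM_PASSWORD first}" "${ADMIN_PASSWORD:?export ADMIN_PASSWORD first}"
  hostnamectl set-hostname "$IPA_HOST"
  grep -q " $IPA_HOST " /etc/hosts || hosts_line "$IPA_HOST" "$IPA_IP" >>/etc/hosts
  # ipa-server-dns pulls in bind and bind-dyndb-ldap; no separate BIND step.
  yum -y install rng-tools ipa-server ipa-server-dns
  systemctl enable rngd && systemctl start rngd
  systemctl enable firewalld && systemctl start firewalld
  # shellcheck disable=SC2046
  firewall-cmd --permanent $(firewall_port_args) >/dev/null
  firewall-cmd --reload
  eval "$(build_install_cmd "$IPA_HOST" "$IPA_IP" "$IPA_FORWARDER")"
fi
```

In unattended mode ipa-server-install takes the Directory Manager and admin passwords only as command-line options, so they are visible in the process list for the duration of the run; keeping them in environment variables that are expanded at eval time at least keeps them out of the script and out of shell history. Print `build_install_cmd` for review before setting RUN_INSTALL=1.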
9. Verify the FreeIPA services
First move /root/cacert.p12 (the CA key material the installer asks you to back up above, protected by the Directory Manager password) off the host to a secure location. Then check that the Kerberos realm was installed correctly by obtaining a ticket for the admin user:
- [root@ipaserver ~]# kinit admin
- Password for admin@CHANGCHUNHUA.CLOUD:
-
- [root@ipaserver ~]# klist
- Ticket cache: KEYRING:persistent:0:0
- Default principal: admin@CHANGCHUNHUA.CLOUD
-
- Valid starting Expires Service principal
- 11/12/2022 02:32:36 11/13/2022 02:32:33 krbtgt/CHANGCHUNHUA.CLOUD@CHANGCHUNHUA.CLOUD
-
10. Verify that the IPA server is working. Note that the installer created the default HBAC rule allow_all ([36/45] above); it lets every IPA user log in to every enrolled host and should be disabled and replaced by explicit rules before hosts are enrolled.
- [root@ipaserver ~]# ipa user-find admin
- --------------
- 1 user matched
- --------------
- User login: admin
- Last name: Administrator
- Home directory: /home/admin
- Login shell: /bin/bash
- Principal alias: admin@CHANGCHUNHUA.CLOUD
- UID: 229800000
- GID: 229800000
- Account disabled: False
- ----------------------------
- Number of entries returned 1
- ----------------------------
-
Then, when I tried to open https://ipaserver.changchunhua.cloud/ipa/ui in a browser, I ran into a problem.
I guessed it was some DNS issue and updated the DNS configuration on my computer.
After that the page appeared.
With the ping command the name resolves successfully.
Log in with the admin account and the password configured above:
11. Check the status of the IPA components:
- [root@ipaserver ~]# ipactl status
- Directory Service: RUNNING
- krb5kdc Service: RUNNING
- kadmin Service: RUNNING
- named Service: RUNNING
- httpd Service: RUNNING
- ipa-custodia Service: RUNNING
- ntpd Service: RUNNING
- pki-tomcatd Service: RUNNING
- ipa-otpd Service: RUNNING
- ipa-dnskeysyncd Service: RUNNING
- ipa: INFO: The ipactl command was successful
- [root@ipaserver ~]# ipactl --help
- Usage: ipactl start|stop|restart|status
-
-
- Options:
- -h, --help show this help message and exit
- -d, --debug Display debugging information
- -f, --force Force IPA to start. Combine options --skip-version-
- check and --ignore-service-failures
- --ignore-service-failures
- If any service start fails, do not rollback the
- services, continue with the operation
- --skip-version-check skip version check
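Steps 9 to 11 as repeatable checks. This is an added example, not from the original post or the FreeIPA project: the three functions parse the output of `ipactl status`, `klist` and `ipa hbacrule-show allow_all`, the last one to catch the default allow_all HBAC rule the installer created. The sample outputs embedded below are constructed from the page's values (one with named stopped) so the functions can be tested offline; the live section at the end runs only when LIVE_CHECK=1 is set, and REALM (an assumed variable name) defaults to this page's realm.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for
# steps 9-11, usable from a cron job or a CI smoke test.
set -eu

REALM="${REALM:-CHANGCHUNHUA.CLOUD}"

# Print every service that `ipactl status` (on stdin) does not report as
# RUNNING. Lines look like "named Service: RUNNING"; the trailing
# "ipa: INFO: ..." line has no " Service: " and is skipped.
ipactl_failed_services() {
  awk '/ Service: / && $NF != "RUNNING" { sub(/ Service:.*/, ""); print }'
}

# True if klist output (on stdin) holds a TGT for the given realm.
klist_has_tgt() {
  grep -q "krbtgt/$1@$1"
}

# True if `ipa hbacrule-show allow_all` output (on stdin) shows the rule
# still enabled, i.e. every user may log in to every enrolled host.
hbac_allow_all_enabled() {
  grep -q '^ *Enabled: TRUE$'
}

# Constructed samples for offline use; the first has named stopped.
SAMPLE_IPACTL='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CHANGCHUNHUA.CLOUD

Valid starting       Expires              Service principal
11/12/2022 02:32:36  11/13/2022 02:32:33  krbtgt/CHANGCHUNHUA.CLOUD@CHANGCHUNHUA.CLOUD'

SAMPLE_HBAC='  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE'

# Live checks against the real server; LIVE_CHECK is an assumed name.
if [ "${LIVE_CHECK:-0}" = 1 ]; then
  rc=0
  down=$(ipactl status 2>/dev/null | ipactl_failed_services)
  [ -z "$down" ] || { printf 'not running: %s\n' "$down"; rc=1; }
  if ! klist 2>/dev/null | klist_has_tgt "$REALM"; then
    printf 'no TGT for %s; run kinit admin first\n' "$REALM"; rc=1
  fi
  if ipa hbacrule-show allow_all 2>/dev/null | hbac_allow_all_enabled; then
    printf 'warning: default HBAC rule allow_all is still enabled\n'
  fi
  exit "$rc"
fi
```

The allow_all check only warns, because disabling the rule without replacement locks every user out of every host; do it with `ipa hbacrule-disable allow_all` once explicit rules exist.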
6 March 2023:
Then I also tried deploying FreeIPA with Docker:
- docker run --rm --name freeipa -ti \
- --read-only \
- --sysctl net.ipv6.conf.all.disable_ipv6=0 \
- -h ipaserver.changchunhua.cloud \
- -p 443:443 -p 8009:389 \
- -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
- -v /data/webapps/ipa:/data:Z \
- freeipa/freeipa-server:centos-8-stream