How to configure FreeIPA replication on Ubuntu/CentOS

Published: 2020-02-23 14:30:16  Source: igfitidea

How do I configure FreeIPA replication?
You run a single FreeIPA server and worry that it is a single point of failure?
In this post we walk through the complete steps for configuring FreeIPA replication on Ubuntu 18.04, Ubuntu 16.04 and CentOS 7 servers.
With a FreeIPA replica in place, FreeIPA clients can keep authenticating even when one server is down (provided the clients are configured to use both servers, not just one of them).

To follow this tutorial you need an installed and fully working FreeIPA server with a test account.

Once the FreeIPA server is installed and configured, no further preparation is needed.
We can start setting up FreeIPA replication.

My lab setup

I have a primary FreeIPA server with the hostname ipa.theitroad.com; the replica will be configured on ipa-replica.theitroad.com.
The IP addresses of the two servers are 192.168.10.10 (ipa) and 192.168.10.11 (ipa-replica), as used in the hosts-file entries below.

Step 1: Configure DNS / the local hosts file

On both servers, make sure the hostname of every server being configured resolves to the right address.
This matters when you have no working DNS service in your infrastructure: the installers verify that each server's hostname resolves correctly, and the entries below must be present on both hosts.

sudo vim /etc/hosts

Make sure the following lines are present, replacing the hostnames and addresses with your own:

192.168.10.10 ipa.theitroad.com ipa
192.168.10.11 ipa-replica.theitroad.com ipa-replica

Make sure the hostname itself is set correctly (here on the replica):

sudo hostnamectl set-hostname ipa-replica.theitroad.com
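The hosts-file setup above is easy to get subtly wrong (a missing short alias, the same FQDN mapped to two addresses, or the machine's own hostname not matching an entry), and each of those makes the FreeIPA installer pick up the wrong name or address. The following pre-flight check is an added example, not code from the original post; the hostnames and addresses it uses in the usage comment are this post's lab values.

```sh
#!/bin/sh
# Pre-flight check for the Step 1 hosts-file setup (added example, not from the original post).
# Verifies, against a hosts file, that each expected FQDN maps to the expected IP together
# with its short alias, that no FQDN is mapped twice, and that this machine's own FQDN is
# one of the IPA hosts. Assumed lab values: 192.168.10.10 ipa, 192.168.10.11 ipa-replica.

# check_hosts_file <hosts-file> <own-fqdn> "<ip> <fqdn> <short>" ...
# Returns 0 when every entry is present and consistent, 1 otherwise (problems go to stderr).
check_hosts_file() {
    hosts_file=$1
    own_fqdn=$2
    shift 2
    status=0
    own_seen=0
    for entry in "$@"; do
        set -- $entry            # split "ip fqdn short" on whitespace
        ip=$1; fqdn=$2; short=$3
        # A line whose first field is the IP must list both the FQDN and the short alias.
        if ! awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
                $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
                END { exit !(f && s) }' "$hosts_file"; then
            echo "MISSING: $ip $fqdn $short in $hosts_file" >&2
            status=1
        fi
        # The same FQDN on two lines means gethostbyname may return the wrong address.
        count=$(awk -v fqdn="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == fqdn) n++ } END { print n+0 }' "$hosts_file")
        if [ "$count" -gt 1 ]; then
            echo "DUPLICATE: $fqdn appears $count times in $hosts_file" >&2
            status=1
        fi
        [ "$fqdn" = "$own_fqdn" ] && own_seen=1
    done
    if [ "$own_seen" -eq 0 ]; then
        echo "OWN HOSTNAME: $own_fqdn is not one of the listed IPA hosts" >&2
        status=1
    fi
    return $status
}

# Usage on a real host, before running the installers (assumed lab values):
# check_hosts_file /etc/hosts "$(hostname -f)" \
#     "192.168.10.10 ipa.theitroad.com ipa" \
#     "192.168.10.11 ipa-replica.theitroad.com ipa-replica"
```

Run it on both servers; the `hostname -f` argument is what catches a host whose hostnamectl step was skipped.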

Step 2: Install the FreeIPA client on the replica server

To install the FreeIPA client on CentOS 7 and Ubuntu, see our earlier tutorial: How to configure the FreeIPA client on Ubuntu 18.04/Ubuntu 16.04/CentOS 7.

In summary, the only steps required are:

For CentOS 7:

$ sudo yum install ipa-client
$ sudo ipa-client-install --hostname=`hostname -f` \
    --mkhomedir \
    --server=ipa.theitroad.com \
    --domain theitroad.com \
    --realm THEITROAD.COM

The Kerberos realm is written in upper case and must match the realm the server was installed with exactly; a mixed-case value such as theitroad.COM will not match.

For Ubuntu 18.04/Ubuntu 16.04:

$ sudo apt-get install freeipa-client
$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
$ sudo pam-auth-update

Then enroll the host with the same ipa-client-install command shown above for CentOS 7; the freeipa-client package ships it on Ubuntu as well.

Step 3: Install the FreeIPA server packages on the replica

With the replica enrolled as a FreeIPA client, the next step is to install the FreeIPA server packages on it.

For Ubuntu 18.04/Ubuntu 16.04, use:

sudo apt-get install freeipa-server

For CentOS 7, run:

sudo yum -y install ipa-server

Test by requesting a Kerberos ticket on the replica:

[root@ipa-replica ~]# kinit admin
Password for admin@THEITROAD.COM: 
[root@ipa-replica ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@THEITROAD.COM

Valid starting       Expires              Service principal
06/30/2016 11:58:58  07/01/2016 11:58:56  krbtgt/THEITROAD.COM@THEITROAD.COM

Step 4: Add the replica server to the ipaservers host group on the FreeIPA server

Log in to the FreeIPA server and add the replica host to the ipaservers host group. In domain level 1 this membership is what authorizes the host to promote itself: it lets the host's own keytab run ipa-replica-install without admin credentials, so only add hosts you are about to promote.

[root@ipa ~]# kinit admin
Password for admin@THEITROAD.COM: 
[root@ipa ~]# ipa hostgroup-add-member ipaservers --hosts ipa-replica.theitroad.com
Host-group: ipaservers
Description: IPA server hosts
Member hosts: ipa.theitroad.com, ipa-replica.theitroad.com
------------------------
Number of members added 1
------------------------

We can see that we now have two member hosts: ipa and ipa-replica.

On a CentOS 7 FreeIPA server, open the freeipa-replication service in the firewall if firewalld is active:

On the IPA server:

sudo firewall-cmd --add-service=freeipa-replication --permanent
sudo firewall-cmd --reload

Step 5: Run ipa-replica-install on the replica server

All that remains is to run ipa-replica-install on the replica: it pulls the FreeIPA server configuration from the master, performs the initial replication and leaves the server ready for clients to connect to. Run without options, as below, it installs only the directory server, KDC and web interface. For real redundancy also pass --setup-ca (and --setup-dns if the master serves DNS); without --setup-ca the replica only imports the RA key and losing the master still means losing the CA.

[root@ipa-replica ~]# ipa-replica-install 
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configuring replication version plugin
  [11/42]: enabling IPA enrollment plugin
  [12/42]: configuring uniqueness plugin
  [13/42]: configuring uuid plugin
  [14/42]: configuring modrdn plugin
  [15/42]: configuring DNS plugin
  [16/42]: enabling entryUSN plugin
  [17/42]: configuring lockout plugin
  [18/42]: configuring topology plugin
  [19/42]: creating indices
  [20/42]: enabling referential integrity plugin
  [21/42]: configuring certmap.conf
  [22/42]: configure new location for managed entries
  [23/42]: configure dirsrv ccache
  [24/42]: enabling SASL mapping fallback
  [25/42]: restarting directory server
  [26/42]: creating DS keytab
  [27/42]: ignore time skew for initial replication
  [28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
  [29/42]: prevent time skew after initial replication
  [30/42]: adding sasl mappings to the directory
  [31/42]: updating schema
  [32/42]: setting Auto Member configuration
  [33/42]: enabling S4U2Proxy delegation
  [34/42]: initializing group membership
  [35/42]: adding master entry
  [36/42]: initializing domain level
  [37/42]: configuring Posix uid/gid generation
  [38/42]: adding replication acis
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC

If the installer succeeds you should not see any errors. Two things in the output above are worth noting: the certificate server section only imports the RA key, so this replica is not a CA clone (ipa-replica-install --setup-ca would install one); and mod_nss is configured for TLSv1.0 through TLSv1.2 (step [4/22]), which a hardened deployment should tighten afterwards via the NSSProtocol directive in /etc/httpd/conf.d/nss.conf.

Configure the firewall on the replica server (CentOS 7)

Open the IPA server ports on the replica by running the following. Replication is bidirectional and the installer's connection check probes the replica from the master, so if firewalld is active on the replica it is safer to open these ports before running ipa-replica-install rather than after:

sudo firewall-cmd --add-service={ssh,dns,freeipa-ldap,freeipa-ldaps,freeipa-replication} --permanent
sudo firewall-cmd --reload
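A "Connection check OK" and a clean installer run do not by themselves prove that changes keep flowing between the two servers. The smoke test below is an added example, not code from the original post: it creates a throwaway user on the master, polls the replica until the entry is visible there, deletes the user again, and then lists the topology. It assumes it is run on the master with an admin ticket (kinit admin), that ssh to the replica works and that a ticket exists there too; the wait_until helper is deliberately generic so the lookup command can be swapped.

```sh
#!/bin/sh
# Replication smoke test (added example, not from the original post).
# Assumptions: run on the master with an admin Kerberos ticket, the ipa CLI installed,
# and ssh access to the replica where "ipa user-show" can also authenticate.

# wait_until <timeout-seconds> <interval-seconds> <command...>
# Polls <command> until it succeeds; returns 1 if <timeout> elapses first.
wait_until() {
    timeout=$1; interval=$2; shift 2
    elapsed=0
    until "$@" >/dev/null 2>&1; do
        elapsed=$((elapsed + interval))
        if [ "$elapsed" -ge "$timeout" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# replication_smoke_test <replica-fqdn> [timeout-seconds]
# Writes a user on this (master) server, waits for it to appear on the replica,
# removes it again. Returns 0 on convergence, 1 on timeout, 2 if the write failed.
replication_smoke_test() {
    replica=$1; timeout=${2:-60}
    user="repltest-$$"
    ipa user-add "$user" --first Repl --last Test >/dev/null || return 2
    if wait_until "$timeout" 2 ssh "$replica" ipa user-show "$user"; then
        result=0
    else
        echo "$user did not appear on $replica within ${timeout}s" >&2
        result=1
    fi
    ipa user-del "$user" >/dev/null
    return $result
}

# Topology overview: every IPA server and every replication agreement for the
# domain suffix (use "ca" instead of "domain" for the CA suffix on CA replicas).
show_topology() {
    ipa server-find
    ipa topologysegment-find domain
}

# Usage (assumed lab value):
# replication_smoke_test ipa-replica.theitroad.com && show_topology
```

Running the same test in the other direction (write on the replica, read on the master) confirms that the agreement is genuinely multi-master and not just the initial one-way load you saw during installation.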

Step 6: Test (enroll a client against the FreeIPA replica)

Let's test by enrolling a client against the FreeIPA replica.

$ sudo yum install ipa-client            # CentOS
$ sudo apt-get install freeipa-client    # Ubuntu

Configure the FreeIPA client

echo "192.168.10.10 ipa.theitroad.com ipa" >> /etc/hosts
echo "192.168.10.11 ipa-replica.theitroad.com ipa-replica" >> /etc/hosts

Then run the ipa-client-install command:

# ipa-client-install --hostname=`hostname -f` \
    --mkhomedir --server=ipa-replica.theitroad.com \
    --domain theitroad.com --realm THEITROAD.COM

Enrolling against the replica proves that it serves clients, but a client that only knows one server still has no failover. Without IPA-managed DNS (and its SRV records), pass --server once per server, for example --server=ipa.theitroad.com --server=ipa-replica.theitroad.com, so that the ipa_server list in /etc/sssd/sssd.conf contains both; with IPA DNS the default _srv_ entry discovers them automatically.
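For clients that were enrolled earlier with a single --server, the failover list can be fixed in place without re-enrolling. The helper below is an added example, not from the original post: it rewrites the ipa_server line of an sssd.conf so SSSD tries DNS SRV discovery first and then the listed servers in order. It assumes the SSSD IPA provider that ipa-client-install configures, and the lab hostnames of this post in its usage comment.

```sh
#!/bin/sh
# Give an already-enrolled client a failover server list (added example, not from the post).
# Assumes /etc/sssd/sssd.conf as written by ipa-client-install (SSSD IPA provider).

# set_ipa_servers <sssd.conf> <server1> [server2 ...]
# Rewrites the first "ipa_server = ..." line as "_srv_, server1, server2, ..."
# so SSSD uses DNS SRV records when present and falls back to the explicit list.
# Returns 1 if the file has no ipa_server line (not an IPA-enrolled client).
set_ipa_servers() {
    conf=$1; shift
    list="_srv_"
    for s in "$@"; do list="$list, $s"; done
    grep -q '^[[:space:]]*ipa_server[[:space:]]*=' "$conf" || return 1
    scratch=$(mktemp) || return 1
    awk -v list="$list" '
        !done && $0 ~ /^[[:space:]]*ipa_server[[:space:]]*=/ { print "ipa_server = " list; done = 1; next }
        { print }' "$conf" > "$scratch" && cat "$scratch" > "$conf"
    # "cat >" overwrites in place so sssd.conf keeps its root:root 0600 mode, which SSSD requires.
    rm -f "$scratch"
}

# get_ipa_servers <sssd.conf>: prints the configured server list, for verification.
get_ipa_servers() {
    sed -n 's/^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Usage on a client (assumed lab values), then restart SSSD so it re-reads the file:
# set_ipa_servers /etc/sssd/sssd.conf ipa.theitroad.com ipa-replica.theitroad.com \
#     && systemctl restart sssd
```

After the restart, stopping the FreeIPA service on one server and logging in with a domain account is the real test: SSSD should fail over to the other entry without user-visible errors beyond a short delay.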

Removing a FreeIPA replica

To decommission the replica, first remove it from the replication topology by running the following on a remaining server (in domain level 1, ipa server-del ipa-replica.theitroad.com does the same; --force is only needed when the replica is already down or unreachable), then drop it from the ipaservers host group so it can no longer promote itself:

[root@ipa ~]# ipa-replica-manage del ipa-replica.theitroad.com --force
[root@ipa ~]# ipa hostgroup-remove-member ipaservers --hosts ipa-replica.theitroad.com

Then uninstall the server components on the replica itself:

[root@ipa-replica ~]# ipa-server-install --uninstall