Install and configure a FreeIPA server on RHEL/CentOS 8

Date: 2020-01-09 10:40:54  Source: igfitidea

This article describes the steps to install and configure a FreeIPA server on RHEL 8 and/or CentOS 8.
On RHEL 8, openldap-servers has been deprecated and the ipa-server rpm is no longer available.

As a result, the rpms used to install and configure a FreeIPA server on RHEL 8 have changed, and we cover them in depth in this article.

FreeIPA is a way to create an identity store, centralized authentication, domain control for Kerberos and DNS services, and authorization policies on Linux systems using native Linux tools. Although centralized identity/policy/authorization software is nothing new, FreeIPA is one of the only options that supports Linux/Unix domains. IPA stands for "I" Identity, "P" Policy and "A" Audit.

FreeIPA vs. LDAP: a more focused type of service

At its most basic level, FreeIPA is a domain controller for Linux and Unix machines. FreeIPA defines a domain using controlling servers and enrolled client machines. This provides a centralized structure that was previously unavailable in Linux/Unix environments, and it does so using native Linux applications and protocols.

FreeIPA does three things:

  • Creates a Linux-based and Linux-controlled domain. Both FreeIPA servers and FreeIPA clients are Linux or Unix machines. Although FreeIPA can synchronize data with an Active Directory domain to allow integration with Windows servers, it is not an administrative tool for Windows machines and does not support Windows clients. FreeIPA is a management tool for Linux domains.

  • Centralizes identity management and identity policies.

  • Builds on existing native Linux applications and protocols. Although FreeIPA has its own processes and configuration, its underlying technologies are familiar to and trusted by Linux administrators, and are well established on Linux systems.

Identity Management (FreeIPA) servers

  • An Identity Management server is a Red Hat Enterprise Linux system that acts as a domain controller (DC). In most deployments, the IdM server also has an integrated certificate authority (CA) installed.

  • The servers are the central repository for identity and policy information. They also host the services used by domain members.

Identity Management (FreeIPA) clients

  • An Identity Management client is a Red Hat Enterprise Linux system enrolled with the servers and configured to use the Identity Management services on those servers.

  • Clients interact with the Identity Management servers to access the services they provide. For example, clients use the Kerberos protocol to perform authentication and obtain tickets for enterprise single sign-on (SSO), use LDAP to obtain identity and policy information, and use DNS to discover where the servers and services are located and how to connect to them.

  • An Identity Management server is also an embedded Identity Management client. When the server enrolls itself as a client, it provides the same functionality as any other client.

Preparing to configure a FreeIPA server on RHEL 8

Before installing and configuring a FreeIPA server on RHEL 8, make sure the installation environment is configured correctly. We also need to provide certain information during installation and configuration, including the realm name and certain usernames and passwords.

Hardware recommendations

A basic user entry or a simple host entry with a certificate is approximately 5-10 kB in size. For correct sizing, the most important hardware feature is RAM. Although every deployment is different, depending on the number of users and groups and the type of data stored, there is a rule of thumb that helps determine how much RAM to use:

  • For 10,000 users and 100 groups: at least 3 GB of RAM and 1 GB of swap space

  • For 100,000 users and 50,000 groups: at least 16 GB of RAM and 4 GB of swap space

Verify the server hostname

To configure a FreeIPA server on RHEL 8, the hostname must be a fully qualified domain name, for example server.example.com.

To verify the hostname, use the hostname utility on the system where you plan to install:

# hostname
ipa-server.example.com

The output of hostname must not be localhost or localhost6.

Here is an example /etc/hosts file:

[root@ipa-server ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.2.20       ipa-server.example.com ipa-server

Firewall configuration

Before configuring a FreeIPA server on RHEL 8, it is important to open the required ports (the same list that ipa-server-install prints at the end of the installation):

Service       Ports       Protocol
HTTP/HTTPS    80, 443     TCP
LDAP/LDAPS    389, 636    TCP
Kerberos      88, 464     TCP and UDP
DNS           53          TCP and UDP
NTP           123         UDP

Use the firewall-cmd --add-service command to add the firewall services. The freeipa-ldap and freeipa-ldaps services cover the HTTP/HTTPS, LDAP/LDAPS and Kerberos ports and dns covers port 53; port 123/udp is not among them, so add the ntp service as well if clients will synchronize time from this server. For example, to open the ports in the default zone:

# firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}

Reload the firewall-cmd configuration so that the change takes effect immediately:

# firewall-cmd --reload
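The hostname, /etc/hosts and firewall checks above can be scripted so they run before ipa-server-install. The script below is an added example, not code from the article; valid_fqdn, hosts_maps_fqdn, missing_firewall_services and preflight are its own names, and it assumes hostname -I and firewall-cmd are available on the RHEL 8 host.

```shell
#!/bin/sh
# Pre-flight checks before ipa-server-install (added example, not from the
# article). valid_fqdn, hosts_maps_fqdn, missing_firewall_services and
# preflight are this example's own names.

# A usable hostname is a lowercase FQDN (at least one dot) that is not one of
# the loopback aliases from /etc/hosts.
valid_fqdn() {
    case "$1" in
        localhost|localhost4|localhost6|localhost.localdomain|localhost4.localdomain4|localhost6.localdomain6) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Succeed only if the hosts file text ($1) maps the server IP ($2) to the FQDN
# ($3) and never maps that FQDN to 127.0.0.1 or ::1, which would make the
# installer publish a loopback address for the server.
hosts_maps_fqdn() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) {
              if ($1 == "127.0.0.1" || $1 == "::1") loop = 1; else if ($1 == ip) found = 1 } }
        END { exit (found && !loop) ? 0 : 1 }'
}

# Print which of the three firewalld services used in the article are missing
# from a space-separated list of enabled services (firewall-cmd --list-services).
missing_firewall_services() {
    enabled=" $1 "; missing=""
    for svc in freeipa-ldap freeipa-ldaps dns; do
        case "$enabled" in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Run every check against the live system; hostname -I and firewall-cmd are
# the RHEL tools, the functions above need neither.
preflight() {
    fqdn=$(hostname); ip=$(hostname -I 2>/dev/null | awk '{ print $1 }')
    valid_fqdn "$fqdn" || { echo "FAIL: hostname '$fqdn' is not a usable FQDN"; return 1; }
    hosts_maps_fqdn "$(cat /etc/hosts)" "$ip" "$fqdn" \
        || { echo "FAIL: /etc/hosts must map $ip to $fqdn and never to loopback"; return 1; }
    missing=$(missing_firewall_services "$(firewall-cmd --list-services 2>/dev/null)")
    [ -z "$missing" ] || { echo "FAIL: enable firewalld services: $missing"; return 1; }
    echo "OK: $fqdn ($ip) is ready for ipa-server-install"
}

case "${1:-}" in --run) preflight ;; esac   # sh preflight.sh --run
```

Run it as root on the prospective server with --run; a non-zero exit names the first check that ipa-server-install would trip over.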

Install the RPMs required to configure a FreeIPA server on RHEL 8

The packages required to install and configure a FreeIPA server on RHEL 8 are delivered as a module. The IdM server module stream is called the DL1 stream, and we need to enable it before we can download packages from it.

Note:

On a RHEL system we must have a valid subscription with RHN, or we can configure a local offline repository from which the yum package manager can install the required rpms and their dependencies.

[root@ipa-server ~]# yum module enable idm:DL1

Switching module streams does not change the installed packages. To switch to the RPMs delivered through the idm:DL1 stream, run distro-sync:

[root@ipa-server ~]# yum distro-sync
Updating Subscription Management repositories.
Last metadata expiration check: 0:00:24 ago on Thu 26 Sep 2019 12:40:03 PM IST.
Dependencies resolved.
================================================================================================
 Package                  Arch   Version                 Repository                        Size
================================================================================================
Installing:
 kernel-core              x86_64 4.18.0-80.11.2.el8_0    ipa-server-for-x86_64-baseos-rpms     24 M
 kernel                   x86_64 4.18.0-80.11.2.el8_0    ipa-server-for-x86_64-baseos-rpms    424 k
 kernel-modules           x86_64 4.18.0-80.11.2.el8_0    ipa-server-for-x86_64-baseos-rpms     20 M
<Output trimmed>
Installed:
  kernel-core-4.18.0-80.11.2.el8_0.x86_64         kernel-4.18.0-80.11.2.el8_0.x86_64
  kernel-modules-4.18.0-80.11.2.el8_0.x86_64      grub2-tools-efi-1:2.02-66.el8_0.1.x86_64
Removed:
  kernel-4.18.0-80.el8.x86_64                      kernel-core-4.18.0-80.el8.x86_64
  kernel-modules-4.18.0-80.el8.x86_64
Complete!

If a new kernel was installed in the step above, it is best to reboot the node to activate the new kernel.

After the reboot we can also verify that the new kernel version is the one that was loaded.

[root@ipa-server ~]# reboot

To download the packages needed to install and configure a FreeIPA server on RHEL 8 without integrated DNS, install the server profile of the stream:

[root@ipa-server ~]# yum module install idm:DL1/server

Tip:

To install and configure a FreeIPA server with integrated DNS, as we do in this article, also install the dns profile:

[root@ipa-server ~]# yum module install idm:DL1/dns
Updating Subscription Management repositories.
Last metadata expiration check: 0:16:42 ago on Thu 26 Sep 2019 12:40:03 PM IST.
Dependencies resolved.
================================================================================================
 Package              Arch   Version                     Repository                        Size
================================================================================================
Installing group/module packages:
 ipa-server-dns       noarch 4.7.1-11.module+el8+2842+7481110c
                                                         ipa-server-for-x86_64-appstream-rpms 177 k
Installing dependencies:
 ldns                 x86_64 1.7.0-20.el8                ipa-server-for-x86_64-appstream-rpms 165 k
 bind-dyndb-ldap      x86_64 11.1-13.module+el8+2555+b334d87b
                                                         ipa-server-for-x86_64-appstream-rpms 130 k
 opendnssec           x86_64 1.4.14-1.module+el8+2555+b334d87b
                                                         ipa-server-for-x86_64-appstream-rpms 468 k
 bind                 x86_64 32:9.11.4-17.P2.el8_0.1     ipa-server-for-x86_64-appstream-rpms 2.1 M
 bind-pkcs11-utils    x86_64 32:9.11.4-17.P2.el8_0.1     ipa-server-for-x86_64-appstream-rpms 225 k
 bind-pkcs11-libs     x86_64 32:9.11.4-17.P2.el8_0.1     ipa-server-for-x86_64-appstream-rpms 1.1 M
 bind-pkcs11          x86_64 32:9.11.4-17.P2.el8_0.1     ipa-server-for-x86_64-appstream-rpms 378 k
<Output Trimmed>
Installed:
  ipa-server-dns-4.7.1-11.module+el8+2842+7481110c.noarch
  ldns-1.7.0-20.el8.x86_64
  bind-dyndb-ldap-11.1-13.module+el8+2555+b334d87b.x86_64
  opendnssec-1.4.14-1.module+el8+2555+b334d87b.x86_64
  bind-32:9.11.4-17.P2.el8_0.1.x86_64
  bind-pkcs11-utils-32:9.11.4-17.P2.el8_0.1.x86_64
  bind-pkcs11-libs-32:9.11.4-17.P2.el8_0.1.x86_64
  bind-pkcs11-32:9.11.4-17.P2.el8_0.1.x86_64
  libitm-8.2.1-3.5.el8.x86_64
  opencryptoki-3.10.0-3.el8.x86_64
  opencryptoki-libs-3.10.0-3.el8.x86_64
  sqlite-3.26.0-3.el8.x86_64
  opencryptoki-icsftok-3.10.0-3.el8.x86_64
Complete!

Install and configure a FreeIPA server on RHEL 8 with integrated DNS and CA certificate

The FreeIPA setup script creates a server instance, which includes configuring all the services required for the FreeIPA domain:

  • Network time daemon (ntpd)

  • A 389 Directory Server instance

  • Kerberos Key Distribution Center (KDC)

  • Apache (httpd)

  • An updated SELinux targeted policy

  • Active Directory WinSync plug-in

  • Certificate authority

  • Optional: Domain Name Service (DNS) server

To configure the FreeIPA server on RHEL 8, run the ipa-server-install script from a terminal. The script can accept user-defined settings for the services used by the FreeIPA instance (such as DNS and Kerberos), or it can supply predefined values to reduce the amount of input required from the administrator. In the run below, --allow-zone-overlap is passed because the example.com zone already exists in public DNS; the installer warns about this but proceeds, so in a real deployment make sure the domain is properly delegated to this IPA server.

[root@ipa-server ~]# ipa-server-install --allow-zone-overlap
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.7.1
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa-server.example.com]:
Warning: skipping DNS resolution of host ipa-server.example.com
The domain name has been determined based on the host name.
Please confirm the domain name [example.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Checking DNS domain example.com., please wait ...
DNS zone example.com. already exists in DNS and is handled by server(s): a.iana-servers.net., b.iana-servers.net. Please make sure that the domain is properly delegated to this IPA server.
Invalid IP address fe80::a00:27ff:fe26:9186 for ipa-server.example.com: cannot use link-local IP address fe80::a00:27ff:fe26:9186
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 8.8.8.8
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 10.0.2.20 [yes]:
Please specify the reverse zone name [2.0.10.in-addr.arpa.]:
Using reverse zone(s) 2.0.10.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname:       ipa-server.example.com
IP address(es): 10.0.2.20
Domain name:    example.com
Realm name:     EXAMPLE.COM
The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining:     self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       8.8.8.8
Forward policy:   only
Reverse zone(s):  2.0.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Adding [10.0.2.20 ipa-server.example.com] to your /etc/hosts file
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
<Output Trimmed>
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up. Uninstallation may not be able to revert to the original state.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp
        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

This configures the FreeIPA server on RHEL 8 for us. Next, verify the DNS zone configuration and the forward and reverse records:

[root@ipa-server ~]# dig +short ipa-server.example.com A
10.0.2.20
[root@ipa-server ~]# dig +short -x 10.0.2.20
ipa-server.example.com.

Authenticate to the Kerberos realm with the admin user's credentials to make sure the user is configured correctly and the Kerberos realm is reachable.

[root@ipa-server ~]# kinit admin
Password for admin@EXAMPLE.COM:

Use the klist command to verify the identity and the ticket-granting ticket (TGT) obtained from the server:

[root@ipa-server ~]# klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
09/26/2019 17:07:22  09/27/2019 17:07:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Access the IPA server web GUI

After successfully installing and configuring the FreeIPA server on RHEL 8, we can also use the UI to access the IPA server. To use the web UI, the user must be authenticated with the FreeIPA Kerberos domain and have an active Kerberos ticket. Generally, the web UI can only be accessed from the FreeIPA server or a client machine, and the user must be authenticated locally. There are two ways around this: configure Kerberos on the non-domain machine so that it connects to the Kerberos domain, or use password authentication to the UI.

To open the web UI:

  • Obtain a valid Kerberos ticket using kinit.

  • Open the FreeIPA URL. The full URL is https://IPAserver-FQDN/ipa/ui, but the service can also be reached by opening https://IPAserver-FQDN.

Set up a system as a FreeIPA client

After completing the FreeIPA server configuration on RHEL 8, we continue with setting up the client node. The following tasks are performed in the background when a system is integrated into the FreeIPA server as a client:

  • Retrieves the CA certificate of the FreeIPA CA.

  • Creates a separate Kerberos configuration to test the provided credentials. This allows a Kerberos connection to the FreeIPA XML-RPC server, which is required to join the FreeIPA client to the FreeIPA domain. This Kerberos configuration is ultimately discarded.

  • Sets up the Kerberos configuration, including the realm and domain details and the default ticket attributes. Forwardable tickets are configured by default, which facilitates connections to the administration interface from any operating system and also provides auditing of administrative operations.

  • Runs the ipa-join command to perform the actual join.

  • Obtains the service principal for the host service and installs it into /etc/krb5.keytab, for example "host/<client-FQDN>@EXAMPLE.COM".

  • Enables certmonger, retrieves the SSL server certificate and installs the certificate in /etc/pki/nssdb.

  • Disables the nscd daemon.

  • Configures SSSD or LDAP/KRB5, including the NSS and PAM configuration files.

  • Configures the OpenSSH server and client, and allows the host to create DNS SSHFP records.

  • Configures NTP.

Preparation

Make sure we have the credentials of a user authorized to enroll clients into the Identity Management domain. For example, this can be a hostadmin user with the "Enrollment Administrator" role. Here we will use the IPA admin credentials. On the client node, update the DNS settings in /etc/resolv.conf to point to the IPA server:

[root@ipa-client ~]# grep DNS /etc/sysconfig/network-scripts/ifcfg-enp0s3
DNS1=10.0.2.20
[root@ipa-client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.0.2.20

Restart the network service

Note:

By default, network.service is not available on RHEL 8 because it has been deprecated, so it has to be handled separately.

[root@ipa-client ~]# systemctl restart network

Install the packages required for the Identity Management client

On RHEL 8, the packages required to install an Identity Management client are delivered as a module. The IdM client packages are provided by these two IdM streams:

  • the idm:client stream

  • the idm:DL1 stream

Note:

On a RHEL system we must have a valid subscription with RHN, or we can configure a local offline repository from which the yum package manager can install the required rpms and their dependencies.

Install the ipa-client package from the idm:client stream

To download the packages needed to install the IdM client from this stream (idm:client is the module's default stream, so no stream name is needed):

[root@ipa-client ~]# yum module install idm

Install the ipa-client package from the idm:DL1 stream

To switch to the RPMs delivered through the idm:DL1 stream, enable it:

[root@ipa-client ~]# yum module enable idm:DL1 -y

Switching module streams does not change the installed packages, so run distro-sync:

[root@ipa-client ~]# yum distro-sync -y

Then download the packages needed to install the IdM client from this stream:

[root@ipa-client ~]#  yum module install idm:DL1/client -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:02:49 ago on Thu 26 Sep 2019 05:09:38 PM IST.
Dependencies resolved.
==========================================================================================================
 Package                    Arch       Version                               Repository              Size
==========================================================================================================
Installing group/module packages:
 ipa-client                 x86_64     4.7.1-11.module+el8+2842+7481110c     rhel_dvd_appstream     266 k
Installing dependencies:
 certmonger                 x86_64     0.79.6-5.el8                          rhel_dvd_appstream     654 k
 ipa-client-common          noarch     4.7.1-11.module+el8+2842+7481110c     rhel_dvd_appstream     169 k
 ipa-common                 noarch     4.7.1-11.module+el8+2842+7481110c     rhel_dvd_appstream     725 k
 nss-tools                  x86_64     3.41.0-5.el8                          rhel_dvd_appstream     567 k
<Output trimmed>
 python3-qrcode-core-5.1-11.module+el8+2555+b334d87b.noarch
  python3-yubico-1.3.2-9.module+el8+2555+b334d87b.noarch
  autofs-1:5.1.4-29.el8.x86_64
  krb5-workstation-1.16.1-22.el8.x86_64
  libkadm5-1.16.1-22.el8.x86_64
  python3-dns-1.15.0-8.el8.noarch
  python3-libipa_hbac-2.0.0-43.el8.x86_64
  python3-sss-2.0.0-43.el8.x86_64
  python3-sss-murmur-2.0.0-43.el8.x86_64
  sssd-tools-2.0.0-43.el8.x86_64
Complete!

Install the Identity Management client

Run the ipa-client-install utility on the system to be configured as an Identity Management client. The installation script tries to obtain all required settings automatically, for example from DNS records.

Tip:

Add the --enable-dns-updates option to update the DNS records with the client system's IP address. In the run below the installer reports that ipa-client.example.com has no A/AAAA record and no reverse record; with this option the client would register its address in DNS itself.
[root@ipa-client ~]# ipa-client-install
This program will set up IPA client.
Version 4.7.1
Discovery was successful!
Client hostname: ipa-client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa-server.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2019-09-26 11:22:07
Valid Until: 2039-09-26 11:22:07
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Hostname (ipa-client.example.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): 10.0.2.14.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Authenticate to the Kerberos realm with the admin user's credentials to make sure the user is configured correctly and the Kerberos realm is reachable from the client.

[root@ipa-client ~]# kinit admin
Password for admin@EXAMPLE.COM:

Use the klist command to verify the identity and the ticket-granting ticket (TGT) obtained from the server:

[root@ipa-client ~]# klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
09/26/2019 17:17:38  09/27/2019 17:17:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
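The dig, kinit and klist checks the article runs by hand after ipa-server-install (above) and after ipa-client-install (here) can be combined into one verification. The script below is an added example, not code from the article; reverse_ptr_name, tgt_realm and verify_ipa_host are its own names, and it assumes dig and klist are installed and that kinit admin has already been run on the host being checked.

```shell
#!/bin/sh
# Post-enrollment verification for a FreeIPA server or client (added example,
# not from the article). reverse_ptr_name, tgt_realm and verify_ipa_host are
# this example's own names.

# Build the PTR owner name that dig -x queries for an IPv4 address:
# 10.0.2.20 -> 20.2.0.10.in-addr.arpa. (inside the article's 2.0.10.in-addr.arpa. zone)
reverse_ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Read klist output on stdin and print the realm of the krbtgt/ service
# principal, i.e. the realm for which the cache holds a TGT; print nothing
# when no TGT is present.
tgt_realm() {
    awk '$NF ~ /^krbtgt\// { split($NF, p, "@"); print p[2]; exit }'
}

# Check forward DNS, reverse DNS and the Kerberos cache against the values the
# installer reported. Arguments: FQDN, IP address, realm.
verify_ipa_host() {
    fqdn=$1; ip=$2; realm=$3; rc=0
    a=$(dig +short "$fqdn" A)
    [ "$a" = "$ip" ] || { echo "FAIL: $fqdn resolves to '${a:-nothing}', expected $ip"; rc=1; }
    ptr=$(dig +short "$(reverse_ptr_name "$ip")" PTR)   # same query as dig +short -x "$ip"
    [ "$ptr" = "$fqdn." ] || { echo "FAIL: PTR for $ip is '${ptr:-nothing}', expected $fqdn."; rc=1; }
    got=$(klist 2>/dev/null | tgt_realm)
    [ "$got" = "$realm" ] || { echo "FAIL: no TGT for $realm in the credential cache; run kinit admin"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $fqdn ($ip) has working DNS and Kerberos in $realm"
    return "$rc"
}

# Usage: sh verify-ipa.sh --run ipa-client.example.com 10.0.2.14 EXAMPLE.COM
case "${1:-}" in --run) verify_ipa_host "$2" "$3" "$4" ;; esac
```

On the client enrolled above, the PTR check fails until the missing reverse record reported by ipa-client-install is created.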

Uninstall the Identity Management client

As an administrator, we can remove an Identity Management client from the environment.

Uninstalling a client removes it from the Identity Management domain, together with all Identity Management-specific configuration of system services such as the System Security Services Daemon (SSSD). This restores the client system's previous configuration.

Run the ipa-client-install --uninstall command:

[root@ipa-client ~]# ipa-client-install --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: no
The ipa-client-install command was successful