How to configure FreeIPA replication on Ubuntu/CentOS

Posted: 2020-02-23 14:38:11  Source: igfitidea

How do you configure FreeIPA replication? Do you have only one FreeIPA server and worry about a single point of failure? In this article we cover the complete steps for configuring FreeIPA replication on Ubuntu 18.04, Ubuntu 16.04 and CentOS servers. Once a FreeIPA replica is set up, FreeIPA clients can continue to authenticate even if one server goes down.

To follow this guide you should already have a FreeIPA server installed and running, with a test account. For the FreeIPA server installation, see our guides:

How to install FreeIPA Server on Ubuntu 18.04 and Ubuntu 16.04

How to install FreeIPA Server on CentOS 7

Install FreeIPA Server on CentOS/RHEL 8

Once the FreeIPA server is installed and configured, no further preparation is needed; you can start setting up FreeIPA replication.

Test environment setup

I have a FreeIPA master server with the hostname ipa.theitroad.local, and the replica will be configured on ipa-replica.theitroad.local. The IP addresses of the two servers are as follows:

Configure DNS or the local hosts file

On both servers, make sure the hostname of each server can be resolved. This is important if there is no working DNS service in your infrastructure.

sudo vim /etc/hosts

Make sure the lines look like the following, replacing the hostnames with your own.

192.168.10.10 ipa.theitroad.local ipa
192.168.10.11 ipa-replica.theitroad.local ipa-replica

Make sure the hostname is configured correctly:

sudo hostnamectl set-hostname ipa-replica.theitroad.local
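As an added preflight check (not part of the original guide), the following POSIX shell script verifies what the two steps above set up: that a hosts file maps each FreeIPA server's FQDN to the expected address, and that the name being set with hostnamectl is fully qualified. It runs against a constructed sample hosts file; on a real server pass /etc/hosts and the output of `hostname -f` instead. The function names and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the /etc/hosts and hostname steps.
# Runs offline against a constructed sample; on a real server use /etc/hosts
# and "$(hostname -f)" instead.

# check_hosts_entry FILE FQDN IP
# Returns 0 if FILE maps IP to FQDN, 1 if FQDN is absent, 2 if FQDN is
# present but bound to a different address (a classic replication breaker).
check_hosts_entry() {
    _file=$1; _fqdn=$2; _ip=$3
    # Drop comments, then scan every name field (field 2 onward) for the FQDN.
    _found=$(sed 's/#.*//' "$_file" | awk -v h="$_fqdn" '
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }')
    [ -z "$_found" ] && return 1
    [ "$_found" = "$_ip" ] && return 0
    echo "$_fqdn resolves to $_found in $_file, expected $_ip" >&2
    return 2
}

# hostname_is_fqdn NAME
# Returns 0 only for a dotted name made of hostname characters
# (ipa-replica.theitroad.local); 1 for a short name such as "ipa-replica".
# FreeIPA requires the FQDN on every server and client.
hostname_is_fqdn() {
    case $1 in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, or contains spaces/odd chars
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight FILE FQDN IP -- runs both checks for one server and prints a verdict.
preflight() {
    hostname_is_fqdn "$2" || { echo "FAIL: $2 is not an FQDN"; return 1; }
    check_hosts_entry "$1" "$2" "$3" || { echo "FAIL: no correct hosts entry for $2"; return 1; }
    echo "OK: $2 -> $3"
}

# Constructed sample mirroring the guide's two entries (not a real /etc/hosts).
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
# FreeIPA master and replica
192.168.10.10 ipa.theitroad.local ipa
192.168.10.11 ipa-replica.theitroad.local ipa-replica
EOF

preflight "$SAMPLE_HOSTS" ipa.theitroad.local 192.168.10.10
preflight "$SAMPLE_HOSTS" ipa-replica.theitroad.local 192.168.10.11
```

Run it on each server before installing anything: a short hostname or an entry pointing at the wrong address is caught here rather than halfway through ipa-replica-install.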

Install the FreeIPA client on the replica server

To install the FreeIPA client on CentOS 7 and Ubuntu servers, refer to our earlier guide: How to configure FreeIPA Client on Ubuntu 18.04/Ubuntu 16.04/CentOS 7.

In summary, the only steps required are:

For CentOS 7:

$ sudo yum install ipa-client
$ sudo ipa-client-install --hostname=$(hostname -f) \
    --mkhomedir \
    --server=ipa.theitroad.local \
    --domain theitroad.local \
    --realm theitroad.local

For Ubuntu 18.04/Ubuntu 16.04:

$ sudo apt-get install freeipa-client
$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
$ sudo pam-auth-update

Install the FreeIPA server packages on the replica server

Once the FreeIPA client has been installed and configured on the replica, the next step is to install the FreeIPA server packages on it.

For Ubuntu 18.04/Ubuntu 16.04, use:

sudo apt-get install freeipa-server

For CentOS 7, run:

sudo yum -y install ipa-server

Test by requesting a Kerberos ticket on the replica:

[theitroad@localhost ~]# kinit admin
Password for theitroad@localhost: 
[theitroad@localhost ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: theitroad@localhost
Valid starting       Expires              Service principal
06/30/2016 11:58:58  07/01/2016 11:58:56  krbtgt/theitroad@localhost

Add the replica server to the ipaservers host group on the FreeIPA server

Log in to the FreeIPA server and add the replica to the ipaservers host group:

[theitroad@localhost ~]# kinit admin
Password for theitroad@localhost

[theitroad@localhost ~]# ipa hostgroup-add-member ipaservers --hosts ipa-replica.theitroad.local
Host-group: ipaservers
Description: IPA server hosts
Member hosts: ipa.theitroad.local, ipa-replica.theitroad.local
------------------------
Number of members added 1
------------------------

We can see that there are now two member hosts: the IPA server and the IPA replica.

For a CentOS 7 FreeIPA server with firewalld running, open the freeipa-replication service in firewalld.

On the IPA server:

sudo firewall-cmd --add-service=freeipa-replication --permanent
sudo firewall-cmd --reload

Run ipa-replica-install on the replica server

At this point all we need to do is run the ipa-replica-install command on the replica server; it syncs the FreeIPA server configuration and prepares the server for client connections.

[theitroad@localhost ~]# ipa-replica-install 
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configuring replication version plugin
  [11/42]: enabling IPA enrollment plugin
  [12/42]: configuring uniqueness plugin
  [13/42]: configuring uuid plugin
  [14/42]: configuring modrdn plugin
  [15/42]: configuring DNS plugin
  [16/42]: enabling entryUSN plugin
  [17/42]: configuring lockout plugin
  [18/42]: configuring topology plugin
  [19/42]: creating indices
  [20/42]: enabling referential integrity plugin
  [21/42]: configuring certmap.conf
  [22/42]: configure new location for managed entries
  [23/42]: configure dirsrv ccache
  [24/42]: enabling SASL mapping fallback
  [25/42]: restarting directory server
  [26/42]: creating DS keytab
  [27/42]: ignore time skew for initial replication
  [28/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [29/42]: prevent time skew after initial replication
  [30/42]: adding sasl mappings to the directory
  [31/42]: updating schema
  [32/42]: setting Auto Member configuration
  [33/42]: enabling S4U2Proxy delegation
  [34/42]: initializing group membership
  [35/42]: adding master entry
  [36/42]: initializing domain level
  [37/42]: configuring Posix uid/gid generation
  [38/42]: adding replication acis
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the KDC

If the installation succeeds, you should not see any errors.

Configure firewalld on the replica server (CentOS 7)

Open the IPA server ports on the replica server by running the following commands:

sudo firewall-cmd --add-service={ssh,dns,freeipa-ldap,freeipa-ldaps,freeipa-replication} --permanent
sudo firewall-cmd --reload
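A successful ipa-replica-install run is not the end of the story: the replication agreement should be checked from the master, and the firewall rules above should be verified rather than assumed. The following script is an added example, not part of the original guide. It parses the output of `ipa-replica-manage list -v` (FreeIPA reports a healthy agreement with status code 0, "Error (0) Replica acquired successfully ...") and of `firewall-cmd --list-services`; both are fed constructed sample text here so the checks run offline, and check_replica_live shows how to wire them to the real commands on a master that holds an admin ticket. Function names, the sample output and the second replica name are this example's assumptions.

```shell
#!/bin/sh
# Added example: post-install verification for a new replica. Parses
# `ipa-replica-manage list -v <master>` and `firewall-cmd --list-services`
# output; both are constructed sample text here so the checks run offline.

# replication_problems
# Reads `ipa-replica-manage list -v` output on stdin. A healthy agreement
# ends its "last update status" with code 0 ("Error (0) Replica acquired
# successfully: ..."); any other status is printed as "<replica>: <status>".
# Returns 1 if at least one agreement is unhealthy, 0 otherwise.
replication_problems() {
    awk '
        /^[^ \t].*: replica$/ { name = $0; sub(/: replica$/, "", name); next }
        /^[ \t]+last update status:/ {
            status = $0
            sub(/^[ \t]+last update status:[ \t]*/, "", status)
            if (status !~ /^Error \(0\)/) { print name ": " status; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# missing_firewall_services "ACTIVE" SERVICE...
# ACTIVE is the space-separated output of `firewall-cmd --list-services`.
# Prints each required SERVICE that is not active; returns 1 if any is missing.
missing_firewall_services() {
    _active=" $1 "; shift
    _missing=0
    for _svc in "$@"; do
        case $_active in
            *" $_svc "*) ;;
            *) echo "$_svc"; _missing=1 ;;
        esac
    done
    return $_missing
}

# The services the guide opens on a CentOS 7 replica.
REPLICA_SERVICES="ssh dns freeipa-ldap freeipa-ldaps freeipa-replication"

# Live check for a real replica (defined but not run here): `kinit admin` first.
check_replica_live() {
    ipa-replica-manage list -v "$(hostname -f)" | replication_problems || return 1
    # shellcheck disable=SC2086
    missing_firewall_services "$(firewall-cmd --list-services)" $REPLICA_SERVICES
}

# Constructed sample output: one healthy agreement, one that cannot connect.
SAMPLE_REPL='ipa-replica.theitroad.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2020-02-23 14:30:00+00:00
ipa-replica2.theitroad.local: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: connection refused
  last update ended: 2020-02-23 14:31:00+00:00'

# Constructed `firewall-cmd --list-services` output with two services still closed.
SAMPLE_FW="ssh dhcpv6-client dns freeipa-ldap"

printf '%s\n' "$SAMPLE_REPL" | replication_problems || echo "replication: problems found (listed above)"
# shellcheck disable=SC2086
missing_firewall_services "$SAMPLE_FW" $REPLICA_SERVICES || echo "firewall: services listed above are not open"
```

Running replication_problems from cron or a monitoring agent on each master turns a silently stale replica into an alert; a replica whose agreement keeps failing is exactly the one that will serve outdated credentials and policy to clients.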

Testing: enrolling a client against the FreeIPA replica

Test by configuring a client to use the FreeIPA replica you just set up.

$ sudo yum install ipa-client          # CentOS
$ sudo apt-get install freeipa-client  # Ubuntu

Configure the FreeIPA client

echo "192.168.10.10 ipa.theitroad.local ipa" >> /etc/hosts
echo "192.168.10.11 ipa-replica.theitroad.local ipa-replica" >> /etc/hosts

Then run the ipa-client-install command:

# ipa-client-install --hostname=$(hostname -f) \
    --mkhomedir --server=ipa-replica.theitroad.local \
    --domain theitroad.local --realm theitroad.local
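The reason for the replica is that a client keeps authenticating when one server is down, and that only holds if the client actually knows about both servers. ipa-client-install accepts --server more than once, and every server given ends up on the ipa_server line of the client's sssd.conf. The script below is an added example, not from the guide: it parses a constructed sssd.conf and reports whether the client has a failover target. Point sssd_ipa_servers at /etc/sssd/sssd.conf on an enrolled client; the function names and sample file are this example's assumptions.

```shell
#!/bin/sh
# Added example: verify that an enrolled client has more than one IPA server
# configured for failover. Runs against a constructed sssd.conf; on a real
# client pass /etc/sssd/sssd.conf (readable by root only).

# sssd_ipa_servers FILE
# Prints the servers from the ipa_server line of the first [domain/...]
# section, one per line, dropping the _srv_ DNS-discovery marker.
sssd_ipa_servers() {
    awk '
        /^[ \t]*\[/ { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && /^[ \t]*ipa_server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            n = split($0, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && parts[i] != "_srv_") print parts[i]
            exit
        }' "$1"
}

# client_has_failover FILE -> 0 if at least two explicit servers are listed
client_has_failover() {
    _n=$(sssd_ipa_servers "$1" | wc -l | tr -d ' ')
    [ "$_n" -ge 2 ]
}

# Constructed sssd.conf as a client would have after enrolling with
# --server=ipa-replica.theitroad.local --server=ipa.theitroad.local
SAMPLE_SSSD=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD"' EXIT
cat > "$SAMPLE_SSSD" <<'EOF'
[sssd]
domains = theitroad.local
services = nss, pam, ssh, sudo

[domain/theitroad.local]
id_provider = ipa
ipa_domain = theitroad.local
ipa_server = _srv_, ipa-replica.theitroad.local, ipa.theitroad.local
EOF

if client_has_failover "$SAMPLE_SSSD"; then
    echo "failover OK, servers:"; sssd_ipa_servers "$SAMPLE_SSSD"
else
    echo "only one IPA server configured; re-run ipa-client-install with both --server values"
fi
```

A client enrolled with a single --server, as in the command above, will still fail over only if DNS SRV records (the _srv_ marker) point at both servers; without working DNS it is pinned to the one server it was told about.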

Removing a FreeIPA replica

To remove a FreeIPA replica, first uninstall it on the replica server with:

[theitroad@localhost ~]# ipa-server-install --uninstall

Then, on the remaining master, remove the replica from the replication topology and from the ipaservers host group:

# ipa-replica-manage del ipa-replica.theitroad.local --force
# ipa hostgroup-remove-member ipaservers --hosts ipa-replica.theitroad.local