Install and Configure FreeIPA Server on CentOS 8 / RHEL 8

Date: 2020-02-23 14:30:34  Source: igfitidea

Welcome to our guide on how to install and configure a FreeIPA server on RHEL 8 / CentOS 8. FreeIPA is a free and open-source identity management tool sponsored by Red Hat, and it is the upstream of Red Hat Identity Manager (IdM). In this guide we will discuss how to install and configure FreeIPA Server on a CentOS 8 / RHEL 8 Linux server.

The FreeIPA identity management system aims to provide a simple way to centrally manage identities, policies and auditing for users and services. It is designed to provide integrated identity management services for a variety of clients, including Linux, Mac and even Windows.

Benefits of using FreeIPA

Central authentication management: centralized management of users, machines and services in large Linux/Unix enterprise environments.
Fine-grained access control: a clear way to define access control policies for managing user identities and delegating administrative tasks.
One-time passwords (OTP): a popular way of implementing two-factor authentication (2FA).
Direct connection to Active Directory: we can retrieve information from Active Directory (AD) and join a domain or realm in a standard way.
Active Directory cross-realm trust: as system administrators we can establish a cross-forest Kerberos trust with Microsoft Active Directory, which gives external Active Directory (AD) users convenient access to resources in the Identity Management domain.
Integrated public key infrastructure (PKI) services: PKI services that issue certificates for hosts and services, certificate revocation lists (CRLs) and OCSP signing, a service for software that validates issued certificates, and an API for requesting, displaying and finding certificates.

Components of a FreeIPA server

A FreeIPA server is made up of the following open-source projects:

389 Directory Server: the main data store, providing a full multi-master LDAPv3 directory infrastructure.
MIT Kerberos KDC: provides single sign-on authentication.
Dogtag Certificate System: provides the CA and RA for the certificate management functions.
ISC BIND DNS server: used to manage domain names.
Web UI / ipa command-line tool: used to centrally manage access control, delegation of administrative tasks and other network management tasks.
NTP server.

FreeIPA server installation requirements

A freshly installed RHEL/CentOS 8 server
A server with 4 GB of RAM (my installations with 1 GB and 2 GB of RAM failed)
2 vCPUs
Ports 443 and 80 not in use by other applications
An FQDN that resolves on a public or private DNS server
10 GB of disk space

Please see my server details below. The next section will discuss the steps required to install and configure FreeIPA Server on RHEL/CentOS 8.

$free -h
              total        used        free      shared  buff/cache   available
Mem:          3.7Gi       185Mi       3.3Gi       8.0Mi       196Mi       3.3Gi
Swap:         2.0Gi          0B       2.0Gi

$lscpu
 Architecture:        x86_64
 CPU op-mode(s):      32-bit, 64-bit
 Byte Order:          Little Endian
 CPU(s):              2
 On-line CPU(s) list: 0,1
 Thread(s) per core:  1
 Core(s) per socket:  1
 Socket(s):           2
 NUMA node(s):        1
 Vendor ID:           GenuineIntel
 CPU family:          6
 Model:               94
 Model name:          Intel Core Processor (Skylake, IBRS)
 Stepping:            3
 CPU MHz:             1800.000
 BogoMIPS:            3600.00
 Hypervisor vendor:   KVM
 Virtualization type: full
 L1d cache:           32K
 L1i cache:           32K
 L2 cache:            4096K
 L3 cache:            16384K
 NUMA node0 CPU(s):   0,1
 Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip

$df -h | grep root
/dev/mapper/rhel-root   17G  2.3G   15G  14% /
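The requirement list above is easy to check by hand with free, lscpu and df as shown, but it is also easy to skip one item and discover the problem only when ipa-server-install aborts. The following pre-flight script is an added example written for this guide, not part of FreeIPA; it turns each requirement into a small testable check. Thresholds are assumptions taken from the list (3.5 GiB is accepted as "4 GB" because the kernel reserves part of nominal memory, as the 3.7Gi in the free output above shows), the loopback rule reflects ipa-server-install's refusal of a host name that resolves to 127.0.0.1, and SAMPLE_LISTENERS is constructed ss -Hltn output.

```shell
#!/bin/sh
# ipa_preflight.sh - added example for this guide (not part of FreeIPA).
# Checks the requirements listed above before ipa-server-install is run.
# Each check takes its input as arguments, so it can be exercised without
# root and without touching the real system; preflight() gathers live values.

mem_ok()  { [ "$1" -ge 3670016 ]; }     # MemTotal in kB: 3.5 GiB (assumed "4 GB")
cpu_ok()  { [ "$1" -ge 2 ]; }           # online CPUs
disk_ok() { [ "$1" -ge 10485760 ]; }    # free kB on /: 10 GiB

# fqdn_ok NAME: at least two labels, no trailing dot, not a localhost name,
# only host-name characters.
fqdn_ok() {
    case "$1" in
        ""|*.|localhost|localhost.*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# addr_ok ADDR: ipa-server-install rejects a host name resolving to loopback.
addr_ok() {
    case "$1" in
        ""|127.*|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# port_free PORT LISTENERS: LISTENERS is the text of `ss -Hltn`, one socket
# per line with Local Address:Port in column 4; returns 1 if PORT is bound.
port_free() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 1 : 0 }'
}

# Constructed sample of `ss -Hltn` output: sshd and a stray web app on 8080.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [::]:22 [::]:*'

# report CHECK ARGS...: run a check, print PASS/FAIL, count failures.
report() {
    if "$@"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; fails=$((fails + 1)); fi
}

# preflight: gather live values and report; returns the number of failures.
preflight() {
    fails=0
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
    cpus=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 0)
    disk=$(df -Pk / 2>/dev/null | awk 'NR==2 {print $4}')
    host=$(hostname -f 2>/dev/null)
    addr=$(getent hosts "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    listeners=$(ss -Hltn 2>/dev/null)

    report mem_ok  "${mem:-0}"
    report cpu_ok  "${cpus:-0}"
    report disk_ok "${disk:-0}"
    report fqdn_ok "$host"
    report addr_ok "$addr"
    report port_free 80  "$listeners"
    report port_free 443 "$listeners"
    echo "$fails check(s) failed"
    return "$fails"
}

# Only run against the live system when asked, so the file can be sourced.
[ "${1:-}" = "--run" ] && preflight
```

Run it as `sh ipa_preflight.sh --run` on the prospective IPA host; a non-zero exit status means at least one requirement is not met, and the FAIL line names it.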

Set the time zone and host name

Before continuing, the server must have the correct time zone and host name. The FreeIPA server will also run an NTP service, and a correct time zone ensures that the time on the server is right.

See: How to set the hostname and time zone on RHEL/CentOS 8

RHEL IdM is an integrated solution that provides centrally managed identity (users, hosts, services), authentication (SSO, 2FA) and authorization (host-based access control, SELinux user roles, services).

Install FreeIPA Server on RHEL/CentOS 8

My installation failed with SELinux in enforcing mode; I suggest setting it to permissive or disabling it.

sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

The FreeIPA server and client packages are distributed through the AppStream repository in RHEL/CentOS 8. We can check the available IdM modules:

$sudo yum module list idm
 Updating Subscription Management repositories.
 Updating Subscription Management repositories.
 Last metadata expiration check: 0:16:51 ago on Sat 29 Dec 2016 09:52:44 AM EAT.
 Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
 Name         Stream             Profiles                                          Summary
 idm          DL1                adtrust, client, dns, server, default [d]         The Red Hat Enterprise Linux Identity Management system module
 idm          client [d]         default [d]                                       RHEL IdM long term support client module
 Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

From the output we can see that we have the DL1 and client streams. For more information about the server module, run:

sudo yum module info idm:DL1

Since this is a FreeIPA Server installation, install the DL1 stream first and then freeipa-server:

sudo yum -y install @idm:DL1
sudo yum -y install freeipa-server

Other streams that this installation pulls in as dependencies are 389-ds, httpd, pki-core and pki-deps.

If you want to include the DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:

sudo yum install ipa-server-dns bind-dyndb-ldap

Set up the IPA server on RHEL/CentOS 8

The initial configuration of the FreeIPA server is interactive; we only need to answer a few questions and all the dirty work is done by the script. We will be asked to provide:

Integrated DNS: if DNS zones and SRV records are already set up correctly on the system, we can proceed by choosing the default, no.
Host name: by default obtained using reverse DNS.
Domain name: by default based on the host name.
Realm name: by default based on the domain name.
Directory Manager password: the password for the directory server's administrative account.
IPA admin password: the password for the IdM server's superuser.

If we do not have a DNS server that resolves the server's host name, modify the /etc/hosts file to include the host name and IP address:

echo "192.168.122.198 ipa.example.com" | sudo tee -a /etc/hosts

Confirm:

$ping -c 2 ipa.example.com
 PING ipa.example.com (192.168.122.198) 56(84) bytes of data.
 64 bytes from ipa.example.com (192.168.122.198): icmp_seq=1 ttl=64 time=0.040 ms
 64 bytes from ipa.example.com (192.168.122.198): icmp_seq=2 ttl=64 time=0.113 ms
 --- ipa.example.com ping statistics --
 2 packets transmitted, 2 received, 0% packet loss, time 30ms
 rtt min/avg/max/mdev = 0.040/0.076/0.113/0.037 ms

Configure the server host name to match the name above. Don't forget to replace "ipa.example.com" with a valid host name.

export HNAME="ipa.example.com"
sudo hostnamectl set-hostname $HNAME --static
sudo hostname $HNAME

Then configure the IPA server with the ipa-server-install command. Run it as a user with sudo privileges or as root.

sudo ipa-server-install

If you also want to configure the DNS service, include the --setup-dns option:

sudo ipa-server-install --setup-dns

The installer will configure a stand-alone CA (dogtag) for certificate management, configure the NTP client (chronyd), create and configure a Directory Server instance, create and configure a Kerberos Key Distribution Center (KDC), configure Apache (httpd) and configure the KDC to enable PKINIT. Sample output:

$sudo ipa-server-install
 The log file for this installation can be found in /var/log/ipaserver-install.log
 This program will set up the IPA Server.
 Version 4.7.1
 This includes:
 Configure a stand-alone CA (dogtag) for certificate management
 Configure the NTP client (chronyd)
 Create and configure an instance of Directory Server
 Create and configure a Kerberos Key Distribution Center (KDC)
 Configure Apache (httpd)
 Configure the KDC to enable PKINIT 
 To accept the default shown in brackets, press the Enter key.
 Do you want to configure integrated DNS (BIND)? [no]: <yes/no>
 Enter the fully qualified domain name of the computer
 on which you're setting up server software. Using the form
 <hostname>.<domainname>
 Example: master.example.com.
 Server host name [ipa.example.com]: <Set/Confirm Hostname>
 The domain name has been determined based on the host name.
 Please confirm the domain name [example.com]: <Confirm domain name>
 The kerberos protocol requires a Realm name to be defined.
 This is typically the domain name converted to uppercase.
 Please provide a realm name [EXAMPLE.COM]: <Confirm Real name>
 Certain directory server operations require an administrative user.
 This user is referred to as the Directory Manager and has full access
 to the Directory for system management tasks and will be added to the
 instance of directory server created for IPA.
 The password must be at least 8 characters long.
 Directory Manager password: <Enter Password>
 Password (confirm): <Confirm Password>
 The IPA server requires an administrative user, named 'admin'.
 This user is a regular system account used for IPA server administration.
 IPA admin password: <Enter Password>
 Password (confirm): <Confirm Password>
 The IPA Master Server will be configured with:
 Hostname:       ipa.example.com
 IP address(es): 192.168.122.198
 Domain name:    example.com
 Realm name:     EXAMPLE.COM
 The CA will be configured with:
 Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
 Subject base: O=EXAMPLE.COM
 Chaining:     self-signed
 Continue to configure the system with these values? [no]: yes
 The following operations may take some minutes to complete.
 Please wait until the prompt is returned.
.....

A successful installation should produce output similar to the following:

....
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.7.1

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Setup complete

Configure the firewall

It is recommended to run the firewall service and allow access to the ports used by the FreeIPA server services:

sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload
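The installer output says "Setup complete", but before handing the server to clients it is worth confirming that the services are actually bound, that the firewall rules just added cover all of them, that SELinux is back in enforcing mode (FreeIPA ships its own policy and runs enforcing; permissive was only an installer workaround), and that the CA certificate the clients will trust carries our realm. The script below is an added example for this guide, not FreeIPA's own tooling (ipactl status remains the project's own service check). The port table is my reading of the firewalld services used above, the realm EXAMPLE.COM and /etc/ipa/ca.crt come from this guide, and SAMPLE_LISTENERS is constructed ss -Hltun output.

```shell
#!/bin/sh
# ipa_postcheck.sh - added example for this guide, not part of FreeIPA.
# Post-install verification: sockets bound, firewalld services allowed,
# SELinux enforcing, CA subject belongs to our realm.

IPA_FW_SERVICES="http https dns ntp freeipa-ldap freeipa-ldaps"
# Assumed from the firewalld services above: HTTP/HTTPS, LDAP/LDAPS,
# Kerberos (88) and kpasswd (464) over tcp+udp, DNS, NTP.
IPA_REQUIRED_SOCKETS="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 udp/88 udp/464 udp/53 udp/123"
IPA_REALM="EXAMPLE.COM"
IPA_CA_CERT="/etc/ipa/ca.crt"

# missing_services ALLOWED: ALLOWED is `firewall-cmd --list-services` output;
# prints the FreeIPA services it does not contain, space separated.
missing_services() {
    out=""
    for s in $IPA_FW_SERVICES; do
        case " $1 " in
            *" $s "*) ;;
            *) out="$out${out:+ }$s" ;;
        esac
    done
    printf '%s\n' "$out"
}

# fw_fix_cmd ALLOWED: prints the firewall-cmd line that closes the gap.
fw_fix_cmd() {
    m=$(missing_services "$1")
    if [ -z "$m" ]; then
        echo "firewall already allows all FreeIPA services"
    else
        echo "sudo firewall-cmd --permanent --add-service={$(printf '%s' "$m" | tr ' ' ',')} && sudo firewall-cmd --reload"
    fi
}

# socket_bound PROTO PORT LISTENERS: LISTENERS is the text of `ss -Hltun`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); returns 0 if bound.
socket_bound() {
    printf '%s\n' "$3" | awk -v pr="$1" -v po="$2" '
        $1 == pr { n = split($5, a, ":"); if (a[n] == po) found = 1 }
        END { exit found ? 0 : 1 }'
}

# sockets_missing LISTENERS: prints every required proto/port not bound.
sockets_missing() {
    out=""
    for spec in $IPA_REQUIRED_SOCKETS; do
        socket_bound "${spec%/*}" "${spec#*/}" "$1" || out="$out${out:+ }$spec"
    done
    printf '%s\n' "$out"
}

# selinux_ok MODE: expect getenforce to report Enforcing once installed.
selinux_ok() { [ "$1" = "Enforcing" ]; }

# ca_subject_ok SUBJECT: SUBJECT is `openssl x509 -noout -subject` output;
# the installer printed "Subject DN: CN=Certificate Authority,O=EXAMPLE.COM",
# so the organisation must be our realm (both openssl spacing styles accepted).
ca_subject_ok() {
    case "$1" in
        *"O = $IPA_REALM"*|*"O=$IPA_REALM"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: everything bound except DNS (installed without --setup-dns).
SAMPLE_LISTENERS='tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 [::]:443 [::]:*
tcp LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:636 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:464 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:464 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*'

# postcheck: run every check against the live host.
postcheck() {
    listeners=$(ss -Hltun 2>/dev/null)
    allowed=$(firewall-cmd --list-services 2>/dev/null)
    mode=$(getenforce 2>/dev/null)
    subject=$(openssl x509 -in "$IPA_CA_CERT" -noout -subject 2>/dev/null)
    echo "sockets not bound: $(sockets_missing "$listeners")"
    echo "firewall: $(fw_fix_cmd "$allowed")"
    if selinux_ok "$mode"; then echo "SELinux: Enforcing"; else echo "SELinux: ${mode:-unknown}, restore enforcing mode"; fi
    if ca_subject_ok "$subject"; then echo "CA: subject carries realm $IPA_REALM"; else echo "CA: unexpected subject: $subject"; fi
}

[ "${1:-}" = "--run" ] && postcheck
```

Run it as `sudo sh ipa_postcheck.sh --run` on the IPA server. tcp/53 and udp/53 show up as missing on a server installed without --setup-dns, which is expected; everything else in the list should be bound.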

Access the FreeIPA web interface

The FreeIPA server installation is ready. Access the web UI at https://ipa.example.com.

Log in with the "admin" user name and the "IPA admin password" provided during the installation.

The FreeIPA administration dashboard should be shown. Administration of the FreeIPA server can be done from the web UI or from the command line.

Using the FreeIPA CLI

To use the ipa commands we first need to obtain a Kerberos ticket:

$sudo kinit admin
Password for admin@EXAMPLE.COM:

Use klist to check the ticket expiration information:

$klist 
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
03/24/2019 11:48:06  03/25/2019 11:48:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Set the default shell for users to /bin/bash:

$sudo ipa config-mod --defaultshell=/bin/bash 
   Maximum username length: 32
   Home directory base: /home
   Default shell: /bin/bash
   Default users group: ipausers
   Default e-mail domain: example.com
   Search time limit: 2
   Search size limit: 100
   User search fields: uid,givenname,sn,telephonenumber,ou,title
   Group search fields: cn,description
   Enable migration mode: FALSE
   Certificate Subject base: O=EXAMPLE.COM
   Password Expiration Notification (days): 4
   Password plugin features: AllowNThash, KDC:Disable Last Success
   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
   Default SELinux user: unconfined_u:s0-s0:c0.c1023
   Default PAC types: MS-PAC, nfs:NONE
   IPA masters: ipa.example.com
   IPA CA servers: ipa.example.com
   IPA CA renewal master: ipa.example.com
   IPA master capable of PKINIT: ipa.example.com

Test by adding a user account and then listing the current accounts:

$sudo ipa user-add test  --first=Test --last=User \
--email=test@example.com --password

Password: 
Enter Password again to verify: 
------------------
 Added user "test"
------------------
   User login: test
   First name: Test
   Last name: User
   Full name: Test User
   Display name: Test User
   Initials: TU
   Home directory: /home/test
   GECOS: Test User
   Login shell: /bin/bash
   Principal name: test@EXAMPLE.COM
   Principal alias: test@EXAMPLE.COM
   User password expiration: 20190324085532Z
   Email address: test@example.com
   UID: 1201400001
   GID: 1201400001
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True

To list the user accounts that have been added, run:

$sudo ipa user-find
--------------
2 users matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@EXAMPLE.COM
  UID: 1201400000
  GID: 1201400000
  Account disabled: False

  User login: test
  First name: Test
  Last name: User
  Home directory: /home/test
  Login shell: /bin/bash
  Principal name: test@EXAMPLE.COM
  Principal alias: test@EXAMPLE.COM
  Email address: test@example.com
  UID: 1201400001
  GID: 1201400001
  Account disabled: False
---------------------------
Number of entries returned 2
---------------------------

Try logging in as the "test" user. On the first login we are asked to change the password:

$ssh test@ipa.example.com
Password: 
Password expired. Change your password now.
Current Password: 
New password: <Set new password>
Retype new password: 
Activate the web console with: systemctl enable --now cockpit.socket
$id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
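The kinit, ipa user-add and ipa user-find steps above are typed interactively, with the initial password entered twice at a prompt. The script below is an added example for this guide, not FreeIPA's own code, that wraps the same steps into one repeatable command: it validates the login name against the 32-character limit that ipa config-mod reported, makes sure a ticket exists with klist -s before calling ipa, generates a random initial password instead of inventing one, and relies on IPA marking that password expired so the first login forces a change, exactly the "Password expired" prompt in the ssh session above. Assumptions: the realm is EXAMPLE.COM and the default e-mail domain is example.com, as configured in this guide; the login pattern is a stricter local convention than IPA's own default; and ipa reads the password and its confirmation from standard input when --password is given.

```shell
#!/bin/sh
# ipa_add_user.sh - added example for this guide, not part of FreeIPA.
# Usage: sh ipa_add_user.sh --run LOGIN FIRST LAST

ADMIN_PRINCIPAL="admin@EXAMPLE.COM"   # realm from this guide
MAIL_DOMAIN="example.com"             # "Default e-mail domain" in ipa config-mod output
MAX_LOGIN_LEN=32                      # "Maximum username length: 32" in the same output

# valid_login NAME: 1..32 chars, starts with [a-z0-9_], rest [a-z0-9_.-].
# Stricter than IPA's default pattern; a local convention (assumption).
valid_login() {
    [ -n "$1" ] && [ "${#1}" -le "$MAX_LOGIN_LEN" ] || return 1
    case "$1" in
        [!a-z0-9_]*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# gen_initial_password LEN: random alphanumeric string from /dev/urandom.
gen_initial_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-16}"
}

# ensure_ticket: klist -s is silent and succeeds only with a valid ticket,
# so kinit is only invoked (and only prompts) when the cache is empty or expired.
ensure_ticket() {
    klist -s 2>/dev/null || kinit "$ADMIN_PRINCIPAL"
}

# ipa_add_user LOGIN FIRST LAST: create the account, print the one-time password.
ipa_add_user() {
    login=$1; first=$2; last=$3
    valid_login "$login" || { echo "invalid login name: $login" >&2; return 1; }
    ensure_ticket || return 1
    pw=$(gen_initial_password 16)
    # With --password the ipa client prompts "Password:" and "Enter Password
    # again to verify:"; both answers come from stdin here. IPA sets the
    # password as already expired, so the user must change it at first login.
    printf '%s\n%s\n' "$pw" "$pw" | ipa user-add "$login" \
        --first="$first" --last="$last" --email="$login@$MAIL_DOMAIN" --password \
        || return 1
    ipa user-show "$login" >/dev/null || return 1
    echo "created $login; hand over this one-time initial password out of band: $pw"
}

[ "${1:-}" = "--run" ] && ipa_add_user "$2" "$3" "$4"
```

Because the password is generated and printed once rather than typed, it never lands in the shell history, and the expired-at-creation behaviour means the value the administrator saw is unusable after the user's first login.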

We have successfully installed FreeIPA Server on CentOS/RHEL 8.

Uninstall FreeIPA Server on RHEL/CentOS 8

To uninstall FreeIPA Server, run:

$sudo ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes

If this server is the last instance of CA, KRA, or DNSSEC master, uninstallation may result in data loss.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
.......