How to install a FreeIPA server on CentOS 7

Date: 2020-02-23 14:31:10  Source: igfitidea

In this guide we look at how to install FreeIPA Server on CentOS 7.
Once FreeIPA is running, the days of managing user accounts and authentication by hand on every Linux system are over.
I initially used a vanilla OpenLDAP server for identity management, and it was a real headache.

For those new to FreeIPA: it is an identity management system that aims to give users easily managed identity, policy and audit.

FreeIPA is an open-source project sponsored by Red Hat.
It is the upstream of the commercial Red Hat Identity Manager.
On the client side there is a client application for enrolling the target systems.

Minimum requirements for a FreeIPA installation

  • A server with 4 GB of RAM - I could not get the installation to work on servers with 1 GB or 2 GB of RAM
  • A CentOS server - CentOS 7.x or CentOS 6.x
  • 2 vCPUs
  • Ports 443 and 80 not in use by other applications
  • An FQDN that resolves through a public or private DNS server
  • 10 GB of disk space

Installing the FreeIPA server on CentOS 7

Before installing FreeIPA on our CentOS server, a few setup requirements have to be met.

Step 1: Update the system

I will add the EPEL repository and update all packages installed on the system.

sudo yum -y install epel-release
sudo yum -y update
sudo yum install bind-utils vim

Once the system is updated, continue with installing the FreeIPA server packages.

Step 2: Install the FreeIPA Server packages

Which packages we install depends on the services IPA should provide.
If the DNS service is not needed, just install the ipa-server package:

sudo yum -y install ipa-server

To include the DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:

sudo yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap

Step 3: Set up the IPA server

Configuring the FreeIPA server is a simple process: we only answer a few questions and the whole configuration is done for us.
If there is no DNS server that resolves the server's hostname, edit /etc/hosts so that it contains the hostname and IP address.

echo "172.16.11.20  ipa.theitroad.com" | sudo tee -a /etc/hosts

Set the server hostname to match the name used above:

sudo hostnamectl set-hostname ipa.theitroad.com

Then run the ipa-server-install command to configure the IPA server.
This has to be done as root:

sudo ipa-server-install

To configure the DNS service as well, include the --setup-dns option:

sudo ipa-server-install --setup-dns

We will be prompted to answer the following questions:

$sudo ipa-server-install 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]: 
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.theitroad.com]: 
The domain name has been determined based on the host name.
Please confirm the domain name [theitroad.com]: 
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [theitroad.COM]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: 
Password (confirm): 
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: 
Password (confirm): 

The IPA Master Server will be configured with:
Hostname:       ipa.theitroad.com
IP address(es): 192.168.x.x
Domain name:    theitroad.com
Realm name:     theitroad.COM
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
.....
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp
	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
...

Do you want to configure integrated DNS (BIND)?
[no]: no -> answer "yes" if you want to enable the DNS service (BIND).
Server host name [ipa.theitroad.com]: <press Enter to confirm>
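The requirements list and step 3 both come down to things that can be checked before ipa-server-install is run: enough memory, a hostname that is a real FQDN, an /etc/hosts entry when DNS does not resolve it, and ports 80 and 443 not taken by something else. The script below is an added example (not from the original guide and not part of the FreeIPA project) that performs those checks; it assumes a Linux host with /proc/meminfo, hostname(1) and ss(8), and the sample inputs in it are constructed to mirror the IP address and hostname used above.

```shell
#!/bin/sh
# Pre-flight checks for the requirements and step 3 above. Added example,
# not part of the original guide or of the FreeIPA project. Assumes a Linux
# host with /proc/meminfo, hostname(1) and ss(8); the sample inputs below are
# constructed to mirror the values used in the guide.

# 0 when NAME is a fully qualified name: two or more dot-separated labels
# made of letters, digits and inner hyphens.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# The realm the installer proposes is the domain name in upper case.
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# 0 when an /etc/hosts-style file on stdin maps IP to NAME (the step 3 entry).
hosts_has_entry() {
    awk -v ip="$1" -v name="$2" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 when `ss -ltn` output on stdin shows a listener on PORT (column 4 is
# "address:port"; the last colon-separated field is the port).
port_in_use() {
    awk -v port="$1" '
        { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 when MemTotal in kB (as /proc/meminfo reports it) is at least 4 GB; a
# 4 GB machine reports a little less than 4194304 kB, so allow some slack.
mem_ok() {
    [ "$1" -ge 3800000 ]
}

# Run every check against this host. Prints the first problem and returns 1.
ipa_preflight() {
    host=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$host" || { echo "hostname '$host' is not an FQDN"; return 1; }
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    mem_ok "$mem_kb" || { echo "only $mem_kb kB of RAM; 4 GB are needed"; return 1; }
    for p in 80 443; do
        if ss -ltn | port_in_use "$p"; then echo "port $p is already in use"; return 1; fi
    done
    domain=${host#*.}
    echo "ok: host=$host domain=$domain realm=$(realm_from_domain "$domain")"
}

# Offline demonstration on constructed input (the guide's IP and hostname).
demo_checks() {
    printf '127.0.0.1 localhost\n172.16.11.20  ipa.theitroad.com\n' |
        hosts_has_entry 172.16.11.20 ipa.theitroad.com || return 1
    printf 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n' | port_in_use 80 && return 1
    is_fqdn ipa.theitroad.com && mem_ok 4046000
}

# Touch the live system only when asked: sh ipa-preflight.sh run
if [ "${1:-}" = run ]; then ipa_preflight; fi
```

Running it with the argument run checks the machine you are on; without an argument it only defines the functions, so it can be sourced from other scripts. The FQDN check matters because the installer derives the domain and the Kerberos realm from the hostname, and a bare hostname gives it nothing to derive from.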

Step 4: Configure the firewall

If a firewall service is running (firewalld on CentOS 7.x), the ports required by the FreeIPA services have to be opened.
The ports to open are:

TCP Ports:
   * 80, 443: HTTP/HTTPS
   * 389, 636: LDAP/LDAPS
   * 88, 464: kerberos
UDP Ports:
   * 88, 464: kerberos
   * 123: ntp

Configure firewalld with the following commands:

sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload
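The firewall-cmd line above opens ports by service name rather than by number, so it is worth being able to confirm that what firewalld ends up exposing matches the list the installer printed. The following is an added example (not from the original guide and not part of the FreeIPA project): it parses the installer's "TCP Ports:/UDP Ports:" list, turns it into explicit --add-port arguments as an alternative, and compares it with the ports firewalld reports through firewall-cmd --list-ports and firewall-cmd --info-service=NAME. The port list embedded in it is copied from the installer output above as constructed input.

```shell
#!/bin/sh
# Firewall helpers for step 4. Added example, not part of the original guide
# or of the FreeIPA project. Assumes firewalld's firewall-cmd with the
# --list-ports and --info-service=NAME options; the port list below is the
# one the installer prints (copied from the guide as constructed input).

page_port_list() {
    cat <<'EOF'
TCP Ports:
   * 80, 443: HTTP/HTTPS
   * 389, 636: LDAP/LDAPS
   * 88, 464: kerberos
UDP Ports:
   * 88, 464: kerberos
   * 123: ntp
EOF
}

# Turn the "TCP Ports:/UDP Ports:" block on stdin into one "port/proto" per line.
installer_ports() {
    awk '
        /^[[:space:]]*TCP Ports:/ { proto = "tcp"; next }
        /^[[:space:]]*UDP Ports:/ { proto = "udp"; next }
        proto != "" && /^[[:space:]]*\*/ {
            sub(/^[[:space:]]*\*[[:space:]]*/, "")   # drop the bullet
            sub(/:.*$/, "")                            # drop the description
            n = split($0, ports, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) print ports[i] "/" proto
        }'
}

# The --add-port arguments that would open every port from stdin explicitly
# (an alternative to the service names used in the guide).
firewall_args() {
    installer_ports | awk '{ a = a (a == "" ? "" : " ") "--add-port=" $0 } END { print a }'
}

# Extract the "ports:" line of `firewall-cmd --info-service=NAME` output on stdin.
service_ports() {
    awk '$1 == "ports:" { $1 = ""; sub(/^ /, ""); print }'
}

# Print the ports from the list on stdin that are absent from OPEN ($1, a
# space-separated "port/proto" list). Prints an empty line when all are open.
missing_ports() {
    open=" $1 "
    missing=""
    for p in $(installer_ports); do
        case "$open" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Live check: ports opened explicitly plus those covered by the three services
# named in the guide, compared with the installer's list.
check_live() {
    open=$(firewall-cmd --list-ports)
    for svc in dns freeipa-ldap freeipa-ldaps; do
        open="$open $(firewall-cmd --info-service="$svc" | service_ports)"
    done
    left=$(page_port_list | missing_ports "$open")
    if [ -n "$left" ]; then
        echo "still closed: $left"; return 1
    fi
    echo "all installer ports are open"
}

if [ "${1:-}" = run ]; then check_live; fi
```

Run it with the argument run on the server after the firewall reload. Note that the dns service in the guide's command is only needed when the server was installed with --setup-dns; firewall-cmd --info-service=freeipa-ldap shows exactly which of the installer's ports the service definition covers, which is the quickest way to see why the guide does not open HTTP, Kerberos or NTP individually.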

Step 5: Access the FreeIPA web interface

With the firewall ports open and the FreeIPA server configured, we can reach its administration web interface.
Every IPA task can be done either in the web interface or with the ipa command-line tool.
Use https://ipa.theitroad.com/ to open the administration dashboard.
Replace ipa.computinforgeeks.com with your own hostname.

After logging in, we should see an interface similar to the following:

To use the ipa command we first need to obtain a Kerberos ticket.

# kinit admin
Password for Hyman@theitroad:

Use klist to check when the ticket expires.

# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: Hyman@theitroad
Valid starting       Expires              Service principal
06/01/2016 20:14:49  06/02/2016 20:14:44  krbtgt/Hyman@theitroad

Test the installation by adding a user account and listing the accounts that currently exist:

# ipa user-add jmutai  --first=Josphat --last=Mutai Hyman@theitroad  --shell=/bin/bash --password
Password: 
Enter Password again to verify: 
------------------
Added user "jmutai"
------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Full name: Josphat Mutai
  Display name: Josphat Mutai
  Initials: JM
  Home directory: /home/jmutai
  GECOS: Josphat Mutai
  Login shell: /bin/bash
  Principal name: Hyman@theitroad
  Principal alias: Hyman@theitroad
  Email address: Hyman@theitroad
  UID: 839400001
  GID: 839400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

List the user accounts:

# ipa user-find
--------------
2 users matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: Hyman@theitroad
  UID: 839400000
  GID: 839400000
  Account disabled: False
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Home directory: /home/jmutai
  Login shell: /bin/bash
  Principal name: Hyman@theitroad
  Principal alias: Hyman@theitroad
  Email address: Hyman@theitroad
  UID: 839400001
  GID: 839400001
  Account disabled: False
---------------------------
Number of entries returned 2
---------------------------
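The "Key: value" layout that ipa user-find prints above is easy to script over, which is how account reviews on an IPA server are usually automated. The script below is an added example (not from the original guide and not part of the FreeIPA project): it parses that output into one line per account, lists the enabled accounts that have an interactive shell, and wraps ipa calls in a check of klist -s, which returns 0 only while a valid ticket is cached, so that a script without a ticket fails with a clear message instead of stalling on a password prompt. The user-find output embedded in it is a constructed copy of the listing above.

```shell
#!/bin/sh
# Scripting over the ipa command-line output from step 5. Added example, not
# part of the original guide or of the FreeIPA project. Assumes the
# "  Key: value" layout that `ipa user-find` prints (as shown above) and
# klist's -s option, which returns 0 only while a valid ticket is cached.

# Constructed copy of the user-find output shown in the guide.
sample_user_find() {
    cat <<'EOF'
--------------
2 users matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 839400000
  GID: 839400000
  Account disabled: False
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Home directory: /home/jmutai
  Login shell: /bin/bash
  UID: 839400001
  GID: 839400001
  Account disabled: False
---------------------------
Number of entries returned 2
---------------------------
EOF
}

# Read user-find output on stdin; print "login uid gid shell disabled" per account.
ipa_users_summary() {
    awk -F': ' '
        function flush() { if (login != "") print login, uid, gid, shell, disabled }
        $1 ~ /^[[:space:]]*User login$/ { flush(); login = $2; uid = gid = shell = disabled = "?" }
        $1 ~ /^[[:space:]]*UID$/ { uid = $2 }
        $1 ~ /^[[:space:]]*GID$/ { gid = $2 }
        $1 ~ /^[[:space:]]*Login shell$/ { shell = $2 }
        $1 ~ /^[[:space:]]*Account disabled$/ { disabled = $2 }
        END { flush() }'
}

# Logins of accounts that are enabled and have an interactive shell: the
# list to review when deciding who may log in to IPA-joined hosts.
active_logins() {
    ipa_users_summary | awk '$5 == "False" && $4 != "/sbin/nologin" { print $1 }'
}

# Run an ipa command only while a Kerberos ticket is valid, so scripts fail
# clearly instead of hanging on a password prompt.
with_ticket() {
    if klist -s 2>/dev/null; then
        "$@"
    else
        echo "no valid Kerberos ticket; run: kinit admin" >&2
        return 1
    fi
}

if [ "${1:-}" = run ]; then with_ticket ipa user-find | active_logins; fi
```

With the argument run it queries the live server; without one it only defines the functions. The parser keys on the "User login" line to start a new record, so it copes with the optional fields (first name, e-mail) that user-find prints for some accounts and not for others.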

When logging in with the LDAP account for the first time, we are asked to change the password:

$ssh Hyman@theitroad
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.
ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
Could not chdir to home directory /home/jmutai: No such file or directory

The final "Could not chdir to home directory" message means that /home/jmutai does not exist yet: home directories are not created automatically on first login unless the client is configured to do so (for example with the --mkhomedir option of ipa-client-install).
After setting up the FreeIPA server, we may need to configure the FreeIPA clients.