FreeIPA server-side deployment

1. Introduction to FreeIPA

FreeIPA is open-source software from Red Hat: an integrated identity and security information management solution. Its main features are:

  • Integrates several services (389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag Certificate System, SSSD), which simplifies installation and configuration
  • Provides both a web UI and command-line management tools
  • Multi-master replication: scalable and highly available
  • Rich interfaces: CLI, Web UI, XML-RPC and JSON-RPC APIs, Python SDK

FreeIPA Server

Glossary

  • MIT KDC: the core of IPA authentication (the Kerberos Key Distribution Center)
  • 389 Directory Server: the LDAP (Lightweight Directory Access Protocol) directory that stores identity data
  • Dogtag Certificate System: a certificate system that provides a strong security framework for verifying user identities and keeping communications private
  • SSSD: a daemon introduced in Red Hat Enterprise Linux 6 that can talk to several kinds of authentication servers, such as LDAP and Kerberos, and provides authorization. SSSD sits between local users and the data store: local clients first connect to SSSD, and SSSD then contacts the external resource provider (a remote server)

Pre-install checks:

  • Synchronize the clock with NTP
  • Disable the firewall, or open the following ports: TCP 80, 443, 389, 636, 88, 464; UDP 88, 464, 123
  • Configure the hosts file with a fully qualified host name (e.g. 192.168.1.1 freeipa.fugetech.com.cn freeipa)
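A pre-flight script for the checks listed above, added here as an example (it is not part of the original post). The port list and the hosts-file layout come from the checklist; the function names, the sample hosts file and the sample firewall-cmd output are this example's own assumptions.

```shell
#!/bin/sh
# Pre-install checks for a FreeIPA server (added example, not from the post).
# Required ports, as listed in the checklist above (port/protocol form used
# by `firewall-cmd --list-ports`).
IPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# is_fqdn NAME -> 0 if NAME is a fully qualified host name usable by
# ipa-server-install: contains a dot, is not localhost, and each label is
# letters/digits/hyphens without a leading or trailing hyphen.
is_fqdn() {
    case $1 in
        localhost|localhost.*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# hosts_maps HOSTS_FILE IP FQDN -> 0 if HOSTS_FILE has a non-comment line
# whose first field is IP and which lists FQDN among its names.
hosts_maps() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_ports "LIST" -> prints the required ports absent from LIST, where
# LIST is the space-separated output of `firewall-cmd --list-ports`.
missing_ports() {
    open=" $1 "; missing=""
    for p in $IPA_PORTS; do
        case $open in
            *" $p "*) ;;
            *) missing="$missing${missing:+ }$p" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# firewall_cmds -> prints the firewalld commands that open every required port
# instead of disabling the firewall outright.
firewall_cmds() {
    for p in $IPA_PORTS; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    echo 'firewall-cmd --reload'
}
```

On a real host, run `is_fqdn "$(hostname -f)"`, `hosts_maps /etc/hosts <ip> "$(hostname -f)"` and `missing_ports "$(firewall-cmd --list-ports)"` before starting ipa-server-install.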

2. FreeIPA server installation

Installing FreeIPA is fairly simple. First install the packages:

yum install ipa-server bind-dyndb-ldap ipa-server-dns

After the packages are installed, run the installer:

ipa-server-install

The installation then proceeds as follows (the # comments mark the answers given at each prompt):

The log file for this installation can be found in /var/log/ipaserver-install.log
================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master1.douyu.com.
Server host name [master1.douyu.com]: # press Enter to accept

The domain name has been determined based on the host name.
Please confirm the domain name [master1.douyu]: # press Enter to accept

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [master1.douyu]: # press Enter to accept

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:douyu123 # set the Directory Manager password
Password (confirm):redn.net
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:redn.net # set the IPA admin password
Password (confirm):redn.net
The IPA Master Server will be configured with:
Hostname: master1.douyu.com
IP address: 172.24.30.100
Domain name: example.com
Realm name: EXAMPLE.COM
Continue to configure the system with these values? [no]:yes # type yes to confirm the settings
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

………………………… # wait for the installation to finish
Sample zone file for bind has been created in /tmp/sample.zone.Jd9cwk.db
Restarting the web server
==============================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Once the installation completes, open a browser and enter the address https:/// to reach the web management interface.