snippets:linux_quickshotsetups:ipa_server_rhel6 [2019/10/09 08:21] (current), created by chris

===== What? =====
Just some notes on a minimal setup of IdM (Red Hat Identity Management, the FreeIPA-based product). This is really only for testing and reproducer setups: the passwords used below (redhat12 and so on) are throwaway lab passwords, and the install runs unattended. This is tested on RHEL6.

===== ipa setup on rhel =====
  * [[https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html|product documentation: IdM rhel6]]

<code>
# use at least rhel6.2 for IPA, 6.1 had IPA just as tech preview.
# versions before 6.4 need different ipa-server-install parameters.

vi /etc/sysconfig/network
# ensure the hostname including the domain is set, e.g. HOSTNAME=rhel6u1a.fluxcoil.net

# ensure the hostname is correct on the running system
hostname rhel6u1a.fluxcoil.net

vi /etc/hosts
# now ensure a proper entry, e.g.
192.168.4.2 rhel6u1a.fluxcoil.net rhel6u1a
# the FQDN must map to the real interface address, not to 127.0.0.1,
# otherwise ipa-server-install fails its hostname checks.

yum -y install ipa-server bind bind-dyndb-ldap

# -U runs unattended; --no-ntp skips the NTP setup, so keep the clock in
# sync some other way (Kerberos rejects tickets with more than 5 minutes
# of clock skew).
ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net --no-ntp \
  --ds-password=redhat12 --master-password=redhat12 --ssh-trust-dns \
  --admin-password=redhat12 --hostname=$(hostname -f) --idstart=10000 \
  --setup-dns --zonemgr=me@example.org --ip-address=$(ip addr s dev eth0 \
  |grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,') --no-forwarders -U

kinit admin

# ensure the openldap-client tools will trust the ca cert
# (FreeIPA 4.x also has ipa-client-install, which sets this up)
mkdir -p /etc/openldap/cacerts
cp /etc/ipa/ca.crt /etc/openldap/cacerts
cacertdir_rehash /etc/openldap/cacerts
export LDAPTLS_CACERT=/etc/ipa/ca.crt

# create the first user. A password set by admin is expired right away, so
# the user would have to change it at first login; changing it once more as
# the user (via ldappasswd) leaves the final password valid.
USER=chorn
PASS=redhat12
ipa user-add $USER --first Test --last User
echo "test" | ipa passwd $USER
ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net \
  -H ldap://$(hostname -f) -w test -a test -ZZ -s $PASS

# to login using the web interface
yum -y install firefox xauth
yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')

# log out and log in again, to have xauth properly set up

firefox
# surf to 'localhost', you will get redirected
# follow the instructions to import the cert, then you will access
# the ipa webinterface

# verify plain ldap works
# (a simple bind without -ZZ sends the password in clear text; acceptable
# on the server itself, do not do this across the network)
# plain admin
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net
# plain chorn user
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net
# TLS chorn user
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net -ZZ

# to retrieve the cacert (plain http, so compare it against /etc/ipa/ca.crt
# on the server before trusting it anywhere else):
wget http://rhel6u2a.fluxcoil.net/ipa/config/ca.crt

# read the directory server configuration as directory manager using ldapsearch
# (-x is needed, otherwise the tools attempt a SASL/GSSAPI bind and ignore -D/-w)
ldapsearch -x -D "cn=directory manager" -w redhat12 -b "cn=config"
</code>
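Before running ipa-server-install it pays to check the three things above mechanically: the hostname is a FQDN, /etc/hosts maps it to the real interface address rather than 127.0.0.1, and the address handed to --ip-address is the one you expect. The following script is an added example written for these notes, not code from the page or from the IPA project; it reads the hosts file and the `ip addr` output through functions so it can be tried on constructed sample data, and the function names and the eth0 default in the usage line are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example for these notes (not from the page or from IPA): pre-flight
# checks for the hostname/address setup that ipa-server-install depends on.
# Function names and the eth0 default in the usage line are assumptions.

# Print the first global-scope IPv4 address from `ip addr show` output read
# on stdin, without the prefix length (192.168.4.2/24 -> 192.168.4.2).
# Loopback and link-local addresses are skipped; the grep|sed pipeline in the
# notes would happily return 127.0.0.1 if the device name were wrong.
ipv4_from_ip_addr() {
  awk '$1 == "inet" && $0 ~ /scope global/ { sub("/.*", "", $2); print $2; exit }'
}

# hosts_lookup NAME HOSTSFILE
# Print the address(es) HOSTSFILE maps to NAME (exact match on any name
# field; blank lines and comments are ignored).
hosts_lookup() {
  local name=$1 hostsfile=$2
  awk -v n="$name" '
    NF == 0 || $1 ~ /^#/ { next }
    { sub(/#.*/, "")
      for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }
  ' "$hostsfile"
}

# preflight FQDN IP HOSTSFILE
# Checks that FQDN is fully qualified (ipa-server-install refuses bare
# names), that HOSTSFILE maps it, and that the mapping is IP rather than a
# 127.x loopback address (a common /etc/hosts default that makes the install
# fail its hostname check). Returns 0 when consistent, 1 otherwise, and
# writes the reasons to stderr.
preflight() {
  local fqdn=$1 ip=$2 hostsfile=$3 mapped ok=0
  case $fqdn in
    *.*) ;;
    *) echo "hostname '$fqdn' is not fully qualified" >&2; ok=1 ;;
  esac
  mapped=$(hosts_lookup "$fqdn" "$hostsfile")
  if [ -z "$mapped" ]; then
    echo "$fqdn has no entry in $hostsfile" >&2; ok=1
  else
    case $mapped in
      127.*) echo "$fqdn maps to loopback ($mapped) in $hostsfile" >&2; ok=1 ;;
    esac
    if [ "$mapped" != "$ip" ]; then
      echo "$fqdn maps to '$mapped' in $hostsfile, interface has $ip" >&2; ok=1
    fi
  fi
  return $ok
}

# Run on the server itself, with real data, before ipa-server-install:
#   preflight "$(hostname -f)" "$(ip addr show dev eth0 | ipv4_from_ip_addr)" /etc/hosts \
#     && echo "hostname setup looks fine"
```

The functions take their input as arguments or on stdin on purpose: the same check can be run against a copy of a broken host's /etc/hosts and `ip addr` output when debugging a failed install elsewhere.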
 +
===== create users automated =====
<code>
# requires a kinit as admin first. The heredoc delimiter is quoted so that
# $1 ends up literally in the script instead of being expanded right now.
cat >createuser.sh <<'EOT'
#!/bin/bash
ipa user-add --first "$1" --last "$1" "$1"
echo 'redhat12' | ipa passwd "$1"
EOT

chmod +x createuser.sh
for i in $(seq 2 2000); do
  ./createuser.sh user$i
done
</code>
 +
===== create users automated (from Simo) =====
<code>
# requires that you kinit as admin first:

---------------------------------------------------------------------------------
#!/bin/bash

# Pass user name as first argument and password as second argument

ipa user-add $1 --first Test --last User
echo "test" | ipa passwd $1
ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org -w test -a test -s $2
---------------------------------------------------------------------------------

# In this example no escaping is performed, so you'll need to add it to user
# names/passwords if you want to use characters that may cause shell expansion.
</code>
 +
===== set a new user's password so they do not have to change it =====
<code>
# requires that you kinit as admin first.
# IdM expires a password that admin set right away, so the user is forced
# to change it at first login. Changing it a second time as the user, via
# ldappasswd, leaves the final password valid.

cp /etc/ipa/ca.crt /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

USER=chorn4
ipa user-add $USER --first Test --last User
echo "test" | ipa passwd $USER
ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ
</code>
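The three scripts above (createuser.sh, Simo's script, and the chorn4 sequence) share two weaknesses: the passwords travel on the command line, where `ps` and the shell history can see them, and, as Simo's note says, nothing stops a user name with shell or DN metacharacters from being spliced into the commands. The following helper is an added example written for these notes, not code from the page or from IPA. It keeps the bootstrap-then-change sequence but passes passwords through a 0700 temporary directory and stdin (ldappasswd's -y/-t/-T file options), refuses unsafe logins instead of escaping them, and adds a check that reads krbPasswordExpiration from ldapsearch output to confirm the final password is not flagged as expired. Assumptions: `kinit admin` has been done, the server is `$(hostname -f)` unless IPA_SERVER is set, the IPA and LDAPPASSWD variables exist only so the real commands can be swapped for `echo` in a dry run, the binding account can read krbPasswordExpiration, and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example for these notes, not code from the page or from IPA.
# Assumptions: `kinit admin` has been done; the server is $(hostname -f)
# unless IPA_SERVER is set; IPA and LDAPPASSWD exist only so the real
# commands can be swapped for `echo` in a dry run; function names are mine.

IPA=${IPA:-ipa}
LDAPPASSWD=${LDAPPASSWD:-ldappasswd}

# Accept only logins that are safe to splice into shell commands and DNs:
# 1-32 characters from [a-z0-9._-], starting with a letter or digit. This is
# the escaping problem from Simo's note, solved by refusing unsafe names.
valid_login() {
  case $1 in
    ''|*[!a-z0-9._-]*) return 1 ;;
    [a-z0-9]*) [ ${#1} -le 32 ] ;;
    *) return 1 ;;
  esac
}

# fluxcoil.net -> dc=fluxcoil,dc=net
domain_to_basedn() {
  printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# user_dn LOGIN DOMAIN -> the entry DN as IPA lays it out under cn=users,cn=accounts
user_dn() {
  printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$(domain_to_basedn "$2")"
}

# create_user LOGIN FIRST LAST FINAL_PASSWORD DOMAIN
# Same sequence as the notes: admin sets a bootstrap password (which IdM
# expires on purpose), then the user changes it, which leaves FINAL_PASSWORD
# valid. The bootstrap password is random, and both passwords go through
# files in a 0700 directory and stdin instead of argv, so they never show up
# in `ps` or in the shell history. -y/-t/-T are ldappasswd's "read the
# bind / old / new password from a file" options.
create_user() {
  local login=$1 first=$2 last=$3 final=$4 domain=$5 dn server tmpd rc=0
  valid_login "$login" || { echo "refusing unsafe login '$login'" >&2; return 1; }
  dn=$(user_dn "$login" "$domain")
  server=${IPA_SERVER:-$(hostname -f 2>/dev/null)}
  tmpd=$(umask 077 && mktemp -d) || return 1
  # no trailing newline in the files: ldappasswd would treat it as part of the password
  head -c 18 /dev/urandom | base64 | tr -d '\n' > "$tmpd/old"
  printf '%s' "$final" > "$tmpd/new"
  "$IPA" user-add "$login" --first "$first" --last "$last" \
    && "$IPA" passwd "$login" < "$tmpd/old" \
    && "$LDAPPASSWD" -D "$dn" -H "ldap://$server" -ZZ \
         -y "$tmpd/old" -t "$tmpd/old" -T "$tmpd/new" \
    || rc=$?
  rm -rf "$tmpd"
  return $rc
}

# password_expired [NOW]
# Reads ldapsearch output for the user entry on stdin, e.g. from
#   ldapsearch -x -ZZ -H ldap://$IPA_SERVER -D "$dn" -y pwfile -b "$dn" krbPasswordExpiration
# and returns 0 if krbPasswordExpiration (GeneralizedTime, e.g.
# 20191009082100Z) lies before NOW (default: the current UTC time), i.e. the
# user would still be forced to change the password at next login; 1 if the
# password is still valid; 2 if the attribute is not in the output at all.
password_expired() {
  local exp now
  exp=$(awk -F': ' 'tolower($1) == "krbpasswordexpiration" { print $2; exit }')
  [ -n "$exp" ] || return 2
  now=${1:-$(date -u +%Y%m%d%H%M%SZ)}
  [ "${exp%Z}" -lt "${now%Z}" ]
}
```

Dry run without touching a server: `IPA=echo LDAPPASSWD=echo IPA_SERVER=rhel6u1a.fluxcoil.net create_user chorn5 Test User redhat42 fluxcoil.net` prints the commands that would run; note that the final password is nowhere in that output, only the temporary file names are.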
 +
===== creating an IdM replica =====
  * https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html
<code>
# rhel6u5b will be the replica.

replica$ yum install -y ipa-server bind bind-dyndb-ldap
server$  ipa-replica-prepare rhel6u5b.fluxcoil.net --ip-address 192.168.4.13
server$  scp /var/lib/ipa/replica-info-rhel6u5b.fluxcoil.net.gpg root@rhel6u5b.fluxcoil.net:/var/lib/ipa/
replica$ ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-rhel6u5b.fluxcoil.net.gpg
# ipa-replica-install asks for the Directory Manager password. The replica
# info file carries the server's keys and certificates (encrypted with that
# password), so remove it from both hosts once the replica is up.

# verify DNS is ok: every service record should now list the replica as well
DOMAIN=fluxcoil.net
NAMESERVER=rhel6u5b.fluxcoil.net
for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \
  echo ""; \
  dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; \
done | egrep -v "^;" | egrep _

# ..and make sure clients also use the replica for DNS (e.g. as a second
# nameserver in /etc/resolv.conf), otherwise they lose name resolution,
# and with it the SRV lookups for the KDC, as soon as the first server is down.
</code>
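The dig loop above only prints the SRV answers; what you actually want to know is that every service record lists every server, so a client whose first KDC or LDAP server is down can reach the other one. The following check is an added example written for these notes, not code from the page or from IPA. It parses the answer lines that dig prints with the flags used above and reports every (record, server) pair that is missing. _ntp._udp is left out on purpose because the master in these notes was installed with --no-ntp. The master's name rhel6u1a.fluxcoil.net in the usage comment is taken from the first section; the replica section itself does not name the master.

```shell
#!/usr/bin/env bash
# Added example for these notes, not from the page or from IPA: verify that
# every IdM service record lists every server, so clients can fail over.
# Assumes the answer-line format dig prints with the flags used above; the
# master's name in the usage line is taken from the first section.

# srv_targets NAME  (dig output on stdin)
# Print the SRV targets for record NAME (owner name with trailing dot, as dig
# prints it), with the target's trailing dot removed. Answer lines look like:
#   _ldap._tcp.fluxcoil.net. 86400 IN SRV 0 100 389 rhel6u1a.fluxcoil.net.
srv_targets() {
  awk -v name="$1" '$4 == "SRV" && $1 == name { sub(/\.$/, "", $8); print $8 }'
}

# check_srv_coverage DOMAIN SERVER[,SERVER...]  (dig output for all records on stdin)
# Returns 0 if every record listed below names every server, 1 otherwise;
# missing pairs go to stderr. _ntp._udp is not checked because the master in
# these notes was installed with --no-ntp and therefore publishes no NTP record.
check_srv_coverage() {
  local domain=$1 servers=$2 input rec name s ok=0
  input=$(cat)
  for rec in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp; do
    name="$rec.$domain."
    for s in $(printf '%s' "$servers" | tr ',' ' '); do
      if ! printf '%s\n' "$input" | srv_targets "$name" | grep -qxF "$s"; then
        echo "$name does not list $s" >&2
        ok=1
      fi
    done
  done
  return $ok
}

# Against the live servers, with the same dig flags as in the notes:
#   for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp; do
#     dig @rhel6u5b.fluxcoil.net $i.fluxcoil.net srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority
#   done | check_srv_coverage fluxcoil.net rhel6u1a.fluxcoil.net,rhel6u5b.fluxcoil.net
```

Run it once against each nameserver (the master and the replica) rather than only against the replica: the zone is replicated through LDAP, so a stale or missing record on one server is exactly the kind of problem this is meant to catch.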