===== What? =====
Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL8+.

===== ipa setup on rhel =====
  * [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index|product documentation: IdM rhel8]]

<code bash>
export LC_ALL="C.UTF-8"
# use at least rhel8.
hostnamectl set-hostname rhel8u4a.fluxcoil.net
vi /etc/hosts
# now ensure a proper entry, i.e. 192.168.4.2 rhel8u4a.fluxcoil.net rhel8u4a
yum module -y enable idm:DL1
yum distro-sync -y
yum module -y install idm:DL1/dns
# use the line matching your interface name
MYIP=$(ip addr s dev eth0 | grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,')
MYIP=$(ip addr s dev enp1s0| grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,')
echo $MYIP
ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net \
  --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
  --admin-password=redhat12 --hostname=$(hostname -f) --idstart=60010 \
  --zonemgr=me@example.org --ip-address=$MYIP --no-forwarders -U
kinit admin

# ensure the openldap-client tools will trust the ca cert
# FreeIPA 4.x also has ipa-client-install
mkdir -p /etc/openldap/cacerts
cp /etc/ipa/ca.crt /etc/openldap/cacerts
# export LDAPTLS_CACERT=/etc/ipa/ca.crt

# create the first user
USER=chorn
PASS=redhat12
ipa user-add $USER --first Test --last User
echo "test" | ipa passwd $USER
ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net \
  -H ldap://$(hostname -f) -w test -a test -ZZZ -s $PASS

# to log in using the web interface
yum -y install firefox xauth
yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')
# log out and log in again, to have xauth properly set up
firefox
# surf to 'localhost', you will get redirected
# follow the instructions to import the cert, then you will access
# the ipa webinterface

# verify plain ldap works
# plain admin
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net
# plain chorn user
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net
# TLS chorn user
ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net -ZZZ
# to retrieve the cacert:
wget http://rhel8a.fluxcoil.net/ipa/config/ca.crt
# read the directory server configuration as directory manager, using ldapsearch
# (simple bind, hence -x; without it the -D/-w pair is ignored in favour of SASL)
ldapsearch -x -D "cn=directory manager" -w redhat12 -b "cn=config"
</code>

===== create users automated =====
<code bash>
cat >createuser.sh <
</code>

===== create users automated (from Simo) =====
# requires that you kinit as admin first
<code bash>
#!/bin/bash
# Pass user name as first argument and password as second argument
ipa user-add $1 --first Test --last User
echo "test" | ipa passwd $1
ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org -w test -a test -s $2
</code>
# In this example no escaping is performed, so you'll need to add it to user
# names/password if you want to use characters that may cause shell expansion.

===== set a new user's password so they don't have to change it =====
<code bash>
# requires that you kinit as admin first
cp /etc/ipa/ca.crt /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/
USER=chorn4
ipa user-add $USER --first Test --last User
# a password set by admin expires immediately and forces a change at first login;
# changing it afterwards as the user (bound with the temporary password) avoids that
echo "test" | ipa passwd $USER
ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net \
  -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ
</code>

===== creating an IdM replica =====
  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index#preparing-the-system-for-ipa-replica-installation_installing-identity-management
  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index#installing-an-ipa-replica_installing-identity-management

<code bash>
replica$ yum module -y enable idm:DL1
replica$ yum distro-sync -y
replica$ yum module -y install idm:DL1/dns
# point the replica at the existing IdM DNS server first
replica$ echo 'nameserver 192.168.4.22' >/etc/resolv.conf
replica$ ipa-client-install --enable-dns-updates --force
replica$ ipa-replica-install --setup-ca
</code>

<code bash>
# verify DNS is ok
DOMAIN=fluxcoil.net
NAMESERVER=rhel8u4a.fluxcoil.net
for i in _ldap._tcp _kerberos._tcp _kerberos._udp \
         _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
  echo ""
  dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \
    +nocomments +nostats +noaa +noadditional +noauthority
done | egrep -v "^;" | egrep _
# ..and on clients ensure they also access the replica for DNS!
</code>
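The loop above only prints the SRV records; as an added check (example code, not part of the original notes), the script below fails when any SRV name lacks one of the expected servers, which catches a replica that did not register its DNS records. It assumes rhel8u4b.fluxcoil.net as the replica's hostname, and the dig answer lines it uses for its offline self-check are constructed, not captured.

```shell
#!/bin/bash
# Added example, not from the original notes: after a replica install, verify
# that every IdM SRV name lists every expected server. Hostnames are assumed;
# the dig answer lines used by the offline self-check are constructed.
DOMAIN=fluxcoil.net
EXPECTED_SERVERS="rhel8u4a.fluxcoil.net rhel8u4b.fluxcoil.net"  # master + assumed replica
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp"

# srv_targets NAME ANSWER: print the target host of every SRV record for NAME in
# ANSWER ("dig +noall +answer" lines: name ttl IN SRV prio weight port target.)
srv_targets() {
    printf '%s\n' "$2" | awk -v name="$1.$DOMAIN." \
        '$1 == name && $4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# check_srv ANSWER: 0 if every SRV name lists every expected server, else 1;
# each missing combination is reported on stderr.
check_srv() {
    local answer="$1" rc=0 name server
    for name in $SRV_NAMES; do
        for server in $EXPECTED_SERVERS; do
            if ! srv_targets "$name" "$answer" | grep -qx "$server"; then
                echo "MISSING: $name.$DOMAIN has no SRV record for $server" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# live_check NAMESERVER: query the IdM DNS for all names, then run check_srv.
live_check() {
    local name
    check_srv "$(for name in $SRV_NAMES; do
        dig @"$1" "$name.$DOMAIN" SRV +noall +answer; done)"
}

# sample_answer SERVER...: constructed answer lines naming SERVER... for every
# SRV name, so the check can run offline (real use: live_check rhel8u4a.fluxcoil.net).
sample_answer() {
    local name server
    for name in $SRV_NAMES; do
        for server in "$@"; do
            printf '%s.%s.\t86400\tIN\tSRV\t0 100 389 %s.\n' "$name" "$DOMAIN" "$server"
        done
    done
}

check_srv "$(sample_answer rhel8u4a.fluxcoil.net rhel8u4b.fluxcoil.net)" && echo "all SRV records present"
check_srv "$(sample_answer rhel8u4a.fluxcoil.net)" || echo "replica missing from SRV records"
```

_ntp._udp is left out of the checked names because the setup above runs ipa-server-install with --no-ntp.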