===== What? =====
Just some notes on a minimal IdM setup. This is really only meant for testing and reproducer setups. It was tested on RHEL 9.
===== IPA setup on rhel =====
* [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/installing_identity_management/index|product documentation: IdM rhel9]]
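export LC_ALL="C.UTF-8"   # the IPA installer checks for a UTF-8 locale
# Host name and interface of the test box; adjust as needed. The domain part
# needs at least 2 components, so a bare "local" is not ok.
MYHOST=rhel9u4a.local.net
MYIF=enp1s0
MYDOMAIN=${MYHOST#*.}          # local.net
hostnamectl set-hostname "$MYHOST"
# First IPv4 address on $MYIF. "exit" after the first line keeps MYIP a single
# address even when the interface carries several; the old grep|sed pipeline
# produced one line per address.
MYIP=$(ip -4 -o addr show dev "$MYIF" | awk '{sub("/.*", "", $4); print $4; exit}')
: "${MYIP:?no IPv4 address found on $MYIF}"
printf '%s\n' "$MYIP"
# /etc/hosts has to map the address to FQDN and short name before the install
# (the original note edited it by hand with vi), e.g.
#   192.168.4.2 rhel9u4a.local.net rhel9u4a
grep -qwF -- "$MYHOST" /etc/hosts \
  || printf '%s %s %s\n' "$MYIP" "$MYHOST" "${MYHOST%%.*}" >> /etc/hosts
dnf install ipa-server ipa-server-dns
umask 0022   # the installer expects the default umask
# Unattended (-U) install. Realm is the upper-cased domain. The DS and admin
# passwords are given on the command line, so they end up in shell history
# and in `ps` output while the installer runs — fine for a throwaway test box.
ipa-server-install --realm="${MYDOMAIN^^}" --domain="$MYDOMAIN" \
  --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
  --admin-password=redhat12 --hostname="$MYHOST" --idstart=60010 \
  --zonemgr=me@example.org --ip-address="$MYIP" --no-forwarders -U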
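kinit admin
# Make the OpenLDAP client tools trust the IPA CA. cacertdir_rehash creates the
# hash links the tools look for in a CA directory (a later section on this page
# uses the same step); setting LDAPTLS_CACERT is the per-shell alternative.
# FreeIPA 4.x also ships ipa-client-install.
mkdir -p /etc/openldap/cacerts
cp /etc/ipa/ca.crt /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/
# export LDAPTLS_CACERT=/etc/ipa/ca.crt
# Create the first user. The variable is IPA_USER, not USER: USER is the login
# name the shell exports and other tools read it.
IPA_USER=chorn
INITPW=test        # admin-set initial password, has to be changed at first use
PASS=redhat12      # the password the user ends up with
ipa user-add "$IPA_USER" --first Test --last User
printf '%s\n' "$INITPW" | ipa passwd "$IPA_USER"
# Change the initial password as the user itself over StartTLS (-ZZ: fail if
# TLS cannot be negotiated). -w is the bind password, -a the old and -s the new
# password; all three are argv items and therefore visible in `ps`.
ldappasswd -D "uid=$IPA_USER,cn=users,cn=accounts,dc=local,dc=net" \
  -H "ldap://$(hostname -f)" -w "$INITPW" -a "$INITPW" -ZZ -s "$PASS"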
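# to login using the web interface (xauth: presumably the browser is run over
# ssh X forwarding from another machine)
dnf -y install firefox xauth
# Install every xorg-x11-font* package dnf can find. The names are collected
# into an array instead of relying on word-splitting of an unquoted $(...).
mapfile -t fontpkgs < <(dnf search xorg-x11-font | awk '/^xorg-x11-font/ {print $1}')
if (( ${#fontpkgs[@]} > 0 )); then
  dnf -y install "${fontpkgs[@]}"
fi
# log out and log in again, to have xauth properly setup
firefox
# surf to 'localhost', you will get redirected
# follow instructions to import the cert, then you will access
# the ipa webinterface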
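# verify plain ldap works
# "plain" = simple bind (-x) over ldap:// without StartTLS: the password goes
# over the wire unencrypted, so these two are only a connectivity check on the
# test box. The server is given as -H URI; the -h host form is deprecated in
# OpenLDAP and newer client tools drop it (the ldappasswd calls on this page
# already use -H).
# plain admin
ldapsearch -x -b dc=local,dc=net -H "ldap://$(hostname -f)" -w redhat12 \
  -D uid=admin,cn=users,cn=accounts,dc=local,dc=net
# plain chorn user
ldapsearch -x -b dc=local,dc=net -H "ldap://$(hostname -f)" -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=local,dc=net
# TLS chorn user (-ZZ: StartTLS, abort if it cannot be negotiated)
ldapsearch -x -b dc=local,dc=net -H "ldap://$(hostname -f)" -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=local,dc=net -ZZ
# to retrieve the cacert (e.g. from another machine): it is served over plain
# http, so compare the download with /etc/ipa/ca.crt on the server before
# trusting it anywhere
wget "http://$(hostname -f)/ipa/config/ca.crt"
# using ldapsearch: dump the server's cn=config tree. This needs a simple bind
# (-x) as Directory Manager; without -x the tools attempt a SASL bind and the
# -D/-w pair is not used for a simple bind.
ldapsearch -x -H "ldap://$(hostname -f)" -D "cn=directory manager" -w redhat12 -b "cn=config"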
===== create users automated =====
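# createuser.sh: add one IPA user and give it a known initial password.
# Written with a quoted heredoc so the snippet can be pasted as-is (the original
# note only showed the file via `cat`). Needs an admin ticket (kinit admin).
cat > createuser.sh <<'EOF'
#!/bin/bash
# Usage: createuser.sh <login>
# Requires an admin Kerberos ticket in the calling shell.
set -euo pipefail
[[ $# -eq 1 ]] || { printf 'usage: %s <login>\n' "${0##*/}" >&2; exit 2; }
ipa user-add --first "$1" --last "$1" "$1"
# admin-set password: the user has to change it at first use
printf '%s\n' 'redhat12' | ipa passwd "$1"
EOF
chmod +x createuser.sh
# user2 .. user20
for i in {2..20}; do
  ./createuser.sh "user$i"
done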
===== create users automated (from Simo) =====
# requires that you kinit as admin first:
---------------------------------------------------------------------------------
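#!/bin/bash
# Pass user name as first argument and password as second argument.
# Requires an admin Kerberos ticket (kinit admin) in the calling shell.
# BASEDN may be set in the environment; the default is the one from the
# original note.
set -euo pipefail
[[ $# -eq 2 ]] || { printf 'usage: %s <login> <password>\n' "${0##*/}" >&2; exit 2; }
BASEDN=${BASEDN:-dc=example,dc=org}
ipa user-add "$1" --first Test --last User
# throwaway initial password; admin-set passwords have to be changed at first
# use, which the ldappasswd below does as the user itself
printf '%s\n' test | ipa passwd "$1"
# -w bind password, -a old password, -s new password. No -H, so the server
# comes from the ldap.conf defaults, as in the original. The new password is
# an argv item (visible in `ps`); ldappasswd -S prompts for it instead.
ldappasswd -D "uid=$1,cn=users,cn=accounts,$BASEDN" -w test -a test -s "$2"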
---------------------------------------------------------------------------------
# In this example no escaping is performed, so you will need to add it to user
# names/passwords yourself if you want to use characters that may cause shell expansion.
===== set a new user's password so that they do not have to change it =====
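# requires that you kinit as admin first:
# make the OpenLDAP client tools trust the IPA CA
mkdir -p /etc/openldap/cacerts
cp /etc/ipa/ca.crt /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/
# IPA_USER rather than USER: USER is the login name the shell exports and other
# tools read it.
IPA_USER=chorn4
INITPW=test        # admin-set initial password, expired at first use
NEWPW=redhat42     # the password the user ends up with
ipa user-add "$IPA_USER" --first Test --last User
printf '%s\n' "$INITPW" | ipa passwd "$IPA_USER"
# Changing the password as the user itself (bind as the user, -a old, -s new)
# turns the admin-set, must-change password into a normal one. The original
# note pointed -H at rhel6u3b.local.net; this server's own FQDN is used here.
# -ZZ: StartTLS, abort if it cannot be negotiated.
ldappasswd -D "uid=$IPA_USER,cn=users,cn=accounts,dc=local,dc=net" \
  -H "ldap://$(hostname -f)" -w "$INITPW" -a "$INITPW" -s "$NEWPW" -ZZ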