
What?

Just some notes on a minimal setup of IdM (IPA). This is really only for testing and reproducer setups: passwords are hard-coded and passed on the command line, and several verification steps bind to LDAP without TLS, so do not reuse any of it on a system that matters. Tested on RHEL 6.

IPA server setup on RHEL 6

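# use at least rhel6.2 for IPA, 6.1 had IPA just as tech preview.
# versions before 6.4 need different ipa-server-install parameters.

# The FQDN this IPA server will be known by. The same name has to be used
# in /etc/sysconfig/network, as the running hostname and in /etc/hosts:
# it ends up as the server's Kerberos and LDAP identity, so keep the three
# consistent (the example names below are all the same host on purpose).
IPA_FQDN=rhel6u1a.fluxcoil.net

vi /etc/sysconfig/network
# ensure the hostname including the domain is set, i.e. HOSTNAME=rhel6u1a.fluxcoil.net

# ensure the hostname is also correct on the running system
hostname "$IPA_FQDN"

vi /etc/hosts
# now ensure there is a proper entry for this host, i.e.
#   192.168.4.2 rhel6u1a.fluxcoil.net rhel6u1a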

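yum -y install ipa-server bind bind-dyndb-ldap

# Throw-away credentials for a test box. Anything passed on the command line
# is recorded in the shell history and is visible to every local user via
# ps/proc while the installer runs; on a box that matters prefer dropping -U
# and the *-password options and letting the installer prompt for them.
IPA_PASS=redhat12

# First IPv4 address on eth0. 'exit' after the first match so an interface
# with several addresses still yields exactly one word for --ip-address
# (the unguarded grep|sed version would pass several).
IPA_IP=$(ip addr show dev eth0 | awk '/inet /{sub(/\/.*/, "", $2); print $2; exit}')

# --no-ntp / --no-forwarders: skip the NTP server and DNS forwarder setup
ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net --no-ntp \
  --ds-password="$IPA_PASS" --master-password="$IPA_PASS" --ssh-trust-dns \
  --admin-password="$IPA_PASS" --hostname="$(hostname -f)" --idstart=10000 \
  --setup-dns --zonemgr=me@example.org --ip-address="$IPA_IP" --no-forwarders -U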

kinit admin

# make the openldap client tools (ldapsearch/ldappasswd) trust the IPA CA;
# FreeIPA 4.x can also do this for you through ipa-client-install
CACERT_DIR=/etc/openldap/cacerts
mkdir -p "$CACERT_DIR"
cp /etc/ipa/ca.crt "$CACERT_DIR"
cacertdir_rehash "$CACERT_DIR"
# and point the client library at the CA explicitly as well
export LDAPTLS_CACERT=/etc/ipa/ca.crt

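# create the first user
# The variable is deliberately not called USER: that is the login name the
# shell exports, and overwriting it in this session confuses other tools.
IPA_USER=chorn
IPA_PASS=redhat12
ipa user-add "$IPA_USER" --first Test --last User
# The admin-set password is only a bootstrap; the user then replaces it
# itself over StartTLS (-ZZ: fail rather than fall back to cleartext), so the
# account is not forced through a password change at first login.
# All passwords here are argv values: ps and the shell history can see them.
echo "test" | ipa passwd "$IPA_USER"
ldappasswd -D "uid=$IPA_USER,cn=users,cn=accounts,dc=fluxcoil,dc=net" \
  -H "ldap://$(hostname -f)" -w test -a test -ZZZ -s "$IPA_PASS"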

# to log in using the web interface (firefox over X forwarding)
yum -y install firefox xauth
# every xorg-x11-font* package yum knows about: keep the matching search
# lines and cut everything from the ':' on, leaving the package name
yum -y install $(yum search xorg-x11-font | sed -n -e '/^xorg-x11-font/ s,:.*,,p')

# log out and log in again, so xauth is set up properly

firefox
# surf to 'localhost', you will get redirected
# follow the instructions to import the CA cert; after that you get to
# the IPA web interface

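# verify plain LDAP works
# NOTE: the binds without -Z below send the bind password in cleartext, and
# every password is on the command line as well. Only do this on the test box.
# plain admin
ldapsearch -x -b dc=fluxcoil,dc=net -h "$(hostname -f)" -w redhat12 \
  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net
# plain chorn user
ldapsearch -x -b dc=fluxcoil,dc=net -h "$(hostname -f)" -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net
# StartTLS chorn user; -ZZ makes the bind fail rather than fall back to cleartext
ldapsearch -x -b dc=fluxcoil,dc=net -h "$(hostname -f)" -w redhat12 \
  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net -ZZZ

# to retrieve the CA cert from another machine:
# this is plain http, so verify the certificate out of band before trusting
# it anywhere, e.g. compare the fingerprint with /etc/ipa/ca.crt on the server:
#   openssl x509 -in ca.crt -noout -fingerprint -sha256
wget http://rhel6u2a.fluxcoil.net/ipa/config/ca.crt

# using ldapsearch as Directory Manager: -x (simple bind) is required here,
# without it the openldap tools attempt a SASL bind and ignore -D, so the
# query does not run as Directory Manager at all. (-W instead of -w prompts
# for the password and keeps it out of ps/history.)
ldapsearch -x -D "cn=directory manager" -w redhat12 -b "cn=config"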

Create users, automated

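# The here-doc delimiter is quoted so "$1" is written into the script
# literally; with an unquoted EOT the creating shell expands $1 itself
# (usually to nothing) and the generated script calls ipa without a user name.
cat >createuser.sh <<'EOT'
#!/bin/bash
# usage: createuser.sh NAME -- needs an admin ticket (kinit admin) first.
# Creates the user and gives it a known initial password.
ipa user-add --first "$1" --last "$1" "$1"
echo 'redhat12' | ipa passwd "$1" --
EOT

chmod +x createuser.sh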
# creates user2 .. user2000 (user1 is not created by this loop)
for n in {2..2000}; do
  ./createuser.sh "user${n}"
done

Create users, automated (from Simo)

# requires a valid admin ticket first: kinit admin

---------------------------------------------------------------------------------
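#!/bin/bash
# Usage: script NAME PASSWORD -- requires an admin ticket (kinit admin) first.
# The positional parameters are expanded quoted, so names and passwords
# containing shell metacharacters reach ipa/ldappasswd intact. The password
# is still an argv value and therefore visible in ps output and shell history.
set -e   # do not try to set a password on a user whose creation failed

ipa user-add "$1" --first Test --last User
# admin-set bootstrap password, replaced right away by the user itself
echo "test" | ipa passwd "$1"
ldappasswd -D "uid=$1,cn=users,cn=accounts,dc=example,dc=org" -w test -a test -s "$2"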
---------------------------------------------------------------------------------

# Inside the script the positional parameters have to be expanded quoted ("$1", "$2"),
# and the arguments quoted when calling it, if user names or passwords contain
# characters subject to shell expansion. The password is passed as a plain
# argument, so it also shows up in ps output and in the shell history.

Set a new user's password so that they do not have to change it at first login

# requires a valid admin ticket first: kinit admin

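# make the openldap client trust the IPA CA (mkdir -p: the directory does
# not necessarily exist yet on a fresh box)
mkdir -p /etc/openldap/cacerts/
cp /etc/ipa/ca.crt /etc/openldap/cacerts/
cacertdir_rehash /etc/openldap/cacerts/

# IPA_USER rather than USER: USER is the login name exported by the shell
IPA_USER=chorn4
ipa user-add "$IPA_USER" --first Test --last User
# 1) admin sets a bootstrap password (an admin-set password has to be changed
#    by the user at first login, which is what this section avoids),
# 2) the user binds with it and sets the final password via ldappasswd.
# -ZZ: StartTLS has to succeed, so neither password crosses the wire in clear.
# Both passwords are argv values, visible in ps output and the shell history.
echo "test" | ipa passwd "$IPA_USER"
ldappasswd -D "uid=$IPA_USER,cn=users,cn=accounts,dc=fluxcoil,dc=net" \
  -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ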

Creating an IdM replica

# rhel6u5b will be the replica.

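# The replica-info .gpg file carries the replica's keys and credentials;
# treat it like a private key: copy it over a trusted channel only (scp here)
# and remove it from both hosts once the replica is up.

# on the replica:
yum install -y ipa-server bind bind-dyndb-ldap

# on the existing server:
ipa-replica-prepare rhel6u5b.fluxcoil.net --ip-address 192.168.4.13
scp /var/lib/ipa/replica-info-rhel6u5b.fluxcoil.net.gpg root@rhel6u5b.fluxcoil.net:/var/lib/ipa/

# on the replica:
ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-rhel6u5b.fluxcoil.net.gpg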


# verify DNS is ok: the replica must answer the SRV records clients look up
# NOTE(review): with --no-ntp (as used for the install above) _ntp._udp
# presumably stays unanswered -- confirm before treating that as an error
DOMAIN=fluxcoil.net
NAMESERVER=rhel6u5b.fluxcoil.net
for svc in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
  echo
  dig @"${NAMESERVER}" "${svc}.${DOMAIN}" srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority
done | grep -E -v "^;" | grep -E _

# ..and on clients ensure they also use the replica for DNS!