snippets:linux_quickshotsetups:ipa_server_rhel7
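--- a/snippets/linux_quickshotsetups/ipa_server_rhel7.txt
+++ b/snippets/linux_quickshotsetups/ipa_server_rhel7.txt
@@ -1 +1,135 @@
+===== What? =====
+Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL7.7+.
 
+===== ipa setup on rhel =====
+  * [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html|product documentation: IdM rhel7]]
+
+<code>
+# use at least rhel7 or rhel8.
+hostnamectl set-hostname rhel7u7a.fluxcoil.net.local
+vi /etc/hosts
+# now ensure proper entry, i.e.
+192.168.4.2 rhel7u7a.fluxcoil.net.local rhel7u7a
+
+yum -y install ipa-server bind bind-dyndb-ldap ipa-server-dns
+  
+ipa-server-install --realm=FLUXCOIL.NET.LOCAL --domain=fluxcoil.net.local \
+  --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
+  --admin-password=redhat12 --hostname=$(hostname -f) --idstart=10000 \
+  --zonemgr=me@example.org --ip-address=$(ip addr s dev eth0 \
+  |grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,') --no-forwarders -U
+
+kinit admin
+
+# ensure the openldap-client tools will trust the ca cert
+# FreeIPA 4.x have also ipa-client-install
+mkdir -p /etc/openldap/cacerts
+cp /etc/ipa/ca.crt /etc/openldap/cacerts
+cacertdir_rehash /etc/openldap/cacerts
+export LDAPTLS_CACERT=/etc/ipa/ca.crt
+
+# create the first user
+USER=chorn
+PASS=redhat12
+ipa user-add $USER --first Test --last User
+echo "test" | ipa passwd $USER
+ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local \
+  -H ldap://$(hostname -f) -w test -a test -ZZZ -s $PASS
+
+# to login using the web interface
+yum -y install firefox xauth
+yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')
+
+# log out and log in again, to have xauth properly setup
+
+firefox
+# surf to 'localhost', you will get redirected
+# follow instructions to import the cert, then you will access
+# the ipa webinterface
+
+# verify plain ldap works
+# plain admin
+ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
+  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local
+# plain chorn user
+ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
+  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local
+# TLS chorn user
+ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
+  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local -ZZZ
+
+# to retrieve the cacert:
+wget http://rhel7u2a.fluxcoil.net.local/ipa/config/ca.crt
+
+# using ldapsearch
+ldapsearch -D "cn=directory manager" -w redhat12 -b "cn=config"
+</code>
+
+===== create users automated =====
+<code>
+cat >createuser.sh <<EOT
+#!/bin/bash
+ipa user-add --first $1 --last $1 $1
+echo 'redhat12' | ipa passwd $1 --
+EOT
+
+chmod +x createuser.sh
+for i in $(seq 2 2000); do 
+  ./createuser.sh user$i; 
+done
+</code>
+
+===== create users automated (from Simo) =====
+<code>
+# requires you kinit as admin first):
+
+---------------------------------------------------------------------------------
+#!/bin/bash
+
+# Pass user name as first argument and password as second argument
+
+ipa user-add $1 --first Test --last User
+echo "test" | ipa passwd $1
+ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org,dc=local -w test -a test -s $2
+---------------------------------------------------------------------------------
+
+# In this example no escaping is performed, so you'll need to add it to user 
+# names/password if you want to use characters that may cause shell expansion.
+</code>
+
+===== set a new users password so he has not to change it =====
+<code>
+# requires you kinit as admin first):
+
+cp /etc/ipa/ca.crt /etc/openldap/cacerts/
+cacertdir_rehash /etc/openldap/cacerts/
+
+USER=chorn4
+ipa user-add $USER --first Test --last User
+echo "test" | ipa passwd $USER
+ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ
+</code>
+
+===== creating a IdM replica =====
+  * https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html
+<code>
+# rhel7u6a will be the replica.
+yum install -y ipa-server bind bind-dyndb-ldap
+echo 'search fluxcoil.net.local' >/etc/resolv.conf
+echo 'nameserver 192.168.4.29' >>/etc/resolv.conf
+ipa-client-install
+ipa-replica-install
+
+
+# verify DNS is ok
+DOMAIN=fluxcoil.net.local
+NAMESERVER=rhel7u6b.fluxcoil.net.local
+for i in _ldap._tcp _kerberos._tcp _kerberos._udp \
+  _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \
+  echo ""; \
+  dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \
+    +nocomments +nostats +noaa +noadditional +noauthority; \
+    done | egrep -v "^;" | egrep _
+
+# ..and on clients ensure they also access the replica for DNS!
+</code>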
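Review bot: The heredoc in the "create users automated" section, `cat >createuser.sh <<EOT`, uses an unquoted delimiter, so the `$1` on the two following lines is expanded by the interactive shell that writes the file (to its own first positional parameter, normally empty) instead of being written literally, and the generated createuser.sh then runs `ipa user-add --first --last` with no user name at all; quoting the delimiter, `cat >createuser.sh <<'EOT'`, keeps `$1` intact for the script. The same section and the "from Simo" and "set a new users password" snippets also pass bind and new passwords via `-w`/`-s` on the ldappasswd and ldapsearch command lines, where they are readable in `ps` output and shell history; the prompting forms `-W`/`-S` or `-y <passwordfile>` keep them off argv, which fits the existing caveat that no escaping is performed on user names or passwords. The `wget http://rhel7u2a.fluxcoil.net.local/ipa/config/ca.crt` line retrieves the CA certificate over cleartext with no integrity check; an enrolled host already has it at `/etc/ipa/ca.crt` (as the `cp /etc/ipa/ca.crt` lines above use), and a copy fetched this way should have its fingerprint compared against the server's before being placed in `/etc/openldap/cacerts`.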