snippets:linux_quickshotsetups:ipa_server_rhel7 [2022/08/23 09:24] – [creating a IdM replica] chris | snippets:linux_quickshotsetups:ipa_server_rhel7 [2022/11/13 12:06] – external edit 127.0.0.1 | ||
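--- a/snippets:linux_quickshotsetups:ipa_server_rhel7
+++ b/snippets:linux_quickshotsetups:ipa_server_rhel7
@@ -0,0 +1,134 @@
+===== What? =====
+Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL7.7+.
+===== ipa setup on rhel =====
+  * [[https://
+
+<
+# use at least rhel7 or rhel8.
+hostnamectl set-hostname rhel7u7a.fluxcoil.net.local
+vi /etc/hosts
+# now ensure proper entry, i.e.
+192.168.4.2 rhel7u7a.fluxcoil.net.local rhel7u7a
+
+yum -y install ipa-server bind bind-dyndb-ldap ipa-server-dns
+ 
+ipa-server-install --realm=FLUXCOIL.NET.LOCAL --domain=fluxcoil.net.local \
+   --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
+   --admin-password=redhat12 --hostname=$(hostname -f) --idstart=10000 \
+   --zonemgr=me@example.org --ip-address=$(ip addr s dev eth0 \
+   |grep 'inet '|sed -e '
+
+kinit admin
+
+# ensure the openldap-client tools will trust the ca cert
+# FreeIPA 4.x have also ipa-client-install
+mkdir -p /
+cp /
+cacertdir_rehash /
+export LDAPTLS_CACERT=/
+
+# create the first user
+USER=chorn
+PASS=redhat12
+ipa user-add $USER --first Test --last User
+echo "
+ldappasswd -D uid=$USER,
+   -H ldap://
+
+# to login using the web interface
+yum -y install firefox xauth
+yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e '
+
+# log out and log in again, to have xauth properly setup
+
+firefox
+# surf to '
+# follow instructions to import the cert, then you will access
+# the ipa webinterface
+
+# verify plain ldap works
+# plain admin
+ldapsearch -x -b dc=fluxcoil,
+   -D uid=admin,
+# plain chorn user
+ldapsearch -x -b dc=fluxcoil,
+   -D uid=chorn,
+# TLS chorn user
+ldapsearch -x -b dc=fluxcoil,
+   -D uid=chorn,
+
+# to retrieve the cacert:
+wget http://
+
+# using ldapsearch
+ldapsearch -D "
+</
+
+===== create users automated =====
+<
+cat >
+#!/bin/bash
+ipa user-add --first $1 --last $1 $1
+echo '
+EOT
+
+chmod +x createuser.sh
+for i in $(seq 2 2000); do
+   ./
+done
+</
+
+===== create users automated (from Simo) =====
+<
+# requires you kinit as admin first):
+
+---------------------------------------------------------------------------------
+#!/bin/bash
+
+# Pass user name as first argument and password as second argument
+
+ipa user-add $1 --first Test --last User
+echo "
+ldappasswd -D uid=$1,
+---------------------------------------------------------------------------------
+
+# In this example no escaping is performed, so you'll need to add it to user
+# names/
+</
+
+===== set a new users password so he has not to change it =====
+<
+# requires you kinit as admin first):
+
+cp /
+cacertdir_rehash /
+
+USER=chorn4
+ipa user-add $USER --first Test --last User
+echo "
+ldappasswd -D uid=$USER,
+</
+
+===== creating a IdM replica =====
+  * https://
+<
+# rhel7u6a will be the replica.
+yum install -y ipa-server bind bind-dyndb-ldap
+echo '
+echo '
+ipa-client-install
+ipa-replica-install
+
+
+# verify DNS is ok
+DOMAIN=fluxcoil.net.local
+NAMESERVER=rhel7u6b.fluxcoil.net.local
+for i in _ldap._tcp _kerberos._tcp _kerberos._udp \
+   _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \
+   echo "";
+   dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \
+      +nocomments +nostats +noaa +noadditional +noauthority;
+done | egrep -v "
+
+# ..and on clients ensure they also access the replica for DNS!
+</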
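Review bot: The directory-server and admin passwords on the `ipa-server-install` line (`--ds-password=redhat12 --admin-password=redhat12`) are passed as argv, so they land in shell history and are readable by any local user via `ps` for the duration of the install; leaving both options out makes the installer prompt for them instead. The same literal is reused as the test users' password in the `ldappasswd` invocations further down, where `ldappasswd -y <bind-password-file> -T <new-password-file>` would keep it off the command line as well. Separately, `ipa user-add $1 ...` and `ipa user-add $USER ...` expand their arguments unquoted, which the comment at the end of the "from Simo" snippet already acknowledges; quoting them (`"$1"`, `"$USER"`) is the minimal fix, and since `USER` is also the login shell's own variable, a name such as `ipa_user` avoids clobbering it for later commands. Because the page itself states this is only for testing and reproducers, a one-line comment above the install command, `# test-only credentials; do not reuse outside a throwaway lab`, would make that explicit where the passwords appear.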