snippets:linux_quickshotsetups:ipa_server_rhel7 [2022/08/23 09:24] – [creating a IdM replica] chrissnippets:linux_quickshotsetups:ipa_server_rhel7 [2022/11/13 12:06] – external edit 127.0.0.1
Line 1: Line 1:
 +===== What? =====
 +Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL7.7+.
  
 +===== ipa setup on rhel =====
 +  * [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html|product documentation: IdM rhel7]]
 +
 +<code>
 +# use at least rhel7 or rhel8.
 +hostnamectl set-hostname rhel7u7a.fluxcoil.net.local
 +vi /etc/hosts
 +# now ensure proper entry, i.e.
 +192.168.4.2 rhel7u7a.fluxcoil.net.local rhel7u7a
 +
 +yum -y install ipa-server bind bind-dyndb-ldap ipa-server-dns
 +  
 +ipa-server-install --realm=FLUXCOIL.NET.LOCAL --domain=fluxcoil.net.local \
 +  --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
 +  --admin-password=redhat12 --hostname=$(hostname -f) --idstart=10000 \
 +  --zonemgr=me@example.org --ip-address=$(ip addr s dev eth0 \
 +  |grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,') --no-forwarders -U
 +
 +kinit admin
 +
 +# ensure the openldap-client tools will trust the ca cert
 +# FreeIPA 4.x have also ipa-client-install
 +mkdir -p /etc/openldap/cacerts
 +cp /etc/ipa/ca.crt /etc/openldap/cacerts
 +cacertdir_rehash /etc/openldap/cacerts
 +export LDAPTLS_CACERT=/etc/ipa/ca.crt
 +
 +# create the first user
 +USER=chorn
 +PASS=redhat12
 +ipa user-add $USER --first Test --last User
 +echo "test" | ipa passwd $USER
 +ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local \
 +  -H ldap://$(hostname -f) -w test -a test -ZZZ -s $PASS
 +
 +# to login using the web interface
 +yum -y install firefox xauth
 +yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')
 +
 +# log out and log in again, to have xauth properly setup
 +
 +firefox
 +# surf to 'localhost', you will get redirected
 +# follow instructions to import the cert, then you will access
 +# the ipa webinterface
 +
 +# verify plain ldap works
 +# plain admin
 +ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
 +  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local
 +# plain chorn user
 +ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
 +  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local
 +# TLS chorn user
 +ldapsearch -x -b dc=fluxcoil,dc=net,dc=local -h $(hostname -f) -w redhat12 \
 +  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local -ZZZ
 +
 +# to retrieve the cacert:
 +wget http://rhel7u2a.fluxcoil.net.local/ipa/config/ca.crt
 +
 +# using ldapsearch
 +ldapsearch -D "cn=directory manager" -w redhat12 -b "cn=config"
 +</code>
 +
 +===== create users automated =====
 +<code>
 +cat >createuser.sh <<EOT
 +#!/bin/bash
 +ipa user-add --first $1 --last $1 $1
 +echo 'redhat12' | ipa passwd $1 --
 +EOT
 +
 +chmod +x createuser.sh
 +for i in $(seq 2 2000); do 
 +  ./createuser.sh user$i; 
 +done
 +</code>
 +
 +===== create users automated (from Simo) =====
 +<code>
 +# requires you kinit as admin first):
 +
 +---------------------------------------------------------------------------------
 +#!/bin/bash
 +
 +# Pass user name as first argument and password as second argument
 +
 +ipa user-add $1 --first Test --last User
 +echo "test" | ipa passwd $1
 +ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org,dc=local -w test -a test -s $2
 +---------------------------------------------------------------------------------
 +
 +# In this example no escaping is performed, so you'll need to add it to user 
 +# names/password if you want to use characters that may cause shell expansion.
 +</code>
 +
 +===== set a new users password so he has not to change it =====
 +<code>
 +# requires you kinit as admin first):
 +
 +cp /etc/ipa/ca.crt /etc/openldap/cacerts/
 +cacertdir_rehash /etc/openldap/cacerts/
 +
 +USER=chorn4
 +ipa user-add $USER --first Test --last User
 +echo "test" | ipa passwd $USER
 +ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net,dc=local -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ
 +</code>
 +
 +===== creating a IdM replica =====
 +  * https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html
 +<code>
 +# rhel7u6a will be the replica.
 +yum install -y ipa-server bind bind-dyndb-ldap
 +echo 'search fluxcoil.net.local' >/etc/resolv.conf
 +echo 'nameserver 192.168.4.29' >>/etc/resolv.conf
 +ipa-client-install
 +ipa-replica-install
 +
 +
 +# verify DNS is ok
 +DOMAIN=fluxcoil.net.local
 +NAMESERVER=rhel7u6b.fluxcoil.net.local
 +for i in _ldap._tcp _kerberos._tcp _kerberos._udp \
 +  _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \
 +  echo ""; \
 +  dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \
 +    +nocomments +nostats +noaa +noadditional +noauthority; \
 +    done | egrep -v "^;" | egrep _
 +
 +# ..and on clients ensure they also access the replica for DNS!
 +</code>
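Review bot: The here-document at `cat >createuser.sh <<EOT` in the "create users automated" section uses an unquoted delimiter, so `$1` on the two lines inside it is expanded by the interactive shell while the file is being written (normally to an empty string) rather than left in the generated script; quoting the delimiter, `cat >createuser.sh <<'EOT'`, keeps `$1` literal so createuser.sh actually receives the user name at run time. Separately, the "verify plain ldap works" searches bind with `-x -w redhat12` over plain `ldap://` without `-ZZZ`, and the `wget http://.../ipa/config/ca.crt` line fetches the trust anchor over unencrypted HTTP, so both the password and the CA certificate travel in cleartext and an on-path attacker could substitute the CA. That is defensible on the isolated reproducer box the "What?" section describes, but a comment such as `# lab only: cleartext bind and CA fetch -- never run against a production realm; compare the fetched ca.crt with /etc/ipa/ca.crt on the server` would stop the snippet being copied elsewhere as-is. The `wget` host `rhel7u2a` also differs from the `rhel7u7a` hostname set at the top, which looks like a leftover from another setup.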