snippets:linux_quickshotsetups:ipa_server_rhel8 [2023/06/01 05:06] – [creating a IdM replica] chris | snippets:linux_quickshotsetups:ipa_server_rhel8 [2024/06/10 05:15] (current) – [What?] chris | ||
Line 1: | Line 1: | ||
+ | ===== What? ===== | ||
+ | Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL8. | ||
+ | ===== ipa setup on rhel ===== | ||
+ | * [[https:// | ||
+ | |||
+ | < | ||
+ | export LC_ALL=" | ||
+ | |||
+ | # use atleast rhel8. | ||
+ | hostnamectl set-hostname rhel8u4a.fluxcoil.net | ||
+ | |||
+ | vi /etc/hosts | ||
+ | # now ensure proper entry, i.e. | ||
+ | 192.168.4.2 rhel8u4a.fluxcoil.net rhel8u4a | ||
+ | |||
+ | yum module -y enable idm:DL1 | ||
+ | yum distro-sync -y | ||
+ | yum module -y install idm:DL1/dns | ||
+ | |||
+ | MYIP=$(ip addr s dev eth0 | grep 'inet '|sed -e ' | ||
+ | MYIP=$(ip addr s dev enp1s0| grep 'inet '|sed -e ' | ||
+ | echo $MYIP | ||
+ | | ||
+ | ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net \ | ||
+ | --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \ | ||
+ | --admin-password=redhat12 --hostname=$(hostname -f) --idstart=60010 \ | ||
+ | --zonemgr=me@example.org --ip-address=$MYIP --no-forwarders -U | ||
+ | |||
+ | kinit admin | ||
+ | |||
+ | # ensure the openldap-client tools will trust the ca cert | ||
+ | # FreeIPA 4.x have also ipa-client-install | ||
+ | mkdir -p / | ||
+ | cp / | ||
+ | # export LDAPTLS_CACERT=/ | ||
+ | |||
+ | # create the first user | ||
+ | USER=chorn | ||
+ | PASS=redhat12 | ||
+ | ipa user-add $USER --first Test --last User | ||
+ | echo " | ||
+ | ldappasswd -D uid=$USER, | ||
+ | -H ldap:// | ||
+ | |||
+ | # to login using the web interface | ||
+ | yum -y install firefox xauth | ||
+ | yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e ' | ||
+ | |||
+ | # log out and log in again, to have xauth properly setup | ||
+ | |||
+ | firefox | ||
+ | # surf to ' | ||
+ | # follow instructions to import the cert, then you will access | ||
+ | # the ipa webinterface | ||
+ | |||
+ | # verify plain ldap works | ||
+ | # plain admin | ||
+ | ldapsearch -x -b dc=fluxcoil, | ||
+ | -D uid=admin, | ||
+ | # plain chorn user | ||
+ | ldapsearch -x -b dc=fluxcoil, | ||
+ | -D uid=chorn, | ||
+ | # TLS chorn user | ||
+ | ldapsearch -x -b dc=fluxcoil, | ||
+ | -D uid=chorn, | ||
+ | |||
+ | # to retrieve the cacert: | ||
+ | wget http:// | ||
+ | |||
+ | # using ldapsearch | ||
+ | ldapsearch -D " | ||
+ | </ | ||
+ | |||
+ | ===== create users automated ===== | ||
+ | < | ||
+ | cat > | ||
+ | #!/bin/bash | ||
+ | ipa user-add --first $1 --last $1 $1 | ||
+ | echo ' | ||
+ | EOT | ||
+ | |||
+ | chmod +x createuser.sh | ||
+ | for i in $(seq 2 2000); do | ||
+ | ./ | ||
+ | done | ||
+ | </ | ||
+ | |||
+ | ===== create users automated (from Simo) ===== | ||
+ | < | ||
+ | # requires you kinit as admin first): | ||
+ | |||
+ | --------------------------------------------------------------------------------- | ||
+ | #!/bin/bash | ||
+ | |||
+ | # Pass user name as first argument and password as second argument | ||
+ | |||
+ | ipa user-add $1 --first Test --last User | ||
+ | echo " | ||
+ | ldappasswd -D uid=$1, | ||
+ | --------------------------------------------------------------------------------- | ||
+ | |||
+ | # In this example no escaping is performed, so you'll need to add it to user | ||
+ | # names/ | ||
+ | </ | ||
+ | |||
+ | ===== set a new users password so he has not to change it ===== | ||
+ | < | ||
+ | # requires you kinit as admin first): | ||
+ | |||
+ | cp / | ||
+ | cacertdir_rehash / | ||
+ | |||
+ | USER=chorn4 | ||
+ | ipa user-add $USER --first Test --last User | ||
+ | echo " | ||
+ | ldappasswd -D uid=$USER, | ||
+ | </ | ||
+ | |||
+ | ===== creating a IdM replica ===== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | < | ||
+ | replica$ yum module -y enable idm:DL1 | ||
+ | replica$ yum distro-sync -y | ||
+ | replica$ yum module -y install idm:DL1/dns | ||
+ | |||
+ | replica$ echo ' | ||
+ | replica$ ipa-client-install --enable-dns-updates --force | ||
+ | replica$ ipa-replica-install --setup-ca | ||
+ | |||
+ | # verify DNS is ok | ||
+ | DOMAIN=fluxcoil.net | ||
+ | NAMESERVER=rhel8u4a.fluxcoil.net | ||
+ | for i in _ldap._tcp _kerberos._tcp _kerberos._udp \ | ||
+ | _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \ | ||
+ | echo ""; | ||
+ | dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \ | ||
+ | | ||
+ | done | egrep -v " | ||
+ | |||
+ | # ..and on clients ensure they also access the replica for DNS! | ||
+ | </ |
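Review bot: The `ipa-server-install` call passes `--ds-password=redhat12` and `--admin-password=redhat12` on the command line, and `PASS=redhat12`, the `ldappasswd` lines and the `createuser.sh` helper hand user passwords over the same way, so every one of them lands in the shell history and is readable in `ps` output while the command runs. The page says this is a throwaway test setup, so a short comment next to the install block is enough, e.g. `# passwords are given on the command line for convenience only; omit --ds-password/--admin-password to be prompted, and never reuse these values outside a disposable test host`. In the "create users automated" snippet, `ipa user-add --first $1 --last $1 $1` should quote its arguments, `ipa user-add --first "$1" --last "$1" "$1"`, which the later "from Simo" section already hints at with its note on missing escaping. The `wget http://` line under "to retrieve the cacert" fetches the CA certificate over plaintext; a comment that the file is only trustworthy when the fetch happens on the server itself or is compared against the copy from `/etc/ipa/ca.crt` would help a reader who copies this to a client. The `egrep -v` at the end of the DNS check could be `grep -E -v` since `egrep` is deprecated on RHEL 8 and later.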