snippets:linux_quickshotsetups:ipa_server_rhel8 [2023/06/01 05:13] chrissnippets:linux_quickshotsetups:ipa_server_rhel8 [2024/06/10 05:15] (current) – [What?] chris
Line 1: Line 1:
 +===== What? =====
 +Just some notes on a minimal setup of IdM. This is really only for testing and reproducer setups. This is tested on RHEL8.
  
 +===== ipa setup on rhel =====
 +  * [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index|product documentation: IdM rhel8]]
 +
 +<code>
 +export LC_ALL="C.UTF-8"
 +
 +# use atleast rhel8.
 +hostnamectl set-hostname rhel8u4a.fluxcoil.net
 +
 +vi /etc/hosts
 +# now ensure proper entry, i.e.
 +192.168.4.2 rhel8u4a.fluxcoil.net rhel8u4a
 +
 +yum module -y enable idm:DL1
 +yum distro-sync -y
 +yum module -y install idm:DL1/dns
 +
 +MYIP=$(ip addr s dev eth0  | grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,')
 +MYIP=$(ip addr s dev enp1s0| grep 'inet '|sed -e 's,.*inet ,,' -e 's,/.*,,')
 +echo $MYIP
 +  
 +ipa-server-install --realm=FLUXCOIL.NET --domain=fluxcoil.net \
 +  --no-ntp --ds-password=redhat12 --ssh-trust-dns --setup-dns \
 +  --admin-password=redhat12 --hostname=$(hostname -f) --idstart=60010 \
 +  --zonemgr=me@example.org --ip-address=$MYIP --no-forwarders -U
 +
 +kinit admin
 +
 +# ensure the openldap-client tools will trust the ca cert
 +# FreeIPA 4.x have also ipa-client-install
 +mkdir -p /etc/openldap/cacerts
 +cp /etc/ipa/ca.crt /etc/openldap/cacerts
 +# export LDAPTLS_CACERT=/etc/ipa/ca.crt
 +
 +# create the first user
 +USER=chorn
 +PASS=redhat12
 +ipa user-add $USER --first Test --last User
 +echo "test" | ipa passwd $USER
 +ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net \
 +  -H ldap://$(hostname -f) -w test -a test -ZZZ -s $PASS
 +
 +# to login using the web interface
 +yum -y install firefox xauth
 +yum -y install $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')
 +
 +# log out and log in again, to have xauth properly setup
 +
 +firefox
 +# surf to 'localhost', you will get redirected
 +# follow instructions to import the cert, then you will access
 +# the ipa webinterface
 +
 +# verify plain ldap works
 +# plain admin
 +ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
 +  -D uid=admin,cn=users,cn=accounts,dc=fluxcoil,dc=net
 +# plain chorn user
 +ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
 +  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net
 +# TLS chorn user
 +ldapsearch -x -b dc=fluxcoil,dc=net -h $(hostname -f) -w redhat12 \
 +  -D uid=chorn,cn=users,cn=accounts,dc=fluxcoil,dc=net -ZZZ
 +
 +# to retrieve the cacert:
 +wget http://rhel8a.fluxcoil.net/ipa/config/ca.crt
 +
 +# using ldapsearch
 +ldapsearch -D "cn=directory manager" -w redhat12 -b "cn=config"
 +</code>
 +
 +===== create users automated =====
 +<code>
 +cat >createuser.sh <<EOT
 +#!/bin/bash
 +ipa user-add --first $1 --last $1 $1
 +echo 'redhat12' | ipa passwd $1 --
 +EOT
 +
 +chmod +x createuser.sh
 +for i in $(seq 2 2000); do 
 +  ./createuser.sh user$i; 
 +done
 +</code>
 +
 +===== create users automated (from Simo) =====
 +<code>
 +# requires you kinit as admin first):
 +
 +---------------------------------------------------------------------------------
 +#!/bin/bash
 +
 +# Pass user name as first argument and password as second argument
 +
 +ipa user-add $1 --first Test --last User
 +echo "test" | ipa passwd $1
 +ldappasswd -D uid=$1,cn=users,cn=accounts,dc=example,dc=org -w test -a test -s $2
 +---------------------------------------------------------------------------------
 +
 +# In this example no escaping is performed, so you'll need to add it to user 
 +# names/password if you want to use characters that may cause shell expansion.
 +</code>
 +
 +===== set a new users password so he has not to change it =====
 +<code>
 +# requires you kinit as admin first):
 +
 +cp /etc/ipa/ca.crt /etc/openldap/cacerts/
 +cacertdir_rehash /etc/openldap/cacerts/
 +
 +USER=chorn4
 +ipa user-add $USER --first Test --last User
 +echo "test" | ipa passwd $USER
 +ldappasswd -D uid=$USER,cn=users,cn=accounts,dc=fluxcoil,dc=net -H ldap://rhel6u3b.fluxcoil.net -w test -a test -s redhat42 -ZZ
 +</code>
 +
 +===== creating a IdM replica =====
 +  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index#preparing-the-system-for-ipa-replica-installation_installing-identity-management
 +  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/installing_identity_management/index#installing-an-ipa-replica_installing-identity-management
 +<code>
 +replica$ yum module -y enable idm:DL1
 +replica$ yum distro-sync -y
 +replica$ yum module -y install idm:DL1/dns
 +
 +replica$ echo 'nameserver 192.168.4.22' >/etc/resolv.conf
 +replica$ ipa-client-install --enable-dns-updates --force
 +replica$ ipa-replica-install --setup-ca
 +
 +# verify DNS is ok
 +DOMAIN=fluxcoil.net
 +NAMESERVER=rhel8u4a.fluxcoil.net
 +for i in _ldap._tcp _kerberos._tcp _kerberos._udp \
 +  _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do \
 +  echo ""; \
 +  dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion \
 +     +nocomments +nostats +noaa +noadditional +noauthority; \
 +done | egrep -v "^;" | egrep _
 +
 +# ..and on clients ensure they also access the replica for DNS!
 +</code>
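Review bot: The `ldappasswd -D uid=$USER,... -w test -a test -ZZZ -s $PASS` line and the `ldapsearch ... -w redhat12` verification lines pass bind and new passwords as command-line arguments, so they are visible to any local user through `ps` and are recorded in shell history; the same applies to `--ds-password`/`--admin-password` on the `ipa-server-install` line. The OpenLDAP client tools accept `-W` (prompt for bind password), `-S` (prompt for the new password in ldappasswd) and `-y <pwfile>` (read the bind password from a file, e.g. `-y /path/to/pwfile` as a placeholder), which keeps the argv clean. Separately, `USER=chorn` at the top of the first snippet overwrites the login shell's own `$USER` environment variable for the remainder of the session, which can confuse tools run afterwards; a name such as `IPAUSER=chorn` avoids that collision. The `ldapsearch -x ... -w` checks without `-ZZZ` send the password in cleartext over the wire, which the "plain" comments already imply; spelling that out in the comment, e.g. `# plain bind, cleartext password on the wire - test setup only`, makes it harder to copy into a non-test environment.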