gops: Enterprise-level centralized identity authentication and authorization management practice with FreeIPA

Source: Internet
Author: User
Tags: gpg, ldap, centos, fully qualified domain name, kinit

I. Background
As the company's servers, services and users keep growing, the old approach of managing users and sudo authorization on each machine separately no longer meets development needs. Enterprise-level centralized authentication and authorization management (LDAP, Kerberos, CA, DNS, sudo, password policy) is required, for three reasons:
1. It makes large-scale centralized management easier.
2. It enables single sign-on (SSO).
3. Combined with a bastion host, it gives two levels of authorization and two levels of audit.

After a brief investigation, FreeIPA turned out to be a good choice:
1. All in one: everything I need is already integrated, a few commands finish the job, and there is no need to configure each component one by one, which saves a lot of deployment time.
2. Red Hat stands behind the open-source project; it is the open-source version of IdM, so continued maintenance is guaranteed.
3. It supports multi-master replication, avoiding a single point of failure; an enterprise-class application must consider high availability.
4. Rich interfaces: Web UI, CLI and API.
5. Clients can register with the IPA server automatically (combined with kickstart or a post-script; this is introduced in this article).

FreeIPA official website: http://www.freeipa.org/

II. FreeIPA's official recommendations for production deployment
Original: http://www.freeipa.org/page/Deployment_Recommendations

Main points of the production deployment recommendations:
1. The domain name is the basis of Kerberos. To avoid domain conflicts, plan the naming scheme before building. Use a domain you hold administrative authority over, even for intranet-only use; a domain you do not control, such as baidu.com, is not a good choice.
2. FreeIPA can only be built from scratch: you cannot set it up in a test environment, change the domain name, and then use it in production.
3. The integrated DNS server is recommended. An external DNS server can be used, but the configuration is more complex and more error-prone.
4. For performance and stability, do not install other applications on the FreeIPA server.
5. Multi-master replication: depending on size and access frequency, 2-3 replicas per data center are recommended, but not more than 4.
6. Clients need at least 2 DNS servers configured for redundancy.
7. Backup and recovery: different scenarios have different methods, and they are fairly complex; a simple and feasible approach is to build on virtual machines and take regular snapshots.
http://www.freeipa.org/page/Backup_and_Restore

III. Specific deployment environment and architecture
1. Deployment environment:
FreeIPA server: Fedora Server 23
FreeIPA version: 4.2.4
Client host: CentOS 6.5
Network environment: intranet only; the FreeIPA server is not exposed externally
Domain name: example.com (not recommended, because example.com is not a domain I registered, but for intranet use it does not matter)

2. Architecture: multi-master replication
freeipa101.example.com
freeipa102.example.com

3. The company runs CentOS, so why is FreeIPA not deployed on CentOS?
Installing on CentOS 6 causes all kinds of problems, and the FreeIPA version there is older. To simplify the installation steps, Fedora Server 23 was used.
On CentOS 6 the IPA server could not be installed successfully even after applying the known workarounds, so I eventually gave up and moved to Fedora.


IV. Basic system preparation for the FreeIPA server
1. Install Fedora Server 23, preferably in a virtual machine; the benefits are obvious.
2. Update the system:
yum update
3. Set the fully qualified hostname and configure /etc/hosts:
[root@freeipa101 ~]# hostname
freeipa101.example.com
[root@freeipa101 ~]# more /etc/hosts
192.168.0.101 freeipa101.example.com freeipa101

4. Set the DNS server to freeipa101:
more /etc/resolv.conf
nameserver 192.168.0.101

5. To avoid unnecessary trouble, stop the firewall and disable it at boot:
systemctl stop firewalld
systemctl disable firewalld (on Fedora, disabling firewalld does not seem to keep it off after a reboot; everyone should double-check the firewall state)

6. Take a VM snapshot (omitted)

V. Installation of the main FreeIPA server
[root@freeipa101 ~]# yum install freeipa-server freeipa-server-dns -y

Test: [root@freeipa101 ~]# ldapsearch -x -b "dc=example,dc=com"

Take a VM snapshot once the test passes.

VI. Installation and configuration of the replica IPA server
[root@freeipa102 ~]# yum install freeipa-server freeipa-server-dns -y
The replica IPA server does not run ipa-server-install.

Multi-master replication in IPA is also great:
1. On the master freeipa101, create the replica information file:
[root@freeipa101 ~]# ipa-replica-prepare freeipa102.example.com --ip-address 192.168.0.102

2. Copy the info file to the replica IPA server with scp:
[root@freeipa101 ~]# scp /var/lib/ipa/replica-info-freeipa102.example.com.gpg freeipa102.example.com:/var/lib/ipa/

3. On the replica IPA server:
[root@freeipa102 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa102.example.com.gpg

4. Login test: open https://freeipa102.example.com

Block freeipa101's ports with iptables, or shut it down, and test whether freeipa102 still works (login and so on); then do the same the other way round. There is not much more to say about high availability; I simulated it several times.

VII. Several big pitfalls encountered during installation and configuration
Pitfall 1:
The hostname's fully qualified domain name must not contain underscores, but hyphens are allowed.
Fully qualified hostname: freeipa101.example.com
Unqualified hostname: freeipa101
This is caused by history: the old server hostnames were not fully qualified domain names and contained underscores, which FreeIPA does not support.

Pitfall 2:
When installing the IPA server:
Your system is running out of entropy, you may experience long delays
Because the virtual machine is not very powerful, the system's random device cannot generate enough entropy; the computation steps become unusually slow and may not succeed.

Solution:
yum install -y haveged
systemctl start haveged.service
systemctl stop firewalld

References:
https://www.redhat.com/archives/freeipa-devel/2014-May/msg00459.html
http://blog-ftweedal.rhcloud.com/

Pitfall 3: FreeIPA's services do not start at boot, so a reboot leaves you stuck.
Check the status of each IPA service, and try a restart if a service is not running.
[root@freeipa102 ldapuser1]# ipactl status
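An added example (not from the original post) of turning the check above into a script: it parses ipactl status output, lists every service that is not RUNNING, and on a real server restarts the stack. SAMPLE_STATUS is a constructed sample in the format ipactl status prints, so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): parse "ipactl status" output,
# report the IPA services that are not RUNNING and, on a real server, restart
# the stack. SAMPLE_STATUS is a constructed sample in ipactl's output format.
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
named Service: RUNNING
httpd Service: RUNNING
ipa-otpd Service: STOPPED'

# Print the name of every service whose state is not RUNNING, one per line.
stopped_services() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "RUNNING" { sub(/ Service$/, "", $1); print $1 }'
}

# Succeed only when no service is stopped.
all_running() {
    [ -z "$(stopped_services "$1")" ]
}

# Use the live ipactl output when the tool exists, otherwise the sample.
# A service found stopped after a reboot is exactly the pitfall 3 symptom.
check_ipa() {
    if command -v ipactl >/dev/null 2>&1; then
        status=$(ipactl status)
    else
        status=$SAMPLE_STATUS
    fi
    if all_running "$status"; then
        echo "all IPA services running"
        return 0
    fi
    echo "not running:"
    stopped_services "$status"
    if command -v ipactl >/dev/null 2>&1; then
        ipactl restart
    fi
}
```

Run check_ipa from cron or a post-boot unit to catch the stopped-after-reboot case before users hit login failures.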

VIII. Manually configure a client host to join the FreeIPA server:
1. Install the IPA client package:
[root@client ~]# yum install ipa-client

2. Set DNS to 192.168.0.101 in /etc/resolv.conf

3. Install (do not specify too many parameters; the client can discover the server automatically):
[root@client ~]# ipa-client-install --enable-dns-updates --mkhomedir

4. Test:
[jsmith@client ~]$ id
[jsmith@client ~]$ getent passwd admin
[jsmith@client ~]$ getent group admins

5. If you prefer, you can also install the IPA and LDAP management tools:
yum install ipa-client ipa-admintools openldap-clients -y
yum install nss-pam-ldapd

IX. Automatically register a client with the FreeIPA server
After installation completes, run a post script via kickstart:
1. Pre-create the host entry and a one-time password on the IPA server (the password expires after registration):
ipa host-add client1.example.com --password=secret
2. Install ipa-client
3. Register:
ipa-client-install --domain=example.com --enable-dns-updates --mkhomedir -w secret --realm=example.com --server=freeipa101.example.com --hostname=client1.example.com --unattended

Disadvantages of the kickstart approach:
Every time a new host is added, the admin needs to create the host on the IPA server in advance, which makes fully automated registration difficult.

Fully automated client registration:
Use an enrollment account whose only purpose is registering hosts.
After creating the new account autoenroll, you need to log in to the Web UI once and update its password.
Steps to create the enrollment account in the Web UI:
Under IPA Server, Role Based Access Control, add a role named Enroll, grant it the Host Enrollment privilege, and add the user autoenroll as the member that receives this permission.
The Host Enrollment privilege needs only the single permission Add Hosts.
ipa-client-install --enable-dns-updates --mkhomedir -p autoenroll -w Passwordxxx -U

Or specify the hostname:
ipa-client-install --enable-dns-updates --mkhomedir --hostname=netpay141.example.com -p autoenroll -w Passwordxxx -U

Specifying the FreeIPA server parameters is not recommended, because a client registered that way does not support automatic failover between IPA servers:
ipa-client-install --enable-dns-updates --mkhomedir --domain=example.com --server=freeipa101.example.com -p autoenroll -w Passwordxxx -U

Minor problems:
Registration did not work automatically at first, because:
1. DNS was not configured.
2. The autoenroll permissions were not correct; after resetting the permissions, the cache needs a while before they take effect.
3. After the network interface restarted, the DNS settings reverted to the original configuration, because DNS was written in the interface configuration file and NetworkManager was enabled.
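An added example (not from the original post) of a kickstart %post-style helper covering both registration procedures in this section: it checks the two preconditions the post calls out (a nameserver in resolv.conf, and a hostname FreeIPA accepts: FQDN, hyphens allowed, no underscores) and builds the ipa-client-install command for either the one-time-password mode or the autoenroll account. The domain, the autoenroll account and the hostnames are the post's; the uppercase realm EXAMPLE.COM is the Kerberos convention assumed here, and all secrets are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the preconditions for
# client enrollment and builds the ipa-client-install command line; realm
# EXAMPLE.COM is the assumed conventional uppercase form of example.com.
set -eu

# True when the given resolv.conf has at least one nameserver line
# (the post's first cause of failed auto-registration was missing DNS).
dns_configured() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9.]+' "$1"
}

# True for an FQDN of hyphen-safe labels; underscores and bare names are rejected.
valid_ipa_hostname() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Print the enrollment command. Mode "otp" uses the one-time password created
# with "ipa host-add --password"; mode "principal" uses the autoenroll account.
# No --server is passed, so the client keeps DNS-based failover between
# freeipa101 and freeipa102 (the post warns against pinning one server).
build_enroll_cmd() {
    mode=$1; host=$2; secret=$3
    valid_ipa_hostname "$host" || { echo "rejected hostname: $host" >&2; return 1; }
    common="ipa-client-install --unattended --enable-dns-updates --mkhomedir"
    common="$common --domain=example.com --realm=EXAMPLE.COM --hostname=$host"
    case "$mode" in
        otp)       printf '%s -w %s\n' "$common" "$secret" ;;
        principal) printf '%s -p autoenroll -w %s\n' "$common" "$secret" ;;
        *)         echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Enroll only when DNS is set and the client package is present; otherwise
# print the command, which is what a dry run of the kickstart %post needs.
enroll() {
    dns_configured /etc/resolv.conf || { echo "no nameserver in /etc/resolv.conf" >&2; return 1; }
    cmd=$(build_enroll_cmd "$@") || return 1
    if command -v ipa-client-install >/dev/null 2>&1; then
        $cmd
    else
        echo "dry-run: $cmd"
    fi
}
```

Call it as enroll otp client1.example.com secret or enroll principal netpay141.example.com Passwordxxx from the %post section.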

X. User password changes and password policy:
Special reminder: FreeIPA's password policy forces a new user to change the password at first login.
Users can change their password on any machine registered with FreeIPA:
passwd username

You can also log in to the FreeIPA Web UI and change the password there.

XI. sudo permission control: look at the Web page yourself; it is very practical and very simple.

XII. Automount of user home directories
Not implemented yet; a cool feature.

XIII. Two-factor authentication (OTP)
Not implemented yet; a very nice feature.

XIV. The client's SSSD supports a primary server and backups
In /etc/sssd/sssd.conf the IPA provider's server list is:
ipa_server = _srv_, freeipa101.example.com, freeipa102.example.com
(_srv_ means servers are discovered from DNS SRV records first, then the listed hosts are used as fallbacks.)

A small error caused by time synchronization
Be sure to synchronize the time on all servers:
[ldapuser1@admin40 ~]$ kinit
Password for ldapuser1@example.com:
kinit: Clock skew too great while getting initial credentials



Highly recommended:

A FreeIPA Q&A: http://www.0zu.net/freeipa/freeipa-qa.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

