The IdM server is an integrated authentication server.
Figure 1.1. The IdM Server: Unifying Services
Authentication: Kerberos KDC
Kerberos uses symmetric-key encryption to issue a ticket to the user; a Kerberos-aware service then validates the ticket to verify the user's identity.
Data storage: Red Hat Directory Server
The directory service stores all Kerberos data, user accounts, user groups, system services, host policies, DNS information, and other data.
Authentication: Red Hat Certificate System
Certificate System is the certificate authority that issues and manages the certificates used by IdM hosts and services.
Server/client discovery: DNS
Domain Name System (DNS): name resolution. IdM clients use DNS SRV records to locate IdM servers.
Management: SSSD
System Security Services Daemon (SSSD): the client-side daemon that performs identity lookups and authentication against the IdM server and caches credentials so users can still log in while the server is unreachable.
Management: NTP
Network Time Protocol (NTP): network time synchronization. Kerberos rejects tickets when clocks differ by more than the permitted skew (5 minutes by default), so time synchronization is a hard requirement, not a convenience.
Figure 1.2. Server and Replica Interactions
Figure 1.3. Server and Client Interactions
Figure 1.4. Interactions between IdM Services
Part I. Installing the IdM Server
Recommended hardware configuration:
- 10,000 users and 100 user groups: at least 2 GB of RAM and a 1 GB swap partition.
- 100,000 users and 50,000 user groups: at least 16 GB of RAM and a 4 GB swap partition.
Software requirements:
Package: ipa-server
If the IdM server is to provide the integrated DNS service, also install the bind and bind-dyndb-ldap packages.
Check the machine name
The machine name must be a fully qualified domain name (lower-case, valid DNS characters only; see the --hostname rules in Table 3.1). Verify it with:
[root@server ~]# hostname
server.example.com
Open the required ports
Table 2.1. IdM Ports
Service | Ports | Type
HTTP/HTTPS | 80, 443 | TCP
LDAP/LDAPS | 389, 636 | TCP
Kerberos | 88, 464 | TCP and UDP
DNS | 53 | TCP and UDP
NTP | 123 | UDP
Port 53 is only needed when the integrated DNS service is installed, and 123/udp only when the server is to serve time to clients.
First, make sure the firewalld service is enabled at boot and running:
[root@server ~]# systemctl enable firewalld.service
Check the firewalld service status (start it with systemctl start firewalld.service if it is inactive):
[root@server ~]# systemctl status firewalld.service
Open the ports the IdM server needs (from Table 2.1; the {...} list relies on bash brace expansion):
[root@server ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
Reload the firewall rules for the change to take effect:
[root@server ~]# firewall-cmd --reload
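The pre-install checks above (host name rules, name resolution, firewalld ports) collected into one script. This is an added example, not part of the Red Hat procedure: the function names, the IDM_HOST and APPLY variables, the dry-run behaviour (commands are printed unless APPLY=1) and the use of getent for the resolution check are this script's own choices; the port list is Table 2.1 and the host name rules are those given for --hostname in Table 3.1.

```shell
#!/bin/sh
# Pre-flight checks for an IdM server host before running ipa-server-install.
# Added example, not from the Red Hat documentation. Assumptions: the port
# list is Table 2.1; commands are only printed unless APPLY=1 (then run as
# root); the host to check is taken from the IDM_HOST environment variable.
export LC_ALL=C   # ASCII semantics for [a-z] regardless of the caller's locale

# Host name rules from the --hostname description: fully qualified, all
# lower-case, labels of a-z, 0-9 and '-' only, no label starting/ending in '-'.
check_fqdn() {
    if printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'; then
        return 0
    fi
    echo "invalid IdM host name '$1': must be a lower-case FQDN of a-z, 0-9 and '-' only" >&2
    return 1
}

# The name must resolve, and its address must resolve back to the same name;
# a forward/reverse mismatch is a classic cause of Kerberos and DNS install
# failures. getent consults /etc/hosts as well as DNS. (Needs a real host.)
check_resolution() {
    addr=$(getent hosts "$1" | awk 'NR==1{print $1}')
    [ -n "$addr" ] || { echo "$1 does not resolve" >&2; return 1; }
    rev=$(getent hosts "$addr" | awk 'NR==1{print $2}')
    [ "$rev" = "$1" ] || { echo "$addr resolves back to '$rev', not '$1'" >&2; return 1; }
}

# Dry-run wrapper: print the command, and execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Table 2.1 as firewalld port specs. 53/tcp and 53/udp matter only with
# --setup-dns, and 123/udp only if this server is to serve NTP to clients.
idm_port_spec() {
    printf '%s' '80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp'
}

# The --add-port={...} form on the page relies on bash brace expansion; in
# plain sh add one port per call instead, then reload so the rules apply.
open_idm_ports() {
    for spec in $(idm_port_spec | tr ',' ' '); do
        run firewall-cmd --permanent --add-port="$spec"
    done
    run firewall-cmd --reload
}

# Usage: IDM_HOST=server.example.com sh idm-preflight.sh   (add APPLY=1 as root)
if [ -n "${IDM_HOST:-}" ]; then
    check_fqdn "$IDM_HOST" && check_resolution "$IDM_HOST" && open_idm_ports
fi
```

Run it once without APPLY to review the exact firewall-cmd calls it would make, then with APPLY=1 as root to apply them; a failed check_resolution is worth fixing in /etc/hosts or DNS before starting ipa-server-install, since the installer will hit the same mismatch.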
Installing the IdM Server
Install the packages:
[root@server ~]# yum install ipa-server bind bind-dyndb-ldap
Start the IdM server installation script:
[root@server ~]# ipa-server-install
The installation script sets up all the services required for the IdM domain:
- The Network Time Daemon (ntpd)
- A Red Hat Directory Server instance
- A Kerberos Key Distribution Center (KDC)
- An Apache HTTP server instance (httpd)
- An updated SELinux targeted policy
- The Active Directory WinSync plug-in
- Optional: a Certificate Authority (CA)
- Optional: a Domain Name Service (DNS) server
Table 3.1. ipa-server-install parameters
Argument | Description
-a ipa_admin_password | The password for the IdM administrator. The admin user uses it to authenticate to the Kerberos realm.
--hostname=host_name | The fully qualified domain name of the IdM server machine. IMPORTANT: the FQDN must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
-n domain_name | The DNS domain name for the IdM domain. This is usually derived from the IdM server's host name.
-p directory_manager_password | The password for the Directory Server superuser, cn=Directory Manager.
-P kerberos_master_password | The Kerberos master password, which protects the KDC database. It is randomly generated if no value is given.
-r realm_name | The name of the Kerberos realm to create for the IdM domain (by convention the domain name in upper case).
--subject=subject_dn | Sets the base element for the subject DN of the issued certificates. Defaults to O=realm.
--forwarder=forwarder | Gives a DNS forwarder to use with the DNS service. To specify more than one forwarder, use this option multiple times.
--no-forwarders | Uses the root servers with the DNS service instead of forwarders.
--no-reverse | Does not create a reverse DNS zone when the DNS domain is set up. (If a reverse DNS zone is already configured, the existing zone is used.) Without this option, the installation script configures reverse DNS.
--setup-dns | Tells the installation script to set up a DNS service within the IdM domain. The integrated DNS service is optional; if this option is not passed, no DNS is configured.
--idmax=number --idstart=number | Sets the range of IDs that the IdM server can assign. See Section 10.8.2, "ID Range Assignments During Installation", for details.
--ip-address | Specifies the IP address of the server. When passed to ipa-server-install, this option accepts only IP addresses associated with a local interface.
Use the admin credentials to verify that the Kerberos realm works (kinit prompts for the password set with -a):
[root@server ~]# kinit admin
Non-interactive installation
-r sets the Kerberos realm name (by convention the domain in upper case)
-p sets the Directory Manager (DM, the Directory Server superuser) password
-a sets the IdM server administrator password
-U runs the installation unattended, with no prompts
[root@server ~]# ipa-server-install -r EXAMPLE.COM -p dm_password -a admin_password -U
Passwords given on the command line are visible to other local users in the process list while the installer runs and are recorded in the shell history, so run this on a host with no untrusted logins and clear the history afterwards.
Installing IdM with an external CA
The first run generates a certificate signing request (CSR) in /root/ipa.csr; submit it to the external CA:
[root@server ~]# ipa-server-install --external-ca
Retrieve the issued certificate and the external CA's certificate chain, then run ipa-server-install again with both files (the option is repeated, once per file):
[root@server ~]# ipa-server-install --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem
Installing without a CA
No certificate authority is installed; the certificates and private keys for the HTTP and Directory Server services, and the certificate of the CA that issued them, are supplied by the administrator:
[root@server ~]# ipa-server-install --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --dirsrv-cert-file /tmp/server.crt --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --ca-cert-file ca.crt
Installing a CA certificate manually
[root@server ~]# ipa-cacert-manage install /etc/group/cert.pem
Installing with an integrated DNS service interactively
[root@server ~]# ipa-server-install --setup-dns
Installing with an integrated DNS service non-interactively
--forwarder configures a DNS forwarder (repeat the option for more than one)
--no-reverse does not create a reverse DNS zone
[root@server ~]# ipa-server-install --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0 --no-reverse
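The unattended install (-r, -p, -a, -U) and the integrated-DNS options (--setup-dns, --forwarder, --no-reverse) from the two sections above, combined into one script that validates its inputs before calling ipa-server-install. This is an added example, not from the Red Hat documentation: the environment variable names IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD, the NO_REVERSE and APPLY switches and the dry-run printing are this script's own conventions; the option names are the real ipa-server-install ones listed in Table 3.1.

```shell
#!/bin/sh
# Assemble and (optionally) run the unattended ipa-server-install with the
# integrated-DNS options, validating inputs first. Added example, not from
# the Red Hat documentation. Assumptions: passwords come from the environment
# variables IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD (names chosen here);
# NO_REVERSE=1 adds --no-reverse; the command only executes when APPLY=1.
export LC_ALL=C

# IdM domain: a lower-case DNS name, same character rules as the host name.
is_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Kerberos realm: by convention the IdM domain in upper case.
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# A DNS forwarder must be a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# build_server_install DOMAIN FORWARDER...  prints the command line. The
# passwords stay as the literal "$IPA_DM_PASSWORD"/"$IPA_ADMIN_PASSWORD" so
# the printed line is safe to review or log; run_server_install expands them.
build_server_install() {
    domain=$1; shift
    is_domain "$domain" || { echo "invalid IdM domain '$domain'" >&2; return 1; }
    [ $# -ge 1 ] || { echo "give at least one forwarder (or use --no-forwarders)" >&2; return 1; }
    cmd="ipa-server-install -U -r $(realm_for_domain "$domain") -n $domain"
    cmd="$cmd -p \"\$IPA_DM_PASSWORD\" -a \"\$IPA_ADMIN_PASSWORD\" --setup-dns"
    for fw in "$@"; do
        is_ipv4 "$fw" || { echo "invalid forwarder '$fw'" >&2; return 1; }
        cmd="$cmd --forwarder=$fw"
    done
    if [ "${NO_REVERSE:-0}" = 1 ]; then cmd="$cmd --no-reverse"; fi
    printf '%s\n' "$cmd"
}

# Even unattended, the passwords end up in the argv of ipa-server-install and
# are visible in ps / /proc/PID/cmdline to every local user while it runs, so
# do this on a host with no untrusted logins and keep them out of shell history.
run_server_install() {
    cmd=$(build_server_install "$@") || return 1
    if [ -z "${IPA_DM_PASSWORD:-}" ] || [ -z "${IPA_ADMIN_PASSWORD:-}" ]; then
        echo "set IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD first" >&2; return 1
    fi
    printf 'running: %s\n' "$cmd"
    if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
}
```

Typical use is `build_server_install example.com 1.2.3.0 1.2.255.0` to review the command line, then `IPA_DM_PASSWORD=... IPA_ADMIN_PASSWORD=... APPLY=1 run_server_install example.com 1.2.3.0 1.2.255.0` as root; eval expands the two password variables at execution time, and the expanded values are not re-parsed, so passwords containing spaces or shell metacharacters are passed intact.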
Installing the IdM Client
First, make sure the firewalld service is enabled at boot and running:
[root@client ~]# systemctl enable firewalld.service
Ports the IdM client needs (the same set as Table 2.1; the client must be able to reach the server on them. Opening them on the client's own firewall, as below, only affects inbound connections, since firewalld does not filter outbound traffic by default):
[root@client ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
Reload the firewall rules for the change to take effect:
[root@client ~]# firewall-cmd --reload
Installing the IdM Client
On an ordinary user machine:
[root@client ~]# yum install ipa-client
On an administrator's machine, install the IdM management tools (ipa-admintools) at the same time:
[root@client ~]# yum install ipa-client ipa-admintools
Parameters:
--no-nisdomain: do not set the NIS domain name
--nisdomain: set a custom NIS domain name
--no-sudo: do not configure sudo to use IdM
--enable-dns-updates: register the client's IP address in DNS and keep the record updated when it changes
--domain: the DNS domain name (also used for SRV-record discovery of IdM servers)
--server: the fully qualified name of the IdM server
--realm: the Kerberos realm name
-p, --principal: the Kerberos principal used to join the client to the domain
--fixed-primary: always use the specified server as the primary IdM server instead of one found through DNS SRV discovery
--noac: do not use authconfig to configure the system
--no-sss: do not configure SSSD
--no-krb5-offline-passwords: do not let SSSD cache user passwords for offline logins
Example: register the client's IP address in DNS and keep it updated
[root@client ~]# ipa-client-install --enable-dns-updates
RHEL 7: Configuring the IdM Server