REDHAT7 Configuring the IdM server

Source: Internet
Author: User
Tags: ldap, reverse dns, dns forwarder

The IdM server is an integrated authentication server.

Figure 1.1. The IdM Server: Unifying Services

Authentication: Kerberos KDC

Kerberos uses a symmetric-key encryption algorithm to issue a ticket to the user, and the Kerberos-aware service checks the ticket to verify the user's identity.

Data storage: Red Hat Directory Server

The directory service stores all Kerberos, user account, user group, system service, computer policy, DNS and other information.

Authentication: Red Hat Certificate System

Certificate System issues the certificates used by IdM hosts and services.

Server/client discovery: DNS

Domain Name Service (DNS): domain name resolution service.

Management: SSSD

System Security Services Daemon (SSSD): credential caching service.

Management: NTP

Network Time Protocol (NTP): network time synchronization protocol.

Figure 1.2. Server and Replica Interactions

Figure 1.3. Server and Client Interactions

Figure 1.4. Interactions between IdM Services

Part I. Installing the IdM server

Recommended hardware configuration:

    • 10,000 users and 100 user groups: at least 2GB of memory and 1GB of swap.
    • 100,000 users and 50,000 user groups: at least 16GB of memory and 4GB of swap.
Software requirements:

Package: ipa-server

If the IdM server is to provide an integrated DNS service, the bind and bind-dyndb-ldap packages must also be installed.

Check the machine name

The machine name must be a fully-qualified domain name (for example, server.example.com):

hostname server.example.com
Open the desired port

Table 2.1. IdM Ports

Service      Ports     Type
HTTP/HTTPS   80, 443   TCP
LDAP/LDAPS   389, 636  TCP
Kerberos     88, 464   TCP and UDP
DNS          53        TCP and UDP
NTP          123       UDP

First, the firewalld service must be running and enabled at boot:

[root@server ~]# systemctl enable firewalld.service

Check the firewalld service status:

[root@server ~]# systemctl status firewalld.service

Open the ports required by the IdM server (the ports listed in Table 2.1):

[root@server ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

Reload the firewall rules to make the configuration effective:

[root@server ~]# firewall-cmd --reload
Installing the IdM server

Install the packages:

[root@server ~]# yum install ipa-server bind bind-dyndb-ldap

Start the IdM server installation script:

[root@server ~]# ipa-server-install

The installation script will set up all the services required for the IDM domain:

    • The Network Time Daemon ( ntpd )
    • A Red Hat Directory Server Instance
    • A Kerberos Key Distribution Center (KDC)
    • An Apache HTTP server instance ( httpd )
    • An updated SELinux targeted policy
    • The Active Directory Winsync plug-in
    • Optional. A Certificate Authority (CA)
    • Optional. A Domain Name Service (DNS) server

Table 3.1. ipa-server-install parameters

Argument  Description
-a ipa_admin_password  The password for the IdM administrator. This is used for the admin user to authenticate to the Kerberos realm.
--hostname=hostname  The fully-qualified domain name of the IdM server machine.

IMPORTANT

The fully-qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
-n domain_name  The name of the LDAP server domain to use for the IdM domain. This is usually based on the IdM server's host name.
-p directory_manager_password  The password for the superuser, cn=Directory Manager, and for the LDAP service.
-P kerberos_master_password  The password for the KDC administrator. This is randomly generated if no value is given.
-r realm_name  The name of the Kerberos realm to create for the IdM domain.
--subject=subject_dn  Sets the base element for the subject DN of the issued certificates. This defaults to O=realm.
--forwarder=forwarder  Gives a DNS forwarder to use with the DNS service. To specify more than one forwarder, use this option multiple times.
--no-forwarders  Uses root servers with the DNS service instead of forwarders.
--no-reverse  Does not create a reverse DNS zone when the DNS domain is set up. (If a reverse DNS zone is already configured, then the existing reverse DNS zone is used.) If this option is not used, then the default value is true, which means that reverse DNS is configured by the installation script.
--setup-dns  Tells the installation script to set up a DNS service within the IdM domain. Using an integrated DNS service is optional, so if this option is not passed to the installation script then no DNS is configured.
--idmax=number, --idstart=number  Sets the range for IDs that can be assigned by the IdM server. See section 10.8.2, "ID Range Assignments During Installation", for more details.
--ip-address  Specifies the IP address of the server. When passed to ipa-server-install, this option accepts only IP addresses associated with a local interface.
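As an added example (not part of the Red Hat guide or of the IdM project itself), the following POSIX shell pre-flight script checks a host name against the naming rules in the IMPORTANT note above and builds the firewall-cmd line from the ports in Table 2.1, so it can be run on a server or client before ipa-server-install or ipa-client-install. The function names, the IDM_PORTS variable and the host names used in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: pre-flight checks for an IdM host.
# It encodes the host-name rules from the IMPORTANT note in Table 3.1 and the
# port list from Table 2.1. Function and variable names are this example's own.
export LC_ALL=C   # keep [a-z] a strict ASCII range regardless of locale

# IdM ports from Table 2.1, in firewall-cmd --add-port syntax.
IDM_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# Return 0 if $1 is an acceptable IdM server name: fully qualified (at least
# two labels), only lower-case letters, digits and hyphens, and no label that
# is empty or starts/ends with a hyphen (e.g. server.example.com passes).
idm_hostname_ok() {
    name=$1
    case "$name" in
        *.*) ;;                      # must contain a dot to be fully qualified
        *) return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9.-]*) return 1 ;;   # upper case, underscores, spaces ... rejected
    esac
    old_ifs=$IFS; IFS=.
    for label in $name; do           # check each DNS label separately
        case "$label" in
            ""|-*|*-) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Print the firewall-cmd line that opens every port from Table 2.1.
idm_firewall_cmd() {
    ports=$(printf '%s,' $IDM_PORTS)
    printf 'firewall-cmd --permanent --add-port={%s}\n' "${ports%,}"
}

# Live checks; only meaningful as root on the machine about to be installed.
idm_preflight() {
    host=$(hostname)
    idm_hostname_ok "$host" || { echo "host name '$host' violates the IdM naming rules"; return 1; }
    echo "host name OK: $host"
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld is not running"; return 1; }
        echo "currently open ports: $(firewall-cmd --list-ports)"
    fi
    echo "to open the IdM ports: $(idm_firewall_cmd) && firewall-cmd --reload"
}
```

Source the file and call idm_preflight on the target machine; idm_hostname_ok can also be used on its own to vet a name before setting it with hostname.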

Use the admin credentials to verify that Kerberos realm is available.

[[email protected] ~]# kinit admin

Non-interactive installation

    • -r sets the name of the Kerberos realm (realm names are conventionally written in upper case)
    • -p sets the Directory Manager (DM, the Directory Server superuser) password
    • -a sets the IdM server administrator password
    • -U runs an unattended installation
[root@server ~]# ipa-server-install -r EXAMPLE.COM -p dm_password -a admin_password -U
Installing IdM with an external CA

Generate a Certificate Signing Request (CSR) in /root/ipa.csr and submit it to the external CA:

[root@server ~]# ipa-server-install --external-ca

After retrieving the issued certificate and the CA certificate chain, run ipa-server-install again:

[root@server ~]# ipa-server-install --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem

Installing without a CA

[root@server ~]# ipa-server-install --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --dirsrv-cert-file /tmp/server.crt --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --ca-cert-file ca.crt

Installing a CA certificate manually

[root@server ~]# ipa-cacert-manage install /etc/group/cert.pem

Installing with an integrated DNS service interactively

[root@server ~]# ipa-server-install --setup-dns

Installing with an integrated DNS service non-interactively

--forwarder configures DNS forwarding

--no-reverse does not create a DNS reverse zone

[root@server ~]# ipa-server-install --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0 --no-reverse
Installing the IdM client

First, the firewalld service must be running and enabled at boot:

[root@client ~]# systemctl enable firewalld.service

Open the ports required by the IdM client (the ports listed in Table 2.1):

[root@client ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

Reload the firewall rules to make the configuration effective:

[root@client ~]# firewall-cmd --reload
Installing the IdM client packages

On a regular user machine:

[root@client ~]# yum install ipa-client

On an administrator machine, the IPA management tools (ipa-admintools) can be installed at the same time:

[root@client ~]# yum install ipa-client ipa-admintools

Parameters:

--no-nisdomain  do not set the NIS domain name

--nisdomain  a custom NIS domain name

--no-sudo  do not configure the sudo service

--enable-dns-updates  update the client's IP address in its DNS records

--domain  specifies the DNS domain name

--server  specifies the fully-qualified name of the IdM server

--realm  specifies the Kerberos realm name

-p  specifies the Kerberos principal name

--fixed-primary  specifies the preferred IdM server

--noac  do not use authconfig

--no-sss  do not use SSSD

--no-krb5-offline-passwords  do not let SSSD cache passwords

Example: update the client's IP address in its DNS records

[root@client ~]# ipa-client-install --enable-dns-updates
