.. _workshop:

Copyright 2015, 2016 Red Hat, Inc.

This work is licensed under the Creative Commons Attribution 4.0
International License. To view a copy of this license, visit
http://creativecommons.org/licenses/by/4.0/.

Introduction
============

FreeIPA_ is a centralised identity management system. In this
workshop you will learn how to deploy FreeIPA servers and enrol
client machines, define and manage user and service identities, set
up access policies, configure network services to take advantage of
FreeIPA's authentication and authorisation facilities and issue
X.509 certificates for services.

.. _FreeIPA: http://www.freeipa.org/page/Main_Page

.. _curriculum-overview:

Curriculum overview
-------------------

Mandatory:

- :ref:`Unit 1: Installing the FreeIPA server <1-server-install>`
- :ref:`Unit 2: Enrolling client machines <2-client-install>`
- :ref:`Unit 3: User management and Kerberos authentication <3-user-management>`
- :ref:`Unit 4: Host-based access control (HBAC) <4-hbac>`

Optional units—choose the topics that are relevant to you:

- :ref:`Unit 5: Web application authentication and authorisation <5-web-app-authnz>`
- :ref:`Unit 6: Service certificates <6-cert-management>`
- :ref:`Unit 7: Replica installation <7-replica-install>`
- :ref:`Unit 8: Sudo rule management <8-sudorule>`
- :ref:`Unit 9: SELinux User Maps <9-selinux-user-map>`
- :ref:`Unit 10: SSH user and host key management <10-ssh-key-management>`
- :ref:`Unit 11: Kerberos ticket policy <11-kerberos-ticket-policy>`
- :ref:`Unit 12: External IdP support <12-external-idp-support>`

Editing files on VMs
--------------------

Parts of the workshop involve editing files on virtual
machines. The ``vi`` and GNU ``nano`` editors are available on the
VMs. If you are not familiar with ``vi`` or you are unsure of what to use, you
should choose ``nano``.


Example commands
----------------

This guide contains many examples of commands. Some of the commands
should be executed on your host, others on a particular guest VM.
For clarity, commands are annotated with the host on which they are
meant to be executed, as in these examples::

  $ echo "Run it on virtualisation host (no annotation)"

  [server]$ echo "Run it on FreeIPA server"

  [client]$ echo "Run it on IPA-enrolled client"

  ...

Preparation
===========

Some preparation is needed prior to the workshop. The workshop is
designed to be carried out in a Vagrant_ environment that configures
three networked virtual machines (VMs) with all software needed for
the workshop. **The goal of this preparation** is to ``vagrant up``
the VMs. After this preparation is completed you are ready to begin
the workshop.

.. _Vagrant: https://www.vagrantup.com/

Requirements
------------

For the FreeIPA workshop you will need to:

- Install **Vagrant** and **VirtualBox**. (On Fedora, you can use **libvirt**
  instead of VirtualBox).
- Use Git to clone the repository containing the ``Vagrantfile``
- Fetch the Vagrant *box* for the workshop
- Add entries for the guest VMs to your hosts file (so you can
  access them by their hostname)

Please set up these items **prior to the workshop**. More detailed
instructions follow.

Install Vagrant and VirtualBox
------------------------------

Fedora
^^^^^^

If you intend to use the ``libvirt`` provider (recommended), install
``vagrant-libvirt`` and ``vagrant-libvirt-doc``::

  $ sudo dnf install -y vagrant-libvirt vagrant-libvirt-doc

Also ensure you have the latest versions of ``selinux-policy`` and
``selinux-policy-targeted``.

Allow your regular user ID to start and stop Vagrant boxes using ``libvirt``.
Add your user to the ``libvirt`` group so you don't need to enter your administrator
password every time::

  $ sudo gpasswd -a ${USER} libvirt
  $ newgrp libvirt

Finally restart the services::

  $ systemctl restart libvirtd

More information: https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-virtualization/

Otherwise, you will use VirtualBox and the ``virtualbox`` provider.
VirtualBox needs to build kernel modules, and that means that you must
first install kernel headers and Dynamic Kernel Module Support::

  $ sudo dnf install -y vagrant kernel-devel dkms

Next, install VirtualBox from the official VirtualBox package repository.
Before using the repo, check that its contents match what appears
in the transcript below (to make sure it wasn't tampered with)::

  $ sudo curl -o /etc/yum.repos.d/virtualbox.repo \
      http://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo

  $ cat /etc/yum.repos.d/virtualbox.repo
  [virtualbox]
  name=Fedora $releasever - $basearch - VirtualBox
  baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
  enabled=1
  gpgcheck=1
  repo_gpgcheck=1
  gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc

  $ sudo dnf install -y VirtualBox-6.1
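
The "compare against the transcript" check above can be scripted. The following is an added example, not part of the workshop or of the FreeIPA project: a POSIX shell function that verifies a downloaded ``virtualbox.repo`` still enables ``gpgcheck`` and ``repo_gpgcheck``, still fetches the key over HTTPS from the URL in the transcript, and carries no extra or duplicated keys. The sample files it checks are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA workshop: scripted form of the
# "does the repo file match the transcript?" check. A repo file that
# disables gpgcheck/repo_gpgcheck, swaps the gpgkey URL, or carries extra
# or duplicated keys is rejected before it is ever handed to dnf.

# Constructed copy of the repo contents shown in the workshop transcript.
expected_vbox_repo() {
    cat <<'EOF'
[virtualbox]
name=Fedora $releasever - $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc
EOF
}

# Return 0 if the file at $1 passes every check, 1 otherwise (reasons on stderr).
check_vbox_repo() {
    repo="$1"; rc=0
    [ -f "$repo" ] || { echo "$repo: no such file" >&2; return 1; }
    # Every security-relevant line must be present verbatim (-F: fixed string, -x: whole line).
    for want in '[virtualbox]' 'enabled=1' 'gpgcheck=1' 'repo_gpgcheck=1' \
        'gpgkey=https://www.virtualbox.org/download/oracle_vbox.asc' \
        'baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch'; do
        grep -qxF -- "$want" "$repo" || { echo "$repo: missing or altered: $want" >&2; rc=1; }
    done
    # Any non-blank line that is not one of the expected keys (a second
    # section, an unknown option) means the file is not the one transcribed.
    extra=$(grep -vE '^(\[virtualbox\]|name=|baseurl=|enabled=|gpgcheck=|repo_gpgcheck=|gpgkey=)' "$repo" \
        | grep -cv '^[[:space:]]*$' || true)
    [ "$extra" -eq 0 ] || { echo "$repo: $extra unexpected line(s)" >&2; rc=1; }
    # A repeated key (e.g. a second gpgkey= with a different URL) is ambiguous: reject it.
    dups=$(grep -oE '^[a-z_]+=' "$repo" | sort | uniq -d)
    [ -z "$dups" ] || { echo "$repo: duplicated key(s)" >&2; rc=1; }
    return $rc
}

# Demo on constructed files: the expected contents and a tampered copy.
demo_dir=$(mktemp -d)
expected_vbox_repo > "$demo_dir/good.repo"
sed 's/^gpgcheck=1$/gpgcheck=0/' "$demo_dir/good.repo" > "$demo_dir/tampered.repo"
check_vbox_repo "$demo_dir/good.repo" && echo "good.repo: matches transcript"
check_vbox_repo "$demo_dir/tampered.repo" || echo "tampered.repo: rejected"
```

Run it against the real file with ``check_vbox_repo /etc/yum.repos.d/virtualbox.repo`` before the ``dnf install`` step; a non-zero exit means the file differs from the transcript.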

Finally, load the kernel modules (you may need to restart your system for this to work)::

  $ sudo modprobe vboxdrv vboxnetadp

Mac OS X
^^^^^^^^

Install Vagrant for Mac OS X from
https://www.vagrantup.com/downloads.html.

Install VirtualBox 6.1 for **OS X hosts** from
https://www.virtualbox.org/wiki/Downloads.

Install Git from https://git-scm.com/download/mac or via your
preferred package manager.


Debian / Ubuntu
^^^^^^^^^^^^^^^

Install Vagrant, Git and VirtualBox::

  $ sudo apt-get install -y vagrant git
  $ sudo apt-get install -y virtualbox-6.1

If VirtualBox 6.1 was not available in the official packages for
your release, follow the instructions at
https://www.virtualbox.org/wiki/Linux_Downloads to install it.


Windows
^^^^^^^

Install Vagrant via the ``.msi`` available from
https://www.vagrantup.com/downloads.html.

Install VirtualBox for **Windows hosts** from
https://www.virtualbox.org/wiki/Downloads.

You will also need to install an SSH client, and Git. Git for
Windows also comes with an SSH client so just install Git from
https://git-scm.com/download/win.

Clone this repository
---------------------

This repository contains the ``Vagrantfile`` that is used for the
workshop, which you will need locally.

::

  $ git clone https://github.com/freeipa/freeipa.git
  $ cd freeipa/doc/workshop


Fetch Vagrant box
-----------------

Please fetch the Vagrant box prior to the workshop. It is > 700MB
so it may not be feasible to download it during the workshop.

::

  $ vagrant box add freeipa/freeipa-workshop

Add hosts file entries
----------------------

*This step is optional. All units can be completed using the CLI
only. But if you want to access the FreeIPA Web UI or other web
servers on the VMs from your browser, follow these instructions.*

Add the following entries to your hosts file::

  192.168.33.10 server.ipademo.local
  192.168.33.11 replica.ipademo.local
  192.168.33.20 client.ipademo.local

On Unix systems (including Mac OS X), the hosts file is ``/etc/hosts``
(you need elevated permissions to edit it).

On Windows, edit ``C:\Windows\System32\drivers\etc\hosts`` as
*Administrator*.

Next step
---------

You are ready to begin the workshop. Continue to
:ref:`Unit 1: Installing the FreeIPA server <1-server-install>`.

After the workshop
------------------

Here are some contact details and resources that may help you after
the workshop is over:

- IRC: ``#freeipa`` and ``#sssd`` (Libera.chat)

- ``freeipa-users@lists.fedorahosted.org`` `mailing list
  <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/>`_

- `How To guides <https://www.freeipa.org/page/HowTos>`_: large
  index of articles about specialised tasks and integrations

- `Troubleshooting guide
  <https://www.freeipa.org/page/Troubleshooting>`_: how to debug
  common problems; how to report bugs

- `Bug tracker <https://pagure.io/freeipa>`_

- Information about the `FreeIPA public demo
  <https://www.freeipa.org/page/Demo>`_ instance

- `Deployment Recommendations
  <https://www.freeipa.org/page/Deployment_Recommendations>`_:
  things to consider when going into production

- `Documentation index
  <https://www.freeipa.org/page/Documentation>`_

- `FreeIPA Planet <http://planet.freeipa.org/>`_: aggregate of
  several FreeIPA and identity-management related blogs

- `GitHub organisation <https://github.com/freeipa>`_. In addition
  to the `main repository <https://github.com/freeipa/freeipa>`_
  there are various tools, CI-related projects and documentation.

- `Development roadmap <https://www.freeipa.org/page/Roadmap>`_