freeipa/doc/workshop/3-user-management.rst

132 lines
4.6 KiB
ReStructuredText
Raw Normal View History

2018-06-07 02:05:50 -05:00
Unit 3: User management and Kerberos authentication
=====================================================
This unit introduces the ``ipa`` CLI program and the web
interface. We will perform some simple administrative tasks: adding
groups and users and managing group membership.
Web UI
------
Visit ``https://server.ipademo.local/``. You'll get a TLS
*untrusted issuer* warning which you can dismiss (by adding a temporary
exception). Log in as ``admin``.
Welcome to the FreeIPA Web UI. Most management activities can be
performed here, or via the ``ipa`` CLI program. Use the Web UI to
perform the following actions:
1. Add a *User* with the username ``alice``.
2. Add a *User Group* for system administrators named ``sysadmin``.
3. Add ``alice`` to the ``sysadmin`` group.
CLI
---
Make sure you have a Kerberos ticket for ``admin`` (reminder:
``kinit admin``).
Most FreeIPA administrative actions can be carried out using the
2018-06-07 02:05:50 -05:00
``ipa`` CLI program. Let's see what commands are available::
[server]% ipa help commands
automember-add Add an automember rule.
automember-add-condition Add conditions to an automember rule.
automember-default-group-remove Remove default (fallback) group for all unmatched entries.
automember-default-group-set Set default (fallback) group for all unmatched entries.
automember-default-group-show Display information about the default (fallback) automember groups.
...
Whoa! There are nearly 400 commands! We'll be using only a handful
of these today. Note that command completion is enabled in the
shell, so you can type a partial command and press ``<TAB>`` a
couple of times to see what commands are available, e.g. all the
commands starting with ``cert-``::
[server]$ ipa cert-<TAB>
cert-find cert-request cert-show
cert-remove-hold cert-revoke cert-status
2018-06-11 00:04:28 -05:00
You'll notice that commands are grouped by *topic*, or the kind of
2018-06-11 00:42:39 -05:00
object they act upon. Run ``ipa help topics`` to list all topics.
You can read a general overview of a topic by running ``ipa help
<topic>``, and specific information on a particular command by
running ``ipa help <command>``.
2018-06-07 02:05:50 -05:00
2018-06-11 00:04:28 -05:00
Add a user named ``bob`` from the CLI. Use the CLI help to find the
right command (**hint**: the ``user`` plugin provides the command).
2018-06-07 02:05:50 -05:00
User authentication
-------------------
We have seen how to authenticate as ``admin``. The process is the
same for regular users - just ``kinit <username>``!
Try to authenticate as ``bob``::
[server]$ kinit bob
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
If you did *not* encounter this error, congratulations - you must be
a disciplined reader of documentation! To set an initial password
when creating a user via the ``ipa user-add`` command you must
supply the ``--password`` flag (the command will prompt for the
password).
Use the ``ipa passwd`` command to (re)set a user's password::
[server]$ ipa passwd bob
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "bob@IPADEMO.LOCAL"
----------------------------------------
Whenever a user has their password reset (including the first time
it is set), the next ``kinit`` will prompt them to enter a new
password::
[server]$ kinit bob
Password for bob@IPADEMO.LOCAL:
Password expired. You must change it now.
Enter new password:
Enter it again:
Now ``bob`` has a TGT (run ``klist`` to confirm) which he can use to
authenticate himself to other hosts and services. Try logging into
``client.ipademo.local``::
[server]$ ssh bob@client.ipademo.local
Creating home directory for bob.
[bob@client]$
You are now logged into the client as ``bob``. Type ``^D`` or
``exit`` to log out and return to the ``server`` shell. If you run
``klist`` again, you will see not only the TGT but a *service ticket*
that was automatically acquired to log in to
``client.ipademo.local`` without prompting for a password. Kerberos
is a true *single sign-on* protocol!
::
[server]$ klist
Ticket cache: KEYRING:persistent:1000:1000
2018-06-11 00:04:28 -05:00
Default principal: bob@IPADEMO.LOCAL
2018-06-07 02:05:50 -05:00
Valid starting Expires Service principal
06/04/2018 21:45:50 06/05/2018 21:38:24 host/client.ipademo.local@IPADEMO.LOCAL
06/04/2018 21:38:41 06/05/2018 21:38:24 krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL
2018-06-07 02:51:36 -05:00
Now that you have created some users, it's time to define some
access policies. Proceed to
`Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_.
Alternatively, if you are interested in SSH public key management
for users and hosts, jump ahead to
`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_.