mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
minor editorial improvements
This commit is contained in:
committed by
Alexander Bokovoy
parent
77eea67705
commit
0f7a460fea
48
workshop.rst
@@ -61,7 +61,10 @@ Preparation
|
|||||||
===========
|
===========
|
||||||
|
|
||||||
Some preparation is needed prior to the workshop. The workshop is
|
Some preparation is needed prior to the workshop. The workshop is
|
||||||
designed to be carried out in a Vagrant_ environment that consists of
|
designed to be carried out in a Vagrant_ environment that configures
|
||||||
|
three virtual machines with all software network configuration ready
|
||||||
|
for the workshop.
|
||||||
|
|
||||||
several VMs. **The goal of the preparation** is to be able to
|
several VMs. **The goal of the preparation** is to be able to
|
||||||
successfully ``vagrant up`` the VMs as the first step of the
|
successfully ``vagrant up`` the VMs as the first step of the
|
||||||
workshop.
|
workshop.
|
||||||
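Review bot: the rewording leaves a fragment behind. The added sentence ends with "for the workshop." and is followed by a blank line, but the unchanged context line still begins "several VMs. **The goal of the preparation** is to be able to", so the rendered text starts a paragraph mid-sentence with "several VMs." That line needs "several VMs. " removed (and the blank line dropped if the goal sentence is meant to stay in the same paragraph) so it reads "**The goal of the preparation** is to be able to successfully ``vagrant up`` the VMs ...". Separately, "with all software network configuration ready" wants a conjunction: "with all software and network configuration ready".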
@@ -286,8 +289,8 @@ On ``server``, start the FreeIPA server installation program::
|
|||||||
|
|
||||||
[server]$ sudo ipa-server-install --no-host-dns --mkhomedir
|
[server]$ sudo ipa-server-install --no-host-dns --mkhomedir
|
||||||
|
|
||||||
The ``--no-host-dns`` argument is needed because there is no DNS PTR
|
The ``--no-host-dns`` argument is needed because there are no reverse
|
||||||
resolution for the Vagrant environment. For production deployment,
|
DNS records for the Vagrant environment. For production deployment,
|
||||||
this important sanity check should not be skipped. The ``--mkhomedir``
|
this important sanity check should not be skipped. The ``--mkhomedir``
|
||||||
flag configure PAM to create missing home directories when users log
|
flag configure PAM to create missing home directories when users log
|
||||||
into the host for the first time. FreeIPA supports automount so
|
into the host for the first time. FreeIPA supports automount so
|
||||||
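Review bot: while this paragraph is being reworded, fix the subject-verb mismatch on the unchanged context line "flag configure PAM to create missing home directories": it should be "flag configures PAM". The "no reverse DNS records" wording is clearer than "there is no DNS PTR resolution", though keeping "PTR" in parentheses would help readers who know the record type by that name, and the sentence that follows already makes the right point that the check should not be skipped in production.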
@@ -395,6 +398,8 @@ The FreeIPA server is now set up and you are ready to begin
|
|||||||
enrolling client machines, creating users, managing services, and
|
enrolling client machines, creating users, managing services, and
|
||||||
more!
|
more!
|
||||||
|
|
||||||
|
To prepare for the next unit, exit the ``server`` SSH session (but
|
||||||
|
do not shut the VM down).
|
||||||
|
|
||||||
|
|
||||||
Unit 2: Enrolling client machines
|
Unit 2: Enrolling client machines
|
||||||
@@ -466,18 +471,20 @@ Visit ``https://server.ipademo.local/``. You'll get a TLS
|
|||||||
*untrusted issuer* warning which you can dismiss (by adding a temporary
|
*untrusted issuer* warning which you can dismiss (by adding a temporary
|
||||||
exception). Log in as ``admin``.
|
exception). Log in as ``admin``.
|
||||||
|
|
||||||
Welcome to the FreeIPA web UI. Most management activities can be
|
Welcome to the FreeIPA Web UI. Most management activities can be
|
||||||
performed here, or via the ``ipa`` CLI program. See if you can work
|
performed here, or via the ``ipa`` CLI program. Use the Web UI to
|
||||||
out how to add a *User Group* (let's call it ``sysadmin``) and a
|
perform the following actions:
|
||||||
*User* (give her the username ``alice``). Make ``alice`` a member
|
|
||||||
of the ``sysadmin`` group.
|
1. Add a *User* with the username ``alice``.
|
||||||
|
2. Add a *User Group* for system administrators named ``sysadmin``.
|
||||||
|
3. Add ``alice`` to the ``sysadmin`` group.
|
||||||
|
|
||||||
|
|
||||||
CLI
|
CLI
|
||||||
---
|
---
|
||||||
|
|
||||||
On ``server``, make sure you have a Kerberos ticket for ``admin``
|
Make sure you have a Kerberos ticket for ``admin`` (reminder:
|
||||||
(reminder: ``kinit admin``).
|
``kinit admin``).
|
||||||
|
|
||||||
Most FreeIPA adminstrative actions can be carried out using the
|
Most FreeIPA adminstrative actions can be carried out using the
|
||||||
``ipa`` CLI program. Let's see what commands are available::
|
``ipa`` CLI program. Let's see what commands are available::
|
||||||
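Review bot: dropping "On ``server``," from the start of the CLI paragraph removes the only statement in this section of which host the ``ipa`` commands are run on; the Web UI steps just above are done from a browser, so the reader needs the cue. Keep it: "On ``server``, make sure you have a Kerberos ticket for ``admin`` (reminder: ``kinit admin``)." The unchanged context line "Most FreeIPA adminstrative actions" also has a typo: "administrative". The numbered list for the Web UI tasks is an improvement over the prose it replaces.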
@@ -496,7 +503,7 @@ shell, so you can type a partial command and press ``<TAB>`` a
|
|||||||
couple of times to see what commands are available, e.g. all the
|
couple of times to see what commands are available, e.g. all the
|
||||||
commands starting with ``cert-``::
|
commands starting with ``cert-``::
|
||||||
|
|
||||||
[client]$ ipa cert-
|
[server]$ ipa cert-<TAB>
|
||||||
cert-find cert-request cert-show
|
cert-find cert-request cert-show
|
||||||
cert-remove-hold cert-revoke cert-status
|
cert-remove-hold cert-revoke cert-status
|
||||||
|
|
||||||
@@ -506,7 +513,7 @@ general overview of a plugin by running ``ipa help <plugin>``, and
|
|||||||
specific information on a particular command by running ``ipa help
|
specific information on a particular command by running ``ipa help
|
||||||
<command>``.
|
<command>``.
|
||||||
|
|
||||||
Let's add the user *bob* from the CLI. See if you can work out how
|
Add a user named ``bob`` from the CLI. See if you can work out how
|
||||||
to do this using the CLI help commands. (**hint**: the ``user``
|
to do this using the CLI help commands. (**hint**: the ``user``
|
||||||
plugin provides the command).
|
plugin provides the command).
|
||||||
|
|
||||||
@@ -548,8 +555,8 @@ password::
|
|||||||
Enter it again:
|
Enter it again:
|
||||||
|
|
||||||
|
|
||||||
Now ``bob`` has a TGT (run ``klist`` to confirm) which hi can use to
|
Now ``bob`` has a TGT (run ``klist`` to confirm) which he can use to
|
||||||
log in to other hosts and services. Try logging into
|
authenticate himself to other hosts and services. Try logging into
|
||||||
``client.ipademo.local``::
|
``client.ipademo.local``::
|
||||||
|
|
||||||
[server]$ ssh bob@client.ipademo.local
|
[server]$ ssh bob@client.ipademo.local
|
||||||
@@ -581,7 +588,7 @@ Unit 4: Host-based access control (HBAC)
|
|||||||
FreeIPA's *host-based access control* (HBAC) feature allows you to
|
FreeIPA's *host-based access control* (HBAC) feature allows you to
|
||||||
define policies that restrict access to hosts or services based on
|
define policies that restrict access to hosts or services based on
|
||||||
the user attempting to log in and that user's groups, the host that
|
the user attempting to log in and that user's groups, the host that
|
||||||
they are trying to access (or its *host groups*), and (optionally)
|
they are trying to access (or its *Host Groups*), and (optionally)
|
||||||
the service being accessed.
|
the service being accessed.
|
||||||
|
|
||||||
In this unit, we will define an HBAC policy that restricts
|
In this unit, we will define an HBAC policy that restricts
|
||||||
@@ -593,12 +600,11 @@ Adding a host group
|
|||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
Instead of defining the HBAC rule to directly talk about
|
Instead of defining the HBAC rule to directly talk about
|
||||||
``client.ipademo.local``, create a *host group* called
|
``client.ipademo.local``, create a *Host Group* named ``webservers``
|
||||||
``webservers`` and make ``client.ipademo.local`` a member.
|
and add ``client.ipademo.local`` to it. You can do this via the Web
|
||||||
|
UI or the ``ipa`` CLI program (don't forget to ``kinit admin``; see
|
||||||
Explore the Web UI to work out how to do this, or use the CLI (you
|
if you can work out what plugin provides the host group
|
||||||
will need to ``kinit admin``; see if you can work out what plugin
|
functionality).
|
||||||
provides the host group functionality).
|
|
||||||
|
|
||||||
**Hint:** if you use the CLI will need to run two commands - one to
|
**Hint:** if you use the CLI will need to run two commands - one to
|
||||||
create the host group, and one to add ``client.ipademo.local`` as a
|
create the host group, and one to add ``client.ipademo.local`` as a
|
||||||