updates for FreeIPA 4.3

Fraser Tweedale 2016-09-01 17:35:58 +10:00 committed by Alexander Bokovoy
parent 2f9c9c8757
commit 6548929189
2 changed files with 52 additions and 100 deletions

ipa.sh

@ -4,6 +4,7 @@ sudo systemctl enable haveged
sudo sh -c "echo 'PS1=\"[\u@\h]\\\\$ \"' >> /etc/profile" sudo sh -c "echo 'PS1=\"[\u@\h]\\\\$ \"' >> /etc/profile"
sudo sh -c "echo 'PS1=\"[\h]\\\\$ \"' >> /etc/bashrc" sudo sh -c "echo 'PS1=\"[\h]\\\\$ \"' >> /etc/bashrc"
sudo sh -c "echo '192.168.33.10 server.ipademo.local' >> /etc/hosts" sudo sh -c "echo '192.168.33.10 server.ipademo.local' >> /etc/hosts"
sudo sh -c "echo '192.168.33.11 replica.ipademo.local' >> /etc/hosts"
sudo sh -c "echo '192.168.33.20 client.ipademo.local' >> /etc/hosts" sudo sh -c "echo '192.168.33.20 client.ipademo.local' >> /etc/hosts"
sudo rm -f /etc/httpd/conf.d/welcome.conf sudo rm -f /etc/httpd/conf.d/welcome.conf
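Review bot: the new replica entry in this hunk is appended to /etc/hosts with `>>` exactly like the two host lines around it, so re-running ipa.sh against an existing VM duplicates all three entries (and the two PS1 appends above them); guard each append with a lookup, e.g. `grep -q 'replica.ipademo.local' /etc/hosts || sudo sh -c "echo '192.168.33.11 replica.ipademo.local' >> /etc/hosts"`, so the provisioning script stays idempotent.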


@ -336,14 +336,14 @@ forget during the workshop!
Password (confirm): Password (confirm):
Do not configure a DNS forwarder (it is likely that you will want to configure Do not configure a DNS forwarder (you will want to configure a DNS
a DNS forwarder for a real-world deployment but it is not needed today) and forwarder for a real-world deployment but it is not needed for this
accept the defaults for configuring the reverse zone:: workshop) and accept the defaults for configuring the reverse zone::
Checking DNS domain ipademo.local., please wait ...
Do you want to configure DNS forwarders? [yes]: no Do you want to configure DNS forwarders? [yes]: no
Do you want to configure the reverse zone? [yes]: No DNS forwarders configured
Please specify the reverse zone name [33.168.192.in-addr.arpa.]: Do you want to search for missing reverse zones? [yes]:
Using reverse zone(s) 33.168.192.in-addr.arpa.
Next, you will be presented with a summary of the server Next, you will be presented with a summary of the server
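Review bot: the sample transcript in this hunk now stops at `Do you want to search for missing reverse zones? [yes]:` without showing the answer or what the search finds, while the prose above it tells the reader to "accept the defaults for configuring the reverse zone"; show the remaining prompt(s) up to the point where the installer reports its reverse-zone decision, so the reader can tell whether accepting the default creates 33.168.192.in-addr.arpa. or leaves the domain without a reverse zone.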
@ -357,8 +357,9 @@ server installation::
Realm name: IPADEMO.LOCAL Realm name: IPADEMO.LOCAL
BIND DNS server will be configured to serve IPA domain with: BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders Forwarders: No forwarders
Reverse zone(s): 33.168.192.in-addr.arpa. Forward policy: only
Reverse zone(s): No reverse zone
Continue to configure the system with these values? [no]: yes Continue to configure the system with these values? [no]: yes
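Review bot: the summary now reads `Reverse zone(s): No reverse zone`, which does not obviously follow from accepting the defaults at the reverse-zone prompts in the previous hunk; if answering the default at the missing-reverse-zone search yields no reverse zone, say so in the prose, otherwise this summary looks like it came from a different run than the prompts. `Forward policy: only` next to `Forwarders: No forwarders` also deserves one sentence, since the workshop deliberately skips forwarders and readers will wonder whether the server can still resolve names outside ipademo.local.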
@ -416,7 +417,7 @@ proceed::
[client]$ sudo ipa-client-install [client]$ sudo ipa-client-install
Discovery was successful! Discovery was successful!
Hostname: client.ipademo.local Client hostname: client.ipademo.local
Realm: IPADEMO.LOCAL Realm: IPADEMO.LOCAL
DNS Domain: ipademo.local DNS Domain: ipademo.local
IPA Server: server.ipademo.local IPA Server: server.ipademo.local
@ -424,13 +425,10 @@ proceed::
Continue to configure the system with these values? [no]: yes Continue to configure the system with these values? [no]: yes
You might see a warning about time synchronisation, which for this
workshop can be ignored. Next you will be be prompted to enter
credentials of a user authorised to enrol hosts (``admin``)::
The client machine's clock will be synchronised to the server's (the
Kerberos protocol requires this). You will then be prompted to
enter credentials of a user authorised to enrol hosts (``admin``)::
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin User authorized to enroll computers: admin
Password for admin@IPADEMO.LOCAL: Password for admin@IPADEMO.LOCAL:
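Review bot: the rewritten paragraph drops the old guidance about the time-synchronisation warning, but the new sample output `Attempting to sync time using ntpd. Will timeout after 15 seconds` shows that the sync can time out; keep a sentence saying what happens if it does (whether enrolment continues and what the reader should check), and soften "the Kerberos protocol requires this" to note that Kerberos tolerates a bounded clock skew (five minutes by default) rather than requiring an exact match, so a timeout is not automatically fatal.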
@ -482,17 +480,25 @@ Most FreeIPA adminstrative actions can be carried out using the
automember-default-group-show Display information about the default (fallback) automember groups. automember-default-group-show Display information about the default (fallback) automember groups.
... ...
Whoa! There's almost 300 of them! We'll be using only a handful of Whoa! There are nearly 400 commands! We'll be using only a handful
these today. of these today. Note that command completion is enabled in the
shell, so you can type a partial command and press ``<TAB>`` a
couple of times to see what commands are available, e.g. all the
commands starting with ``cert-``::
You'll notice that commands are grouped by *plugin*. You can get a [client]$ ipa cert-
cert-find cert-request cert-show
cert-remove-hold cert-revoke cert-status
You'll notice that commands are grouped by *plugin*. You can read a
general overview of a plugin by running ``ipa help <plugin>``, and general overview of a plugin by running ``ipa help <plugin>``, and
specific information on a particular command by running ``ipa help specific information on a particular command by running ``ipa help
<command>``. <command>``.
Let's add the user *bob* from the CLI. See if you can work out how Let's add the user *bob* from the CLI. See if you can work out how
to do this using the CLI help commands. (**hint**: the plugin name to do this using the CLI help commands. (**hint**: the ``user``
is ``user``). plugin provides the command).
User authentication User authentication
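Review bot: the new tab-completion paragraph states that "command completion is enabled in the shell", but nothing in this diff (including the ipa.sh provisioning changes) installs or sources a completion for `ipa`; confirm that the Vagrant image ships bash completion for it, or rephrase to "if bash completion is available". Minor: "nearly 400 commands" replaces "almost 300" with no way for the reader to check either figure; pointing them at `ipa help commands | wc -l` gives them the count from their own installation.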
@ -521,8 +527,9 @@ Use the ``ipa passwd`` command to (re)set a user's password::
Changed password for "bob@IPADEMO.LOCAL" Changed password for "bob@IPADEMO.LOCAL"
---------------------------------------- ----------------------------------------
Whenever a user has their password reset (including the first time), Whenever a user has their password reset (including the first time
the next ``kinit`` will prompt them to enter a new password:: it is set), the next ``kinit`` will prompt them to enter a new
password::
[server]$ kinit bob [server]$ kinit bob
Password for bob@IPADEMO.LOCAL: Password for bob@IPADEMO.LOCAL:
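Review bot: the clarified sentence about the forced password change on the next `kinit` would be stronger with the reason behind it: a password set by an administrator through `ipa passwd` is expired immediately, so the administrator never holds a credential the user will keep using. One sentence here turns a surprising prompt into an explicit security property of the workflow.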
@ -531,11 +538,12 @@ the next ``kinit`` will prompt them to enter a new password::
Enter it again: Enter it again:
Now ``bob`` has a TGT (run ``klist`` to confirm) which can use to Now ``bob`` has a TGT (run ``klist`` to confirm) which hi can use to
log in to other hosts and services. Try logging into log in to other hosts and services. Try logging into
``client.ipademo.local``:: ``client.ipademo.local``::
[server]$ ssh bob@client.ipademo.local [server]$ ssh bob@client.ipademo.local
Creating home directory for bob.
[bob@client]$ [bob@client]$
You are now logged into the client as ``bob``. Type ``^D`` or You are now logged into the client as ``bob``. Type ``^D`` or
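Review bot: typo in the new text on the "Now ``bob`` has a TGT" line: "which hi can use to" should read "which he can use to" (or keep the old "which can be used to"). The added `Creating home directory for bob.` line in the ssh transcript implies home directories are created automatically on the client; if that depends on an enrolment option not shown in Module 2, say where it comes from so readers whose login fails at that step know what to look for.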
@ -604,8 +612,7 @@ List the existing HBAC rules::
User category: all User category: all
Host category: all Host category: all
Service category: all Service category: all
Description: Allow all users to access any host from any Description: Allow all users to access any host from any host
host
Enabled: TRUE Enabled: TRUE
---------------------------- ----------------------------
Number of entries returned 1 Number of entries returned 1
@ -682,15 +689,15 @@ the ``sysadmin`` group. What about ``alice``?
[server]$ kinit bob [server]$ kinit bob
Password for bob@IPADEMO.LOCAL: Password for bob@IPADEMO.LOCAL:
[server]$ ssh bob@client.ipademo.local [server]$ ssh bob@client.ipademo.local
Connection closed by UNKNOWN packet_write_wait: Connection to UNKNOWN port 0: Broken pipe
Then try ``alice``:: Then try ``alice``::
[server]$ kinit alice [server]$ kinit alice
Password for alice@IPADEMO.LOCAL: Password for alice@IPADEMO.LOCAL:
[server]$ ssh alice@client.ipademo.local [server]$ ssh alice@client.ipademo.local
Last login: Fri Oct 16 01:09:10 2015 from 192.168.33.10 Creating home directory for alice.
-sh-4.3$ [alice@client]$
Module 5: Web application authentication and authorisation Module 5: Web application authentication and authorisation
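Review bot: the denied-login example for ``bob`` now shows `packet_write_wait: Connection to UNKNOWN port 0: Broken pipe`, a transport-level error whose wording depends on the OpenSSH version and says nothing about policy; tell readers that the reliable place to confirm the HBAC denial is the client's logs (the sshd and pam entries in /var/log/secure and the sssd domain log under /var/log/sssd/), otherwise they may read this output as a network fault rather than an access-control decision.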
@ -1138,87 +1145,31 @@ Module 7: Replica installation
FreeIPA is designed to be run in a replicated multi-master FreeIPA is designed to be run in a replicated multi-master
environment. In this module, we will deploy a single FreeIPA environment. In this module, we will deploy a single FreeIPA
replica. For production deployments, see replica. For recommended production topologies, see
http://www.freeipa.org/page/Deployment_Recommendations#Replicas. http://www.freeipa.org/page/Deployment_Recommendations#Replicas.
If you have disabled the ``allow_all`` HBAC rule, add a new rule If you have disabled the ``allow_all`` HBAC rule, add a new rule
that will **allow ``admin`` to access the ``sshd`` service on any that will **allow ``admin`` to access the ``sshd`` service on any
host**. host**.
To prepare to add a replica, execute the ``ipa-replica-prepare(1)`` As of FreeIPA 4.3, replica installation is accomplished by
command. Because FreeIPA manages DNS for our domain, we need to use *promoting* an enrolled client machine to a server.
the ``--ip-address`` option.
SSH to the ``replica`` VM and enrol it per `Module 2: Enrolling
client machines`_.
Now promote the client to server. We will set up the replica
*without* CA or DNS, but in a production deployment there should be
at least one instance of these services in each datacentre. These
components can be added later via ``ipa-ca-install(1)`` and
``ipa-dns-install(1)``.
:: ::
[server]$ sudo ipa-replica-prepare \ [replica]$ sudo ipa-replica-install
--ip-address 192.168.33.11 replica.ipademo.local Password for admin@IPADEMO.LOCAL:
Directory Manager (existing master) password:
Preparing replica for replica.ipademo.local from server.ipademo.local
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-replica.ipademo.local.gpg
Adding DNS records for replica.ipademo.local
The ipa-replica-prepare command was successful
The *replica file* is now available at
``/var/lib/ipa/replica-info-replica.ipademo.local.gpg`` and must be
copied to the ``replica`` VM::
% vagrant ssh server -- \
"sudo cat /var/lib/ipa/replica-info-replica.ipademo.local.gpg" \
| vagrant ssh replica -- "cat > replica.gpg"
We will set up a replica *without* CA or DNS, but in a production
deployment there should be at least one instance of these services
in each datacentre. See the ``ipa-replica-install(1)`` man page for
details.
SSH to the ``replica`` VM and install the replica::
% vagrant ssh replica
[replica]$ sudo ipa-replica-install --mkhomedir replica.gpg
Directory Manager (existing master) password:
Run connection check to master Run connection check to master
Check connection from replica to remote master 'server.ipademo.local':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@IPADEMO.LOCAL password:
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'replica.ipademo.local':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
Connection check OK Connection check OK
Configuring NTP daemon (ntpd) Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd [1/4]: stopping ntpd
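Review bot: the promotion-based flow introduced at the top of this hunk only works at domain level 1, and nothing tells the reader to check it; add `ipa domainlevel-get` on the server (expected output 1) as a prerequisite before `ipa-replica-install`, since on a level-0 domain the command still expects a replica file. Also, the abbreviated output removes the `Check SSH connection to remote master` step while the unchanged paragraph above still requires an HBAC rule allowing ``admin`` to reach ``sshd`` on any host; either keep that output line so the reason for the rule stays visible, or drop the prerequisite if promotion no longer performs that check.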
@ -1229,9 +1180,9 @@ The rest of the replica installation process is almost identical to
server installation. One important difference is the initial server installation. One important difference is the initial
replication of data to the new Directory Server instance:: replication of data to the new Directory Server instance::
[24/38]: setting up initial replication [28/43]: setting up initial replication
Starting replication, please wait until this has completed. Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed Update in progress, 7 seconds elapsed
Update succeeded Update succeeded
After ``ipa-replica-install`` finishes, the replica is operational. After ``ipa-replica-install`` finishes, the replica is operational.