From 66ff3675c898daeffac6b675cceef0c0edc91b1a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 7 Jun 2018 17:51:36 +1000 Subject: [PATCH] add inter-module links --- 1-server-install.rst | 7 ++++++- 10-ssh-key-management.rst | 12 ++++++++++++ 2-client-install.rst | 3 +++ 3-user-management.rst | 9 +++++++++ 4-hbac.rst | 9 +++++++++ 5-web-app-authnz.rst | 5 +++++ 6-cert-management.rst | 7 +++++++ 7-replica-install.rst | 7 +++++++ 8-sudorule.rst | 9 +++++++++ 9-selinux-user-map.rst | 13 +++++++++++++ workshop.rst | 41 ++++++++++++++++++++------------------- 11 files changed, 101 insertions(+), 21 deletions(-) diff --git a/1-server-install.rst b/1-server-install.rst index 93af1e4cb..266704178 100644 --- a/1-server-install.rst +++ b/1-server-install.rst @@ -149,4 +149,9 @@ enrolling client machines, creating users, managing services, and more! To prepare for the next unit, exit the ``server`` SSH session (but -do not shut the VM down). +do not shut the VM down). The next essential unit is +`Unit 2: Enrolling client machines <2-client-install.rst>`_. + +Alternatively, if you would like to immediately install a replica +server (essential for production deployments), you can take a detour +to `Unit 7: Replica installation <7-replica-install.rst>`_. diff --git a/10-ssh-key-management.rst b/10-ssh-key-management.rst index 005820873..cf3fe2431 100644 --- a/10-ssh-key-management.rst +++ b/10-ssh-key-management.rst @@ -1,6 +1,10 @@ Unit 10: SSH user and host key management ========================================= +**Prerequisites** + +- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_ + In this module you will explore how to use FreeIPA as a backend provider for SSH keys. Instead of distributing ``authorized_keys`` and ``known_hosts`` files, SSH keys are uploaded to their 
@@ -125,3 +129,11 @@ keys to the FreeIPA server. **Note:** OpenSSH has already been configured to look up known hosts on the FreeIPA server, so no manual configuration is required for this section. + + +Conclusion +---------- + +Congratulations! This was the final topic in the workshop. +If you skipped any units, you can reach them from the +`curriculum overview `_. diff --git a/2-client-install.rst b/2-client-install.rst index 5e682b0dc..f0b97ba45 100644 --- a/2-client-install.rst +++ b/2-client-install.rst @@ -51,3 +51,6 @@ Users in your FreeIPA domain can now log into FreeIPA-enrolled hosts, subject to *Host-based access control* (HBAC) rules. Users logged onto the host can also acquire Kerberos tickets for accessing *services* in your domain. + +You can now move on to +`Unit 3: User management and Kerberos authentication <3-user-management.rst>`_. diff --git a/3-user-management.rst b/3-user-management.rst index 4022bd97f..50a455145 100644 --- a/3-user-management.rst +++ b/3-user-management.rst @@ -120,3 +120,12 @@ is a true *single sign-on* protocol! Valid starting Expires Service principal 06/04/2018 21:45:50 06/05/2018 21:38:24 host/client.ipademo.local@IPADEMO.LOCAL 06/04/2018 21:38:41 06/05/2018 21:38:24 krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL + + +Now that you have created some users, it's time to define some +access policies. Proceed to +`Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_. + +Alternatively, if you are interested in SSH public key management +for users and hosts, jump ahead to +`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_. diff --git a/4-hbac.rst b/4-hbac.rst index 2a451d003..27ecb4577 100644 --- a/4-hbac.rst +++ b/4-hbac.rst 
@@ -130,3 +130,12 @@ Then try ``alice``:: [server]$ ssh alice@client.ipademo.local Creating home directory for alice. [alice@client]$ + + +This was the final mandatory unit in the workshop. From here, there +are several optional units you can choose from. You can proceed +directly to +`Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_. +Otherwise, +`return to the curriculum overview `_ +to see all the options. diff --git a/5-web-app-authnz.rst b/5-web-app-authnz.rst index ebbe1eb0b..535d01376 100644 --- a/5-web-app-authnz.rst +++ b/5-web-app-authnz.rst @@ -301,3 +301,8 @@ Restart Apache and try and perform the same ``curl`` request again as ``alice``. Everything should work as before because ``alice`` is a member of the ``sysadmin`` group. What happens when you are authenticated as ``bob`` instead? + +This unit is now concluded. Now that you have mastered web app +authentication, you'll want to configure TLS for your site. Proceed +to +`Unit 6: Certificate management <6-cert-management.rst>`_. diff --git a/6-cert-management.rst b/6-cert-management.rst index 76d0a960b..3a22d0a64 100644 --- a/6-cert-management.rst +++ b/6-cert-management.rst @@ -118,3 +118,10 @@ Restart Apache and make a request to the app over HTTPS:: REMOTE_PORT: 51876 +You can now proceed to +`Unit 7: Replica installation <7-replica-install.rst>`_ +or +`Unit 8: Sudo rule management <8-sudorule.rst>`_. +Otherwise, +`return to the curriculum overview `_ +to see all the options. diff --git a/7-replica-install.rst b/7-replica-install.rst index f04df3349..5a2fedd5e 100644 --- a/7-replica-install.rst +++ b/7-replica-install.rst 
@@ -45,3 +45,10 @@ replication of data to the new Directory Server instance:: Update succeeded After ``ipa-replica-install`` finishes, the replica is operational. +LDAP changes on any server will be replicated to all other servers. + +You can proceed to +`Unit 8: Sudo rule management <8-sudorule.rst>`_ +or +`return to the curriculum overview `_ +to see all the available topics. diff --git a/8-sudorule.rst b/8-sudorule.rst index edd8f0612..06e76cfaf 100644 --- a/8-sudorule.rst +++ b/8-sudorule.rst @@ -1,6 +1,11 @@ Unit 8: Sudo rule management ============================ +**Prerequisites**: + +- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_ +- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_ + Sudo is a program that allows users to run programs as another user with different privileges (possibly ``root``). Sudo rules provide fine-grained control over who can execute which processes, as which @@ -185,3 +190,7 @@ restart (or start) Apache, but not run other commands via ``sudo``:: [sudo] password for bob: [bob@client]$ sudo id Sorry, user bob is not allowed to execute '/bin/id' as root on client.ipademo.local. + + +This concludes the unit. Now that you have Sudo rules working, +proceed to `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_. diff --git a/9-selinux-user-map.rst b/9-selinux-user-map.rst index 7d6dabbab..ef3e2b14f 100644 --- a/9-selinux-user-map.rst +++ b/9-selinux-user-map.rst @@ -1,6 +1,12 @@ Unit 9: SELinux User Maps ========================= +**Prerequisites**: + +- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_ +- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_ +- `Unit 8: Sudo rule management <8-sudorule.rst>`_ + SELinux is a *mandatory access controls* mechanism for Linux, providing more powerful and flexible access control than traditional Unix permissions. Users have an SELinux *context* consisting of a 
@@ -118,3 +124,10 @@ the program being run:: staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 sh-4.3# systemctl restart httpd sh-4.3# + + +This concludes the unit. You can now proceed to +`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_ +or +`return to the curriculum overview `_ +to see all the available topics. diff --git a/workshop.rst b/workshop.rst index 8d0587b33..df5c2ab27 100644 --- a/workshop.rst +++ b/workshop.rst 
@@ -22,27 +22,21 @@ X.509 certificates for services. Curriculum overview ------------------- -- `Unit 1: Installing the FreeIPA server`_ -- `Unit 2: Enrolling client machines`_ -- `Unit 3: User management and Kerberos authentication`_ -- `Unit 4: Host-based access control (HBAC)`_ -- `Unit 5: Web application authentication and authorisation`_ -- `Unit 6: Certificate management`_ -- `Unit 7: Replica installation`_ -- `Unit 8: Sudo rule management`_ -- `Unit 9: SELinux User Maps`_ -- `Unit 10: SSH user and host key management`_ +Mandatory: -.. _Unit 1\: Installing the FreeIPA server: 1-server-install.rst -.. _Unit 2\: Enrolling client machines: 2-client-install.rst -.. _Unit 3\: User management and Kerberos authentication: 3-user-management.rst -.. _Unit 4\: Host-based access control (HBAC): 4-hbac.rst -.. _Unit 5\: Web application authentication and authorisation: 5-web-app-authnz.rst -.. _Unit 6\: Certificate management: 6-cert-management.rst -.. _Unit 7\: Replica installation: 7-replica-install.rst -.. _Unit 8\: Sudo rule management: 8-sudorule.rst -.. _Unit 9\: SELinux User Maps: 9-selinux-user-map.rst -.. _Unit 10\: SSH user and host key management: 10-ssh-key-management.rst +- `Unit 1: Installing the FreeIPA server <1-server-install.rst>`_ +- `Unit 2: Enrolling client machines <2-client-install.rst>`_ +- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_ +- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_ + +Optional units—choose the topics that are relevant to you: + +- `Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_ +- `Unit 6: Certificate management <6-cert-management.rst>`_ +- `Unit 7: Replica installation <7-replica-install.rst>`_ +- `Unit 8: Sudo rule management <8-sudorule.rst>`_ +- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_ +- `Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_ Editing files on VMs 
@@ -256,3 +250,10 @@ On Unix systems (including Mac OS X), the hosts file is ``/etc/hosts`` On Windows, edit ``C:\Windows\System32\system\drivers\etc\hosts`` as *Administrator*. + + +Next step +--------- + +You are ready to begin the workshop. Continue to +`Unit 1: Installing the FreeIPA server <1-server-install.rst>`_.
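Review bot: the detour to Unit 7 offered in the 1-server-install.rst hunk has no return path. The closing text added to 7-replica-install.rst only points onward to Unit 8 or the overview, so a reader who takes the detour straight after the server install never comes back to "the next essential unit" (Unit 2) and is sent into Unit 8, whose new prerequisite list requires Units 3 and 4. Suggest appending "then return to Unit 2" to the detour sentence, or having the Unit 7 closing text say "if you came here from Unit 1, return to `Unit 2: Enrolling client machines <2-client-install.rst>`_".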
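Review bot: the "jump ahead to Unit 10" suggestion added at the end of 3-user-management.rst contradicts the prerequisite list this same patch adds to 10-ssh-key-management.rst, which names Unit 9 (and Unit 9's own list in turn names Units 3, 4 and 8). Either drop the shortcut, or relax Unit 10's prerequisites to what the SSH unit actually needs (the visible context suggests only enrolled hosts and users, i.e. Units 2 and 3).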
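Review bot: the prerequisite heading added to 10-ssh-key-management.rst is written `**Prerequisites**` while the same heading in the 8-sudorule.rst and 9-selinux-user-map.rst hunks is `**Prerequisites**:`; pick one form (the colon-less one reads better as a heading) and use it in all three files.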
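Review bot: the link `curriculum overview `_ added in the Conclusion of 10-ssh-key-management.rst has no embedded target, and the same link recurs in the 4-hbac.rst, 6-cert-management.rst, 7-replica-install.rst and 9-selinux-user-map.rst hunks. Without a `<...>` target, reStructuredText treats this as a reference to a named target "curriculum overview", which none of these files defines, so docutils will fail with an unknown-target error on every one of these pages. If the intended destination is workshop.rst (the file carrying the "Curriculum overview" section in this patch), write it the same way as the other links here: `curriculum overview <workshop.rst>`_.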
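Review bot: 6-cert-management.rst gets navigation text but no `**Prerequisites**` block, although its context line "Restart Apache and make a request to the app over HTTPS" depends on the web application set up in Unit 5, and Unit 6 is listed as optional in workshop.rst. For consistency with the 8-, 9- and 10- hunks, add a prerequisite list naming `Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_ so readers arriving from the overview do not start the unit without the app in place.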
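Review bot: the new sentence "LDAP changes on any server will be replicated to all other servers" in 7-replica-install.rst states the multi-master behaviour as if it were immediate; replication is asynchronous, so a change made on one server is visible on the others only after propagation. Suggest "will be replicated (asynchronously) to all other servers" to avoid surprising readers who check the replica right after a change.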
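Review bot: the workshop.rst hunk removes the ten `.. _Unit N\: ...:` named hyperlink targets in favour of inline `<file.rst>` targets. Any remaining `` `Unit N: ...`_ `` reference elsewhere in workshop.rst (outside this hunk) or in other files that relied on those names will now be an unknown target; the per-unit files touched by this patch all use inline targets, so only untouched references need checking before merge.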