add inter-module links

Fraser Tweedale 2018-06-07 17:51:36 +10:00 committed by Alexander Bokovoy
parent b6c50da059
commit 66ff3675c8
11 changed files with 101 additions and 21 deletions

@ -149,4 +149,9 @@ enrolling client machines, creating users, managing services, and
more! more!
To prepare for the next unit, exit the ``server`` SSH session (but To prepare for the next unit, exit the ``server`` SSH session (but
do not shut the VM down). do not shut the VM down). The next essential unit is
`Unit 2: Enrolling client machines <2-client-install.rst>`_.
Alternatively, if you would like to immediately install a replica
server (essential for production deployments), you can take a detour
to `Unit 7: Replica installation <7-replica-install.rst>`_.

@ -1,6 +1,10 @@
Unit 10: SSH user and host key management Unit 10: SSH user and host key management
========================================= =========================================
**Prerequisites**
- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_
In this module you will explore how to use FreeIPA as a backend In this module you will explore how to use FreeIPA as a backend
provider for SSH keys. Instead of distributing ``authorized_keys`` provider for SSH keys. Instead of distributing ``authorized_keys``
and ``known_hosts`` files, SSH keys are uploaded to their and ``known_hosts`` files, SSH keys are uploaded to their
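Review bot: The prerequisite list added at the top of Unit 10 names only Unit 9, but the closing text this commit adds to Unit 3 tells readers to "jump ahead to" Unit 10 directly. One of the two is wrong: either list the units Unit 10 actually depends on, or drop the shortcut from Unit 3. Also, ``**Prerequisites**`` has no trailing colon here while Units 8 and 9 use ``**Prerequisites**:``; pick one form.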
@ -125,3 +129,11 @@ keys to the FreeIPA server.
**Note:** OpenSSH has already been configured to look up known hosts **Note:** OpenSSH has already been configured to look up known hosts
on the FreeIPA server, so no manual configuration is required for on the FreeIPA server, so no manual configuration is required for
this section. this section.
Conclusion
----------
Congratulations! This was the final topic in the workshop.
If you skipped any units, you can reach them from the
`curriculum overview <workshop.rst#Curriculum_overview>`_.
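Review bot: The fragment in ``workshop.rst#Curriculum_overview``, used in the new Conclusion section and in every other unit that links back to the overview, is not the id docutils generates for that heading; docutils lowercases the title and joins words with hyphens, giving ``curriculum-overview``. Check that the link lands on the section in the renderer the workshop is read in, or define an explicit target in ``workshop.rst`` and link to that instead.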

@ -51,3 +51,6 @@ Users in your FreeIPA domain can now log into FreeIPA-enrolled
hosts, subject to *Host-based access control* (HBAC) rules. Users hosts, subject to *Host-based access control* (HBAC) rules. Users
logged onto the host can also acquire Kerberos tickets for accessing logged onto the host can also acquire Kerberos tickets for accessing
*services* in your domain. *services* in your domain.
You can now move on to
`Unit 3: User management and Kerberos authentication <3-user-management.rst>`_.

@ -120,3 +120,12 @@ is a true *single sign-on* protocol!
Valid starting Expires Service principal Valid starting Expires Service principal
06/04/2018 21:45:50 06/05/2018 21:38:24 host/client.ipademo.local@IPADEMO.LOCAL 06/04/2018 21:45:50 06/05/2018 21:38:24 host/client.ipademo.local@IPADEMO.LOCAL
06/04/2018 21:38:41 06/05/2018 21:38:24 krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL 06/04/2018 21:38:41 06/05/2018 21:38:24 krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL
Now that you have created some users, it's time to define some
access policies. Proceed to
`Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_.
Alternatively, if you are interested in SSH public key management
for users and hosts, jump ahead to
`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_.

@ -130,3 +130,12 @@ Then try ``alice``::
[server]$ ssh alice@client.ipademo.local [server]$ ssh alice@client.ipademo.local
Creating home directory for alice. Creating home directory for alice.
[alice@client]$ [alice@client]$
This was the final mandatory unit in the workshop. From here, there
are several optional units you can choose from. You can proceed
directly to
`Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_.
Otherwise,
`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
to see all the options.

@ -301,3 +301,8 @@ Restart Apache and try and perform the same ``curl`` request again
as ``alice``. Everything should work as before because ``alice`` is as ``alice``. Everything should work as before because ``alice`` is
a member of the ``sysadmin`` group. What happens when you are a member of the ``sysadmin`` group. What happens when you are
authenticated as ``bob`` instead? authenticated as ``bob`` instead?
This unit is now concluded. Now that you have mastered web app
authentication, you'll want to configure TLS for your site. Proceed
to
`Unit 6: Certificate management <6-cert-management.rst>`_.

@ -118,3 +118,10 @@ Restart Apache and make a request to the app over HTTPS::
REMOTE_PORT: 51876 REMOTE_PORT: 51876
You can now proceed to
`Unit 7: Replica installation <7-replica-install.rst>`_
or
`Unit 8: Sudo rule management <8-sudorule.rst>`_.
Otherwise,
`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
to see all the options.

@ -45,3 +45,10 @@ replication of data to the new Directory Server instance::
Update succeeded Update succeeded
After ``ipa-replica-install`` finishes, the replica is operational. After ``ipa-replica-install`` finishes, the replica is operational.
LDAP changes on any server will be replicated to all other servers.
You can proceed to
`Unit 8: Sudo rule management <8-sudorule.rst>`_
or
`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
to see all the available topics.
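Review bot: The closing links added at the end of Unit 7 lead only to Unit 8 or the overview, yet Unit 1 now offers Unit 7 as a detour before Unit 2, and Unit 8 lists Units 3 and 4 as prerequisites. A reader who took the detour is sent to a unit they cannot do yet; add a link back to Unit 2 for that path. Separately, "LDAP changes on any server will be replicated to all other servers." is a content change rather than an inter-module link, so mention it in the commit message or move it to its own commit.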

@ -1,6 +1,11 @@
Unit 8: Sudo rule management Unit 8: Sudo rule management
============================ ============================
**Prerequisites**:
- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
Sudo is a program that allows users to run programs as another user Sudo is a program that allows users to run programs as another user
with different privileges (possibly ``root``). Sudo rules provide with different privileges (possibly ``root``). Sudo rules provide
fine-grained control over who can execute which processes, as which fine-grained control over who can execute which processes, as which
@ -185,3 +190,7 @@ restart (or start) Apache, but not run other commands via ``sudo``::
[sudo] password for bob: [sudo] password for bob:
[bob@client]$ sudo id [bob@client]$ sudo id
Sorry, user bob is not allowed to execute '/bin/id' as root on client.ipademo.local. Sorry, user bob is not allowed to execute '/bin/id' as root on client.ipademo.local.
This concludes the unit. Now that you have Sudo rules working,
proceed to `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_.

@ -1,6 +1,12 @@
Unit 9: SELinux User Maps Unit 9: SELinux User Maps
========================= =========================
**Prerequisites**:
- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
- `Unit 8: Sudo rule management <8-sudorule.rst>`_
SELinux is a *mandatory access controls* mechanism for Linux, SELinux is a *mandatory access controls* mechanism for Linux,
providing more powerful and flexible access control than traditional providing more powerful and flexible access control than traditional
Unix permissions. Users have an SELinux *context* consisting of a Unix permissions. Users have an SELinux *context* consisting of a
@ -118,3 +124,10 @@ the program being run::
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.3# systemctl restart httpd sh-4.3# systemctl restart httpd
sh-4.3# sh-4.3#
This concludes the unit. You can now proceed to
`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_
or
`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
to see all the available topics.

@ -22,27 +22,21 @@ X.509 certificates for services.
Curriculum overview Curriculum overview
------------------- -------------------
- `Unit 1: Installing the FreeIPA server`_ Mandatory:
- `Unit 2: Enrolling client machines`_
- `Unit 3: User management and Kerberos authentication`_
- `Unit 4: Host-based access control (HBAC)`_
- `Unit 5: Web application authentication and authorisation`_
- `Unit 6: Certificate management`_
- `Unit 7: Replica installation`_
- `Unit 8: Sudo rule management`_
- `Unit 9: SELinux User Maps`_
- `Unit 10: SSH user and host key management`_
.. _Unit 1\: Installing the FreeIPA server: 1-server-install.rst - `Unit 1: Installing the FreeIPA server <1-server-install.rst>`_
.. _Unit 2\: Enrolling client machines: 2-client-install.rst - `Unit 2: Enrolling client machines <2-client-install.rst>`_
.. _Unit 3\: User management and Kerberos authentication: 3-user-management.rst - `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
.. _Unit 4\: Host-based access control (HBAC): 4-hbac.rst - `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
.. _Unit 5\: Web application authentication and authorisation: 5-web-app-authnz.rst
.. _Unit 6\: Certificate management: 6-cert-management.rst Optional units—choose the topics that are relevant to you:
.. _Unit 7\: Replica installation: 7-replica-install.rst
.. _Unit 8\: Sudo rule management: 8-sudorule.rst - `Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_
.. _Unit 9\: SELinux User Maps: 9-selinux-user-map.rst - `Unit 6: Certificate management <6-cert-management.rst>`_
.. _Unit 10\: SSH user and host key management: 10-ssh-key-management.rst - `Unit 7: Replica installation <7-replica-install.rst>`_
- `Unit 8: Sudo rule management <8-sudorule.rst>`_
- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_
- `Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_
Editing files on VMs Editing files on VMs
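Review bot: The "Optional units" list invites readers to pick freely among Units 5 to 10, but this commit gives Units 8, 9 and 10 prerequisite lists, with Unit 9 depending on Unit 8 and Unit 10 on Unit 9. Say in the overview that some optional units build on others, or annotate those entries. Unit 7 is also listed as optional here while the text added to Unit 1 calls a replica "essential for production deployments"; a short qualifier on the Unit 7 entry would reconcile the two.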
@ -256,3 +250,10 @@ On Unix systems (including Mac OS X), the hosts file is ``/etc/hosts``
On Windows, edit ``C:\Windows\System32\system\drivers\etc\hosts`` as On Windows, edit ``C:\Windows\System32\system\drivers\etc\hosts`` as
*Administrator*. *Administrator*.
Next step
---------
You are ready to begin the workshop. Continue to
`Unit 1: Installing the FreeIPA server <1-server-install.rst>`_.
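Review bot: The context line just above the new "Next step" section gives the Windows hosts file as ``C:\Windows\System32\system\drivers\etc\hosts``; the file lives at ``C:\Windows\System32\drivers\etc\hosts``, with no ``system`` component. Worth fixing in this commit, since the new link sends readers straight from these setup instructions into Unit 1.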