More FreeIPA Updates

2024-07-07 04:43:00 -05:00 · 2024-01-07 15:05:11 -06:00 · 2024-01-07 15:05:11 -06:00 · b349e884d2
commit b349e884d2
parent 43d24d39cb
1 changed files with 0 additions and 90 deletions
--- a/freeipa.md
+++ b/freeipa.md
@ -1,90 +0,0 @@
-https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index
-https://youtu.be/xzfHRJNjqDI
-https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
-# FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
-systemd-resolve --status enp1s0
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
-dnf install freeipa-server freeipa-server-dns nfs-utils
-ipa-server-install --mkhomedir
-
-Setup complete: Next steps:
-        1. You must make sure these network ports are open:
-                TCP Ports:
-                  * 80, 443: HTTP/HTTPS
-                  * 389, 636: LDAP/LDAPS
-                  * 88, 464: kerberos
-                  * 53: bind
-                  * 7389: Dogtag Certificate System - LDAP
-                UDP Ports:
-                  * 88, 464: kerberos
-                  * 53: bind
-                  * 123: ntp
-        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
-           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
-           and the web user interface.
-Be sure to back up the CA certificates stored in /root/cacert.p12
-These files are required to create replicas. The password for these
-files is the Directory Manager password
-The ipa-server-install command was successful
-
-reboot
-fips-mode-setup --enable
-reboot
-fips-mode-setup --check
-update-crypto-policies --show
-
-kinit admin
-klist
-
-# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
-
-__________________________________________________________
-
-# Setup for client:
-sudo yum -y install freeipa-client ipa-admintools
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
-ipa-client-install --mkhomedir --force-ntpd
-ipa sudorule-add --cmdcat=all All
-
-# To check sudo rules:
-ipa sudorule-find All
-
-ipa sudorule-add ANY \
-    --hostcat=all \
-    --cmdcat=all \
-    --runasusercat=all \
-    --runasgroupcat=all
-
-ipa sudorule-add-user ANY \
-    --users=user --groups=group
-
-ipa sudorule-add-option ANY \
-    --sudooption='!authenticate'
-
-
-User2 rob0: I *think* freeipa has a named DLZ module that pulls records straight from LDAP
-User2 not 100% sure (I know Samba does exactly that for AD-hosted zones, however)
-User3 Does it work with IXFR queries, do you know? And I suppose UPDATE queries make the change in the LDAP backend?
-User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries for self-registration
-User2 usually with GSS-TSIG
-
-2. Join the server to the domain.
-
-// Join server to domain
-sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli
-sudo realm join -U Administrator internal.domain.com -u Administrator
-// Type in domain admin password to authenticate.
-// Tweak SSSD
-vi /etc/sssd/sssd.conf
-fallback_homedir = /home/%u
-use_fully_qualified_names = False
-
-3. Install needed packages.
-
-// Install needed packages
-sudo dnf update
-sudo dnf install git gcc
-// Allow weak crypto
-update-crypto-policies --set DEFAULT:SHA1