Install and Configure FreeIPA Server on CentOS 8
FreeIPA is an open-source integrated identity and authentication solution for Linux and Unix-based systems. It provides centralized authentication by storing data about users, groups, hosts and other objects, and offers integrated identity management services for Linux, Mac and Windows. FreeIPA is built on 389 Directory Server, Kerberos, SSSD, Dogtag, NTP and DNS. It provides a web-based interface for managing the Linux users and clients in a realm from a central location.
This tutorial will show you how to install FreeIPA server on CentOS 8.
Prerequisites
- A server running CentOS 8.
- A root password set on the server.
Set the hostname
First, you need to set a fully qualified hostname on the system. You can set it with the following command:
hostnamectl set-hostname freeipa.mydomain10.com
Then edit the /etc/hosts file and add the server's IP address and hostname:
nano /etc/hosts
Add the following line:
45.58.43.185 freeipa.mydomain10.com
Save and close the file when you are done.
Install FreeIPA server
By default, the FreeIPA packages are not available in the standard CentOS repository, so you need to enable the idm:DL1 module stream on your system.
You can enable it with the following command:
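ipa-server-install rejects a hostname that is not fully qualified or that resolves to a loopback address, so it is worth checking the hostname and the /etc/hosts entry before starting the installer. The following pre-flight check is an added example, not code from the original tutorial; it assumes the FQDN and IP used on this page, and the hosts file it reads is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight check of the hostname/hosts setup above.

# check_ipa_hostname FQDN HOSTS_FILE
# Returns 0 and prints the mapped address when FQDN looks usable for ipa-server-install:
#   - it has at least two labels (a bare hostname is rejected by the installer)
#   - it is not localhost or a *.localdomain name
#   - HOSTS_FILE maps it to a non-loopback address
# Otherwise prints the reason on stderr and returns 1.
check_ipa_hostname() {
    fqdn=$1
    hosts_file=$2
    case "$fqdn" in
        *.*) ;;
        *) echo "not an FQDN: $fqdn" >&2; return 1 ;;
    esac
    case "$fqdn" in
        localhost|localhost.*|*.localdomain) echo "$fqdn is a loopback name" >&2; return 1 ;;
    esac
    # skip comment lines; the name may appear in any column after the address
    addr=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hosts_file")
    [ -n "$addr" ] || { echo "$fqdn not found in $hosts_file" >&2; return 1; }
    case "$addr" in
        127.*|::1) echo "$fqdn maps to loopback address $addr" >&2; return 1 ;;
    esac
    echo "$addr"
}

# Constructed sample hosts file mirroring the line the tutorial adds
sample_hosts=$(mktemp)
cat > "$sample_hosts" <<'EOF'
127.0.0.1     localhost localhost.localdomain
45.58.43.185  freeipa.mydomain10.com freeipa
EOF

# On the real server run: check_ipa_hostname "$(hostname -f)" /etc/hosts
check_ipa_hostname freeipa.mydomain10.com "$sample_hosts"
```

The script only reads the hosts file; it does not depend on DNS, which matches how the installer resolves the name before integrated DNS exists.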
dnf module enable idm:DL1
Then synchronize the repositories with the following command:
dnf distro-sync
Then run the following command to install FreeIPA server on your system:
dnf install ipa-server ipa-server-dns -y
Once the installation is complete, you can proceed to the next step.
Set up FreeIPA server
Next, you need to set up the FreeIPA server. You can do so with the following command:
ipa-server-install
You will be prompted to configure integrated DNS, as shown below:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.4

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:
Press Enter to keep the default [no]. You will then be prompted for the server's hostname:
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [freeipa.mydomain10.com]:
Press Enter to accept the default hostname. You will be asked to confirm the domain name, as shown below:
The domain name has been determined based on the host name.

Please confirm the domain name [mydomain10.com]:
Press Enter to accept the default domain name. You will be prompted to confirm the Kerberos realm and to set the Directory Manager password, as shown below:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MYDOMAIN10.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):
Enter your desired password and press Enter. You will be prompted to set the IPA admin password, as shown below:
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):
Enter your desired password and press Enter. You will be prompted to configure an NTP server, as shown below:
Do you want to configure chrony with NTP server or pool address? [no]:
Press Enter to keep the default. You should get the following output:
The IPA Master Server will be configured with:
Hostname:       freeipa.mydomain10.com
IP address(es): 45.58.43.185
Domain name:    mydomain10.com
Realm name:     MYDOMAIN10.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=MYDOMAIN10.COM
Subject base: O=MYDOMAIN10.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes
Type yes and press Enter to configure the system with the values above. Once setup is complete, you should see the following output:
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain10.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records._u0fzahd.db
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Once done, you can proceed to the next step.
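The interactive session above can be reproduced non-interactively, which is how the installer is normally run from automation. The script below is an added example, not from the original tutorial: it derives the domain and realm from the hostname exactly the way the installer's defaults do, enforces the 8-character minimum the installer states, and builds the unattended command line. It assumes this page's hostname and IP and that DM_PASSWORD and ADMIN_PASSWORD are exported in the environment before run_ipa_install is called.

```shell
#!/bin/sh
# Added example (not from the tutorial): unattended equivalent of the interactive answers above.
# Answering [no] to integrated DNS and to an NTP server/pool simply means omitting --setup-dns
# and --ntp-server/--ntp-pool, so no extra flags are needed for those two prompts.

# derive_domain FQDN -> everything after the first label; the default the installer proposes
derive_domain() {
    printf '%s\n' "${1#*.}"
}

# derive_realm FQDN -> the domain in upper case; the installer's default Kerberos realm
derive_realm() {
    derive_domain "$1" | tr '[:lower:]' '[:upper:]'
}

# password_ok PASSWORD -> true when at least 8 characters, the minimum the installer enforces
password_ok() {
    [ "${#1}" -ge 8 ]
}

# preview_ipa_install FQDN IP -> prints the command line with both secrets redacted, for review
preview_ipa_install() {
    printf 'ipa-server-install --unattended --hostname=%s --ip-address=%s --domain=%s --realm=%s --ds-password=<redacted> --admin-password=<redacted>\n' \
        "$1" "$2" "$(derive_domain "$1")" "$(derive_realm "$1")"
}

# run_ipa_install FQDN IP -> runs the installer; needs root and the two exported variables
run_ipa_install() {
    password_ok "${DM_PASSWORD:-}" && password_ok "${ADMIN_PASSWORD:-}" || {
        echo "DM_PASSWORD and ADMIN_PASSWORD must be set and at least 8 characters long" >&2
        return 1
    }
    ipa-server-install --unattended \
        --hostname="$1" --ip-address="$2" \
        --domain="$(derive_domain "$1")" --realm="$(derive_realm "$1")" \
        --ds-password="$DM_PASSWORD" --admin-password="$ADMIN_PASSWORD"
}

preview_ipa_install freeipa.mydomain10.com 45.58.43.185
# On the server: export DM_PASSWORD=... ADMIN_PASSWORD=...; run_ipa_install freeipa.mydomain10.com 45.58.43.185
```

Passwords passed on the command line are visible in the process list for as long as the installer runs, so on a shared host the interactive prompts in the tutorial are the safer choice; the unattended form is for hosts that are provisioned by a single automation user, and the variables should be unset once the installer has finished.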
Configure the firewall and SELinux
If a firewall is installed on your system, you need to allow the ports FreeIPA uses. You can allow them with the following command:
firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
Then reload firewalld to apply your changes:
firewall-cmd --reload
Next, you also need to put SELinux into permissive mode on your system. You can do so by editing the /etc/selinux/config file:
nano /etc/selinux/config
Find the following line:
SELINUX=enforcing
Replace it with the following line:
SELINUX=permissive
Save and close the file, then reboot the system to apply the change.
Access the FreeIPA web UI
Now open your web browser and access the FreeIPA web interface at the URL https://freeipa.mydomain10.com. You will be redirected to the FreeIPA login page, as shown below:
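After the reboot it is easy to lose track of whether the firewall rules were made permanent and what SELinux mode the config actually holds. The script below is an added check, not from the original tutorial: it compares a firewalld service listing against the six services the tutorial opens and reads the SELINUX= value from a config file. The listing and the config file it uses are constructed so it runs offline; on the server, feed it the real data as shown in the comments. Note that FreeIPA itself runs with SELinux enforcing on CentOS 8 (the installer sets the booleans it needs), so if you keep enforcing, the check simply reports that mode.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the firewall and SELinux steps above.
# On the server:
#   check_ipa_firewall_services "$(firewall-cmd --permanent --list-services)"
#   selinux_mode_from_config /etc/selinux/config

# The firewalld services the tutorial opens for FreeIPA
IPA_SERVICES="http https dns ntp freeipa-ldap freeipa-ldaps"

# check_ipa_firewall_services "LISTING"
# LISTING is the space-separated output of `firewall-cmd --permanent --list-services`.
# Returns 0 when every required service is present; otherwise prints the missing ones and returns 1.
check_ipa_firewall_services() {
    listing=" $1 "
    missing_svcs=""
    for svc in $IPA_SERVICES; do
        case "$listing" in
            *" $svc "*) ;;
            *) missing_svcs="$missing_svcs $svc" ;;
        esac
    done
    missing_svcs=${missing_svcs# }
    [ -z "$missing_svcs" ] && return 0
    echo "$missing_svcs"
    return 1
}

# selinux_mode_from_config FILE -> the value of the SELINUX= line (enforcing, permissive or disabled)
selinux_mode_from_config() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Constructed listing: CentOS 8 defaults plus only part of what the tutorial adds
constructed_listing="cockpit dhcpv6-client dns freeipa-ldap http https ssh"
if missing=$(check_ipa_firewall_services "$constructed_listing"); then
    echo "all FreeIPA services are permanent"
else
    echo "still to add: $missing"
fi

# Constructed config file holding the value the tutorial sets
constructed_config=$(mktemp)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$constructed_config"
echo "SELinux mode in config: $(selinux_mode_from_config "$constructed_config")"
```

The service check deliberately reads the permanent configuration rather than the runtime one, because a rule added without --permanent disappears on the reboot the tutorial asks for.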
[Image: CentOS Identity Management login page]
Enter the admin username and password and click the Log In button. The FreeIPA dashboard is shown on the next page.
FreeIPA CLI operations
FreeIPA also provides command-line tools to add new users, groups and service principals, and to delegate write access to specific attributes from one group to another.
Before using the CLI tools, you need to obtain a Kerberos ticket with the following command:
kinit admin
You will be prompted for the password, as shown below:
Password for [email protected]:
Enter the admin password and press Enter to obtain the Kerberos ticket.
Then run the following command to check the ticket's expiry date:
klist
You should get the following output:
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
2020-09-28T03:36:54  2020-09-29T03:36:50  krbtgt/[email protected]
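Scripts that drive the ipa tools need to know when the ticket obtained with kinit runs out. The functions below are an added example, not from the original tutorial: they pull the ticket-granting ticket's timestamps out of klist output and compute the lifetime and the time left. The klist text is constructed to match the page's output, with the principals written out for the MYDOMAIN10.COM realm, and GNU date is assumed (CentOS ships it).

```shell
#!/bin/sh
# Added example (not from the tutorial): read the TGT expiry from klist output.
# On the server: ticket_seconds_left "$(klist)"

# Constructed klist output in the page's format
klist_sample='Ticket cache: KCM:0
Default principal: admin@MYDOMAIN10.COM

Valid starting       Expires              Service principal
2020-09-28T03:36:54  2020-09-29T03:36:50  krbtgt/MYDOMAIN10.COM@MYDOMAIN10.COM'

# tgt_line "KLIST_OUTPUT" -> the line for the ticket-granting ticket (service principal krbtgt/...)
tgt_line() {
    printf '%s\n' "$1" | awk '$3 ~ /^krbtgt\// { print; exit }'
}

# ticket_expiry "KLIST_OUTPUT" -> the Expires timestamp of the TGT, in klist's ISO form
ticket_expiry() {
    tgt_line "$1" | awk '{ print $2 }'
}

# ticket_lifetime_seconds "KLIST_OUTPUT" -> seconds between Valid starting and Expires
# Both stamps are parsed in the same zone, so only their difference matters.
ticket_lifetime_seconds() {
    start=$(tgt_line "$1" | awk '{ print $1 }')
    end=$(ticket_expiry "$1")
    s=$(TZ=UTC date -d "$start" +%s)
    e=$(TZ=UTC date -d "$end" +%s)
    echo $((e - s))
}

# ticket_seconds_left "KLIST_OUTPUT" -> seconds until the TGT expires; negative once it has.
# klist prints local time, so the stamp is parsed in the local zone here.
ticket_seconds_left() {
    exp=$(ticket_expiry "$1")
    [ -n "$exp" ] || { echo "no krbtgt ticket in cache" >&2; return 1; }
    e=$(date -d "$exp" +%s)
    echo $((e - $(date +%s)))
}

# needs_renewal "KLIST_OUTPUT" THRESHOLD_SECONDS -> true when fewer than THRESHOLD seconds remain
needs_renewal() {
    [ "$(ticket_seconds_left "$1")" -lt "$2" ]
}

echo "TGT expires at: $(ticket_expiry "$klist_sample")"
echo "TGT lifetime:   $(ticket_lifetime_seconds "$klist_sample") seconds"
if needs_renewal "$klist_sample" 3600; then
    echo "less than an hour left (or already expired): run kinit admin again"
fi
```

For the sample ticket the lifetime works out to 86396 seconds, four seconds short of a day, which is why a long-running job should check the remaining time rather than assume 24 hours.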
Next, add a new user account with the following command:
ipa user-add user1 --first=hit --last=jethva [email protected] --password
You should get the following output:
Password:
Enter Password again to verify:
------------------
Added user "user1"
------------------
  User login: user1
  First name: hit
  Last name: jethva
  Full name: hit jethva
  Display name: hit jethva
  Initials: hj
  Home directory: /home/user1
  GECOS: hit jethva
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20200928073905Z
  Email address: [email protected]
  UID: 384600001
  GID: 384600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
You can also list all user accounts on the system with the following command:
ipa user-find
You should see the following output:
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 384600000
  GID: 384600000
  Account disabled: False

  User login: user1
  First name: hit
  Last name: jethva
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  Email address: [email protected]
  UID: 384600001
  GID: 384600001
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
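The ipa user-find output above is meant for people, but it is also the quickest way to audit which accounts exist and which are disabled before adding more. The functions below are an added example, not from the original tutorial; they parse that output format. The listing is constructed to match the page and adds a disabled account, user2 (with constructed UID/GID values), so the disabled branch is exercised.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit accounts from `ipa user-find` output.
# On the server: ipa_users_from_find "$(ipa user-find)"

# Constructed listing in the page's format
find_sample='----------------
3 users matched
----------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 384600000
  GID: 384600000
  Account disabled: False

  User login: user1
  First name: hit
  Last name: jethva
  Home directory: /home/user1
  Login shell: /bin/sh
  UID: 384600001
  GID: 384600001
  Account disabled: False

  User login: user2
  First name: example
  Last name: user
  Home directory: /home/user2
  Login shell: /bin/sh
  UID: 384600002
  GID: 384600002
  Account disabled: True
----------------------------
Number of entries returned 3
----------------------------'

# ipa_users_from_find "OUTPUT" -> one "login:disabled" line per user entry
ipa_users_from_find() {
    printf '%s\n' "$1" | awk '
        /^ *User login: /       { login = $3 }
        /^ *Account disabled: / { print login ":" $3 }
    '
}

# ipa_disabled_users "OUTPUT" -> logins whose account is disabled
ipa_disabled_users() {
    ipa_users_from_find "$1" | awk -F: '$2 == "True" { print $1 }'
}

# ipa_missing_users "OUTPUT" LOGIN... -> the logins from LOGIN... that do not exist yet
ipa_missing_users() {
    out=$1; shift
    present=$(ipa_users_from_find "$out" | cut -d: -f1)
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$want" || echo "$want"
    done
}

echo "accounts:"; ipa_users_from_find "$find_sample"
echo "disabled:  $(ipa_disabled_users "$find_sample")"
echo "to create: $(ipa_missing_users "$find_sample" admin user1 user3)"
```

Feeding the output of ipa_missing_users into a loop over ipa user-add makes account creation idempotent: re-running the script adds only the logins that are not there yet instead of failing on duplicates.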
Conclusion
Congratulations! FreeIPA server is now installed and configured on CentOS 8. You can now install the FreeIPA client and enroll it with the FreeIPA server for centralized authentication. Feel free to ask me if you have any questions.