FreeIPA Deployment Steps

Posted by bluesky blog on December 14, 2016

1. Introduction to FreeIPA

FreeIPA is open-source software released by Red Hat: an integrated security information management solution. Its main features:

  • Integrates several services (389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD) and simplifies their installation and configuration
  • Provides both a web UI and command-line management tools
  • Multi-master replication, scalable and highly available
  • Rich interfaces: CLI, Web UI, XML-RPC, JSON-RPC API, Python SDK

Architecture diagram:

Glossary

  • MIT KDC: the core of IPA authentication
  • 389 Directory Server: the LDAP (Lightweight Directory Access Protocol) directory server
  • Dogtag Certificate System: a certificate system that provides a strong security framework for verifying user identities and keeping communications confidential
  • SSSD: a daemon introduced in Red Hat Enterprise Linux 6 that can talk to several kinds of authentication servers (LDAP, Kerberos, etc.) and provides authorization. SSSD sits between local users and the data store: local clients first connect to SSSD, and SSSD then contacts the external resource provider (a remote server)

Pre-installation checks

  • Synchronize the clock with NTP
  • Disable the firewall, or open the following ports: TCP (80, 443, 389, 636, 88, 464), UDP (88, 464, 123)
  • Configure the hosts file with the fully qualified hostname (e.g. 192.168.1.1 freeipa1.douyu.com freeipa1)
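A preflight script for the three checks above, added here as an example (it is not part of the original post). It verifies that the hostname is fully qualified and has a matching /etc/hosts entry, compares the ntpdate -q offset against the Kerberos clock-skew tolerance, and prints the iptables rules for the listed ports; NTP_SERVER and the iptables command form are assumptions for a RHEL 6 style host.

```shell
#!/bin/bash
# Pre-installation check for a FreeIPA host (added example, not from the original
# post): FQDN with a matching /etc/hosts entry, clock within the 300 s Kerberos
# tolerance, and the port list for the firewall.
# NTP_SERVER is an assumed value; override it for your environment.
NTP_SERVER=${NTP_SERVER:-pool.ntp.org}
TCP_PORTS="80 443 389 636 88 464"
UDP_PORTS="88 464 123"

# is_fqdn NAME: at least one label, a dot, and another label.
is_fqdn() {
    case "$1" in
        *?.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# hosts_has_entry HOSTS_CONTENT NAME: true if a non-comment line maps NAME.
hosts_has_entry() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }'
}

# clock_ok OFFSET_SECONDS: MIT Kerberos rejects requests with more than 300 s of skew.
clock_ok() {
    awk -v o="$1" 'BEGIN { o += 0; if (o < 0) o = -o; exit (o < 300) ? 0 : 1 }'
}

# firewall_rules: iptables commands that open the ports listed above.
firewall_rules() {
    local p
    for p in $TCP_PORTS; do echo "iptables -I INPUT -p tcp --dport $p -j ACCEPT"; done
    for p in $UDP_PORTS; do echo "iptables -I INPUT -p udp --dport $p -j ACCEPT"; done
}

# Run the live checks with: bash preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    host=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not fully qualified"; exit 1; }
    hosts_has_entry "$(cat /etc/hosts)" "$host" || { echo "FAIL: no /etc/hosts entry for $host"; exit 1; }
    command -v ntpdate >/dev/null || { echo "FAIL: ntpdate not installed, cannot verify the clock"; exit 1; }
    # ntpdate -q reports "... offset <seconds> ..."; take the field after the word "offset"
    offset=$(ntpdate -q "$NTP_SERVER" 2>/dev/null | awk '{ for (i = 1; i < NF; i++) if ($i == "offset") o = $(i + 1) } END { gsub(/,/, "", o); print o + 0 }')
    clock_ok "$offset" || { echo "FAIL: clock offset ${offset}s exceeds the Kerberos tolerance"; exit 1; }
    echo "OK: hostname and clock checks passed; if the firewall is enabled, open the ports with:"
    firewall_rules
fi
```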

2. FreeIPA Server Installation

Installing FreeIPA is straightforward. First install the package:

yum -y install ipa-server

Once the package is installed, run the installer:

ipa-server-install

The installation proceeds as follows:

The log file for this installation can be found in /var/log/ipaserver-install.log
================================================================
This program will set up the IPA Server.
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master1.douyu.com.
Server host name [master1.douyu.com]:		# press Enter to confirm

The domain name has been determined based on the host name.
Please confirm the domain name [master1.douyu]:	# press Enter to confirm

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [master1.douyu]: # press Enter to confirm

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:douyu123	# set the Directory Manager password
Password (confirm):redn.net
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:redn.net	# set the IPA admin password
Password (confirm):redn.net
The IPA Master Server will be configured with:
Hostname:      master1.douyu.com
IP address:    172.24.30.100
Domain name:   example.com
Realm name:    EXAMPLE.COM
Continue to configure the system with these values? [no]:yes	# enter yes to confirm the configuration
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

…………………………# wait for the installation to finish
Sample zone file for bind has been created in /tmp/sample.zone.Jd9cwk.db
Restarting the web server
==============================================================
Setup complete
Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp
        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

After the installation completes, open a browser and go to https://<FreeIPA Server ip>/ to reach the web management interface.

3. FreeIPA Client Installation

Install the package

yum -y install ipa-client

Run the installer

ipa-client-install

The installation proceeds as follows

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): douyu.com # enter the IPA server's domain name
DNS discovery failed to find the IPA Server

Provide your IPA server name (ex: ipa.example.com): master.douyu.com # enter the IPA server's host name
The failure to use DNS to find your IPA server indicates that your
resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operation and will not fail over to
other servers in case of failure.

Proceed with fixed values and no DNS discovery? [no]: yes # enter yes to confirm
Hostname: slave.douyu.com
Realm: DOUYU.COM
DNS Domain: douyu.com
IPA Server: master.douyu.com
BaseDN: dc=douyu,dc=com

Continue to configure the system with these values? [no]: yes # enter yes to confirm
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

Password for admin@DOUYU.COM:xxxxx # enter the IPA admin password
Enrolled in IPA realm DOUYU.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
NTP enabled
Client configuration complete.

4. FreeIPA Replica (Hot Standby) Configuration

The documentation recommends two to three replicas per data center, and no more than four replication agreements per replica:

Generally it is recommended to have at least 2-3 replicas in each datacenter. There should be at least one replica in each datacenter with additional FreeIPA services like PKI or DNS if used. Note that it is not recommended to have more than 4 replication agreements per replica

First run the following commands on the existing IPA server:

kinit admin
ipa-replica-prepare ipa2.xxx.com

Copy the generated replica information file to the standby server:

scp /var/lib/ipa/replica-info-ipa2.douyu.com.gpg root@ipa2.douyu.com:/root

On the standby host, run:

yum install -y ipa-server bind-dyndb-ldap
ipa-replica-install replica-info-ipa2.douyu.com.gpg --skip-conncheck

After the installation completes, run

ipa-replica-manage list

The list now shows two masters; the standby server is configured.

Finally, update the client configuration: edit /etc/krb5.conf and add the standby server's entries:

[realms]
  # Realm names are case-sensitive; use the uppercase realm reported by ipa-client-install.
  # krb5.conf has no inline comments, so the annotations sit on their own lines.
  DOUYU.COM = {
    # primary server
    kdc = ipa.douyu.com:88
    # added: standby server
    kdc = ipa2.douyu.com:88
    master_kdc = ipa.douyu.com:88
    # added
    master_kdc = ipa2.douyu.com:88
    admin_server = ipa.douyu.com:749
    # added
    admin_server = ipa2.douyu.com:749
    default_domain = douyu.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

After the edit, test whether the standby works:

  • Stop the IPA services on the ipa1 server
  • On a client, run kinit and check that a ticket can still be obtained
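Before stopping ipa1, the krb5.conf edit can be verified on the client with the following check script, added here as an example (not part of the original post). It parses the realm block, rejects kdc values that carry a trailing comment (krb5.conf has no inline comments, so such text becomes part of the KDC address), requires at least two KDCs, and probes TCP port 88 on each; it assumes the `REALM = {` layout that ipa-client-install writes and a bash with /dev/tcp support.

```shell
#!/bin/bash
# Failover readiness check for a client's krb5.conf (added example, not from the
# original post): list the KDCs of a realm, flag malformed values, probe port 88.
# realm_kdcs CONF REALM: print each kdc value in REALM's [realms] block.
realm_kdcs() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /\[realms\]/); next }
        in_realms && $1 == realm && $2 == "=" { in_block = 1; next }
        in_block && /}/ { in_block = 0 }
        in_block && /^[[:space:]]*kdc[[:space:]]*=/ {
            sub(/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*/, ""); print
        }'
}
# kdc_value_ok VALUE: must be a bare host[:port] with nothing appended.
kdc_value_ok() {
    case "$1" in
        ''|*[[:space:]]*|*'#'*|*';'*) return 1 ;;
        *) return 0 ;;
    esac
}
# kdc_reachable HOST[:PORT]: TCP connect to the KDC, default port 88.
kdc_reachable() {
    local host=${1%%:*} port=${1##*:}
    [ "$port" != "$1" ] || port=88
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}
# check_failover CONF REALM: succeed when at least two well-formed KDCs are listed.
check_failover() {
    local n=0 bad=0 k
    while IFS= read -r k; do
        [ -n "$k" ] || continue
        n=$((n + 1))
        kdc_value_ok "$k" || { echo "bad kdc value '$k' (inline comment?)"; bad=1; }
    done <<EOF
$(realm_kdcs "$1" "$2")
EOF
    [ "$n" -ge 2 ] || { echo "only $n KDC(s) listed for $2, no failover possible"; return 1; }
    [ "$bad" -eq 0 ]
}
# Live check on a client: bash kdc-check.sh DOUYU.COM
if [ -n "${1:-}" ]; then
    conf=$(cat /etc/krb5.conf)
    check_failover "$conf" "$1" || exit 1
    for k in $(realm_kdcs "$conf" "$1"); do
        kdc_reachable "$k" && echo "up:   $k" || echo "down: $k"
    done
fi
```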

5. Uninstalling FreeIPA

Run the following commands to uninstall:

ipa-server-install -U --uninstall # uninstall the server
ipa-client-install -U --uninstall # uninstall the client


# remove leftover files so that a reinstall does not fail
cd /var/lib/ipa/
rm -f ca*
rm -f *.txt
rm -f sysrestore/*

cd /var/lib/dirsrv/
rm -rf scripts*

cd /var/run/dirsrv/
rm -rf slapd*

cd  /etc/ipa
rm -f ca.crt

cd /var/log/dirsrv
rm -rf slapd*

rm -rf /var/lib/pki* /var/log/pki* /etc/init.d/pki*
rm -rf /usr/share/pki /usr/share/tomcat5 /var/lib/tomcat5/

# remove the packages
yum erase -y `rpmquery -a | grep freeipa` `rpmquery -a | grep ^pki-` `rpmquery -a | grep tomcat6`  `rpmquery -a | grep httpd` 389-ds-base bind

6. Miscellaneous

Error when running ipa-client-install:

LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

Fix: run rm -f /etc/ipa/ca.crt, then rerun the installer.

Log locations

If an error occurs during installation, check the corresponding log for the message:

Checking IdM Server Logs: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/server-config.html#logging

Importing local system users into FreeIPA

#!/bin/bash
# Import local accounts with UIDs 500-999 into FreeIPA.
# Run "kinit admin" first so that "ipa user-add" has a ticket.
# Read /etc/passwd field by field, so GECOS values containing spaces are not split.
while IFS=: read -r user _pw uid _gid gecos _rest; do
   [ "$uid" -ge 500 ] && [ "$uid" -le 999 ] || continue
   # first and last name come from the GECOS field; fall back to the user name
   first=$(echo "$gecos" | awk '{print $1}')
   last=$(echo "$gecos" | awk '{print $2}')
   [ -n "$first" ] || first=$user
   [ -n "$last" ] || last=$user
   # --password reads the initial password from stdin (here the user name);
   # FreeIPA marks it expired, so the user must change it at first login
   echo "$user" | ipa user-add "$user" --first="$first" --last="$last" --password
done < /etc/passwd

Automatically creating home directories for new users

Edit the client's PAM configuration:

vi /etc/pam.d/system-auth
# add if you need ( create home directory automatically if it's none )
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

# oddjobd is only required by pam_oddjob_mkhomedir.so (the module ipa-client-install --mkhomedir configures);
# pam_mkhomedir.so as used above creates the directory itself
service oddjobd start # start the service