FreeIPA Server

• Versão avaliada: Fedora 42 / LXC

• Requerimentos:

  • Serviço NTP configurado e funcionando.

  •  1536MB memória / 512MB swap.

• Abaixo a configuração do recurso LXC.

Ajustando o Date Time do Servidor

• Quando usado com LXC foi necessário ajustar os parâmetros que seguem:

• Ajustar o datetime do servidor.

# timedatectl

# timedatectl set-timezone "America/Sao_Paulo"

# timedatectl set-ntp yes

Nota: Configurar o serviço Chrony para disponibilizar o serviço NTP.

Configurar Rede (LXC não requer os passos abaixo)

• Configure a interface de rede /etc/NetworkManager/system-connections/ens19.nmconnection

....

[ipv4]

address1=192.168.10.151/24,192.168.10.1

dns=192.168.10.1;

method=manual

....

• Config /etc/hostname

# hostnamectl set-hostname hl151.local.domain

Nota: Obrigatório ser "lower-case", é necessário estar em letras minúsculas para aceitar no processo de configuração do FreeIPA.

• Config /etc/hosts

# echo "192.168.10.151   hl151.local.domain   hl151" >> /etc/hosts

• Config /etc/hosts

# reboot

Dependência

• Adicionar os pacotes a instalação

$ sudo dnf install openssh-server vim firewalld

Install FreeIPA

• Atualize todo o SO e pacotes:

$ sudo dnf update -y

• Instale os pacotes do FreeIPA:

$ sudo dnf install freeipa-server -y 

• Configurar o serviço FreeIPA.

$ sudo ipa-server-install --mkhomedir Opcional --no-ntp

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

Version 4.12.2

This includes:

  * Configure a stand-alone CA (dogtag) for certificate management

  * Configure the NTP client (chronyd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure SID generation

  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: <Enter>

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com

Server host name [hl151.local.domain]: <Enter>

The domain name has been determined based on the host name.

Please confirm the domain name [local.domain]: <Enter>

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [LOCAL.DOMAIN]: <Enter>

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password: <Password>

Password (confirm): <Password>

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password: <Password>

Password (confirm): <Password>

Trust is configured but no NetBIOS domain name found, setting it now.

Enter the NetBIOS name for the IPA domain.

Only up to 15 uppercase ASCII letters, digits and dashes are allowed.

Example: EXAMPLE.

NetBIOS domain name [LOCAL]: DOMAIN

Do you want to configure chrony with NTP server or pool address? [no]: <Enter> <-Selecionando "yes" ira reconfigurar o Chrony.

The IPA Master Server will be configured with:

Hostname:       hl151.local.domain

IP address(es): 192.168.10.151

Domain name:    local.domain

Realm name:     LOCAL.DOMAIN

The CA will be configured with:

Subject DN:   CN=Certificate Authority,O=LOCAL.DOMAIN

Subject base: O=LOCAL.DOMAIN

Chaining:     self-signed

Continue to configure the system with these values? [no]: <yes>

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Disabled p11-kit-proxy

Configuring directory server (dirsrv). Estimated time: 30 seconds

  [1/42]: creating directory server instance

Validate installation settings ...

Create file system structures ...

SELinux is disabled, will not relabel ports or files.

Create database backend: dc=local,dc=domain ...

Perform post-installation tasks ...

  [2/42]: adding default schema

  [3/42]: enabling memberof plugin

  [4/42]: enabling winsync plugin

  [5/42]: configure password logging

..............

  [8/8]: adding SIDs to existing users and groups

This step may take considerable amount of time, please wait..

Done.

Configuring client side components

This program will set up IPA client.

Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.

Client hostname: hl151.local.domain

Realm: LOCAL.DOMAIN

DNS Domain: local.domain

IPA Server: hl151.local.domain

BaseDN: dc=local,dc=domain

Configured /etc/sssd/sssd.conf

Systemwide CA database updated.

Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Could not update DNS SSHFP records.

SSSD enabled

Configured /etc/openldap/ldap.conf

Configured /etc/ssh/ssh_config

Configured /etc/ssh/sshd_config.d/04-ipa.conf

Configuring local.domain as NIS domain.

Client configuration complete.

The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.30obul4f.db

==============================================================================

Setup complete

Next steps:

1. You must make sure these network ports are open:

TCP Ports:

  * 80, 443: HTTP/HTTPS

  * 389, 636: LDAP/LDAPS

  * 88, 464: kerberos

  * 53: bind

UDP Ports:

  * 88, 464: kerberos

  * 53: bind

  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'

  This ticket will allow you to use the IPA tools (e.g., ipa user-add)

  and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

The ipa-server-install command was successful

Testar o funcionamento

# ipactl status

Directory Service: RUNNING

krb5kdc Service: RUNNING

kadmin Service: RUNNING

httpd Service: RUNNING

ipa-custodia Service: RUNNING

pki-tomcatd Service: RUNNING

ipa-otpd Service: RUNNING

ipa: INFO: The ipactl command was successful

# kinit admin

Password for admin@LOCAL.DOMAIN: 

# klist

Ticket cache: KCM:0

Default principal: admin@LOCAL.DOMAIN

Valid starting       Expires              Service principal

03/19/2024 13:12:41  03/20/2024 12:51:43  krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN

# ipa user-find

---------------

4 users matched

---------------

  User login: admin

  Last name: Administrator

  Home directory: /home/admin

  Login shell: /bin/bash

  Principal alias: admin@LOCAL.DOMAIN, root@LOCAL.DOMAIN

  UID: 963400000

  GID: 963400000

  Account disabled: False

....

# ipa group-find

----------------

6 groups matched

----------------

  Group name: admins

  Description: Account administrators group

  GID: 963400000

....

• Validar o funcionamento do serviço.

# systemctl status ipa.service

• Acompanhar o log do serviço.

# journalctl -fu ipa.service

Segurança

• Configurar regra de firewall para o servidor e serviço.

$ sudo systemctl start firewalld.service

$ sudo systemctl enable firewalld.service

$ sudo firewall-cmd --state 

$ sudo firewall-cmd --list-all

$ sudo firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,http,https,ldap,ldaps,kerberos,kpasswd,dns,ntp}

$ sudo firewall-cmd --permanent --add-service=ssh

$ sudo firewall-cmd --reload

Resumo das portas:

TCP: 80,443,389,636,88,464,53,22

UDP: 88,464,53,123

Nota: Para avaliação não necessita ativação.

Link: 1 / 2 / 3 / 4 / 5 / 6