Identity Management with IPA Server

Overview

This page will detail the installation of IPA Server for Identity, Authentication and Authorisation. As far as possible, there are no local user accounts that can login. The IdM Server will be setup with DNS enabled and as all servers will be VM's NTP will be disabled.

Prerequisites

You must follow the below installation steps prior to installing the Application. You must also know the DNS forwarders that will be used. These can be found by looking at the /etc/resolv.conf in a newly created VM.

Setup IPA Server

Install IPA Server. The bind packages are used for the DNS Server

yum install ipa-server bind bind-dyndb-ldap

Create the IdM Server Instance.

ipa-server-install --no-ntp --setup-dns --idstart=10000

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

This includes:

Configure a stand-alone CA (dogtag) for certificate management

Create and configure an instance of Directory Server

Create and configure a Kerberos Key Distribution Center (KDC)

Configure Apache (httpd)

Configure DNS (bind)

Excluded by options:

Configure the Network Time Daemon (ntpd)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com.

Server host name [ipaserver.example.com]:

Warning: skipping DNS resolution of host ipaserver.example.com

The domain name has been determined based on the host name.

Please confirm the domain name [example.com]:

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]:

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password:

Password (confirm):

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password:

Password (confirm):

Do you want to configure DNS forwarders? [yes]:

Enter the IP address of DNS forwarder to use, or press Enter to finish.

Enter IP address for a DNS forwarder: 172.17.1.26

DNS forwarder 172.17.1.26 added

Enter IP address for a DNS forwarder: 172.17.1.27

DNS forwarder 172.17.1.27 added

Enter IP address for a DNS forwarder:

Checking forwarders, please wait ...

Do you want to configure the reverse zone? [yes]:

Please specify the reverse zone name [10.10.10.in-addr.arpa.]:

Using reverse zone(s) 10.10.10.in-addr.arpa.

The IPA Master Server will be configured with:

Hostname: ipaserver.example.com

IP address(es): 10.10.10.10

Domain name: example.com

Realm name: EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:

Forwarders: 172.17.1.26, 172.17.1.27

Reverse zone(s): 10.10.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The ipa-dns-install command (which is run with the install script when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually, after DNS is configured for IdM.

Create the rndc configuration file and key and set permissions. The permissions appear to be correct after running the rndc-confgen but as the Red Hat Documentation mentions them they have been listed for reference.

/usr/sbin/rndc-confgen -a

/sbin/restorecon /etc/rndc.key

chown root:named /etc/rndc.key

chmod 0640 /etc/rndc.key

Restart the SSH service to retrieve the Kerberos principal and to refresh the name server switch (NSS) configuration file:

systemctl start sshd

Authenticate to the Kerberos realm using the admin user's credentials to ensure that the user is

properly configured and the Kerberos realm is accessible.

kinit admin

Test the IdM configuration by running a command like ipa user-find

ipa user-find admin

Show the IdM Status

ipactl status

Amend default shell from /bin/sh to /bin/bash

ipa config-mod --defaultshell=/bin/bash

Configure the firewall to allow clients to access the IdM services.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="ldap" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="ldaps" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="http" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="https" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="dns" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="kerberos" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="kpasswd" accept'

firewall-cmd --reload

As the install for the server automatically installs the client, it does not allow you to either select options for the client install or reinstall the client. You therefore need to manually setup the mkhomedir for the users.

authconfig --enablemkhomedir --update

Install IPA Clients

Install the IPA Client

yum -y install ipa-client

There is a bug in ipa-client-4.1.0-18.el7_1.3 which causes the install to hang if NTP is not running. We therefore need to start NTP for installation purposes and then disable it afterwards.

systemctl start ntpd

Configure IPA. You will need the IPA admin password to compete this process.

ipa-client-install --enable-dns-updates --mkhomedir --no-ntp

Discovery was successful!

Hostname: server.example.com

Realm: EXAMPLE.COM

DNS Domain: example.com

IPA Server: ipaserver.example.com

BaseDN: dc=example,dc=co,dc=uk

Continue to configure the system with these values? [no]: yes

Synchronizing time with KDC...

Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.

User authorized to enroll computers: admin

Password for admin@EXAMPLE.COM:

Successfully retrieved CA cert

Subject: CN=Certificate Authority,O=EXAMPLE.COM

Issuer: CN=Certificate Authority,O=EXAMPLE.COM

Valid From: Mon Jul 20 08:43:20 2015 UTC

Valid Until: Fri Jul 20 08:43:20 2035 UTC

Enrolled in IPA realm EXAMPLE.COM

Created /etc/ipa/default.conf

New SSSD config will be created

Configured sudoers in /etc/nsswitch.conf

Configured /etc/sssd/sssd.conf

Configured /etc/krb5.conf for IPA realm EXAMPLE.COM

trying https://ipaserver.example.com/ipa/json

Forwarding 'ping' to json server 'https://ipaserver.example.com/ipa/json'

Forwarding 'ca_is_enabled' to json server 'https://ipaserver.example.com/ipa/json'

Systemwide CA database updated.

Added CA certificates to the default NSS database.

Hostname (server2.example.com) not found in DNS

DNS server record set to: server2.example.com -> 10.10.10.11

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub

Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub

Forwarding 'host_mod' to json server 'https://ipaserver.example.com/ipa/json'

SSSD enabled

Configured /etc/openldap/ldap.conf

Configured /etc/ssh/ssh_config

Configured /etc/ssh/sshd_config

Configuring example.com as NIS domain.

Client configuration complete.

Test connectivity to the IdM server.

getent passwd admin

admin:*:10000:10000:Administrator:/home/admin:/bin/bash

Stop the NTP service.

systemctl stop ntpd

User and Group Management

Creating Users

Usernames are created with firstname.lastname. The following options are used when creating users. --homedir and --shell are not necessarily required. For system accounts like rsync, make sure the shell is /sbin/nologin and setup ssh keys where required. If system accounts need to use ssh keys, you will need to create the home directories manually and copy the ssh private key into .ssh. See below for details.

--first=STR First name

--last=STR Last name

--homedir=STR Home directory - Will be chrooted directory for ftp users. If left out then home directory will be /home/username

--email=STR Email address

--random Generate a random user password

--city=STR City

--shell=STR If different from /bin/bash

# Standard User

ipa user-add first.last --first=First --last=Last --email=first.last@example.co.uk --city=London --random

# System User

ipa user-add "rsync" --first="Rsync" --last="User" --email="group@example.com" --shell="/sbin/nologin" --random --sshpubkey="ssh-rsa WX8TFT110Zev2VPjy5P6tWL Rsync"

Users can be added in bulk by using the following method. Adapt the fields in the file and command as necessary.

cat users.txt

"first1.last1" "First1" "Last1" "first1.last1@example.com" "London"

"first2.last2" "First2" "Last2" "first2.last2@example.com" "London"

awk '{print "ipa user-add "$1" --first="$2" --last="$3" --email="$4" --city="$5" --random"}' users.txt >> users.sh

chmod +x users.sh

Add #!/bin/bash to first line of users.sh

By piping to egrep you are getting the details required to send to the users.

./users.sh | egrep "User login|Random"

Adding ssh keys to users

Upload the users public key and then add to the user in IdM. You will also need to ensure that servers with users connecting with ssh keys has openssh configured to use sssd to request keys from the IdM server. This is done in the sshd_config file on the server and will require s a restart of sshd.

ipa user-mod jsmith --sshpubkey="ssh-rsa 12345abcde= ipaclient.example.com"

vim /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

AuthorizedKeysCommandUser nobody

For system accounts requiring ssh keys, you will need to create the home directory and copy the private key into the .ssh folder.

mkdir -p /home/rsync/.ssh

cp private.key /home/rsync/.ssh/.

chown rsync:rsync /home/rsync

chmod -R 700 /home/rsync

chmod 400 /home/rsync/.ssh/private.key

Creating Groups and Adding Users to Groups

ipa group-add new_group --desc="This is a new group"

ipa group-add-member new_group --users=user1 --users=user2

Modifying User Attributes

User attributes like krbpasswordexpiration can be amended using ldapmodify and the Directory Manager account.

Create an LDIFF file similar to this.

dn: uid=user.name,cn=users,cn=accounts,dc=example,dc=co,dc=uk

changetype: modify

replace: krbpasswordexpiration

krbpasswordexpiration: 20160219113819Z

Process the LDIFF file

ldapmodify -h ipaserver.example.com -D cn="Directory Manager" -W -f example.ldiff

Hosts and Host Groups

Hosts are added to IdM automatically when the client is installed and so there shouldn't really be a need to add them manually. Adding hosts to groups can be done as follows.

ipa hostgroup-add --desc="Set of Servers" servers

ipa hostgroup-add-member servers --hosts={server1.example.com,server2.example.com}

HBAC Rules

Adding HBAC rules needs to be done in stages. First you create an HBAC Service and or group which is separate to adding services to a domain. Some more common services are have already been created and can be found using "ipa hbacsvc-find". Once added, you can create a base rule and then added user/services/hosts as required.

Creating HBAC Services and groups

Below is an example but note that you do not have to add a service to a group.

ipa hbacsvcgroup-add --desc="login services" login

ipa hbacsvc-add --desc="Login service" sshd

ipa hbacsvcgroup-add-member --hbacsvcs=sshd login

Setting Host-Based Access Control Rules

When creating rules, try and keep the naming convention service-group/user.

ipa hbacrule-add [--hostcat=all] --desc="Description" sshd-administrators

ipa hbacrule-add-user sshd-administrators --groups=administrators

ipa hbacrule-add-service --hbacsvcs=sshd sshd-administrators

ipa hbacrule-show sshd-administrators

Rule name: sshd-administrators

Host category: all

Enabled: TRUE

User Groups: administrators

Services: sshd

Sudo Rules

As per HBAC Rules, Sudo Rules are added in stages. First you create the sudo commands/groups, then create the sudo rule.

Creating Sudo Commands and Command Groups

Example 1 - Creating a single command # Add the command

ipa sudocmd-add "/bin/su -" --desc="Root Access"

Add the Sudo Rules

Example 1 - Creating root access with a sudo rule using a single command to all servers for a specific group.

# Create the rule

ipa sudorule-add root_access --desc="Root Access" --hostcat=all

# Add the allowed commands

ipa sudorule-add-allow-command root_access --sudocmds="/bin/su -"

# Add the allowed Users and/or Groups

ipa sudorule-add-user root_access --groups=administrators

# Add any required options as per sudoers man page. You must use single quotes.

ipa sudorule-add-option root_access --sudooption='!authenticate'

DNS

IdM provides the DNS for all internal DNS resources. The internal Domain Name is example.com which has been chosen to avoid clashing with any external DNS resources. DNS resources are managed with the "ipa dns*" command and sub commands. We will document examples below.

Adding cnames records

ipa dnsrecord-add example.com server1 --cname-rec="server1_cname"

ipa dnsrecord-add example.com server2 --cname-rec="server2_cname"

Errors/Issues

named-pkcs11.service failes to start

Example output.

# ipactl start

Existing service file detected!

Assuming stale, cleaning and proceeding

Starting Directory Service

Starting krb5kdc Service

Starting kadmin Service

Starting named Service

Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.

Failed to start named Service

Shutting down

Aborting ipactl

Error message in /var/log/messages

LDAP error: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS f

ailure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_993: Permission denied): bind to LDAP server f

ailed

This can be due to an invalid cache. Remove the old cache file and start IPA again

rm -f /var/tmp/ldap_993

# ipactl start

Existing service file detected!

Assuming stale, cleaning and proceeding

Starting Directory Service

Starting krb5kdc Service

Starting kadmin Service

Starting named Service

Starting ipa_memcached Service

Starting httpd Service

Starting pki-tomcatd Service

Starting ipa-otpd Service

Starting ipa-dnskeysyncd Service

ipa: INFO: The ipactl command was successful

[root@server]# ipactl status

Directory Service: RUNNING

krb5kdc Service: RUNNING

kadmin Service: RUNNING

named Service: RUNNING

ipa_memcached Service: RUNNING

httpd Service: RUNNING

pki-tomcatd Service: RUNNING

ipa-otpd Service: RUNNING

ipa-dnskeysyncd Service: RUNNING

ipa: INFO: The ipactl command was successful

Google Sites

Report abuse