FreeIPA 4.7.0 Server Deployment
Introduction to FreeIPA
Main features
* An integrated identity and security management solution that combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, the Dogtag certificate system, SSSD and more.
* Built on well-known open-source components and standard protocols.
* Focused on ease of management and on automating installation and configuration.
* Full multi-master replication for higher redundancy and scalability.
* Extensible management interfaces (CLI, Web UI, XML-RPC and JSON-RPC APIs) and a Python SDK.
Its main job is central user management; other platforms can fetch account information from it over LDAP, for example jumpserver.
Deployment
- System requirements: Fedora 28 (the system used for this deployment; the author could not get it installed on CentOS 7.5 and strongly recommends Fedora 28, which is administered the same way as CentOS)
- FreeIPA: version 4.7
- IP: 192.168.100.23
This deployment uses the server itself as the DNS server (an external or separately built DNS can be used instead, but then the commands below differ; take note).
Installing Fedora itself is straightforward.
hostnamectl set-hostname server.zhuxu.co ## change the name to suit your environment; it must be a fully qualified name with at least two labels (underscores are not valid in DNS host names; the original deployment also avoids "-")
cat /etc/hosts ## the host name must map to the real address, not 127.0.0.1; the installer checks this and aborts otherwise
192.168.100.23 server.zhuxu.co server
dnf install -y ipa-server bind bind-dyndb-ldap ipa-server-dns ## on Fedora 28 "yum" also works, it is a wrapper around dnf
cat /etc/resolv.conf ## with --setup-dns the installer rewrites this file to point at 127.0.0.1 itself
search zhuxu.co
nameserver 127.0.0.1
ipa-server-install --setup-dns ## to have the IPA name server forward outside names to an existing resolver, add --forwarder=X.X.X.X (repeatable); the run below answers "no", so this server has to reach the Internet root servers itself to resolve outside names, which rarely works on an internal network
Server host name [server.zhuxu.co]: (press Enter)
Please confirm the domain name [zhuxu.co]: (press Enter)
Please provide a realm name [ZHUXU.CO]: (press Enter)
Directory Manager password: (Directory Manager password)
Password (confirm): (Directory Manager password)
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: (admin login password)
Password (confirm): (admin login password)
Checking DNS domain zhuxu.co., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: yes
Reverse record for IP address 192.168.100.23 already exists
The IPA Master Server will be configured with:
Hostname: server.zhuxu.co
IP address(es): 192.168.100.23
Domain name: zhuxu.co
Realm name: ZHUXU.CO
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=ZHUXU.CO
Subject base: O=ZHUXU.CO
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned
On success the output ends like this:
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
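The same installation run unattended, with the checks the installer would otherwise fail on done up front and the firewall opened for the port list printed above. This is an added example, not code from the original post or from the FreeIPA project; it assumes the host name server.zhuxu.co, the address 192.168.100.23, an upstream resolver in DNS_FORWARDER (left empty to reproduce the "no forwarders" answer above) and the two passwords in DM_PASSWORD and ADMIN_PASSWORD.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project):
# pre-flight checks plus an unattended equivalent of the interactive
# ipa-server-install run. Assumed values, change to suit: server.zhuxu.co at
# 192.168.100.23; DM_PASSWORD, ADMIN_PASSWORD and DNS_FORWARDER are read from
# the environment so no password is written into a script file.

IPA_HOST="${IPA_HOST:-server.zhuxu.co}"
IPA_IP="${IPA_IP:-192.168.100.23}"

# A host name the installer accepts: lowercase letters, digits and inner
# hyphens per label, no underscores, at least two labels (a bare "server"
# or "localhost" is rejected).
valid_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Defaults the installer derives from the host name: the domain is everything
# after the first label, the realm is the domain in upper case.
domain_of() { printf '%s\n' "$1" | cut -d. -f2-; }
realm_of()  { domain_of "$1" | tr '[:lower:]' '[:upper:]'; }

# /etc/hosts must map the host name to its real address; the installer aborts
# if the name resolves to 127.0.0.1/::1 or not at all.
# $1 = file contents, $2 = fqdn, $3 = expected address
hosts_entry_ok() {
    printf '%s\n' "$1" | awk -v h="$2" -v ip="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { found = 1; if ($1 != ip) bad = 1 } }
        END { if (found && !bad) exit 0; exit 1 }'
}

# The port list the installer prints at the end: 80/443 HTTP(S), 389/636
# LDAP(S), 88/464 Kerberos, 53 DNS over TCP and UDP, 123/udp NTP.
ipa_ports() {
    echo "80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"
}
open_firewall() {
    for p in $(ipa_ports); do firewall-cmd --permanent --add-port="$p" >/dev/null; done
    firewall-cmd --reload
}

preflight() {
    valid_fqdn "$IPA_HOST" || { echo "bad host name: $IPA_HOST" >&2; return 1; }
    hosts_entry_ok "$(cat /etc/hosts)" "$IPA_HOST" "$IPA_IP" ||
        { echo "/etc/hosts must map $IPA_HOST to $IPA_IP" >&2; return 1; }
    [ "$(hostname)" = "$IPA_HOST" ] || hostnamectl set-hostname "$IPA_HOST"
}

install_ipa_server() {
    # -U answers every prompt from the flags. The passwords are visible in the
    # process list while the installer runs, so do this on a host nobody else
    # is logged in to. No forwarder reproduces the "no" answered above.
    if [ -n "${DNS_FORWARDER:-}" ]; then fwd="--forwarder=$DNS_FORWARDER"; else fwd="--no-forwarders"; fi
    ipa-server-install -U \
        --hostname="$IPA_HOST" --ip-address="$IPA_IP" \
        --domain="$(domain_of "$IPA_HOST")" --realm="$(realm_of "$IPA_HOST")" \
        --ds-password="$DM_PASSWORD" --admin-password="$ADMIN_PASSWORD" \
        --setup-dns "$fwd" --auto-reverse
}

# Only act when invoked as "sh deploy.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    dnf install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
    preflight && open_firewall && install_ipa_server
fi
```

The checks mirror what ipa-server-install verifies itself; running them first turns a failed installation (which then has to be undone with ipa-server-install --uninstall) into an early error message.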
The /root/cacert.p12 file named above holds the CA's private key, protected only by the Directory Manager password; move a copy to offline or encrypted storage, because anyone holding the file and that password can issue certificates trusted by the whole realm.
Local test
[root@server ~]# kinit admin ### a Kerberos ticket for admin is needed before the ipa commands will run
Password for admin@ZHUXU.CO:
[root@server ~]# ipa user-find --all ### list every domain user with all attributes
--------------
1 user matched
--------------
dn: uid=admin,cn=users,cn=accounts,dc=zhuxu,dc=co
User login: admin
Last name: Administrator
Full name: Administrator
Home directory: /home/admin
GECOS: Administrator
Login shell: /bin/bash
Principal alias: admin@ZHUXU.CO
User password expiration: 20181122134155Z
UID: 1919200000
GID: 1919200000
Account disabled: False
Preserved user: False
Member of groups: admins, trust admins
ipauniqueid: ded602aa-a7a2-11e8-a94d-000c298c2968
krbextradata: AAIjC4Bbcm9vdC9hZG1pbkBaSFVYVS5DTwA=
krblastpwdchange: 20180824134155Z
objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
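The same ipa user-find --all query issued over the JSON-RPC API that the CLI and the Web UI both use, with a password session instead of the Kerberos ticket from kinit admin. This is an added example, not code from the original post or the FreeIPA project; it assumes the server https://server.zhuxu.co, its CA certificate at /etc/ipa/ca.crt (where the server installation places it) and the admin password in ADMIN_PASSWORD.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project): query
# the JSON-RPC API with a password session. Assumed: IPA_URL, the CA file in
# IPA_CACERT and ADMIN_PASSWORD in the environment.

IPA_URL="${IPA_URL:-https://server.zhuxu.co}"
IPA_CACERT="${IPA_CACERT:-/etc/ipa/ca.crt}"
COOKIE_JAR="${COOKIE_JAR:-$HOME/.ipa_session_cookie}"

# JSON-RPC body in the shape the ipa CLI sends: a list of positional arguments
# followed by an options object. Method names use underscores where the CLI
# uses hyphens (user-find -> user_find).
# $1 = method, $2 = options object as JSON (optional), rest = positional args
rpc_body() {
    method=$1; shift
    options='{}'
    if [ $# -gt 0 ]; then options=$1; shift; fi
    args=''
    for a in "$@"; do args="${args:+$args,}\"$a\""; done
    printf '{"method":"%s","params":[[%s],%s],"id":0}' "$method" "$args" "$options"
}

# Password login: the server answers with an ipa_session cookie, stored in
# $COOKIE_JAR with mode 0600 because it is a bearer credential. The Referer
# header is mandatory: the server rejects login and JSON-RPC requests without
# one as a bad request (its CSRF protection). --cacert pins trust to the IPA
# CA instead of the system store.
ipa_login() {
    ( umask 077
      curl -sS --fail --cacert "$IPA_CACERT" -c "$COOKIE_JAR" \
          -H "Referer: $IPA_URL/ipa" -H 'Accept: text/plain' \
          --data-urlencode "user=$1" --data-urlencode "password=$2" \
          "$IPA_URL/ipa/session/login_password" >/dev/null )
}

# Send a JSON-RPC body with the session cookie and print the JSON reply.
ipa_call() {
    curl -sS --fail --cacert "$IPA_CACERT" -b "$COOKIE_JAR" \
        -H "Referer: $IPA_URL/ipa" -H 'Content-Type: application/json' \
        -H 'Accept: application/json' --data-binary "$1" \
        "$IPA_URL/ipa/session/json"
}

# End the server-side session and discard the cookie.
ipa_logout() {
    curl -sS --cacert "$IPA_CACERT" -b "$COOKIE_JAR" -H "Referer: $IPA_URL/ipa" \
        "$IPA_URL/ipa/session/logout" >/dev/null
    rm -f "$COOKIE_JAR"
}

# Invoked as "ADMIN_PASSWORD=... sh ipa-rpc.sh run": log in, run user_find with
# all attributes (the user-find --all above), then drop the session.
if [ "${1:-}" = run ]; then
    ipa_login admin "$ADMIN_PASSWORD"
    ipa_call "$(rpc_body user_find '{"all":true}')"
    ipa_logout
fi
```

The reply is the same data the CLI prints, as JSON (uid, memberof_group, nsaccountlock and so on under result.result); pipe it through python3 -m json.tool to read it. Replace user_find with group_show and the positional argument admins to audit who holds administrative rights on the freshly installed server.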
ipactl --help
Usage: ipactl start|stop|restart|status
Options:
-h, --help show this help message and exit
-d, --debug Display debugging information
-f, --force Force IPA to start. Combine options --skip-version-
check and --ignore-service-failures
--ignore-service-failures
If any service start fails, do not rollback the
services, continue with the operation
--skip-version-check skip version check
Web UI access
https://server.zhuxu.co/ipa/ui/
Log in as admin. The client must resolve server.zhuxu.co (use the IPA DNS server or add a hosts entry), and the browser must trust the IPA CA or it will warn about the HTTPS certificate; the CA certificate is served at http://server.zhuxu.co/ipa/config/ca.crt and is also stored on the server as /etc/ipa/ca.crt.
Reference: http://blog.51cto.com/zhuxu91313/2150779