Free IPA (Identity - Policy - Audit) - OSDCM: User Management
DESCRIPTION
inovex internal talk / brown bag. 1. What is Free IPA? 2. Overview 3. CLI and web GUI 4. Windows AD integration 5. Framework 6. Environment 7. Architecture 8. Server 9. Client 10. Multi-master replication 11. Hands-on 12. Free IPA server installation 13. Free IPA client installation 14. Free IPA CLI management
TRANSCRIPT
Free IPA (Identity – Policy - Audit)
OSDCM: User Management
Jürgen Brunk
Munich, 06.05.2014
Free IPA 2
Agenda
1. What is Free IPA?
2. Overview
3. CLI and web GUI
4. Windows AD integration
5. Framework
6. Environment
7. Architecture
8. Server
9. Client
10. Multi-master replication
11. Hands-on
12. Free IPA server installation
13. Free IPA client installation
14. Free IPA CLI management
What is Free IPA?
What is Free IPA? / Overview
A kind of "Active Directory" for Linux
Central management of user accounts and policies
● Users/hosts/groups, passwords
● sudo rights, SSH keys
● DNS management, certificates/PKI
● and much more ...
What is Free IPA? / CLI and web GUI
What is Free IPA? / Windows AD integration
Can also be connected to an existing Windows AD environment (it is not a replacement for it!)
Since Free IPA v2: replication of users and passwords from AD to Free IPA
Since Free IPA v3: AD is connected to Free IPA via a "trusted link", giving SSO from a Windows to a Linux machine
What is Free IPA? / Framework
Open source framework:
● MIT Kerberos server (SSO)
● 389 Directory Server (LDAP)
● SSS* (System Security Services)
● Dogtag PKI
● BIND DNS
● NTP
● Samba
● Apache
What is Free IPA? / Environment
(currently) a pure Red Hat project
(currently) officially supported: Fedora / Red Hat Enterprise Linux
Recommended: Fedora 20 / RHEL 7
Architecture
Architecture / IPA Server
Architecture / IPA Client
Architecture / Multi-master replication
Questions so far?
Hands-on
Free IPA server installation
Free IPA / Server installation 1/3
# cat /etc/redhat-release
Fedora release 20 (Heisenbug)

# disable the firewall (makes the test setup easier)
# systemctl disable firewalld
# systemctl stop firewalld

# cat /etc/hosts
192.168.10.2 freeipa.local.domain freeipa

# cat /etc/hostname
freeipa.local.domain

# yum install bind-dyndb-ldap freeipa-server
Free IPA / Server installation 2/3
# ipa-server-install --setup-dns --mkhomedir
Server host name [freeipa.local.domain]:
Please confirm the domain name [local.domain]:
Please provide a realm name [LOCAL.DOMAIN]:
Directory Manager password: *****
IPA admin password: *****
Do you want to configure DNS forwarders? [yes]:
Enter IP address for a DNS forwarder: 8.8.8.8
Enter IP address for a DNS forwarder: 8.8.4.4
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [10.168.192.in-addr.arpa.]:
Continue to configure the system with these values? [no]: yes
Free IPA / Server installation 3/3
# kinit admin
Password for admin@LOCAL.DOMAIN: *****

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LOCAL.DOMAIN

Valid starting       Expires              Service principal
05.05.2014 11:26:52  06.05.2014 11:26:49  krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN

# optional: uninstall ;-)
# ipa-server-install --uninstall --unattended
Free IPA client installation
Free IPA / Client installation 1/1
# yum install freeipa-client
# ipa-client-install --mkhomedir

If necessary, adjust the SSSD configuration when "sudo" does not work:

/etc/nsswitch.conf:
+sudoers: files sss

/etc/sssd/sssd.conf:
[sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, sudo
# systemctl restart sssd
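The following check, added here and not part of the original slides, verifies the two client-side edits above on a given nsswitch.conf and sssd.conf (the file paths and the sample files are constructed for the example):

```shell
#!/bin/sh
# Added example, not from the slides: verify that an IPA client is set up to
# fetch sudo rules through SSSD, i.e. the two edits above (nsswitch.conf
# "sudoers: files sss" and "sudo" in the [sssd] services list). File paths are
# parameters, so the check runs against the live files or constructed copies.

# 0 if nsswitch.conf has a "sudoers:" entry that lists the "sss" source.
nsswitch_has_sss_sudoers() {
    grep -E -q '^[[:space:]]*sudoers:([[:space:]]+[^[:space:]]+)*[[:space:]]+sss([[:space:]]|$)' "$1"
}

# 0 if the "services =" key inside the [sssd] section contains "sudo".
sssd_services_include_sudo() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section) }
        section == "sssd" && /^[ \t]*services[ \t]*=/ {
            split($0, kv, "=")
            n = split(kv[2], svc, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "sudo") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Reports what is missing; returns 0 only when both files are configured.
check_sssd_sudo() {
    rc=0
    nsswitch_has_sss_sudoers "$1" || { echo "$1: sudoers entry lacks sss"; rc=1; }
    sssd_services_include_sudo "$2" || { echo "$2: [sssd] services lacks sudo"; rc=1; }
    return $rc
}

# Constructed fixtures: the state before and after the slide's two edits.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files sss\nsudoers: files\n' >"$tmp/nsswitch.before"
printf 'passwd: files sss\nsudoers: files sss\n' >"$tmp/nsswitch.after"
printf '[sssd]\nservices = nss, pam, ssh\ndomains = local.domain\n[domain/local.domain]\nid_provider = ipa\n' >"$tmp/sssd.before"
printf '[sssd]\nservices = nss, pam, ssh, sudo\ndomains = local.domain\n' >"$tmp/sssd.after"

if check_sssd_sudo "$tmp/nsswitch.before" "$tmp/sssd.before"; then echo "before: ok"; else echo "before: needs the fix"; fi
if check_sssd_sudo "$tmp/nsswitch.after" "$tmp/sssd.after"; then echo "after: ok"; fi
```

On a real client, call `check_sssd_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf` before restarting sssd.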
Free IPA CLI management
Free IPA / CLI management 1/2
# obtain a Kerberos ticket
# kinit admin

# ipa help user

# create a new user "jdoe" with a random password
# ipa user-add jdoe --first John --last Doe --random

# search for a user
# ipa user-find john

# show user details
# ipa user-show jdoe
Free IPA / CLI management 2/2
# create a new group
# ipa group-add foo

# add the user to the new group
# ipa group-add-member foo --user jdoe

# reset the password
# ipa passwd jdoe

# assign an SSH key
# ipa user-mod jdoe --sshpubkey="ssh-rsa AAAA..."

# delete the user
# ipa user-del jdoe
Any more questions?
References and links
References
Sources:
www.freeipa.org
www.fedoraproject.org
www.redhat.com
Images:
www.freeipa.org
www.fedoraproject.org
www.redhat.com
www.linux-magazine.com
Links
Free IPA website: www.freeipa.org
Free IPA documentation: www.freeipa.org/page/Quick_Start_Guide
www.freeipa.org/page/HowTos
Thank you for your attention
Contact
Jürgen Brunk, Systems Engineer
inovex GmbH, Office München, Valentin-Linhof Str. 2, D-81829 München
Mobile: 0173 3181 003
Mail: [email protected]