IPA Directory Service for RHEV
IPA (Identity, Policy, Audit) is an integrated identity management solution combining Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and the Dogtag certificate system. It provides a web interface and command-line administration tools.
Explaining IPA in detail is out of scope for this document, so I will go straight to how you can quickly set one up and use it with RHEV 3 for centralized, user-based access control. For more information on IPA, refer to
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#introduction
Installing IPA
As root, run this command in the shell.
# yum install ipa-server
Once it is installed, run the command below to set up the IPA server, follow the on-screen prompts and provide your input for the fields annotated with # comments in the sample install transcript that follows.
Note: for IPA to install without errors you need fully functional DNS with forward and reverse lookup zones configured properly; the installer derives the domain and realm from the host's FQDN and fails if that name does not resolve both ways. (The installer can also configure BIND on the IPA server itself with --setup-dns, but this guide uses an existing DNS server.) If you need to set up DNS, read my DNS Setup post first.
# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log

This includes:
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [rhevmanager.rhev3.in]: #used default value

The domain name has been calculated based on the host name.

Please confirm the domain name [rhev3.in]: #used default value

The IPA Master Server will be configured with
Hostname:    rhevmanager.rhev3.in
IP address:  192.168.70.26
Domain name: rhev3.in

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RHEV3.IN]: #used default value

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: ##Feed password
Password (confirm): ##Retype password

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: ##Feed password
Password (confirm): ##Retype password

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 36 minutes
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: restarting certificate server
  [4/17]: configuring certificate server instance
  [5/17]: restarting certificate server
  [6/17]: creating CA agent PKCS#12 file in /root
  [7/17]: creating RA agent certificate database
  [8/17]: importing CA chain to RA certificate database
  [9/17]: restarting certificate server
  [10/17]: requesting RA certificate from CA
  [11/17]: issuing RA agent certificate
  [12/17]: adding RA agent as a trusted user
  [13/17]: fixing RA database permissions
  [14/17]: setting up signing cert profile
  [15/17]: set up CRL publishing
  [16/17]: configuring certificate server to start on boot
  [17/17]: restarting certificate server
done configuring pki-cad.
Configuring directory server: Estimated time 31 minutes
  [1/32]: creating directory server user
  [2/32]: creating directory server instance
  [3/32]: adding default schema
  [4/32]: enabling memberof plugin
  [5/32]: enabling referential integrity plugin
  [6/32]: enabling winsync plugin
  [7/32]: configuring replication version plugin
  [8/32]: enabling IPA enrollment plugin
  [9/32]: enabling ldapi
  [10/32]: configuring uniqueness plugin
  [11/32]: configuring uuid plugin
  [12/32]: configuring modrdn plugin
  [13/32]: enabling entryUSN plugin
  [14/32]: configuring lockout plugin
  [15/32]: creating indices
  [16/32]: configuring ssl for ds instance
  [17/32]: configuring certmap.conf
  [18/32]: configure autobind for root
  [19/32]: restarting directory server
  [20/32]: adding default layout
  [21/32]: adding delegation layout
  [22/32]: adding replication acis
  [23/32]: configuring user private groups
  [24/32]: configuring netgroups from hostgroups
  [25/32]: creating default Sudo bind user
  [26/32]: creating default HBAC rule allow_all
  [27/32]: initializing group membership
  [28/32]: adding master entry
  [29/32]: configuring Posix uid/gid generation
  [30/32]: enabling compatibility plugin
  [31/32]: tuning directory server
  [32/32]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 minutes
  [1/14]: setting KDC account password
  [2/14]: adding sasl mappings to the directory
  [3/14]: adding kerberos entries to the DS
  [4/14]: adding default ACIs
  [5/14]: configuring KDC
  [6/14]: adding default keytypes
  [7/14]: adding default password policy
  [8/14]: creating a keytab for the directory
  [9/14]: creating a keytab for the machine
  [10/14]: exporting the kadmin keytab
  [11/14]: adding the password extension to the directory
  [12/14]: adding the kerberos master key to the directory
  [13/14]: starting the KDC
  [14/14]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring ipa_kpasswd
  [1/2]: starting ipa_kpasswd
  [2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 31 minutes
  [1/12]: disabling mod_ssl in httpd
  [2/12]: setting mod_nss port to 443
  [3/12]: setting mod_nss password file
  [4/12]: adding URL rewriting rules
  [5/12]: configuring httpd
  [6/12]: setting up ssl
  [7/12]: setting up browser autoconfig
  [8/12]: publish CA cert
  [9/12]: creating a keytab for httpd
  [10/12]: configuring SELinux for httpd
  [11/12]: restarting httpd
  [12/12]: configuring httpd to start on boot
done configuring httpd.
Setting the certificate subject base
restarting certificate server
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.LkomfS.db
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
       TCP Ports:
         * 80, 443: HTTP/HTTPS
         * 389, 636: LDAP/LDAPS
         * 88, 464: kerberos
       UDP Ports:
         * 88, 464: kerberos
         * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
[root@rhevmanager network-scripts]#
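The checklist the installer prints under "Next steps" (open ports, kinit, back up /root/cacert.p12) together with the DNS precondition from the note above, turned into a small post-install sanity-check script. This is an added example, not code from the original post: the hostname, IP address and port list are the values from the sample install above, and the script assumes host, ss, awk and GNU stat are available on the RHEL 6 manager host.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity checks for
# the IPA server configured above. Host and IP default to the sample install's
# values (assumptions); override with IPA_HOST / IPA_IP in the environment.
IPA_HOST="${IPA_HOST:-rhevmanager.rhev3.in}"
IPA_IP="${IPA_IP:-192.168.70.26}"

# Domain is everything after the first label of the FQDN (what the installer
# "calculated based on the host name").
domain_of() {
    printf '%s\n' "${1#*.}"
}

# Kerberos realm is the domain in upper case, the installer's default.
realm_of() {
    domain_of "$1" | tr '[:lower:]' '[:upper:]'
}

# Reverse-zone name for an IPv4 address: 192.168.70.26 -> 26.70.168.192.in-addr.arpa
ptr_name_of() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# The ports the installer lists under "Next steps", as proto/port pairs.
ipa_ports() {
    printf '%s\n' tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 udp/88 udp/464 udp/123
}

# Forward and reverse DNS for the IPA host must agree: this is the "fully
# functional DNS" precondition from the note above. Needs a resolver.
check_dns() {
    fwd=$(host -t A "$IPA_HOST" | awk '/has address/ { print $NF; exit }')
    rev=$(host -t PTR "$(ptr_name_of "$IPA_IP")" | awk '/pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ "$fwd" = "$IPA_IP" ] && [ "$rev" = "$IPA_HOST" ]
}

# Each installer-listed port should have a local listener (ss from iproute).
check_listeners() {
    rc=0
    for pp in $(ipa_ports); do
        proto=${pp%/*}; port=${pp#*/}
        flag=-lnt; [ "$proto" = udp ] && flag=-lnu
        if ss "$flag" | awk '{ print $4 }' | grep -q ":${port}\$"; then
            echo "ok      $pp"
        else
            echo "MISSING $pp"; rc=1
        fi
    done
    return $rc
}

# /root/cacert.p12 holds the CA key, protected only by the Directory Manager
# password. Keep it root-only readable; the off-box backup is your job.
check_cacert_perms() {
    f=/root/cacert.p12
    [ -f "$f" ] || { echo "$f not found" >&2; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = 600 ] || chmod 600 "$f"
}

main() {
    echo "domain: $(domain_of "$IPA_HOST")  realm: $(realm_of "$IPA_HOST")"
    if check_dns; then echo "ok      DNS forward/reverse for $IPA_HOST"
    else echo "FAIL    DNS forward/reverse for $IPA_HOST"; fi
    check_listeners
    check_cacert_perms
}

# Live checks run only when asked for explicitly, so the helper functions can
# be sourced and exercised without a running IPA server.
if [ "${1:-}" = run ]; then main; fi
```

Run it as root with `sh ipa-postinstall-check.sh run`. The cacert.p12 check is the one worth remembering: that file contains the CA's private key, so anyone who obtains it together with the Directory Manager password can mint certificates trusted by every IPA client and by RHEV Manager; restrict it to root and keep the backup the installer asks for somewhere encrypted and off the box.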
Adding Users in IPA Server
Once the IPA server is installed you can add users to the directory from the command line or from the IPA web UI.
Adding Users from Command Line
First obtain a Kerberos ticket as admin, using the IPA admin password you set during the install above:
# kinit admin
Password for admin@RHEV3.IN:
[root@rhevmanager network-scripts]#
[root@rhevmanager network-scripts]# ipa user-add rhevadmin
First name: paps
Last name: rhev
----------------------
Added user "rhevadmin"
----------------------
User login: rhevadmin
First name: paps
Last name: rhev
Full name: paps rhev
Display name: paprhev
Initials: pr
Home directory: /home/rhevadmin
GECOS field: rhevadmin
Login shell: /bin/sh
Kerberos principal: rhevadmin@RHEV3.IN
UID: 660000003
[root@rhevmanager network-scripts]#
That is all on the IPA side. Once the rhev3.in domain has been attached to RHEV Manager (rhevm-manage-domains on the manager host), you can select this user in the RHEV Manager administration portal and grant it permissions on virtual resources.
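The interactive ipa user-add above is fine by hand; for repeatable provisioning you want it scripted, with the initial password kept off the command line and the user placed in a group that RHEV roles are later mapped to. The following is an added example, not code from the original post: the group name rhev-admins and the password prompting are assumptions, and it relies on the ipa CLI reading the value for --password from stdin when stdin is not a terminal. It also carries the one caveat from the install transcript that is easy to miss: step 26/32 created an HBAC rule named allow_all, which lets every IPA user log in to every enrolled host.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the
# "ipa user-add" step above. Assumes a valid admin ticket (kinit admin) on the
# IPA server. REALM is the sample install's realm; GROUP is a made-up name.
REALM="${REALM:-RHEV3.IN}"
GROUP="${GROUP:-rhev-admins}"

# Kerberos principal the new user gets, as shown in the ipa user-add output.
principal_for() {
    printf '%s@%s\n' "$1" "$2"
}

# Accept only plain POSIX-style login names: lower-case letters, digits, ., _, -
# and starting with a letter. Gives a clear error before the CLI round trip.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9._-]*|[!a-z]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Creates the user with an initial password. The password is read from the
# terminal with echo off and fed to "--password" on stdin (the two lines the
# CLI prompts for), so it never appears in argv or shell history. IPA marks
# the password expired, so the user must change it at first login.
create_user() {
    login=$1; first=$2; last=$3
    valid_login "$login" || { echo "bad login: $login" >&2; return 1; }
    printf 'Initial password for %s: ' "$login" >&2
    stty -echo; read -r pw; stty echo; echo >&2
    printf '%s\n%s\n' "$pw" "$pw" | ipa user-add "$login" --first="$first" --last="$last" --password
}

# Put the account in a dedicated group; map RHEV roles to the group, not to
# individual users, so access reviews and removals stay simple.
add_to_group() {
    ipa group-show "$2" >/dev/null 2>&1 || ipa group-add "$2" --desc="RHEV administrators"
    ipa group-add-member "$2" --users="$1"
}

# The installer's default HBAC rule "allow_all" (step 26/32 in the transcript)
# lets every IPA user log in to every enrolled host. Add rules naming the hosts
# and groups you actually want, then disable it.
disable_allow_all() {
    ipa hbacrule-disable allow_all
}

main() {
    create_user "$1" "$2" "$3"
    add_to_group "$1" "$GROUP"
    ipa user-show "$1"
    echo "principal: $(principal_for "$1" "$REALM")"
}

# Run only when a login is given, so the helpers can be sourced for testing.
if [ $# -ge 3 ]; then main "$@"; fi
```

Run it as `sh ipa-adduser.sh rhevadmin paps rhev` after `kinit admin`. disable_allow_all is deliberately not called from main: create the replacement hbacrule entries for the hosts and groups you want first, then disable allow_all, otherwise you lock every IPA user out of every enrolled machine.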
Adding users from IPA UI
Before using the IPA web UI you need to configure your browser to trust the IPA CA and to use your Kerberos ticket. The IPA server publishes its CA certificate and a browser configuration page for this (the "publish CA cert" and "setting up browser autoconfig" steps in the install transcript), and the Identity Management Guide linked above covers it in more detail.
Once that is done, point your browser to the URL below and sign in with the admin credentials:
https://rhevmanager.rhev3.in/ipa/ui/
You are done; go back to the RHEV3 Cook Book for more cooking.