
Steps to install FreeIPA on a CentOS 7 server

2019-01-06 15:05:32  Author: 符天  Source: 云网牛站

This article describes how to install FreeIPA on a CentOS 7 server. Once FreeIPA is running, the chore of managing user accounts and authentication by hand on each Linux system is over. I originally used a vanilla OpenLDAP server for identity management. For those new to FreeIPA: it is an identity management system designed to give administrators easy-to-manage identity, policy and audit. The steps below install FreeIPA on a CentOS 7 server.

FreeIPA installation minimum requirements

A server with 4 GB of RAM; my installs on 1 GB and 2 GB of RAM both failed.

The CentOS server can run CentOS 7.x or CentOS 6.x.

2 vCPUs.

Ports 443 and 80 not in use by any other application.

An FQDN that resolves through a public or private DNS server.

10 GB of disk space.

Note: before installing FreeIPA on a CentOS server, these prerequisites must be in place.
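The requirements above can be verified before touching the installer. The following pre-flight script is an added example, not part of the original article; each check takes its input as a file or on stdin so the logic can be exercised on constructed data, and preflight() feeds it the live host. The 4 GB memory floor is relaxed slightly because /proc/meminfo does not count kernel-reserved RAM.

```shell
#!/bin/sh
# Pre-flight check for the FreeIPA minimums listed above (added example, not from
# the original article). Checks take a file or stdin so they can be run on
# constructed data; preflight() feeds them the live system.

MIN_MEM_KB=$((3700 * 1024))       # nominal 4 GB; /proc/meminfo omits kernel-reserved RAM
MIN_VCPU=2
MIN_DISK_KB=$((10 * 1024 * 1024)) # 10 GB

# mem_ok <meminfo-file>: MemTotal must reach the minimum
mem_ok() {
    kb=$(awk '/^MemTotal:/ { print $2 }' "$1")
    [ "${kb:-0}" -ge "$MIN_MEM_KB" ]
}

# cpu_ok <cpuinfo-file>: one "processor" line per vCPU
cpu_ok() {
    [ "$(grep -c '^processor' "$1")" -ge "$MIN_VCPU" ]
}

# disk_ok <path>: free space (KB) on the filesystem holding <path>
disk_ok() {
    free_kb=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ "${free_kb:-0}" -ge "$MIN_DISK_KB" ]
}

# ports_free: reads 'ss -ltn' output on stdin; nothing may listen on 80 or 443
ports_free() {
    ! grep -Eq ':(80|443)[[:space:]]'
}

# fqdn_ok <fqdn> <ip>: name must contain a dot, resolve to <ip>, and <ip> must
# resolve back to the name (ipa-server-install checks both directions)
fqdn_ok() {
    case $1 in *.*) ;; *) return 1 ;; esac
    getent hosts "$1" | grep -Fqw "$2" || return 1
    getent hosts "$2" | grep -Fqiw "$1"
}

# preflight: run every check against the live host, report all failures at once
preflight() {
    rc=0; ip=$(hostname -I | awk '{ print $1 }'); fqdn=$(hostname -f)
    mem_ok /proc/meminfo      || { echo "FAIL: less than 4 GB RAM"; rc=1; }
    cpu_ok /proc/cpuinfo      || { echo "FAIL: fewer than 2 vCPUs"; rc=1; }
    disk_ok /var              || { echo "FAIL: less than 10 GB free under /var"; rc=1; }
    ss -ltn | ports_free      || { echo "FAIL: port 80 or 443 already in use"; rc=1; }
    fqdn_ok "$fqdn" "$ip"     || { echo "FAIL: $fqdn does not resolve to/from $ip"; rc=1; }
    return $rc
}
case "${1:-}" in run) preflight ;; esac
```

Run it as `sh preflight.sh run` on the target host; every failing requirement is printed and the exit status is non-zero if any check fails.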

Step 1: Update the system

I will add the EPEL repository and update all packages installed on the system:

sudo yum -y install epel-release

sudo yum -y update

sudo yum install bind-utils vim

Once the system is updated, proceed to install the FreeIPA server packages.

Step 2: Install the FreeIPA Server packages

Which packages to install depends on the services you need IPA to provide. If you do not need the DNS service, install only the ipa-server package:

sudo yum install ipa-server

If you want to include the DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:

sudo yum install ipa-server ipa-server-dns bind bind-dyndb-ldap

Step 3: Set up the IPA server

Configuring the FreeIPA server is a simple process: you only need to answer a few questions and everything is configured for you. If you have no DNS server that resolves the server's hostname, edit the /etc/hosts file to include the hostname and IP address:

echo "172.16.11.20  ipa.computingforgeeks.com" | sudo tee -a /etc/hosts

Set the server hostname to match the name above:

sudo hostnamectl set-hostname ipa.computingforgeeks.com

Then run the ipa-server-install command to configure the IPA server; this must be executed as the root user:

sudo ipa-server-install

If you also want to configure the DNS service, include the --setup-dns option:

sudo ipa-server-install --setup-dns

You will be prompted to answer a number of questions:

# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log

This program will set up the IPA Server.

This includes:

* Configure a stand-alone CA (dogtag) for certificate management

* Configure the Network Time Daemon (ntpd)

* Create and configure an instance of Directory Server

* Create and configure a Kerberos Key Distribution Center (KDC)

* Configure Apache (httpd)

* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled

in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form

<hostname>.<domainname>

Example: master.example.com.

Server host name [ipa.computingforgeeks.com]: 

The domain name has been determined based on the host name.

Please confirm the domain name [computingforgeeks.com]: 

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [COMPUTINGFORGEEKS.COM]: 

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password: 

Password (confirm): 

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password: 

Password (confirm): 

The IPA Master Server will be configured with:

Hostname:       ipa.computingforgeeks.com

IP address(es): 192.168.x.x

Domain name:    computingforgeeks.com

Realm name:     COMPUTINGFORGEEKS.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)

[1/4]: stopping ntpd

[2/4]: writing configuration

[3/4]: configuring ntpd to start on boot

[4/4]: starting ntpd

Done configuring NTP daemon (ntpd).

Configuring directory server (dirsrv). Estimated time: 30 seconds

.....

Client configuration complete.

The ipa-client-install command was successful

Setup complete

Next steps:

1. You must make sure these network ports are open:

TCP Ports:

* 80, 443: HTTP/HTTPS

* 389, 636: LDAP/LDAPS

* 88, 464: kerberos

UDP Ports:

* 88, 464: kerberos

* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

...

Do you want to configure integrated DNS (BIND)? [no] -> answer yes if you want to enable the DNS service (BIND).

Server host name [ipa.computingforgeeks.com]: <press Enter to confirm>
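The prompts above map one-to-one onto ipa-server-install options, so the same answers can be supplied non-interactively for repeatable builds. The script below is an added example, not from the original article; it assumes the hostname and address used above (ipa.computingforgeeks.com, 172.16.11.20), reads the two passwords from the environment variables DM_PASSWORD and ADMIN_PASSWORD (names chosen here), and refuses to run unless `hostname -f` already matches the intended FQDN, which is the usual cause of a failed install.

```shell
#!/bin/sh
# Unattended ipa-server-install with the answers the interactive prompts ask for.
# Added example, not from the original article. Hostname/IP default to the
# values used in the article; DM_PASSWORD / ADMIN_PASSWORD are names chosen here.

# derive_domain <fqdn>: the installer derives the domain by dropping the host label
derive_domain() {
    case $1 in *.*) ;; *) return 1 ;; esac
    printf '%s\n' "${1#*.}"
}

# derive_realm <fqdn>: the Kerberos realm is the domain in upper case
derive_realm() { derive_domain "$1" | tr '[:lower:]' '[:upper:]'; }

# install_args <fqdn> <ip> <with_dns:yes|no>: option list for ipa-server-install
# (passwords are appended separately at run time, never stored in this string)
install_args() {
    fqdn=$1; ip=$2; dns=$3
    args="--unattended --hostname=$fqdn --ip-address=$ip"
    args="$args --domain=$(derive_domain "$fqdn") --realm=$(derive_realm "$fqdn")"
    [ "$dns" = yes ] && args="$args --setup-dns --auto-forwarders"
    printf '%s\n' "$args"
}

# hostname_consistent <fqdn>: the prompt pre-fills 'hostname -f'; it must agree
hostname_consistent() { [ "$(hostname -f 2>/dev/null)" = "$1" ]; }

main() {
    FQDN=${FQDN:-ipa.computingforgeeks.com}; IP=${IP:-172.16.11.20}
    [ -n "${DM_PASSWORD:-}" ] && [ -n "${ADMIN_PASSWORD:-}" ] ||
        { echo "set DM_PASSWORD and ADMIN_PASSWORD in the environment" >&2; exit 1; }
    hostname_consistent "$FQDN" ||
        { echo "hostname -f != $FQDN; fix /etc/hosts and hostnamectl first" >&2; exit 1; }
    # -p/-a are the only non-interactive way to pass the passwords; they are visible
    # in the process list on this host for the duration of the install.
    # shellcheck disable=SC2046  (install_args yields single whitespace-free tokens)
    ipa-server-install $(install_args "$FQDN" "$IP" "${WITH_DNS:-no}") \
        --ds-password="$DM_PASSWORD" --admin-password="$ADMIN_PASSWORD"
}
case "${1:-}" in run) main ;; esac
```

Invoke it as `DM_PASSWORD=... ADMIN_PASSWORD=... sh ipa-unattended.sh run` (add `WITH_DNS=yes` for the integrated DNS variant); the log still lands in /var/log/ipaserver-install.log as shown above.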

Step 4: Configure Firewalld

If you run a firewall service (Firewalld on CentOS 7.x), you need to open the ports the FreeIPA services require. The ports to open are:

TCP Ports:

* 80, 443: HTTP/HTTPS

* 389, 636: LDAP/LDAPS

* 88, 464: kerberos

UDP Ports:

* 88, 464: kerberos

* 123: ntp

Configure firewalld with the following commands:

sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent

sudo firewall-cmd --reload

Reference: Building a dynamic firewall with FirewallD on CentOS 7
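The firewall-cmd line above opens firewalld service names rather than the individual ports in the installer's list, so it is worth confirming which ports are actually exposed. The checker below is an added example, not from the original article; it expands every enabled service through `firewall-cmd --info-service`, adds any directly opened ports, and reports which of the nine required ports are still missing. The expected list is the installer's "Next steps" list; 53/tcp and 53/udp are needed in addition only when the server was installed with --setup-dns.

```shell
#!/bin/sh
# Verify that firewalld exposes every port in the installer's "Next steps" list.
# Added example, not from the original article. Add "53/tcp 53/udp" to REQUIRED
# when the server was installed with --setup-dns.

REQUIRED="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# open_ports: effective open ports in the default zone, one "port/proto" per line;
# each enabled service name is expanded to the ports it actually contains
open_ports() {
    for svc in $(firewall-cmd --list-services); do
        firewall-cmd --info-service="$svc" |
            awk '/^ *ports:/ { for (i = 2; i <= NF; i++) print $i }'
    done
    firewall-cmd --list-ports | tr ' ' '\n'
}

# missing_ports <open-list>: print each required port absent from the
# space-separated list of open ports, one per line
missing_ports() {
    for p in $REQUIRED; do
        case " $1 " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# check: exit 0 when nothing is missing, otherwise name what still has to be added
check() {
    have=$(open_ports | tr '\n' ' ')
    miss=$(missing_ports "$have" | tr '\n' ' ')
    [ -z "$miss" ] && { echo "all required FreeIPA ports are open"; return 0; }
    echo "missing: $miss"
    echo "fix: firewall-cmd --permanent --add-port=<port/proto> for each, then --reload"
    return 1
}
case "${1:-}" in check) check ;; esac
```

Run `sh ipa-fw-check.sh check` after `firewall-cmd --reload`; it exits non-zero and lists the gaps when a service name did not cover a port the installer asked for.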

Step 5: Access the FreeIPA web interface

Once the firewall ports are open and the FreeIPA server is configured, you can reach its administrative web interface. All IPA tasks can be carried out in the web interface or with the ipa command-line tool. Open https://your-hostname/ to reach the admin dashboard:

[Screenshot: FreeIPA login page]

After logging in, you should see an interface like the following:

[Screenshot: FreeIPA administration dashboard]

To use the ipa command, first obtain a Kerberos ticket:

# kinit admin

Password for admin@COMPUTINGFORGEEKS.COM:

Check the ticket's expiry information with klist:

# klist 

Ticket cache: KEYRING:persistent:0:0

Default principal: admin@COMPUTINGFORGEEKS.COM

Test the setup by adding a user account and then listing the accounts:

# ipa user-add jmutai --first=Josphat --last=Mutai --email=jmutai@computingforgeeks.com --shell=/bin/bash --password

Password: 

Enter Password again to verify: 

-------------------

Added user "jmutai"

-------------------

User login: jmutai

First name: Josphat

Last name: Mutai

Full name: Josphat Mutai

Display name: Josphat Mutai

Initials: JM

Home directory: /home/jmutai

GECOS: Josphat Mutai

Login shell: /bin/bash

Principal name: jmutai@COMPUTINGFORGEEKS.COM

Principal alias: jmutai@COMPUTINGFORGEEKS.COM

Email address: jmutai@computingforgeeks.com

UID: 839400001

GID: 839400001

Password: True

Member of groups: ipausers

Kerberos keys available: True

List the user accounts:

# ipa user-find

---------------

2 users matched

---------------

User login: admin

Last name: Administrator

Home directory: /home/admin

Login shell: /bin/bash

Principal alias: admin@COMPUTINGFORGEEKS.COM

UID: 839400000

GID: 839400000

Account disabled: False

User login: jmutai

First name: Josphat

Last name: Mutai

Home directory: /home/jmutai

Login shell: /bin/bash

Principal name: jmutai@COMPUTINGFORGEEKS.COM

Principal alias: jmutai@COMPUTINGFORGEEKS.COM

Email address: jmutai@computingforgeeks.com

UID: 839400001

GID: 839400001

Account disabled: False

----------------------------

Number of entries returned 2

----------------------------

The first time you log in with the LDAP account, you are asked to change the password:

# ssh jmutai@localhost

The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.

ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.

ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

Password: 

Password expired. Change your password now.

Current Password: 

New password: 

Retype new password: 

Could not chdir to home directory /home/jmutai: No such file or directory

Related topics

Installing and configuring a FreeIPA server on Ubuntu 18.04/Ubuntu 16.04