FreeIPA 4.7.0 Server Deployment
Posted by 阿新 on 2018-08-25
FreeIPA introduction
Key features
* An integrated security information management solution that combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, the Dogtag certificate system, SSSD and more.
* Built on well-known open-source components and standard protocols.
* Focused on ease of management and on automating installation and configuration tasks.
* Full multi-master replication for higher redundancy and scalability.
* Extensible management interfaces (CLI, Web UI, XML-RPC and JSON-RPC APIs) and a Python SDK.
It is used mainly to manage the accounts of user systems; other platforms can retrieve account information from it over LDAP, for example jumpserver.
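How such a platform should read accounts over LDAP, as an added example (not code from the original post, FreeIPA or jumpserver): it binds with a dedicated bind-only system account under cn=sysaccounts,cn=etc rather than as admin or Directory Manager, queries only enabled POSIX users, and asks only for the attributes it needs. The server name and domain are the ones from this post (the suffix dc=zhuxu,dc=co is the one ipa user-find shows below); the account name "jumpserver" and BIND_PASSWORD are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeIPA/jumpserver:
# a downstream platform reads FreeIPA accounts over LDAP with a bind-only
# system account instead of Directory Manager or admin (least privilege).
# Assumptions: server and domain from this post (server.zhuxu.co, zhuxu.co,
# hence the suffix dc=zhuxu,dc=co shown by ipa user-find); the account name
# "jumpserver" and BIND_PASSWORD are placeholders. Nothing is written to the
# directory unless IPA_APPLY=1.

IPA_HOST="${IPA_HOST:-server.zhuxu.co}"
IPA_DOMAIN="${IPA_DOMAIN:-zhuxu.co}"
BIND_UID="${BIND_UID:-jumpserver}"

# zhuxu.co -> dc=zhuxu,dc=co: the suffix FreeIPA derives from the domain.
base_dn_from_domain() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Users live under cn=users,cn=accounts,<suffix>; bind-only system accounts
# under cn=sysaccounts,cn=etc,<suffix>.
users_dn() { printf 'cn=users,cn=accounts,%s' "$(base_dn_from_domain "$1")"; }
sysaccount_dn() { printf 'uid=%s,cn=sysaccounts,cn=etc,%s' "$2" "$(base_dn_from_domain "$1")"; }

# LDIF for the system account: it can bind and search, but it is not a POSIX
# user, has no Kerberos principal and cannot log in to any host.
sysaccount_ldif() {
    domain=$1; uid=$2; password=$3
    cat <<EOF
dn: $(sysaccount_dn "$domain" "$uid")
changetype: add
objectclass: account
objectclass: simpleSecurityObject
uid: $uid
userPassword: $password
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# The query the platform should issue: simple bind as the system account over
# LDAPS, enabled POSIX users only (disabled users carry nsAccountLock=TRUE),
# and only the attributes it needs.
ldap_user_query() {
    domain=$1; uid=$2
    printf 'ldapsearch -x -LLL -H ldaps://%s -D "%s" -W -b "%s" "(&(objectClass=posixAccount)(!(nsAccountLock=TRUE)))" uid cn mail memberOf\n' \
        "$IPA_HOST" "$(sysaccount_dn "$domain" "$uid")" "$(users_dn "$domain")"
}

if [ "${IPA_APPLY:-0}" = 1 ]; then
    # One-time step, as Directory Manager on the IPA server: create the bind account.
    sysaccount_ldif "$IPA_DOMAIN" "$BIND_UID" "${BIND_PASSWORD:?set BIND_PASSWORD}" |
        ldapmodify -x -H "ldaps://$IPA_HOST" -D "cn=Directory Manager" -W
else
    echo "# dry run (set IPA_APPLY=1 to create the account); the platform's query:"
    ldap_user_query "$IPA_DOMAIN" "$BIND_UID"
fi
```

The consuming host must trust the IPA CA for the LDAPS connection to verify: copy /etc/ipa/ca.crt from the server and point TLS_CACERT in /etc/openldap/ldap.conf at it rather than turning certificate checking off. Passwords are requested with -W instead of being placed on the command line.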
Deployment
- System requirements: Fedora 28 (the system used for this deployment; the author could not get it deployed on CentOS 7.5 and strongly recommends Fedora 28, which is administered much like CentOS)
- FreeIPA: version 4.7
- IP: 192.168.100.23
This deployment uses the server itself as its DNS (an external DNS or your own DNS server can be used instead; note that the commands below differ in that case).
Installing Fedora itself is straightforward. Then, as root:

hostnamectl set-hostname server.zhuxu.co   ## change the name to suit your environment; the author recommends not putting a hyphen (-) in it

cat /etc/hosts
192.168.100.23 server.zhuxu.co server

yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns   ## on Fedora 28, yum is an alias for dnf

cat /etc/resolv.conf
search zhuxu.co
nameserver 127.0.0.1
ipa-server-install --setup-dns   ## to forward to a specific upstream DNS, add --forwarder=X.X.X.X

Server host name [server.zhuxu.co]: <Enter>
Please confirm the domain name [zhuxu.co]: <Enter>
Please provide a realm name [ZHUXU.CO]: <Enter>
Directory Manager password: <password>
Password (confirm): <password>

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: <login password>
Password (confirm): <login password>

Checking DNS domain zhuxu.co., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: yes
Reverse record for IP address 192.168.100.23 already exists

The IPA Master Server will be configured with:
Hostname:       server.zhuxu.co
IP address(es): 192.168.100.23
Domain name:    zhuxu.co
Realm name:     ZHUXU.CO

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=ZHUXU.CO
Subject base: O=ZHUXU.CO
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:      No forwarders
Forward policy:  only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
On success the output ends as follows:
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
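The same installation as an unattended script, as an added example (not code from the original post): it checks the hostname and the /etc/hosts mapping first, turns each interactive answer from the transcript above into an explicit ipa-server-install flag, and opens the ports listed under "Next steps" through firewalld. Hostname, IP, domain and realm are the values from this post; the Directory Manager and admin passwords are read from DM_PASSWORD and ADMIN_PASSWORD, and nothing is changed unless IPA_APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post: the install above with the
# sanity checks done first and ipa-server-install run unattended, so each
# interactive answer in the transcript becomes an explicit flag.
# Assumptions: hostname, IP, domain and realm from the post (overridable
# through the environment); the Directory Manager and admin passwords come
# from DM_PASSWORD and ADMIN_PASSWORD. Nothing is changed unless IPA_APPLY=1.

IPA_FQDN="${IPA_FQDN:-server.zhuxu.co}"
IPA_IP="${IPA_IP:-192.168.100.23}"
IPA_DOMAIN="${IPA_DOMAIN:-zhuxu.co}"
IPA_REALM="${IPA_REALM:-ZHUXU.CO}"

# The server name must be a lowercase fully qualified hostname: a domain
# part, only [a-z0-9.-], no empty label, no label starting or ending with a
# hyphen, and not localhost; ipa-server-install rejects anything else.
check_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        localhost*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!a-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Verify hosts-file text maps the server IP to the FQDN (the line the post
# adds to /etc/hosts) and that the FQDN is not also mapped to loopback,
# which would make the installer and Kerberos resolve the host to 127.0.0.1.
check_hosts_mapping() {
    hosts_text=$1; ip=$2; fqdn=$3
    printf '%s\n' "$hosts_text" | awk -v ip="$ip" -v fqdn="$fqdn" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) found_on[$1] = 1 }
        END {
            if ("127.0.0.1" in found_on || "::1" in found_on) {
                print fqdn " is mapped to loopback"; exit 1
            }
            if (!(ip in found_on)) { print "no line maps " ip " to " fqdn; exit 1 }
            print "ok"
        }'
}

# Flags equivalent to the interactive answers above: own DNS, no
# forwarders, no reverse zone, and --unattended so nothing prompts.
install_args() {
    printf '%s\n' \
        --unattended \
        "--hostname=$IPA_FQDN" \
        "--ip-address=$IPA_IP" \
        "--domain=$IPA_DOMAIN" \
        "--realm=$IPA_REALM" \
        --setup-dns \
        --no-forwarders \
        --no-reverse \
        --mkhomedir
}

if [ "${IPA_APPLY:-0}" = 1 ]; then
    check_fqdn "$IPA_FQDN" || { echo "invalid hostname: $IPA_FQDN" >&2; exit 1; }
    check_hosts_mapping "$(cat /etc/hosts)" "$IPA_IP" "$IPA_FQDN" || exit 1
    [ "$(hostname -f)" = "$IPA_FQDN" ] || hostnamectl set-hostname "$IPA_FQDN"
    dnf install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
    # Note: passwords passed as arguments are visible in ps while the
    # installer runs; run this only where that exposure is acceptable.
    # shellcheck disable=SC2046
    ipa-server-install $(install_args) \
        "--ds-password=${DM_PASSWORD:?set DM_PASSWORD}" \
        "--admin-password=${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
    # Open the ports listed under "Next steps" with firewalld's service
    # definitions (freeipa-ldap covers HTTP/HTTPS, LDAP and Kerberos).
    firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \
        --add-service=dns --add-service=ntp
    firewall-cmd --reload
else
    check_fqdn "$IPA_FQDN" && echo "hostname ok: $IPA_FQDN"
    echo "dry run; with IPA_APPLY=1 this would run: ipa-server-install $(install_args | tr '\n' ' ')..."
fi
```

Without IPA_APPLY=1 the script only validates its inputs and prints the command it would run, so it can be reviewed on a workstation before being executed on the target host as root.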
Local test
[root@server ~]# kinit admin   ### a Kerberos ticket for an account in the admins group (here admin) is required before the ipa commands and the web UI will work
Password for admin@ZHUXU.CO:
[root@server ~]# ipa user-find --all   ### list every domain user with all attributes
--------------
1 user matched
--------------
dn: uid=admin,cn=users,cn=accounts,dc=zhuxu,dc=co
User login: admin
Last name: Administrator
Full name: Administrator
Home directory: /home/admin
GECOS: Administrator
Login shell: /bin/bash
Principal alias: admin@ZHUXU.CO
User password expiration: 20181122134155Z
UID: 1919200000
GID: 1919200000
Account disabled: False
Preserved user: False
Member of groups: admins, trust admins
ipauniqueid: ded602aa-a7a2-11e8-a94d-000c298c2968
krbextradata: AAIjC4Bbcm9vdC9hZG1pbkBaSFVYVS5DTwA=
krblastpwdchange: 20180824134155Z
objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys
----------------------------
Number of entries returned 1
----------------------------
ipactl --help
Usage: ipactl start|stop|restart|status
Options:
-h, --help show this help message and exit
-d, --debug Display debugging information
-f, --force Force IPA to start. Combine options --skip-version-
check and --ignore-service-failures
--ignore-service-failures
If any service start fails, do not rollback the
services, continue with the operation
--skip-version-check skip version check
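The checks above done as a script, as an added example (not code from the original post): the two parsing functions work on the text printed by ss -ltn / ss -lun and by ipactl status, reporting expected ports with no listener and services that are not RUNNING; the port lists are the ones ipa-server-install printed under "Next steps". The sample outputs embedded in the script are constructed, not captured from a real host; with IPA_APPLY=1 the same functions run against the live server after kinit admin.

```shell
#!/bin/sh
# Added example, not code from the original post: post-install checks for the
# new server. The two parsing functions take the text output of
# "ss -ltn" / "ss -lun" and "ipactl status", so they are exercised here on
# constructed sample output; with IPA_APPLY=1 they run against the live host
# (after kinit admin). The port lists are the ones ipa-server-install printed.

TCP_PORTS="80 443 389 636 88 464 53"
UDP_PORTS="88 464 53 123"

# Given listener output in ss format (local address:port in column 4), print
# the expected ports that no socket is listening on, space separated.
missing_ports() {
    expected=$1; listener_text=$2
    printf '%s\n' "$listener_text" | awk -v expected="$expected" '
        $1 == "State" { next }                                  # ss header line
        NF >= 4 { n = split($4, a, ":"); open[a[n]] = 1 }       # "[::]:443" -> 443
        END {
            m = split(expected, want, " ")
            for (i = 1; i <= m; i++)
                if (!(want[i] in open)) printf "%s%s", (seen++ ? " " : ""), want[i]
            print ""
        }'
}

# ipactl status prints one "<name> Service: RUNNING|STOPPED" line per
# service; print the names of services that are not RUNNING.
not_running_services() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ / Service$/ && $2 != "RUNNING" {
            sub(/ Service$/, "", $1); printf "%s%s", (seen++ ? " " : ""), $1
        }
        END { print "" }'
}

# Constructed sample output (not captured from a real host): TCP listeners
# with LDAPS (636) missing, complete UDP listeners, and pki-tomcatd stopped.
SAMPLE_TCP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
LISTEN 0      128    *:389               *:*
LISTEN 0      128    0.0.0.0:88          0.0.0.0:*
LISTEN 0      128    0.0.0.0:464         0.0.0.0:*
LISTEN 0      10     192.168.100.23:53   0.0.0.0:*
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'
SAMPLE_UDP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      0.0.0.0:88          0.0.0.0:*
UNCONN 0      0      0.0.0.0:464         0.0.0.0:*
UNCONN 0      0      192.168.100.23:53   0.0.0.0:*
UNCONN 0      0      0.0.0.0:123         0.0.0.0:*'
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

if [ "${IPA_APPLY:-0}" = 1 ]; then
    klist -s || { echo "no Kerberos ticket; run kinit admin first" >&2; exit 1; }
    tcp=$(missing_ports "$TCP_PORTS" "$(ss -ltn)")
    udp=$(missing_ports "$UDP_PORTS" "$(ss -lun)")
    down=$(not_running_services "$(ipactl status)")
    ipa user-show admin >/dev/null || { echo "ipa API call failed" >&2; exit 1; }
    [ -z "$tcp$udp$down" ] || { echo "missing TCP: $tcp / missing UDP: $udp / not running: $down" >&2; exit 1; }
    echo "all checks passed"
else
    echo "missing TCP ports in sample: $(missing_ports "$TCP_PORTS" "$SAMPLE_TCP")"
    echo "services not running in sample: $(not_running_services "$SAMPLE_STATUS")"
fi
```

A port that is listening is not necessarily reachable: the firewall check belongs with the firewall-cmd rules, and an empty result from missing_ports only says the daemons bound their sockets.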
Web access
https://server.zhuxu.co/ipa/ui/
Log in as admin.
Reference: http://blog.51cto.com/zhuxu91313/2150779