您的位置:首页 > 其它

RedHat7配置IdM server

2015-10-13 03:01 295 查看
IdM服务器是一个集成身份验证服务器。



Figure 1.1. The IdM Server: Unifying Services

Authentication: Kerberos KDC

Kerberos使用对称密钥加密算法生成票据给用户,Kerberos-aware 服务检查票据来验证用户身份。

Data Storage: Red Hat Directory Server

目录服务用于存储所有的Kerberos,用户账号,用户组,系统服务,计算机策略,DNS信息以及其他信息。

Authentication: Red Hat Certificate System

证书系统

Server/Client Discovery: DNS

Domain Name Service (DNS)域名解析服务。

Management: SSSD

System Security Services Daemon (SSSD)是一个凭据缓存服务。

Management: NTP

Network Time Protocol (NTP) 网络时间同步协议。



Figure 1.2. Server and Replica Interactions



Figure 1.3. Server and Client Interactions



Figure 1.4. Interactions Between IdM Services

PART I. 安装IdM服务器

硬件建议配置:

10,000 用户 和 100 用户组, 至少 2GB 内存和 1GB 交换分区。

100,000 用户 和 50,000 用户组, 至少 16GB 内存和 4GB 交换分区。

软件需求:

软件包:ipa-server

如果IdM服务器需要集成DNS服务,还需要安装 bind, bind-dyndb-ldap 软件包。

检查机器名

机器名必须为全称域名。

[root@server ~]# hostname
server.example.com


打开所需端口

Table 2.1. IdM Ports

ServicePortsType
HTTP/HTTPS80, 443TCP
LDAP/LDAPS389, 636TCP
Kerberos88, 464TCP and UDP
DNS53TCP and UDP
NTP123UDP
首先firewalld服务需要运行并设为自启动

[root@server ~]# systemctl start firewalld.service
[root@server ~]# systemctl enable firewalld.service


检查firewalld服务状态

[root@server ~]# systemctl status firewalld.service


打开IdM Server所需端口

[root@server ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}


重新加载防火墙规则,使配置生效

[root@server ~]# firewall-cmd --reload


安装IdM服务器

安装软件包

[root@server ~]# yum install ipa-server bind bind-dyndb-ldap


启动IdM服务器安装脚本

[root@server ~]# ipa-server-install


安装脚本将设置IdM域所需的所有服务:

The network time daemon (
ntpd
)

A Red Hat Directory Server instance

A Kerberos key distribution center (KDC)

An Apache HTTP server instance (
httpd
)

An updated SELinux targeted policy

The Active Directory WinSync plug-in

可选. A certificate authority (CA)

可选. A domain name service (DNS) server

Table 3.1. 
ipa-server-install
参数

ArgumentDescription
-a
ipa_admin_password		The password for the IdM administrator. This is used for the admin user to authenticate to the Kerberos realm.
--hostname
=host name		The fully-qualified domain name of the IdM server machine.

IMPORTANT

The fully-qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.

-n
domain_name		The name of the LDAP server domain to use for the IdM domain. This is usually based on the IdM server's host name.
-p
directory_manager_password		The password for the superuser, 
cn=Directory Manager
, for the LDAP service.
-P
kerberos_master_password		The password for the KDC administrator. This is randomly generated if no value is given.
-r
realm_name		The name of the Kerberos realm to create for the IdM domain.
--subject
=subject_DN		Sets the base element for the subject DN of the issued certificates. This defaults to 
O=
realm.
--forwarder
=forwarder		Gives a DNS forwarder to use with the DNS service. To specify more than one forwarder, use this option multiple times.
--no-forwarders
Uses root servers with the DNS service instead of forwarders.
--no-reverse
Does not create a reverse DNS zone when the DNS domain is set up. (If a reverse DNS zone is already configured, then that existing reverse DNS zone is used.) If this option is not used, then the default value is true, which assumes that reverse DNS should be configured by the installation script.
--setup-dns
Tells the installation script to set up a DNS service within the IdM domain. Using an integrated DNS service is optional, so if this option is not passed with the installation script, then no DNS is configured.
--idmax
=number
--idstart
=number
Sets the range for IDs which can be assigned by the IdM server. See Section 10.8.2, “ID Range Assignments During Installation” for more details.
--ip-address

Specifies the IP address of the server. When added to 
ipa-server-install
, this option only accepts IP addresses associated with the local interface.
使用admin凭证验证Kerberos realm可用。

[root@server ~]# kinit admin


非交互式安装

-r
设置Kerberos realm的名称

-p
设置Directory Manager (DM,Directory Server的超级用户) 密码

-a
设置IdM服务器管理员密码

-U 设置为无人值守安装


[root@server ~]# ipa-server-install -r EXAMPLE.COM -p DM_password -a admin_password -U


使用外部 CA 安装IdM

提交certificate signing request (CSR) 
/root/ipa.csr
到外部 CA

[root@server ~]# ipa-server-install --external-ca


取回 issued certificate 和 CA certificate chain,再次运行
ipa-server-install


[root@server ~]# ipa-server-install --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem


Installing without a CA

[root@server ~]# ipa-server-install --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --dirsrv-cert-file /tmp/server.crt --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --ca-cert-file ca.crt


Installing a CA Certificate Manually

[root@server ~]# ipa-cacert-manage install /etc/group/cert.pem


Installing with an Integrated DNS Service Interactively

[root@server ~]# ipa-server-install --setup-dns


Installing with an Integrated DNS Service Non-Interactively

--forwarder
配置DNS转发

--no-reverse  不创建DNS反向解析区


[root@server ~]# ipa-server-install --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0 --no-reverse


安装IDM客户端

首先firewalld服务需要运行并设为自启动


[root@client ~]# systemctl start firewalld.service [root@server ~]# systemctl enable firewalld.service


打开IdM Client所需端口

[root@client ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}


重新加载防火墙规则,使配置生效

[root@client ~]# firewall-cmd --reload


安装IdM客户端
一般用户机器运行

[root@client ~]# yum install ipa-client


管理员机器可以同时安装IPA管理工具 ipa-admintools

[root@client ~]# yum install ipa-client ipa-admintools


参数:

--no-nisdomain  不设置NIS域名

--nisdomain  自定义NIS域名

--no-sudo   不设置sudo服务

--enable-dns-updates   更新客户端IP到DNS记录中

--domain   指定DNS域名

--server   指定IdM服务器的全称域名

--realm   指定Kerberos realm名称

-p   指定Kerberos principal名称

--fixed-primary   指定首选IdM服务器

--noac  不使用authconfig

--no-sss   不使用SSSD

--no-krb5-offline-passwords   不使用SSSD缓存密码

Example. 更新客户端IP到DNS记录中

[root@client ~]# ipa-client-install --enable-dns-updates

                                            

                                        

                        
                        内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息 
                    

                    

                    

                        

                         标签: 
                                                

                        

                    


                

            


            

                
相关文章推荐

                

                
            

        

        

            

            
            

                

                    
新的分享

                    

                        
                    

                

            


            

                

                    
章节导航