Managing things with plain LDAP is fine too, but as a more comprehensive directory management system, let's try FreeIPA.

Upstream: https://www.freeipa.org/page/Main_Page

Roughly speaking it looks usable much like samba-ad, but it apparently cannot itself act as a Windows domain controller.

I tried various things, but access to smb shared folders from Windows/Mac machines outside the FreeIPA domain seems impossible at present.

The build environment is Rocky Linux 8.5.

[root@freeipa ~]# cat /etc/redhat-release
Rocky Linux release 8.5 (Green Obsidian)
 
[root@freeipa ~]#

Installation

Unlike samba-ad, everything is done with dnf.
The difference is that where you would traditionally run "dnf install ....", here it is "dnf module install ...". Think of it as the same package being offered through several installation entry points, each with a different version or feature set. First, look up the "FreeIPA" package.

[root@freeipa ~]# dnf module list idm
Last metadata expiration check: 0:08:44 ago on Sun 24 Apr 2022 12:41:40 AM JST.
Rocky Linux 8 - AppStream
Name     Stream         Profiles                                    Summary
idm      DL1            adtrust, client, common [d], dns, server    The Red Hat Enterprise Linux Identity Management system module
idm      client [d]     common [d]                                  RHEL IdM long term support client module
 
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
 
[root@freeipa ~]#

"FreeIPA" exists under the name "idm", and two Streams are provided: "DL1" and "client".
Simply running "dnf module install idm" installs the common profile of the "client" Stream. In practice that was "ipa-client" version "4.9.6-6.module_el8.5.0".
"dnf module install idm:DL1" likewise installs common, but in that case it is "ipa-client" version "4.9.6-10.module_el8.5.0".

To install one of the items listed under Profiles, use "/". "dnf module install idm:DL1/server" installs the "ipa-server" package.

What you install differs depending on which FreeIPA functions you want.
If you want the FreeIPA server itself plus its dns function, "dnf module install idm:DL1/{server,dns}" does it.

Here DNS and dhcp are already managed by dnsmasq, so I decided to install only the server function.

[root@freeipa ~]# dnf module install idm:DL1/server
 
[root@freeipa ~]# grep ipa-server /var/log/dnf.rpm.log
2022-04-24T20:01:38+0900 SUBDEBUG Installed: ipa-server-common-4.9.6-10.module+el8.5.0+719+4f06efb6.noarch
2022-04-24T20:01:59+0900 SUBDEBUG Installed: ipa-server-4.9.6-10.module+el8.5.0+719+4f06efb6.x86_64
[root@freeipa ~]#

This install also pulls in the LDAP server "389-ds", the web service "httpd", and the nfs services "nfs-utils" and "autofs".

Configuration

A mostly command-line wizard is provided; you run it with "ipa-server-install".
Beforehand, it seems the "hostname" must be an FQDN and the host itself must be registered in /etc/hosts. Here dnsmasq hands out the IP address and name based on the MAC address, so neither /etc/hostname nor /etc/hosts contains the host itself.

[root@freeipa ~]# hostnamectl set-hostname `hostname -f`
[root@freeipa ~]# echo `hostname -I` `hostname -A` `hostname -s` >> /etc/hosts
 
(check)
[root@freeipa ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.146 freeipa.sybyl.local freeipa
 
[root@freeipa ~]#
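The two commands above append `hostname -I` `hostname -A` `hostname -s` to /etc/hosts unconditionally, so running them twice leaves duplicate lines, and on a multi-homed host `hostname -I` returns several addresses on one line. The following is an added example, not part of the original page: pre-flight helpers that check the hostname is an FQDN, derive the realm the wizard will propose, and add the /etc/hosts entry only when it is missing. The demo runs against a constructed hosts file, not the server's real /etc/hosts.

```shell
#!/bin/sh
# Pre-flight helpers for ipa-server-install (added example, not from the page).

# is_fqdn NAME -> 0 when NAME has the form label.label[.label...] with valid label characters
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# realm_for DOMAIN -> the Kerberos realm the wizard proposes (domain in upper case)
realm_for() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# first_ip "ADDR_LIST" -> first address of a `hostname -I`-style list; warns when there are several
first_ip() {
    set -- $1
    [ $# -gt 1 ] && echo "warning: $# addresses reported, using $1" >&2
    printf '%s\n' "$1"
}

# hosts_has_self HOSTS_FILE FQDN -> 0 when a non-comment line already names FQDN
hosts_has_self() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -qFw "$2"
}

# ensure_hosts_entry HOSTS_FILE IP FQDN SHORT -> appends "IP FQDN SHORT" only if FQDN is absent
ensure_hosts_entry() {
    hosts_has_self "$1" "$3" && return 0
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

# Demo on a constructed hosts file (not the real /etc/hosts); values mirror the page's example host.
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
fqdn=freeipa.sybyl.local
is_fqdn "$fqdn" || echo "hostname $fqdn is not an FQDN" >&2
echo "realm will be proposed as: $(realm_for sybyl.local)"
ip=$(first_ip "192.168.0.146 10.0.0.5")   # constructed: a second address as a multi-homed host would report
ensure_hosts_entry "$demo_hosts" "$ip" "$fqdn" freeipa
ensure_hosts_entry "$demo_hosts" "$ip" "$fqdn" freeipa   # second call is a no-op
cat "$demo_hosts"
rm -f "$demo_hosts"
```

On the real server, replace the constructed values with "$(first_ip "$(hostname -I)")", "$(hostname -f)" and "$(hostname -s)" and point ensure_hosts_entry at /etc/hosts; when first_ip prints its warning, pick the address the wizard should bind to rather than trusting the first one.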

Now run "ipa-server-install".

[root@freeipa ~]# man ipa-server-install
 
[root@freeipa ~]# ipa-server-install
 
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6
 
This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT
 
To accept the default shown in brackets, press the Enter key.
 
Do you want to configure integrated DNS (BIND)? [no]:                <--- dnsmasq already provides the DNS server, so not needed [no]
 
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
 
 
Server host name [freeipa.sybyl.local]:
 
The domain name has been determined based on the host name.
 
Please confirm the domain name [sybyl.local]:
 
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
 
Please provide a realm name [SYBYL.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
 
Directory Manager password:
Password (confirm):
 
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
 
IPA admin password:
Password (confirm):
 
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
 
 
NetBIOS domain name [SYBYL]:
 
Do you want to configure chrony with NTP server or pool address? [no]:           <-- chrony already provides ntp, so not needed [no]
 
The IPA Master Server will be configured with:
Hostname:       freeipa.sybyl.local
IP address(es): 192.168.0.146
Domain name:    sybyl.local
Realm name:     SYBYL.LOCAL
 
The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=SYBYL.LOCAL
Subject base: O=SYBYL.LOCAL
Chaining:     self-signed
 
Continue to configure the system with these values? [no]: yes
 
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
 :
 :
The ipa-client-install command was successful
 
Please add records in this file to your DNS system: /tmp/ipa.system.records.zgr4m6_6.db
==============================================================================
Setup complete
 
Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp
 
        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
 
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@freeipa ~]#

Once configuration completes, the service starts. Its service name is "ipa.service".

[root@freeipa ~]# systemctl status ipa
● ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2022-04-25 19:43:02 JST; 11min ago
  Process: 24635 ExecStart=/usr/sbin/ipactl start (code=exited, status=0/SUCCESS)
 Main PID: 24635 (code=exited, status=0/SUCCESS)
 
Apr 25 19:43:02 freeipa ipactl[24635]: Assuming stale, cleaning and proceeding
Apr 25 19:43:02 freeipa ipactl[24635]: ipa: INFO: The ipactl command was successful
Apr 25 19:43:02 freeipa ipactl[24635]: Starting Directory Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting krb5kdc Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting kadmin Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting httpd Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting ipa-custodia Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting pki-tomcatd Service
Apr 25 19:43:02 freeipa ipactl[24635]: Starting ipa-otpd Service
Apr 25 19:43:02 freeipa systemd[1]: Started Identity, Policy, Audit.
[root@freeipa ~]#

To discard the configuration and start over, run "ipa-server-install --uninstall".

[root@freeipa ~]# ipa-server-install --uninstall

firewall

With that, configuration is complete. At the end you are told to open the listed ports in the firewall, and it looks like applying "/usr/lib/firewalld/services/freeipa-4.xml" covers them.
However, "freeipa-4.xml" does not include ntp. That is fine here because the chrony in use runs on a machine other than the FreeIPA server, but if FreeIPA is to provide ntp, I think both "freeipa-4.xml" and "ntp.xml" are needed.

[root@freeipa ~]# firewall-cmd --add-service=freeipa-4 --permanent --zone=public
[root@freeipa ~]# firewall-cmd --reload
[root@freeipa ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client freeipa-4 ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@freeipa ~]#
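Rather than trusting that a firewalld service definition matches the "Next steps" port list from the installer, it is worth checking mechanically. The following is an added example, not part of the original page or of FreeIPA: it extracts the port/protocol pairs from a firewalld service XML file and reports which of the ports the installer asked for are not opened by it. The sample XML is constructed for the demo; it is modelled on the firewalld service file format but is not a copy of the real freeipa-4.xml, and as the page observes for the real file, it lacks 123/udp.

```shell
#!/bin/sh
# Compare a firewalld service definition against the ports ipa-server-install asks to open
# (added example, not from the page).

# Ports listed under "Next steps" by the installer
IPA_REQUIRED_PORTS='80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp'

# service_ports XML -> one "PORT/PROTO" line per <port .../> element, whatever the attribute order
service_ports() {
    grep -o '<port [^>]*/>' "$1" | while IFS= read -r el; do
        p=$(printf '%s\n' "$el" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$p" "$proto"
    done
}

# missing_ports XML -> prints each required port the definition does not open (nothing when fully covered)
missing_ports() {
    have=$(service_ports "$1")
    for want in $IPA_REQUIRED_PORTS; do
        printf '%s\n' "$have" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Demo on a constructed service file (not the real /usr/lib/firewalld/services/freeipa-4.xml)
demo_xml=$(mktemp)
cat > "$demo_xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>freeipa-4 (constructed sample)</short>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="636"/>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="88"/>
  <port protocol="udp" port="464"/>
</service>
EOF
echo "ports not opened by the sample definition:"
missing_ports "$demo_xml"   # prints 123/udp
rm -f "$demo_xml"
```

On a real server, run missing_ports against /usr/lib/firewalld/services/freeipa-4.xml, and check /etc/firewalld/services/ first, since a same-named file there overrides the packaged one. A reported 123/udp is only a problem if this host is meant to serve ntp; otherwise it confirms the page's reasoning that freeipa-4 alone is enough.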

Last-modified: 2022-05-01 (Sun) 23:06:32 (146d)