From Fedora Project Wiki

Latest revision as of 02:13, 12 March 2015

Description

Installation IPA server

Setup

  1. For testing purposes, a machine (or VM) with at least 1 GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. Make sure /etc/hosts is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
  3. If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serve different domains.
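The two host-related items above can be checked before running the installer. The following script is an added example, not from the wiki page: hosts_check() refuses a localhost-style or unqualified hostname and flags a hostname that sits on the 127.0.0.1 or ::1 line of a hosts file. The two sample hosts files are constructed here; the hostname idp.example.com is the one the page uses.

```shell
#!/bin/sh
# Pre-install check for Setup items 2 and 3 above. Added example, not from the
# Fedora wiki page: it refuses a localhost-style hostname and flags a hostname
# that sits on the 127.0.0.1 or ::1 line of a hosts file.

# hosts_check HOSTNAME HOSTS_FILE
# Prints one line per problem and returns 1 if any was found, 0 when clean.
hosts_check() {
    name=$1
    file=$2
    rc=0
    case "$name" in
        localhost|*.localdomain)
            echo "hostname '$name' is a localhost placeholder, set a real FQDN"
            rc=1 ;;
        *.*)
            ;;                        # contains a dot: accept as fully qualified
        *)
            echo "hostname '$name' is not fully qualified"
            rc=1 ;;
    esac
    # Drop comments, then look for the name as a whole field on the IPv4 or
    # IPv6 loopback lines (exact field match, so idp.example.com does not
    # match myidp.example.com).
    if awk -v n="$name" '
            { sub(/#.*/, "") }
            $1 == "127.0.0.1" || $1 == "::1" {
                for (i = 2; i <= NF; i++) if ($i == n) found = 1
            }
            END { exit found ? 0 : 1 }' "$file"; then
        echo "hostname '$name' appears on a localhost line of $file"
        rc=1
    fi
    return $rc
}

# hosts_check_live: run the check against this machine's hostname and /etc/hosts.
hosts_check_live() {
    hosts_check "$(hostname)" /etc/hosts
}

# Constructed sample files: one with the mistake the page warns about, one clean.
BAD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
# constructed sample, hostname wrongly listed on the IPv4 loopback line
127.0.0.1   localhost localhost.localdomain idp.example.com
::1         localhost localhost.localdomain
192.168.0.1 idp.example.com idp
EOF

GOOD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.168.0.1 idp.example.com idp
EOF

# demo: show both outcomes on the constructed files.
demo() {
    hosts_check idp.example.com "$BAD_HOSTS"    # reports the loopback-line problem
    hosts_check idp.example.com "$GOOD_HOSTS"   # silent, exit status 0
}
```

On the machine you are about to install on, source the script and run hosts_check_live before ipa-server-install; a non-zero exit status means one of the Setup items is not satisfied.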

How to test

Installation

The ideal way to test this is with an isolated DNS install using IPA as the DNS server.

First, install the FreeIPA server package:

# dnf install freeipa-server

Make sure you have a real hostname set (and not localhost.localdomain):

# hostname idp.example.com

With DNS

We recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).

# dnf install bind bind-dyndb-ldap
# ipa-server-install --setup-dns

Or with all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=example.com --realm=EXAMPLE.COM --hostname idp.example.com --setup-dns --forwarder=<forwarder IP> -U

Substitute your existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.

Without DNS

For a fully-interactive install run:

# ipa-server-install

You can optionally provide all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=example.com --realm=EXAMPLE.COM --hostname idp.example.com -U

Create Test User

Create a user that we'll use to test logging in to the Service Providers. You can create more than one if you'd like.

Become the IPA administrator

# kinit admin

Add a user:

# ipa user-add --first=Timmy --last=Test --street='123 Main St' --city=Anytown --password ttest

You will be prompted twice for a password.

Become that new user and reset the password (all administratively set passwords in IPA need to be reset by the user):

# kinit ttest

Verify the basics

Ideally each of these installation steps will conclude with no errors and a running set of IPA services.

To briefly test the installation:

# kinit admin  # (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify DNS

Verify these only if you installed with a DNS server.

# dig idp.example.com.

Look for a line like this in the output:

idp.example.com.      86400   IN      A       192.168.0.1

# host idp.example.com
idp.example.com has address 192.168.0.1
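The A record above is what the page checks; client autodiscovery (the reason the page recommends the integrated DNS) also depends on the SRV and TXT records FreeIPA publishes under the domain. The script below is an added example, not from the wiki page: it parses dig "+noall +answer" output and checks the A record, the _kerberos, _kpasswd and _ldap SRV records and the _kerberos TXT realm record. The record names come from FreeIPA's DNS documentation, not from this page; the answer blob SAMPLE_ANSWER is constructed here using the page's host name, domain, realm and address.

```shell
#!/bin/sh
# Extended DNS verification for an IPA server installed with --setup-dns.
# Added example, not from the Fedora wiki page. Besides the A record the page
# checks, it looks for the SRV and TXT records FreeIPA publishes for client
# autodiscovery (record names per FreeIPA's DNS documentation).

# a_record_ip ANSWER NAME: print the A record address for NAME in dig
# "+noall +answer" output (fields: name ttl class type rdata).
a_record_ip() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $4 == "A" { print $5; exit }'
}

# srv_target ANSWER NAME: print "port target" of the SRV record for NAME
# (rdata fields: priority weight port target).
srv_target() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $4 == "SRV" { print $7, $8; exit }'
}

# txt_value ANSWER NAME: print the TXT record value for NAME without quotes.
txt_value() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $4 == "TXT" { gsub(/"/, "", $5); print $5; exit }'
}

# check_records ANSWER DOMAIN REALM HOST IP: evaluate a blob of dig answers.
# Prints one line per mismatch; returns 0 only if everything checks out.
check_records() {
    answer=$1; domain=$2; realm=$3; host=$4; ip=$5; rc=0
    got=$(a_record_ip "$answer" "$host.")
    if [ "$got" != "$ip" ]; then
        echo "A $host: expected $ip, got '${got:-none}'"; rc=1
    fi
    # Kerberos, kpasswd and LDAP service records must point at the IPA server.
    for rr in _kerberos._tcp _kerberos._udp _kpasswd._tcp _ldap._tcp; do
        got=$(srv_target "$answer" "$rr.$domain.")
        case "$got" in
            *" $host.") ;;
            *) echo "SRV $rr.$domain: expected target $host., got '${got:-none}'"; rc=1 ;;
        esac
    done
    # The realm name is published as a TXT record so clients can find it.
    got=$(txt_value "$answer" "_kerberos.$domain.")
    if [ "$got" != "$realm" ]; then
        echo "TXT _kerberos.$domain: expected $realm, got '${got:-none}'"; rc=1
    fi
    return $rc
}

# verify_ipa_dns DOMAIN REALM HOST IP: query the live resolver (as dig on the
# page does) and feed the answers to check_records.
verify_ipa_dns() {
    domain=$1; realm=$2; host=$3; ip=$4
    answer=$(
        dig +noall +answer "$host." A
        for rr in _kerberos._tcp _kerberos._udp _kpasswd._tcp _ldap._tcp; do
            dig +noall +answer "$rr.$domain." SRV
        done
        dig +noall +answer "_kerberos.$domain." TXT
    )
    check_records "$answer" "$domain" "$realm" "$host" "$ip"
}

# Constructed sample answer, shaped like the dig output shown on the page.
SAMPLE_ANSWER='idp.example.com.        86400   IN      A       192.168.0.1
_kerberos._tcp.example.com. 86400 IN   SRV     0 100 88 idp.example.com.
_kerberos._udp.example.com. 86400 IN   SRV     0 100 88 idp.example.com.
_kpasswd._tcp.example.com. 86400 IN    SRV     0 100 464 idp.example.com.
_ldap._tcp.example.com. 86400  IN      SRV     0 100 389 idp.example.com.
_kerberos.example.com.  86400  IN      TXT     "EXAMPLE.COM"'

# On a real server:  verify_ipa_dns example.com EXAMPLE.COM idp.example.com 192.168.0.1
```

A MISSING SRV record is the usual cause of ipa-client-install failing to autodiscover the server, so run this on a client as well as on the server itself: the client's resolver must be the IPA server (or delegate the domain to it), as the "With DNS" section says.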

Configure the Firewall

We aren't really testing IPA here, so for simplicity's sake let's just disable the firewall altogether. If you were deploying a real system you would want to individually open the necessary ports as reported at the end of the IPA server installation.

# systemctl stop firewalld.service
# systemctl disable firewalld.service
# iptables -F
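For the "real system" case the paragraph mentions, the following is an added example, not from the wiki page, of opening only the IPA ports with firewall-cmd and then auditing what the server actually listens on. The port list is the one FreeIPA documents for HTTP(S), LDAP(S), Kerberos, kpasswd, NTP and, with --dns, DNS; it is taken from FreeIPA's documentation rather than this page, and the list ipa-server-install prints at the end of the install is authoritative for your version. SAMPLE_SS is a constructed "ss -ltnu" listing.

```shell
#!/bin/sh
# Opening only the IPA ports instead of stopping firewalld, plus a post-install
# check that the server listens on exactly those ports. Added example, not from
# the Fedora wiki page. The port list is the one FreeIPA documents; the list
# printed at the end of ipa-server-install is authoritative for your version.

# ipa_ports [--dns]: print the required port/protocol pairs, one per line.
ipa_ports() {
    printf '%s\n' 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp
    [ "$1" = "--dns" ] && printf '%s\n' 53/tcp 53/udp
    return 0
}

# ipa_firewall_cmds [--dns]: print the firewall-cmd calls that open those
# ports permanently in the default zone, then reload. Nothing is changed
# until the output is piped to sh, so it can be reviewed first.
ipa_firewall_cmds() {
    ipa_ports "$1" | while read -r p; do
        echo "firewall-cmd --permanent --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# listening_ports SS_OUTPUT: reduce "ss -ltnu" output to port/protocol lines.
# Fields: Netid State Recv-Q Send-Q Local:Port Peer:Port; the header line is
# skipped because its first field is neither tcp nor udp.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "tcp" || $1 == "udp" {
        n = split($5, a, ":"); print a[n] "/" $1 }' | sort -u
}

# audit_listeners SS_OUTPUT [--dns]: compare live listeners with ipa_ports.
# Prints MISSING for required ports nothing listens on (and returns 1) and
# EXTRA for listeners outside the IPA set (informational, e.g. sshd).
audit_listeners() {
    live=$(listening_ports "$1")
    want=$(ipa_ports "$2" | sort -u)
    rc=0
    for p in $want; do
        printf '%s\n' "$live" | grep -qFx "$p" ||
            { echo "MISSING $p (required by IPA, nothing listening)"; rc=1; }
    done
    for p in $live; do
        printf '%s\n' "$want" | grep -qFx "$p" ||
            echo "EXTRA $p (not an IPA port; open it in the firewall only if needed)"
    done
    return $rc
}

# Constructed sample of "ss -ltnu" output from a server installed without DNS.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:88        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:464       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:389       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:636       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:464       0.0.0.0:*
udp   UNCONN 0      0               [::]:123       [::]:*'

# On a real server, as root:
#   ipa_firewall_cmds --dns | sh            # after reviewing the printed commands
#   audit_listeners "$(ss -ltnu)" --dns     # expect no MISSING lines
```

Pass --dns to both functions only if you installed with --setup-dns; on the constructed sample, which has no DNS listener, audit_listeners --dns reports both port 53 entries as MISSING and returns 1.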

Cleanup

Clean up credentials, just to be sure:

# kdestroy -A

Expected Results

All the test steps should end with the specified results.