pub/freeIPA-meetup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Vassiliy Yegorov
2022-03-10 11:01:43 +07:00
commit 0079d257ea
5 changed files with 402 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

179
install.MD Normal file
View File

@@ -0,0 +1,179 @@
# Setup
## install soft
dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
## setup
export HNAME="id1.bildme.local"
hostnamectl set-hostname $HNAME --static && hostname $HNAME
check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
192.168.9.42 id1.bildme.local id1
192.168.9.45 id2.bildme.local id2
ipa-server-install
SAVE you PASSWORD!! (zAgQ9T2UEtGF0FRMPxIbg)
for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload
//todo: add groups\sudo setting with '!authenticate' and more..
Done.
## replica setup
dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop
export HNAME="id2.bildme.local"
hostnamectl set-hostname $HNAME --static && hostname $HNAME
check /etc/hosts (clear bad records ip4\ip6 with 127.x.x.x)
192.168.9.42 id1.bildme.local id1
192.168.9.45 id2.bildme.local id2
- check dns
set resolv.conf on master replica!
ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
--ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
--hostname=`hostname -f` --enable-dns-updates
on ID1!
kinit admin
ipa hostgroup-add-member ipaservers --hosts id2.bildme.local
on ID2!
for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload
ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.9.9
# Replica teardown
on del replica
ipa-server-install --uninstall
on master:
ipa-replica-manage del <name> --force
ipa hostgroup-remove-member ipaservers --hosts <name>
# Client setup
- check hostname
/etc/hostname = client2.bildme.local
- check dns
set resolv.conf on master\slave replica!
apt update && apt upgrade -y
apt-get install freeipa-client
ipa-client-install --mkhomedir --hostname=`hostname -f` \
--server=id1.bildme.local --server=id2.bildme.local --bildme=bildme.local --realm=BILDME.LOCAL \
--ntp-server=192.168.9.42 --ntp-server=192.168.9.45
# Client windows setup
from AD:
ipa-getkeytab -s id1.bildme.local -p host/client1.bildme.local -e aes256-cts,aes128-cts,des3-hmac-sha1,des-hmac-sha1,des-cbc-md5,des-cbc-crc -k krb5.keytab.windows -P
from client:
ksetup /setrealm BILDME
ksetup /setbildme BILDME.LOCAL
ksetup /addkdc BILDME.LOCAL id1.bildme.local
ksetup /addkpasswd BILDME.LOCAL id1.bildme.local
ksetup /setcomputerpassword [ПАРОЛЬ]
ksetup /mapuser vasyansk@BILDME.LOCAL vasyansk
# Fix warning on ID2
0. dnf install -y ipa-healthcheck
1. chmod 600 /var/log/kadmind.log
2. fix idrange
ipa-replica-manage dnarange-show
>> 762600004-762799999 # (199 995 / 2 = 99 997)
ipa-replica-manage dnarange-set id1.bildme.local 762600004-762700001
ipa-replica-manage dnarange-set id2.bildme.local 762700002-762799999
# Backup catalog
- check dns
set resolv.conf on master replica!
0. add new client to catalog
ipa-client-install --mkhomedir --bildme=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
--ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
--hostname=`hostname -f` --enable-dns-updates
- check new records of its replica in DNS-masters
- open ports
for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload
- add its replica to ipaservers group
1. add hidden replica for backup (if you have more resource)
ipa-replica-install --hidden-replica
# Restore replica
- check dns, ip, hostname and version of ipa packages
- install ipaserver if you need
- ipa-restore /var/lib/ipa/backup/ipa-full-2022-03-07-10-42-22/
run ipa-healthcheck get error of replication
- ipa-replica-manage re-initialize --from id1.bildme.local
- ipa-replica-manage force-sync --from id1.bildme.local
- ipactl restart
# Auth application LDAP connect
https://docs.gitlab.com/ee/administration/auth/ldap/
- add uidgitlab to system users by ipa-ctl.sh
- add ENV's config to you gitlab app
```bash
LDAP_ENABLED=true
LDAP_LABEL=LDAP
# "start_tls" if 389, or "simple_tls" if 636
LDAP_METHOD=simple_tls
LDAP_ACTIVE_DIRECTORY=false
LDAP_HOST=id1.bildme.local
LDAP_PORT=636
LDAP_UID=uid
LDAP_PASS=zAgQ9T2UEtGF0FRMPxIbg
LDAP_VERIFY_SSL=false
LDAP_BASE="cn=users,cn=accounts,dc=bildme,dc=local"
LDAP_USER_FILTER="(&(objectClass=posixaccount)(memberOf=cn=gitlab,cn=groups,cn=accounts,dc=bildme,dc=local))"
LDAP_BIND_DN="uid=uidgitlab,cn=sysaccounts,cn=etc,dc=bildme,dc=local"
```
# Migrate users from AD
1. https://github.com/akeske/AD-to-FreeIPA-user-migration/blob/master/ad2ipa.py
# Freeipa behind ssl-proxy
1. https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

130
ipa-ctl.sh Executable file
View File

@@ -0,0 +1,130 @@
#!/usr/bin/env bash
ssleval=true
prefix=ldaps
passeval() { [ -z $bindpass ] && passeval="UNSET!" || passeval="SET!"; }
ssleval() { [ "$prefix" == "ldaps" ] && ssleval="true" || ssleval="false"; }
actionseval() { [ "$ldapserver" ] && [ "$binduser" ] && [ "$domain" ] && [ "$passeval" == "SET!" ] && actionseval="ready" || actionseval="conditions not yet met" && return 1; }
menu() {
passeval
ssleval
actionseval
clear
echo "\
### FreeIPA - System Account Manager ###
1.) ldapserver=$ldapserver
2.) domain=$domain (ldapdomain=$ldapdomain)
3.) binduser=$binduser
4.) bindpass=$passeval
5.) ssl=$ssleval
Actions ($actionseval):
add | rm | ls | info | passwd
--- Results ---
$results
--- End Results ---
"
}
domain2ldapdomain() {
echo "${1}" | awk -F'.' '{for(i=1;i<=NF;i++) printf "dc="$i","; print ""}' | sed 's/,$//'
}
dotask() {
case $1 in
# Setup
1|ldapserver)
read -p "ldapserver=" ldapserver
[ -z $domain ] && domain=${ldapserver#*.} && ldapdomain=$(domain2ldapdomain "$domain")
;;
2|domain)
read -p "domain=" domain
ldapdomain=$(domain2ldapdomain "$domain")
#read -p "ldapdomain=" ldapdomain
;;
3|binduser)
[ -z $domain ] && echo "We need the domain first." && dotask domain
echo "Enter \"mgr\" for Directory Manager. Otherwise enter the username or full binddn (-D option in ldapsearch)"
read -p "binduser=" swap
[ "$swap" == "mgr" ] && binduser='cn=Directory Manager' && return
echo "$swap" | grep '=' -q && binduser="$swap" || binduser="uid=$swap,cn=users,cn=accounts,$ldapdomain"
;;
4|bindpass)
read -sp "Enter password (will not echo): " bindpass
;;
5|ssl)
[ "$prefix" == "ldaps" ] && prefix=ldap || prefix=ldaps
;;
# Actions
# poc)
# results=$(ldapsearch "$prefix""://""$ldapserver" -b "$ldapdomain" -D "$binduser" -w "$bindpass")
# ;;
ls)
results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=*)" "dn" | grep 'dn: uid')
;;
info)
[ "$2" ] && local uid="$2" || uid="*"
results=$(ldapsearch -H "$prefix""://""$ldapserver" -b "cn=sysaccounts,cn=etc,$ldapdomain" -D "$binduser" -w "$bindpass" "(uid=$uid)" "uid" "memberOf" "passwordExpirationTime")
;;
add)
local uid password
[ "$2" ] && local uid="$2" || read -p "uid of new user=" uid
read -sp "password of new user (blank to generate a password)=" password
[ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
echo
read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
[ -z "$expire" ] && expire=20380119
echo -E "\
dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $uid
userPassword: $password
passwordExpirationTime: ${expire}031407Z
nsIdleTimeout: 0" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
;;
rm)
local uid
[ "$2" ] && local uid="$2" || read -p "uid of user to remove=" uid
echo -E "\
dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
changetype: delete" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
;;
passwd)
local uid password
[ "$2" ] && local uid="$2" || read -p "uid of user=" uid
read -sp "new password for user (blank to generate a password)=" password
[ -z "$password" ] && password=$(randpw) && echo && echo "Generated password: $password"
echo
read -p "password expiration date YYYYMMDD (blank for 20380119)=" expire
[ -z "$expire" ] && expire=20380119
echo -E "\
dn: uid=$uid,cn=sysaccounts,cn=etc,$ldapdomain
changetype: modify
replace: userPassword
userPassword: $password
-
replace: passwordExpirationTime
passwordExpirationTime: ${expire}031407Z" | ldapmodify -H "$prefix""://""$ldapserver" -D "$binduser" -w "$bindpass" && results="Submitted." || results="Error."
;;
exit)
exit
;;
"")
results=""
;;
*)
results="\"$input\" command not found."
esac
}
prompt() { read -p '> ' input; dotask $input; }
randpw() { < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-20};echo;}
while :; do
menu
prompt
done

18
letsencrypt/ipa-httpd.cnf Normal file
View File

@@ -0,0 +1,18 @@
# the fully qualified server (or service) name
FQDN = id1.storedme.com
ALTNAMES = DNS:$FQDN
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = $FQDN
[ req_ext ]
subjectAltName = $ALTNAMES

44
letsencrypt/renew-le.sh Executable file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/bash
set -o nounset
WORKDIR=$(dirname "$(realpath $0)")
EMAIL="mail@mail.ru"
### cron
# check that the cert will last at least 2 days from now to prevent too frequent renewal
# comment out this line for the first run
if [ "${1:-renew}" != "--first-time" ]
then
start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
now_timestamp=`date +%s`
let diff=($now_timestamp-$start_timestamp)/86400
if [ "$diff" -lt "2" ]; then
echo "Certificate is actuality"
exit 0
fi
fi
cd "$WORKDIR"
# cert renewal is needed if we reached this line
# cleanup
rm -f "$WORKDIR"/*.pem
rm -f "$WORKDIR"/httpd-csr.*
# generate CSR
OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
# httpd process prevents letsencrypt from working, stop it
service httpd stop
# get a new cert
letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
# replace the cert
cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
restorecon -v /var/lib/ipa/certs/httpd.crt
# start httpd with the new cert
service httpd start

31
letsencrypt/setup-le.sh Executable file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/bash
set -o nounset -o errexit
FQDN=$(hostname -f)
WORKDIR=$(dirname "$(realpath $0)")
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
sed -i "s/server.example.test/$FQDN/g" $WORKDIR/ipa-httpd.cnf
dnf install letsencrypt -y
if [ ! -d "/etc/ssl/$FQDN" ]
then
mkdir -p "/etc/ssl/$FQDN"
fi
for CERT in "${CERTS[@]}"
do
if command -v wget &> /dev/null
then
wget -O "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
elif command -v curl &> /dev/null
then
curl -o "/etc/ssl/$FQDN/$CERT" "https://letsencrypt.org/certs/$CERT"
fi
ipa-cacert-manage install "/etc/ssl/$FQDN/$CERT"
done
ipa-certupdate
"$WORKDIR/renew-le.sh" --first-time