freeIPA-meetup/install.MD
Vassiliy Yegorov 26034a6cb8 Update install.MD
2024-04-21 21:55:48 +07:00


Setup

install software

dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop

set the hostname (must be a fully qualified name)

export HNAME="id1.bildme.local"
hostnamectl set-hostname $HNAME --static && hostname $HNAME

check /etc/hosts: remove any IPv4/IPv6 entry that maps the host's FQDN to a loopback address (127.x.x.x or ::1); the FQDN must resolve to the server's real address

192.168.9.42 id1.bildme.local id1
192.168.9.45 id2.bildme.local id2

ipa-server-install

SAVE YOUR PASSWORDS!! (the installer asks for a Directory Manager password and an admin password; the demo value here is zAgQ9T2UEtGF0FRMPxIbg, use a unique one per environment and never reuse it for service accounts)

open ports on master:

for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload

TODO: add groups and sudo rules (e.g. a sudo rule with the '!authenticate' option) and more.

Done.

replica setup

dnf -y install freeipa-server ipa-server-dns bind-dyndb-ldap curl mc nano htop

export HNAME="id2.bildme.local"
hostnamectl set-hostname $HNAME --static && hostname $HNAME

check /etc/hosts: remove any IPv4/IPv6 entry that maps the host's FQDN to a loopback address (127.x.x.x or ::1)

192.168.9.42 id1.bildme.local id1
192.168.9.45 id2.bildme.local id2

  • check DNS: resolv.conf on the future replica must point at the master (id1), otherwise enrollment fails to find the domain!
ipa-client-install --mkhomedir --domain=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
	--ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
	--hostname=`hostname -f` --enable-dns-updates

on ID1!

kinit admin
ipa hostgroup-add-member ipaservers --hosts id2.bildme.local

on ID2!

for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload

ipa-replica-install --setup-dns --setup-ca --forwarder 192.168.9.9
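The hostname, /etc/hosts and resolv.conf checks required above for the master and the replica (and again below for clients) are the usual reason an ipa-server-install or ipa-replica-install fails half way. The following preflight script is an added example, not part of the original notes: the file paths are parameters so it can be run against constructed copies, and the sample hosts/resolv.conf files at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): preflight checks for the
# hostname, /etc/hosts and resolv.conf requirements before running
# ipa-server-install / ipa-replica-install / ipa-client-install.

# is_fqdn NAME -> 0 if NAME has at least two dots (host.domain.tld)
is_fqdn() {
  case "$1" in
    *.*.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# hosts_loopback_conflict HOSTS_FILE FQDN
# -> 0 if FQDN is mapped to 127.x.x.x or ::1 (the "bad record" the notes warn about)
hosts_loopback_conflict() {
  awk -v h="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { for (i = 2; i <= NF; i++)
        if ($i == h && ($1 ~ /^127\./ || $1 == "::1")) bad = 1 }
    END { exit bad ? 0 : 1 }
  ' "$1"
}

# hosts_ip_for HOSTS_FILE FQDN -> prints the non-loopback IPv4 address mapped to FQDN
hosts_ip_for() {
  awk -v h="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { for (i = 2; i <= NF; i++)
        if ($i == h && $1 !~ /^127\./ && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $1; exit } }
  ' "$1"
}

# resolv_points_at RESOLV_FILE IP -> 0 if IP is listed as a nameserver
resolv_points_at() {
  awk -v ns="$2" '
    /^[[:space:]]*nameserver[[:space:]]+/ && $2 == ns { ok = 1 }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

# preflight FQDN HOSTS_FILE RESOLV_FILE MASTER_IP -> 0 if every check passes
preflight() {
  fqdn="$1"; hosts="$2"; resolv="$3"; master="$4"; rc=0
  if ! is_fqdn "$fqdn"; then
    echo "FAIL: '$fqdn' is not a fully qualified hostname"; rc=1
  fi
  if hosts_loopback_conflict "$hosts" "$fqdn"; then
    echo "FAIL: $hosts maps $fqdn to a loopback address"; rc=1
  fi
  ip=$(hosts_ip_for "$hosts" "$fqdn")
  if [ -z "$ip" ]; then
    echo "FAIL: $hosts has no non-loopback IPv4 entry for $fqdn"; rc=1
  fi
  if ! resolv_points_at "$resolv" "$master"; then
    echo "FAIL: $resolv does not list $master as a nameserver"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $fqdn -> $ip, DNS via $master"
  return "$rc"
}

# Constructed sample files for the demo; on a real host pass /etc/hosts,
# /etc/resolv.conf and the master's address (192.168.9.42 in the notes).
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.bad" <<'EOF'
127.0.0.1   localhost id2.bildme.local id2
192.168.9.42 id1.bildme.local id1
EOF
cat > "$demo_dir/hosts.good" <<'EOF'
127.0.0.1   localhost
192.168.9.42 id1.bildme.local id1
192.168.9.45 id2.bildme.local id2
EOF
printf 'search bildme.local\nnameserver 192.168.9.42\n' > "$demo_dir/resolv.conf"

preflight id2.bildme.local "$demo_dir/hosts.bad"  "$demo_dir/resolv.conf" 192.168.9.42 || true
preflight id2.bildme.local "$demo_dir/hosts.good" "$demo_dir/resolv.conf" 192.168.9.42
```

On the master itself, once IPA DNS is installed, resolv.conf should point at the server's own address; the MASTER_IP argument is then the master's address rather than a remote one.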

Replica teardown

on the replica being removed:

ipa-server-install --uninstall

on master:

ipa-replica-manage del <name> --force
ipa hostgroup-remove-member ipaservers --hosts <name>

Client setup

  • check hostname

/etc/hostname = client2.bildme.local

  • check DNS: resolv.conf on the client must point at a master or replica (id1 or id2)!
Debian/Ubuntu client:

apt update && apt upgrade -y
apt-get install freeipa-client

ipa-client-install --mkhomedir --hostname=`hostname -f` \
 --server=id1.bildme.local --server=id2.bildme.local --domain=bildme.local --realm=BILDME.LOCAL \
 --ntp-server=192.168.9.42 --ntp-server=192.168.9.45

Windows client setup

on the IPA server (or any enrolled host), after the Windows host has been added with ipa host-add:

ipa-getkeytab -s id1.bildme.local -p host/client1.bildme.local -e aes256-cts,aes128-cts,des3-hmac-sha1,des-hmac-sha1,des-cbc-md5,des-cbc-crc -k krb5.keytab.windows -P

-P derives the host key from a password you type instead of a random one, so the same password can be given to ksetup below; the keytab file itself is not copied to Windows. The des-* and des3-* enctypes are legacy (DES is disabled by default on current KDCs, des3 is deprecated), so on anything recent request only aes256-cts,aes128-cts.

from the Windows client (elevated command prompt):

ksetup /setrealm BILDME.LOCAL
ksetup /setdomain BILDME.LOCAL
ksetup /addkdc BILDME.LOCAL id1.bildme.local
ksetup /addkpasswd BILDME.LOCAL id1.bildme.local
ksetup /setcomputerpassword [PASSWORD]
ksetup /mapuser vasyansk@BILDME.LOCAL vasyansk

[PASSWORD] is the password given to ipa-getkeytab -P; reboot the client afterwards.

Fix ipa-healthcheck warnings on ID2

  1. dnf install -y ipa-healthcheck

  2. chmod 600 /var/log/kadmind.log

  3. fix the DNA ID range split (each replica needs its own non-overlapping slice of the range, otherwise two servers can hand out the same UID/GID)

ipa-replica-manage dnarange-show

  • 762600004-762799999 # 199 996 IDs in total, 99 998 per server
ipa-replica-manage dnarange-set id1.bildme.local 762600004-762700001
ipa-replica-manage dnarange-set id2.bildme.local 762700002-762799999
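Splitting the range by hand is where the off-by-one errors come from (the inclusive range above holds 199 996 IDs, not 199 995). The following script is an added example, not part of the original notes: it divides the range printed by dnarange-show into contiguous, non-overlapping slices for any number of servers and prints the dnarange-set commands to run; it also checks a set of ranges for overlap. It generalizes the two-server case in the notes to N servers. The printed commands are meant to be run as admin on a master while the IDs are still unused; the DNA range must also lie inside an ID range known to IPA (ipa idrange-find).

```shell
#!/bin/sh
# Added example (not from the original notes): split a DNA range from
# `ipa-replica-manage dnarange-show` into non-overlapping per-server slices.

# dna_range_size START-END -> number of IDs in the inclusive range
dna_range_size() {
  echo $(( ${1#*-} - ${1%-*} + 1 ))
}

# split_dna_range START-END SERVER... -> one "ipa-replica-manage dnarange-set" line per server
split_dna_range() {
  range="$1"; shift
  start="${range%-*}"; end="${range#*-}"
  n=$#
  total=$((end - start + 1))
  if [ "$total" -lt "$n" ]; then
    echo "range $range has only $total IDs for $n servers" >&2
    return 1
  fi
  per=$((total / n)); extra=$((total % n))   # the first $extra servers get one extra ID
  lo="$start"
  for host in "$@"; do
    size="$per"
    if [ "$extra" -gt 0 ]; then size=$((size + 1)); extra=$((extra - 1)); fi
    hi=$((lo + size - 1))
    echo "ipa-replica-manage dnarange-set $host $lo-$hi"
    lo=$((hi + 1))
  done
}

# check_dna_ranges START-END... -> 0 if none of the given ranges overlap
check_dna_ranges() {
  printf '%s\n' "$@" | sort -t- -k1,1n | awk -F- '
    NR > 1 && $1 <= prev_end { print "overlap: " prev " and " $0; bad = 1 }
    { prev = $0; prev_end = $2 }
    END { exit bad ? 1 : 0 }'
}

# Demo with the range from the notes: 762600004-762799999 holds 199996 IDs,
# so two servers get 99998 each, matching the dnarange-set lines above.
dna_range_size 762600004-762799999
split_dna_range 762600004-762799999 id1.bildme.local id2.bildme.local
check_dna_ranges 762600004-762700001 762700002-762799999 && echo "no overlap"
```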

Backup replica

check DNS

! resolv.conf on the new host must point at the master !

  1. enroll the new host into the domain as a client
ipa-client-install --mkhomedir --domain=bildme.local --realm=BILDME.LOCAL --server=id1.bildme.local \
	--ntp-server=91.189.89.198 --ntp-server=91.189.91.157 --ntp-server=91.189.89.199 \
	--hostname=`hostname -f` --enable-dns-updates
  • check that the new host's records have appeared on the IPA DNS masters

  • open ports

for i in 80 443 389 636 88 464 53; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123 53; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload
  • add the new host to the ipaservers hostgroup (as in the replica setup above)
  2. install it as a hidden replica for backups (if you have the resources); a hidden replica is not advertised in DNS SRV records, so clients never use it and it is a safe place to run ipa-backup
ipa-replica-install --hidden-replica

Restore replica

  • check DNS, IP, hostname and that the ipa package versions match the ones the backup was taken with (ipa-restore rejects a backup made under a different hostname or IPA version)
  • install the ipa-server packages if needed
ipa-restore /var/lib/ipa/backup/ipa-full-2022-03-07-10-42-22/

The directory is a full backup made earlier with ipa-backup on the same host.

run ipa-healthcheck; if it reports replication errors, re-initialize this replica from the master:

ipa-replica-manage re-initialize --from id1.bildme.local
ipa-replica-manage force-sync --from id1.bildme.local
ipactl restart

Application auth over LDAP (GitLab example)

https://docs.gitlab.com/ee/administration/auth/ldap/

  • add uidgitlab as a system account (a bind-only entry under cn=sysaccounts,cn=etc, no POSIX identity) using ipa-ctl.sh
  • add these ENV settings to your GitLab app
LDAP_ENABLED=true
LDAP_LABEL=LDAP

# "start_tls" if port 389, "simple_tls" (LDAPS) if port 636
LDAP_METHOD=simple_tls
LDAP_ACTIVE_DIRECTORY=false
LDAP_HOST=id1.bildme.local
LDAP_PORT=636
LDAP_UID=uid
# password of the uidgitlab system account: give it its own password, never the admin or Directory Manager one
LDAP_PASS=zAgQ9T2UEtGF0FRMPxIbg
# false disables certificate verification, so the bind password can be captured by anyone who can spoof id1;
# set it to true and trust the IPA CA certificate (/etc/ipa/ca.crt) instead
LDAP_VERIFY_SSL=false
LDAP_BASE="cn=users,cn=accounts,dc=bildme,dc=local"
# only members of the IPA group "gitlab" may log in
LDAP_USER_FILTER="(&(objectClass=posixaccount)(memberOf=cn=gitlab,cn=groups,cn=accounts,dc=bildme,dc=local))"
LDAP_BIND_DN="uid=uidgitlab,cn=sysaccounts,cn=etc,dc=bildme,dc=local"
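Two things the notes leave implicit: how the uidgitlab system account is created (the notes use a helper script, ipa-ctl.sh, that is not on this page) and which of the LDAP_* settings are the weak ones. The following script is an added example, not part of the original notes or of GitLab's documentation: it prints the standard FreeIPA LDIF for a bind-only system account under cn=sysaccounts,cn=etc, and lints an env file for the weak choices (unverified TLS, port/method mismatch, privileged bind DN, missing user filter). The env files it writes are constructed samples of the config above and a hardened variant; how the CA certificate is supplied to GitLab depends on the deployment and is not shown.

```shell
#!/bin/sh
# Added example (not from the original notes): create the bind-only system
# account GitLab binds with, and lint LDAP_* settings for weak choices.
# Assumes the standard FreeIPA container cn=sysaccounts,cn=etc.

# sysaccount_ldif UID PASSWORD BASE_DN -> LDIF for a bind-only system account
# (no POSIX identity, no Kerberos principal, password does not expire). Apply with:
#   sysaccount_ldif uidgitlab "$PASS" dc=bildme,dc=local | \
#     ldapmodify -H ldaps://id1.bildme.local -D 'cn=Directory Manager' -W
sysaccount_ldif() {
  cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$3
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $1
userPassword: $2
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# lint_ldap_env ENV_FILE -> prints one finding per line; returns 1 if there are any
lint_ldap_env() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^"|"$/, "", v); kv[k] = v
    }
    END {
      n = 0
      if (kv["LDAP_VERIFY_SSL"] == "false") {
        print "LDAP_VERIFY_SSL=false: server certificate not verified, bind password exposed to a spoofed server; set true and trust /etc/ipa/ca.crt"; n++ }
      if (kv["LDAP_PORT"] == "636" && kv["LDAP_METHOD"] != "simple_tls") {
        print "LDAP_PORT=636 is LDAPS: LDAP_METHOD must be simple_tls"; n++ }
      if (kv["LDAP_PORT"] == "389" && kv["LDAP_METHOD"] != "start_tls") {
        print "LDAP_PORT=389 without start_tls sends the bind password in clear"; n++ }
      if (kv["LDAP_BIND_DN"] != "" && kv["LDAP_BIND_DN"] !~ /cn=sysaccounts,cn=etc,/) {
        print "LDAP_BIND_DN is not under cn=sysaccounts,cn=etc: bind with a dedicated bind-only system account, not a user"; n++ }
      if (kv["LDAP_USER_FILTER"] == "") {
        print "LDAP_USER_FILTER empty: every IPA user may log in"; n++ }
      exit (n > 0 ? 1 : 0)
    }' "$1"
}

# Constructed copies of the env from the notes (weak) and a hardened variant.
d=$(mktemp -d)
cat > "$d/weak.env" <<'EOF'
LDAP_METHOD=simple_tls
LDAP_HOST=id1.bildme.local
LDAP_PORT=636
LDAP_VERIFY_SSL=false
LDAP_BASE="cn=users,cn=accounts,dc=bildme,dc=local"
LDAP_USER_FILTER="(&(objectClass=posixaccount)(memberOf=cn=gitlab,cn=groups,cn=accounts,dc=bildme,dc=local))"
LDAP_BIND_DN="uid=uidgitlab,cn=sysaccounts,cn=etc,dc=bildme,dc=local"
EOF
sed 's/^LDAP_VERIFY_SSL=false/LDAP_VERIFY_SSL=true/' "$d/weak.env" > "$d/hardened.env"

sysaccount_ldif uidgitlab 'replace-with-a-unique-secret' dc=bildme,dc=local
lint_ldap_env "$d/weak.env" || echo "weak.env: fix the findings above"
lint_ldap_env "$d/hardened.env" && echo "hardened.env: no findings"
```

The system account has no Kerberos principal and no POSIX attributes, so even if its password leaks it cannot log in anywhere; it can only read what the IPA ACIs allow an authenticated bind to read.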

Bonuses

Migrate users from AD: https://github.com/akeske/AD-to-FreeIPA-user-migration/blob/master/ad2ipa.py

FreeIPA behind an SSL proxy with a different name: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name