introducing freeipa
These are the slides I used in my local libre user group meetup to introduce FreeIPA to my friends and users from varied backgrounds.

FREE IPA
OCT 2013
Anu Bhaskar www.anubhaskar.name
Creative Commons Attribution-ShareAlike 3.0 Unported License.
AGENDA
1. Introduction
2. Product Architecture
3. Prototype Architecture
4. Prerequisites
5. Install & configure FreeIPA server
6. Configure WebUI
7. Create a user through WebUI
8. Install & configure FreeIPA client
9. Configure Policy
Introduction
Integrated identity and authentication solution
Made up of the following open source components:
1. 389 Directory Server – for multi-master LDAPv3 directory infrastructure
2. MIT Kerberos – for single sign-on authentication
3. Dogtag – for certificate management
4. BIND – for optional DNS management
5. NTP – time synchronization
6. WebUI and CLI
7. SSSD – client-side component for integration with the FreeIPA server
Product Architecture
Prototype Architecture
[Diagram: ipaclient.demo.lab (CentOS 6, 10.10.10.4) and ipaserver.demo.lab (CentOS 6, 10.10.10.3). Users reach the client by SSH login; the admin reaches the server through the WebUI for administration; the client relies on the server for authentication & authorization.]
Prerequisites
For simplicity and ease of demonstration, the following changes were made in the prototype. These options should be avoided, or carefully considered, in a production deployment.
1. All hosts are installed from the CentOS 6.3 minimal install CD.
2. Disable SELinux on both server and client:
   # vi /etc/selinux/config
   SELINUX=disabled
3. Disable the firewall on both server and client:
   # chkconfig iptables off
4. Add host entries on server, client and admin workstation:
   10.10.10.3 ipaserver.demo.lab
   10.10.10.4 ipaclient.demo.lab
5. Reboot server and client hosts.
Install & configure FreeIPA server
1. Install FreeIPA server on 10.10.10.3:
   # yum install ipa-server
2. Configure FreeIPA server:
   # ipa-server-install
   Server host name : ipaserver.demo.lab
   Please confirm the domain name : demo.lab
   Please provide a realm name : DEMO.LAB
   Directory Manager password: manager1234
   Password (confirm): manager1234
   IPA admin password: admin1234
   Password (confirm): admin 1234
   The IPA Master Server will be configured with:
   Hostname: freeipaserver.demo.tst
   IP address: 10.10.10.3
   Domain name: demo.lab
   Realm name: DEMO.LAB
   Continue to configure the system with these values? [no]: yes
Configure WebUI
1. Use the Firefox browser and log in to http://ipaserver.demo.lab
2. Follow the link to download and install the Firefox plug-in that configures the browser for Kerberos authentication.
Create a user through WebUI
Log in to the WebUI and create a user with the name “seller”.
Install & configure FreeIPA client
1. Install FreeIPA client on 10.10.10.4:
   # yum install ipa-client
2. Configure FreeIPA client:
   # ipa-client-install --mkhomedir
   Provide the domain name of your IPA server (ex: example.com): demo.lab
   Provide your IPA server name (ex: ipa.example.com): ipaserver.demo.lab
   Proceed with fixed values and no DNS discovery? [no]: yes
   Hostname: freeipaclient.demo.lab
   Realm: DEMO.LAB
   DNS Domain: demo.lab
   IPA Server: freeipaserver.demo.lab
   BaseDN: dc=demo,dc=lab
   Continue to configure the system with these values? [no]: yes
   User authorized to enroll computers: admin
   Synchronizing time with KDC...
   Password for admin@DEMO.LAB: admin1234
Install & configure FreeIPA client
Log in to the WebUI and confirm the client host is displayed.
Configure Policy
Configure a policy in the WebUI to allow user “seller” to ssh only to host “ipaclient.demo.lab”.
Configure Policy
Configure a policy in the WebUI to allow user “seller” to ssh only to host “ipaclient.demo.lab”. After configuration, ssh to the host as “seller”.
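The same policy built with the ipa command line instead of the WebUI, as an added example that is not part of the original deck: it assumes it is run on the server with an admin ticket (kinit admin), and the rule name allow_seller_ssh is my own choice; user, hosts and realm come from the slides.

```shell
#!/bin/sh
# Added example: the HBAC policy from the slides, expressed with the ipa CLI.
# Run on ipaserver.demo.lab after `kinit admin`. The rule name allow_<user>_ssh
# is an assumption; user, hosts and realm are the ones used in the slides.
set -u

# Create an HBAC rule that lets one user reach one host, and only over sshd.
add_ssh_hbac_rule() {
    user="$1"; host="$2"; rule="allow_${user}_ssh"
    ipa hbacrule-add "$rule" --desc="ssh access for $user to $host"
    ipa hbacrule-add-user "$rule" --users="$user"
    ipa hbacrule-add-host "$rule" --hosts="$host"
    ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# A fresh server ships with the "allow_all" rule enabled; until it is
# disabled every user can still log in to every host, so the new rule
# restricts nothing on its own.
disable_allow_all() {
    ipa hbacrule-disable allow_all
}

# Have the server evaluate the rules for a user/host/service triple; this
# mirrors the check SSSD performs on the client when "seller" logs in.
check_access() {
    ipa hbactest --user="$1" --host="$2" --service="$3"
}

# Build the policy from the slides, then verify one permitted and one denied case.
configure_seller_policy() {
    add_ssh_hbac_rule seller ipaclient.demo.lab
    disable_allow_all
    check_access seller ipaclient.demo.lab sshd   # matched by allow_seller_ssh
    check_access seller ipaserver.demo.lab sshd   # no rule matches once allow_all is off
}

# Only act when invoked with the argument "apply", so sourcing the file
# to reuse the functions has no side effects.
if [ "${1:-}" = "apply" ]; then
    configure_seller_policy
fi
```

Disabling allow_all affects every enrolled host, so add rules for admins and other users before turning it off.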