introducing freeipa

FREE IPA OCT 2013 Anu Bhaskar www.anubhaskar.name Creative Commons Attribution-ShareAlike 3.0 Unported License.

Upload: anu-bhaskar

Post on 19-May-2015


DESCRIPTION

These are the slides I used in my local libre user group meetup to introduce FreeIPA to my friends and users from varied backgrounds.

TRANSCRIPT

Page 1: Introducing FreeIPA

FREE IPA, OCT 2013

Anu Bhaskar www.anubhaskar.name

Creative Commons Attribution-ShareAlike 3.0 Unported License.

Page 2: Introducing FreeIPA

AGENDA

1. Introduction
2. Product Architecture
3. Prototype Architecture
4. Prerequisites
5. Install & configure FreeIPA server
6. Configure WebUI
7. Create a user through WebUI
8. Install & configure FreeIPA client
9. Configure Policy

Page 3: Introducing FreeIPA

Introduction

Integrated identity and authentication solution, made up of the open source components below:

1. 389 Directory Server – for a multi-master LDAPv3 directory infrastructure
2. MIT Kerberos – for single sign-on authentication
3. Dogtag – for certificate management
4. BIND – for optional DNS management
5. NTP – time synchronization
6. WebUI and CLI
7. SSSD – client-side component for integration with the FreeIPA server

Page 4: Introducing FreeIPA

Product Architecture

Page 5: Introducing FreeIPA

Prototype Architecture

[Diagram] Two CentOS 6 hosts: ipaserver.demo.lab (10.10.10.3) and ipaclient.demo.lab (10.10.10.4). Users log in over SSH to ipaclient.demo.lab, which performs authentication & authorization against ipaserver.demo.lab; the admin administers ipaserver.demo.lab through the WebUI.

Page 6: Introducing FreeIPA

Prerequisites

For simplicity and ease of demonstration, the changes below are made in the prototype. These options should be avoided or carefully considered in a production deployment.

1. All hosts are installed from the CentOS 6.3 minimal install CD.

2. Disable SELinux on both server and client:
   # vi /etc/selinux/config
   SELINUX=disabled

3. Disable the firewall on both server and client:
   # chkconfig iptables off

4. Add host entries on server, client and admin workstation:
   10.10.10.3 ipaserver.demo.lab
   10.10.10.4 ipaclient.demo.lab

5. Reboot server and client hosts.

Page 7: Introducing FreeIPA

Install & configure FreeIPA server

1. Install FreeIPA server on 10.10.10.3:
   # yum install ipa-server

2. Configure FreeIPA server:
   # ipa-server-install
   Server host name: ipaserver.demo.lab
   Please confirm the domain name: demo.lab
   Please provide a realm name: DEMO.LAB
   Directory Manager password: manager1234
   Password (confirm): manager1234
   IPA admin password: admin1234
   Password (confirm): admin1234
   The IPA Master Server will be configured with:
   Hostname: freeipaserver.demo.tst
   IP address: 10.10.10.3
   Domain name: demo.lab
   Realm name: DEMO.LAB
   Continue to configure the system with these values? [no]: yes

Page 8: Introducing FreeIPA

Configure WebUI

1. Use the Firefox browser and log in to http://ipaserver.demo.lab
2. Follow the link to download and install the Firefox plug-in that configures the browser for Kerberos authentication.

Page 9: Introducing FreeIPA

Create a user through WebUI

Log in to the WebUI and create a user named “seller”.

Page 10: Introducing FreeIPA

Install & configure FreeIPA client

1. Install FreeIPA client on 10.10.10.4:
   # yum install ipa-client

2. Configure FreeIPA client:
   # ipa-client-install --mkhomedir
   Provide the domain name of your IPA server (ex: example.com): demo.lab
   Provide your IPA server name (ex: ipa.example.com): ipaserver.demo.lab
   Proceed with fixed values and no DNS discovery? [no]: yes
   Hostname: freeipaclient.demo.lab
   Realm: DEMO.LAB
   DNS Domain: demo.lab
   IPA Server: freeipaserver.demo.lab
   BaseDN: dc=demo,dc=lab
   Continue to configure the system with these values? [no]: yes
   User authorized to enroll computers: admin
   Synchronizing time with KDC...
   Password for admin@DEMO.LAB: admin1234
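The two interactive installs on the server and client slides can also be driven unattended, which is how they would be scripted for more than one host. The shell script below is an added example, not part of the slides: it validates the prototype's values the way the installers reject them (realm must be the upper-cased domain, host names must be FQDNs inside the domain, passwords at least 8 characters) and prints the equivalent ipa-server-install / ipa-client-install command lines using their documented unattended flags. The function names and the CHANGE-ME passwords are this example's own placeholders.

```sh
#!/bin/sh
# Added example, not part of the slides: validate the FreeIPA prototype
# parameters and emit unattended installer command lines.
# Function names are this example's own; the installer flags are real.

# validate_ipa_params DOMAIN REALM HOST [PASSWORD...]
# Rejects values the installers would refuse or that are plainly wrong:
#   - domain: lower-case DNS name
#   - realm : exactly the upper-cased domain (Kerberos convention)
#   - host  : an FQDN inside the domain
#   - every password: at least 8 characters (installer minimum)
validate_ipa_params() {
    domain=$1; realm=$2; host=$3; shift 3
    case "$domain" in
        ""|*[!a-z0-9.-]*)
            echo "domain must be a lower-case DNS name: '$domain'" >&2; return 1 ;;
    esac
    upper=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')
    if [ "$realm" != "$upper" ]; then
        echo "realm must be $upper, got '$realm'" >&2; return 1
    fi
    case "$host" in
        *."$domain") ;;
        *) echo "host '$host' is not inside domain $domain" >&2; return 1 ;;
    esac
    for pw in "$@"; do
        if [ "${#pw}" -lt 8 ]; then
            echo "password shorter than 8 characters" >&2; return 1
        fi
    done
    return 0
}

# ipa_server_cmd DOMAIN REALM HOST DM_PASSWORD ADMIN_PASSWORD
# Prints the unattended equivalent of the prompts answered on the slide.
ipa_server_cmd() {
    validate_ipa_params "$1" "$2" "$3" "$4" "$5" || return 1
    printf 'ipa-server-install --unattended --hostname=%s --domain=%s --realm=%s --ds-password=%s --admin-password=%s\n' \
        "$3" "$1" "$2" "$4" "$5"
}

# ipa_client_cmd DOMAIN REALM CLIENT_HOST IPA_SERVER ADMIN_PASSWORD
# Prints the unattended enrolment of CLIENT_HOST against IPA_SERVER.
# Note: --password on the command line is visible in the process list;
# outside a lab prefer a one-time enrolment password
# (ipa host-add CLIENT_HOST --random) over the admin password.
ipa_client_cmd() {
    validate_ipa_params "$1" "$2" "$3" "$5" || return 1
    validate_ipa_params "$1" "$2" "$4" || return 1
    printf 'ipa-client-install --unattended --mkhomedir --hostname=%s --domain=%s --realm=%s --server=%s --principal=admin --password=%s\n' \
        "$3" "$1" "$2" "$4" "$5"
}

# Print the plan for the prototype hosts; the passwords are constructed
# placeholders (CHANGE-ME-*), replace them before running the output.
ipa_server_cmd demo.lab DEMO.LAB ipaserver.demo.lab CHANGE-ME-dirmgr CHANGE-ME-admin
ipa_client_cmd demo.lab DEMO.LAB ipaclient.demo.lab ipaserver.demo.lab CHANGE-ME-admin
```

Run it as-is to review the generated commands; a value that would have failed at an interactive prompt (lower-case realm, host outside the domain, short password) fails here instead, before anything touches the hosts.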

Page 11: Introducing FreeIPA

Install & configure FreeIPA client

Log in to the WebUI and confirm that the client host is displayed.

Page 12: Introducing FreeIPA

Configure Policy

Configure a policy in the WebUI that allows user “seller” to SSH only to host “ipaclient.demo.lab”.

Page 13: Introducing FreeIPA

Configure Policy

Configure a policy in the WebUI that allows user “seller” to SSH only to host “ipaclient.demo.lab”.

Page 14: Introducing FreeIPA

Configure Policy

Configure a policy in the WebUI that allows user “seller” to SSH only to host “ipaclient.demo.lab”. After configuration, SSH to the host as “seller”.
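The same host-based access control (HBAC) policy can be created from the FreeIPA command line, and that route makes two things explicit that the WebUI screenshots do not: FreeIPA ships with an enabled "allow_all" HBAC rule, and while it stays enabled a new rule restricts nothing, because access is granted as soon as any rule matches; and `ipa hbactest` lets you verify the policy on the server before anyone tries an SSH login. The script below is an added example, not part of the slides. The `ipa hbacrule-*` and `ipa hbactest` subcommands are real; the rule name allow_seller_ssh and the function names are this example's own, and the sample "Access granted" line in the check is constructed from the tool's output format.

```sh
#!/bin/sh
# Added example, not part of the slides: the policy "seller may SSH only
# to ipaclient.demo.lab" built with the FreeIPA CLI, plus the checks the
# WebUI walkthrough leaves out. Rule and function names are this
# example's own.

# hbac_plan USER HOST RULE
# Prints the commands that create the rule. The last line matters:
# the default allow_all rule grants every user every service on every
# host, so the new rule only restricts anything once allow_all is off.
# Disable allow_all only after a rule covering your admins exists.
hbac_plan() {
    user=$1; host=$2; rule=$3
    cat <<EOF
kinit admin
ipa hbacrule-add $rule --desc="$user may ssh only to $host"
ipa hbacrule-add-user $rule --users=$user
ipa hbacrule-add-host $rule --hosts=$host
ipa hbacrule-add-service $rule --hbacsvcs=sshd
ipa hbacrule-disable allow_all
EOF
}

# hbac_checks USER HOST OTHER_HOST
# Prints the hbactest calls that verify the policy server-side: the
# first must report access granted, the second must not.
hbac_checks() {
    cat <<EOF
ipa hbactest --user=$1 --host=$2 --service=sshd
ipa hbactest --user=$1 --host=$3 --service=sshd
EOF
}

# hbactest_granted < OUTPUT
# Exit 0 if captured `ipa hbactest` output reports "Access granted: True".
hbactest_granted() {
    grep -q 'Access granted: True'
}

# run_policy USER HOST OTHER_HOST RULE
# Applies the plan and runs the checks only when IPA_APPLY=1 is set and
# the ipa CLI is installed; otherwise prints both for review.
run_policy() {
    user=$1; host=$2; other=$3; rule=$4
    if [ "${IPA_APPLY:-0}" = 1 ] && command -v ipa >/dev/null 2>&1; then
        hbac_plan "$user" "$host" "$rule" | sh -e
        ipa hbactest --user="$user" --host="$host" --service=sshd | hbactest_granted \
            || { echo "expected $user to be granted sshd on $host" >&2; return 1; }
        ipa hbactest --user="$user" --host="$other" --service=sshd | hbactest_granted \
            && { echo "$user is still allowed sshd on $other" >&2; return 1; }
        return 0
    fi
    hbac_plan "$user" "$host" "$rule"
    hbac_checks "$user" "$host" "$other"
}

# Prototype values: seller may reach ipaclient.demo.lab, and the server
# host is used as the "must be denied" control.
run_policy seller ipaclient.demo.lab ipaserver.demo.lab allow_seller_ssh
```

Without IPA_APPLY=1 the script only prints the commands; with it, on a host where the ipa CLI is available and kinit admin succeeds, it creates the rule, disables allow_all and fails loudly if hbactest does not report the expected grant and denial. Only then is the SSH login as “seller” on the last slide a meaningful test.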