In this blog post, we are going to showcase how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8.
Requirements:
- Build three servers with at least 4vCPUs and 16GB Memory (Production) or 4GB (Sandbox) (keep in mind that most of the IdM operations are being cached in memory. The more memory is available to IdM, the more performant it becomes
- Configure Security Group and or Firewall. The following table provides all the required ports that must be opened on the firewall:
| Component | Service | Ports through which access is allowed |
| Identity Management framework* | Apache-based web-service and routes to other services | HTTPS port 443 (TCP/TCP6) |
| LDAP directory server* | 389-ds instance | port 389 (TCP/TCP6): normal LDAP traffic, with StartTLS extension or SASL GSSAPI to secure the connection port 636 (TCP/TCP6): normal LDAP traffic over SSL port 389 (UDP): a Connectionless LDAP access to facilitate integration with Active Directory services |
| Kerberos Key Distribution Centre* | krb5kdc | port 88 (TCP/TCP6 and UDP/UDP6): normal Kerberos traffic port 464 (TCP/TCP6 and UDP/UDP6): Kerberos password change protocol access |
| Kerberos Administrator daemon* | kadmind | port 749 (TCP/TCP6): Kerberos remote administration protocol |
| Custodia key management* | custodia | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
| The System Security Services Daemon* | sssd | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
| MS-KKDCP proxy** | Proxy access to Kerberos over HTTPS | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework |
| Certificate Authority | Dogtag instance on top of Tomcat | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework HTTP access over port 80 (TCP/TCP6) but redirected to port 8080 (TCP/TCP6) according to the Apache rules set for Identity Management; the retrieved information is the OCSP responder and certificate status (the Certificate Revocation List) HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses |
| DNS | named | port 53 (TCP/TCP6 and UDP/UDP6): standard DNS resolver port 953 (TCP/TCP6): BIND service remote control on the 127.0.0.1 and ::1 local interface addresses |
| Active Directory integration | Samba services (smbd, winbindd) | port 135 (TCP/TCP6): DCE RPC end-point mapper (smbd daemon) port 138 (TCP/TCP6), NetBIOS Datagram service (optional, requires nmbd daemon to run) port 139 (TCP/TCP6), NetBIOS Session service (smbd daemon) port 445 (TCP/TCP6), SMB protocol over TCP/TCP6 (smbd daemon) dynamically opened ports 49152-65535 (TCP/TCP6) for DCE RPC end-point services |
| Certificate Authority Vault | KRA component of the Dogtag instance | HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework HTTP access over port 80 (TCP/TCP6) but redirected to port 8080 (TCP/TCP6) by Apache rules: for the OCSP responder and certificate status (Certificate Revocation List) HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses |
- If servers have not been registered to Red Hat CDN, register them using the following commands:
subscription-manager register
subscription-manager attach --pool=pool_number - Install firewalld on each host:
dnf install firewalld -y - Start and enable firewalld service
systemctl enable firewalld --now - Configure the hostnames
hostnamectl set-hostname idm01.example.net
hostnamectl set-hostname idm02.example.net
hostnamectl set-hostname idm03.example.net - Install chrony (ntp)
dnf install chrony -y - Start and enable chronyd
systemctl enable chronyd --now - Configure chronyd
vi /etc/chrony.conf change the following lines from:
pool 2.rhel.pool.ntp.org iburst to:
server your_ntp_server iburst - Restart chronyd
systemctl restart chronyd - Verify if chrony is getting the time from the configured NTP server(s)
hronyc tracking
chronyc sources - Configure dnf module and install relevant IdM packages:
dnf module enable idm:DL1 -y
dnf distrosync -y
dnf module install idm:DL1/{dns,adtrust,server} -y
dnf install ipa-server-trust-ad samba-client -y - Configure the firewalld on all servers
firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns --permanent
firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns
firewall-cmd --reload - Start the initial configuration for the primary IdM Server:
[root@idm01 ~]# ipa-server-install --realm EXAMPLE.NET --ds-password Your_password --admin-password Your_password --setup-dns --no-forwarders --mkhomedir --setup-kra --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa.
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Centre (KDC)
* Configure Apache (httpd)
* Configure KRA (dogtag) for secret management
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [idm01.example.net]:
Warning: skipping DNS resolution of host idm01.example.net
The domain name has been determined based on the host name.
Please confirm the domain name [example.net]:
Checking DNS domain example.net., please wait ...
DNS zone example.net. already exists in DNS and is handled by server(s): ['ns-272.awsdns-34.com.', 'ns-785.awsdns-34.net.', 'ns-1139.awsdns-14.org.', 'ns-1641.awsdns-13.co.uk.'] Please make sure that the domain is properly delegated to this IPA server.
Checking DNS domain 0.168.192.in-addr.arpa., please wait ...
Checking DNS domain 1.168.192.in-addr.arpa., please wait ...
Using reverse zone(s) 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE
NetBIOS domain name [EXAMPLE]:
Do you want to configure chrony with NTP server or pool address? [no]:
The IPA Master Server will be configured with:
Hostname: idm01.example.net
IP address(es): 192.168.0.11
Domain name: example.net
Realm name: EXAMPLE.NET
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.NET
Subject base: O=EXAMPLE.NET
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[2/28]: stopping certificate server instance to update CS.cfg
[3/28]: backing up CS.cfg
[4/28]: Add ipa-pki-wait-running
[5/28]: secure AJP connector
[6/28]: reindex attributes
[7/28]: exporting Dogtag certificate store pin
[8/28]: disabling nonces
[9/28]: set up CRL publishing
[10/28]: enable PKIX certificate path discovery and validation
[11/28]: authorising RA to modify profiles
[12/28]: authorising RA to manage lightweight CAs
[13/28]: Ensure lightweight CAs container exists
[14/28]: starting certificate server instance
[15/28]: configure certmonger for renewals
[16/28]: requesting RA certificate from CA
[17/28]: publishing the CA certificate
[18/28]: adding RA agent as a trusted user
[19/28]: configure certificate renewals
[20/28]: Configure HTTP to proxy connections
[21/28]: updating IPA configuration
[22/28]: enabling CA instance
[23/28]: importing IPA certificate profiles
[24/28]: migrating certificate profiles to LDAP
[25/28]: adding default CA ACL
[26/28]: adding 'ipa' CA entry
[27/28]: configuring certmonger renewal for lightweight CAs
[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/9]: configuring KRA instance
[2/9]: create KRA agent
[3/9]: enabling ephemeral requests
[4/9]: restarting KRA
[5/9]: configure certmonger for renewals
[6/9]: configure certificate renewals
[7/9]: add vault container
[8/9]: apply LDAP updates
[9/9]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
dnssec-validation no
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.6
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm01.example.net
Realm: EXAMPLE.NET
DNS Domain: example.net
IPA Server: idm01.example.net
BaseDN:dc=example,dc=neten
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful Verify if the DNS zone has been set to Dynamic update:
- Log into the server as root
- authenticate to IdM server using kerberos
kinit admin Verify if the dynamic updates have been enabled for the zone:
ipa dnszone-show example.net
[root@idm01 ~]# ipa dnszone-show example.net
Zone name: example.net.
Active zone: TRUE
Authoritative nameserver: idm01.example.net.
Administrator e-mail address: hostmaster.example.net.
SOA serial: 1648970401
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant EXAMPLE.NET krb5-self * A; grant
EXAMPLE.NET krb5-self * AAAA; grant
EXAMPLE.NET krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none; If Dynamic update: FALSE run the following command:
ipa dnszone-mod example.net --dynamic-update=TRUE IdM Replicas
It is important to update the DNS records. If the master IdM server has been configured with the DNS, the DNS records should be configured and each server should be configured to use the master as the DNS server. For example:
Create DNS records for all replica servers:
kinit admin
ipa dnsrecord-add example.net idm02 --a-rec 192.168.0.15 --a-create-reverse
ipa dnsrecord-add example.net idm03 --a-rec 192.168.0.22 --a-create-reverseIf the master server has IP address 192.168.0.11, configure each replica to use this IP address:
nmcli con mod eth0 ipv4.dns 192.168.0.11 ipv4.dns-search example.net
nmcli con up eth0 Ensure DNS service has been added to the configuration of each server:
firewall-cmd --add-service=dns --permanent
firewall-cmd --add-service=dns
firewall-cmd --reload Install packages as described in the previous section and run the following command. The command instructs to install and configure DNS, CA, KRA on the Replica Server(s)
ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa. --setup-kra --no-forwarders --domain=example.net --server=idm01.example.net The following dump is an example installation:
[root@idm02 ~]# ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --ntp-server=172.16.36.10 --no-dnssec-validation --reverse-zone=36.16.172.in-addr.arpa. --setup-kra --no-forwarders
Configuring client side components
This program will set up IPA client.
Version 4.9.6
Discovery was successful!
Client hostname: idm02.example.net
Realm: EXAMPLE.NET
DNS Domain: example.net
IPA Server: idm01.example.net
BaseDN: dc=example,dc=net
NTP server: 172.16.36.10
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.NET
Issuer: CN=Certificate Authority,O=EXAMPLE.NET
Valid From: 2022-03-29 04:16:28
Valid Until: 2042-03-29 04:16:28
Enrolled in IPA realm EXAMPLE.NET
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.NET
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Lookup failed: Preferred host idm02.example.net does not provide DNS.
Checking DNS domain 36.16.172.in-addr.arpa., please wait ...
DNS zone 36.16.172.in-addr.arpa. already exists in DNS and is handled by server(s): idm01.example.net.
Using reverse zone(s) 36.16.172.in-addr.arpa.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication
[27/38]: adding sasl mappings to the directory
[28/38]: updating schema
[29/38]: setting Auto Member configuration
[30/38]: enabling S4U2Proxy delegation
[31/38]: initializing group membership
[32/38]: adding master entry
[33/38]: initializing domain level
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: activating sidgen plugin
[37/38]: activating extdom plugin
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=idm02,idnsname=example.net.,cn=dns,dc=example,dc=net'.
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'idm01.example.net' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: creating certificate server db
[2/29]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/29]: creating ACIs for admin
[4/29]: creating installation admin user
[5/29]: configuring certificate server instance
[6/29]: stopping certificate server instance to update CS.cfg
[7/29]: backing up CS.cfg
[8/29]: Add ipa-pki-wait-running
[9/29]: secure AJP connector
[10/29]: reindex attributes
[11/29]: exporting Dogtag certificate store pin
[12/29]: disabling nonces
[13/29]: set up CRL publishing
[14/29]: enable PKIX certificate path discovery and validation
[15/29]: authorising RA to modify profiles
[16/29]: authorising RA to manage lightweight CAs
[17/29]: Ensure lightweight CAs container exists
[18/29]: destroying installation admin user
[19/29]: starting certificate server instance
[20/29]: Finalise replication settings
[21/29]: configure certmonger for renewals
[22/29]: Importing RA key
[23/29]: configure certificate renewals
[24/29]: Configure HTTP to proxy connections
[25/29]: updating IPA configuration
[26/29]: enabling CA instance
[27/29]: importing IPA certificate profiles
[28/29]: configuring certmonger renewal for lightweight CAs
[29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalise replication settings
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
[1/10]: creating ACIs for admin
[2/10]: creating installation admin user
[3/10]: configuring KRA instance
[4/10]: destroying installation admin user
[5/10]: enabling ephemeral requests
[6/10]: restarting KRA
[7/10]: configure certmonger for renewals
[8/10]: configure certificate renewals
[9/10]: apply LDAP updates
[10/10]: enabling KRA instance
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
Restarting the KDC
dnssec-validation no
Configuring DNS (named)
[1/9]: generating rndc key file
[2/9]: setting up reverse zone
[3/9]: setting up our own record
[4/9]: adding NS record to the zones
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[7/9]: setting up server configuration
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Configuring SID generation
[1/7]: creating samba domain object
Samba domain object already exists
[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/7]: adding RID bases
RID bases already set, nothing to do
[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/7]: activating sidgen task
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful Install and enrol the ipa client
hostnamectl set-hostname ssodb03.example.net
dnf update
dnf module enable idm:DL1
dnf distrosync
dnf module install idm:DL1/client
ipa-client-install --enable-dns-updates --mkhomedir --server=idm01.example.net --principal=admin --password=Your_password --domain=example.net --realm=EXAMPLE.NET Add user to IdM
ipa user-add idmuser03
--first=user03 --last=idm
--email=idmuser03@example.net
--password or
ipa user-add idmuser01 --first=idmuser01 --last=idm --email=idmuser01@example.net --random Keep in mind that the user will need to change the password on the first login
Establish AD Trust
- Ensure all the packages have been installed
dnf install ipa-server-trust-ad samba-client -y - Modify the Primary Server DNS configuration:
nmcli con mod eth0 ipv4.dns 127.0.0.1
nmcli con up eth0 - Configure IdM as a trust controller (repeat on each node)
ipa-adtrust-install --netbios-name=EXAMPLE -a Your_password
The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.
This includes:
* Configure Samba
* Add trust related objects to IPA LDAP server
To accept the default shown in brackets, press the Enter key.
IPA generated smb.conf detected.
Overwrite smb.conf? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
Enable trusted domains support in slapi-nis? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring CIFS
[1/24]: validate server hostname
[2/24]: stopping smbd
[3/24]: creating samba domain object
Samba domain object already exists
[4/24]: retrieve local idmap range
[5/24]: writing samba config file
[6/24]: creating samba config registry
[7/24]: adding cifs Kerberos principal
[8/24]: adding cifs and host Kerberos principals to the adtrust agents group
[9/24]: check for cifs services defined on other replicas
[10/24]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
[11/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[12/24]: adding RID bases
RID bases already set, nothing to do
[13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[14/24]: activating CLDAP plugin
CLDAP plugin already configured, nothing to do
[15/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
[16/24]: map BUILTINGuests to nobody group
[17/24]: configuring smbd to start on boot
[18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
[19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[20/24]: adding fallback group
Fallback group already set, nothing to do
[21/24]: adding Default Trust View
Default Trust View already exists.
[22/24]: setting SELinux booleans
[23/24]: starting CIFS services
[24/24]: restarting smbd
Done configuring CIFS.
=============================================================================
Setup complete
You must make sure these network ports are open:
TCP Ports:
* 135: epmap
* 138: netbios-dgm
* 139: netbios-ssn
* 445: microsoft-ds
* 1024..1300: epmap listener range
* 3268: msft-gc
UDP Ports:
* 138: netbios-dgm
* 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds
See the ipa-adtrust-install(1) man page for more details - Update the forwarders and allow zone transfers between Realms:
ipa dnszone-mod example.net --allow-transfer=IP_OF_ACTIVEDIRECTORY_CNTRL
ipa dnsforwardzone-add REMOTE_DOMAIN --forwarder=IP_OF_ACTIVEDIRECTORY_CNTRL --forward-policy=only
ipa dns-update-system-records - On the Active Directory DNS server, execute the following command:
dnscmd 127.0.0.1 /ZoneAdd example.net /Forwarder 192.168.0.11 (idM Primary IP) - Establish the trust with the AD:
This method requires User/Password with privileges to establish trust with AD
kinit admin
ipa trust-add --type=ad remote_domain --admin Administrator --password --two-way=True The following output should be expected:
Active Directory domain administrator's password:
------------------------------------------------------
Re-established trust to domain "archivemigrations.org"
------------------------------------------------------
Realm name: archivemigrations.org
Domain NetBIOS name: ARCHIVEMIG
Domain Security Identifier: S-1-5-21-3330954099-1499013306-3576720302
Trust direction: Two-way trust
Trust type: Active Directory domain
Trust status: Established and verified- Verify if kerberos is working and users can get the kerberos ticket:
[root@idm01 ~]# kinit sbaszczyj@archivemigrations.org
Password for sbaszczyj@archivemigrations.org:
[root@idm01 ~]# klist
Ticket cache: KCM:0:12915
Default principal: sbaszczyj@ARCHIVEMIGRATIONS.ORG
Valid starting Expires Service principal
04/04/22 00:49:35 04/04/22 10:49:35 krbtgt/ARCHIVEMIGRATIONS.ORG@ARCHIVEMIGRATIONS.ORG
renew until 05/04/22 00:49:31
[root@idm01 ~]# id sbaszczyj@archivemigrations.org
uid=794602128(sbaszczyj@archivemigrations.org) gid=794602128(sbaszczyj@archivemigrations.org) groups=794602128(sbaszczyj@archivemigrations.org),794600513(domain users@archivemigrations.org) - Create the external non-POSIX group:
ipa group-add ad_admins_external --external - Add standard POSIX group:
ipa group-add ad_admins - Add external AD Group to ad_admins_external IDM group:
ipa group-add-member ad_admins_external --external 'ARCHIVEMIGDomain admins' Add the external FreeIPA group to the POSIX FreeIPA group as a member. For example:
ipa group-add-member ad_admins --groups ad_admins_external Setting the global domain resolution order on an IdM server
This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order:
The following is just an example
Active Directory (AD) domain: archivemigrations.org
IdM domain: example.net
ipa config-mod --domain-resolution-order=’archivemigrations.org:example.net' When AD administrator credentials are not available
# ipa trust-add --type=ad "ad_domain" --trust-secret Enter the trust shared secret when prompted. At this point IPA will create two-way forest trust on IPA side. Second leg of the trust need to be created manually and validated on AD side. Following GIF sequence shows how trust with shared secret is created:
Once trust leg on AD side is established, one needs to retrieve the list of trusted forest domains from AD side. This is done using following command:
# ipa trust-fetch-domains "ad_domain" With this command running successfully, IPA will get information about trusted domains and will create all needed identity ranges for them.
Use “trustdomain-find” to see list of the trusted domains from a trusted forest:
# ipa trustdomain-find "ad_domain" If you are interested in learning more about how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8, or if you have any questions about the requirements and configurations mentioned in this blog post, feel free to contact us for more information. Our team of experts is ready to assist you with your IdM installation and configuration needs.
