Red Hat IdM Installation and Configuration

In this blog post we are going to showcase how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8.

Requirements:

• Build three servers with at least 4vCPUs and 16GB Memory (Production) or 4GB (Sandbox) (keep in mind that most of the IdM operations are being cached in memory. The more memory is available to IdM, the more performant it becomes 
• Configure Security Group and or Firewall. The following table provides all the required ports that must be opened on the firewall: 

Component	Service	Ports through which access is allowed
Identity Management framework*	Apache-based web-service and routes to other services	HTTPS port 443 (TCP/TCP6)
LDAP directory server*	389-ds instance	port 389 (TCP/TCP6): normal LDAP traffic, with StartTLS extension or SASL GSSAPI to secure the connection port 636 (TCP/TCP6): normal LDAP traffic over SSL port 389 (UDP): a Connectionless LDAP access to facilitate integration with Active Directory services
Kerberos Key Distribution Centre*	krb5kdc	port 88 (TCP/TCP6 and UDP/UDP6): normal Kerberos traffic port 464 (TCP/TCP6 and UDP/UDP6): Kerberos password change protocol access
Kerberos Administrator daemon*	kadmind	port 749 (TCP/TCP6): Kerberos remote administration protocol
Custodia key management*	custodia	HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework
The System Security Services Daemon*	sssd	HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework
MS-KKDCP proxy**	Proxy access to Kerberos over HTTPS	HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework
Certificate Authority	Dogtag instance on top of Tomcat	HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework HTTP access over port 80 (TCP/TCP6) but redirected to port 8080 (TCP/TCP6) according to the Apache rules set for Identity Management; the retrieved information is the OCSP responder and certificate status (the Certificate Revocation List) HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses
DNS	named	port 53 (TCP/TCP6 and UDP/UDP6): standard DNS resolver port 953 (TCP/TCP6): BIND service remote control on the 127.0.0.1 and ::1 local interface addresses
Active Directory integration	Samba services (smbd, winbindd)	port 135 (TCP/TCP6): DCE RPC end-point mapper (smbd daemon) port 138 (TCP/TCP6), NetBIOS Datagram service (optional, requires nmbd daemon to run) port 139 (TCP/TCP6), NetBIOS Session service (smbd daemon) port 445 (TCP/TCP6), SMB protocol over TCP/TCP6 (smbd daemon) dynamically opened ports 49152-65535 (TCP/TCP6) for DCE RPC end-point services
Certificate Authority Vault	KRA component of the Dogtag instance	HTTPS port 443 (TCP/TCP6): as part of the Identity Management framework HTTP access over port 80 (TCP/TCP6) but redirected to port 8080 (TCP/TCP6) by Apache rules: for the OCSP responder and certificate status (Certificate Revocation List) HTTPS access over port 8443 (TCP/TCP6): for CA administration purposes Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses

• If servers have not been registered to Red Hat CDN, register them using the following commands:  

subscription-manager register   subscription-manager attach --pool=pool_number 

• Install firewalld on each host:  

dnf install firewalld -y 

• Start and enable firewalld service 

systemctl enable firewalld --now 

• Configure the hostnames

hostnamectl set-hostname idm01.example.net   hostnamectl set-hostname idm02.example.net   hostnamectl set-hostname idm03.example.net 

• Install chrony (ntp) 

dnf install chrony -y 

• Start and enable chronyd 

systemctl enable chronyd --now 

• Configure chronyd 

vi /etc/chrony.conf 

change the following lines from: 

pool 2.rhel.pool.ntp.org iburst 

to: 

server your_ntp_server iburst 

• Restart chronyd  

systemctl restart chronyd 

• Verify if chrony is getting the time from the configured NTP server(s) 

hronyc tracking   chronyc sources 

• Configure dnf module and install relevant IdM packages: 

dnf module enable idm:DL1 -y   dnf distrosync -y   dnf module install idm:DL1/{dns,adtrust,server} -y   dnf install ipa-server-trust-ad samba-client -y 

• Configure the firewalld on all servers 

firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns --permanent   firewall-cmd --add-service=freeipa-4 --add-service=freeipa-ldaps --add-service=freeipa-ldap --add-service=freeipa-replication --add-service=freeipa-trust --add-service=dns   firewall-cmd --reload 

• Start the initial configuration for the primary IdM Server:  

[root@idm01 ~]# ipa-server-install --realm EXAMPLE.NET --ds-password Your_password --admin-password Your_password --setup-dns --no-forwarders --mkhomedir --setup-kra --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa.      The log file for this installation can be found in /var/log/ipaserver-install.log   ==============================================================================   This program will set up the IPA Server.   Version 4.9.6      This includes:     * Configure a stand-alone CA (dogtag) for certificate management     * Configure the NTP client (chronyd)     * Create and configure an instance of Directory Server     * Create and configure a Kerberos Key Distribution Centre (KDC)     * Configure Apache (httpd)     * Configure KRA (dogtag) for secret management     * Configure DNS (bind)     * Configure SID generation     * Configure the KDC to enable PKINIT      To accept the default shown in brackets, press the Enter key.      Enter the fully qualified domain name of the computer   on which you're setting up server software. Using the form   <hostname>.<domainname>   Example: master.example.com.         Server host name [idm01.example.net]:       Warning: skipping DNS resolution of host idm01.example.net   The domain name has been determined based on the host name.      Please confirm the domain name [example.net]:       Checking DNS domain example.net., please wait ...   DNS zone example.net. already exists in DNS and is handled by server(s): ['ns-272.awsdns-34.com.', 'ns-785.awsdns-34.net.', 'ns-1139.awsdns-14.org.', 'ns-1641.awsdns-13.co.uk.'] Please make sure that the domain is properly delegated to this IPA server.   Checking DNS domain 0.168.192.in-addr.arpa., please wait ...   Checking DNS domain 1.168.192.in-addr.arpa., please wait ...   Using reverse zone(s) 0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.   Trust is configured but no NetBIOS domain name found, setting it now.   Enter the NetBIOS name for the IPA domain.   Only up to 15 uppercase ASCII letters, digits and dashes are allowed.   Example: EXAMPLE         NetBIOS domain name [EXAMPLE]:       Do you want to configure chrony with NTP server or pool address? [no]:       The IPA Master Server will be configured with:   Hostname:       idm01.example.net   IP address(es): 192.168.0.11   Domain name:    example.net   Realm name:     EXAMPLE.NET      The CA will be configured with:   Subject DN:   CN=Certificate Authority,O=EXAMPLE.NET   Subject base: O=EXAMPLE.NET   Chaining:     self-signed      BIND DNS server will be configured to serve IPA domain with:   Forwarders:       No forwarders   Forward policy:   only   Reverse zone(s):  0.168.192.in-addr.arpa., 1.168.192.in-addr.arpa.      Continue to configure the system with these values? [no]: yes      The following operations may take some minutes to complete.   Please wait until the prompt is returned.      Disabled p11-kit-proxy   Synchronizing time   No SRV records of NTP servers found and no NTP server or pool address was provided.   Using default chrony configuration.   Attempting to sync time with chronyc.   Time synchronization was successful.   Configuring directory server (dirsrv). Estimated time: 30 seconds     [1/41]: creating directory server instance     [2/41]: tune ldbm plugin     [3/41]: adding default schema     [4/41]: enabling memberof plugin     [5/41]: enabling winsync plugin     [6/41]: configure password logging     [7/41]: configuring replication version plugin     [8/41]: enabling IPA enrollment plugin     [9/41]: configuring uniqueness plugin     [10/41]: configuring uuid plugin     [11/41]: configuring modrdn plugin     [12/41]: configuring DNS plugin     [13/41]: enabling entryUSN plugin     [14/41]: configuring lockout plugin     [15/41]: configuring topology plugin     [16/41]: creating indices     [17/41]: enabling referential integrity plugin     [18/41]: configuring certmap.conf     [19/41]: configure new location for managed entries     [20/41]: configure dirsrv ccache and keytab     [21/41]: enabling SASL mapping fallback     [22/41]: restarting directory server     [23/41]: adding sasl mappings to the directory     [24/41]: adding default layout     [25/41]: adding delegation layout     [26/41]: creating container for managed entries     [27/41]: configuring user private groups     [28/41]: configuring netgroups from hostgroups     [29/41]: creating default Sudo bind user     [30/41]: creating default Auto Member layout     [31/41]: adding range check plugin     [32/41]: creating default HBAC rule allow_all     [33/41]: adding entries for topology management     [34/41]: initializing group membership     [35/41]: adding master entry     [36/41]: initializing domain level     [37/41]: configuring Posix uid/gid generation     [38/41]: adding replication acis     [39/41]: activating sidgen plugin     [40/41]: activating extdom plugin     [41/41]: configuring directory to start on boot   Done configuring directory server (dirsrv).   Configuring Kerberos KDC (krb5kdc)     [1/10]: adding kerberos container to the directory     [2/10]: configuring KDC     [3/10]: initialize kerberos container   WARNING: Your system is running out of entropy, you may experience long delays     [4/10]: adding default ACIs     [5/10]: creating a keytab for the directory     [6/10]: creating a keytab for the machine     [7/10]: adding the password extension to the directory     [8/10]: creating anonymous principal     [9/10]: starting the KDC     [10/10]: configuring KDC to start on boot   Done configuring Kerberos KDC (krb5kdc).   Configuring kadmin     [1/2]: starting kadmin      [2/2]: configuring kadmin to start on boot   Done configuring kadmin.   Configuring ipa-custodia     [1/5]: Making sure custodia container exists     [2/5]: Generating ipa-custodia config file     [3/5]: Generating ipa-custodia keys     [4/5]: starting ipa-custodia      [5/5]: configuring ipa-custodia to start on boot   Done configuring ipa-custodia.   Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes     [1/28]: configuring certificate server instance     [2/28]: stopping certificate server instance to update CS.cfg     [3/28]: backing up CS.cfg     [4/28]: Add ipa-pki-wait-running     [5/28]: secure AJP connector     [6/28]: reindex attributes     [7/28]: exporting Dogtag certificate store pin     [8/28]: disabling nonces     [9/28]: set up CRL publishing     [10/28]: enable PKIX certificate path discovery and validation     [11/28]: authorising RA to modify profiles     [12/28]: authorising RA to manage lightweight CAs     [13/28]: Ensure lightweight CAs container exists     [14/28]: starting certificate server instance     [15/28]: configure certmonger for renewals     [16/28]: requesting RA certificate from CA     [17/28]: publishing the CA certificate     [18/28]: adding RA agent as a trusted user     [19/28]: configure certificate renewals     [20/28]: Configure HTTP to proxy connexions     [21/28]: updating IPA configuration     [22/28]: enabling CA instance     [23/28]: importing IPA certificate profiles     [24/28]: migrating certificate profiles to LDAP     [25/28]: adding default CA ACL     [26/28]: adding 'ipa' CA entry     [27/28]: configuring certmonger renewal for lightweight CAs     [28/28]: deploying ACME service   Done configuring certificate server (pki-tomcatd).   Configuring directory server (dirsrv)     [1/3]: configuring TLS for DS instance     [2/3]: adding CA certificate entry     [3/3]: restarting directory server   Done configuring directory server (dirsrv).   Configuring ipa-otpd     [1/2]: starting ipa-otpd      [2/2]: configuring ipa-otpd to start on boot   Done configuring ipa-otpd.   Configuring the web interface (httpd)     [1/21]: stopping httpd     [2/21]: backing up ssl.conf     [3/21]: disabling nss.conf     [4/21]: configuring mod_ssl certificate paths     [5/21]: setting mod_ssl protocol list     [6/21]: configuring mod_ssl log directory     [7/21]: disabling mod_ssl OCSP     [8/21]: adding URL rewriting rules     [9/21]: configuring httpd   Nothing to do for configure_httpd_wsgi_conf     [10/21]: setting up httpd keytab     [11/21]: configuring Gssproxy     [12/21]: setting up ssl     [13/21]: configure certmonger for renewals     [14/21]: publish CA cert     [15/21]: clean up any existing httpd ccaches     [16/21]: configuring SELinux for httpd     [17/21]: create KDC proxy config     [18/21]: enable KDC proxy     [19/21]: starting httpd     [20/21]: configuring httpd to start on boot     [21/21]: enabling oddjobd   Done configuring the web interface (httpd).   Configuring Kerberos KDC (krb5kdc)     [1/1]: installing X509 Certificate for PKINIT   Done configuring Kerberos KDC (krb5kdc).   Applying LDAP updates   Upgrading IPA:. Estimated time: 1 minute 30 seconds     [1/10]: stopping directory server     [2/10]: saving configuration     [3/10]: disabling listeners     [4/10]: enabling DS global lock     [5/10]: disabling Schema Compat     [6/10]: starting directory server     [7/10]: upgrading server     [8/10]: stopping directory server     [9/10]: restoring configuration     [10/10]: starting directory server   Done.   Restarting the KDC   Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes     [1/9]: configuring KRA instance     [2/9]: create KRA agent     [3/9]: enabling ephemeral requests     [4/9]: restarting KRA     [5/9]: configure certmonger for renewals     [6/9]: configure certificate renewals     [7/9]: add vault container     [8/9]: apply LDAP updates     [9/9]: enabling KRA instance   Done configuring KRA server (pki-tomcatd).   Restarting the directory server   dnssec-validation no   Configuring DNS (named)     [1/12]: generating rndc key file     [2/12]: adding DNS container     [3/12]: setting up our zone     [4/12]: setting up reverse zone     [5/12]: setting up our own record     [6/12]: setting up records for other masters     [7/12]: adding NS record to the zones     [8/12]: setting up kerberos principal     [9/12]: setting up named.conf   created new /etc/named.conf   created named user config '/etc/named/ipa-ext.conf'   created named user config '/etc/named/ipa-options-ext.conf'   created named user config '/etc/named/ipa-logging-ext.conf'     [10/12]: setting up server configuration     [11/12]: configuring named to start on boot     [12/12]: changing resolv.conf to point to ourselves   Done configuring DNS (named).   Restarting the web server to pick up resolv.conf changes   Configuring DNS key synchronization service (ipa-dnskeysyncd)     [1/7]: checking status     [2/7]: setting up bind-dyndb-ldap working directory     [3/7]: setting up kerberos principal     [4/7]: setting up SoftHSM     [5/7]: adding DNSSEC containers     [6/7]: creating replica keys     [7/7]: configuring ipa-dnskeysyncd to start on boot   Done configuring DNS key synchronization service (ipa-dnskeysyncd).   Restarting ipa-dnskeysyncd   Restarting named   Updating DNS system records   Configuring SID generation     [1/8]: creating samba domain object     [2/8]: adding admin(group) SIDs     [3/8]: adding RID bases     [4/8]: updating Kerberos config   'dns_lookup_kdc' already set to 'true', nothing to do.     [5/8]: activating sidgen task     [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account     [7/8]: adding fallback group     [8/8]: adding SIDs to existing users and groups   This step may take considerable amount of time, please wait..   Done.   Configuring client side components   This program will set up IPA client.   Version 4.9.6      Using existing certificate '/etc/ipa/ca.crt'.   Client hostname: idm01.example.net   Realm: EXAMPLE.NET   DNS Domain: example.net   IPA Server: idm01.example.net   BaseDN:dc=example,dc=neten      Configured sudoers in /etc/authselect/user-nsswitch.conf   Configured /etc/sssd/sssd.conf   Systemwide CA database updated.   Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub   Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub   Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub   SSSD enabled   Configured /etc/openldap/ldap.conf   Configured /etc/ssh/ssh_config   Configured /etc/ssh/sshd_config   Configuring example.net as NIS domain.   Client configuration complete.   The ipa-client-install command was successful      ==============================================================================   Setup complete      Next steps:   1. You must make sure these network ports are open:   TCP Ports:     * 80, 443: HTTP/HTTPS     * 389, 636: LDAP/LDAPS     * 88, 464: kerberos     * 53: bind   UDP Ports:     * 88, 464: kerberos     * 53: bind     * 123: ntp      2. You can now obtain a kerberos ticket using the command: 'kinit admin'      This ticket will allow you to use the IPA tools (e.g., ipa user-add)      and the web user interface.      Be sure to back up the CA certificates stored in /root/cacert.p12   These files are required to create replicas. The password for these   files is the Directory Manager password   The ipa-server-install command was successful 

Verify if the DNS zone has been set to Dynamic update:

• Log into the server as root  
• authenticate to IdM server using kerberos 

kinit admin 

Verify if the dynamic updates have been enabled for the zone:

ipa dnszone-show example.net   [root@idm01 ~]# ipa dnszone-show example.net       Zone name: example.net.     Active zone: TRUE     Authoritative nameserver: idm01.example.net.     Administrator e-mail address: hostmaster.example.net.     SOA serial: 1648970401     SOA refresh: 3600     SOA retry: 900     SOA expire: 1209600     SOA minimum: 3600     BIND update policy: grant EXAMPLE.NET krb5-self * A; grant                         EXAMPLE.NET krb5-self * AAAA; grant                         EXAMPLE.NET krb5-self * SSHFP;     Dynamic update: TRUE     Allow query: any;     Allow transfer: none; 

If Dynamic update: FALSE run the following command:

ipa dnszone-mod example.net --dynamic-update=TRUE 

IdM Replicas 

It is important to update the DNS records. If the master IdM server has been configured with the DNS, the DNS records should be configured and each server should be configured to use the master as the DNS server. For example:  

Create DNS records for all replica servers: 

kinit admin   ipa dnsrecord-add example.net idm02 --a-rec 192.168.0.15 --a-create-reverse   ipa dnsrecord-add example.net idm03 --a-rec 192.168.0.22 --a-create-reverse

If the master server has IP address 192.168.0.11, configure each replica to use this IP address:  

nmcli con mod eth0 ipv4.dns 192.168.0.11 ipv4.dns-search example.net   nmcli con up eth0 

Ensure DNS service has been added to the configuration of each server:  

firewall-cmd --add-service=dns --permanent    firewall-cmd --add-service=dns    firewall-cmd --reload  

Install packages as described in the previous section and run the following command. The command instructs to install and configure DNS, CA, KRA on the Replica Server(s) 

ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --no-dnssec-validation --reverse-zone=0.168.192.in-addr.arpa. --reverse-zone=1.168.192.in-addr.arpa. --setup-kra --no-forwarders --domain=example.net --server=idm01.example.net 

The following dump is an example installation:  

[root@idm02 ~]# ipa-replica-install --principal admin --admin-password Your_password --setup-dns --setup-ca --mkhomedir --allow-zone-overlap --ntp-server=172.16.36.10 --no-dnssec-validation --reverse-zone=36.16.172.in-addr.arpa. --setup-kra --no-forwarders   Configuring client side components   This program will set up IPA client.   Version 4.9.6      Discovery was successful!   Client hostname: idm02.example.net   Realm: EXAMPLE.NET   DNS Domain: example.net   IPA Server: idm01.example.net   BaseDN: dc=example,dc=net   NTP server: 172.16.36.10      Synchronizing time   Configuration of chrony was changed by installer.   Attempting to sync time with chronyc.   Process chronyc waitsync failed to sync time!   Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.   Successfully retrieved CA cert       Subject:     CN=Certificate Authority,O=EXAMPLE.NET       Issuer:      CN=Certificate Authority,O=EXAMPLE.NET       Valid From:  2022-03-29 04:16:28       Valid Until: 2042-03-29 04:16:28      Enrolled in IPA realm EXAMPLE.NET   Created /etc/ipa/default.conf   Configured sudoers in /etc/authselect/user-nsswitch.conf   Configured /etc/sssd/sssd.conf   Configured /etc/krb5.conf for IPA realm EXAMPLE.NET   Systemwide CA database updated.   Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub   Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub   Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub   SSSD enabled   Configured /etc/openldap/ldap.conf   Configured /etc/ssh/ssh_config   Configured /etc/ssh/sshd_config   Configuring example.net as NIS domain.   Client configuration complete.   The ipa-client-install command was successful      Lookup failed: Preferred host idm02.example.net does not provide DNS.   Checking DNS domain 36.16.172.in-addr.arpa., please wait ...   DNS zone 36.16.172.in-addr.arpa. already exists in DNS and is handled by server(s): idm01.example.net.   Using reverse zone(s) 36.16.172.in-addr.arpa.   Run connexion check to master   Connexion check OK   Disabled p11-kit-proxy   Configuring directory server (dirsrv). Estimated time: 30 seconds     [1/38]: creating directory server instance     [2/38]: tune ldbm plugin     [3/38]: adding default schema     [4/38]: enabling memberof plugin     [5/38]: enabling winsync plugin     [6/38]: configure password logging     [7/38]: configuring replication version plugin     [8/38]: enabling IPA enrollment plugin     [9/38]: configuring uniqueness plugin     [10/38]: configuring uuid plugin     [11/38]: configuring modrdn plugin     [12/38]: configuring DNS plugin     [13/38]: enabling entryUSN plugin     [14/38]: configuring lockout plugin     [15/38]: configuring topology plugin     [16/38]: creating indices     [17/38]: enabling referential integrity plugin     [18/38]: configuring certmap.conf     [19/38]: configure new location for managed entries     [20/38]: configure dirsrv ccache and keytab     [21/38]: enabling SASL mapping fallback     [22/38]: restarting directory server     [23/38]: creating DS keytab     [24/38]: ignore time skew for initial replication     [25/38]: setting up initial replication   Starting replication, please wait until this has completed.   Update in progress, 4 seconds elapsed   Update succeeded        [26/38]: prevent time skew after initial replication     [27/38]: adding sasl mappings to the directory     [28/38]: updating schema     [29/38]: setting Auto Member configuration     [30/38]: enabling S4U2Proxy delegation     [31/38]: initializing group membership     [32/38]: adding master entry     [33/38]: initializing domain level     [34/38]: configuring Posix uid/gid generation     [35/38]: adding replication acis     [36/38]: activating sidgen plugin     [37/38]: activating extdom plugin     [38/38]: configuring directory to start on boot   Done configuring directory server (dirsrv).   Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=idm02,idnsname=example.net.,cn=dns,dc=example,dc=net'.   Configuring Kerberos KDC (krb5kdc)     [1/5]: configuring KDC     [2/5]: adding the password extension to the directory     [3/5]: creating anonymous principal     [4/5]: starting the KDC     [5/5]: configuring KDC to start on boot   Done configuring Kerberos KDC (krb5kdc).   Configuring kadmin     [1/2]: starting kadmin      [2/2]: configuring kadmin to start on boot   Done configuring kadmin.   Configuring directory server (dirsrv)     [1/3]: configuring TLS for DS instance     [2/3]: importing CA certificates from LDAP     [3/3]: restarting directory server   Done configuring directory server (dirsrv).   Configuring the web interface (httpd)     [1/21]: stopping httpd     [2/21]: backing up ssl.conf     [3/21]: disabling nss.conf     [4/21]: configuring mod_ssl certificate paths     [5/21]: setting mod_ssl protocol list     [6/21]: configuring mod_ssl log directory     [7/21]: disabling mod_ssl OCSP     [8/21]: adding URL rewriting rules     [9/21]: configuring httpd   Nothing to do for configure_httpd_wsgi_conf     [10/21]: setting up httpd keytab     [11/21]: configuring Gssproxy     [12/21]: setting up ssl     [13/21]: configure certmonger for renewals     [14/21]: publish CA cert     [15/21]: clean up any existing httpd ccaches     [16/21]: configuring SELinux for httpd     [17/21]: create KDC proxy config     [18/21]: enable KDC proxy     [19/21]: starting httpd     [20/21]: configuring httpd to start on boot     [21/21]: enabling oddjobd   Done configuring the web interface (httpd).   Configuring ipa-otpd     [1/2]: starting ipa-otpd      [2/2]: configuring ipa-otpd to start on boot   Done configuring ipa-otpd.   Custodia uses 'idm01.example.net' as master peer.   Configuring ipa-custodia     [1/4]: Generating ipa-custodia config file     [2/4]: Generating ipa-custodia keys     [3/4]: starting ipa-custodia      [4/4]: configuring ipa-custodia to start on boot   Done configuring ipa-custodia.   Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes     [1/29]: creating certificate server db     [2/29]: setting up initial replication   Starting replication, please wait until this has completed.   Update in progress, 5 seconds elapsed   Update succeeded        [3/29]: creating ACIs for admin     [4/29]: creating installation admin user     [5/29]: configuring certificate server instance     [6/29]: stopping certificate server instance to update CS.cfg     [7/29]: backing up CS.cfg     [8/29]: Add ipa-pki-wait-running     [9/29]: secure AJP connector     [10/29]: reindex attributes     [11/29]: exporting Dogtag certificate store pin     [12/29]: disabling nonces     [13/29]: set up CRL publishing     [14/29]: enable PKIX certificate path discovery and validation     [15/29]: authorising RA to modify profiles     [16/29]: authorising RA to manage lightweight CAs     [17/29]: Ensure lightweight CAs container exists     [18/29]: destroying installation admin user     [19/29]: starting certificate server instance     [20/29]: Finalise replication settings     [21/29]: configure certmonger for renewals     [22/29]: Importing RA key     [23/29]: configure certificate renewals     [24/29]: Configure HTTP to proxy connexions     [25/29]: updating IPA configuration     [26/29]: enabling CA instance     [27/29]: importing IPA certificate profiles     [28/29]: configuring certmonger renewal for lightweight CAs     [29/29]: deploying ACME service   Done configuring certificate server (pki-tomcatd).   Configuring Kerberos KDC (krb5kdc)     [1/1]: installing X509 Certificate for PKINIT   Done configuring Kerberos KDC (krb5kdc).   Applying LDAP updates   Upgrading IPA:. Estimated time: 1 minute 30 seconds     [1/10]: stopping directory server     [2/10]: saving configuration     [3/10]: disabling listeners     [4/10]: enabling DS global lock     [5/10]: disabling Schema Compat     [6/10]: starting directory server     [7/10]: upgrading server     [8/10]: stopping directory server     [9/10]: restoring configuration     [10/10]: starting directory server   Done.   Finalise replication settings   Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes     [1/10]: creating ACIs for admin     [2/10]: creating installation admin user     [3/10]: configuring KRA instance     [4/10]: destroying installation admin user     [5/10]: enabling ephemeral requests     [6/10]: restarting KRA     [7/10]: configure certmonger for renewals     [8/10]: configure certificate renewals     [9/10]: apply LDAP updates     [10/10]: enabling KRA instance   Done configuring KRA server (pki-tomcatd).   Restarting the directory server   Restarting the KDC   dnssec-validation no   Configuring DNS (named)     [1/9]: generating rndc key file     [2/9]: setting up reverse zone     [3/9]: setting up our own record     [4/9]: adding NS record to the zones     [5/9]: setting up kerberos principal     [6/9]: setting up named.conf   created new /etc/named.conf   created named user config '/etc/named/ipa-ext.conf'   created named user config '/etc/named/ipa-options-ext.conf'   created named user config '/etc/named/ipa-logging-ext.conf'     [7/9]: setting up server configuration     [8/9]: configuring named to start on boot     [9/9]: changing resolv.conf to point to ourselves   Done configuring DNS (named).   Restarting the web server to pick up resolv.conf changes   Configuring DNS key synchronization service (ipa-dnskeysyncd)     [1/7]: checking status     [2/7]: setting up bind-dyndb-ldap working directory     [3/7]: setting up kerberos principal     [4/7]: setting up SoftHSM     [5/7]: adding DNSSEC containers   DNSSEC container exists (step skipped)     [6/7]: creating replica keys     [7/7]: configuring ipa-dnskeysyncd to start on boot   Done configuring DNS key synchronization service (ipa-dnskeysyncd).   Restarting ipa-dnskeysyncd   Restarting named   Updating DNS system records      Global DNS configuration in LDAP server is empty   You can use 'dnsconfig-mod' command to set global DNS options that   would override settings in local named.conf files      Configuring SID generation     [1/7]: creating samba domain object   Samba domain object already exists     [2/7]: adding admin(group) SIDs   Admin SID already set, nothing to do   Admin group SID already set, nothing to do     [3/7]: adding RID bases   RID bases already set, nothing to do     [4/7]: updating Kerberos config   'dns_lookup_kdc' already set to 'true', nothing to do.     [5/7]: activating sidgen task     [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account     [7/7]: adding fallback group   Fallback group already set, nothing to do   Done.   The ipa-replica-install command was successful 

Install and enrol the ipa client 

hostnamectl set-hostname ssodb03.example.net   dnf update   dnf module enable idm:DL1   dnf distrosync   dnf module install idm:DL1/client   ipa-client-install --enable-dns-updates --mkhomedir --server=idm01.example.net --principal=admin --password=Your_password --domain=example.net --realm=EXAMPLE.NET 

Add user to IdM 

ipa user-add idmuser03 \   --first=user03 --last=idm \   --email=idmuser03@example.net \   --password 

or

ipa user-add idmuser01 --first=idmuser01 --last=idm --email=idmuser01@example.net --random 

Keep in mind that the user will need to change the password on the first login 

Establish AD Trust 

• Ensure all the packages have been installed  

dnf install ipa-server-trust-ad samba-client -y 

• Modify the Primary Server DNS configuration:  

nmcli con mod eth0 ipv4.dns 127.0.0.1    nmcli con up eth0 

• Configure IdM as a trust controller (repeat on each node) 

ipa-adtrust-install --netbios-name=EXAMPLE -a Your_password   The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log   ==============================================================================   This program will setup components needed to establish trust to AD domains for   the IPA Server.      This includes:     * Configure Samba     * Add trust related objects to IPA LDAP server      To accept the default shown in brackets, press the Enter key.      IPA generated smb.conf detected.   Overwrite smb.conf? [no]: yes   Do you want to enable support for trusted domains in Schema Compatibility plugin?   This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.      Enable trusted domains support in slapi-nis? [no]: yes         The following operations may take some minutes to complete.   Please wait until the prompt is returned.      Configuring CIFS     [1/24]: validate server hostname     [2/24]: stopping smbd     [3/24]: creating samba domain object   Samba domain object already exists     [4/24]: retrieve local idmap range     [5/24]: writing samba config file     [6/24]: creating samba config registry     [7/24]: adding cifs Kerberos principal     [8/24]: adding cifs and host Kerberos principals to the adtrust agents group     [9/24]: check for cifs services defined on other replicas     [10/24]: adding cifs principal to S4U2Proxy targets   cifs principal already targeted, nothing to do.     [11/24]: adding admin(group) SIDs   Admin SID already set, nothing to do   Admin group SID already set, nothing to do     [12/24]: adding RID bases   RID bases already set, nothing to do     [13/24]: updating Kerberos config   'dns_lookup_kdc' already set to 'true', nothing to do.     [14/24]: activating CLDAP plugin   CLDAP plugin already configured, nothing to do     [15/24]: activating sidgen task   Sidgen task plugin already configured, nothing to do     [16/24]: map BUILTIN\Guests to nobody group     [17/24]: configuring smbd to start on boot     [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin     [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account     [20/24]: adding fallback group   Fallback group already set, nothing to do     [21/24]: adding Default Trust View   Default Trust View already exists.     [22/24]: setting SELinux booleans     [23/24]: starting CIFS services     [24/24]: restarting smbd   Done configuring CIFS.      =============================================================================   Setup complete      You must make sure these network ports are open:   TCP Ports:     * 135: epmap     * 138: netbios-dgm     * 139: netbios-ssn     * 445: microsoft-ds     * 1024..1300: epmap listener range     * 3268: msft-gc   UDP Ports:     * 138: netbios-dgm     * 139: netbios-ssn     * 389: (C)LDAP     * 445: microsoft-ds     See the ipa-adtrust-install(1) man page for more details 

• Update the forwarders and allow zone transfers between Realms:  

 ipa dnszone-mod example.net --allow-transfer=IP_OF_ACTIVEDIRECTORY_CNTRL    ipa dnsforwardzone-add REMOTE_DOMAIN --forwarder=IP_OF_ACTIVEDIRECTORY_CNTRL --forward-policy=only    ipa dns-update-system-records 

• On the Active Directory DNS server, execute the following command:  

dnscmd 127.0.0.1 /ZoneAdd example.net /Forwarder 192.168.0.11 (idM Primary IP) 

• Establish the trust with the AD:  

This method requires User/Password with privileges to establish trust with AD  

kinit admin   ipa trust-add --type=ad remote_domain --admin Administrator --password --two-way=True 

The following output should be expected:  

Active Directory domain administrator's password:    ------------------------------------------------------   Re-established trust to domain "archivemigrations.org"   ------------------------------------------------------     Realm name: archivemigrations.org     Domain NetBIOS name: ARCHIVEMIG     Domain Security Identifier: S-1-5-21-3330954099-1499013306-3576720302     Trust direction: Two-way trust     Trust type: Active Directory domain     Trust status: Established and verified

• Verify if kerberos is working and users can get the kerberos ticket:  

[root@idm01 ~]# kinit sbaszczyj@archivemigrations.org   Password for sbaszczyj@archivemigrations.org:    [root@idm01 ~]# klist   Ticket cache: KCM:0:12915   Default principal: sbaszczyj@ARCHIVEMIGRATIONS.ORG      Valid starting     Expires            Service principal   04/04/22 00:49:35  04/04/22 10:49:35  krbtgt/ARCHIVEMIGRATIONS.ORG@ARCHIVEMIGRATIONS.ORG   renew until 05/04/22 00:49:31   [root@idm01 ~]# id sbaszczyj@archivemigrations.org   uid=794602128(sbaszczyj@archivemigrations.org) gid=794602128(sbaszczyj@archivemigrations.org) groups=794602128(sbaszczyj@archivemigrations.org),794600513(domain users@archivemigrations.org) 

• Create the external non-POSIX group: 

ipa group-add ad_admins_external --external 

• Add standard POSIX group: 

ipa group-add ad_admins 

• Add external AD Group to ad_admins_external IDM group:  

ipa group-add-member ad_admins_external --external 'ARCHIVEMIG\Domain admins' 

Add the external FreeIPA group to the POSIX FreeIPA group as a member. For example: 

ipa group-add-member ad_admins --groups ad_admins_external 

Setting the global domain resolution order on an IdM server 

 
This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order: 

The following is just an example  

Active Directory (AD) domain: archivemigrations.org 
IdM domain: example.net 

ipa config-mod --domain-resolution-order=’archivemigrations.org:example.net' 

When AD administrator credentials are not available

# ipa trust-add --type=ad "ad_domain" --trust-secret 

Enter the trust shared secret when prompted. At this point IPA will create two-way forest trust on IPA side. Second leg of the trust need to be created manually and validated on AD side. Following GIF sequence shows how trust with shared secret is created: 

Once trust leg on AD side is established, one needs to retrieve the list of trusted forest domains from AD side. This is done using following command: 

# ipa trust-fetch-domains "ad_domain" 

With this command running successfuly, IPA will get information about trusted domains and will create all needed identity ranges for them. 

Use “trustdomain-find” to see list of the trusted domains from a trusted forest: 

# ipa trustdomain-find "ad_domain" 

If you are interested in learning more about how to install and configure Red Hat Identity Management Server on Red Hat Enterprise Linux 8, or if you have any questions about the requirements and configurations mentioned in this blog post, feel free to contact us for more information. Our team of experts is ready to assist you with your IdM installation and configuration needs.