FreeIPA - cstan.io (21.08.2016)
FreeIPA: Directory and authentication services the easy way
Christian Stankowic, www.stankowic-development.net
Free and Open Source Software Conference, 21.08.2016
whoami
Christian Stankowic
Messer Information Services GmbH
Linux & vSphere administrator
Blogger & book author
AGENDA
Agenda
Motivation
Installation
Client integration
Basic administration and examples
MOTIVATION
Why central authentication?
User information is stored centrally
No password clutter
Low effort when an employee leaves (accounts are deprovisioned in one place)
Worthwhile when running more than 2 systems
What is FreeIPA?
Free IPA solution by Red Hat
Identity, Policy, Audit
Also known as Red Hat Identity Management (IdM) on RHEL
Comparable to Microsoft AD DS and Novell eDirectory
What is FreeIPA?
Web interface combining:
DNS server (BIND9)
Directory server (389ds)
Dogtag certificate system
MIT Kerberos for authentication and single sign-on (SSO)
Features (1/2)
Configuring DNS zones
Maintaining users, user groups, hosts and host groups
sudo and HBAC (Host-Based Access Control) rules
Role support (e.g. admins, service desk, ...)
Features (2/2)
AD-DS trusts (version 3+)
Multiple servers/replicas for availability and load balancing
2FA (two-factor authentication) with OTP (one-time passwords)
Multiple APIs (XML-RPC/JSON-RPC, Python, ...)
INSTALLATION
System requirements
at least 2 CPUs
1 GB+ memory
10 GB+ hard drive
Linux distributions:
Fedora
Enterprise Linux (RHEL, CentOS, SL)
Debian Sid / Ubuntu 16.04
Network requirements
IPv6 should be disabled
Time synchronisation via ntpd (not chronyd)
Open ports:
80, 443, 8080 (tcp, web server)
389, 636 (tcp, ldap/ldaps)
88, 464 (tcp/udp, Kerberos)
123 (udp, NTP)
Installation (1/3)
    # yum install ipa-server{,-trust-ad}
    # ipa-server-install
    ...
    Do you want to configure integrated DNS (BIND)? [no]: yes
    Server host name [st-ipa.stankowic.loc]:
    Please confirm the domain name [stankowic.loc]:
    Please provide a realm name [STANKOWIC.LOC]:
Listing 1: Package installation, configuring DNS and realm
Installation (2/3)
    Directory Manager password:
    Password (confirm):
    IPA admin password:
    Password (confirm):
    ...
    Do you want to configure the reverse zone? [yes]:
    Please specify the reverse zone name [1.22.10.in-addr.arpa.]:
    Using reverse zone(s) 1.22.10.in-addr.arpa.
Listing 2: Passwords and reverse zones
Installation (3/3)
    The IPA Master Server will be configured with:
    Hostname:        st-ipa.stankowic.loc
    IP address(es):  10.22.1.3
    Domain name:     stankowic.loc
    Realm name:      STANKOWIC.LOC
    BIND DNS server will be configured to serve IPA domain with:
    Forwarders:      10.22.1.1, 10.22.0.2
    Reverse zone(s): 1.22.10.in-addr.arpa.
    Continue to configure the system with these values? [no]: yes
Listing 3: Summary
INTEGRATION
Client requirements
freeipa-client registers the host and configures:
Kerberos
LDAP client
SSSD
Linux distributions:
Fedora
Enterprise Linux (RHEL, CentOS, SL)
Debian Sid / Ubuntu 16.04
Excursus: SSSD
System Security Services Daemon
Central authentication with a local credentials cache (logins keep working while the server is unreachable)
Integration with LDAP, IPA, AD DS, Kerberos, ...
Provides PAM and NSS modules
Client integration (1/4)
Install the freeipa-client package
Is FreeIPA DNS set up? (NS and SRV records needed for discovery)
Is a valid, fully qualified hostname configured?
Run ipa-client-install:
--mkhomedir - create home directories on first login
--uninstall - unregister the host
--domain - specify the domain manually (if DNS discovery fails)
Client integration (2/4)
    # yum install -y ipa-client
    # hostnamectl set-hostname giertz.stankowic.loc
    # ipa-client-install --mkhomedir
    Discovery was successful!
    Hostname:   giertz.stankowic.loc
    Realm:      STANKOWIC.LOC
    DNS Domain: stankowic.loc
    IPA Server: st-ipa.stankowic.loc
    BaseDN:     dc=stankowic,dc=loc
    Continue to configure the system with these values? [no]: yes
Listing 4: Integrating a client
Client integration (3/4)
    User authorized to enroll computers: cstan
    Synchronizing time with KDC...
    Password for cstan@STANKOWIC.LOC:
    Successfully retrieved CA cert
    ...
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/sshd_config
    Client configuration complete.
Listing 5: Integrating a client (continued)
Client integration (4/4)
    # kinit cstan
    Password for cstan@STANKOWIC.LOC:
    # klist
    Ticket cache: KEYRING:persistent:35800001:krb_ccache_xTeMlYY
    Default principal: cstan@STANKOWIC.LOC

    Valid starting        Expires               Service principal
    14.07.2016 23:03:25   15.07.2016 23:03:25   krbtgt/
    # ssh st-ipa.stankowic.loc
Listing 6: Tests after integration
ADMINISTRATION
User(group)s
Defining typical user information
LDAP schema can be extended
Users can be grouped
Example: all DB admins, all FTP users,...
Host(group)s
Hosts can be part of groups
Example: all web servers, all DB servers,...
Host groups can be used in sudo and HBAC rules
Always reference host groups instead of individual hosts in rules!
HBAC rules
Controls which user(group)s can access which host groups using which service (e.g. sshd, sudo, login)
Example: DB admins on all DB servers using SSH
Definitely remove the default rule allow_all!
Not a replacement for firewall rules!
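To make the HBAC semantics concrete, here is a small added model (not FreeIPA's own code) of how an enabled rule grants access only when user, host and service all match, and why the default allow_all rule lets every user reach every host over every service until it is disabled. Group names, hosts and users below are constructed sample data, not the talk's environment.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set

@dataclass
class HbacRule:
    """Simplified HBAC rule: members are user/host groups plus services;
    a category of "all" stands for the --usercat/--hostcat/--servicecat=all
    wildcard that the default allow_all rule uses."""
    name: str
    enabled: bool = True
    usercat: Optional[str] = None
    hostcat: Optional[str] = None
    servicecat: Optional[str] = None
    usergroups: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

def rule_matches(rule: HbacRule, user_groups: Set[str],
                 host_groups: Set[str], service: str) -> bool:
    """A rule grants access only if user, host AND service all match."""
    user_ok = rule.usercat == "all" or bool(rule.usergroups & user_groups)
    host_ok = rule.hostcat == "all" or bool(rule.hostgroups & host_groups)
    svc_ok = rule.servicecat == "all" or service in rule.services
    return user_ok and host_ok and svc_ok

def granting_rules(rules: List[HbacRule], user: str, host: str, service: str,
                   user_groups: Dict[str, Set[str]],
                   host_groups: Dict[str, Set[str]]) -> List[str]:
    """Names of enabled rules that allow the access; empty list means denied."""
    ug, hg = user_groups.get(user, set()), host_groups.get(host, set())
    return [r.name for r in rules if r.enabled and rule_matches(r, ug, hg, service)]

def disable_rule(rules: List[HbacRule], name: str) -> List[HbacRule]:
    """Models `ipa hbacrule-disable NAME` without mutating the input list."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]

# Constructed sample data (hypothetical groups, not from the talk).
USER_GROUPS = {"cstan": {"dbadmins"}, "ftpuser": {"ftpusers"}}
HOST_GROUPS = {"db01.stankowic.loc": {"dbservers"}}
RULES = [
    HbacRule("allow_all", usercat="all", hostcat="all", servicecat="all"),
    HbacRule("db_admins_ssh", usergroups={"dbadmins"},
             hostgroups={"dbservers"}, services={"sshd"}),
]

if __name__ == "__main__":
    # With allow_all still enabled, an FTP user may SSH to a DB server.
    print(granting_rules(RULES, "ftpuser", "db01.stankowic.loc", "sshd", USER_GROUPS, HOST_GROUPS))  # ['allow_all']
    hardened = disable_rule(RULES, "allow_all")
    print(granting_rules(hardened, "ftpuser", "db01.stankowic.loc", "sshd", USER_GROUPS, HOST_GROUPS))  # []
    print(granting_rules(hardened, "cstan", "db01.stankowic.loc", "sshd", USER_GROUPS, HOST_GROUPS))  # ['db_admins_ssh']
```

On a real server the same questions are answered by `ipa hbactest --user USER --host HOST --service SERVICE`, which reports exactly which enabled rules matched.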
Sudo rules
Controlling which commands and command groups may be run via sudo
Defining:
User(group)s
Host(group)s
Commands/command groups
Alternate identities (run-as users and groups)
Excursus: ipa-sudo-basic-rules (1/2)
Catalog of common administration commands (currently 250)
Automatically creates sudo commands and command groups
Python script, deploy'n'play
Download at github.com/stdevel/freeipa-stuff
Excursus: ipa-sudo-basic-rules (2/2)
    $ ./ipa-sudo-basic-rules.py -i
    INFO:ipa-sudo-basic-rules.py:This definition has version 0.1.9 and consists of 33 command groups and 255 commands.

    $ ./ipa-sudo-basic-rules.py -n
    INFO:ipa-sudo-basic-rules.py:I'd like to execute the following command: ipa sudocmdgroup-add firewall --desc='Managing firewall configuration'
    ...
Listing 7: Simulating catalog installation (dry run)
QUESTIONS?
Links
FreeIPA website: freeipa.org
Deployment Recommendations
Quickstart Guide
Active Directory trust setup
freeipa-stuff repository on GitHub
Thanks for your attention!
http://www.stankowic-development.net