FreeIPA: Directory and authentication services the easy way

Christian Stankowic, www.stankowic-development.net

Free and Open Source software Conference, 21.08.2016
Page 1: FreeIPA - cstan.io · 2016. 8. 21. · 1 # kinit cstan 2 Password for cstan@STANKOWIC.LOC: 3 # klist 4 Ticket cache: KEYRING:persistent:35800001: krb_ccache_xTeMlYY 5 Default principal:


whoami

Christian Stankowic

Messer Information Services GmbH

Linux & vSphere administrator

Blogger & book author


AGENDA


Agenda

Motivation

Installation

Client integration

Basic administration and examples


MOTIVATION


Why central authentication?

User information is stored centrally

No password clutter

Low effort when an employee leaves (offboarding)

Reasonable as soon as there are more than 2 systems


What is FreeIPA?

free IPA solution by Red Hat

Identity, Policy, Audit

Also known as Red Hat Identity Management (IdM) under RHEL

Comparable to Microsoft AD DS and Novell eDirectory


What is FreeIPA?

Web interface combining:

DNS server (BIND9)
Directory server (389ds)
Dogtag certificate system
MIT Kerberos for authentication and single sign-on (SSO)


Features (1/2)

Configuring DNS zones

Maintaining user(group)s and host(group)s

sudo and HBAC (Host Based Access Control) rules

Role support (e.g. admins, servicedesk, ...)


Features (2/2)

AD-DS trusts (version 3+)

Multiple servers/replicas, availability / load balancing

2FA (Two-factor authentication) + OTP (One-time password)

Multiple APIs (XML/JSONRPC, Python, ...)


INSTALLATION


System requirements

at least 2 CPUs

1 GB+ memory

10 GB+ hard drive

Linux distributions:
Fedora
Enterprise Linux (RHEL, CentOS, SL)
Debian Sid / Ubuntu 16.04


Network requirements

IPv6 should be disabled

Time synchronization using ntpd (no chronyd)

Open ports:

80, 443, 8080 (tcp, web server)
389, 636 (tcp, ldap/ldaps)
88, 464 (tcp/udp, Kerberos)
123 (udp, NTP)


Installation (1/3)

# yum install ipa-server{,-trust-ad}
# ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Server host name [st-ipa.stankowic.loc]:
Please confirm the domain name [stankowic.loc]:
Please provide a realm name [STANKOWIC.LOC]:

Listing 1: Package installation, configuring DNS and Realm


Installation (2/3)

Directory Manager password:
Password (confirm):
IPA admin password:
Password (confirm):
...
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [1.22.10.in-addr.arpa.]:
Using reverse zone(s) 1.22.10.in-addr.arpa.

Listing 2: Passwords and Reverse Zones


Installation (3/3)

The IPA Master Server will be configured with:
Hostname:        st-ipa.stankowic.loc
IP address(es):  10.22.1.3
Domain name:     stankowic.loc
Realm name:      STANKOWIC.LOC
BIND DNS server will be configured to serve IPA domain with:
Forwarders:      10.22.1.1, 10.22.0.2
Reverse zone(s): 1.22.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes

Listing 3: Summary


INTEGRATION


Client requirements

freeipa-client registers and configures:
Kerberos
LDAP client
SSSD

Linux distributions:
Fedora
Enterprise Linux (RHEL, CentOS, SL)
Debian Sid / Ubuntu 16.04


Excursus: SSSD

System Security Services Daemon

Central authentication, local credentials cache

Integration into LDAP, IPA, AD-DS, Kerberos, ...

Offers PAM and NSS modules


Client integration (1/4)

Install freeipa-client package

FreeIPA DNS set? (NS, SRV records)

Valid hostname configured?

Run ipa-client-install:

--mkhomedir - create home folders
--uninstall - unregisters host
--domain - manually specify domain


Client integration (2/4)

# yum install -y ipa-client
# hostnamectl set-hostname giertz.stankowic.loc
# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: giertz.stankowic.loc
Realm: STANKOWIC.LOC
DNS Domain: stankowic.loc
IPA Server: st-ipa.stankowic.loc
BaseDN: dc=stankowic,dc=loc
Continue to configure the system with these values? [no]: yes

Listing 4: Integrating a client


Client integration (3/4)

User authorized to enroll computers: cstan
Synchronizing time with KDC...
Password for cstan@STANKOWIC.LOC:
Successfully retrieved CA cert
...
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/sshd_config
Client configuration complete.

Listing 5: Integrating a client


Client integration (4/4)

# kinit cstan
Password for cstan@STANKOWIC.LOC:
# klist
Ticket cache: KEYRING:persistent:35800001:krb_ccache_xTeMlYY
Default principal: cstan@STANKOWIC.LOC

Valid starting       Expires              Service principal
14.07.2016 23:03:25  15.07.2016 23:03:25  krbtgt/STANKOWIC.LOC@STANKOWIC.LOC
# ssh st-ipa.stankowic.loc

Listing 6: Tests after integration
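As an added example (not from the slides), a small shell check that automates the tests in Listing 6: it verifies that the credential cache holds an unexpired TGT for the expected realm. The klist text is constructed to match the slide; on a live client pass "$(klist 2>/dev/null)" and the output of date +%Y%m%d%H%M%S instead.

```shell
#!/bin/sh
# Added example, not from the slides: a post-enrollment check for Listing 6.
# It reads klist output and verifies that a TGT for the expected realm exists
# and has not expired. SAMPLE_KLIST is constructed to match the slide
# (dd.mm.yyyy timestamps); NOW_KEY is date +%Y%m%d%H%M%S on a live system.

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:35800001:krb_ccache_xTeMlYY
Default principal: cstan@STANKOWIC.LOC

Valid starting       Expires              Service principal
14.07.2016 23:03:25  15.07.2016 23:03:25  krbtgt/STANKOWIC.LOC@STANKOWIC.LOC'

# Turn "dd.mm.yyyy HH:MM:SS" into yyyymmddHHMMSS so timestamps compare as integers.
ts_key() {
    echo "$1 $2" | awk -F'[. :]' '{ printf "%s%s%s%s%s%s\n", $3, $2, $1, $4, $5, $6 }'
}

# principal_realm KLIST_OUTPUT -> realm of the default principal (empty if none)
principal_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}

# tgt_valid KLIST_OUTPUT REALM NOW_KEY
# exit 0 only if a krbtgt/REALM@REALM ticket exists that expires after NOW_KEY
tgt_valid() {
    realm=$2; now=$3
    line=$(printf '%s\n' "$1" | grep "krbtgt/$realm@$realm\$") || return 1
    set -- $line   # fields: start date, start time, expiry date, expiry time, principal
    [ "$(ts_key "$3" "$4")" -gt "$now" ]
}

# klist_ok KLIST_OUTPUT REALM NOW_KEY: both checks, with a one-line verdict
klist_ok() {
    [ "$(principal_realm "$1")" = "$2" ] || { echo "default principal is not in realm $2"; return 1; }
    tgt_valid "$1" "$2" "$3" || { echo "no unexpired TGT for realm $2"; return 1; }
    echo "ticket cache OK for realm $2"
}

# Run against the constructed output, pretending it is 15.07.2016 12:00:00.
klist_ok "$SAMPLE_KLIST" STANKOWIC.LOC 20160715120000
```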


ADMINISTRATION


User(group)s

Defining typical user information

LDAP schema can be extended

Users can be grouped

Example: all DB admins, all FTP users,...


Host(group)s

Hosts can be part of groups

Example: all web servers, all DB servers,...

Hostgroups can be used in sudo and HBAC rules

Always use host groups instead of hosts!


HBAC rules

Controls which user(group)s can access which hostgroups using which service

Example: allow DB admins on all DB servers using SSH

Definitely remove default rule allow_all!

No replacement for firewall rules!


Sudo rules

Controlling commands and command groups

Defining:
User(group)s
Host(group)s
Commands/command groups
Alternate identities
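As an added example that is not from the slides or the freeipa-stuff repository: the HBAC case above (DB admins on all DB servers via SSH, then retiring allow_all) and the matching sudo rule, expressed with the ipa CLI. The user group dbadmins (with cstan as a member), the host group dbservers, the sudo command group db and the host db01.stankowic.loc are assumed names.

```shell
#!/bin/sh
# Added example; not from the slides or the freeipa-stuff repository.
# Applies the advice above: DB admins reach all DB servers over SSH only,
# then allow_all is retired, and a matching sudo rule is created.
# Assumed names: user group dbadmins (cstan is a member), host group
# dbservers, sudo command group db, host db01.stankowic.loc.
# Dry run is the default and prints the ipa commands, like the -n mode of
# ipa-sudo-basic-rules.py; DRY_RUN=0 executes them and needs an admin
# ticket (kinit admin).
DRY_RUN=${DRY_RUN:-1}

ipa_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "ipa $*"; else ipa "$@"; fi
}

# HBAC: one user group, one host group, the sshd service and nothing else.
hbac_allow_ssh() {
    rule=$1; usergroup=$2; hostgroup=$3
    ipa_cmd hbacrule-add "$rule" --desc="SSH for $usergroup on $hostgroup" &&
    ipa_cmd hbacrule-add-user "$rule" --groups="$usergroup" &&
    ipa_cmd hbacrule-add-host "$rule" --hostgroups="$hostgroup" &&
    ipa_cmd hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Disable the permissive default rule only after a specific rule exists,
# and let hbactest confirm the access decision so nobody is locked out.
hbac_retire_allow_all() {
    user=$1; host=$2
    ipa_cmd hbacrule-disable allow_all &&
    ipa_cmd hbactest --user="$user" --host="$host" --service=sshd
}

# Sudo: the same user group may run a command group as root on the host group.
sudo_allow_cmdgroup() {
    rule=$1; usergroup=$2; hostgroup=$3; cmdgroup=$4
    ipa_cmd sudorule-add "$rule" --desc="$cmdgroup commands for $usergroup" &&
    ipa_cmd sudorule-add-user "$rule" --groups="$usergroup" &&
    ipa_cmd sudorule-add-host "$rule" --hostgroups="$hostgroup" &&
    ipa_cmd sudorule-add-allow-command "$rule" --sudocmdgroups="$cmdgroup" &&
    ipa_cmd sudorule-add-runasuser "$rule" --users=root
}

hbac_allow_ssh dbadmins_ssh dbadmins dbservers
sudo_allow_cmdgroup dbadmins_sudo dbadmins dbservers db
hbac_retire_allow_all cstan db01.stankowic.loc
```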


Excursus: ipa-sudo-basic-rules (1/2)

Group of common administration commands (currently 250)

Automatically creates sudo commands andcommand groups

Python script, deploy’n’play

Download at github.com/stdevel/freeipa-stuff


Excursus: ipa-sudo-basic-rules (2/2)

$ ./ipa-sudo-basic-rules.py -i
INFO:ipa-sudo-basic-rules.py:This definition has version 0.1.9 and consists of 33 command groups and 255 commands.

$ ./ipa-sudo-basic-rules.py -n
INFO:ipa-sudo-basic-rules.py:I'd like to execute the following command: ipa sudocmdgroup-add firewall --desc='Managing firewall configuration'
...

Listing 7: Simulating catalog installation


QUESTIONS?


Links

FreeIPA website: freeipa.org

Deployment Recommendations

Quickstart Guide

Active Directory trust setup

freeipa-stuff repository on GitHub


Thanks for your attention!

http://www.stankowic-development.net
