
Linux - IdM Identity Management Server Installation

As the number of users in an enterprise keeps growing, keeping identity management consistent becomes a real challenge for administrators. Besides the Windows Active Directory domain services server, Linux offers Identity Management (IdM) for this purpose.

1. Introduction to Identity Management

Identity Management (IdM) integrates the LDAP, Kerberos, DNS and PKI protocols, offers both a Web UI and CLI commands for administration, and can establish a Kerberos trust with Active Directory to integrate and synchronise with AD.

https://hackmd.io/_uploads/ryS0vCHb3.png
From www.redhat.com

Upstream open-source version
Every Red Hat product has an upstream open-source counterpart; for IdM, the upstream is the FreeIPA project.

2. IdM installation steps

Prerequisites:

1. Forward and reverse DNS name resolution
2. A static IP address on the host
3. Time synchronisation

| Hostname | IP | Purpose | Spec |
| --- | --- | --- | --- |
| utility.lab.example.com | 192.168.50.125 | IdM (Rocky 8) | CPU: 2, MEM: 4G |

2.1. Configure DNS and NTP on utility

1. Forward and reverse name resolution

```
[root@utility ~]# host utility.lab.example.com
utility.lab.example.com has address 192.168.50.125
[root@utility ~]# host 192.168.50.125
125.50.168.192.in-addr.arpa domain name pointer utility.lab.example.com.
```

Name server setup
For a name server that provides forward and reverse resolution, see HowHow's post "Linux - BIND name server".
2. Time synchronisation

```
[root@utility ~]# systemctl enable --now chronyd
[root@utility ~]# chronyc sources -v

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* bastion.lab.example.com       3   6     7    63   -127us[ +288us] +/-   22ms
^- 140.137.11.50                 2   6    77    57   -459us[ -459us] +/-   42ms
^- ntp2.ntu.edu.tw               2   6    77    60   +314us[ +314us] +/-   49ms
^- twtpe2-ntp-002.aaplimg.c>     1   6    77    59   +239us[ +239us] +/- 2125us
^- 114-35-131-27.hinet-ip.h>     2   6    77    58  +2128us[+2128us] +/-   32ms
```

Time synchronisation
For a time server, see HowHow's post "Linux - NTP time server".
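The two checks above (forward/reverse DNS agreement and a selected chrony source) are easy to get wrong and are exactly what `ipa-server-install` trips over, so here is a preflight script as an added example; it is not from the original post. The function names, messages and the sample `host` lines it checks offline are constructed; the `--live` mode runs the real `hostname`, `host`, `getent` and `chronyc` commands on the host.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for the IdM
# prerequisites in section 2 - forward/reverse DNS agreement, a non-loopback
# address for the FQDN, and a chrony source actually selected for sync.
# Function names, messages and the sample strings below are constructed.

# Pure check: $1 = FQDN, $2 = expected IP, $3 = output of `host FQDN`,
# $4 = output of `host IP`. Both directions must name each other exactly.
dns_pair_ok() {
  rev_name=$(printf '%s' "$2" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
  printf '%s\n' "$3" | grep -qxF "$1 has address $2" || return 1
  printf '%s\n' "$4" | grep -qxF "$rev_name domain name pointer $1." || return 1
}

# Pure check: $1 = output of `chronyc sources`. A leading "^*" marks the
# source chrony is currently synchronised to; only "^-"/"^?" means no sync.
chrony_synced() {
  printf '%s\n' "$1" | grep -qE '^\^\*'
}

# Live wrapper for the host you are about to run ipa-server-install on.
# --unattended takes the hostname from the FQDN, so hostname -f must return
# one, and ipa-server-install refuses a hostname that resolves to loopback.
idm_preflight() {
  fqdn=$(hostname -f) || return 1
  case $fqdn in *.*) ;; *) echo "hostname is not an FQDN: $fqdn"; return 1 ;; esac
  ip=$(hostname -I | awk '{print $1}')
  case $(getent hosts "$fqdn" | awk '{print $1}') in
    127.*|::1) echo "$fqdn resolves to loopback; fix /etc/hosts"; return 1 ;;
  esac
  dns_pair_ok "$fqdn" "$ip" "$(host "$fqdn")" "$(host "$ip")" \
    || { echo "forward/reverse DNS disagree for $fqdn / $ip"; return 1; }
  chrony_synced "$(chronyc sources)" \
    || { echo "chrony has not selected a time source yet"; return 1; }
  echo "preflight OK: $fqdn ($ip)"
}

# Offline demonstration on constructed copies of the two lookups shown above.
FWD_SAMPLE='utility.lab.example.com has address 192.168.50.125'
REV_SAMPLE='125.50.168.192.in-addr.arpa domain name pointer utility.lab.example.com.'
if dns_pair_ok utility.lab.example.com 192.168.50.125 "$FWD_SAMPLE" "$REV_SAMPLE"; then
  echo "sample DNS pair: consistent"
fi
# Run the live checks only when asked, e.g.: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then idm_preflight; fi
```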

2.2. Install the IdM packages

1. Enable the idm:DL1 stream

```
yum module enable idm:DL1
```

2. Switch to the idm:DL1 stream

```
yum distro-sync
```

3. Install the IdM server packages

```
yum module install idm:DL1/server
```

4. Install the IdM server
  • --realm: the Kerberos realm name
  • --ds-password: the Directory Server (DS) manager password
  • --admin-password: the IdM administrator password (for the admin account)
  • --unattended: non-interactive; the hostname and domain name are taken automatically from the FQDN
```
[root@utility ~]# ipa-server-install --realm LAB.EXAMPLE.COM --ds-password redhat123 --admin-password redhat123 --unattended

...output omitted...

The IPA Master Server will be configured with:
Hostname:       utility.lab.example.com
IP address(es): 192.168.50.125
Domain name:    lab.example.com
Realm name:     LAB.EXAMPLE.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=LAB.EXAMPLE.COM
Subject base: O=LAB.EXAMPLE.COM
Chaining:     self-signed

...output omitted...
Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
```
5. Open the firewall rules

```
[root@utility ~]# firewall-cmd --permanent --add-service freeipa-4
success
firewall-cmd: error: unrecognized arguments: reload
[root@utility ~]# firewall-cmd --reload
success
```

3. IdM Web UI

1. Log in with a browser at https://utility.lab.example.com using the account admin and the password redhat123.

https://hackmd.io/_uploads/B1DgEJUWh.png

2. Create a user named rhvm as a test.

https://hackmd.io/_uploads/BkzhVkLb2.png

4. IdM CLI

1. Obtain a Kerberos ticket for admin.

```
[root@utility ~]# kinit admin
Password for admin@LAB.EXAMPLE.COM:
[root@utility ~]# klist
Ticket cache: KCM:0
Default principal: admin@LAB.EXAMPLE.COM

Valid starting       Expires              Service principal
04/02/2023 01:08:13  04/03/2023 00:12:09  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
```
2. Create a developer user as a test.

```
[root@utility ~]# ipa user-add developer --first=dev --last=user --password
Password:
Enter Password again to verify:
----------------------
Added user "developer"
----------------------
  User login: developer
  First name: dev
  Last name: user
  Full name: dev user
  Display name: dev user
  Initials: du
  Home directory: /home/developer
  GECOS: dev user
  Login shell: /bin/sh
  Principal name: developer@LAB.EXAMPLE.COM
  Principal alias: developer@LAB.EXAMPLE.COM
  User password expiration: 20230401170910Z
  Email address: developer@lab.example.com
  UID: 857400004
  GID: 857400004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
```
3. View user details

```
[root@utility ~]# ipa user-find rhvm --raw  --all
--------------
1 user matched
--------------
  dn: uid=rhvm,cn=users,cn=accounts,dc=lab,dc=example,dc=com
  uid: rhvm
  givenname: admin
  sn: admin
  cn: admin admin
  initials: aa
  homedirectory: /home/rhvm
  gecos: admin admin
  loginshell: /bin/sh
  krbcanonicalname: rhvm@LAB.EXAMPLE.COM
  krbprincipalname: rhvm@LAB.EXAMPLE.COM
  mail: rhvm@lab.example.com
  uidnumber: 857400003
  gidnumber: 857400003
  nsaccountlock: FALSE
  displayName: admin admin
  ipaNTSecurityIdentifier: S-1-5-21-1342798991-565468756-2456127613-1003
  ipaUniqueID: 999d5806-d0af-11ed-a2d8-52540001329e
  krbExtraData: AAKsZChkcm9vdC9hZG1pbkBMQUIuRVhBTVBMRS5DT00A
  krbLastPwdChange: 20230401170652Z
  krbPasswordExpiration: 20230401170652Z
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
  mepManagedEntry: cn=rhvm,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
```
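Two of the raw attributes above carry the account's security state: nsaccountlock (is the account disabled) and krbPasswordExpiration compared with krbLastPwdChange. When an administrator sets a password, as `--password` does in the user-add step, IdM expires it immediately, which is why the rhvm entry shows both stamps equal and the user must change the password at first login. The following audit script is an added example, not from the original post; its function names and the two sample entries are constructed, and the live pipeline is `ipa user-find --raw --all | audit_users` after `kinit`.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `ipa user-find --raw
# --all` dump for nsaccountlock (account disabled) and for passwords that
# must be reset at first login (krbPasswordExpiration <= krbLastPwdChange,
# the state IdM puts an admin-set password in). Names and sample entries
# are constructed.

# Reads raw user-find output on stdin; prints one line per user:
#   <uid> locked=<TRUE|FALSE> pw_reset_required=<yes|no>
audit_users() {
  awk '
    function flush() {
      if (uid != "")
        printf "%s locked=%s pw_reset_required=%s\n", uid, lock, ((pwexp != "" && pwexp <= chg) ? "yes" : "no")
      uid = ""; lock = "FALSE"; pwexp = ""; chg = ""
    }
    BEGIN                        { lock = "FALSE" }
    /^  dn: /                    { flush() }   # every entry starts with its dn
    /^  uid: /                   { uid = $2 }
    /^  nsaccountlock: /         { lock = $2 }
    /^  krbPasswordExpiration: / { pwexp = $2 } # generalized-time strings sort lexically
    /^  krbLastPwdChange: /      { chg = $2 }
    END                          { flush() }
  '
}

# Constructed sample in the layout of the rhvm entry above: rhvm with an
# admin-set password (expiry equals last change) plus a disabled "svc" account.
SAMPLE_DUMP='--------------
2 users matched
--------------
  dn: uid=rhvm,cn=users,cn=accounts,dc=lab,dc=example,dc=com
  uid: rhvm
  nsaccountlock: FALSE
  krbLastPwdChange: 20230401170652Z
  krbPasswordExpiration: 20230401170652Z
  dn: uid=svc,cn=users,cn=accounts,dc=lab,dc=example,dc=com
  uid: svc
  nsaccountlock: TRUE
  krbLastPwdChange: 20230401170652Z
  krbPasswordExpiration: 20230701170652Z
----------------------------
Number of entries returned 2
----------------------------'

audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | audit_users; }
audit_sample
# Live use on the server after kinit admin: ipa user-find --raw --all | audit_users
```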

5. Summary

IdM is straightforward both to install and to operate; in addition, where Microsoft Windows Active Directory licensing is too expensive, FreeIPA can be used instead as the identity management server.


