FreeIPA is an integrated identity management and authentication solution for Linux/Unix networks.
In this article we will learn how to install and configure an IPA server on RHEL/CentOS 7.
Configure the DNS server on RHEL/CentOS 7
FreeIPA uses BIND to provide its DNS service.
We can therefore configure the DNS server for our network as follows. The command below also restricts zone transfers (AXFR) for the onitroad.com zone to the 192.168.1.0/24 subnet, so that only hosts on the local network can pull a full copy of the zone.
# ipa dnszone-mod --allow-transfer=192.168.1.0/24 onitroad.com
  Zone name: onitroad.com
  Authoritative nameserver: ipaserver.onitroad.com.
  Administrator e-mail address: hostmaster.onitroad.com.
  SOA serial: 1532711522
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: 192.168.1.0/24;
Add the MX and A records for ipaserver.onitroad.com to the DNS server.
# ipa dnsrecord-add onitroad.com @ --mx-rec="0 ipaserver.onitroad.com."
  Record name: @
  MX record: 0 ipaserver.onitroad.com.
  NS record: ipaserver.onitroad.com.

# ipa dnsrecord-add onitroad.com ipaserver --ttl=3600 --a-ip-address=192.168.1.200
  Record name: ipaserver
  Time to live: 3600
  A record: 192.168.1.200
  SSHFP record: 1 1 C98798DE70AAF8F555A7C1EC4713A7B0F01F9905,
                1 2 25B1928F52075F38A06C67EB8E3DD72D65C4EACF2F7A57F1912DCA83 CD486236,
                3 1 5BAEFD0566A4CBEF40C24EC4EAD44371E96BE93B,
                3 2 F4A6AAED25D658329C6B5AA865B99B4B87464F90AF547C83A81FF883 C6EAC281
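The SSHFP records shown above are only useful to clients if they match the host keys the server actually uses. As an added example (not from the original article), the following script compares the records published in DNS with the fingerprints computed from the server's own public host keys, so a stale record after a host key change is caught. The file names, the helper names and the all-zero ECDSA fingerprint on the local side are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original article): compare the SSHFP records
# FreeIPA publishes in DNS with fingerprints computed from the server's own
# host keys. Inputs are plain files, so on a real server they would come from:
#   ssh-keygen -r ipaserver.onitroad.com -f /etc/ssh/ssh_host_rsa_key.pub > local.txt
#   dig +short SSHFP ipaserver.onitroad.com > dns.txt

# Normalise either format to one "alg fptype hexdigest" line per record.
# ssh-keygen -r prints "host IN SSHFP 1 1 hex"; dig +short prints "1 1 HEX HEX",
# wrapping long digests with spaces as in the ipa dnsrecord-add output above.
normalize_sshfp() {
    sed -e 's/.*IN[[:space:]]*SSHFP[[:space:]]*//' "$1" |
    awk '{ hex = ""; for (i = 3; i <= NF; i++) hex = hex $i
           print $1, $2, tolower(hex) }' | sort -u
}

# Print records present on only one side; return 0 only when both sets match.
sshfp_diff() {
    local_norm=$(mktemp)
    dns_norm=$(mktemp)
    normalize_sshfp "$1" > "$local_norm"
    normalize_sshfp "$2" > "$dns_norm"
    comm -23 "$local_norm" "$dns_norm" | sed 's/^/missing in DNS: /'
    comm -13 "$local_norm" "$dns_norm" | sed 's/^/stale in DNS:   /'
    count=$(comm -3 "$local_norm" "$dns_norm" | wc -l | tr -d ' ')
    rm -f "$local_norm" "$dns_norm"
    [ "$count" -eq 0 ]
}

# Constructed sample: the DNS side holds records from the article's output;
# the local side has a rotated ECDSA key (all-zero placeholder fingerprint),
# so the type-3 record must be reported on both sides and the check must fail.
write_samples() {
    cat > "$1" <<'EOF'
ipaserver.onitroad.com IN SSHFP 1 1 c98798de70aaf8f555a7c1ec4713a7b0f01f9905
ipaserver.onitroad.com IN SSHFP 1 2 25b1928f52075f38a06c67eb8e3dd72d65c4eacf2f7a57f1912dca83cd486236
ipaserver.onitroad.com IN SSHFP 3 1 0000000000000000000000000000000000000000
EOF
    cat > "$2" <<'EOF'
1 1 C98798DE70AAF8F555A7C1EC4713A7B0F01F9905
1 2 25B1928F52075F38A06C67EB8E3DD72D65C4EACF2F7A57F1912DCA83 CD486236
3 1 5BAEFD0566A4CBEF40C24EC4EAD44371E96BE93B
EOF
}

# Usage: write_samples local.txt dns.txt && sshfp_diff local.txt dns.txt
```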
Finally, check the status of the FreeIPA services.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
We have now successfully installed and configured the FreeIPA server on RHEL/CentOS 7.
Install the FreeIPA server on RHEL/CentOS 7
The FreeIPA server packages are included in the RHEL/CentOS 7 ISO.
We therefore need a local yum repository to install them.
We showed earlier how to set up a local yum repository from the RHEL 7 ISO; we can use it to install the FreeIPA server and its related packages.
# yum install -y ipa-server bind-dyndb-ldap bind
Alternatively, mount the ISO and install the packages directly from it:
# mkdir /centos7
# mount -t iso9660 /centos7-x64.iso /centos7 -o loop,ro
# cd /centos7/Packages
# rpm -ivh ipa-server*
# rpm -ivh bind-dyndb-ldap*
Create a user on the FreeIPA server
To add a user we must first obtain a Kerberos ticket for the admin principal.
# kinit admin
Password for admin@EXAMPLE.COM:
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
07/27/2018 10:51:35  07/28/2018 10:51:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
We now hold a Kerberos ticket and can run the ipa commands.
Set the default login shell for users.
# ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: onitroad.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
Create a user on our FreeIPA server.
# ipa user-add jackli --first=jackli --last=fqyang --password
Password:
Enter Password again to verify:
-----------------
Added user "jackli"
-----------------
  User login: jackli
  First name: jackli
  Last name: fqyang
  Full name: jackli fqyang
  Display name: jackli fqyang
  Initials: am
  Home directory: /home/jackli
  GECOS: jackli fqyang
  Login shell: /bin/bash
  Kerberos principal: jackli@EXAMPLE.COM
  Email address: jackli@onitroad.com
  UID: 1692200001
  GID: 1692200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Install an FTP server on Linux
We must publish the CA certificate so that network clients can download and install it.
To do so, install an anonymous FTP server on the Linux system.
# yum install -y vsftpd
Start and enable the vsftpd service.
# systemctl enable vsftpd && systemctl start vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
Allow the FTP service through the Linux firewall.
# firewall-cmd --permanent --add-service=ftp ; firewall-cmd --reload
success
success
Copy the CA certificate to the FTP public folder to share it with network clients.
Note that /root/cacert.p12 is the PKCS#12 bundle the installer asks us to back up for creating replicas: it contains the CA private key and is protected only by the Directory Manager password, so it should not stay on an anonymous share longer than needed. Clients only require the public CA certificate, which the server also keeps at /etc/ipa/ca.crt.
# cp /root/cacert.p12 /var/ftp/pub
Configure the FreeIPA server on RHEL/CentOS 7
Now configure the FreeIPA server, including its integrated DNS, as follows.
# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Existing BIND configuration detected, overwrite? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.onitroad.com.

Server host name [ipaserver.onitroad.com]:

Warning: skipping DNS resolution of host ipaserver.onitroad.com
The domain name has been determined based on the host name.

Please confirm the domain name [onitroad.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 192.168.1.2
DNS forwarder 192.168.1.2 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [116.168.192.in-addr.arpa.]:
Using reverse zone 116.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipaserver.onitroad.com
IP address:     192.168.1.200
Domain name:    onitroad.com
Realm name:     EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.1.2
Reverse zone:  116.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  ...
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  ...
  [22/22]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
  1. You must make sure these network ports are open:
    TCP Ports:
      * 80, 443: HTTP/HTTPS
      * 389, 636: LDAP/LDAPS
      * 88, 464: kerberos
      * 53: bind
    UDP Ports:
      * 88, 464: kerberos
      * 53: bind
      * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
Allow the services and ports listed above through the Linux firewall.
# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,dns,kerberos,ntp} ; firewall-cmd --reload
success
success
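As an added example (not part of the original article), a small post-install health check that reads the text of `ipactl status` and `firewall-cmd --list-services` and reports any IPA service that is not RUNNING, or any firewalld service from the installer's port list that is not enabled. The service lists come from the article's own output; the sample inputs and function names are constructed.

```bash
#!/bin/bash
# Added example (not from the original article): a post-install health check
# over the text of `ipactl status` and `firewall-cmd --list-services`.
# Both checks read stdin, so on the server they run as:
#   ipactl status | check_ipa_services
#   firewall-cmd --list-services | check_firewall_services
# Services started by ipa-server-install --setup-dns, per the ipactl output above.
IPA_SERVICES="Directory krb5kdc kadmin named ipa_memcached httpd pki-tomcatd ipa-otpd"
# firewalld services covering the port list printed at the end of the install.
FW_SERVICES="http https ldap ldaps dns kerberos ntp"

# Print every expected IPA service that is missing or not RUNNING; return 1 if any.
# ipactl prints one line per service, such as "krb5kdc Service: RUNNING".
check_ipa_services() {
    status=$(cat)
    rc=0
    for svc in $IPA_SERVICES; do
        state=$(printf '%s\n' "$status" |
                awk -v s="$svc" '$1 == s && $2 == "Service:" { print $3 }')
        if [ "$state" != "RUNNING" ]; then
            echo "$svc Service: ${state:-MISSING}"
            rc=1
        fi
    done
    return $rc
}
# Print every firewalld service from the install's port list that is not enabled.
# firewall-cmd --list-services prints the enabled services on a single line.
check_firewall_services() {
    enabled=" $(cat | tr '\n' ' ') "
    rc=0
    for svc in $FW_SERVICES; do
        case "$enabled" in
            *" $svc "*) ;;
            *) echo "firewalld service not enabled: $svc"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample input: pki-tomcatd stopped, https and kerberos not opened.
SAMPLE_IPACTL='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING'
SAMPLE_FIREWALL='dhcpv6-client ssh http ldap ldaps dns ntp'
```

Feed the real command output through the same functions on the server; a non-zero exit status means at least one service or firewall entry needs attention.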
Date: 2020-09-17 00:12:31  Source: oir  Author: oir