What is FreeIPA
Steps 1-4: Setting up FreeIPA on Rocky Linux 9
# 1. Hardware requirements: more than 4 GB of RAM, with Rocky Linux 9 already installed
# 2. Set the hostname. (The original step also disables SELinux; that is not needed:
#    FreeIPA ships its own SELinux policy and runs with SELinux enforcing, so leave it on.)
hostnamectl set-hostname ipa.atstm.cc
# 3. Add the host to /etc/hosts so the FQDN resolves to a non-loopback address
#    (if the server is used on the public Internet, set up DNS resolution yourself instead)
echo "192.168.60.13 ipa.atstm.cc" >> /etc/hosts
# 4. Install the FreeIPA server packages (the DNS component is deliberately not installed),
#    then open the firewall or turn it off. On Rocky Linux 9 the package is named
#    ipa-server; freeipa-server resolves to it through a Provides alias. The two firewalld
#    services below cover every port the installer lists at the end (80/443, 389/636 and
#    88/464 TCP+UDP); add --add-service=ntp only if clients will sync time from this server.
dnf install freeipa-server
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
# 5. Run the FreeIPA installer from the command line
[root@localhost ~]# ipa-server-install --mkhomedir
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.10.2
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: # DNS is not being set up, so accept the default (no)
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com
Server host name [ipa.atstm.cc]: # hostname, just press Enter
The domain name has been determined based on the host name.
Please confirm the domain name [atstm.cc]: # domain name, just press Enter
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [ATSTM.CC]: # just press Enter
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: # set the Directory Manager password
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: # set the admin password
Password (confirm):
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [ATSTM]: # just press Enter
Do you want to configure chrony with NTP server or pool address? [no]: # just press Enter
The IPA Master Server will be configured with:
Hostname: ipa.atstm.cc
IP address(es): 192.168.60.13
Domain name: atstm.cc
Realm name: ATSTM.CC
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=ATSTM.CC
Subject base: O=ATSTM.CC
Chaining: self-signed
Continue to configure the system with these values? [no]: yes # type yes and press Enter
========================================================
================ Installation completes below ==========
========================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Log in to FreeIPA to create users (with the admin account and password): https://ipa.atstm.cc
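As an added example (not part of the original post), the following script performs the checks the interactive installer above relies on and then runs the same installation unattended. Host, IP, domain and realm are the ones used in this post; the password variables IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD, the IPA_RUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): preflight checks for the values
# the interactive installer asks for, and the equivalent unattended
# ipa-server-install call. Host, IP, domain and realm are the post's own; the
# password variables IPA_DM_PASSWORD / IPA_ADMIN_PASSWORD and the function
# names are this example's assumptions.

IPA_HOST=${IPA_HOST:-ipa.atstm.cc}
IPA_IP=${IPA_IP:-192.168.60.13}

# The installer wants <host>.<domain> and refuses single-label domains, so
# require at least two dots and no empty label.
is_fqdn() {
    case "$1" in
        *..*|.*|*.) return 1 ;;
        *.*.*)      return 0 ;;
        *)          return 1 ;;
    esac
}

domain_of() { printf '%s\n' "${1#*.}"; }                          # ipa.atstm.cc -> atstm.cc
realm_of()  { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }  # atstm.cc -> ATSTM.CC

# NetBIOS name the way the installer proposes it: first domain label, upper
# case, only A-Z 0-9 and dashes, at most 15 characters.
netbios_of() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]' | tr -cd 'A-Z0-9\n-' | cut -c1-15
}

# The hostname must resolve before any DNS exists, so a hosts-format file must
# map the IP to the FQDN (the FQDN may appear anywhere after the IP; a line
# that is commented out does not count).
hosts_has_entry() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    host_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${ip_re}([[:space:]]+[^#[:space:]]+)*[[:space:]]+${host_re}([[:space:]]|\$)" "$1"
}

preflight() {
    is_fqdn "$IPA_HOST" || { echo "hostname '$IPA_HOST' is not a usable FQDN" >&2; return 1; }
    hosts_has_entry /etc/hosts "$IPA_IP" "$IPA_HOST" ||
        { echo "/etc/hosts does not map $IPA_IP to $IPA_HOST" >&2; return 1; }
    [ "${#IPA_DM_PASSWORD}" -ge 8 ] && [ "${#IPA_ADMIN_PASSWORD}" -ge 8 ] ||
        { echo "IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD must be set (8+ characters)" >&2; return 1; }
}

# Non-secret installer arguments, mirroring the interactive answers above:
# no integrated DNS, no NTP server, home directories created at first login.
ipa_install_args() {
    domain=$(domain_of "$IPA_HOST")
    printf '%s\n' "--unattended --mkhomedir --no-ntp --hostname=$IPA_HOST --ip-address=$IPA_IP --domain=$domain --realm=$(realm_of "$domain") --netbios-name=$(netbios_of "$domain")"
}

# In unattended mode the two passwords have to go on the command line, where
# any local user can read them from ps while the installer runs. Acceptable on
# a fresh single-admin box; otherwise drop --unattended and let it prompt.
run_install() {
    preflight || return 1
    # shellcheck disable=SC2046 -- the non-secret arguments contain no whitespace
    ipa-server-install $(ipa_install_args) \
        --ds-password="$IPA_DM_PASSWORD" --admin-password="$IPA_ADMIN_PASSWORD"
}

# Only install when explicitly asked, so the file can be sourced for its checks:
#   IPA_RUN=1 IPA_DM_PASSWORD=... IPA_ADMIN_PASSWORD=... sh ipa-preflight.sh
if [ "${IPA_RUN:-0}" = 1 ]; then
    run_install
fi
```

Running it without IPA_RUN=1 only defines the functions, so `preflight` can be called on its own to confirm the hostname and /etc/hosts entry before committing to the install.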
Common FreeIPA commands (part 1)
# Obtain the administrator's Kerberos credentials (kinit <user>)
kinit admin
# Check how long the ticket is valid
[root@ipa ~]# klist
Ticket cache: KCM:0
Default principal: admin@ATSTM.CC
Valid starting       Expires              Service principal
02/03/2024 19:00:45  02/04/2024 18:16:30  krbtgt/ATSTM.CC@ATSTM.CC
# Look up a user
[root@ipa ~]# ipa user-find test
--------------
1 user matched
--------------
User login: test
First name: 彦祖
Last name: 吴
Home directory: /home/test
Login shell: /bin/sh
Principal name: test@ATSTM.CC
Principal alias: test@ATSTM.CC
Email address: test@atstm.cc
UID: 1639000003
GID: 1639000002
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
Bulk-creating FreeIPA users and setting their passwords
# 1. Prepare a text file containing the user information
# Field layout: group name:username:first name:last name:email
cat users.txt
noc:user01:大牛:吴:user01@atstm.cc
noc:user02:小天:陈:user02@atstm.cc
# 2. Use that file to create each user, add it to its group and set its password
#    non-interactively. users.txt is read on fd 3 so the ipa commands keep a clean
#    stdin; ipa passwd reads the new password from stdin when stdin is not a tty,
#    so a single line is enough. Note: a password set by an administrator is
#    expired at once, so the user is forced to change it at first login; the
#    predictable <username>@123456 pattern is only a bootstrap value, and a random
#    per-user value is the safer choice.
while IFS=':' read -r group_name username first_name last_name email <&3; do
    ipa user-add --first="$first_name" --last="$last_name" --email="$email" "$username" </dev/null
    ipa group-add-member "$group_name" --users="$username" </dev/null
    printf '%s\n' "$username@123456" | ipa passwd "$username"
done 3< users.txt
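As an added example (not part of the original post), the script below hardens the bulk-creation loop above: every users.txt record (the post's group:login:first:last:email layout) is validated before it reaches the ipa CLI, and each user gets a random one-time password instead of a predictable one. The validation rules, the output file and the function names are this example's own choices; the ipa commands are the same ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: validate every users.txt record
# (the post's group:login:first:last:email layout) before handing it to the ipa
# CLI, and give each user a random one-time password instead of a predictable
# one. Function names and rules are this example's choice.

# Logins: lower-case, starting with a letter/digit/underscore, then [a-z0-9._-],
# 32 characters at most. The leading-character rule also guarantees a login
# can never be parsed by ipa as an option such as "--help".
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9_][a-z0-9._-]{0,31}$'
}

# Minimal e-mail sanity check: exactly one '@', no whitespace, dotted domain.
valid_email() {
    printf '%s\n' "$1" | grep -Eq '^[^[:space:]@]+@[^[:space:]@.]+(\.[^[:space:]@.]+)+$'
}

# Whole-record check; reports the first problem on stderr and fails.
valid_record() {
    group=$1 login=$2 first=$3 last=$4 email=$5
    [ -n "$group" ] && [ -n "$first" ] && [ -n "$last" ] ||
        { echo "record for '$login' has an empty field" >&2; return 1; }
    valid_login "$login" || { echo "bad login '$login'" >&2; return 1; }
    valid_email "$email" || { echo "bad email '$email' for '$login'" >&2; return 1; }
}

# 16 random bytes as base64 -> 22 characters (padding stripped).
gen_password() {
    head -c 16 /dev/urandom | base64 | tr -d '=\n'
}

# Provision every valid record. The file is read on fd 3 so the ipa commands
# keep a clean stdin; ipa passwd reads the new password from stdin when stdin
# is not a tty. Admin-set passwords expire immediately, so the initial value
# only carries the user to the change-at-first-login prompt. login:password
# pairs go to $2 with mode 0600; deliver them securely and delete the file.
provision_users() {
    file=$1 out=$2
    : > "$out" && chmod 600 "$out" || return 1
    while IFS=':' read -r group login first last email <&3; do
        valid_record "$group" "$login" "$first" "$last" "$email" || continue
        pw=$(gen_password)
        ipa user-add --first="$first" --last="$last" --email="$email" "$login" </dev/null &&
        ipa group-add-member "$group" --users="$login" </dev/null &&
        printf '%s\n' "$pw" | ipa passwd "$login" &&
        printf '%s:%s\n' "$login" "$pw" >> "$out"
    done 3< "$file"
}

# Usage (on the IPA server, after kinit admin):
#   provision_users users.txt initial-passwords.txt
```

A record that fails validation is skipped with a message rather than aborting the whole run, and a user whose group assignment or password step fails is not written to the password file, so the file only lists accounts that are fully provisioned.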
LDAP queries (ldapsearch)
# The query below is an anonymous simple bind (-x without a -D bind DN). FreeIPA allows
# anonymous reads of the compat and accounts trees by default, which is handy for
# debugging but also lets anyone who can reach port 389 enumerate accounts.
# (-H ldap://host replaces the deprecated -h host form.)
[root@ipa ~]# ldapsearch -x -H ldap://localhost uid=test
# extended LDIF
#
# LDAPv3
# base <dc=atstm,dc=cc> (default) with scope subtree
# filter: uid=test
# requesting: ALL
#
# test, users, compat, atstm.cc
dn: uid=test,cn=users,cn=compat,dc=atstm,dc=cc
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos:: 5b2m56WWIOWQtA==
cn:: 5b2m56WWIOWQtA==
uidNumber: 1639000003
gidNumber: 1639000002
loginShell: /bin/sh
homeDirectory: /home/test
ipaAnchorUUID:: OklQQTphdHN0bS5jYzo4MTk5ZTY5OC1jMjRlLTExZWUtYjJjZi1iYzI0MTE3ZmZjY2Y=
uid: test
# test, users, accounts, atstm.cc
dn: uid=test,cn=users,cn=accounts,dc=atstm,dc=cc
givenName:: 5b2m56WW
sn:: 5ZC0
uid: test
cn:: 5b2m56WWIOWQtA==
displayName:: 5b2m56WWIOWQtA==
initials:: 5b2m5ZC0
gecos:: 5b2m56WWIOWQtA==
gidNumber: 1639000002
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: ipauserauthtypeclass
loginShell: /bin/sh
homeDirectory: /home/test
uidNumber: 1639000003
ipaNTSecurityIdentifier: S-1-5-21-2106839805-2915160950-3243814532-1003
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
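As an added example (not part of the original post), the script below does two things a practitioner wants after seeing that output: it decodes the base64 values (LDIF encodes any non-ASCII value as "attr:: ...", which is why cn, sn, givenName and gecos are unreadable above, and it wraps long values onto continuation lines as ipaAnchorUUID shows), and it prints the cn=config change that restricts anonymous access to the root DSE so the unauthenticated search above stops returning account data. The function names are this example's choice; the attribute and value come from the FreeIPA documentation on disabling anonymous binds.

```shell
#!/bin/sh
# Added example, not part of the original post. ldapsearch prints LDIF, and LDIF
# base64-encodes any value that is not safe ASCII, which is why the Chinese
# cn/sn/givenName/gecos above appear as "attr:: ...". ldif_decode makes such
# output readable; anon_bind_rootdse_ldif prints the cn=config change that
# stops the unauthenticated search above from returning account data.
# Function names are this example's choice.

# Join continuation lines (a line starting with one space continues the
# previous one, as with the wrapped ipaAnchorUUID above), then decode every
# "attr:: <base64>" line into "attr: <text>". Everything else passes through.
ldif_decode() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        attr=${line%%:*}            # attribute name = text before the first colon
        case "$line" in
            "$attr:: "*)            # base64 form; a value like "fe80::1" does not match
                val=${line#"$attr:: "}
                printf '%s: %s\n' "$attr" "$(printf '%s' "$val" | base64 -d)" ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Restrict anonymous access to the root DSE (clients still need that for
# discovery) so "ldapsearch -x" without a bind DN no longer reads accounts.
# Apply on the server, then restart the IPA services:
#   anon_bind_rootdse_ldif | ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W
#   ipactl restart
anon_bind_rootdse_ldif() {
    printf '%s\n' \
        'dn: cn=config' \
        'changetype: modify' \
        'replace: nsslapd-allow-anonymous-access' \
        'nsslapd-allow-anonymous-access: rootdse'
}

# Usage: ldapsearch -x -H ldap://localhost uid=test | ldif_decode
```

After the cn=config change, the same ldapsearch must be run with a bind (for example `-Y GSSAPI` after `kinit`, or `-D uid=...,cn=users,cn=accounts,dc=atstm,dc=cc -W`); enrolled SSSD clients are unaffected because they bind with their host keytab.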