FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

Transcription

1 FreeIPA Directory and authentication services the easy way Christian Stankowic Free and Open Source software Conference

2 whoami Christian Stankowic Messer Information Services GmbH Linux & vsphere administrator Blogger & book author 2

3 AGENDA

4 Agenda Motivation Installation Client integration Basic administration and examples 4

5 MOTIVATION

6 Why central authentication? User information are stored centrally No password clutter Low effort after job cancellation Reasonable when having more than 2 systems 6

7 7

8 What is FreeIPA? free IPA solution by Red Hat Identify, Policy, Audit Also known as Red Hat Identity Management (IdM) under RHEL Comparable to Microsoft AD-DS and Novell edirectory 8

9 What is FreeIPA? Web interface combining: DNS server (BIND9) Directory server (389ds) Dogtag certificate system MIT Kerberos for authentication and single sign-on (SSO) 9

10 Features (1/2) Configuring DNS zones Maintinung user(group)s, host(group)s sudo and HBAC (Host Based Access Control) rules role support (e.g. admins, servicedesk,...) 10

11 Features (2/2) AD-DS trusts (version 3+) Multiple servers/replicas, availability / load balancing 2FA (Two-factor-authentication) + OTP (One-time password) multiple APIs (XML/JSONRPC, Python,...) 11

12 INSTALLATION

13 System requirements at least 2 CPUs 1 GB+ memory 10 GB+ hard drive Linux distributions: Fedora Enterprise Linux (RHEL, CentOS, SL) Debian Sid / Ubuntu

14 Network requirements IPv6 should be disabled Time using ntpd (no chronyd) Open ports: 80, 443, 8080 (tcp, web server) 389, 636 (tcp, ldap/ldaps) 88, 464 (tcp/udp, Kerberos) 123 (udp, NTP) 14

15 Installation (1/3) 1 # yum install ipa-server{,-trust-ad} 2 # ipa-server-install Do you want to configure integrated DNS (BIND)? [ no]: yes 5 Server host name [st-ipa.stankowic.loc]: 6 Please confirm the domain name [stankowic.loc]: 7 Please provide a realm name [STANKOWIC.LOC]: Listing 1: Package installation, configuring DNS and Realm 15

16 Installation (2/3) 1 Directory Manager password: 2 Password (confirm): 3 IPA admin password: 4 Password (confirm): Do you want to configure the reverse zone? [yes]: 7 Please specify the reverse zone name [ inaddr.arpa.]: 8 Using reverse zone(s) in-addr.arpa. Listing 2: Passwords and Reverse Zones 16

17 Installation (3/3) 1 The IPA Master Server will be configured with: 2 Hostname: st-ipa.stankowic.loc 3 IP address(es): Domain name: stankowic.loc 5 Realm name: STANKOWIC.LOC 6 BIND DNS server will be configured to serve IPA domain with: 7 Forwarders: , Reverse zone(s): in-addr.arpa. 9 Continue to configure the system with these values? [no]: yes Listing 3: Summary 17

18 18

19 INTEGRATION

20 Client requirements freeipa-client registers and configures: Kerberos LDAP client SSSD Linux distributions: Fedora Enterprise Linux (RHEL, CentOS, SL) Debian Sid / Ubuntu

21 Excursus: SSSD System Security Services Daemon Central authentication, local credentials cache Integration into LDAP, IPA, AD-DS, Kerberos,... Offers PAM and NSS modules 21

22 Client integration (1/4) Install freeipa-client package FreeIPA DNS set? (NS, SRV records) Valid hostname configured? Run ipa-client-install: --mkhomedir - create home folders --uninstall - unregisters host --domain - manually specify domain 22

23 Client integration (2/4) 1 # yum install -y ipa-client 2 # hostnamectl set-hostname giertz.stankowic.loc 3 # ipa-client-install --mkhomedir 4 Discovery was successful! 5 Hostname: giertz.stankowic.loc 6 Realm: STANKOWIC.LOC 7 DNS Domain: stankowic.loc 8 IPA Server: st-ipa.stankowic.loc 9 BaseDN: dc=stankowic,dc=loc 10 Continue to configure the system with these values? [no]: yes Listing 4: Integrating a client 23

24 Client integration (3/4) 1 User authorized to enrole computers: cstan 2 Synchronizing time with KDC... 3 Password for cstan@stankowic.loc: 4 Successfully retrieved CA cert Configured /etc/openldap/ldap.conf 7 Configured /etc/ssh/sshd_config 8 Client configuration complete. Listing 5: Integrating a client 24

25 Client integration (4/4) 1 # kinit cstan 2 Password for cstan@stankowic.loc: 3 # klist 4 Ticket cache: KEYRING:persistent: : krb_ccache_xtemlyy 5 Default principal: cstan@stankowic.loc 6 7 Valid starting Expires Service principal :03: :03:25 krbtgt/ STANKOWIC.LOC@STANKOWIC.LOC 9 # ssh st-ipa.stankowic.loc Listing 6: Tests after integration 25

26 ADMINISTRATION

27 User(group)s Defining typical user information LDAP schema can be extended Users can be grouped Example: all DB admins, all FTP users,... 27

28 28

29 Host(group)s Hosts can be part of groups Example: all web servers, all DB servers,... Hostgroups can be used in sudo and HBAC rules Always use hosts groups instead of hosts! 29

30 30

31 HBAC rules Controls which user(group)s can access which hostgroups using which service Example: add DB admins on all DB servers using SSH Definitely remove default rule allow_all! No replacement for firewall rules! 31

32 32

33 Sudo rules Controlling commands and command groups Defining: User(group)s Host(group)s Commands/command groups Alternate identities 33

34 34

35 Excursus: ipa-sudo-basic-rules (1/2) Group of common administration commands (currently 250) Automatically creates sudo commands and command groups Python script, deploy n play Download at github.com/stdevel/freeipa-stuff 35

36 Excursus: ipa-sudo-basic-rules (2/2) 1 $./ipa-sudo-basic-rules.py -i 2 INFO:ipa-sudo-basic-rules.py:This definition has version and consists of 33 command groups and 255 commands. 3 4 $./ipa-sudo-basic-rules.py -n 5 INFO:ipa-sudo-basic-rules.py:I d like to execute the following command: ipa sudocmdgroup-add firewall --desc= Managing firewall configuration 6... Listing 7: Simulating catalog installation 36

37 QUESTIONS?

38 Links FreeIPA website: freeipa.org Deployment Recommendations Quickstart Guide Active Directory trust setup freeipa-stuff repository on GitHub 38

39 Thanks for your attention! 39