FreeIPA Directory and authentication services the easy way Christian Stankowic www.stankowic-development.net Free and Open Source software Conference 21.08.2016
whoami Christian Stankowic Messer Information Services GmbH Linux & vsphere administrator Blogger & book author 2
AGENDA
Agenda Motivation Installation Client integration Basic administration and examples 4
MOTIVATION
Why central authentication? User information are stored centrally No password clutter Low effort after job cancellation Reasonable when having more than 2 systems 6
7
What is FreeIPA? free IPA solution by Red Hat Identify, Policy, Audit Also known as Red Hat Identity Management (IdM) under RHEL Comparable to Microsoft AD-DS and Novell edirectory 8
What is FreeIPA? Web interface combining: DNS server (BIND9) Directory server (389ds) Dogtag certificate system MIT Kerberos for authentication and single sign-on (SSO) 9
Features (1/2) Configuring DNS zones Maintinung user(group)s, host(group)s sudo and HBAC (Host Based Access Control) rules role support (e.g. admins, servicedesk,...) 10
Features (2/2) AD-DS trusts (version 3+) Multiple servers/replicas, availability / load balancing 2FA (Two-factor-authentication) + OTP (One-time password) multiple APIs (XML/JSONRPC, Python,...) 11
INSTALLATION
System requirements at least 2 CPUs 1 GB+ memory 10 GB+ hard drive Linux distributions: Fedora Enterprise Linux (RHEL, CentOS, SL) Debian Sid / Ubuntu 16.04 13
Network requirements IPv6 should be disabled Time using ntpd (no chronyd) Open ports: 80, 443, 8080 (tcp, web server) 389, 636 (tcp, ldap/ldaps) 88, 464 (tcp/udp, Kerberos) 123 (udp, NTP) 14
Installation (1/3) 1 # yum install ipa-server{,-trust-ad} 2 # ipa-server-install 3... 4 Do you want to configure integrated DNS (BIND)? [ no]: yes 5 Server host name [st-ipa.stankowic.loc]: 6 Please confirm the domain name [stankowic.loc]: 7 Please provide a realm name [STANKOWIC.LOC]: Listing 1: Package installation, configuring DNS and Realm 15
Installation (2/3) 1 Directory Manager password: 2 Password (confirm): 3 IPA admin password: 4 Password (confirm): 5... 6 Do you want to configure the reverse zone? [yes]: 7 Please specify the reverse zone name [1.22.10.inaddr.arpa.]: 8 Using reverse zone(s) 1.22.10.in-addr.arpa. Listing 2: Passwords and Reverse Zones 16
Installation (3/3) 1 The IPA Master Server will be configured with: 2 Hostname: st-ipa.stankowic.loc 3 IP address(es): 10.22.1.3 4 Domain name: stankowic.loc 5 Realm name: STANKOWIC.LOC 6 BIND DNS server will be configured to serve IPA domain with: 7 Forwarders: 10.22.1.1, 10.22.0.2 8 Reverse zone(s): 1.22.10.in-addr.arpa. 9 Continue to configure the system with these values? [no]: yes Listing 3: Summary 17
18
INTEGRATION
Client requirements freeipa-client registers and configures: Kerberos LDAP client SSSD Linux distributions: Fedora Enterprise Linux (RHEL, CentOS, SL) Debian Sid / Ubuntu 16.04 20
Excursus: SSSD System Security Services Daemon Central authentication, local credentials cache Integration into LDAP, IPA, AD-DS, Kerberos,... Offers PAM and NSS modules 21
Client integration (1/4) Install freeipa-client package FreeIPA DNS set? (NS, SRV records) Valid hostname configured? Run ipa-client-install: --mkhomedir - create home folders --uninstall - unregisters host --domain - manually specify domain 22
Client integration (2/4) 1 # yum install -y ipa-client 2 # hostnamectl set-hostname giertz.stankowic.loc 3 # ipa-client-install --mkhomedir 4 Discovery was successful! 5 Hostname: giertz.stankowic.loc 6 Realm: STANKOWIC.LOC 7 DNS Domain: stankowic.loc 8 IPA Server: st-ipa.stankowic.loc 9 BaseDN: dc=stankowic,dc=loc 10 Continue to configure the system with these values? [no]: yes Listing 4: Integrating a client 23
Client integration (3/4) 1 User authorized to enrole computers: cstan 2 Synchronizing time with KDC... 3 Password for cstan@stankowic.loc: 4 Successfully retrieved CA cert 5... 6 Configured /etc/openldap/ldap.conf 7 Configured /etc/ssh/sshd_config 8 Client configuration complete. Listing 5: Integrating a client 24
Client integration (4/4) 1 # kinit cstan 2 Password for cstan@stankowic.loc: 3 # klist 4 Ticket cache: KEYRING:persistent:35800001: krb_ccache_xtemlyy 5 Default principal: cstan@stankowic.loc 6 7 Valid starting Expires Service principal 8 14.07.2016 23:03:25 15.07.2016 23:03:25 krbtgt/ STANKOWIC.LOC@STANKOWIC.LOC 9 # ssh st-ipa.stankowic.loc Listing 6: Tests after integration 25
ADMINISTRATION
User(group)s Defining typical user information LDAP schema can be extended Users can be grouped Example: all DB admins, all FTP users,... 27
28
Host(group)s Hosts can be part of groups Example: all web servers, all DB servers,... Hostgroups can be used in sudo and HBAC rules Always use hosts groups instead of hosts! 29
30
HBAC rules Controls which user(group)s can access which hostgroups using which service Example: add DB admins on all DB servers using SSH Definitely remove default rule allow_all! No replacement for firewall rules! 31
32
Sudo rules Controlling commands and command groups Defining: User(group)s Host(group)s Commands/command groups Alternate identities 33
34
Excursus: ipa-sudo-basic-rules (1/2) Group of common administration commands (currently 250) Automatically creates sudo commands and command groups Python script, deploy n play Download at github.com/stdevel/freeipa-stuff 35
Excursus: ipa-sudo-basic-rules (2/2) 1 $./ipa-sudo-basic-rules.py -i 2 INFO:ipa-sudo-basic-rules.py:This definition has version 0.1.9 and consists of 33 command groups and 255 commands. 3 4 $./ipa-sudo-basic-rules.py -n 5 INFO:ipa-sudo-basic-rules.py:I d like to execute the following command: ipa sudocmdgroup-add firewall --desc= Managing firewall configuration 6... Listing 7: Simulating catalog installation 36
QUESTIONS?
Links FreeIPA website: freeipa.org Deployment Recommendations Quickstart Guide Active Directory trust setup freeipa-stuff repository on GitHub 38
Thanks for your attention! http://www.stankowic-development.net 39