Rocky Linux 9: Building a Unified Authentication (User Management) Platform with FreeIPA
I. Introduction
FreeIPA is an open-source security solution for Linux that provides account management and centralized authentication, similar to Microsoft's Active Directory. FreeIPA is built on several open-source projects, including 389 Directory Server, MIT Kerberos and SSSD.
II. Prerequisites
To follow this tutorial you will need:
- A Rocky Linux 9 server with at least 1 GB of RAM. By default, Rocky Linux 9 uses only the root user. Because we will use FreeIPA to manage users, there is no need to add another user manually.
- A firewall enabled on your server. This is strongly recommended because FreeIPA handles sensitive user credentials.
- A fully registered domain for the server and the clients, i.e. a domain name.
- DNS records set up for your server.
Environment preparation
Prepare three virtual machines: one as the server and the other two as clients.
server: 10.16.16.25
client1: 10.16.16.24
client2: 10.16.16.23
III. Installing the IPA server
1. Disable SELinux
# setenforce 0
# sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
# sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux
2. Open the firewall ports
Open the ports FreeIPA needs in the firewall; note the port numbers used, which include 80 and 443.
# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
# firewall-cmd --reload
3. Set the hostname and name resolution
Use ipa.example.org as the FQDN and set it with the hostnamectl command:
# echo "10.16.16.25 ipa.example.org ipa" >> /etc/hosts
# hostnamectl set-hostname ipa.example.org
# hostname
# ping -c 3 ipa
# ping -c 3 ipa.example.org
4. Install and configure the ipa-server software
# dnf -y install freeipa-server
# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.2
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: # press Enter: do not use FreeIPA's integrated DNS
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com
Server host name [ipa.example.org]: # press Enter: use the name configured in the previous step
The domain name has been determined based on the host name.
Please confirm the domain name [example.org]: # press Enter
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.ORG]: # press Enter
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: # set the Directory Server password: 12345678
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: # set the ipa-server admin password: 12345678
Password (confirm):
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [EXAMPLE]: # press Enter
Do you want to configure chrony with NTP server or pool address? [no]: # press Enter
The IPA Master Server will be configured with:
Hostname: ipa.example.org
IP address(es): 10.16.16.20
Domain name: example.org
Realm name: EXAMPLE.ORG
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.ORG
Subject base: O=EXAMPLE.ORG
Chaining: self-signed
Continue to configure the system with these values? [no]: yes # type yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
......
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.12.2
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.example.org
Realm: EXAMPLE.ORG
DNS Domain: example.org
IPA Server: ipa.example.org
BaseDN: dc=example,dc=org
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring example.org as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Invalid IP address fe80::20c:29ff:fe44:51ed for ipa.example.org.: cannot use link-local IP address fe80::20c:29ff:fe44:51ed
Invalid IP address fe80::20c:29ff:fe44:51ed for ipa.example.org.: cannot use link-local IP address fe80::20c:29ff:fe44:51ed
Please add records in this file to your DNS system: /tmp/ipa.system.records.vnccoqb4.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
# Common commands
ipactl restart    restart IPA
ipactl status     show the status of the IPA services
ipactl start      start IPA
getcert list      list the certificates tracked by certmonger
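A pre-flight check for steps 1-3, added here as an example and not taken from the original post: it verifies the FQDN, the /etc/hosts mapping and the firewall ports before (or after) running ipa-server-install. It assumes the tutorial's names (ipa.example.org mapped to 10.16.16.25); the firewall check needs firewalld and root, so the live checks only run when the script is given a hostname argument.

```shell
#!/bin/sh
# Added pre-flight check for steps 1-3 above (not from the original post).
# Assumes the tutorial's names: ipa.example.org mapped to 10.16.16.25 in
# /etc/hosts. Usage on the server: sh ipa-preflight.sh ipa.example.org
# Ports ipa-server-install asks for (step 2 and the "Next steps" output).
IPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# check_fqdn NAME: the installer refuses short names and localhost.
check_fqdn() {
    case $1 in
        localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# realm_for DOMAIN: the Kerberos realm the installer proposes (uppercase domain).
realm_for() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_hosts_entry HOSTSFILE FQDN: print the single address FQDN maps to.
# Fails on a missing, duplicated, loopback or link-local mapping; a bad
# mapping is what produces the "cannot use link-local IP address" line above.
check_hosts_entry() {
    fqdn=$2
    addrs=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$1")
    set -- $addrs
    [ $# -eq 1 ] || { echo "expected one hosts entry for $fqdn, found $#" >&2; return 1; }
    case $1 in
        127.*|::1|fe80:*) echo "$fqdn maps to $1 (loopback/link-local)" >&2; return 1 ;;
    esac
    echo "$1"
}

# check_firewall_ports: every required port must be open in the running zone.
check_firewall_ports() {
    rc=0
    for p in $IPA_PORTS; do
        firewall-cmd --query-port="$p" >/dev/null 2>&1 || { echo "port $p is not open" >&2; rc=1; }
    done
    return $rc
}
# Only touches the live system when a hostname argument is given.
if [ $# -ge 1 ]; then
    fqdn=$1
    check_fqdn "$fqdn" || { echo "$fqdn is not a fully qualified name" >&2; exit 1; }
    [ "$(hostname -f)" = "$fqdn" ] || echo "warning: hostname -f reports $(hostname -f)" >&2
    ip=$(check_hosts_entry /etc/hosts "$fqdn") || exit 1
    echo "host $fqdn -> $ip, realm $(realm_for "${fqdn#*.}")"
    check_firewall_ports && echo "all FreeIPA ports are open"
fi
```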
5. Test
On another host, add the hosts entry and then log in to the ipa-server through a browser.
Username: admin
Password: 12345678 # the ipa-server admin password set in the previous step
IV. Installing the IPA client
# echo "10.16.16.25 ipa.example.org ipa" >> /etc/hosts => add the hosts entry for the ipa-server host
# hostnamectl set-hostname ipa2.example.org => set the ipa client hostname
# yum -y install ipa-client
# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.example.org --domain example.org --realm EXAMPLE.ORG
This program will set up IPA client.
Version 4.12.2
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes # type yes
Do you want to configure chrony with NTP server or pool address? [no]: # press Enter
Client hostname: ipa2.example.org
Realm: EXAMPLE.ORG
DNS Domain: example.org
IPA Server: ipa.example.org
BaseDN: dc=example,dc=org
Continue to configure the system with these values? [no]: yes # type yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
User authorized to enroll computers: admin # enter the IPA admin user
Password for admin@EXAMPLE.ORG: # enter the IPA admin password
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.ORG
Issuer: CN=Certificate Authority,O=EXAMPLE.ORG
Valid From: 2025-04-17 03:27:42+00:00
Valid Until: 2045-04-17 03:27:42+00:00
Enrolled in IPA realm EXAMPLE.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (ipa2.example.org) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipa2.example.org: 10.16.16.24.
Missing reverse record(s) for address(es): 10.16.16.24.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring example.org as NIS domain.
Configured /etc/krb5.conf for IPA realm EXAMPLE.ORG
Client configuration complete.
The ipa-client-install command was successful
Query on the client; the ipa server users are now visible:
# id admin
uid=240000000(admin) gid=240000000(admins) groups=240000000(admins)
In the ipa-server web UI, the newly enrolled client host appears under Identity > Hosts. Add a user under Identity > Users; that user is then visible on both the ipa server and the ipa client hosts.
For example, after adding a user named test, you can switch to that user:
# id test
uid=240000003(test) gid=240000003(test) groups=240000003(test)
# su - test
Creating home directory for test.
$ pwd
/home/test
V. Enabling and verifying sudo rules (optional)
Enabling sudo access requires no changes to the client configuration files; however, if you want it, you must configure a sudo rule in the IPA Web UI to grant access.
FreeIPA lets you specify which users and user groups may run sudo commands on which machines. You can also restrict the commands users may run with sudo and the users they may impersonate.
In this tutorial we add a simple rule that grants the admins group full sudo access on all machines. Note that the admins group, and the other groups shown below, exist in FreeIPA by default.
- In the IPA Web UI, click Services, then sudo. A drop-down menu should appear.
- In the drop-down menu, click sudo rules, then click add and enter a name for the rule in the Rule name field. Here we use admin, because we are allowing sudo for the admins group.
- Next, click Add and Edit. This shows the full set of options for the rule.
- Under Who and User Groups, click + Add. Select the admins group and click the arrow to move it from Available to Prospective, then click Add.
- Under Access this host, select Any Host. Under Run Commands, select Any Command. Under As Whom, select Anyone and Any Group. This is where you can restrict the machines on which sudo is enabled, the commands that may be run with sudo, and the users that may be impersonated.
- Finally, scroll to the top of the page and click Save.
Your rule should now be active; however, propagation may take some time, and you may need to restart the sshd service before the sudo rule takes effect. To do so, run systemctl restart sshd.service on the IPA client.
Once that is done, let's verify that we have sudo access on the client machine. From your local machine, try logging in to the client as the IPA admin user. By default this user is in the admins group.
ssh admin@ipa-client.example.com
After logging in, try to start an interactive sudo prompt.
sudo -i
The prompt should now change to root@ipa-client. Just type exit to return to the regular prompt.
If you are denied sudo access, you may need to restart the machine and make sure your sudo rule is configured correctly.
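The same rule built with the ipa command line instead of the Web UI, plus a client-side check, added here as an example (not part of the original post). It assumes the tutorial's rule name admin and group admins, an admin Kerberos ticket (kinit admin) on an enrolled host for the create step, and root on the IPA client for the verify step.

```shell
#!/bin/sh
# Added example (not from the original post): the admins-anywhere sudo rule
# from the Web UI steps above, built with the ipa CLI, plus a client check.
# Assumes the tutorial's rule name "admin" and group "admins".
# Usage: kinit admin; sh ipa-sudo.sh create      (on any enrolled host)
#        sh ipa-sudo.sh verify admin              (as root on the IPA client)

# create_admin_sudo_rule: any host, any command, run as anyone, for group admins.
create_admin_sudo_rule() {
    ipa sudorule-add admin --hostcat=all --cmdcat=all \
        --runasusercat=all --runasgroupcat=all
    ipa sudorule-add-user admin --groups=admins
    ipa sudorule-show admin
}

# refresh_client: SSSD caches sudo rules; flush them instead of waiting
# for propagation.
refresh_client() {
    sss_cache -E
    systemctl restart sssd
}

# sudo_grants_all LISTING: true when a "sudo -l" listing contains the
# unrestricted "(ALL : ALL) ALL" entry this rule should produce.
sudo_grants_all() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*\(ALL[[:space:]]*:[[:space:]]*ALL\)[[:space:]]+ALL[[:space:]]*$'
}

# verify_client USER: list USER's sudo privileges on this host and check them.
verify_client() {
    listing=$(sudo -l -U "$1" 2>&1)
    if sudo_grants_all "$listing"; then
        echo "$1 has unrestricted sudo on $(hostname -f)"
    else
        echo "rule not in effect for $1 on $(hostname -f):" >&2
        echo "$listing" >&2
        return 1
    fi
}

case ${1:-} in
    create) create_admin_sudo_rule ;;
    verify) refresh_client; verify_client "${2:-admin}" ;;
esac
```

If verify still fails after the cache flush, check the rule's host, command and run-as categories with ipa sudorule-show on the server.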
VI. FreeIPA single sign-on integration
Gitlab, Jenkins, Jumpserver, Jira or Confluence
