Free IPA (Identity - Policy - Audit) - OSDCM: User Management
Free IPA (Identity - Policy - Audit)
OSDCM: User Management
Jürgen Brunk
München, 06.05.2014
Agenda
1. What is Free IPA?
2. Overview
3. CLI and web GUI
4. Windows AD integration
5. Framework
6. Environment
7. Architecture
8. Server
9. Client
10. Multi-master replication
11. Hands-on
12. Free IPA server installation
13. Free IPA client installation
14. Free IPA CLI management
What is Free IPA?
What is Free IPA? - Overview
A kind of "Active Directory" for Linux
Central management of user accounts and policies
● Users/hosts/groups, passwords
● sudo rights, SSH keys
● DNS management, certificates/PKI
● and much more …
What is Free IPA? - CLI and web GUI
What is Free IPA? - Windows AD integration
Can also be connected to an existing Windows AD environment (it is not a replacement for one!)
Since Free IPA v2: replication of users and passwords from AD to Free IPA
Since Free IPA v3: AD connected to Free IPA via a "trusted link"; SSO from a Windows machine to a Linux machine
What is Free IPA? - Framework
Open source framework:
● MIT Kerberos server (SSO)
● 389 Directory Server (LDAP)
● SSSD (System Security Services Daemon)
● Dogtag PKI
● BIND DNS
● NTP
● Samba
● Apache
What is Free IPA? - Environment
(currently) a pure Red Hat project
(currently) officially supported: Fedora / Red Hat Enterprise Linux
Recommended: Fedora 20 / RHEL 7
Architecture
Architecture - IPA Server
Architecture - IPA Client
Architecture - Multi-Master Replication
Questions so far?
Hands-on
Free IPA Server Installation
Free IPA - Server Installation 1/3
# cat /etc/redhat-release
Fedora release 20 (Heisenbug)

# disable the firewall (makes test operation easier)
# systemctl disable firewalld
# systemctl stop firewalld

# cat /etc/hosts
192.168.10.2 freeipa.local.domain freeipa

# cat /etc/hostname
freeipa.local.domain

# yum install bind-dyndb-ldap freeipa-server
Free IPA - Server Installation 2/3
# ipa-server-install --setup-dns --mkhomedir
Server host name [freeipa.local.domain]:
Please confirm the domain name [local.domain]:
Please provide a realm name [LOCAL.DOMAIN]:
Directory Manager password: *****
IPA admin password: *****
Do you want to configure DNS forwarders? [yes]:
Enter IP address for a DNS forwarder: 8.8.8.8
Enter IP address for a DNS forwarder: 8.8.4.4
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [10.168.192.in-addr.arpa.]:
Continue to configure the system with these values? [no]: yes
Free IPA - Server Installation 3/3
# kinit admin
Password for admin@LOCAL.DOMAIN: *****

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LOCAL.DOMAIN

Valid starting       Expires              Service principal
05.05.2014 11:26:52  06.05.2014 11:26:49  krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN
# optional: uninstall again ;-)
# ipa-server-install --uninstall --unattended
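A pre-flight check for the values the installer prompts for on the previous slides (added here as an example; it is not part of the original slides or of the FreeIPA project). It checks that the host name is fully qualified, that /etc/hosts maps it to a non-loopback address, and derives the reverse zone the installer will propose. The hosts file and host name are parameters so the functions can be tried on a constructed copy.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the values ipa-server-install asks for: the host
# name must be fully qualified, /etc/hosts must map it to the machine's real
# address (not a 127.x loopback entry, which IPA would publish in DNS), and the
# reverse zone the installer proposes is derived from that address.
set -eu

# The host name must contain a dot and must not be a loopback alias.
check_fqdn() {
    case "$1" in
        localhost|localhost.*) echo "loopback name: $1" >&2; return 1 ;;
        *.*) return 0 ;;
        *) echo "not fully qualified: $1" >&2; return 1 ;;
    esac
}

# Print the IPv4 address HOSTS_FILE maps to FQDN; fail on loopback or no entry.
host_ip_for() {
    local hosts_file="$1" fqdn="$2" ip names name
    while read -r ip names; do
        case "$ip" in ''|'#'*) continue ;; esac          # blank or comment line
        for name in $names; do
            [ "$name" = "$fqdn" ] || continue
            case "$ip" in
                127.*|::1) echo "$fqdn maps to loopback $ip" >&2; return 1 ;;
            esac
            echo "$ip"; return 0
        done
    done < "$hosts_file"
    echo "no entry for $fqdn in $hosts_file" >&2
    return 1
}

# Reverse zone for a /24, as the installer proposes it:
# 192.168.10.2 -> 10.168.192.in-addr.arpa.
reverse_zone_for() {
    local oldifs
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo "$3.$2.$1.in-addr.arpa."
}

# Run all checks; on success print the values to confirm at the prompts.
preflight() {
    local ip
    check_fqdn "$2" || return 1
    ip=$(host_ip_for "$1" "$2") || return 1
    echo "host: $2 address: $ip reverse zone: $(reverse_zone_for "$ip")"
}
```

Run it as `preflight /etc/hosts "$(cat /etc/hostname)"` before starting ipa-server-install; a non-zero exit means one of the prompts above would get a value the installer cannot use.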
Free IPA Client Installation
Free IPA - Client Installation 1/1
# yum install freeipa-client
# ipa-client-install --mkhomedir

If "sudo" does not work, adjust the SSSD configuration as follows:

/etc/nsswitch.conf:
+sudoers: files sss

/etc/sssd/sssd.conf:
[sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, sudo

# systemctl restart sssd
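An idempotent form of the two edits above, added here as an example (not code from the slides or from the SSSD project). The file paths are parameters, so the functions can be applied to copies first; the check function lets you confirm the state before restarting sssd.

```shell
#!/usr/bin/env bash
# Idempotent version of the two edits: nsswitch.conf gets "sudoers: files sss"
# and the services line in the [sssd] section gets "sudo", so sudo rules stored
# in IPA are consulted. Running either function twice changes nothing.
set -eu

# Add sss to the sudoers line of an nsswitch.conf file, creating the line if
# it is missing; a line that already lists sss is left alone.
enable_sss_sudoers() {
    local nsswitch="$1" tmp
    tmp=$(mktemp)
    awk '/^sudoers:/ { seen = 1
                       if ($0 !~ /[[:space:]]sss([[:space:]]|$)/) $0 = $0 " sss" }
         { print }
         END { if (!seen) print "sudoers: files sss" }' "$nsswitch" > "$tmp"
    cat "$tmp" > "$nsswitch"      # rewrite in place, keeping mode and owner
    rm -f "$tmp"
}

# Append sudo to "services = ..." inside [sssd] only; other sections untouched.
enable_sssd_sudo() {
    local conf="$1" tmp
    tmp=$(mktemp)
    awk '/^\[/ { in_sssd = ($0 == "[sssd]") }
         in_sssd && /^[[:space:]]*services[[:space:]]*=/ {
             if ($0 !~ /[=,[:space:]]sudo([[:space:],]|$)/) $0 = $0 ", sudo" }
         { print }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# True when both files (sssd.conf first, nsswitch.conf second) are already in
# the required state; check this before the sssd restart, not after.
sssd_sudo_ready() {
    grep -Eq '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$2" &&
    awk '/^\[/ { in_sssd = ($0 == "[sssd]") }
         in_sssd && /^[[:space:]]*services[[:space:]]*=/ &&
             /[=,[:space:]]sudo([[:space:],]|$)/ { found = 1 }
         END { exit !found }' "$1"
}
```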
Free IPA CLI Management
Free IPA - CLI Management 1/2
# obtain a Kerberos ticket
# kinit admin

# ipa help user

# create a new user "jdoe" with a random password
# ipa user-add jdoe --first John --last Doe --random

# search for a user
# ipa user-find john

# show user details
# ipa user-show jdoe
Free IPA - CLI Management 2/2
# create a new group
# ipa group-add foo

# add the user to the new group
# ipa group-add-member foo --user jdoe

# set a new password
# ipa passwd jdoe

# assign an SSH key
# ipa user-mod jdoe --sshpubkey="ssh-rsa AAAA..."

# delete the user
# ipa user-del jdoe
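A validation step for the `--sshpubkey` call above, added here as an example (not code from the slides or from FreeIPA): IPA stores the key string as given, so a mislabelled or truncated key only surfaces later as a failed login. The check decodes the base64 blob and compares the key type embedded in the wire format with the label in front of it. `IPA_BIN` is an assumed hook, not an IPA feature, so the wrapper can be pointed at a stub for dry runs; the sample keys in the test are constructed prefixes, not real keys.

```shell
#!/usr/bin/env bash
# Check an OpenSSH public key line before passing it to
# "ipa user-mod USER --sshpubkey=...".
set -eu

# Accept "TYPE BASE64 [comment]" when TYPE is a known OpenSSH key type and the
# base64 blob decodes to wire format whose first string names the same TYPE.
validate_sshpubkey() {
    local key="$1" type blob tmp len embedded
    type=${key%% *}
    blob=${key#* }; blob=${blob%% *}      # second field only, comment dropped
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown key type: $type" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    if ! printf '%s' "$blob" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "key blob is not valid base64" >&2; return 1
    fi
    # Wire format: 4-byte big-endian length, then the key-type string.
    set -- $(od -An -tu1 -N4 "$tmp")
    if [ $# -ne 4 ]; then rm -f "$tmp"; echo "key blob too short" >&2; return 1; fi
    len=$(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    if [ "$len" -lt 1 ] || [ "$len" -gt 64 ]; then
        rm -f "$tmp"; echo "implausible type length $len" >&2; return 1
    fi
    embedded=$(dd if="$tmp" bs=1 skip=4 count="$len" 2>/dev/null)
    rm -f "$tmp"
    if [ "$embedded" != "$type" ]; then
        echo "label '$type' does not match embedded type '$embedded'" >&2; return 1
    fi
    return 0
}

# Assign the key only once it validates. IPA_BIN is an assumed hook (default:
# the real "ipa" client) so the call can be redirected to a stub for dry runs.
assign_sshpubkey() {
    local user="$1" key="$2"
    validate_sshpubkey "$key" || return 1
    "${IPA_BIN:-ipa}" user-mod "$user" --sshpubkey="$key"
}
```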
Any more questions?
Sources and Links
Sources:
www.freeipa.org
www.fedoraproject.org
www.redhat.com

Images:
www.freeipa.org
www.fedoraproject.org
www.redhat.com
www.linux-magazine.com
Links:
Free IPA website: www.freeipa.org
Free IPA documentation: www.freeipa.org/page/Quick_Start_Guide
www.freeipa.org/page/HowTos
Thank you for your attention

Contact
Jürgen Brunk, Systems Engineer
inovex GmbH, Office München, Valentin-Linhof Str. 2, D-81829 München
Mobile: 0173 3181 003
Mail: [email protected]