tchua
2024-06-12
# FreeIPA High-Availability Deployment

FreeIPA is an integrated security information management solution. A FreeIPA server stores the data about users, groups, hosts and other objects that are needed to manage the security of a computer network, and provides centralized authentication, authorization and account information. It combines Linux, Directory Server, MIT Kerberos, NTP, DNS and Dogtag (the certificate system), and is managed through a web interface and command-line tools. It plays a role similar to an AD domain on Windows.

# 1. Machine Planning

OS version: CentOS 7.6

| Host | IP | Role | Domain name |
| --- | --- | --- | --- |
| ipa1 | 172.16.12.10 | master | ipa1.dc.losinx.com |
| ipa2 | 172.16.12.11 | master | ipa2.dc.losinx.com |

# 2. Environment Preparation

# 2.1 Check system information

```bash
# Distribution release
[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
# Kernel version
[root@localhost ~]# uname -r
3.10.0-957.el7.x86_64
```
# 2.2 Set the hostname

```bash
# ipa1
[root@localhost ~]# hostnamectl set-hostname ipa1.dc.losinx.com
[root@localhost ~]# hostname
ipa1.dc.losinx.com

# ipa2
[root@localhost ~]# hostnamectl set-hostname ipa2.dc.losinx.com
[root@localhost ~]# hostname
ipa2.dc.losinx.com
```
# 2.3 Configure /etc/hosts

```bash
cat /etc/hosts
172.16.12.10 ipa1.dc.losinx.com
172.16.12.11 ipa2.dc.losinx.com
```
# 2.4 Configure DNS resolution

FreeIPA depends heavily on DNS. My domain is hosted at Alibaba Cloud, so I created the records directly in the Alibaba Cloud DNS console, pointing each name at its IP:

```text
ipa1.dc.losinx.com  172.16.12.10
ipa2.dc.losinx.com  172.16.12.11
```

Note: FreeIPA ships an internal DNS service that can optionally be installed. I rely on Alibaba Cloud DNS instead, so installing and configuring the built-in DNS is not covered here.
# 2.5 Configure the yum repository (optional)

```bash
[root@ipa1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@ipa1 ~]# yum clean all	# clear all yum caches
[root@ipa1 ~]# yum makecache	# rebuild the yum cache
```
# 2.6 Upgrade the kernel

Whether to upgrade the kernel depends on your situation. I upgraded because the stock kernel of this release is fairly old and the installation ran into problems with it.

```bash
# If you choose to upgrade, do it on both machines and reboot afterwards
# ## On a fresh machine
[root@ipa1 ~]# yum update
[root@ipa1 ~]# uname -r
3.10.0-1127.18.2.el7.x86_64
# ## If you do not want a full update, upgrade only the kernel package to a specific version


# Note: without the kernel upgrade, the stock kernel may cause FreeIPA 4.6.6 to fail later
# during certificate generation with an error like the following:
"""
2020-08-05T09:50:36Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
2020-08-05T09:50:36Z ERROR Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
"""
```
# 2.7 Firewall

```bash
systemctl disable firewalld
systemctl stop firewalld

# If you prefer not to disable the firewall, allow the services used later instead
"""
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd}
firewall-cmd --reload
"""
```
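The preparation steps above (FQDN hostname, /etc/hosts entries, firewall services) can be verified before the installer is run. The script below is an added example, not code from the original post or from FreeIPA; it assumes the domain dc.losinx.com and the firewalld service list from section 2.7, and the /etc/hosts sample it carries is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# preparation steps above. Domain and firewalld service list are the ones
# this post uses; the /etc/hosts sample below is constructed.

IPA_DOMAIN="dc.losinx.com"
# services the post opens in 2.7; reporting the missing ones lets you keep
# firewalld enabled instead of disabling it
IPA_SERVICES="ntp http https ldap ldaps kerberos kpasswd"

# Constructed /etc/hosts content in the layout of section 2.3
SAMPLE_HOSTS='127.0.0.1 localhost
172.16.12.10 ipa1.dc.losinx.com ipa1
172.16.12.11 ipa2.dc.losinx.com ipa2'

# fqdn_in_domain NAME DOMAIN: success if NAME is "<label>.<DOMAIN>" with a
# non-empty label; FreeIPA requires a fully qualified hostname
fqdn_in_domain() {
    label=${1%".$2"}
    [ -n "$label" ] && [ "$label" != "$1" ]
}

# hosts_lookup HOSTS_TEXT NAME: print the address mapped to NAME (first match,
# comment lines ignored); prints nothing when NAME is absent
hosts_lookup() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# hosts_addr HOSTS_TEXT NAME: like hosts_lookup but fails when NAME is absent
# or maps to loopback; ipa-server-install rejects a hostname that resolves
# to 127.0.0.1
hosts_addr() {
    addr=$(hosts_lookup "$1" "$2")
    case "$addr" in ''|127.*|::1) return 1 ;; esac
    echo "$addr"
}

# missing_services LIST: entries of IPA_SERVICES absent from LIST (the output
# of `firewall-cmd --list-services`), one per line
missing_services() {
    for s in $IPA_SERVICES; do
        case " $1 " in *" $s "*) ;; *) echo "$s" ;; esac
    done
}

# Live checks on this host; run as: sh preflight.sh --live
preflight_live() {
    h=$(hostname)
    fqdn_in_domain "$h" "$IPA_DOMAIN" || { echo "hostname '$h' is not <host>.$IPA_DOMAIN"; return 1; }
    a=$(hosts_addr "$(cat /etc/hosts)" "$h") || { echo "$h has no non-loopback entry in /etc/hosts"; return 1; }
    m=$(missing_services "$(firewall-cmd --list-services 2>/dev/null)")
    [ -z "$m" ] || echo "firewalld does not list these services as allowed: $(echo $m)"
    echo "pre-flight OK: $h -> $a"
}
if [ "${1-}" = "--live" ]; then preflight_live; fi
```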

# 3. Install the Server

• Install the ipa-server package

```bash
[root@ipa1 ~]# yum install ipa-server -y
```
• Run the installer

```bash
[root@ipa1 ~]# ipa-server-install --domain=dc.losinx.com --realm=DC.LOSINX.COM
........
Do you want to configure integrated DNS (BIND)? [no]: no # whether to install the built-in DNS service

........
Server host name [ipa1.dc.losinx.com]:   # the hostname set earlier; accept the default

.........
Directory Manager password: 12345678  # password of the Directory Server manager
Password (confirm): 12345678 # confirm the password

.........
IPA admin password: 12345678 # password of the IPA admin (web UI login)
Password (confirm): 12345678 # confirm the password

.........
Continue to configure the system with these values? [no]: yes # confirm the configuration

.........
The ipa-client-install command was successful 

Please add records in this file to your DNS system: /tmp/ipa.system.records.VBLPLU.db
# this file holds the SRV records of the realm; without them in the external DNS,
# clients cannot autodiscover the servers (see the client install in 4.2)
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
# the output above means the installation succeeded
```
• Check the service status

```bash
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
• Obtain a Kerberos ticket

```bash
[root@ipa1 ~]# kinit admin
Password for admin@DC.LOSINX.COM:  # the admin password set above (identical to the Directory Manager password in this setup)
```
• Inspect the ticket

```bash
[root@ipa1 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DC.LOSINX.COM

Valid starting       Expires              Service principal
08/05/2020 18:39:40  08/06/2020 18:39:35  krbtgt/DC.LOSINX.COM@DC.LOSINX.COM
```
• Access the web UI

```bash
# browse to the hostname directly; the browser warns about the certificate, ignore it and continue
https://ipa1.dc.losinx.com
```

# 4. Replica Server

# 4.1 Install the FreeIPA client

```bash
[root@ipa2 ~]# yum install freeipa-client -y
```
# 4.2 Run the client installer

```bash
[root@ipa2 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): dc.losinx.com # the IPA domain
Provide your IPA server name (ex: ipa.example.com): ipa1.dc.losinx.com # the domain name of the ipa1 node
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes  # no DNS discovery
# discovery fails because the external DNS has no IPA SRV records; without them
# this client is pinned to ipa1 and will not fail over to another server
Client hostname: ipa2.dc.losinx.com
Realm: DC.LOSINX.COM
DNS Domain: dc.losinx.com
IPA Server: ipa1.dc.losinx.com
BaseDN: dc=dc,dc=losinx,dc=com

Continue to configure the system with these values? [no]: yes # confirm the configuration
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
User authorized to enroll computers: admin  # user name
Password for admin@DC.LOSINX.COM: 			# password
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DC.LOSINX.COM
    Issuer:      CN=Certificate Authority,O=DC.LOSINX.COM
    Valid From:  2020-08-06 01:15:31
    Valid Until: 2040-08-06 01:15:31

Enrolled in IPA realm DC.LOSINX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DC.LOSINX.COM
trying https://ipa1.dc.losinx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.dc.losinx.com/ipa/json'
trying https://ipa1.dc.losinx.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dc.losinx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful  # installation complete
```
# 4.3 Install the FreeIPA replica

• Install the server components

```bash
[root@ipa2 ~]# yum install ipa-server -y
```
• Run the replica installer

```bash
[root@ipa2 ~]# ipa-replica-install
Password for admin@DC.LOSINX.COM:  # enter the admin password
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configure password logging
  [11/42]: configuring replication version plugin
  [12/42]: enabling IPA enrollment plugin
  [13/42]: configuring uniqueness plugin
  [14/42]: configuring uuid plugin
  [15/42]: configuring modrdn plugin
  [16/42]: configuring DNS plugin
  [17/42]: enabling entryUSN plugin
  [18/42]: configuring lockout plugin
  [19/42]: configuring topology plugin
  [20/42]: creating indices
  [21/42]: enabling referential integrity plugin
  [22/42]: configuring certmap.conf
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: creating DS keytab
  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [30/42]: prevent time skew after initial replication
  [31/42]: adding sasl mappings to the directory
  [32/42]: updating schema
  [33/42]: setting Auto Member configuration
  [34/42]: enabling S4U2Proxy delegation
  [35/42]: initializing group membership
  [36/42]: adding master entry
  [37/42]: initializing domain level
  [38/42]: configuring Posix uid/gid generation
  [39/42]: adding replication acis
  [40/42]: activating sidgen plugin
  [41/42]: activating extdom plugin
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC

WARNING: The CA service is only installed on one server (ipa1.dc.losinx.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

"""
The replica is now installed. The last lines show that the CA service is only installed on ipa1,
so, as the message says, run ipa-ca-install next to replicate the CA as well.
"""
```
• Replicate the CA service

```bash
[root@ipa2 ~]# ipa-ca-install
Directory Manager (existing master) password:  # enter the Directory Manager password set earlier

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/27]: creating certificate server db
  [2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/27]: creating ACIs for admin
  [4/27]: creating installation admin user
  [5/27]: configuring certificate server instance
  [6/27]: reindex attributes
  [7/27]: exporting Dogtag certificate store pin
  [8/27]: stopping certificate server instance to update CS.cfg
  [9/27]: backing up CS.cfg
  [10/27]: disabling nonces
  [11/27]: set up CRL publishing
  [12/27]: enable PKIX certificate path discovery and validation
  [13/27]: destroying installation admin user
  [14/27]: starting certificate server instance
  [15/27]: Finalize replication settings
  [16/27]: setting audit signing renewal to 2 years
  [17/27]: restarting certificate server
  [18/27]: authorizing RA to modify profiles
  [19/27]: authorizing RA to manage lightweight CAs
  [20/27]: Ensure lightweight CAs container exists
  [21/27]: configure certificate renewals
  [22/27]: configure Server-Cert certificate renewal
  [23/27]: Configure HTTP to proxy connections
  [24/27]: restarting certificate server
  [25/27]: updating IPA configuration
  [26/27]: enabling CA instance
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
```
• Check the status

```bash
# ipa2
[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

# ipa1
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


# both machines now report the same set of running services
```
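The status checks in sections 3 and 4 compare the `ipactl status` output of both nodes by eye. The script below is an added example, not code from the original post or from FreeIPA: it parses that output, checks that every service is RUNNING, that both nodes list the same services, and that the CA (pki-tomcatd) runs on more than one node, which is the condition the ipa-replica-install warning above complains about. The live mode assumes root ssh access from the admin host to ipa1 and ipa2.

```shell
#!/bin/sh
# Added example, not part of the original post: makes the "both nodes show the
# same ipactl status" check scriptable. Node names are the ones this post uses;
# STATUS_OK is the page's output, STATUS_BAD a constructed variant with one
# service stopped.

IPA_NODES="ipa1.dc.losinx.com ipa2.dc.losinx.com"

STATUS_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'
STATUS_BAD=$(printf '%s\n' "$STATUS_OK" | sed 's/^pki-tomcatd Service: RUNNING$/pki-tomcatd Service: STOPPED/')

# not_running OUTPUT: names of services whose state is anything but RUNNING
not_running() {
    printf '%s\n' "$1" | awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 }'
}

# same_services OUT_A OUT_B: success if both nodes list the same services
same_services() {
    a=$(printf '%s\n' "$1" | awk -F': ' '/ Service: / { print $1 }' | sort)
    b=$(printf '%s\n' "$2" | awk -F': ' '/ Service: / { print $1 }' | sort)
    [ "$a" = "$b" ]
}

# ca_count OUT...: how many of the given outputs have the CA (pki-tomcatd)
# running; ipa-replica-install warned above while only one node had it, and a
# lone CA is a single point of failure
ca_count() {
    c=0
    for o in "$@"; do
        printf '%s\n' "$o" | grep -qx 'pki-tomcatd Service: RUNNING' && c=$((c + 1))
    done
    echo "$c"
}

# check_live: fetch ipactl status from each node over ssh (assumes root ssh
# access from the admin host), apply the checks, exit non-zero on any problem
check_live() {
    rc=0; prev=""; cas=0
    for n in $IPA_NODES; do
        out=$(ssh "root@$n" ipactl status 2>&1) || { echo "$n: ipactl failed"; rc=1; continue; }
        bad=$(not_running "$out")
        [ -z "$bad" ] || { echo "$n: not running: $(echo $bad)"; rc=1; }
        if [ -n "$prev" ] && ! same_services "$prev" "$out"; then
            echo "$n: service list differs from the previous node"; rc=1
        fi
        cas=$((cas + $(ca_count "$out"))); prev=$out
    done
    [ "$cas" -ge 2 ] || { echo "CA runs on $cas node(s); run ipa-ca-install on another master"; rc=1; }
    return $rc
}
if [ "${1-}" = "--live" ]; then check_live; fi
```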

# 5. Summary

1) The FreeIPA installation mainly consists of the base services Kerberos, LDAP and NTP.

  1. Auth-A: authentication for CentOS servers is managed centrally; FreeIPA integrates Kerberos and SSSD.
  2. Auth-Z: authorization for CentOS servers is managed centrally; FreeIPA integrates Kerberos and SSSD.
  3. CA: enterprise certificates are managed centrally; FreeIPA integrates Dogtag.
  4. NTP: time synchronization is provided; FreeIPA integrates chronyd.
  5. LDAP: usernames and passwords are managed in one place and integrated with other subsystems; FreeIPA integrates 389 Directory Server.
• Uninstall

```bash
# run on ipa1
[root@ipa1 ~]# ipa-replica-manage del ipa2.dc.losinx.com
[root@ipa1 ~]# ipa-server-install --uninstall
# ipa2 
[root@ipa2 ~]# ipa-server-install --uninstall
```
• Access

FreeIPA replication is multi-master: both servers are masters, and each sends its changes to the other.

Note: once deployed, you can log in to either address to view and modify the configuration.

```text
ipa1.dc.losinx.com
ipa2.dc.losinx.com
```
Last updated: 2024/06/12, 10:53:12