# FreeIPA High-Availability Deployment
FreeIPA is an integrated security information management solution. A FreeIPA server provides centralized authentication, authorization and account information by storing and managing the data about users, groups, hosts and other objects that securing a computer network requires. It combines Linux, Directory Server, MIT Kerberos, NTP, DNS and Dogtag (the certificate system), and is managed through a web interface and command-line tools. It plays a role similar to an AD domain on Windows.
# 1. Machine plan
System version: CentOS 7.6

Host | IP | Role | Domain name |
---|---|---|---|
ipa1 | 172.16.12.10 | master | ipa1.dc.losinx.com |
ipa2 | 172.16.12.11 | master | ipa2.dc.losinx.com |
# 2. Environment preparation
# 2.1 Check system information
```
# Distribution release
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# Kernel
[root@localhost ~]# uname -r
3.10.0-957.el7.x86_64
```
# 2.2 Set the hostname
```
# ipa1
[root@localhost ~]# hostnamectl set-hostname ipa1.dc.losinx.com
[root@localhost ~]# hostname
ipa1.dc.losinx.com
# ipa2
[root@localhost ~]# hostnamectl set-hostname ipa2.dc.losinx.com
[root@localhost ~]# hostname
ipa2.dc.losinx.com
```
# 2.3 Configure hosts-file resolution
```
cat /etc/hosts
172.16.12.10 ipa1.dc.losinx.com
172.16.12.11 ipa2.dc.losinx.com
```
# 2.4 Configure DNS resolution
FreeIPA depends heavily on DNS. My domain is hosted at Alibaba Cloud, so I created the records there directly, resolving each name to its IP:
```
ipa1.dc.losinx.com 172.16.12.10
ipa2.dc.losinx.com 172.16.12.11
# Note: FreeIPA ships an integrated DNS service that can optionally be installed. I rely on Alibaba Cloud DNS here, so installing and configuring DNS is not covered.
```
# 2.5 Configure the yum repository (optional)
```
[root@ipa1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@ipa1 ~]# yum clean all # clear all yum caches on the system
[root@ipa1 ~]# yum makecache # rebuild the yum cache
```
# 2.6 Upgrade the kernel
Whether to upgrade the kernel depends on your situation. I upgraded because the stock kernel of this release is fairly old and the installation ran into problems without it.
```
# If you choose to upgrade, do it on both machines and reboot afterwards
# ## For a fresh machine
[root@ipa1 ~]# yum update
[root@ipa1 ~]# uname -r
3.10.0-1127.18.2.el7.x86_64
# ## If you do not want a full upgrade, upgrade only the kernel to a specific version
# Note: without the kernel upgrade, the stock kernel may make FreeIPA 4.6.6 fail with an error like the one below during certificate generation
"""
2020-08-05T09:50:36Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
2020-08-05T09:50:36Z ERROR Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
"""
```
# 2.7 Firewall
```
systemctl disable firewalld
systemctl stop firewalld
# If you prefer to keep the firewall enabled, allow the services used below instead
"""
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd}
firewall-cmd --reload
"""
```
# 3. Install the server
- Install the ipa-server package
```
[root@ipa1 ~]# yum install ipa-server -y
```
- Run the installer
```
[root@ipa1 ~]# ipa-server-install --domain=dc.losinx.com --realm=DC.LOSINX.COM
........
Do you want to configure integrated DNS (BIND)? [no]: no # whether to install the DNS service
........
Server host name [ipa1.dc.losinx.com]: # the hostname set earlier; accept the default
.........
Directory Manager password: 12345678 # password of the directory service administrator
Password (confirm): 12345678 # confirm the password
.........
IPA admin password: 12345678 # login password of the IPA admin (web UI)
Password (confirm): 12345678 # confirm the password
.........
Continue to configure the system with these values? [no]: yes # confirm the configuration
.........
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.VBLPLU.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
# Output like the above means the installation succeeded
```
- Check service status
```
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
- Obtain a Kerberos ticket
```
[root@ipa1 ~]# kinit admin
Password for admin@DC.LOSINX.COM: # the admin password set above
```
- View the ticket
```
[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DC.LOSINX.COM
Valid starting Expires Service principal
08/05/2020 18:39:40 08/06/2020 18:39:35 krbtgt/DC.LOSINX.COM@DC.LOSINX.COM
```
- Access the web UI
```
# Open the domain name directly; the browser warns about the certificate, so ignore the warning and continue
https://ipa1.dc.losinx.com
```
# 4. Replica server
# 4.1 Install the FreeIPA client
```
[root@ipa2 ~]# yum install freeipa-client -y
```
# 4.2 Run the client installer
```
[root@ipa2 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): dc.losinx.com # the IPA domain
Provide your IPA server name (ex: ipa.example.com): ipa1.dc.losinx.com # FQDN of the ipa1 node
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes # do not use DNS discovery
Client hostname: ipa2.dc.losinx.com
Realm: DC.LOSINX.COM
DNS Domain: dc.losinx.com
IPA Server: ipa1.dc.losinx.com
BaseDN: dc=dc,dc=losinx,dc=com
Continue to configure the system with these values? [no]: yes # confirm the configuration
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
User authorized to enroll computers: admin # user name
Password for admin@DC.LOSINX.COM: # password
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=DC.LOSINX.COM
Issuer: CN=Certificate Authority,O=DC.LOSINX.COM
Valid From: 2020-08-06 01:15:31
Valid Until: 2040-08-06 01:15:31
Enrolled in IPA realm DC.LOSINX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DC.LOSINX.COM
trying https://ipa1.dc.losinx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.dc.losinx.com/ipa/json'
trying https://ipa1.dc.losinx.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dc.losinx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful # installation complete
```
# 4.3 Install the FreeIPA replica
- Install the server components
```
[root@ipa2 ~]# yum install ipa-server -y
```
- Run the replica installer
```
[root@ipa2 ~]# ipa-replica-install
Password for admin@DC.LOSINX.COM: # enter the admin password
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
[2/42]: enabling ldapi
[3/42]: configure autobind for root
[4/42]: stopping directory server
[5/42]: updating configuration in dse.ldif
[6/42]: starting directory server
[7/42]: adding default schema
[8/42]: enabling memberof plugin
[9/42]: enabling winsync plugin
[10/42]: configure password logging
[11/42]: configuring replication version plugin
[12/42]: enabling IPA enrollment plugin
[13/42]: configuring uniqueness plugin
[14/42]: configuring uuid plugin
[15/42]: configuring modrdn plugin
[16/42]: configuring DNS plugin
[17/42]: enabling entryUSN plugin
[18/42]: configuring lockout plugin
[19/42]: configuring topology plugin
[20/42]: creating indices
[21/42]: enabling referential integrity plugin
[22/42]: configuring certmap.conf
[23/42]: configure new location for managed entries
[24/42]: configure dirsrv ccache
[25/42]: enabling SASL mapping fallback
[26/42]: restarting directory server
[27/42]: creating DS keytab
[28/42]: ignore time skew for initial replication
[29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[30/42]: prevent time skew after initial replication
[31/42]: adding sasl mappings to the directory
[32/42]: updating schema
[33/42]: setting Auto Member configuration
[34/42]: enabling S4U2Proxy delegation
[35/42]: initializing group membership
[36/42]: adding master entry
[37/42]: initializing domain level
[38/42]: configuring Posix uid/gid generation
[39/42]: adding replication acis
[40/42]: activating sidgen plugin
[41/42]: activating extdom plugin
[42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: setting mod_nss port to 443
[3/22]: setting mod_nss cipher suite
[4/22]: setting mod_nss protocol list to TLSv1.2
[5/22]: setting mod_nss password file
[6/22]: enabling mod_nss renegotiate
[7/22]: disabling mod_nss OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: importing CA certificates from LDAP
[15/22]: publish CA cert
[16/22]: clean up any existing httpd ccaches
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
WARNING: The CA service is only installed on one server (ipa1.dc.losinx.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
"""
The replica is now installed. The last lines show that the CA service exists only on ipa1,
so follow the hint and run ipa-ca-install to replicate the CA as well.
"""
```
- Replicate the CA
```
[root@ipa2 ~]# ipa-ca-install
Directory Manager (existing master) password: # the Directory Manager password set earlier
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[3/27]: creating ACIs for admin
[4/27]: creating installation admin user
[5/27]: configuring certificate server instance
[6/27]: reindex attributes
[7/27]: exporting Dogtag certificate store pin
[8/27]: stopping certificate server instance to update CS.cfg
[9/27]: backing up CS.cfg
[10/27]: disabling nonces
[11/27]: set up CRL publishing
[12/27]: enable PKIX certificate path discovery and validation
[13/27]: destroying installation admin user
[14/27]: starting certificate server instance
[15/27]: Finalize replication settings
[16/27]: setting audit signing renewal to 2 years
[17/27]: restarting certificate server
[18/27]: authorizing RA to modify profiles
[19/27]: authorizing RA to manage lightweight CAs
[20/27]: Ensure lightweight CAs container exists
[21/27]: configure certificate renewals
[22/27]: configure Server-Cert certificate renewal
[23/27]: Configure HTTP to proxy connections
[24/27]: restarting certificate server
[25/27]: updating IPA configuration
[26/27]: enabling CA instance
[27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
```
- Check status
```
# ipa2
[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
# ipa1
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
# Both machines show the same service state
```
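Once both masters are up, the condition the replica installer warned about (a CA on only one server) is worth checking mechanically rather than by eye, together with the per-service lines of ipactl status. The script below is an added example, not FreeIPA's own tooling; it parses the output of ipactl status and of ipa server-role-find --role 'CA server' (a command available in FreeIPA 4.5 and later), and the SAMPLE_* values are constructed from the output shapes shown above so it also runs offline.

```shell
#!/usr/bin/env bash
# HA health check for the two-node FreeIPA topology built in this post.
# Added example, not FreeIPA's own tooling. It parses "ipactl status" and
# "ipa server-role-find --role 'CA server'" output; SAMPLE_* below are
# constructed from the output shapes shown in the post, not captured output.

# Print every "<name> Service: <state>" line whose state is not RUNNING and
# return 1 if there was one. ipactl's exit code only says whether the command
# itself ran, so a monitor has to look at the per-service lines.
ipactl_not_running() {
    awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 " -> " $2; bad = 1 }
                END { exit bad ? 1 : 0 }'
}

# Count servers whose "CA server" role is enabled. One CA server is exactly
# what ipa-replica-install warned about: if ipa1 dies, no certificate can be
# issued or renewed, so HA needs at least two.
enabled_ca_servers() {
    awk '/^ *Role name: /   { role = substr($0, index($0, ":") + 2) }
         /^ *Role status: enabled/ && role == "CA server" { n++ }
         END { print n + 0 }'
}

# Live check on an enrolled master; needs an admin ticket (kinit admin).
check_live() {
    local rc=0 n
    ipactl status | ipactl_not_running || rc=1
    n=$(ipa server-role-find --role 'CA server' | enabled_ca_servers)
    [ "$n" -ge 2 ] || { echo "only $n CA server(s); run ipa-ca-install on the other master"; rc=1; }
    return "$rc"
}

# Constructed samples: one stopped service, and a CA enabled on ipa1 only.
SAMPLE_STATUS='Directory Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'
SAMPLE_ROLES='  Server name: ipa1.dc.losinx.com
  Role name: CA server
  Role status: enabled

  Server name: ipa2.dc.losinx.com
  Role name: CA server
  Role status: absent'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    printf '%s\n' "$SAMPLE_STATUS" | ipactl_not_running || echo "sample: a service is down"
    echo "sample: $(printf '%s\n' "$SAMPLE_ROLES" | enabled_ca_servers) CA server(s) enabled"
fi
```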
# 5. Summary
1) The FreeIPA installation mainly sets up the base services Kerberos, LDAP, NTP and so on.
1. Auth-N (authentication) for CentOS servers is easy to manage: FreeIPA integrates Kerberos and SSSD.
2. Auth-Z (authorization) for CentOS servers is easy to manage: FreeIPA integrates Kerberos and SSSD.
3. The CA service makes managing the organization's certificates easy: FreeIPA integrates Dogtag.
4. The NTP service makes time synchronization easy: FreeIPA integrates chronyd.
5. The LDAP service gives unified management of user names and passwords and integration with other subsystems: FreeIPA integrates 389 Directory Server.
- Uninstall
```
# run on the ipa1 server
[root@ipa1 ~]# ipa-replica-manage del ipa2.dc.losinx.com
[root@ipa1 ~]# ipa-server-install --uninstall
# ipa2
[root@ipa2 ~]# ipa-server-install --uninstall
```
- Access
FreeIPA replication is multi-master: both servers are masters and send their changes to each other.
Note: once deployed, you can log in at either address to view and modify the configuration.
```
ipa1.dc.losinx.com
ipa2.dc.losinx.com
```
Last updated: 2024/06/12, 10:53:12