Thoughts about IPA installation
IPA or IdM in its Red Hat productised form is a very neat product. It allows centralised authentication and policy management while providing that over secure channels (kerberos and TLS). IdM provides quite a few features and you may decide that you’re better off without some (saving the extra calories/effort for later) as your infrastructure may already provide those on the side.
This example installation is without DNS, without a CA, and without NTP (VM installations shouldn’t really be running NTP anyway).
Once you’re past the stage of convincing management that it’ll be good for you (and good for them) to allow this installation to happen, this is what you need to think about and discuss with the team managing Certificate Authorities, NTP servers, and DNS:
- DNS – DNS zones need to be configured so that IPA acts as the KDC for its own group of servers. If there are existing KDCs in a different realm in the environment, the IPA servers will need to live in a different subdomain/domain, so that the SRV records only return the IPA servers when queried about kerberos in that subdomain.
- Certificates – IPA uses SSL for ldap and http. IPA could be acting as a Certificate Authority but not in this instance. Active Directory (or something else) may already be configured as a Certificate Authority which could allow you to present your windows team with a certificate request from IPA to sign in order to obtain a valid web certificate.
- Time – a uniform time source across the estate, IPA servers and clients alike. Think about business meetings, SSL, sex, humour, and trains – all require good timing.
NOTE: IPA/IdM used to have to provide certificates by default to its clients on installation. As this is no longer the case, IPA can be installed without a CA in an easier fashion than you’re used to. Give it a try.
Prerequisite Checking for IPA installation
NOTE: The following installation is for IPA version 4.1 and AD version 2012R2.
Check that you have:
- Access to the right software packages via yum (normal RHEL/CentOS base repo should do)
- Forward and reverse resolvable hostname
- An entry in the /etc/hosts with the ip address and hostname
- nscd off
- An up-to-date OS installation
- Still got your sanity (test to be performed by an external third party)
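The resolution checks in the list above are the ones ipa-server-install trips over most often, so here is an added preflight script (not from the original post; written in Python rather than shell so the logic can be exercised offline). The hostname, the 192.0.2.10 address and the sample /etc/hosts content are constructed; the lookup functions are injectable so the same check runs against live DNS on the real server.

```python
import socket

def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its address; comments are ignored."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name.lower()] = fields[0]
    return names

def dns_forward(name):  # live forward lookup; None when the name does not resolve
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dns_reverse(ip):  # live reverse lookup; None when there is no PTR record
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(fqdn, hosts_text, forward=dns_forward, reverse=dns_reverse):
    """Return the problems found (empty list means ready). The lookups are
    injectable so the logic can be exercised offline against constructed data."""
    problems = []
    if "." not in fqdn:
        problems.append(f"{fqdn} is not a fully qualified hostname")
    ip = forward(fqdn)
    if ip is None:
        return problems + [f"{fqdn} has no forward (A) record"]
    if ip.startswith("127."):
        problems.append(f"{fqdn} resolves to loopback address {ip}")
    rname = reverse(ip)
    if rname is None:
        problems.append(f"{ip} has no reverse (PTR) record")
    elif rname.lower() != fqdn.lower():
        problems.append(f"PTR for {ip} is {rname}, expected {fqdn}")
    if parse_hosts(hosts_text).get(fqdn.lower()) != ip:
        problems.append(f"/etc/hosts lacks a '{ip} {fqdn}' entry")
    return problems

# Constructed sample data: the page's hostname with a documentation-range address.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 idm.mgmt.linux.local idm\n"
SAMPLE_FORWARD = {"idm.mgmt.linux.local": "192.0.2.10"}.get
SAMPLE_REVERSE = {"192.0.2.10": "idm.mgmt.linux.local"}.get
```

On the server itself, call check_host(socket.getfqdn(), open("/etc/hosts").read()) and clear every reported problem before running ipa-server-install.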
The certificate creation
Create your secret private key for your server. Here, we are using openssl to generate a private key:
mkdir /root/certs
# name the key after the FQDN so the CSR and ipa-server-install steps below find it
openssl genrsa -out /root/certs/http.$(hostname -f).key 2048
And then, the certificate request below:
[root@idm certs]# openssl req \
    -key /root/certs/http.idm.mgmt.linux.local.key \
    -out /root/certs/$(hostname -f).csr -new
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Norfolk
Locality Name (eg, city) [Default City]:Norwich
Organization Name (eg, company) [Default Company Ltd]:MGMT.LINUX.LOCAL
Organizational Unit Name (eg, section) []:She ITs And Giggles
Common Name (eg, your name or your server's hostname) []:idm.mgmt.linux.local
Email Address []:root@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SheITsAndGiggles
An optional company name []:
Your AD Certificate Authority should be able to sign this CSR; then retrieve the CA chain together with the signed certificate for the IPA installation. An example of how to sign certificates in a Windows CA can be found here: Generate a Digital Certificate from CSR.
To examine the Certificates, open them as follows:
openssl x509 -in <certificate> -text
The Installation
The following step just downloads the software on the server. It doesn’t start any services:
yum -y install ipa-server ipa-server-trust-ad
Now for the fun part:
ipa-server-install --http-cert-file /root/certs/http.idm.mgmt.linux.local.crt \
    --http-cert-file /root/certs/http.idm.mgmt.linux.local.key \
    --http-pin SheITsAndGiggles \
    --dirsrv-cert-file /root/certs/http.idm.mgmt.linux.local.crt \
    --dirsrv-cert-file /root/certs/http.idm.mgmt.linux.local.key \
    --dirsrv-pin SheITsAndGiggles --ca-cert-file ca-chain.p7b \
    -n mgmt.linux.local -r LINUX.LOCAL --mkhomedir
NOTE: I have used the same certificate and key for the http and directory servers. The p7b file that has been downloaded from the CA is the chain.
After the installation, you will need to open all the ports for the services that we are running and add some DNS entries to advertise those services:
systemctl enable firewalld
firewall-cmd --permanent --zone=public \
    --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,88/udp,464/udp}
firewall-cmd --reload
To tell your IPA clients what you are serving you need to advertise the services via DNS. Find an example below:
_ldap._tcp IN SRV 0 100 389 idm
_ldap._udp IN SRV 0 100 389 idm
_kerberos IN TXT MGMT.LINUX.LOCAL
_kerberos._tcp IN SRV 0 100 88 idm
_kerberos._udp IN SRV 0 100 88 idm
_kerberos-master._tcp IN SRV 0 100 88 idm
_kerberos-master._udp IN SRV 0 100 88 idm
_kpasswd._tcp IN SRV 0 100 464 idm
_kpasswd._udp IN SRV 0 100 464 idm
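The firewall step and the DNS step above advertise the same services, so they need to agree. This added cross-check (not from the original post; Python so it runs offline on the records as pasted) parses the SRV lines and reports any port/protocol they advertise that the firewall-cmd list does not open. The ZONE and FIREWALL_PORTS strings are constructed copies of the two snippets above; on them it reports 389/udp, which the _ldap._udp record advertises but the port list leaves closed, so decide whether to open that port or drop the record.

```python
import re

# Constructed copies of the zone snippet and the firewalld port list shown on this page.
ZONE = """\
_ldap._tcp IN SRV 0 100 389 idm
_ldap._udp IN SRV 0 100 389 idm
_kerberos IN TXT MGMT.LINUX.LOCAL
_kerberos._tcp IN SRV 0 100 88 idm
_kerberos._udp IN SRV 0 100 88 idm
_kerberos-master._tcp IN SRV 0 100 88 idm
_kerberos-master._udp IN SRV 0 100 88 idm
_kpasswd._tcp IN SRV 0 100 464 idm
_kpasswd._udp IN SRV 0 100 464 idm
"""
FIREWALL_PORTS = "{80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,88/udp,464/udp}"

# "_service._proto IN SRV priority weight port target"; TXT and other records do not match.
SRV_RE = re.compile(r"^(_[\w-]+)\.(_tcp|_udp)\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)

def parse_srv(zone_text):
    """Return {(service, proto): [(port, target), ...]} for every SRV line."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            svc, proto, port, target = m.groups()
            records.setdefault((svc, proto.lstrip("_")), []).append((int(port), target))
    return records

def parse_ports(spec):
    """Turn the brace list given to firewall-cmd --add-port into a set like {'88/tcp', ...}."""
    return {p.strip() for p in spec.strip("{}").split(",") if p.strip()}

def unopened_advertised(zone_text, port_spec):
    """Port/protocol pairs that the SRV records advertise but the firewall does not open."""
    opened = parse_ports(port_spec)
    needed = {f"{port}/{proto}" for (_, proto), entries in parse_srv(zone_text).items()
              for port, _ in entries}
    return sorted(needed - opened)

if __name__ == "__main__":
    for pair in unopened_advertised(ZONE, FIREWALL_PORTS):
        print("advertised in DNS but not opened in firewalld:", pair)
```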
Check that the installation is running as it should by getting kerberos credentials for your admin user and then ssh-ing to the IPA server as admin:
[root@idm ~]# kinit admin
[root@idm ~]# ssh admin@$(hostname -f)
Creating home directory for admin.