How to build ipa-server from zero to realize ldap+kerberos network user authentication

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains how to build an ipa-server from scratch to provide LDAP+Kerberos network user authentication. The editor thinks it is very practical, so it is shared here for you to learn from; I hope you get something out of it.

1. Introduction to user information and authentication services

1.1 As networks have grown, enterprises run more and more hosts, and managing host users has become a difficult task.

One solution is to keep account information not in each local system but in a central location, so that users are managed centrally.

Single sign-on (SSO) is one of the most popular solutions for enterprise business integration.

SSO means that across multiple application systems, a user only needs to log in once to access all trusted applications.

1.2 To build a centralized authentication management system, you need to provide two things: account information and authentication information.

1.2.1 Account information: user name, UID, GID, etc. Popular solutions for storing it: LDAP, NIS, AD or IPA-server.

1.2.2 Authentication information: password, fingerprint, etc. Kerberos is a network authentication protocol that provides only the SSO authentication service; it is usually used together with LDAP, which holds the account information.

Typical implementations: AD (Microsoft Active Directory) and IPA-server.

2. Build IPA-server from scratch

2.1 Preparation:

One physical host and two VM virtual machines; the system is Red Hat 7.0 or above (with a graphical interface installed).

Physical host address: ip 192.168.0.111/24, gw 192.168.0.1, dns 192.168.0.1. Choose addresses according to your own situation.

First virtual machine: network card type is automatic bridging; ip 192.168.0.118/24, gw 192.168.0.1; dns does not need to be configured for the time being. We will configure this virtual machine as the ipa-server.

Second virtual machine: network card type is automatic bridging; ip 192.168.0.119/24, gw 192.168.0.1, dns 192.168.0.118.

2.2 Pre-installation conditions for the IPA-server service:

1. You must have a fully qualified host name

2. A static ip address

3. The host name must be resolvable (forward and reverse resolution)

4. The host name should also be resolvable from the hosts file, and must not resolve to 127.1 (loopback)

5. Firewall rules and services activated

6. ntp time synchronization done
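The checks above can be scripted so they are run on both server and client before the install commands below. This is an added example, not from the original article; it assumes sh, awk, hostname, getent and chronyc are present (all standard on a RHEL 7 host), and the check_hosts_entry function can be pointed at any hosts file.

```shell
#!/bin/sh
# Pre-flight check for the section 2.2 prerequisites. Added example, not from
# the original article. Assumed tools: sh, awk, hostname, getent, chronyc.

# True for a loopback address (127.0.0.0/8): a host name that resolves there
# must be rejected, since the IPA principals and DNS records would be useless.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# A fully qualified name needs at least one dot: "server" fails, "server.zhuxu.co" passes.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Reverse-zone name whose PTR record must exist for an IPv4 address, e.g.
# 192.168.0.118 -> 118.0.168.192.in-addr.arpa (the name given to "dig -t ptr").
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Check that a hosts file maps FQDN to the expected static IP and not to loopback.
# Usage: check_hosts_entry /etc/hosts 192.168.0.118 server.zhuxu.co
check_hosts_entry() {
    file=$1; want_ip=$2; fqdn=$3
    # First non-comment line that lists the FQDN as one of its names.
    got_ip=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$file")
    if [ -z "$got_ip" ]; then echo "FAIL: $fqdn has no entry in $file"; return 1; fi
    if is_loopback "$got_ip"; then echo "FAIL: $fqdn maps to loopback $got_ip"; return 1; fi
    if [ "$got_ip" != "$want_ip" ]; then echo "FAIL: $fqdn maps to $got_ip, expected $want_ip"; return 1; fi
    return 0
}

# Live checks on this host; run as root before ipa-server-install or ipa-client-install.
preflight() {
    fqdn=$(hostname); ip=$1; rc=0
    is_fqdn "$fqdn" || { echo "FAIL: hostname '$fqdn' is not fully qualified"; rc=1; }
    check_hosts_entry /etc/hosts "$ip" "$fqdn" || rc=1
    # Forward lookup (hosts file or DNS) must agree with the static address.
    [ "$(getent hosts "$fqdn" | awk '{ print $1; exit }')" = "$ip" ] || { echo "FAIL: $fqdn does not resolve to $ip"; rc=1; }
    # chronyd must be synchronised: Kerberos rejects tickets beyond a few minutes of clock skew.
    chronyc tracking 2>/dev/null | grep -q '^Leap status *: Normal' || echo "WARN: time not synchronised"
    echo "reverse zone to verify after install: $(ptr_name "$ip")"
    return $rc
}
```

Run it as `preflight 192.168.0.118` on the server and `preflight 192.168.0.119` on the client; a non-zero exit means one of the section 2.2 conditions is not met.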

2.3 Now operate the virtual machine 192.168.0.118, called server for short.

1. Set the hostname to server.zhuxu.co

[root@server ~]# hostnamectl set-hostname server.zhuxu.co
[root@server ~]# hostname server.zhuxu.co

2. Static ip address: already set in the preparation work.

3. Host name resolution (forward and reverse): you don't have to do this step. Installing ipa-server configures the dns service automatically.

4. vim /etc/hosts and add the line: 192.168.0.118 server.zhuxu.co server

5. To simplify the steps, turn off the firewall and selinux directly. (I will post another version that adds the firewall configuration.)

[root@server ~]# iptables -F                   clear the iptables rules
[root@server ~]# systemctl stop iptables       stop the iptables service
[root@server ~]# systemctl disable iptables    stop iptables from starting at boot
[root@server ~]# systemctl stop firewalld      stop the firewalld service
[root@server ~]# systemctl disable firewalld   stop firewalld from starting at boot
[root@server ~]# setenforce 0                  temporarily set selinux to permissive mode

Edit /etc/selinux/config and set SELINUX=permissive

6. vim /etc/chrony.conf: comment out the first three server lines, and edit the last one to read: server ntp1.aliyun.com iburst

[root@server ~]# systemctl restart chronyd.service   restart the time service

7. Configure the yum source. I choose to mount the CD as the yum repository.

[root@server ~]# vim /etc/yum.repos.d/server.repo

Enter the following in the file:

[base]
name=redhat7
baseurl=file:///mnt
enabled=1
gpgcheck=0

Mount the CD to /mnt (make sure the CD is connected):

[root@server ~]# mount /dev/cdrom /mnt

The server-side installation conditions are now ready.

2.4 Install ipa-server

Ipa-server relies on the dns service to work. The packages we need to install are: ipa-server bind bind-dyndb-ldap ipa-server-dns

bind provides the dns service; bind-dyndb-ldap provides the component that connects dns to ldap.

ipa-server-dns provides the component that connects ipa-server to dns (depending on the packages chosen when installing the system, it may already be installed).

[root@server ~]# yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns

2.5 Configure ipa-server

[root@server ~]# ipa-server-install --setup-dns   -- install ipa-server and configure dns automatically

Server host name [server.zhuxu.co]:   -- Enter (default)
Please confirm the domain name [zhuxu.co]:   -- Enter (default)
Please provide a realm name [ZHUXU.CO]:   -- Enter (default)
Directory Manager password:   -- set the Directory Manager password, at least 8 characters
IPA admin password:   -- set the password of the ipa administrator admin, at least 8 characters; you must remember it
Do you want to configure DNS forwarders? [yes]: no   -- configure dns forwarders? choose no
Do you want to search for missing reverse zones? [yes]: yes   -- configure the reverse zone of dns? choose yes
Continue to configure the system with these values? [no]: yes   -- continue configuring the system with these values? choose yes

[root@server ~]# systemctl enable sssd   -- start sssd at boot (sssd: System Security Services Daemon)
[root@server ~]# systemctl start sssd   -- start the sssd service (it may already be running)
[root@server ~]# authconfig --enablemkhomedir --update   -- create a home directory by default for newly created users, and update the authentication configuration

2.6 Verify ipa-server and dns

2.6.1 Verify ipa-server

[root@server ~]# kinit admin   -- you must log in as admin to manage the domain
Password for admin@ZHUXU.CO:
[root@server ~]# ipa user-find --all   -- view the information of all domain users
1 user matched
dn: uid=admin,cn=users,cn=accounts,dc=zhuxu,dc=co
User login: admin
....
Number of entries returned 1

2.6.2 Verify dns resolution

[root@server ~]# dig -t a server.zhuxu.co   -- view the A record of server.zhuxu.co (forward)
[root@server ~]# dig -t ptr 118.0.168.192.in-addr.arpa   -- view the PTR record of server.zhuxu.co (reverse)

2.7 Server configuration is finished. Restart the system:

[root@server ~] # reboot

3. Add users and hosts through the web interface (the command-line method is introduced in the next chapter, on using domain users with nfs)

Open https://server.zhuxu.co/ipa/ui in Firefox on server.zhuxu.co to manage the domain.

Client configuration

1 Preparation

1.1 Configure the hostname

[root@client ~]# hostnamectl set-hostname client.zhuxu.co
[root@client ~]# hostname client.zhuxu.co

1.2 Set a static ip address; dns must point to the ip of server.zhuxu.co

1.3 Turn off the firewall, as on the server side

1.4 Modify the hosts file and add: 192.168.0.119 client.zhuxu.co client

1.5 Do time synchronization

vim /etc/chrony.conf: comment out the first three server lines, and edit the last one to read: server ntp1.aliyun.com iburst

[root@client ~]# systemctl restart chronyd.service   restart the time service

1.6 Configure the yum source. I choose to mount the CD as the yum repository.

[root@client ~]# vim /etc/yum.repos.d/server.repo

Enter the following in the file:

[base]
name=redhat7
baseurl=file:///mnt
enabled=1
gpgcheck=0

Mount the CD to /mnt (make sure the CD is connected):

[root@client ~]# mount /dev/cdrom /mnt

2 Configure the client

2.1 Install the packages

[root@client ~]# yum install -y authconfig authconfig-gtk ipa-client

2.2 Use the graphical tool to configure the kerberos authentication information

[root@client ~] # authconfig-gtk

2.3 Configure ipa-client

[root@client ~]# ipa-client-install --domain=zhuxu.co --no-ntp --realm=ZHUXU.CO --mkhomedir

Join the domain, do not let the client configure ntp, and automatically create a home directory when a user logs in for the first time.

Continue to configure the system with these values? [no]: yes   -- continue configuring the system with these values? choose yes
User authorized to enroll computers: admin   -- the domain administrator
Password for admin@ZHUXU.CO:   -- the admin password

3 Verify that the user can log in

[root@client ~]# ssh tom@client.zhuxu.co   -- test login on the client
Password:   -- enter the password
Password expired. Change your password now.   -- you are reminded that your password has expired
Current Password:   -- enter the current password
New password:   -- enter the new password
Retype new password:
Creating home directory for tom.

[tom@client ~]$ whoami   -- login succeeded
tom

[tom@client ~]$ pwd   -- we are in the home directory, so it was created successfully
/home/tom

All configuration is complete. A full ipa-server configuration walkthrough is hard to find on the Internet; this is probably the most comprehensive one on Baidu, and it was built from scratch.

The above is how to build an ipa-server from scratch to provide LDAP+Kerberos network user authentication. The editor believes it covers knowledge points we may see or use in daily work. I hope you learned something from this article.
