2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Brief introduction
FreeIPA is a security information management solution that integrates Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (certificate system). It consists of a web interface and command-line management tools.
FreeIPA is an integrated identity and authentication solution for Linux/UNIX network environments. The FreeIPA server provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects needed to manage computer network security.
FreeIPA is built on well-known open source components and standard protocols, with a strong emphasis on ease of management and automation of installation and configuration tasks.
Multiple FreeIPA servers can be easily configured in a FreeIPA domain to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a complete multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided through the MIT Kerberos KDC. The integrated certificate authority based on the Dogtag project enhances authentication capabilities. You can also use the integrated ISC BIND server to manage domain names.
Environment preparation
Two CentOS 7.7 virtual machines
IPA server version 4.6.5
Address information
VM1 as the server
VM2 as a client
              Virtual Machine 1/VM1    Virtual Machine 2/VM2
IP/Netmask    192.168.43.138/24        192.168.43.139/24
Gateway       192.168.43.2             192.168.43.2
DNS           114.114.114.114          114.114.114.114
The DNS address is first set to a public address because the software packages need to be installed from the network. After installing the packages, change the DNS address of VM1 and VM2 to 192.168.43.138, that is, the address of VM1.
Turn off the firewall
Both virtual machines need to turn off the firewall.
# Disable firewalld and set SELinux to permissive mode
[root@localhost ~]# systemctl stop firewalld && systemctl disable firewalld && setenforce 0
# Disable SELinux
[root@localhost ~]# sed -i '/^SELINUX/s/enforcing/disabled/' /etc/selinux/config
Modify the hostname and the /etc/hosts file
Changes on VM1:
[root@localhost ~]# hostnamectl set-hostname server.linuxprobe.com
[root@localhost ~]# echo '192.168.43.138 server.linuxprobe.com server' >> /etc/hosts
[root@localhost ~]# echo '192.168.43.139 client.linuxprobe.com client' >> /etc/hosts
Changes on VM2:
[root@localhost ~]# hostnamectl set-hostname client.linuxprobe.com
[root@localhost ~]# echo '192.168.43.138 server.linuxprobe.com server' >> /etc/hosts
[root@localhost ~]# echo '192.168.43.139 client.linuxprobe.com client' >> /etc/hosts
Enable NTP time synchronization
Set the NTP server address to ntp.aliyun.com on VM1 and VM2
# Comment out the default server addresses
[root@localhost ~]# sed -i 's/^server/#&/' /etc/chrony.conf
# Add ntp.aliyun.com
[root@localhost ~]# echo 'server ntp.aliyun.com iburst' >> /etc/chrony.conf
# Restart the chronyd service
[root@localhost ~]# systemctl restart chronyd
# View NTP status
[root@localhost ~]# chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88                  2   6    17    40  -5540us[-5762us] +/-   16ms
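A pre-flight check for the two prerequisites configured above, the /etc/hosts mapping and NTP synchronization: ipa-server-install expects the host's fully qualified name to resolve to its real address rather than loopback, and Kerberos rejects requests when clocks drift too far apart. This is an added example, not part of the original article; the function names check_hosts and check_chrony and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight checks to run before ipa-server-install (added example).

# check_hosts FILE FQDN IP: succeed only if FQDN is fully qualified and every
# entry for it in FILE maps to IP. A stale or loopback line for the same name
# leaves conflicting entries, which this reports.
check_hosts() {
  local file="$1" fqdn="$2" want="$3" ips
  case $fqdn in
    *.*) ;;
    *) echo "FAIL: '$fqdn' is not a fully qualified name"; return 1 ;;
  esac
  ips=$(awk -v h="$fqdn" '
    { sub(/#.*/, "")                       # drop comments
      for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$file" | sort -u | xargs)
  if [ -z "$ips" ]; then echo "FAIL: no entry for $fqdn in $file"; return 1; fi
  if [ "$ips" != "$want" ]; then
    echo "FAIL: $fqdn maps to [$ips], expected $want"; return 1
  fi
  echo "OK: $fqdn -> $want"
}

# check_chrony: read `chronyc sources` output on stdin; succeed only if a
# source line starts with '^*' (the server chronyd is currently synced to).
check_chrony() {
  if grep -q '^\^\*'; then echo "OK: clock is synchronised"
  else echo "FAIL: no synchronised NTP source"; return 1; fi
}

# Constructed sample data, so the script runs without touching the system.
demo() {
  local tmp; tmp=$(mktemp)
  printf '%s\n' '127.0.0.1 localhost' \
    '192.168.43.138 server.linuxprobe.com server' \
    '192.168.43.139 client.linuxprobe.com client' > "$tmp"
  check_hosts "$tmp" server.linuxprobe.com 192.168.43.138
  echo '127.0.0.1 server.linuxprobe.com' >> "$tmp"   # conflicting entry
  check_hosts "$tmp" server.linuxprobe.com 192.168.43.138 || true
  echo '^* 203.107.6.88  2  6  17  40  -5540us[-5762us] +/-  16ms' | check_chrony
  echo '^? 203.107.6.88  0  6   0   -     +0ns[   +0ns] +/-    0ns' | check_chrony || true
  rm -f "$tmp"
}
demo
```

On a real host, run it as `check_hosts /etc/hosts "$(hostname -f)" 192.168.43.138` and `chronyc sources | check_chrony`.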
Then restart VM1 and VM2
[root@localhost ~]# reboot
Configure the FreeIPA server
Install ipa-server
[root@server ~]# yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
Configure ipa-server on VM1
First set the DNS address of the network interface to the machine's own address.
Then configure ipa-server
[root@server ~]# ipa-server-install --setup-dns --forwarder=114.114.114.114
# Create a home directory for users on first login, and update the configuration
[root@server ~]# authconfig --enablemkhomedir --update