
ID #1215

How do I install FreeIPA onto a Bright Cluster?

1. Install the FreeIPA server packages:
# yum -y install ipa-server

2. Stop the Bright LDAP server. FreeIPA installs its own Directory Server instance, which needs the LDAP ports (389/636) that Bright's local LDAP service is holding:
# cmsh -c "device services master; stop ldap"

3. Change the user portal port in the web server SSL configuration file. FreeIPA's web interface takes over port 443 (the installer output below shows "setting mod_nss port to 443"), so the Bright user portal has to move to another port:

# vim /etc/httpd/conf.d/ssl.conf

On a default installation, changing the following two lines moves the user portal from port 443 to 4443. The line numbers are those of a stock file and may differ on your system, so match the directives rather than the numbers:
line 18: Listen 4443
line 74: <VirtualHost _default_:4443>

4. Set up FreeIPA:
# ipa-server-install --domain=cm.cluster --realm=CM.CLUSTER

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [adel70-c6.cm.cluster]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):


The IPA Master Server will be configured with:
Hostname:      adel70-c6.cm.cluster
IP address:    10.141.255.254
Domain name:   cm.cluster
Realm name:    CM.CLUSTER

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/21]: creating certificate server user
  [2/21]: creating pki-ca instance
  [3/21]: configuring certificate server instance
  [4/21]: disabling nonces
  [5/21]: creating CA agent PKCS#12 file in /root
  [6/21]: creating RA agent certificate database
  [7/21]: importing CA chain to RA certificate database
  [8/21]: fixing RA database permissions
  [9/21]: setting up signing cert profile
  [10/21]: set up CRL publishing
  [11/21]: set certificate subject base
  [12/21]: enabling Subject Key Identifier
  [13/21]: setting audit signing renewal to 2 years
  [14/21]: configuring certificate server to start on boot
  [15/21]: restarting certificate server
  [16/21]: requesting RA certificate from CA
  [17/21]: issuing RA agent certificate
  [18/21]: adding RA agent as a trusted user
  [19/21]: configure certificate renewals
  [20/21]: configure Server-Cert certificate renewal
  [21/21]: Configure HTTP to proxy connections
Done configuring certificate server (pki-cad).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: disabling betxn plugins
  [10/38]: configuring uniqueness plugin
  [11/38]: configuring uuid plugin
  [12/38]: configuring modrdn plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring ssl for ds instance
  [18/38]: configuring certmap.conf
  [19/38]: configure autobind for root
  [20/38]: configure new location for managed entries
  [21/38]: restarting directory server
  [22/38]: adding default layout
  [23/38]: adding delegation layout
  [24/38]: adding replication acis
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: Upload CA cert to the directory
  [33/38]: initializing group membership
  [34/38]: adding master entry
  [35/38]: configuring Posix uid/gid generation
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/13]: setting mod_nss port to 443
  [2/13]: setting mod_nss password file
  [3/13]: enabling mod_nss renegotiate
  [4/13]: adding URL rewriting rules
  [5/13]: configuring httpd
  [6/13]: setting up ssl
  [7/13]: setting up browser autoconfig
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
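The ssl.conf edit in step 3 is described by line numbers of a stock file, and those shift between httpd versions. The script below is an added example, not code from the Bright knowledge base or from FreeIPA: it performs the same edit by matching the Listen and VirtualHost directives, keeps a backup, refuses to run a second time once the port has been moved, and checks that the new port is not already bound before the portal is restarted. The function names and the constructed sample ssl.conf used by the demo are assumptions of this example, not anything the article provides.

```shell
#!/bin/sh
# Added example (not from the Bright KB article or FreeIPA): step 3 done by
# matching directives instead of fixed line numbers. Hypothetical helper
# names: ssl_port_of, vhost_port_of, move_ssl_port, port_free,
# make_sample_conf, demo. The sample ssl.conf below is constructed.

# ssl_port_of FILE: print the port of the first "Listen" directive
ssl_port_of() {
    sed -nE 's/^[[:space:]]*Listen[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# vhost_port_of FILE: print the port of the first "<VirtualHost _default_:PORT>"
vhost_port_of() {
    sed -nE 's/^[[:space:]]*<VirtualHost[[:space:]]+_default_:([0-9]+)>.*/\1/p' "$1" | head -n 1
}

# move_ssl_port FILE OLD NEW: rewrite both directives from OLD to NEW.
# Returns 1 and leaves FILE untouched unless both directives currently use
# OLD, so re-running after a successful move does not clobber the file.
move_ssl_port() {
    file=$1 old=$2 new=$3
    [ "$(ssl_port_of "$file")" = "$old" ] || return 1
    [ "$(vhost_port_of "$file")" = "$old" ] || return 1
    cp -p "$file" "$file.bak" || return 1
    # anchored patterns: only a directive at the start of a line is touched
    sed -E \
        -e "s/^([[:space:]]*Listen[[:space:]]+)${old}([[:space:]]*)\$/\1${new}\2/" \
        -e "s/^([[:space:]]*<VirtualHost[[:space:]]+_default_:)${old}>/\1${new}>/" \
        "$file" > "$file.tmp" || return 1
    # write back through the existing inode so ownership and mode are kept
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# port_free PORT: succeed if no TCP listener is bound to PORT (ss, else netstat)
port_free() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }')
    else
        listeners=$(netstat -ltn 2>/dev/null | awk '{ print $4 }')
    fi
    ! printf '%s\n' "$listeners" | grep -Eq "[:.]$1\$"
}

# make_sample_conf FILE: constructed stand-in for the relevant lines of a
# stock /etc/httpd/conf.d/ssl.conf (NOT the real file)
make_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
SSLEngine on
</VirtualHost>
EOF
}

# Demo on the constructed sample. On a real head node the call is:
#   move_ssl_port /etc/httpd/conf.d/ssl.conf 443 4443 && port_free 4443
demo() {
    f=$(mktemp) || return 1
    make_sample_conf "$f"
    move_ssl_port "$f" 443 4443
    printf 'Listen=%s VirtualHost=%s\n' "$(ssl_port_of "$f")" "$(vhost_port_of "$f")"
    rm -f "$f" "$f.bak"
}
demo
```

Run the real call only after step 2 and before step 4: once ipa-server-install has bound port 443 for its own web interface, an httpd restart with the unedited ssl.conf fails with a bind error.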


6. Create a user:
[root@adel61-centos6 ~]# ipa user-add
First name: mohamed
Last name: adel
User login [madel]: adel
-----------------
Added user "adel"
-----------------
  User login: adel
  First name: mohamed
  Last name: adel
  Full name: mohamed adel
  Display name: mohamed adel
  Initials: ma
  Home directory: /home/adel
  GECOS field: mohamed adel
  Login shell: /bin/sh
  Kerberos principal: adel@CM.CLUSTER
  Email address: adel@cm.cluster
  UID: 401800001
  GID: 401800001
  Password: False
  Kerberos keys available: False

7. Set a password for the user. A freshly added user has no password and no Kerberos keys ("Password: False" above), so the account cannot log in until this is done:
[root@adel61-centos6 ~]# ipa user-mod adel --password
Password: 
Enter Password again to verify: 
--------------------
Modified user "adel"
--------------------
  User login: adel
  First name: mohamed
  Last name: adel
  Home directory: /home/adel
  Login shell: /bin/sh
  Email address: adel@cm.cluster
  UID: 401800001
  GID: 401800001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

8. Configure the user portal to use the correct PAM module, so that portal logins are checked through SSSD (pam_sss.so), and therefore against FreeIPA, instead of the old local LDAP:

[root@adel61-centos6 ~]# cat /etc/pam.d/php 
auth        sufficient    pam_sss.so
account        sufficient    pam_sss.so


Notes:
* The user portal will be accessible via port 4443:
https://hostname:4443

* Once FreeIPA is deployed, the local LDAP service is no longer functional, so Bright can no longer be used to manage users via cmsh or cmgui. From that point on, manage users only through FreeIPA.

* The user created above got /bin/sh as login shell. To configure the default shell for all users:
[root@adel61-centos6 ~]# ipa config-mod --defaultshell=/bin/bash

* To configure the shell for a particular user:
[root@adel61-centos6 ~]# ipa user-mod adel --shell=/bin/bash

