Installing and configuring the IdM service (IPA server) on RHEL 8

This article describes how to install and configure the IdM service (network user management, IPA server) on RHEL 8.

1. Configure the system and install the packages

Edit /etc/hosts and make sure the hostname resolves to the host's IP address:

[root@server ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.26.110 server.rhce8.com server

[root@server ~]#
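A pre-flight check for this step, added here as an example and not part of the original post: ipa-server-install refuses a hostname that resolves only to a loopback address, so the script below scans an /etc/hosts-style file for the FQDN and reports whether it maps to a routable address. The function name check_hosts_entry and the temporary file it builds are my own; the sample file reproduces the hosts entries shown above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the server's FQDN in
# an /etc/hosts-style file maps to a routable address, not only to loopback.
# ipa-server-install rejects a hostname that resolves to 127.0.0.1/::1, so this
# is worth checking before the installer is started.
#
# check_hosts_entry <hosts-file> <fqdn>
#   returns 0 if the FQDN maps to a non-loopback address,
#           2 if it appears only on loopback lines,
#           1 if it is not present at all.
check_hosts_entry() {
    hosts_file=$1
    fqdn=$2
    status=1
    while read -r addr names; do
        # Skip blank lines and comments, and drop trailing inline comments.
        case "$addr" in '' | '#'*) continue ;; esac
        names=${names%%#*}
        for name in $names; do
            [ "$name" = "$fqdn" ] || continue
            case "$addr" in
                127.* | ::1) status=2 ;;   # loopback only so far; keep looking
                *) return 0 ;;             # a routable address: good enough
            esac
        done
    done < "$hosts_file"
    return "$status"
}

# Demo on a constructed copy of the hosts file shown above (hypothetical file).
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.26.110 server.rhce8.com server
EOF
if check_hosts_entry "$demo_hosts" server.rhce8.com; then
    echo "server.rhce8.com maps to a routable address: OK"
else
    rc=$?
    echo "server.rhce8.com is missing or loopback-only (rc=$rc)"
fi
rm -f "$demo_hosts"
```

Run it against the real file with `check_hosts_entry /etc/hosts "$(hostname -f)"` before starting the installer; a return code of 2 is the classic cause of the installer aborting on the hostname check.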

 

[root@server ~]# yum module install idm:DL1/dns -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
上次元数据过期检查:2:01:11 前,执行于 2019年08月23日 星期五 11时13分29秒。
依赖关系解决。
 软件包     架构         版本                 仓库      大小
Installing group/module packages:
 ipa-server    x86_64       4.7.1-11.module+el8+2842+7481110c     aa       502 k
 ipa-server-dns noarch       4.7.1-11.module+el8+2842+7481110c     aa       177 k
安装依赖关系:
 389-ds-base  x86_64    1.4.0.20-7.module+el8+2750+1f4079fb  aa       1.9 M
...
  redhat-logos-httpd-80.7-1.el8.noarch
  sssd-dbus-2.0.0-43.el8.x86_64
  sssd-tools-2.0.0-43.el8.x86_64

完毕!
[root@server ~]#

2. Configure the IPA server

Change the DNS server to 127.0.0.1:

[root@server ~]# grep DNS1 /etc/sysconfig/network-scripts/ifcfg-ens32
DNS1=127.0.0.1

Restart the network connection so the change takes effect:

[root@server ~]# nmcli connection reload
[root@server ~]# nmcli connection up ens32
连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/24)
[root@server ~]#

Configure the IPA server. The installer is interactive; the answer typed at each prompt is shown after the colon, and <Enter> means the default in brackets was accepted:

[root@server ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.
Version 4.7.1

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  ....

Server host name [server.rhce8.com]: <Enter>

Warning: skipping DNS resolution of host server.rhce8.com
The domain name has been determined based on the host name.

Please confirm the domain name [rhce8.com]: <Enter>

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RHCE8.COM]: <Enter>
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: redhat123
Password (confirm): redhat123

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: redhat123
Password (confirm): redhat123

Checking DNS domain rhce8.com., please wait ...
DNS check for domain rhce8.com. failed: The DNS operation timed out after 30.000250101089478 seconds.
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: <Enter>
Checking DNS domain 26.168.192.in-addr.arpa., please wait ...
Reverse zone 26.168.192.in-addr.arpa. for IP address 192.168.26.110 already exists

The IPA Master Server will be configured with:
Hostname:       server.rhce8.com
IP address(es): 192.168.26.110
Domain name:    rhce8.com
Realm name:     RHCE8.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=RHCE8.COM
Subject base: O=RHCE8.COM
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
.....
  [1/44]: creating directory server instance
  .....
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  ....
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  ....
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  .......
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  .....
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  ....
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
  ....
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  .....
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
This program will set up IPA client.
Version 4.7.1

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: server.rhce8.com
Realm: RHCE8.COM
DNS Domain: rhce8.com
IPA Server: server.rhce8.com
BaseDN: dc=rhce8,dc=com

Configured sudoers in /etc/nsswitch.conf
....
The ipa-client-install command was successful

Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

[root@server ~]#
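The port list in the installer's "Next steps" output, turned into firewalld rules and followed by a check that the TCP services are really listening. This is an added example, not code from the original post: the function names, the assumption that firewalld is the active firewall with the interface in its default zone, and the constructed ss output in the test are mine. The listener check covers the TCP ports; extend the list if you also want to verify the UDP sockets with ss -lun.

```shell
#!/bin/sh
# Added example (not from the original post): turn the installer's port list
# into firewalld rules and check that the TCP services are actually listening.
# Assumes firewalld is the active firewall (RHEL 8 default) and that the
# interface sits in the default zone; function names are my own.

IPA_TCP_PORTS="80 443 389 636 88 464 53"   # HTTP/HTTPS, LDAP/LDAPS, kerberos/kpasswd, DNS
IPA_UDP_PORTS="88 464 53 123"              # kerberos/kpasswd, DNS, NTP

# Emit one --add-port argument per line, e.g. --add-port=389/tcp.
ipa_firewall_port_args() {
    for p in $IPA_TCP_PORTS; do echo "--add-port=${p}/tcp"; done
    for p in $IPA_UDP_PORTS; do echo "--add-port=${p}/udp"; done
}

# Persist the rules and load them into the running firewall.
ipa_firewall_open() {
    # Word splitting of the substitution is intended: one argument per port.
    # shellcheck disable=SC2046
    firewall-cmd --permanent $(ipa_firewall_port_args) && firewall-cmd --reload
}

# Read `ss -Hltn` output on stdin and print the required TCP ports that have
# no LISTEN socket (empty output means every port is served).
ipa_missing_tcp_listeners() {
    # Column 4 is Local Address:Port; take the text after the last colon so
    # both 0.0.0.0:389 and [::]:389 yield 389.
    listening=" $(awk '{ n = split($4, a, ":"); print a[n] }' | sort -u | tr '\n' ' ')"
    missing=""
    for p in $IPA_TCP_PORTS; do
        case "$listening" in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    echo "${missing# }"
}

# Stand-alone run: show the rules, then check this host if ss is available.
ipa_firewall_port_args
if command -v ss >/dev/null 2>&1; then
    missing=$(ss -Hltn 2>/dev/null | ipa_missing_tcp_listeners)
    if [ -z "$missing" ]; then
        echo "all required TCP ports have a listener"
    else
        echo "no listener on TCP port(s): $missing"
    fi
fi
```

Call `ipa_firewall_open` as root once the installer has finished; a port reported by `ipa_missing_tcp_listeners` afterwards points at an IPA service that did not start (check `ipactl status`). On RHEL 8 firewalld also ships predefined services (freeipa-4, dns, ntp) that cover the same ports if you prefer service names to port numbers.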

Enter server.rhce8.com in a browser.

Log in with admin/redhat123:

 
