rhel8上安装配置IDM服务(IPA-server)

本文主要讲的是如何再RHEL8下安装和配置idm服务(网络用户管理 IPA-server)

1.配置系统并安装软件包

编辑/etc/hosts,确保能把主机名解析成IP

[root@server ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.26.110 server.rhce8.com server

[root@server ~]#

 

[root@server ~]# yum module install idm:DL1/dns -y

Updating Subscription Management repositories.

Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

上次元数据过期检查:2:01:11 前,执行于 2019年08月23日 星期五 11时13分29秒。

依赖关系解决。

  •  软件包     架构         版本                 仓库      大小

  • This program will set up the IPA Server.

    Version 4.7.1

     

    This includes:

      * Configure a stand-alone CA (dogtag) for certificate management

      ....

    Server host name [server.rhce8.com]: 回车

     

    Warning: skipping DNS resolution of host server.rhce8.com

    The domain name has been determined based on the host name.

     

    Please confirm the domain name [rhce8.com]: 回车

     

    The kerberos protocol requires a Realm name to be defined.

    This is typically the domain name converted to uppercase.

     

    Please provide a realm name [RHCE8.COM]: 回车

    Certain directory server operations require an administrative user.

    This user is referred to as the Directory Manager and has full access

    to the Directory for system management tasks and will be added to the

    instance of directory server created for IPA.

    The password must be at least 8 characters long.

     

    Directory Manager password: redhat123

    Password (confirm): redhat123

     

    The IPA server requires an administrative user, named 'admin'.

    This user is a regular system account used for IPA server administration.

     

    IPA admin password: redhat123

    Password (confirm): redhat123

     

    Checking DNS domain rhce8.com., please wait ...

    DNS check for domain rhce8.com. failed: The DNS operation timed out after 30.000250101089478 seconds.

    Do you want to configure DNS forwarders? [yes]: no

    No DNS forwarders configured

    Do you want to search for missing reverse zones? [yes]: 回车

    Checking DNS domain 26.168.192.in-addr.arpa., please wait ...

    Reverse zone 26.168.192.in-addr.arpa. for IP address 192.168.26.110 already exists

     

    The IPA Master Server will be configured with:

    Hostname:       server.rhce8.com

    IP address(es): 192.168.26.110

    Domain name:    rhce8.com

    Realm name:     RHCE8.COM

     

    The CA will be configured with:

    Subject DN:   CN=Certificate Authority,O=RHCE8.COM

    Subject base: O=RHCE8.COM

    Chaining:     self-signed

     

    BIND DNS server will be configured to serve IPA domain with:

    Forwarders:       No forwarders

    Forward policy:   only

    Reverse zone(s):  No reverse zone

     

    Continue to configure the system with these values? [no]: yes

     

    The following operations may take some minutes to complete.

    Please wait until the prompt is returned.

     

    Synchronizing time

    .....

      [1/44]: creating directory server instance

      .....

      [44/44]: configuring directory to start on boot

    Done configuring directory server (dirsrv).

    Configuring Kerberos KDC (krb5kdc)

      [1/10]: adding kerberos container to the directory

      ....

      [10/10]: configuring KDC to start on boot

    Done configuring Kerberos KDC (krb5kdc).

    Configuring kadmin

      [1/2]: starting kadmin

      [2/2]: configuring kadmin to start on boot

    Done configuring kadmin.

    Configuring ipa-custodia

      [1/5]: Making sure custodia container exists

      ....

      [5/5]: configuring ipa-custodia to start on boot

    Done configuring ipa-custodia.

    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes

      [1/28]: configuring certificate server instance

      .......

      [28/28]: configuring certmonger renewal for lightweight CAs

    Done configuring certificate server (pki-tomcatd).

    Configuring directory server (dirsrv)

      [1/3]: configuring TLS for DS instance

      [2/3]: adding CA certificate entry

      [3/3]: restarting directory server

    Done configuring directory server (dirsrv).

    Configuring ipa-otpd

      [1/2]: starting ipa-otpd

      [2/2]: configuring ipa-otpd to start on boot

    Done configuring ipa-otpd.

    Configuring the web interface (httpd)

      [1/21]: stopping httpd

      .....

      [21/21]: enabling oddjobd

    Done configuring the web interface (httpd).

    Configuring Kerberos KDC (krb5kdc)

      [1/1]: installing X509 Certificate for PKINIT

    Done configuring Kerberos KDC (krb5kdc).

    Applying LDAP updates

    Upgrading IPA:. Estimated time: 1 minute 30 seconds

      [1/10]: stopping directory server

      ....

      [10/10]: starting directory server

    Done.

    Restarting the KDC

    Configuring DNS (named)

      [1/11]: generating rndc key file

      ....

      [11/11]: changing resolv.conf to point to ourselves

    Done configuring DNS (named).

    Restarting the web server to pick up resolv.conf changes

    Configuring DNS key synchronization service (ipa-dnskeysyncd)

      [1/7]: checking status

      .....

      [7/7]: configuring ipa-dnskeysyncd to start on boot

    Done configuring DNS key synchronization service (ipa-dnskeysyncd).

    Restarting ipa-dnskeysyncd

    Restarting named

    Updating DNS system records

    Configuring client side components

    This program will set up IPA client.

    Version 4.7.1

     

    Using existing certificate '/etc/ipa/ca.crt'.

    Client hostname: server.rhce8.com

    Realm: RHCE8.COM

    DNS Domain: rhce8.com

    IPA Server: server.rhce8.com

    BaseDN: dc=rhce8,dc=com

     

    Configured sudoers in /etc/nsswitch.conf

    ....

    The ipa-client-install command was successful

     

Installing group/module packages:

 ipa-server    x86_64       4.7.1-11.module+el8+2842+7481110c     aa       502 k

 ipa-server-dns noarch       4.7.1-11.module+el8+2842+7481110c     aa       177 k

安装依赖关系:

 389-ds-base  x86_64    1.4.0.20-7.module+el8+2750+1f4079fb  aa       1.9 M

...

redhat-logos-httpd-80.7-1.el8.noarch                                                                              

  sssd-dbus-2.0.0-43.el8.x86_64                                                                                     

  sssd-tools-2.0.0-43.el8.x86_64                                                                                    

 

完毕!

[root@server ~]#

 

配置IPA-server

把DNS修改为127.0.0.1

[root@server ~]# grep DNS1 /etc/sysconfig/network-scripts/ifcfg-ens32

DNS1=127.0.0.1

 

重启网络使之生效:

[root@server ~]# nmcli connection reload

[root@server ~]# nmcli connection up ens32

连接已成功激活(D-Bus 活动路径:/org/freedesktop/NetworkManager/ActiveConnection/24)

[root@server ~]#

配置IPA-server

[root@server ~]# ipa-server-install --setup-dns

 

The log file for this installation can be found in /var/log/ipaserver-install.log

Setup complete

 

Next steps:

1. You must make sure these network ports are open:

TCP Ports:

  * 80, 443: HTTP/HTTPS

  * 389, 636: LDAP/LDAPS

  * 88, 464: kerberos

  * 53: bind

UDP Ports:

  * 88, 464: kerberos

  * 53: bind

  * 123: ntp

 

2. You can now obtain a kerberos ticket using the command: 'kinit admin'

   This ticket will allow you to use the IPA tools (e.g., ipa user-add)

   and the web user interface.

 

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

The ipa-server-install command was successful

[root@server ~]#

在浏览器里输入server.rhce8.com

rhel8上安装配置IDM服务(IPA-server) 

使用admin/redhat123登录:

rhel8上安装配置IDM服务(IPA-server) 

 

相关新闻

发表回复

Please Login to Comment

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

                                                                                                                                    RHCE9学习指南全部更新完成,点击阅读