Summary: this 风哥教程 tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman to explain in detail how the relevant technologies are configured and used.
风哥 tip:
This document describes in detail how to configure and use the FreeIPA identity management system.
Part01 - FreeIPA Installation
1.1 Install the FreeIPA server
$ sudo hostnamectl set-hostname ipa.fgedu.net.cn
# Configure /etc/hosts (the server's own FQDN must resolve to a non-loopback address)
$ echo "192.168.1.10 ipa.fgedu.net.cn ipa" | sudo tee -a /etc/hosts
# Install FreeIPA
$ sudo dnf install -y ipa-server ipa-client
# Configure FreeIPA
$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Server host name [ipa.fgedu.net.cn]:
Please confirm the domain name [fgedu.net.cn]:
Please provide a realm name [EXAMPLE.COM]:
The IPA Master Server will be configured with:
Hostname: ipa.fgedu.net.cn
IP address(es): 192.168.1.10
Domain name: fgedu.net.cn
Realm name: EXAMPLE.COM
Continue to configure the system with these values? [no]: yes
Directory Manager password:
Password (confirm):
IPA admin password:
Password (confirm):
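The hostname and /etc/hosts setup above is where ipa-server-install most often aborts (a non-FQDN name or a name that resolves to 127.0.0.1). The following pre-flight check is an added example, not part of the original tutorial; the function name, the hosts file path argument and the sample hosts entries are assumptions.

```shell
#!/bin/sh
# Pre-flight check for ipa-server-install (added example; hostname, file
# names and sample hosts entries are assumptions, not from the tutorial).
# The installer refuses a host name that is not fully qualified or that
# resolves to a loopback address, so check both before running it.

# ipa_preflight <fqdn> <hosts-file>
# Prints one FAIL line per problem; returns 0 only if every check passes.
ipa_preflight() {
    fqdn=$1
    hostsfile=$2
    rc=0

    # 1. Must be a FQDN (contains a dot) and not a loopback/localdomain name.
    case $fqdn in
        localhost|localhost.localdomain|*.localdomain)
            echo "FAIL: '$fqdn' is a loopback or localdomain name"; rc=1 ;;
        *.*) : ;;
        *)   echo "FAIL: '$fqdn' is not fully qualified"; rc=1 ;;
    esac

    # 2. Kerberos principals are case-sensitive: keep the host name lowercase.
    if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL: '$fqdn' contains uppercase letters"; rc=1
    fi

    # 3. The hosts file must map the FQDN to a non-loopback address
    #    (the "192.168.1.10 ipa.fgedu.net.cn ipa" line from Part01).
    ips=$(grep -v '^[[:space:]]*#' "$hostsfile" |
          awk -v h="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == h) print $1 }')
    if [ -z "$ips" ]; then
        echo "FAIL: no entry for $fqdn in $hostsfile"; rc=1
    fi
    for ip in $ips; do
        case $ip in
            127.*|::1) echo "FAIL: $fqdn maps to loopback address $ip"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample hosts files: a correct entry and a common mistake.
good=$(mktemp); printf '192.168.1.10 ipa.fgedu.net.cn ipa\n' > "$good"
bad=$(mktemp);  printf '127.0.0.1 ipa.fgedu.net.cn ipa\n' > "$bad"
ipa_preflight ipa.fgedu.net.cn "$good" && echo "OK: ready for ipa-server-install"
ipa_preflight ipa.fgedu.net.cn "$bad"  || echo "fix /etc/hosts before installing"
```

On a real server run it as `ipa_preflight "$(hostname -f)" /etc/hosts` before `ipa-server-install`.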
# Configure the firewall
$ sudo firewall-cmd --permanent --add-service=freeipa-ldap
$ sudo firewall-cmd --permanent --add-service=freeipa-ldaps
$ sudo firewall-cmd --permanent --add-service=freeipa-replication
$ sudo firewall-cmd --permanent --add-service=dns
$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload
# Obtain a Kerberos ticket
$ kinit admin
Password for admin@EXAMPLE.COM:
# Verify the installation
$ ipa user-find
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@EXAMPLE.COM
UID: 1230000
GID: 1230000
----------------------------
Number of entries returned 1
----------------------------
Part02 - User Management
2.1 Manage users and groups
$ ipa user-add user1 --first=User --last=One --password
Password:
Enter Password again to verify:
------------------
Added user "user1"
------------------
User login: user1
First name: User
Last name: One
Full name: User One
Display name: User One
Initials: UO
Home directory: /home/user1
GECOS: User One
Login shell: /bin/bash
Principal name: user1@EXAMPLE.COM
Principal alias: user1@EXAMPLE.COM
Email address: user1@fgedu.net.cn
UID: 1230001
GID: 1230001
Password: True
# Create a group
$ ipa group-add developers --desc="Development Team"
------------------------
Added group "developers"
------------------------
Group name: developers
Description: Development Team
GID: 1230002
# Add the user to the group
$ ipa group-add-member developers --users=user1
Group name: developers
Description: Development Team
GID: 1230002
Member users: user1
-------------------------
Number of members added 1
-------------------------
# Show the user
$ ipa user-show user1
User login: user1
First name: User
Last name: One
Home directory: /home/user1
Login shell: /bin/bash
Principal name: user1@EXAMPLE.COM
Email address: user1@fgedu.net.cn
UID: 1230001
GID: 1230001
Account disabled: False
# Modify the user
$ ipa user-mod user1 --shell=/bin/zsh
---------------------
Modified user "user1"
---------------------
User login: user1
First name: User
Last name: One
Home directory: /home/user1
Login shell: /bin/zsh
Principal name: user1@EXAMPLE.COM
Email address: user1@fgedu.net.cn
UID: 1230001
GID: 1230001
Account disabled: False
# Disable the user
$ ipa user-disable user1
-----------------------------
Disabled user account "user1"
-----------------------------
# Enable the user
$ ipa user-enable user1
----------------------------
Enabled user account "user1"
----------------------------
# Delete the user
$ ipa user-del user1
--------------------
Deleted user "user1"
--------------------
Part03 - Client Configuration
3.1 Configure the FreeIPA client
$ sudo dnf install -y ipa-client
# Configure the client (if --password is omitted, ipa-client-install prompts for it interactively, which keeps the admin password out of shell history and the process list)
$ sudo ipa-client-install --domain=fgedu.net.cn --server=ipa.fgedu.net.cn --realm=EXAMPLE.COM --principal=admin --password=AdminPassword
# Verify the configuration
$ id admin
uid=1230000(admin) gid=1230000(admins) groups=1230000(admins)
# Test login
$ ssh user1@localhost
# Configure sudo rules
$ ipa sudorule-add sysadmin --cmdcat=all
$ ipa sudorule-add-user sysadmin --users=user1
# --hosts expects existing host entries by name; "all hosts" is the host category set on the rule itself
$ ipa sudorule-mod sysadmin --hostcat=all
# Configure HBAC rules
$ ipa hbacrule-add webadmin --usercat=all
$ ipa hbacrule-add-service webadmin --hbacsvcs=http
# The host entry webserver.fgedu.net.cn must already exist (it is created in Part04)
$ ipa hbacrule-add-host webadmin --hosts=webserver.fgedu.net.cn
# Show HBAC rules
$ ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
Rule name: webadmin
User category: all
Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
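A rule with "User category: all" such as webadmin above is broad, and FreeIPA also ships a stock allow_all HBAC rule that is enabled by default, so a quick audit of `ipa hbacrule-find --all` output is worth keeping. The script below is an added example, not from the original tutorial: the function name, the sample output and the rule names other than webadmin and allow_all are assumptions.

```shell
#!/bin/sh
# Audit `ipa hbacrule-find --all` output for enabled rules that are too
# broad. Added example, not from the tutorial; it reads the command output
# from stdin so it runs offline against the constructed sample below
# (on a real server: ipa hbacrule-find --all | hbac_audit).

# hbac_audit: one RISK line per finding on stdout; returns 1 if any found.
hbac_audit() {
    awk '
        function flush() {
            if (name == "") return
            if (enabled == "TRUE" && name == "allow_all") {
                print "RISK: default rule allow_all is still enabled"; hits++
            } else if (enabled == "TRUE" && ucat == "all" && hcat == "all") {
                print "RISK: " name " grants every user access on every host"; hits++
            }
            name = ucat = hcat = enabled = ""
        }
        /^ *Rule name:/     { flush(); name = $3 }
        /^ *User category:/ { ucat = $3 }
        /^ *Host category:/ { hcat = $3 }
        /^ *Enabled:/       { enabled = $2 }
        END { flush(); exit (hits > 0) }
    '
}

# Constructed sample: the stock allow_all rule next to the webadmin rule
# from Part03. allow_all should be disabled (ipa hbacrule-disable allow_all)
# once specific rules cover all required access, then verified with ipa hbactest.
SAMPLE='---------------------
2 HBAC rules matched
---------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: TRUE
  Rule name: webadmin
  User category: all
  Enabled: TRUE
  Hosts: webserver.fgedu.net.cn
  Services: http
----------------------------
Number of entries returned 2
----------------------------'

printf '%s\n' "$SAMPLE" | hbac_audit || echo "review the findings above before relying on HBAC"
```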
Part04 - Service Management
4.1 Manage service principals
# Add a service principal (the host entry for webserver.fgedu.net.cn, created below, must exist before this succeeds)
$ ipa service-add HTTP/webserver.fgedu.net.cn
--------------------------------------------------------
Added service "HTTP/webserver.fgedu.net.cn@EXAMPLE.COM"
--------------------------------------------------------
Principal: HTTP/webserver.fgedu.net.cn@EXAMPLE.COM
Managed by: webserver.fgedu.net.cn
# Retrieve the service keytab (each run generates a new key, invalidating keytabs previously retrieved for this principal)
$ ipa-getkeytab -s ipa.fgedu.net.cn -p HTTP/webserver.fgedu.net.cn -k /etc/httpd/conf/http.keytab
# Add the host
$ ipa host-add webserver.fgedu.net.cn --ip-address=192.168.1.20
-----------------------------------
Added host "webserver.fgedu.net.cn"
-----------------------------------
Host name: webserver.fgedu.net.cn
Principal name: host/webserver.fgedu.net.cn@EXAMPLE.COM
IP address: 192.168.1.20
Managed by: webserver.fgedu.net.cn
# Allow user1 to retrieve the keytab of webserver.fgedu.net.cn (SSH login itself is controlled by the HBAC rules)
$ ipa host-allow-create-keytab webserver.fgedu.net.cn --users=user1
# Show services
$ ipa service-find
------------------
2 services matched
------------------
Principal name: HTTP/webserver.fgedu.net.cn@EXAMPLE.COM
Principal name: ldap/ipa.fgedu.net.cn@EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
1. Configure the DNS service
2. Enable HBAC rules
3. Use sudo rules
4. Back up regularly
5. Configure replica servers
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
