path: root/doc/ipa_server.md
blob: ef12b53f4a72f5adb9a6e2a447c333bd65076dfd (plain)
# IPA Server Guide

## Contents
* [Setup Overview](#setup)
* [Configure Network](#network)
* [Installing IPA Server](#ipa-server)
* [Configuring DNS](#dns)
* [Adding Users and Groups](#users-groups)


<a name="setup" />
## Setup Overview
We used a RHEL 6.4 box as the IPA and DNS server. This document borrows
instructions from the following, more detailed guide:
[RHEL 6 Identity Management Guide][]


<a name="network" />
## Configure network

Set the hostname (FQDN) to server.rhelbox.com
> hostname "server.rhelbox.com"

Add the following to the */etc/sysconfig/network* file

    HOSTNAME=server.rhelbox.com

Add the following to the */etc/hosts* file

    192.168.56.110 server.rhelbox.com server
    192.168.56.101 client.rhelbox.com client

Log out, log in again and verify the new hostname
> hostname --fqdn

Turn off the firewall (a lab shortcut; on a real deployment keep the
firewall on and open only the ports that ipa-server-install lists at the
end of its run)
> service iptables stop
>
> chkconfig iptables off


<a name="ipa-server" />
## Installing IPA Server

Install IPA server packages and DNS dependencies
> yum install ipa-server bind bind-dyndb-ldap

Run the following interactive setup to install the IPA server with integrated DNS
> ipa-server-install --setup-dns

    The IPA Master Server will be configured with:
    Hostname:      server.rhelbox.com
    IP address:    192.168.56.110
    Domain name:   rhelbox.com
    Realm name:    RHELBOX.COM

    BIND DNS server will be configured to serve IPA domain with:
    Forwarders:    No forwarders
    Reverse zone:  56.168.192.in-addr.arpa.

The installation may take some time.

Check that IPA is installed correctly:
> kinit admin
>
> ipa user-find admin


<a name="dns" />
## Configuring DNS

Edit */etc/resolv.conf* and add this at the beginning of the file:

    nameserver 192.168.56.110

Warning: NetworkManager changes resolv.conf on restart, so this edit may not
survive a reboot; on RHEL 6 you can make it persistent by setting
DNS1=192.168.56.110 in the interface's ifcfg file instead.

Add a DNS A record and a PTR record for the client under the rhelbox.com zone
> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse

Check that DNS resolution is working by running:

> dig server.rhelbox.com

    ;; ANSWER SECTION:
    server.rhelbox.com. 1200    IN  A   192.168.56.110

> dig client.rhelbox.com

    ;; ANSWER SECTION:
    client.rhelbox.com. 86400   IN  A   192.168.56.101

Check that reverse resolution works:

> dig -t ptr 101.56.168.192.in-addr.arpa.

    ;; ANSWER SECTION:
    101.56.168.192.in-addr.arpa. 86400 IN   PTR client.rhelbox.com.


> dig -t ptr 110.56.168.192.in-addr.arpa.

    ;; ANSWER SECTION:
    110.56.168.192.in-addr.arpa. 86400 IN   PTR server.rhelbox.com.
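The dig commands above check one direction at a time by eye. The script below, added here as an example and not part of the original guide or of IPA itself, parses dig output and verifies that each host's A record and PTR record agree with each other. This matters because MIT Kerberos clients canonicalize service host names through reverse lookups by default, so a stale PTR can make a client ask for a ticket under the wrong principal. The host names and addresses are the ones used in this guide; the *oldclient.rhelbox.com* PTR in the offline demo is a constructed mismatch, and the function names (`parse_rr`, `check_pair`, `check_live`, `demo`) are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the A and PTR
# records the IPA DNS server hands out agree for every host it should know.

# Build the in-addr.arpa name for a dotted IPv4 address,
# e.g. 192.168.56.101 -> 101.56.168.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Print the rdata of the first record of type $1 (A or PTR) found in the
# ANSWER SECTION of dig output read on stdin. Records in the AUTHORITY or
# ADDITIONAL sections are ignored, so a nameserver's own A record is never
# mistaken for the answer when the query actually failed.
parse_rr() {
    awk -v type="$1" '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        in_answer && NF == 0 { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == type { print $5; exit }'
}

# Compare the expected fqdn/ip pair ($1, $2) against the text of a dig A
# query ($3) and a dig PTR query ($4). Prints a verdict on stderr and
# returns 0 only when both directions agree.
check_pair() {
    fqdn=$1; ip=$2
    a_rdata=$(printf '%s\n' "$3" | parse_rr A)
    ptr_rdata=$(printf '%s\n' "$4" | parse_rr PTR)
    status=0
    if [ "$a_rdata" != "$ip" ]; then
        printf 'MISMATCH %s: A record is "%s", expected %s\n' "$fqdn" "$a_rdata" "$ip" >&2
        status=1
    fi
    if [ "$ptr_rdata" != "$fqdn." ]; then
        printf 'MISMATCH %s: PTR for %s is "%s", expected %s.\n' "$fqdn" "$ip" "$ptr_rdata" "$fqdn" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && printf 'OK %s <-> %s\n' "$fqdn" "$ip" >&2
    return "$status"
}

# Live check against the configured resolver (needs dig on the PATH).
check_live() {
    check_pair "$1" "$2" "$(dig "$1" A)" "$(dig -t ptr "$(reverse_name "$2")")"
}

# Offline demo on constructed dig output: the client answer shown in this
# guide plus one deliberately stale PTR. Prints the number of failing pairs.
demo() {
    a_text=$(printf ';; ANSWER SECTION:\nclient.rhelbox.com.\t86400\tIN\tA\t192.168.56.101\n')
    ptr_ok=$(printf ';; ANSWER SECTION:\n101.56.168.192.in-addr.arpa. 86400 IN PTR client.rhelbox.com.\n')
    ptr_stale=$(printf ';; ANSWER SECTION:\n101.56.168.192.in-addr.arpa. 86400 IN PTR oldclient.rhelbox.com.\n')
    mismatches=0
    check_pair client.rhelbox.com 192.168.56.101 "$a_text" "$ptr_ok" || mismatches=$((mismatches + 1))
    check_pair client.rhelbox.com 192.168.56.101 "$a_text" "$ptr_stale" || mismatches=$((mismatches + 1))
    echo "$mismatches"
}

# Run the offline demo by default; pass --live to query the real server
# for the two hosts used in this guide.
if [ "${1:-}" = "--live" ]; then
    check_live server.rhelbox.com 192.168.56.110
    check_live client.rhelbox.com 192.168.56.101
else
    demo >/dev/null
fi
```

Run it without arguments to see the verdicts for the constructed data on stderr (one OK line and one MISMATCH line), or with `--live` on the IPA server once the records above exist. Restricting `parse_rr` to the ANSWER SECTION is deliberate: dig often returns the nameserver's own A record in the ADDITIONAL section even when the queried name does not exist, and a naive grep for "IN A" would report that as a valid answer.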


<a name="users-groups" />
## Adding users and groups

Create *auth_reseller_admin* user group
> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"

Create *auth_rhs_test* user group
> ipa group-add auth_rhs_test --desc="Full access to rhs_test account"

Create user *auth_admin* as a member of the *auth_reseller_admin* user group
> ipa user-add auth_admin --first=Auth --last=Admin --password
>
> ipa group-add-member auth_reseller_admin --users=auth_admin

Create user *rhs_test_admin* as a member of the *auth_rhs_test* user group
> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
>
> ipa group-add-member auth_rhs_test --users=rhs_test_admin

Create user *jsmith* with no relevant group membership (the first and last
name values below are placeholders)
> ipa user-add jsmith --first=John --last=Smith --password

You can verify that the users have been added by running
> ipa user-find admin

This matches the users with *admin* in their name; run ipa user-find with
no argument to list all users.

NOTE: Every user has to change their password on first login.
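Because *auth_reseller_admin* grants full access to all Swift accounts, it is worth checking that it contains exactly the users you intend and nothing more. The script below is an added example, not part of the original guide or of IPA; it reads the "Member users:" line that ipa group-show prints for a group and compares it with an expected member list, reporting unexpected or missing users. The group and user names are the ones created above; the GID in the constructed sample output is made up, and the function names (`members_from_show`, `audit_group`, `audit_live`, `demo`) are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit IPA group membership
# so that the "full access" reseller group holds exactly the intended users.

# Print one member per line from `ipa group-show` output read on stdin.
# Only the "Member users: a, b" line is consulted; a group with no members
# has no such line and therefore yields no output.
members_from_show() {
    awk -F': *' '$1 ~ /^ *Member users$/ { n = split($2, m, /, */); for (i = 1; i <= n; i++) print m[i] }'
}

# audit_group GROUP SHOW_TEXT EXPECTED_USER...
# Compare the members found in SHOW_TEXT (output of `ipa group-show GROUP`)
# with the expected list. Prints a verdict on stderr; returns 0 only when the
# two sets are identical.
audit_group() {
    group=$1; show_text=$2; shift 2
    actual=" $(printf '%s\n' "$show_text" | members_from_show | tr '\n' ' ')"
    expected=" $* "
    status=0
    for u in $actual; do
        case "$expected" in
            *" $u "*) ;;
            *) printf 'UNEXPECTED member %s in %s\n' "$u" "$group" >&2; status=1 ;;
        esac
    done
    for u in "$@"; do
        case "$actual" in
            *" $u "*) ;;
            *) printf 'MISSING member %s in %s\n' "$u" "$group" >&2; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && printf 'OK %s: members are exactly: %s\n' "$group" "$*" >&2
    return "$status"
}

# Live audit on the IPA server (needs a valid Kerberos ticket, e.g. kinit admin).
audit_live() {
    group=$1; shift
    audit_group "$group" "$(ipa group-show "$group")" "$@"
}

# Offline demo on constructed group-show output: the expected state after the
# steps in this guide, plus a sample where jsmith was added by mistake.
# Prints the number of groups that failed the audit.
demo() {
    ok_text=$(printf '  Group name: auth_reseller_admin\n  Description: Full access to all Swift accounts\n  GID: 1234500001\n  Member users: auth_admin\n')
    bad_text=$(printf '  Group name: auth_reseller_admin\n  Description: Full access to all Swift accounts\n  GID: 1234500001\n  Member users: auth_admin, jsmith\n')
    failures=0
    audit_group auth_reseller_admin "$ok_text" auth_admin || failures=$((failures + 1))
    audit_group auth_reseller_admin "$bad_text" auth_admin || failures=$((failures + 1))
    echo "$failures"
}

# Run the offline demo by default; pass --live to audit the two groups
# created in this guide on the real server.
if [ "${1:-}" = "--live" ]; then
    audit_live auth_reseller_admin auth_admin
    audit_live auth_rhs_test rhs_test_admin
else
    demo >/dev/null
fi
```

Run it without arguments to see one OK line and one UNEXPECTED line on stderr for the constructed data, or with `--live` after kinit admin. The comparison is a set comparison in both directions on purpose: an extra member in a privileged group is the classic finding, but a missing one usually means someone worked around the group and granted access another way, which is just as worth a look.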

[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/