FreeIPADirectory and authenticationservices the easy way

Christian Stankowicwww.stankowic-development.net

Free and Open Source softwareConference21.08.2016

whoami

Christian Stankowic

Messer Information Services GmbH

Linux & vSphere administrator

Blogger & book author

2

AGENDA

Agenda

Motivation

Installation

Client integration

Basic administration and examples

4

MOTIVATION

Why central authentication?

User information are stored centrally

No password clutter

Low effort after job cancellation

Reasonable when having more than 2systems

6

7

What is FreeIPA?

free IPA solution by Red Hat

Identify, Policy, Audit

Also known as Red Hat Identity Management(IdM) under RHEL

Comparable to Microsoft AD-DS and NovelleDirectory

8

What is FreeIPA?

Web interface combining:

DNS server (BIND9)Directory server (389ds)Dogtag certificate systemMIT Kerberos for authentication andsingle sign-on (SSO)

9

Features (1/2)

Configuring DNS zones

Maintinung user(group)s, host(group)s

sudo and HBAC (Host Based Access Control)rules

role support (e.g. admins, servicedesk,...)

10

Features (2/2)

AD-DS trusts (version 3+)

Multiple servers/replicas, availability / loadbalancing

2FA (Two-factor-authentication) + OTP(One-time password)

multiple APIs (XML/JSONRPC, Python,...)

11

INSTALLATION

System requirements

at least 2 CPUs

1 GB+ memory

10 GB+ hard drive

Linux distributions:FedoraEnterprise Linux (RHEL, CentOS, SL)Debian Sid / Ubuntu 16.04

13

Network requirements

IPv6 should be disabled

Time using ntpd (no chronyd)

Open ports:

80, 443, 8080 (tcp, web server)389, 636 (tcp, ldap/ldaps)88, 464 (tcp/udp, Kerberos)123 (udp, NTP)

14

Installation (1/3)

1 # yum install ipa-server{,-trust-ad}

2 # ipa-server-install

3 ...

4 Do you want to configure integrated DNS (BIND)? [

no]: yes

5 Server host name [st-ipa.stankowic.loc]:

6 Please confirm the domain name [stankowic.loc]:

7 Please provide a realm name [STANKOWIC.LOC]:

Listing 1: Package installation, configuring DNS andRealm

15

Installation (2/3)

1 Directory Manager password:

2 Password (confirm):

3 IPA admin password:

4 Password (confirm):

5 ...

6 Do you want to configure the reverse zone? [yes]:

7 Please specify the reverse zone name [1.22.10.in-

addr.arpa.]:

8 Using reverse zone(s) 1.22.10.in-addr.arpa.

Listing 2: Passwords and Reverse Zones

16

Installation (3/3)

1 The IPA Master Server will be configured with:

2 Hostname: st-ipa.stankowic.loc

3 IP address(es): 10.22.1.3

4 Domain name: stankowic.loc

5 Realm name: STANKOWIC.LOC

6 BIND DNS server will be configured to serve IPA

domain with:

7 Forwarders: 10.22.1.1, 10.22.0.2

8 Reverse zone(s): 1.22.10.in-addr.arpa.

9 Continue to configure the system with these

values? [no]: yes

Listing 3: Summary 17

18

INTEGRATION

Client requirements

freeipa-client registers and configures:KerberosLDAP clientSSSD

Linux distributions:FedoraEnterprise Linux (RHEL, CentOS, SL)Debian Sid / Ubuntu 16.04

20

Excursus: SSSD

System Security Services Daemon

Central authentication, local credentialscache

Integration into LDAP, IPA, AD-DS,Kerberos,...

Offers PAM and NSSmodules

21

Client integration (1/4)

Install freeipa-client package

FreeIPA DNS set? (NS, SRV records)

Valid hostname configured?

Run ipa-client-install:

--mkhomedir - create home folders--uninstall - unregisters host--domain - manually specify domain

22

Client integration (2/4)

1 # yum install -y ipa-client

2 # hostnamectl set-hostname giertz.stankowic.loc

3 # ipa-client-install --mkhomedir

4 Discovery was successful!

5 Hostname: giertz.stankowic.loc

6 Realm: STANKOWIC.LOC

7 DNS Domain: stankowic.loc

8 IPA Server: st-ipa.stankowic.loc

9 BaseDN: dc=stankowic,dc=loc

10 Continue to configure the system with these

values? [no]: yes

Listing 4: Integrating a client 23

Client integration (3/4)

1 User authorized to enrole computers: cstan

2 Synchronizing time with KDC...

3 Password for cstan@STANKOWIC.LOC:

4 Successfully retrieved CA cert

5 ...

6 Configured /etc/openldap/ldap.conf

7 Configured /etc/ssh/sshd_config

8 Client configuration complete.

Listing 5: Integrating a client

24

Client integration (4/4)

1 # kinit cstan

2 Password for cstan@STANKOWIC.LOC:

3 # klist

4 Ticket cache: KEYRING:persistent:35800001:

krb_ccache_xTeMlYY

5 Default principal: cstan@STANKOWIC.LOC

6

7 Valid starting Expires Service principal

8 14.07.2016 23:03:25 15.07.2016 23:03:25 krbtgt/

STANKOWIC.LOC@STANKOWIC.LOC

9 # ssh st-ipa.stankowic.loc

Listing 6: Tests after integration 25

ADMINISTRATION

User(group)s

Defining typical user information

LDAP schema can be extended

Users can be grouped

Example: all DB admins, all FTP users,...

27

28

Host(group)s

Hosts can be part of groups

Example: all web servers, all DB servers,...

Hostgroups can be used in sudo and HBACrules

Always use hosts groups instead of hosts!

29

30

HBAC rules

Controls which user(group)s can accesswhich hostgroups using which service

Example: add DB admins on all DB serversusing SSH

Definitely remove default rule allow_all!

No replacement for firewall rules!

31

32

Sudo rules

Controlling commands and commandgroups

Defining:

User(group)sHost(group)sCommands/command groupsAlternate identities

33

34

Excursus: ipa-sudo-basic-rules (1/2)

Group of common administrationcommands (currently 250)

Automatically creates sudo commands andcommand groups

Python script, deploy’n’play

Download at github.com/stdevel/freeipa-stuff

35

Excursus: ipa-sudo-basic-rules (2/2)

1 $ ./ipa-sudo-basic-rules.py -i

2 INFO:ipa-sudo-basic-rules.py:This definition has

version 0.1.9 and consists of 33 command groups

and 255 commands.

3

4 $ ./ipa-sudo-basic-rules.py -n

5 INFO:ipa-sudo-basic-rules.py:I’d like to execute

the following command: ipa sudocmdgroup-add

firewall --desc=’Managing firewall configuration’

6 ...

Listing 7: Simulating catalog installation36

QUESTIONS?

Links

FreeIPA website: freeipa.org

Deployment Recommendations

Quickstart Guide

Active Directory trust setup

freeipa-stuff repository on GitHub

38

Thanks for your attention!

http://www.stankowic-development.net

39