Commit 87fc8acd authored by Louis Abel's avatar Louis Abel

EL8 changes

parent 4f1bdb4d
Pipeline #60249388 (#112) passed with stages
in 1 minute and 32 seconds
......@@ -2,9 +2,9 @@ FreeIPA
^^^^^^^
.. meta::
:description: How to install/configure FreeIPA on CentOS 7 with replicas, configuring clients for FreeIPA, policies (eg sudo), and host based access control methods.
:description: How to install/configure FreeIPA on CentOS 7/8 with replicas, configuring clients for FreeIPA, policies (eg sudo), and host based access control methods.
This tutorial goes over how to install and configure FreeIPA on CentOS 7 (and later 8) servers with replicas, as well as configuring client machines to connect and utilize FreeIPA resources, policies (eg sudo), and host based access control methods. We will also go over a scenario of configuring a trust with an Active Directory domain. The client setup will work for Fedora users as the packages are the same, just newer versions.
This tutorial goes over how to install and configure FreeIPA on CentOS 7 or 8 servers with replicas, as well as configuring client machines to connect and utilize FreeIPA resources, policies (eg sudo), and host based access control methods. We will also go over a scenario of configuring a trust with an Active Directory domain. The client setup will work for Fedora users as the packages are the same, just newer versions.
.. contents::
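Review bot: the description and intro now say "CentOS 7/8", but the install commands added further down are labelled "# RHEL 7" and "# RHEL 8"; pick one product name (or say "CentOS/RHEL 7 or 8" once) so readers on CentOS do not wonder whether the `yum module` steps apply to them. While touching these two sentences, "eg sudo" reads better as "e.g. sudo" and "host based access control" as "host-based access control".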
......@@ -119,7 +119,12 @@ To install the server, make sure the hostname is set to the A records and NS del
10.200.0.230 server1.ipa.example.com
10.200.0.231 server2.ipa.example.com
# RHEL 7
% yum install ipa-server ipa-server-dns ipa-client sssd sssd-ipa -y
# RHEL 8
% yum module enable idm:DL1
% yum module install idm:DL1/{dns,adtrust,client,server}
# Setup
% firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns}
% firewall-cmd --complete-reload
% ipa-server-install --no_hbac_allow \
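Review bot: the new RHEL 8 lines are inconsistent with the RHEL 7 line just above them in two ways. The RHEL 7 install has `-y` while `yum module enable idm:DL1` and `yum module install idm:DL1/{dns,adtrust,client,server}` do not, so the RHEL 8 path will stop at interactive prompts; and the RHEL 8 path pulls in the `adtrust` profile while the RHEL 7 path omits `ipa-server-trust-ad` (the other page's hunk does install it), so one of the two platforms ends up without the trust packages the AD section later relies on. Also, in the unchanged context, `firewall-cmd --complete-reload` tears down connection-tracking state and drops established sessions; after `--permanent --add-service=...`, plain `firewall-cmd --reload` is enough to activate the rules.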
......@@ -274,10 +279,10 @@ In some cases, it is a requirement to disable *all* anonymous binds. If this is
Client Setup
------------
RHEL 7
RHEL 8
++++++
RHEL 6
RHEL 7
++++++
Mac Clients
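Review bot: this hunk only renames the headings (RHEL 7 to RHEL 8, RHEL 6 to RHEL 7) and shows no change to the bodies beneath them, so unless the package and `ipa-client-install` steps under each heading were updated elsewhere, the former RHEL 6 client instructions now sit under a "RHEL 7" heading and the former RHEL 7 instructions under "RHEL 8". Please confirm each section body matches its new label, or delete the RHEL 6 section and add a fresh RHEL 8 one rather than relabelling.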
......
......@@ -39,15 +39,17 @@ Installing FreeIPA/Red Hat IdM with replicas for growth and scale
+-------------------------+---------------+
| Server Name | IP Address |
+=========================+===============+
| ipa01.example.com | 192.168.15.2 |
| idm1.example.com | 192.168.15.2 |
+-------------------------+---------------+
| ipa02.example.com | 192.168.15.3 |
| idm2.example.com | 192.168.15.3 |
+-------------------------+---------------+
.. note::
IPA Servers should either have a DHCP reservation or a static address. In the even that you have either, DNS should always be pointing at 127.0.0.1, especially if your replica serves DNS. Both of our replicas serve DNS, so loopback is sufficient for our name server.
In later versions of FreeIPA, there is support to force network manager to ensure resolv.conf is loopback without the need to set it by hand with nmcli.
.. code-block:: shell
# Set a static address - It's important for your IdM servers
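Review bot: the added note has a typo, "In the even that" should be "In the event that", and the sentence as a whole is hard to follow (it says DNS should point at 127.0.0.1 "if you have either" of a reservation or a static address; the loopback advice applies regardless). The new line about NetworkManager support for keeping resolv.conf on loopback should name the FreeIPA version that introduced it, otherwise readers cannot tell whether they still need the manual `nmcli` step. With the hosts renamed to `idm1.example.com` / `idm2.example.com`, check that every later example, zone file and `ipa-replica-install` invocation on the page uses the new names.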
......@@ -65,6 +67,11 @@ Installing FreeIPA/Red Hat IdM with replicas for growth and scale
.. code-block:: shell
# Examples of using ipa-server-install
# RHEL 7
% yum install ipa-server ipa-server-dns ipa-server-trust-ad
# RHEL 8
% yum module enable idm:DL1
% yum module install idm:DL1/{server,dns,adtrust,client}
% ipa-server-install
% ipa-server-install --domain example.com --realm EXAMPLE.COM \
--reverse-zone=15.168.192.in-addr.arpa. \
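Review bot: the block's leading comment still reads "# Examples of using ipa-server-install" but the hunk adds package installation commands before the installer examples; update the comment or split the install lines into their own block. The RHEL 7 package set here (`ipa-server ipa-server-dns ipa-server-trust-ad`) also differs from the one in the other page of this commit (`ipa-server ipa-server-dns ipa-client sssd sssd-ipa`), and the RHEL 8 profile order `{server,dns,adtrust,client}` differs from `{dns,adtrust,client,server}` there; harmless to yum, but worth aligning so the two tutorials do not appear to recommend different baselines.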
......@@ -285,10 +292,7 @@ Below are two ways to create a bind account (bind DN). The first way is the LDAP
% kinit admin
% ldapadd -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
. . .
dn: uid=binder,cn=sysaccounts,cn=etc,dc=example,dc=com
objectclass: account
objectclass: simplesecurityobject
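Review bot: if the four SASL lines are being collapsed into `. . .`, consider keeping `SASL SSF: 256` (or a short sentence saying the GSSAPI bind negotiates a security layer), since that output is what lets a reader confirm the `ldapadd` session carrying the new bind account's password attribute is encrypted rather than sent in the clear over port 389.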
......