FreeIPA High-Availability Deployment
FreeIPA is an integrated security information management solution. A FreeIPA server stores the data about users, groups, hosts and other objects that is needed to manage security in a computer network, and provides centralized authentication, authorization and account information. It combines Linux, Directory Server, MIT Kerberos, NTP, DNS and Dogtag (the certificate system), and consists of a web interface and command-line administration tools. It is similar to an AD domain on Windows.
1. Machine plan
OS version: CentOS 7.6
| Host | IP | Role | FQDN |
|---|---|---|---|
| ipa1 | 172.66.31.50 | master | ipa1.dc.losinx.com |
| ipa2 | 172.66.31.51 | master | ipa2.dc.losinx.com |
2. Environment preparation
2.1 Check system information
```
# distribution release
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# kernel
[root@localhost ~]# uname -r
3.10.0-957.el7.x86_64
```
2.2 Set the hostnames
Each server needs a fully qualified hostname that matches its DNS name.
```
# ipa1
[root@localhost ~]# hostnamectl set-hostname ipa1.dc.losinx.com
[root@localhost ~]# hostname
ipa1.dc.losinx.com
# ipa2
[root@localhost ~]# hostnamectl set-hostname ipa2.dc.losinx.com
[root@localhost ~]# hostname
ipa2.dc.losinx.com
```
2.3 Configure /etc/hosts
```
cat /etc/hosts
172.66.31.50 ipa1.dc.losinx.com
172.66.31.51 ipa2.dc.losinx.com
```
2.4 Configure DNS resolution
FreeIPA depends heavily on DNS. My domain is hosted on Alibaba Cloud, so I created the records directly in Alibaba Cloud DNS, resolving each name to its IP:
```
ipa1.dc.losinx.com 172.66.31.50
ipa2.dc.losinx.com 172.66.31.51
```
Note: FreeIPA ships an optional integrated DNS service. I use Alibaba Cloud DNS instead, so installing and configuring the integrated DNS is not covered here.
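As an added example (not part of the original post), this pre-flight check verifies the hostname and /etc/hosts rules that steps 2.2 to 2.4 rely on before ipa-server-install is run; the function name and the sample hosts files are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# hostname and /etc/hosts rules that steps 2.2 to 2.4 rely on.
# The sample hosts files below are constructed for a stand-alone run.

# ipa_preflight_hosts FQDN IP HOSTS_FILE
# Returns 0 when FQDN contains a domain part, HOSTS_FILE has a line mapping
# IP to FQDN, and FQDN is not also mapped to a loopback address (which would
# make the IPA server advertise itself as localhost).
ipa_preflight_hosts() {
    fqdn=$1; ip=$2; hosts=$3
    case $fqdn in
        *.*) ;;
        *) echo "'$fqdn' is not a fully qualified hostname" >&2; return 1 ;;
    esac
    # strip comments, then match IP and FQDN as whole fields of one line
    if ! sed 's/#.*//' "$hosts" | awk -v ip="$ip" -v h="$fqdn" \
        'BEGIN { ok = 0 } $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 } END { exit !ok }'
    then
        echo "$hosts has no line mapping $ip to $fqdn" >&2; return 1
    fi
    if sed 's/#.*//' "$hosts" | awk -v h="$fqdn" \
        'BEGIN { bad = 0 } $1 == "127.0.0.1" || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == h) bad = 1 } END { exit !bad }'
    then
        echo "$fqdn is mapped to a loopback address in $hosts" >&2; return 1
    fi
    return 0
}

# Constructed samples: a correct file and one that also maps ipa1 to loopback
good=$(mktemp); bad=$(mktemp)
printf '127.0.0.1 localhost\n172.66.31.50 ipa1.dc.losinx.com ipa1\n172.66.31.51 ipa2.dc.losinx.com\n' > "$good"
printf '127.0.0.1 localhost ipa1.dc.losinx.com\n172.66.31.50 ipa1.dc.losinx.com\n' > "$bad"
ipa_preflight_hosts ipa1.dc.losinx.com 172.66.31.50 "$good" && echo "good file passes"
ipa_preflight_hosts ipa1.dc.losinx.com 172.66.31.50 "$bad" || echo "bad file rejected"
rm -f "$good" "$bad"
```

On a real node, call it as `ipa_preflight_hosts "$(hostname)" <server IP> /etc/hosts`.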
2.5 Configure the yum repository (optional)
```
[root@ipa1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@ipa1 ~]# yum clean all   # clear all yum caches
[root@ipa1 ~]# yum makecache   # rebuild the yum cache
```
2.6 Upgrade the kernel
Whether to upgrade depends on your situation. I upgraded because the kernel shipped with this release is fairly old and the installation ran into problems on it.
```
# If you do upgrade, do it on both machines and reboot afterwards
# (yum update upgrades all packages, the kernel included)
[root@ipa1 ~]# yum update
[root@ipa1 ~]# uname -r
3.10.0-1127.18.2.el7.x86_64
```
Note: without the upgrade, the stock kernel may cause FreeIPA 4.6.6 to fail later at the certificate generation step with an error like the following:
```
2020-08-05T09:50:36Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
2020-08-05T09:50:36Z ERROR Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
```
2.7 Firewall
```
systemctl disable firewalld
systemctl stop firewalld
```
If you prefer to keep the firewall running, allow the services used in the following steps instead of disabling it:
```
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd}
firewall-cmd --reload
```
3. Install the server
- Install the ipa-server package
```
[root@ipa1 ~]# yum install ipa-server -y
```
- Run the installer
```
[root@ipa1 ~]# ipa-server-install --domain=dc.losinx.com --realm=DC.LOSINX.COM
...
Do you want to configure integrated DNS (BIND)? [no]: no   # whether to install the DNS service
...
Server host name [ipa1.dc.losinx.com]:   # the hostname set earlier; accept the default
...
Directory Manager password: 12345678   # password for the directory service administrator
Password (confirm): 12345678   # confirm the password
...
IPA admin password: 12345678   # password for the IPA web UI admin account
Password (confirm): 12345678   # confirm the password
...
Continue to configure the system with these values? [no]: yes   # confirm the configuration
...
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.VBLPLU.db
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```
The output above means the installation succeeded.
- Check the service status
```
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
- Obtain a Kerberos ticket
```
[root@ipa1 ~]# kinit admin
Password for admin@DC.LOSINX.COM:   # the admin password set above
```
- Check the ticket
```
[root@ipa1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DC.LOSINX.COM

Valid starting       Expires              Service principal
08/05/2020 18:39:40  08/06/2020 18:39:35  krbtgt/DC.LOSINX.COM@DC.LOSINX.COM
```
- Access the web UI
Open the server name directly in a browser. The browser will warn about the certificate because it does not yet trust the IPA CA; you can ignore the warning and continue, or import the IPA CA certificate into the browser so that the warning goes away.
```
https://ipa1.dc.losinx.com
```
4. Replica server
4.1 Install the FreeIPA client
```
[root@ipa2 ~]# yum install freeipa-client -y
```
4.2 Run the client installer
```
[root@ipa2 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): dc.losinx.com
Provide your IPA server name (ex: ipa.example.com): ipa1.dc.losinx.com   # FQDN of the ipa1 node
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes   # do not use DNS discovery
Client hostname: ipa2.dc.losinx.com
Realm: DC.LOSINX.COM
DNS Domain: dc.losinx.com
IPA Server: ipa1.dc.losinx.com
BaseDN: dc=dc,dc=losinx,dc=com

Continue to configure the system with these values? [no]: yes   # confirm the configuration
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
User authorized to enroll computers: admin   # username
Password for admin@DC.LOSINX.COM:   # password
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DC.LOSINX.COM
    Issuer:      CN=Certificate Authority,O=DC.LOSINX.COM
    Valid From:  2020-08-06 01:15:31
    Valid Until: 2040-08-06 01:15:31

Enrolled in IPA realm DC.LOSINX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DC.LOSINX.COM
trying https://ipa1.dc.losinx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.dc.losinx.com/ipa/json'
trying https://ipa1.dc.losinx.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dc.losinx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful   # installation complete
```
4.3 Install the FreeIPA replica
- Install the server components
```
[root@ipa2 ~]# yum install ipa-server -y
```
- Run the replica installer
```
[root@ipa2 ~]# ipa-replica-install
Password for admin@DC.LOSINX.COM:   # enter the admin password
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configure password logging
  [11/42]: configuring replication version plugin
  [12/42]: enabling IPA enrollment plugin
  [13/42]: configuring uniqueness plugin
  [14/42]: configuring uuid plugin
  [15/42]: configuring modrdn plugin
  [16/42]: configuring DNS plugin
  [17/42]: enabling entryUSN plugin
  [18/42]: configuring lockout plugin
  [19/42]: configuring topology plugin
  [20/42]: creating indices
  [21/42]: enabling referential integrity plugin
  [22/42]: configuring certmap.conf
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: creating DS keytab
  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [30/42]: prevent time skew after initial replication
  [31/42]: adding sasl mappings to the directory
  [32/42]: updating schema
  [33/42]: setting Auto Member configuration
  [34/42]: enabling S4U2Proxy delegation
  [35/42]: initializing group membership
  [36/42]: adding master entry
  [37/42]: initializing domain level
  [38/42]: configuring Posix uid/gid generation
  [39/42]: adding replication acis
  [40/42]: activating sidgen plugin
  [41/42]: activating extdom plugin
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
WARNING: The CA service is only installed on one server (ipa1.dc.losinx.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
```
The replica is now installed. The last lines show that the CA service exists only on ipa1, so, as the installer suggests, we run ipa-ca-install on ipa2 to replicate the CA as well. Without it, certificate issuance and renewal would stop if ipa1 went down.
- Replicate the CA service
```
[root@ipa2 ~]# ipa-ca-install
Directory Manager (existing master) password:   # the Directory Manager password set earlier
Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/27]: creating certificate server db
  [2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/27]: creating ACIs for admin
  [4/27]: creating installation admin user
  [5/27]: configuring certificate server instance
  [6/27]: reindex attributes
  [7/27]: exporting Dogtag certificate store pin
  [8/27]: stopping certificate server instance to update CS.cfg
  [9/27]: backing up CS.cfg
  [10/27]: disabling nonces
  [11/27]: set up CRL publishing
  [12/27]: enable PKIX certificate path discovery and validation
  [13/27]: destroying installation admin user
  [14/27]: starting certificate server instance
  [15/27]: Finalize replication settings
  [16/27]: setting audit signing renewal to 2 years
  [17/27]: restarting certificate server
  [18/27]: authorizing RA to modify profiles
  [19/27]: authorizing RA to manage lightweight CAs
  [20/27]: Ensure lightweight CAs container exists
  [21/27]: configure certificate renewals
  [22/27]: configure Server-Cert certificate renewal
  [23/27]: Configure HTTP to proxy connections
  [24/27]: restarting certificate server
  [25/27]: updating IPA configuration
  [26/27]: enabling CA instance
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
```
- Check the status
```
# ipa2
[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
# ipa1
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
```
Both machines now report the same set of services, all running.
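As an added example (not part of the original post), the following functions check `ipactl status` output the way the comparison above does by hand: every service must be RUNNING, and the replica must run the same service set as the master, which catches a replica where ipa-ca-install was never run. The function names and sample reports are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): health checks over `ipactl status`
# output, so both nodes can be compared after ipa-replica-install and
# ipa-ca-install. The reports below are constructed from the output shown above;
# on a real node feed the functions "$(ipactl status)" instead.

# ipa_services_down REPORT: print every service not RUNNING, return 1 if any
ipa_services_down() {
    printf '%s\n' "$1" | awk -F': ' 'BEGIN { down = 0 }
        / Service: / { sub(/ Service$/, "", $1); if ($2 != "RUNNING") { print $1; down = 1 } }
        END { exit down }'
}

# ipa_service_names REPORT: sorted list of the service names in a report
ipa_service_names() {
    printf '%s\n' "$1" | awk -F': ' '/ Service: / { sub(/ Service$/, "", $1); print $1 }' | sort
}

# ipa_replica_matches MASTER_REPORT REPLICA_REPORT
# Returns 0 only when both nodes run the same set of services and all are
# RUNNING; a replica without pki-tomcatd means ipa-ca-install was not run.
ipa_replica_matches() {
    if [ "$(ipa_service_names "$1")" != "$(ipa_service_names "$2")" ]; then
        echo "service sets differ between master and replica" >&2
        return 1
    fi
    ipa_services_down "$1" >/dev/null && ipa_services_down "$2" >/dev/null
}

# Constructed sample reports
ok_report='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful'
no_ca_report=$(printf '%s\n' "$ok_report" | grep -v '^pki-tomcatd')
stopped_report=$(printf '%s\n' "$ok_report" | sed 's/^httpd Service: RUNNING/httpd Service: STOPPED/')

ipa_replica_matches "$ok_report" "$ok_report" && echo "ipa1 and ipa2 match, all services running"
ipa_replica_matches "$ok_report" "$no_ca_report" || echo "replica is missing a service (CA not replicated?)"
ipa_services_down "$stopped_report" || echo "at least one service is down"
```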
5. Summary
The FreeIPA installation brings up a set of core services, mainly Kerberos, LDAP and NTP:
1. Authentication (AuthN): FreeIPA integrates Kerberos and SSSD to manage authentication for CentOS servers.
2. Authorization (AuthZ): FreeIPA integrates Kerberos and SSSD to manage authorization for CentOS servers.
3. CA: FreeIPA integrates Dogtag to manage the organization's certificates.
4. NTP: FreeIPA integrates chronyd for time synchronization.
5. LDAP: FreeIPA integrates 389 Directory Server to centrally manage usernames and passwords and to integrate with other subsystems.
- Uninstall
```
# run on ipa1
[root@ipa1 ~]# ipa-replica-manage del ipa2.dc.losinx.com
[root@ipa1 ~]# ipa-server-install --uninstall
# run on ipa2
[root@ipa2 ~]# ipa-server-install --uninstall
```
- Access
FreeIPA replication is multi-master: both servers are masters, and each sends its changes to the other.
Note: once the deployment is complete you can log in to either address to view and change the configuration.
ipa1.dc.losinx.com
ipa2.dc.losinx.com
