
CentOS 7 FreeIPA High-Availability Deployment

  FreeIPA is an integrated security information management solution. A FreeIPA server provides centralized authentication, authorization and account information by storing and managing the data about users, groups, hosts and other objects that a computer network needs for its security. It combines Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (the certificate system), and consists of a web interface and command-line management tools. It is comparable to an AD domain on Windows.

1. Machine planning

OS version: CentOS 7.6

Host   IP            Role               Domain name
ipa1   10.66.31.50   first IPA server   ipa1.dc.losinx.com
ipa2   10.66.31.51   replica            ipa2.dc.losinx.com

2. Environment preparation

2.1 Check system information
# distribution release
[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
# kernel version
[root@localhost ~]# uname -r
3.10.0-957.el7.x86_64
2.2 Set the hostname
# ipa1
[root@localhost ~]# hostnamectl set-hostname ipa1.dc.losinx.com
[root@localhost ~]# hostname
ipa1.dc.losinx.com

# ipa2
[root@localhost ~]# hostnamectl set-hostname ipa2.dc.losinx.com
[root@localhost ~]# hostname
ipa2.dc.losinx.com

2.3 Configure /etc/hosts resolution
cat /etc/hosts
10.66.31.50 ipa1.dc.losinx.com
10.66.31.51 ipa2.dc.losinx.com

2.4 Configure DNS resolution
 FreeIPA depends heavily on DNS. The domain used here is hosted at Alibaba Cloud, so the records were created directly in Alibaba Cloud DNS, simply mapping each hostname to its IP address. Only these A records are created; the SRV records FreeIPA uses for service discovery are not, which is why the client installation below has to fall back to fixed server values.
 ipa1.dc.losinx.com  10.66.31.50
 ipa2.dc.losinx.com  10.66.31.51
 
 # Note: FreeIPA includes an integrated DNS service that can optionally be installed. Alibaba Cloud DNS is used here instead, so installing and configuring the integrated DNS is not covered.
2.5 Configure yum repositories (optional)
[root@ipa1 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@ipa1 ~]# yum clean all	# clear all yum caches
[root@ipa1 ~]# yum makecache	# rebuild the yum cache
2.6 Upgrade the kernel

Whether to upgrade the kernel depends on your situation. I upgraded because the kernel shipped with this release is fairly old and the installation ran into problems with it.

# If you choose to upgrade, do it on both machines and reboot afterwards
[root@ipa1 ~]# yum update
[root@ipa1 ~]# uname -r
3.10.0-1127.18.2.el7.x86_64

# Note: without the kernel upgrade, the stock kernel may produce an error like the following when FreeIPA 4.6.6 generates certificates later in the installation
"""
2020-08-05T09:50:36Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
2020-08-05T09:50:36Z ERROR Command '/usr/bin/certutil -d dbm:/etc/dirsrv/slapd-DC-LOSINX-COM/ -O --simple-self-signed -n DC.LOSINX.COM IPA CA -f /etc/dirsrv/slapd-DC-LOSINX-COM/pwdfile.txt' returned non-zero exit status 1
"""
2.7 Firewall
systemctl disable firewalld
systemctl stop firewalld

# If you prefer to keep the firewall enabled, allow the services used below instead
"""
firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd}
firewall-cmd --reload
"""

3. Install the server

  • Install the ipa-server package
[root@ipa1 ~]# yum install ipa-server -y
  • Run the installer
[root@ipa1 ~]# ipa-server-install --domain=dc.losinx.com --realm=DC.LOSINX.COM
........
Do you want to configure integrated DNS (BIND)? [no]: no # whether to install the DNS service

........
Server host name [ipa1.dc.losinx.com]:   # the hostname set earlier; accept the default

.........
Directory Manager password: 12345678  # password for the Directory Manager account
Password (confirm): 12345678 # confirm the password

.........
IPA admin password: 12345678 # login password for the IPA admin (web UI)
Password (confirm): 12345678 # confirm the password

.........
Continue to configure the system with these values? [no]: yes # confirm the configuration

.........
The ipa-client-install command was successful 

Please add records in this file to your DNS system: /tmp/ipa.system.records.VBLPLU.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
# The output above means the installation succeeded
  • Check service status
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
  • Obtain a Kerberos ticket
[root@ipa1 ~]# kinit admin
Password for admin@DC.LOSINX.COM:  # the admin password set above
  • View the ticket
[root@ipa1 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@DC.LOSINX.COM

Valid starting       Expires              Service principal
08/05/2020 18:39:40  08/06/2020 18:39:35  krbtgt/DC.LOSINX.COM@DC.LOSINX.COM

  • Access
# Browse to the hostname directly; the browser does not trust the IPA CA yet, so accept the certificate warning and continue
https://ipa1.dc.losinx.com

4. Replica server

4.1 Install the FreeIPA client
[root@ipa2 ~]# yum install freeipa-client -y
4.2 Run the client installer
[root@ipa2 ~]# ipa-client-install
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): dc.losinx.com # IPA domain
Provide your IPA server name (ex: ipa.example.com): ipa1.dc.losinx.com # hostname of node ipa1
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes  # no DNS discovery
Client hostname: ipa2.dc.losinx.com
Realm: DC.LOSINX.COM
DNS Domain: dc.losinx.com
IPA Server: ipa1.dc.losinx.com
BaseDN: dc=dc,dc=losinx,dc=com

Continue to configure the system with these values? [no]: yes # confirm the configuration
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
User authorized to enroll computers: admin  # user name
Password for admin@DC.LOSINX.COM: 			# password
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DC.LOSINX.COM
    Issuer:      CN=Certificate Authority,O=DC.LOSINX.COM
    Valid From:  2020-08-06 01:15:31
    Valid Until: 2040-08-06 01:15:31

Enrolled in IPA realm DC.LOSINX.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DC.LOSINX.COM
trying https://ipa1.dc.losinx.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.dc.losinx.com/ipa/json'
trying https://ipa1.dc.losinx.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa1.dc.losinx.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
No SRV records of NTP servers found. IPA server address will be used
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring dc.losinx.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful  # installation finished
4.3 Install the FreeIPA replica
  • Install the server components
[root@ipa2 ~]# yum install ipa-server -y
  • Run the replica installer
[root@ipa2 ~]# ipa-replica-install
Password for admin@DC.LOSINX.COM:  # enter the admin password
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configure password logging
  [11/42]: configuring replication version plugin
  [12/42]: enabling IPA enrollment plugin
  [13/42]: configuring uniqueness plugin
  [14/42]: configuring uuid plugin
  [15/42]: configuring modrdn plugin
  [16/42]: configuring DNS plugin
  [17/42]: enabling entryUSN plugin
  [18/42]: configuring lockout plugin
  [19/42]: configuring topology plugin
  [20/42]: creating indices
  [21/42]: enabling referential integrity plugin
  [22/42]: configuring certmap.conf
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: creating DS keytab
  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [30/42]: prevent time skew after initial replication
  [31/42]: adding sasl mappings to the directory
  [32/42]: updating schema
  [33/42]: setting Auto Member configuration
  [34/42]: enabling S4U2Proxy delegation
  [35/42]: initializing group membership
  [36/42]: adding master entry
  [37/42]: initializing domain level
  [38/42]: configuring Posix uid/gid generation
  [39/42]: adding replication acis
  [40/42]: activating sidgen plugin
  [41/42]: activating extdom plugin
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: disabling mod_nss OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: importing CA certificates from LDAP
  [15/22]: publish CA cert
  [16/22]: clean up any existing httpd ccaches
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia 
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC

WARNING: The CA service is only installed on one server (ipa1.dc.losinx.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

"""
這裡複製服務已經安裝完成,可以看到最後顯示ca伺服器只在ipa1伺服器安裝,所以我們需要按照提示進行
ipa-ca-install 進行ca複製
"""
  • CA複製服務
[root@ipa2 ~]# ipa-ca-install
Directory Manager (existing master) password:  # 輸入前面的密碼

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/27]: creating certificate server db
  [2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [3/27]: creating ACIs for admin
  [4/27]: creating installation admin user
  [5/27]: configuring certificate server instance
  [6/27]: reindex attributes
  [7/27]: exporting Dogtag certificate store pin
  [8/27]: stopping certificate server instance to update CS.cfg
  [9/27]: backing up CS.cfg
  [10/27]: disabling nonces
  [11/27]: set up CRL publishing
  [12/27]: enable PKIX certificate path discovery and validation
  [13/27]: destroying installation admin user
  [14/27]: starting certificate server instance
  [15/27]: Finalize replication settings
  [16/27]: setting audit signing renewal to 2 years
  [17/27]: restarting certificate server
  [18/27]: authorizing RA to modify profiles
  [19/27]: authorizing RA to manage lightweight CAs
  [20/27]: Ensure lightweight CAs container exists
  [21/27]: configure certificate renewals
  [22/27]: configure Server-Cert certificate renewal
  [23/27]: Configure HTTP to proxy connections
  [24/27]: restarting certificate server
  [25/27]: updating IPA configuration
  [26/27]: enabling CA instance
  [27/27]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
  • Check status
# ipa2
[root@ipa2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

# ipa1
[root@ipa1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


# Both machines show the same service status
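The status comparison above and the "no DNS discovery" answer in 4.2 both leave things worth re-checking after deployment. Added example, not from the original post: a shell script that flags a non-RUNNING service in `ipactl status` output, a master missing the CA role in `ipa config-show` output, and a client pinned to a single server in sssd.conf. The hostnames and sample outputs are constructed in the format the post shows; the live mode assumes it runs as root with a valid admin ticket.

```shell
#!/bin/bash
# Health checks for the two-node FreeIPA topology above (added example).
# The functions take command output as text so they can be tested offline.

# Print each "<name> Service: <state>" line of `ipactl status` output whose
# state is not RUNNING; return 1 if there is any such line.
failed_services() {
    printf '%s\n' "$1" | awk '
        /Service: / && $NF != "RUNNING" { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# From `ipa config-show` output, print every entry of "IPA masters:" that is
# missing from "IPA CA servers:"; return 1 if any master lacks the CA role.
# This is the state behind the installer warning "The CA service is only
# installed on one server" that ipa-ca-install on the replica resolves.
masters_without_ca() {
    printf '%s\n' "$1" | awk -F': ' '
        /^ *IPA masters:/    { n = split($2, m, ", ") }
        /^ *IPA CA servers:/ { k = split($2, c, ", "); for (i = 1; i <= k; i++) ca[c[i]] = 1 }
        END {
            for (i = 1; i <= n; i++) if (!(m[i] in ca)) { print m[i]; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# From sssd.conf text, print the ipa_server line and return 1 when the client
# is pinned to one server with no _srv_ discovery, which is what answering
# "Proceed with fixed values and no DNS discovery?" with yes leaves behind.
client_can_fail_over() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*ipa_server[[:space:]]*=/ {
            found = 1; print
            if (split($2, s, ",") > 1 || $2 ~ /_srv_/) ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }'
}

# Live mode on an enrolled server: run the three checks against real output.
if [ "${1:-}" = "--live" ]; then
    failed_services "$(ipactl status 2>&1)"            || echo "!! some IPA services are not RUNNING"
    masters_without_ca "$(ipa config-show)"            || echo "!! run ipa-ca-install on the masters listed above"
    client_can_fail_over "$(cat /etc/sssd/sssd.conf)" || echo "!! this client cannot fail over to another IPA server"
fi
```

Run it on each node with `--live` after ipa-ca-install to confirm both masters carry the CA role; a clean run prints nothing.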

5. Summary

1) The FreeIPA installation mainly consists of the base services Kerberos, LDAP and NTP.

  1. AuthN: authentication for CentOS servers is managed centrally; FreeIPA integrates Kerberos and SSSD.
  2. AuthZ: authorization for CentOS servers is managed centrally; FreeIPA integrates Kerberos and SSSD.
  3. CA: enterprise certificates are managed centrally; FreeIPA integrates Dogtag.
  4. NTP: time synchronization is handled for you; FreeIPA integrates chronyd (the installation above still used ntpd).
  5. LDAP: user names and passwords are managed in one place and integrated with other subsystems; FreeIPA integrates 389 Directory Server.
  • Uninstall
# run on ipa1
[root@ipa1 ~]# ipa-replica-manage del ipa2.dc.losinx.com
[root@ipa1 ~]# ipa-server-install --uninstall
# ipa2 
[root@ipa2 ~]# ipa-server-install --uninstall
  • Access
FreeIPA replication is multi-master: both servers are masters, and each sends its changes to the other.

Note: once deployed, you can log in to either address to view and modify the configuration.
ipa1.dc.losinx.com
ipa2.dc.losinx.com