[#]: subject: "How to Install FreeIPA Server on RHEL 8 | Rocky Linux 8 | AlmaLinux 8"
[#]: via: "https://www.linuxtechi.com/install-freeipa-rhel-rocky-almalinux/"
[#]: author: "Pradeep Kumar https://www.linuxtechi.com/author/pradeep/"
[#]: collector: "lkxed"
[#]: translator: "geekpi"
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-15783-1.html"

How to Install the FreeIPA Server on RHEL 8
======

![][0]

Are you looking for a simple guide on how to install the FreeIPA server on Linux?

The step-by-step guide on this page shows how to install the FreeIPA server on RHEL 8, Rocky Linux 8 and AlmaLinux 8.

[FreeIPA][1] is a free and open-source centralized identity and access management tool for Linux-based systems, and it is the upstream project of Red Hat Identity Manager. With FreeIPA we can easily manage centralized authentication as well as account management, policies (host-based access control) and auditing.

FreeIPA is built on the following open-source projects:

- LDAP server – based on the 389 project
- KDC – based on the MIT Kerberos implementation
- PKI based on the Dogtag project
- Samba libraries for Active Directory integration
- DNS server based on BIND and the Bind-DynDB-LDAP plugin
- NTP

### Prerequisites

- Pre-installed RHEL 8, Rocky Linux 8 or AlmaLinux 8
- A sudo user with administrator privileges
- RAM = 2 GB
- CPU = 2 vCPUs
- Disk = 12 GB of free space in the root directory
- Internet connection

### Lab details for FreeIPA

- IP address = 192.168.1.102
- Hostname = ipa.linuxtechi.lan
- Operating system: RHEL 8, Rocky Linux 8 or AlmaLinux 8

Without further ado, let's dive into the FreeIPA installation steps.

### 1. Set the hostname and install updates

Open the server's terminal and set the hostname with the `hostnamectl` command:

```
$ sudo hostnamectl set-hostname "ipa.linuxtechi.lan"
$ exec bash
```

Install the updates with the `yum`/`dnf` command, then reboot:

```
$ sudo dnf update -y
$ sudo reboot
```

### 2. Update the hosts file and set SELinux to permissive

Run the following `tee` command to update the `/etc/hosts` file, replacing the IP address and hostname according to your setup.

```
$ echo -e "192.168.1.102\tipa.linuxtechi.lan\t ipa" | sudo tee -a /etc/hosts
```

To set SELinux to permissive mode, run the following commands:

```
$ sudo setenforce 0
$ sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
$ getenforce
Permissive
```

### 3. Install FreeIPA and its components

The FreeIPA packages and their dependencies are available in the AppStream package repository. Since we plan to install FreeIPA with integrated DNS, we will also install `ipa-server-dns` and `bind-dyndb-ldap`.

Run the following commands to install FreeIPA and its dependencies:

```
$ sudo dnf -y install @idm:DL1
$ sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
```

### 4. Start the FreeIPA installation

Once the FreeIPA packages and their dependencies are installed, start the FreeIPA installation setup with the following command.

It will prompt for several things, such as configuring integrated DNS, the hostname, the domain name and the realm name.

```
$ sudo ipa-server-install
```

The output of the above command is shown below:

![][2]

![][3]

After entering "yes" in the window above, it takes some time to configure your FreeIPA server; once the setup succeeds, we get the following output:

![][4]

The output above confirms that FreeIPA was installed successfully.

### 5. Allow the FreeIPA ports in the firewall

If the system firewall is running on your server, run the following `firewall-cmd` commands to allow the FreeIPA ports:

```
$ sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
$ sudo firewall-cmd --reload
```

### 6. Access the FreeIPA admin portal

Run the `ipactl` command below to check whether all FreeIPA services are running:

```
$ ipactl status
You must be root to run ipactl.
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
$
```
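As an added example that is not part of the original article, the bash function below turns the `sudo ipactl status` check into a post-install health test: it parses the command's output, flags every service whose state is not RUNNING, and also fails when ipactl never printed its success line (as happens when it is run without root). The function name `check_ipactl_services` is an assumed name, and the sample outputs are constructed from the listing above.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): parse `sudo ipactl status`
# output and report FreeIPA services that are not RUNNING, or a run that
# never reported success. Real use:  sudo ipactl status | check_ipactl_services
# Reads ipactl output on stdin. Returns 0 when every listed service is RUNNING
# and the success line was seen, 1 otherwise; problems are written to stderr.
check_ipactl_services() {
    local failed=0 summary_seen=0 line name state
    while IFS= read -r line; do
        case "$line" in
            *" Service: "*)
                name=${line%%" Service:"*}     # e.g. "krb5kdc"
                state=${line##*" Service: "}   # e.g. "RUNNING"
                if [ "$state" != "RUNNING" ]; then
                    printf 'NOT RUNNING: %s (%s)\n' "$name" "$state" >&2
                    failed=1
                fi
                ;;
            "ipa: INFO: The ipactl command was successful") summary_seen=1 ;;
        esac
    done
    if [ "$summary_seen" -eq 0 ]; then
        printf 'ipactl did not report success (not run as root?)\n' >&2
        failed=1
    fi
    return "$failed"
}
# Constructed sample: a healthy server, taken from the listing in the article.
HEALTHY_SAMPLE='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: the same server with the KDC stopped.
DEGRADED_SAMPLE='Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Constructed sample: what the article shows when ipactl is run without sudo.
NOROOT_SAMPLE='You must be root to run ipactl.'
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$HEALTHY_SAMPLE" | check_ipactl_services && echo "healthy sample: OK"
    printf '%s\n' "$DEGRADED_SAMPLE" | check_ipactl_services || echo "degraded sample: problems found"
    printf '%s\n' "$NOROOT_SAMPLE" | check_ipactl_services || echo "no-root sample: problems found"
fi
```

Run the script with `--demo` to see all three constructed cases evaluated.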

Let's use the `kinit` command to verify that the admin user obtains a Kerberos ticket, using the same admin password we provided during the FreeIPA installation.

```
$ kinit admin
$ klist
```

Output of the above commands:

![][5]

Perfect, the output above confirms that the admin obtained a ticket. Now, try to access the FreeIPA web console by entering the following URL in a web browser:

```
https://ipa.linuxtechi.lan/ipa/ui
```

or

```
https://<Server-IPAddress>/ipa/ui
```

Use the username `admin` and the password we specified during the installation.

![][6]

The FreeIPA web console uses a self-signed SSL certificate, which is why we see this window, so click "Accept the Risk and Continue".

![][7]

After entering the credentials, click "Log in".

![][8]

This confirms that we have successfully set up FreeIPA on RHEL 8 / Rocky Linux 8 / AlmaLinux 8.

That's all; I hope you found it informative. Please post your questions and feedback in the comments section below.

*(Header image: MJ/9df57ea0-b5a0-48f9-a323-853a28ca6162)*

--------------------------------------------------------------------------------

via: https://www.linuxtechi.com/install-freeipa-rhel-rocky-almalinux/

Author: [Pradeep Kumar][a]
Topic selection: [lkxed][b]
Translator: [geekpi](https://github.com/geekpi)
Proofreader: [wxy](https://github.com/wxy)

This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux China](https://linux.cn/)

[a]: https://www.linuxtechi.com/author/pradeep/
[b]: https://github.com/lkxed/
[1]: https://www.freeipa.org/page/Main_Page
[2]: https://www.linuxtechi.com/wp-content/uploads/2018/11/IPA-Server-Install-Command-RHEL-RockyLinux-AlmaLinux.png?ezimgfmt=ng:webp/ngcb22
[3]: https://www.linuxtechi.com/wp-content/uploads/2018/11/IPA-Install-Directory-Manager-IPA-Admin-Password.png?ezimgfmt=ng:webp/ngcb22
[4]: https://www.linuxtechi.com/wp-content/uploads/2018/11/IPA-Installation-Successful-Message-RHEL-AlmaLinux-RockyLinux.png?ezimgfmt=ng:webp/ngcb22
[5]: https://www.linuxtechi.com/wp-content/uploads/2018/11/FeeIPA-kinit-admin-token.png
[6]: https://www.linuxtechi.com/wp-content/uploads/2018/11/Accept-Risk-FreeIPA-WebConsole-URL-1024x556.png?ezimgfmt=ng:webp/ngcb22
[7]: https://www.linuxtechi.com/wp-content/uploads/2018/11/FreeIPA-Login-Page-RHEL-RockyLinux-AlmaLinux-1024x586.png?ezimgfmt=ng:webp/ngcb22
[8]: https://www.linuxtechi.com/wp-content/uploads/2018/11/FreeIPA-Dashboard-RHEL-RockyLinux-AlmaLinux-1024x585.png?ezimgfmt=ng:webp/ngcb22
[0]: https://img.linux.net.cn/data/attachment/album/202305/05/160246m3vu7phhy7eyuo7j.png