Setting Up an IPA Server on RedHat

Date: 2023-03-09 16:05:43

ipa-server is Red Hat's complete identity-management solution; its upstream open-source project is FreeIPA. It provides no functionality of its own. Instead it integrates core packages such as 389-ds, ipa-server-dns and krb5-server into a single identity system: 389-ds (LDAP) as the data-storage backend, krb5-server as the authentication frontend, ipa-server-dns for host identification, a web management interface served by apache+tomcat, and a unified command-line management interface.

What it stores are hostnames (domain names), IP addresses, user names, passwords and the like. The workload is read-heavy, which is exactly what LDAP is designed for.


Authentication service: Kerberos KDC
Storage service: Red Hat Directory Server
Certificate system: Red Hat Certificate System
Name resolution service: DNS
Security management service: SSSD
Time synchronization service: NTP

Servers     Servers manage all of the services used by domain members.

Replicas    Replicas are copies of servers. Once a replica is installed, it is functionally identical to a server.

Clients      Clients, which belong to the Kerberos domains, receive certificates and tickets issued by the servers, and use other centralized services for authentication and authorization.

[Figure: IPA Server and Replica]

[Figure: IPA Client]

Service ports

The ports below are the ones the firewall-cmd rule in the installation steps opens.

Service        Ports       Type
HTTP/HTTPS     80, 443     TCP
LDAP/LDAPS     389, 636    TCP
Kerberos       88, 464     TCP and UDP
DNS            53          TCP and UDP
NTP            123         UDP

Environment overview

Role           Hostname               IP address             Gateway          DNS
IPA-Server     ipa.example.com        192.168.136.251/24     192.168.136.2    192.168.136.2
IPA-Replica    replica.example.com    192.168.136.252/24     192.168.136.2    192.168.136.251, 192.168.136.2
IPA-Client     client1.example.com    192.168.136.100/24     192.168.136.2    192.168.136.251, 192.168.136.252, 192.168.136.2

  • IPA-Server

Set the hostname

# hostnamectl set-hostname ipa.example.com

Open the firewall ports

# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
# firewall-cmd --reload

Install the packages

# yum install ipa-server ipa-server-dns

ipa-server-install options

--hostname=host name
-r realm_name
-n domain_name
--subject=subject_DN
-a ipa_admin_password
-p directory_manager_password
-P kerberos_master_password
--idmax=number
--idstart=number
--ip-address
--setup-dns
--forwarder=forwarder
--no-forwarders
--no-reverse

Install the IPA Server

# ipa-server-install --hostname ipa.example.com --ip-address=192.168.136.251 \
   --setup-dns --forwarder=192.168.136.2 \
   -r EXAMPLE.COM -n EXAMPLE.COM \
   -p DM_password -a admin_password
Note:
DM_password is the Directory Manager (389-ds) password, passed with -p (see the option list above).
admin_password is the password of the IPA admin account, passed with -a.

This program will set up the IPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)

Uninstall the IPA Server

# ipa-server-install --uninstall
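The hostname, name-resolution and firewall steps above are exactly what ipa-server-install (and later ipa-replica-install) trips over when they are wrong, so they are worth checking before running the installer. The following is an added example, not code from the post or from FreeIPA: the required port set is the one the firewall-cmd rule above opens, while the function names, the FQDN regex and the live ipa_preflight wrapper are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an IPA server or replica host (added example, not from the post).
# Required port set = the one opened by the firewall-cmd rule above; function names,
# the FQDN regex and the live wrapper are this example's own assumptions.

IPA_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# ipa_missing_ports "<space-separated list as printed by: firewall-cmd --list-ports>"
# Prints every required port absent from that list, one per line (nothing if all are open).
ipa_missing_ports() {
    opened=" $1 "
    for p in $IPA_REQUIRED_PORTS; do
        case "$opened" in
            *" $p "*) ;;                 # already open
            *) printf '%s\n' "$p" ;;     # missing: report it
        esac
    done
}

# ipa_hostname_ok <name>: succeeds only for a lowercase FQDN (label.label...),
# the form that --hostname / hostnamectl set-hostname must be given.
ipa_hostname_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# ipa_preflight <fqdn> <ip>: live checks on the host itself (needs hostname, getent
# and firewall-cmd, so it is not exercised offline). Non-zero exit if anything fails.
ipa_preflight() {
    fqdn=$1; ip=$2; rc=0
    ipa_hostname_ok "$fqdn" || { echo "'$fqdn' is not a lowercase FQDN"; rc=1; }
    [ "$(hostname)" = "$fqdn" ] || { echo "system hostname is '$(hostname)', expected '$fqdn'"; rc=1; }
    # --ip-address must match what the name resolves to (hosts file or DNS).
    getent hosts "$fqdn" | grep -q "^$ip[[:space:]]" || { echo "$fqdn does not resolve to $ip"; rc=1; }
    missing=$(ipa_missing_ports "$(firewall-cmd --list-ports 2>/dev/null)")
    [ -z "$missing" ] || { echo "firewall ports still closed:"; echo "$missing"; rc=1; }
    return $rc
}
```

Source the file and run `ipa_preflight ipa.example.com 192.168.136.251` on the server (or with the replica's values on the replica) before the install command. Only ports opened with `--add-port` appear in `firewall-cmd --list-ports`, so a port opened via a firewalld service definition instead is reported as missing.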

  • IPA-Replica

Set the hostname

# hostnamectl set-hostname replica.example.com

Open the firewall ports

# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
# firewall-cmd --reload

Install the packages

# yum install ipa-server ipa-server-dns

Generate the GPG replica file

Run on the IPA Server:
# ipa-replica-prepare replica.example.com --ip-address 192.168.136.252
# scp /var/lib/ipa/replica-info-replica.example.com.gpg root@replica:/var/lib/ipa/

Install the IPA Replica

# ipa-replica-install /var/lib/ipa/replica-info-replica.example.com.gpg \
   --setup-dns --forwarder 192.168.136.2 \
   -p DM_password -w admin_password

Test the IPA Replica

# ipa user-add test_user --first=Test --last=User
# ipa user-show test_user

Uninstall the IPA Replica

# ipa-replica-manage del replica.example.com
# ipa-server-install --uninstall

  • IPA-Client

Set the hostname

# hostnamectl set-hostname client1.example.com

Open the firewall ports

# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
# firewall-cmd --reload

Install the package

# yum install ipa-client

Install the IPA Client

# ipa-client-install --enable-dns-updates --domain EXAMPLE.COM --mkhomedir --no-ntp -p admin

  • IPA management

Service management

# ipactl start|stop|restart|status   (start, stop, restart, or show the status of the IPA services)

User management

Add a user
# ipa user-add jsmith

Modify a user
# ipa user-mod jsmith --title="Editor III"

Delete a user
# ipa user-del jsmith

Find users
# ipa user-find smith