Identity Management


1 AIM

Set up Identity Management (IdM) based on the FreeIPA (Identity, Policy and Audit) system

Hosts

  • cyber8: ThinkPad X230 set up with CentOS 8.1
  • cyber7: ThinkPad X230 set up with CentOS 7.8

Domain Name System (cf. the DNS page for the setup)

  • Server: cyber8
  • Domain Name: rshome.lan   (FreeIPA requires a compound domain name, i.e. at least 2 terms separated by a dot)

Shared Users Directories across IPA Clients (cf. the Automount page for the setup)

  • Server: cyber8
  • Location: /home/export
  • Auto-mounted onto cyber7

Note

By default, IPA-managed users' home directories are created under /home/export (a centralised location shared across IPA clients). An individual user's home directory can instead be set to a local path directly under /home; in that case the user gets a separate home directory on each IPA client they log in from.

IPA

  • Server: cyber8
  • Client: cyber7

2 IPA Server: cyber8

2.1 Pre-installation

Idm/FreeIPA RPMs Installation

  • dnf install @idm:DL1
  • dnf module enable idm:DL1
  • dnf module install idm:DL1/server
  • dnf module install idm:DL1/dns
  • dnf module install idm:DL1/adtrust
  • dnf install freeipa-server
  • dnf install freeipa-server-dns

On CentOS 8 the server and dns module profiles already pull in ipa-server and ipa-server-dns (the freeipa-* names are aliases for the same packages), so the last two dnf install lines are kept only as a record of what was run. The adtrust profile is only needed for an Active Directory trust, which this page does not configure.

Firewall   (either use command line instructions or GUI)

  • dnf install firewall-config
  • Command line instructions
    • firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}
    • firewall-cmd --reload
  • GUI
    • firewall-config

2.2 IPA Server Installation

Run the command   ipa-server-install

Do you want to configure integrated DNS (BIND)? [no]: 
Server host name [cyber8.rshome.lan]: 
Please provide a realm name [RSHOME.LAN]: 
Directory Manager password: ----
IPA admin password: ----
Do you want to configure chrony with NTP server or pool address? [no]: 
Continue to configure the system with these values? [no]: yes
Setup complete

Please add records to your DNS system:
_kerberos-master._tcp.rshome.lan. 86400 IN SRV 0 100 88 cyber8.rshome.lan.
_kerberos-master._udp.rshome.lan. 86400 IN SRV 0 100 88 cyber8.rshome.lan.
_kerberos._tcp.rshome.lan. 86400 IN SRV 0 100 88 cyber8.rshome.lan.
_kerberos._udp.rshome.lan. 86400 IN SRV 0 100 88 cyber8.rshome.lan.
_kerberos.rshome.lan. 86400 IN TXT "RSHOME.LAN"
_kpasswd._tcp.rshome.lan. 86400 IN SRV 0 100 464 cyber8.rshome.lan.
_kpasswd._udp.rshome.lan. 86400 IN SRV 0 100 464 cyber8.rshome.lan.
_ldap._tcp.rshome.lan. 86400 IN SRV 0 100 389 cyber8.rshome.lan.
ipa-ca.rshome.lan. 86400 IN A 192.168.0.53

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp
        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

2.3 Post-installation

Firewall update

  • firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
  • firewall-cmd --reload

The freeipa-ldap, freeipa-ldaps and dns services added in 2.1 already cover every port in this list except 123/udp, which is only needed if cyber8 is to serve NTP (this install declined to configure chrony). Listing the ports explicitly is harmless but redundant.

DNS update

Add the records printed at the end of ipa-server-install (the _kerberos*, _kpasswd and _ldap SRV records, the _kerberos TXT record and the ipa-ca A record) to the rshome.lan zone served by cyber8 (cf. the DNS page). Clients rely on these records for discovery during enrolment in the next section.
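Before enrolling any client it is worth confirming that the records above actually resolve. The script below is an added example and not part of the wiki page: it regenerates the record set FreeIPA asks for from the domain, the server's short host name and its IP, then queries each one with dig (package bind-utils) and reports what is missing. The DIG variable is an assumption of this example so that another resolver command can be substituted.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that the DNS records
# ipa-server-install asked for have been published before enrolling clients.
# Assumes dig (package bind-utils) is installed; DIG may be overridden
# with another resolver command (used for testing).
DIG=${DIG:-dig}

# Emit "owner type rdata" lines for the records FreeIPA prints at the end of
# ipa-server-install, derived from DOMAIN, the server's short HOST and its IP.
ipa_expected_records() {
    domain=$1; host=$2; ip=$3
    fqdn="$host.$domain."
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    for svc in _kerberos-master._tcp _kerberos-master._udp _kerberos._tcp _kerberos._udp; do
        echo "$svc.$domain. SRV 0 100 88 $fqdn"
    done
    for svc in _kpasswd._tcp _kpasswd._udp; do
        echo "$svc.$domain. SRV 0 100 464 $fqdn"
    done
    echo "_ldap._tcp.$domain. SRV 0 100 389 $fqdn"
    echo "_kerberos.$domain. TXT \"$realm\""
    echo "ipa-ca.$domain. A $ip"
}

# Resolve each expected record and look for the expected rdata among the
# answers. Returns 0 when every record is present, 1 otherwise (missing
# records are listed on stderr).
verify_ipa_dns() {
    failures=$(ipa_expected_records "$@" | while read -r owner type rdata; do
        if ! "$DIG" +short "$type" "$owner" | grep -Fqx -- "$rdata"; then
            echo "MISSING: $owner $type $rdata"
        fi
    done)
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures" >&2
        return 1
    fi
    echo "all FreeIPA records for $1 resolve to $2.$1"
}

# Usage on this setup:  verify_ipa_dns rshome.lan cyber8 192.168.0.53
```

Run it from cyber7 as well as from cyber8: the client resolves through the DNS server on cyber8, and a record that resolves locally but not from the client is exactly what makes ipa-client-install discovery fail.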

Get Kerberos ticket

  • kinit admin

Set the default home directory base for new users   (shared location across IPA clients; users created before this change keep their existing home directory)

  • ipa config-mod --homedirectory=/home/export

Set the system to automatically create users' home directories at first login

  • already_selected="$(authselect current --raw)"
  • authselect select $already_selected with-mkhomedir --force
  • systemctl enable oddjobd.service
  • systemctl restart oddjobd.service

3 IPA Client: cyber7

3.1 Pre-installation

RPMs Installation

  • yum install ipa-client

Firewall

  • firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
  • firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}
  • firewall-cmd --reload

Enrolment and authentication only need outbound connections from the client to cyber8; an IPA client does not have to accept inbound connections on any of these ports. The rules above mirror the server's firewall and can be omitted on cyber7 to keep its exposed surface small.

3.2 IPA Client Installation

Run the command   ipa-client-install

Discovery was successful!
Client hostname: cyber7.rshome.lan
Realm: RSHOME.LAN
DNS Domain: rshome.lan
IPA Server: cyber8.rshome.lan
BaseDN: dc=rshome,dc=lan
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@RSHOME.LAN: ----
...
The ipa-client-install command was successful

Note: the NTP sync warning above is expected because chrony was not configured on cyber8 during ipa-server-install (section 2.2); enrolment continues regardless. Kerberos rejects tickets when client and KDC clocks differ by more than 5 minutes (the default clock skew), so cyber7 must keep time from some other source.

3.3 Post-installation

Get Kerberos ticket

  • kinit admin

Check installation by listing users

  • ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@RSHOME.LAN
  UID: 221000000
  GID: 221000000
  Account disabled: False
----------------------------
Number of entries returned 1

Set the system to automatically create users' home directories at first login when they are set locally, i.e. directly under /home   (on CentOS 7 this is done with authconfig; the same result can be obtained at enrolment time with ipa-client-install --mkhomedir)

  • authconfig --enablemkhomedir --update

Note

  • If a user has his/her home directory under /home/export, that directory will be shared across all IPA clients;
  • However if a user's directory is set directly under /home, that user will have a separate home directory on each IPA client.

4 Web UI

Identity Management Web UI

Identity Management can be performed either with command line instructions (e.g. ipa user-add ...) or using the provided Web UI

To launch Web UI

  • From either cyber7 or cyber8 start firefox and point it to the URL https://cyber8.rshome.lan   (use the fully qualified name: the server certificate issued by the IPA CA is for cyber8.rshome.lan, so the short name https://cyber8 produces a certificate name mismatch; import /etc/ipa/ca.crt into the browser so that the IPA CA is trusted rather than clicking through the warning)
  • Log in as admin

5 Degraded Mode: IPA + Home Directory Server Down

Recall: cyber8 hosts the IPA server as well as the users' directories exported under /home/export.

The following tests were performed to check the system behaviour when cyber8 is off line.

5.1 User's Directory on /home/export

  1. Turn on both cyber7 and cyber8
  2. Create an IPA user "SharedDirUser" with home directory set on /home/export
  3. From a cyber8 xterm, type "su - SharedDirUser"
    /home/export/SharedDirUser is created with basic bash programs
  4. Type "exit"   (log out SharedDirUser)
  5. From a cyber7 xterm, type "su - SharedDirUser" and enter the password
    The present working directory is /home/export/SharedDirUser
  6. Type "exit"   (log out SharedDirUser)
  7. Turn off cyber8
  8. Try to log back in SharedDirUser from cyber7
    → The login process will FAIL with the "su" command hanging

5.2 User's Directory on /home

  1. Turn on both cyber7 and cyber8
  2. Create an IPA user "LocalDirUser" with home directory set on /home (do not log in)
  3. Turn off cyber8
  4. From a cyber7 xterm, type "su - LocalDirUser" and enter the password
    → The login process will FAIL due to Authentication failure
  5. Turn on cyber8
  6. From a cyber7 xterm, type "su - LocalDirUser" and enter the password
    /home/LocalDirUser is created with basic bash programs
  7. Type "exit"   (log out LocalDirUser)
  8. Turn off cyber8
  9. Log back in from cyber7, typing "su - LocalDirUser" and entering the password
    → This time the login process will SUCCEED

Analysis

Once a user has logged in successfully from the IPA client while the IPA server was reachable, all later logins by that user succeed whether cyber8 is up or not. This is SSSD's offline credential caching: ipa-client-install writes cache_credentials = True into the domain section of /etc/sssd/sssd.conf, so after an online authentication SSSD keeps a hash of the password and verifies against it when the KDC cannot be reached. A user who has never authenticated from cyber7 has nothing cached, hence the "Authentication failure" in 5.2 step 4.

Two caveats follow from this:

  • In 5.1 the credentials are cached as well (step 5 was an online login); the su hangs because the home directory is an automount of /home/export from the powered-off cyber8, not because authentication fails. Authentication and home directory availability degrade independently.
  • By default the cached credentials never expire (offline_credentials_expiration = 0 in the [pam] section of sssd.conf) and offline password guesses are not limited (offline_failed_login_attempts = 0). On a laptop that leaves the network, consider setting both explicitly; cf. sssd.conf(5).
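To make the caching behaviour visible and to show the two settings that bound it, here is an added example (not from the wiki page) that audits an sssd.conf for offline authentication and emits a hardened copy. The sample configuration is constructed for the example, modelled on what ipa-client-install writes for the rshome.lan domain; the option names come from sssd.conf(5), the expiry and attempt limits chosen in harden() are assumptions.

```python
"""Added example, not from the wiki page: audit /etc/sssd/sssd.conf for the
offline credential caching that explains the Degraded Mode results, and
produce a copy with explicit limits on it.
"""
import configparser
import io

# Constructed sample modelled on what ipa-client-install writes on cyber7;
# it is not copied from a real host.
SAMPLE_SSSD_CONF = """\
[domain/rshome.lan]
id_provider = ipa
ipa_server = _srv_, cyber8.rshome.lan
ipa_domain = rshome.lan
ipa_hostname = cyber7.rshome.lan
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh, sudo
domains = rshome.lan

[nss]
homedir_substring = /home

[pam]
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (INI-style, '=' delimited, case-sensitive keys)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def audit_offline_auth(text):
    """Return, per domain, whether offline login is possible and why it is risky.

    SSSD defaults (sssd.conf(5)): offline_credentials_expiration = 0 means the
    cached password hash never expires; offline_failed_login_attempts = 0 means
    offline password guesses are not limited.
    """
    cp = parse_sssd_conf(text)
    expiry_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    failed_attempts = cp.getint("pam", "offline_failed_login_attempts", fallback=0)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        cached = cp.getboolean(section, "cache_credentials", fallback=False)
        findings = []
        if cached and expiry_days == 0:
            findings.append("cached credentials never expire (offline_credentials_expiration = 0)")
        if cached and failed_attempts == 0:
            findings.append("unlimited offline password guesses (offline_failed_login_attempts = 0)")
        report[domain] = {
            "cache_credentials": cached,
            "offline_login_possible": cached,  # what the 5.2 test observed
            "offline_credentials_expiration_days": expiry_days,
            "offline_failed_login_attempts": failed_attempts,
            "findings": findings,
        }
    return report


def harden(text, expiry_days=7, failed_attempts=5):
    """Return the config text with explicit [pam] limits on offline logins.

    The 7-day / 5-attempt values are assumptions for this example; pick what
    suits how long the laptop is expected to be away from cyber8.
    """
    cp = parse_sssd_conf(text)
    if not cp.has_section("pam"):
        cp.add_section("pam")
    cp.set("pam", "offline_credentials_expiration", str(expiry_days))
    cp.set("pam", "offline_failed_login_attempts", str(failed_attempts))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for domain, info in audit_offline_auth(SAMPLE_SSSD_CONF).items():
        print(domain, info)
    print(harden(SAMPLE_SSSD_CONF))
```

Applying the hardened file on cyber7 requires a restart of sssd; note that lowering offline_credentials_expiration does not reach back in time for hashes already cached, and `sss_cache -E` can be used to invalidate the cache when a user is removed or a password is reset while the client is away.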