Enterprise-grade centralized identity authentication and authorization management in practice: FreeIPA

Note: reposted from http://blog.csdn.net/xuyaqun/article/details/51596018, a very comprehensive write-up on FreeIPA; recommended.

一、Background
As the company's servers, services and users keep growing, managing users and sudo grants host by host no longer meets our needs, so we need enterprise-grade centralized identity authentication and authorization management (LDAP, Kerberos, CA, DNS, sudo, password policy), for three reasons:
1、It makes large-scale centralized management easier;
2、It enables single sign-on (SSO);
3、Combined with a bastion host, it gives two layers of authorization and two layers of auditing.

After a quick evaluation, FreeIPA turned out to be a good choice:
1、All in one: everything I need is already integrated and a few commands set it up, sparing me from adapting each piece separately and saving a great deal of deployment time;
2、It is an open-source project backed by Red Hat, the upstream of IdM, so continued maintenance is assured;
3、It supports multi-master replication to avoid a single point of failure; for an enterprise application, high availability is a must;
4、Rich interfaces: web UI, CLI and API, which is excellent;
5、Clients can register themselves with the IPA server automatically (via kickstart or a post-install script; covered in this article).

FreeIPA website: http://www.freeipa.org/

二、FreeIPA's official recommendations for production deployment
Original: http://www.freeipa.org/page/Deployment_Recommendations

Main points of the FreeIPA production deployment recommendations:
1、The domain name is the foundation of Kerberos. To avoid domain conflicts, plan the domain hierarchy carefully before building, and use a registered domain that you control. Even for internal-only use, do not casually pick a domain you do not control; using baidu.com, for example, is not a good choice.
2、FreeIPA can only be built from scratch: you cannot set it up in a test environment, tweak the domain name and then use it in production.
It is not possible to change FreeIPA primary domain and realm after installation. Plan carefully. Do not expect move from lab/staging environment to production environment (e.g. change lab.example.com to prod.example.com)
3、Use the integrated DNS server. An external DNS server can be used, but it is more complex to configure and more error-prone.
FreeIPA domain may be either served from an integrated DNS service or an external name service. A FreeIPA domain delegated to the integrated DNS service is a recommended approach.
4、For performance and stability, do not install other applications on the FreeIPA server.
5、In a multi-master setup, depending on scale and access frequency, 2-3 replicas per data center are recommended, and no more than 4.
Generally it is recommended to have at least 2-3 replicas in each datacenter. There should be at least one replica in each datacenter with additional FreeIPA services like PKI or DNS if used. Note that it is not recommended to have more than 4 replication agreements per replica.
6、Each client should have at least 2 DNS servers configured for redundancy.
Every client should have at least 2 DNS servers configured in /etc/resolv.conf for resiliency
7、Backup and restore: different scenarios call for different methods, all fairly involved; the simple, workable approach is to build on virtual machines and take snapshots regularly.
http://www.freeipa.org/page/Backup_and_Restore

三、Deployment environment and architecture
1、Environment:
FreeIPA server: Fedora Server 23
FreeIPA version: 4.2.4
$ ipa --version
VERSION: 4.2.4, API_VERSION: 2.156
Client host: CentOS 6.5
Network: internal access only; the FreeIPA server is not exposed externally
Domain: example.com (not a recommended choice, since example.com is not a domain I registered, but for internal use it does no harm)

2、Architecture: multi-master replication
freeipa101.example.com
freeipa102.example.com

3、The company runs CentOS everywhere, so why not deploy FreeIPA on CentOS?
Installing on CentOS 6 runs into all sorts of problems, and the packaged FreeIPA version is fairly old; to simplify installation I used Fedora Server 23.
On CentOS 6 the following problem occurs, and even after working around it the IPA server still would not install, so I gave up and moved to Fedora.
yum install ipa-server
Transaction Check Error:
file /usr/share/man/man3/XML::SAX::Base.3pm.gz conflicts between attempted installs of perl-XML-SAX-0.96-7.el6.noarch and perl-XML-SAX-Base-1.04-1.el6.rf.noarch
file /usr/share/man/man3/XML::SAX::Exception.3pm.gz conflicts between attempted installs of perl-XML-SAX-0.96-7.el6.noarch and perl-XML-SAX-Base-1.04-1.el6.rf.noarch

Error Summary

Workaround:
http://www.linuxidc.com/Linux/2013-09/90530.htm (verified)
https://github.com/repoforge/rpms/issues/211

四、Basic system preparation for the FreeIPA server
1、Install Fedora Server 23, preferably in a VM (you know why)
2、Update the system:
yum update
3、Set a fully qualified hostname and configure /etc/hosts
[root@freeipa101 ~]# hostname
freeipa101.example.com
[root@freeipa101 ~]# more /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.101 freeipa101.example.com freeipa101
[root@freeipa101 ~]#

4、Point the DNS resolver at freeipa101
more /etc/resolv.conf
nameserver 192.168.0.101

5、To avoid unnecessary trouble, stop the firewall and disable it at boot
systemctl stop firewalld
systemctl disable firewalld (on Fedora, disabling firewalld at boot does not always seem to take effect; keep an eye on the firewall)

6、Take a VM snapshot (omitted)
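As an added example (my own, not code from the original post or the FreeIPA project), the following script bundles the preparation checks of this section with pitfalls 1 and 2 from section 七: it validates that the hostname is a proper FQDN without underscores, that /etc/hosts and /etc/resolv.conf point at the server itself, and that the entropy pool is not starved before ipa-server-install starts generating keys. The 1000-bit entropy threshold, the `--live` flag and the sample files used by `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Pre-install checks for a FreeIPA server host. Added example, not part of
# the original post. Every check returns 0 on pass and 1 on fail.

# A FreeIPA hostname must be fully qualified: at least one dot, only letters,
# digits, dots and hyphens (no underscores), and no label that starts or
# ends with a hyphen.
validate_fqdn() {
    fqdn=$1
    case "$fqdn" in
        *.*) ;;
        *) return 1 ;;
    esac
    case "$fqdn" in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    for label in $fqdn; do
        case "$label" in
            ''|-*|*-) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# /etc/hosts must map the server's own IP to its FQDN, because the installer
# has to resolve itself before the integrated DNS server exists.
check_hosts_entry() {
    hosts_file=$1; ip=$2; fqdn=$3
    awk -v ip="$ip" -v fqdn="$fqdn" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$hosts_file"
}

# The first nameserver must be the IPA server itself (step 4 above).
check_resolver() {
    resolv_file=$1; expected_ip=$2
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    [ "$first" = "$expected_ip" ]
}

# ipa-server-install generates CA and Kerberos keys; a starved entropy pool
# makes it crawl ("Your system is running out of entropy"). The 1000-bit
# threshold is an assumption chosen for this example.
check_entropy() {
    pool_file=${1:-/proc/sys/kernel/random/entropy_avail}
    threshold=${2:-1000}
    avail=$(cat "$pool_file" 2>/dev/null || echo 0)
    [ "$avail" -ge "$threshold" ]
}

# Run every check against the live system:  sh preflight.sh --live 192.168.0.101
run_live_preflight() {
    ip=$1; fqdn=$(hostname); rc=0
    if validate_fqdn "$fqdn"; then echo "PASS hostname $fqdn"
    else echo "FAIL hostname '$fqdn' is not a valid FQDN (no underscores, must contain a dot)"; rc=1; fi
    if check_hosts_entry /etc/hosts "$ip" "$fqdn"; then echo "PASS /etc/hosts"
    else echo "FAIL /etc/hosts has no '$ip $fqdn' line"; rc=1; fi
    if check_resolver /etc/resolv.conf "$ip"; then echo "PASS resolv.conf"
    else echo "FAIL first nameserver in /etc/resolv.conf is not $ip"; rc=1; fi
    if check_entropy; then echo "PASS entropy"
    else echo "WARN entropy pool low: install and start haveged before ipa-server-install"; rc=1; fi
    return $rc
}

# Offline demonstration on constructed sample files (not a real host).
demo() {
    tmp=$(mktemp -d)
    printf '127.0.0.1 localhost\n192.168.0.101 freeipa101.example.com freeipa101\n' > "$tmp/hosts"
    printf '120\n' > "$tmp/entropy_avail"
    validate_fqdn free_ipa101.example.com || echo "free_ipa101.example.com rejected (underscore)"
    check_hosts_entry "$tmp/hosts" 192.168.0.101 freeipa101.example.com && echo "hosts entry ok"
    check_entropy "$tmp/entropy_avail" || echo "entropy 120 < 1000: install haveged"
    rm -rf "$tmp"
}

case "${1:-}" in
    --live) run_live_preflight "${2:?usage: $0 --live SERVER_IP}" ;;
    *) demo ;;
esac
```

Run it with `--live 192.168.0.101` on the freshly prepared host; without arguments it only exercises the checks on the constructed sample data.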

五、Install the primary FreeIPA server
[root@freeipa101 ~]# yum install freeipa-server

[root@freeipa101 ~]# ipa-server-install
The install fails; the freeipa-server-dns package has to be installed first:
ipa.ipapython.install.cli.install_tool(Server): ERROR Integrated DNS requires 'freeipa-server-dns' package
[root@freeipa101 ~]# yum install freeipa-server-dns -y

After ipa-server is installed, note this prompt:
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Test: [root@freeipa101 ~]# ldapsearch -x -b "dc=example, dc=com"

Once the test passes, take another VM snapshot -_-

六、Installing and configuring the replica IPA server
Creating an IPA replica, reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/creating-the-replica.html
Removing an IPA replica, reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/removing-replica.html
Installing the Replica Packages
[root@freeipa102 ~]# yum install freeipa-server freeipa-server-dns -y
Do not run ipa-server-install on the replica.
Creating the Replica
IPA's multi-master replication is very nice: Full multi master replication for higher redundancy and scalability
1、On the primary freeipa101, create the replica information file
[root@freeipa101 ~]# ipa-replica-prepare freeipa102.example.com --ip-address 192.168.0.102

2、Copy the replica information file to the replica server:
[root@freeipa101 ~]# scp /var/lib/ipa/replica-info-freeipa102.example.com.gpg freeipa102.example.com:/var/lib/ipa/

3、On the replica server
[root@freeipa102 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa102.example.com.gpg

4、Verify that the proper DNS entries were created so that IdM clients can discover the new server. DNS entries are required for the following domain services:
_ldap._tcp
_kerberos._tcp
_kerberos._udp
_kerberos-master._tcp
_kerberos-master._udp
_ntp._udp
If the initial IdM server was created with DNS enabled, then the replica is created with the proper DNS entries. For example:
[root@freeipa102 ~]# DOMAIN=example.com
[root@freeipa102 ~]# NAMESERVER=freeipa102
[root@freeipa102 ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 freeipa102.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 freeipa101.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 freeipa102.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 freeipa101.example.com.
…8<…

5、Optional. Set up DNS services for the replica
[root@freeipa102 ~]# ipa-dns-install
[root@freeipa102 ~]# ipa dnsrecord-add example.com @ --ns-rec freeipa102.example.com.

6、Test https://freeipa102.example.com

Block freeipa101's ports with iptables, or shut it down, and check that freeipa102 still works (logins and so on); then do the same the other way round. There is not much to say about high availability: simulate a few failures yourself.
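The dig loop in step 4 prints the records but leaves you to eyeball them. The script below, an added example rather than the post's or FreeIPA's own code, parses that same dig answer format and reports every (service, server) combination that is missing, so you can confirm that each of the six SRV records names both freeipa101 and freeipa102 before relying on failover. The `srv_live` helper, which feeds live `dig` output into the check, and the answer set in `demo` are constructed for this example.

```shell
#!/bin/sh
# Check that every IdM SRV record points at every IPA server. Added example,
# not from the original post. Reads dig answer lines on stdin.

REQUIRED_SRV="_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp"

# Turn answer lines such as
#   _ldap._tcp.example.com. 86400 IN SRV 0 100 389 freeipa102.example.com.
# into "owner target" pairs with the trailing dots stripped.
srv_pairs() {
    awk '$4 == "SRV" && NF >= 8 { sub(/\.$/, "", $1); sub(/\.$/, "", $8); print $1, $8 }'
}

# srv_missing DOMAIN "server1 server2 ..." < answers
# Prints one "service -> server" line per missing record; returns 0 only when
# every required service names every server.
srv_missing() {
    domain=$1; servers=$2
    pairs=$(srv_pairs)
    rc=0
    for svc in $REQUIRED_SRV; do
        for server in $servers; do
            if ! printf '%s\n' "$pairs" | grep -qxF "$svc.$domain $server"; then
                echo "$svc.$domain -> $server"
                rc=1
            fi
        done
    done
    return $rc
}

# Live use: ask the given nameserver for each record and feed the answers in.
#   srv_live freeipa102.example.com example.com "freeipa101.example.com freeipa102.example.com"
srv_live() {
    ns=$1; domain=$2; servers=$3
    for svc in $REQUIRED_SRV; do
        dig @"$ns" "$svc.$domain" SRV +noall +answer
    done | srv_missing "$domain" "$servers"
}

# Offline demonstration with a constructed answer set (sample data, not a real
# query) that lacks the _ntp._udp record for freeipa101.
demo() {
    sample='_ldap._tcp.example.com. 86400 IN SRV 0 100 389 freeipa102.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 freeipa101.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 freeipa102.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 freeipa101.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 freeipa102.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 freeipa101.example.com.
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 freeipa102.example.com.
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 freeipa101.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 freeipa102.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 freeipa101.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 freeipa102.example.com.'
    if printf '%s\n' "$sample" | srv_missing example.com "freeipa101.example.com freeipa102.example.com"; then
        echo "all SRV records present"
    else
        echo "(the records listed above are missing)"
    fi
}

demo
```

A record that only names one server is exactly the case where clients keep working while that server is up and then lose discovery when it goes down, so run this after adding every replica, not just the first one.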

七、Several major pitfalls hit during installation and configuration
Pitfall 1:
The fully qualified hostname must not contain underscores; hyphens are allowed.
Fully qualified hostname: freeipa101.example.com
Not fully qualified: freeipa101
This is a legacy issue: our older servers' hostnames were not fully qualified and contained underscores, which FreeIPA does not support.

Pitfall 2:
While installing the IPA server:
Your system is running out of entropy, you may experience long delays
The VM is not very powerful and the system's random device cannot produce enough entropy, so the key computation crawls and may not even finish; nobody can wait that long.

Solution:
yum install -y haveged
systemctl start haveged.service
systemctl stop firewalld

References:
https://www.redhat.com/archives/freeipa-devel/2014-May/msg00459.html
http://blog-ftweedal.rhcloud.com/

Pitfall 3: if the FreeIPA services are not set to start at boot, one reboot leaves you stranded.
Check the status of each IPA service; if any service is not up, try restarting:
[root@freeipa102 ldapuser1]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeyscd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@freeipa102 ldapuser1]# ipactl --help
Usage: ipactl start|stop|restart|status
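For pitfall 3, here is an added example (not from the original post) that parses `ipactl status` output, lists anything that is not RUNNING, and for live use restarts the stack and enables the `ipa` systemd unit so the services come back after a reboot. The status lines in `demo` are constructed to look like the transcript above.

```shell
#!/bin/sh
# FreeIPA service health check. Added example, not part of the original post.
# Reads `ipactl status` output on stdin.

# Print the name of every service whose state is not RUNNING.
ipa_services_down() {
    awk -F': ' '/ Service: / && $2 != "RUNNING" { sub(/ Service$/, "", $1); print $1 }'
}

# check_ipa_status < status_output  -> 0 if everything is RUNNING, 1 otherwise
check_ipa_status() {
    down=$(ipa_services_down)
    if [ -n "$down" ]; then
        echo "not running: $(printf '%s' "$down" | tr '\n' ' ')"
        return 1
    fi
    echo "all IPA services RUNNING"
}

# Live repair: restart the whole stack if something is down, then make sure
# the ipa unit is enabled so a reboot does not leave the server half-started.
ensure_ipa_running() {
    if ! ipactl status | check_ipa_status; then
        ipactl restart
    fi
    if [ "$(systemctl is-enabled ipa 2>/dev/null)" != "enabled" ]; then
        systemctl enable ipa
    fi
}

# Offline demonstration on constructed status lines (not a live ipactl run).
demo() {
    sample='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'
    printf '%s\n' "$sample" | check_ipa_status
}

case "${1:-}" in
    --live) ensure_ipa_running ;;
    *) demo ;;
esac
```

`ipactl` itself exits non-zero when a service is down, but the parsed list is what you want in a monitoring check or a cron job, because it tells you which component (for example pki-tomcatd, the slowest to come up) is the one lagging.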

八、Manually joining a client host to the FreeIPA server:
1、Install the ipa-client package
[root@client ~]# yum install ipa-client

2、Set the DNS server to 192.168.0.101 in
/etc/resolv.conf

3、Install (no need for many parameters; the client discovers the server automatically)
[root@client ~]# ipa-client-install --enable-dns-updates --mkhomedir
You can of course pass the parameters explicitly
[root@client ~]# ipa-client-install --domain=example.com --enable-dns-updates --mkhomedir --server=freeipa101.example.com
[root@vm-dev50 ~]# ipa-client-install --mkhomedir --hostname=vm-dev50.example.com
Discovery was successful!
Hostname: vm-dev50.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: freeipa101.example.com
BaseDN: dc=yunniao,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC…
Password for admin@example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=example.com
Issuer: CN=Certificate Authority,O=example.com
Valid From: Fri May 06 12:02:57 2016 UTC
Valid Until: Tue May 06 12:02:57 2036 UTC
Enrolled in IPA realm example.com
Attempting to get host TGT…
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
trying https://freeipa101.example.com/ipa/xml
Forwarding 'env' to server u'https://freeipa101.example.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://freeipa101.example.com/ipa/xml'
SSSD enabled
Configuring example.com as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@vm-dev50 ~]#

4、Test
[jsmith@client ~]$ id
[jsmith@client ~]$ getent passwd admin
[jsmith@client ~]$ getent group admins

5、If you like, you can also install the IPA and LDAP management tools
yum install ipa-client ipa-admintools openldap-clients -y
yum install nss-pam-ldapd

九、Automatically registering clients with the FreeIPA server
With kickstart, run a post-install script once the OS is installed:
1、Create the host entry and a one-time password on the IPA server in advance (the password expires after enrollment)
ipa host-add client1.example.com --password=secret
2、Install ipa-client
3、Enroll
ipa-client-install --domain=example.com --enable-dns-updates --mkhomedir -w secret --realm=example.com --server=freeipa101.example.com --hostname=client1.example.com --unattended

Drawback of the kickstart approach:
Every time a new host is added, an admin has to create the host on the IPA server first, so fully automated enrollment is hard.
if you trust your network you can create a host admin that would have the host add privilege and host enroll privilege and nothing else and use this admin.

Fully automated client enrollment:
An enrollment account used only for enrolling hosts.
Create the account autoenroll, then log in to the web UI once to update its password.
Steps to create the enrollment account in the web UI:
IPA Server -> Role Based ACL -> ROLES: add an Enroll role -> select the PRIVILEGES group Host Enrollment and add the user autoenroll to it.
The PRIVILEGES group additionally needs the single permission "add hosts".
ipa-client-install --enable-dns-updates --mkhomedir -p autoenroll -w passwordxxx -U

Or specify the hostname
ipa-client-install --enable-dns-updates --mkhomedir --hostname=netpay141.example.com -p autoenroll -w passwordxxx -U

Specifying the FreeIPA server parameters is not recommended; a client enrolled that way does not support automatic failover between IPA servers:
ipa-client-install --enable-dns-updates --mkhomedir --domain=example.com --server=freeipa101.example.com -p autoenroll -w passwordxxx -U
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.

Minor issues:
Auto-enrollment did not work at first:
1、DNS was not configured;
2、autoenroll's permissions were wrong; after resetting them there is a cache, so it takes a while to take effect;
3、After restarting the network interface the DNS settings reverted, because the DNS servers were written in the interface config file and NetworkManager was enabled.
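An added example of the %post enrollment script this section describes (my own, not code from the post or from FreeIPA): it skips hosts that are already enrolled, waits for the _ldap._tcp SRV record to become visible (the first of the "minor issues" above), and deliberately omits --server and --domain so failover keeps working. The autoenroll account name comes from the post; `ENROLL_PASSWORD`, the `--run` flag and the pluggable lookup command are assumptions made for this example.

```shell
#!/bin/sh
# Kickstart %post enrollment helper. Added example, not part of the original
# post. Assumes the dedicated "autoenroll" account the post describes (Host
# Enrollment privilege plus "add hosts", nothing else) and that its password
# arrives in ENROLL_PASSWORD from the provisioning system (placeholder).
DOMAIN=${DOMAIN:-example.com}
ENROLL_USER=${ENROLL_USER:-autoenroll}

# Already enrolled? ipa-client-install writes /etc/ipa/default.conf with the
# realm; re-running the installer on an enrolled host is a mistake.
is_enrolled() {
    conf=${1:-/etc/ipa/default.conf}
    [ -s "$conf" ] && grep -q '^realm *=' "$conf"
}

# Wait until the _ldap._tcp SRV record for the domain resolves, because the
# "DNS not configured" failure shows up here. The lookup command defaults to
# `dig +short` and can be swapped for a stub when testing.
wait_for_srv() {
    domain=$1; tries=${2:-30}; interval=${3:-2}; lookup=${4:-"dig +short"}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if [ -n "$($lookup "_ldap._tcp.$domain" SRV 2>/dev/null)" ]; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# No --server and no --domain on purpose: the post shows that pinning a server
# disables failover to the replica. DNS discovery keeps both servers usable.
enroll() {
    if is_enrolled; then
        echo "already enrolled, nothing to do"
        return 0
    fi
    if [ -z "${ENROLL_PASSWORD:-}" ]; then
        echo "ENROLL_PASSWORD is not set" >&2
        return 1
    fi
    if ! wait_for_srv "$DOMAIN"; then
        echo "no _ldap._tcp.$DOMAIN SRV record visible; fix /etc/resolv.conf first" >&2
        return 1
    fi
    ipa-client-install --enable-dns-updates --mkhomedir \
        -p "$ENROLL_USER" -w "$ENROLL_PASSWORD" -U
}

# Run only when invoked as `enroll.sh --run` (e.g. from the kickstart %post
# section), so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    enroll
fi
```

Keep in mind that `-w` puts the enrollment password on the command line, where it is visible in the process list and in the kickstart log for the duration of the install; the one-time host password from `ipa host-add --password` in the manual variant avoids leaving a long-lived secret on every client, at the cost of the pre-creation step the post complains about.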

十、Users changing passwords, and password policy:
Important: FreeIPA's password policy forces a newly created user to change the password at first login.
A user can change their own password on any host enrolled in FreeIPA:
passwd username

If you get the following error:
[u3@vm-tf51 ~]$ passwd
Changing password for user u3.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Current password's minimum life has not expired

Password not changed.
passwd: Authentication token manipulation error
[u3@vm-tf51 ~]$

Fix:
1、Set the password policy's minimum life to 0 (unit: hours):
ipa pwpolicy-mod global_policy --minlife 0 --maxlife 90
This can also be changed in the web UI.

2、Change the password via LDAP
ldappasswd -x -D 'cn=Directory Manager' -W uid=u3,cn=users,cn=accounts,dc=,dc=com -A -S

Users can also log in to the FreeIPA web UI to change their own password.
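Setting --minlife 0 makes the error go away, but it is worth checking what the rest of the policy looks like afterwards. The script below is an added example (not from the post) that parses `ipa pwpolicy-show` style output and flags combinations worth a second look, in particular minlife 0 together with history size 0, which lets a user change the password straight back to the old one. The field names follow the output of `ipa pwpolicy-show`; the numeric thresholds and the sample values in `demo` are assumptions constructed for this example.

```shell
#!/bin/sh
# Audit a FreeIPA password policy. Added example, not part of the original
# post. Reads `ipa pwpolicy-show` style output on stdin.

# policy_value "Max lifetime (days)" < output  -> prints that field's value
policy_value() {
    awk -v k="$1" -F': ' 'index($0, "  " k ": ") == 1 { print $2; exit }'
}

# audit_pwpolicy < output -> prints one line per finding, returns 0 when clean
audit_pwpolicy() {
    text=$(cat)
    minlife=$(printf '%s\n' "$text" | policy_value "Min lifetime (hours)")
    maxlife=$(printf '%s\n' "$text" | policy_value "Max lifetime (days)")
    history=$(printf '%s\n' "$text" | policy_value "History size")
    minlen=$(printf '%s\n' "$text" | policy_value "Min length")
    maxfail=$(printf '%s\n' "$text" | policy_value "Max failures")
    findings=0
    # The post's fix sets minlife to 0 so users can change passwords at once;
    # with no history that also lets them change straight back to the old one.
    if [ "${minlife:-0}" -eq 0 ] && [ "${history:-0}" -eq 0 ]; then
        echo "minlife 0 with history size 0: the old password can be reused immediately"
        findings=$((findings + 1))
    fi
    # 0 means never expires; 365 is an example upper bound, not a FreeIPA rule.
    if [ "${maxlife:-0}" -eq 0 ] || [ "${maxlife:-0}" -gt 365 ]; then
        echo "max lifetime ${maxlife:-0} days: passwords never expire or expire too late"
        findings=$((findings + 1))
    fi
    if [ "${minlen:-0}" -lt 8 ]; then
        echo "min length ${minlen:-0}: shorter than 8"
        findings=$((findings + 1))
    fi
    if [ "${maxfail:-0}" -eq 0 ]; then
        echo "max failures 0: account lockout is disabled"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Offline demonstration on constructed output resembling the policy after the
# post's `ipa pwpolicy-mod global_policy --minlife 0 --maxlife 90`.
demo() {
    sample='  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600'
    printf '%s\n' "$sample" | audit_pwpolicy && echo "no findings"
}

case "${1:-}" in
    --stdin) audit_pwpolicy ;;
    *) demo ;;
esac
```

Against a live server run `ipa pwpolicy-show global_policy | sh audit.sh --stdin`. If you keep minlife at 0 for convenience, the matching knob is the policy's history size (`ipa pwpolicy-mod global_policy --history N`), which is what actually stops immediate reuse.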

Provide a dedicated machine for changing passwords
[root@vm-passwd195 ~]# tail -n 18 /etc/bashrc

# add by ldapuser1 for freeipa user to change self password accordingly 2016052

if [ $UID -ge 894400000 ];then
echo
cat <

Sudo Option: !authenticate

Added option "!authenticate" to Sudo rule "readfiles"

Have a look at sudo access control in the web UI yourself; it is straightforward.

十二、Automounting user home directories
Not implemented yet; a very cool feature.

十三、Two-factor authentication (OTP)
Not implemented yet; a very slick feature.

十四、Client SSSD support for primary and backup servers
In /etc/sssd/sssd.conf the domain section lists the servers; `_srv_` means "discover via DNS SRV records", followed by explicit fallbacks:
ipa_server = _srv_, freeipa101.example.com, freeipa102.example.com

十五、A small error caused by clock drift
Make sure the clocks of all servers are synchronized:
[ldapuser1@admin40 ~]$ kinit
Password for ldapuser1@example.com:
kinit: Clock skew too great while getting initial credentials

The clock on your system (Linux/UNIX) is too far off from the correct time. Your machine needs to be within 5 minutes of the Kerberos servers in order to get any tickets. You will need to run ntp, or a similar service to keep your clock within the five minute window.

A good Q&A: http://www.0zu.net/freeipa/freeipa-qa.html
Strongly recommended:
Red Hat Enterprise Linux 6 Identity Management Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

Other reference links:
http://inbaudwetrust.com/2014/02/12/freeipa-serverclient-setup-on-centos-6-5/
http://linsec.ca/Using_FreeIPA_for_User_Authentication/

