网络上,特别是互联网中有各型各类的主机,有各种各样的资源, 这些东西杂散在网络中, 需要有一定的机制来访问这些资源, 得到相关的服务, 于是就有了目录服务.
早期的目录服务主要是提供文件检索, NOVELL就是广为使用的目录服务器系统; 随着互联网的发展, 网站的定位又成了难题, 于是有了DNS服务,它也是典型的目录服务,即帮你做域名与IP地址之间的转换. NETMEETING也是目录服务器的服务内容之一, 对NetMetting来说,其目录服务器主要是帮助定位用户状态信息的.
在WINDOWS体系中, AD(活动目录)功能强大, 是符合工业标准的目录服务器. 在UNIX或LINUX中,也有相应的目录服务器(如LDAP).
总结一下,目录服务器的主要功能是提供资源与地址的对应关系, 比如你想找一台网上的共享打印机或主机时, 你只需要知道名字就可以了, 而不必去关心它真正的物理位置. 而目录服务器帮助维护这样的资源-地址映射.
目录服务是使目录中所有信息和资源发挥作用的服务,如用户和资源管理、基于目录的网络服务、基于网络的应用管理等!活动目录服务将网络中的各种资源组合起来,进行集中管理,方便网络资源的搜索,使企业可以轻松地管理复杂的网络环境。
开源项目FreeIPA(http://www.freeipa.org)。
FreeIPA是一个集成的安全信息管理解决方案。它整合了389-ds(LDAP)、Kerberos、NTP、bind、apache、tomcat核心软件包,形成一个以389-ds(LDAP)为数据存储后端,Kerberos为验证前端,bind为主机识别,并且具有统一的命令行管理工具及apache+tomcat提供的web管理界面的集成信息管理系统。
FreeIPA建立在著名的开源组件和标准协议之上,具有易于管理、安装和配置任务自动化的特点。
目前,Fedora、RHEL、CentOS发行版本中,集成了IPA服务器搭建所需的所有软件包,下面我们通过CentOS6.5发行版本来看一下如何搭建一个IPA服务器及IPA服务器的应用——用户的集中化管理。
准备工作:
两台物理服务器或两个虚拟机,本示例中使用的是两个基于Vmware Workstation的虚拟机;
CentOS6.5 ISO镜像文件。
配置步骤:
(1)在第一台虚拟机中安装CentOS6.5操作系统;
(2)配置系统的网络参数(配置完成后重启系统)
[root@localhost ~]#vim /etc/sysconfig/network NETWORKING=yes HOSTNAME=ipa.example.com [root@localhost ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static IPADDR=192.168.0.100 NETMASK=255.255.255.0 [root@localhost ~]#vim /etc/hosts(该条目必须是除本地地址以外的第一条,并且ipa.example.com不能指向127.0.0.1) 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 192.168.0.100 ipa.example.com ipa
(3)配置防火墙,开放指定端口
[root@ipa ~]#iptables -I INPUT -p tcp --dport 80 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 443 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 389 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 636 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 88 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 464 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 53 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 88 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 464 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 53 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 123 -j ACCEPT [root@ipa ~]#service iptables save
| Service | Ports | Type | ||
|---|---|---|---|---|
| HTTP/HTTPS |
| TCP | ||
| LDAP/LDAPS |
| TCP | ||
| Kerberos |
| TCP and UDP | ||
| DNS | 53 | TCP and UDP | ||
| NTP | 123 | UDP | ||
| Dogtag Certificate System - LDAP | 7389 | TCP |
(4)禁用NetworkManager和NetworkManagerDispatcher服务(该服务会影响IPA相关服务运行,如果两个服务被安装到系统中,需禁用它们)
[root@ipa ~]#service NetworkManager stop [root@ipa ~]#service NetworkManagerDispatcher stop [root@ipa ~]#chkconfig NetworkManager off [root@ipa ~]#chkconfig NetworkManagerDispatcher off
(5)安装软件包
[root@ipa ~]#yum -y install bind bind-dyndb-ldap ipa-server
(6)执行ipa-server-install命令,安装IPA服务器
[root@ipa ~]# ipa-server-install --setup-dns --forwarder=8.8.8.8 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [ipa.example.com]: Warning: skipping DNS resolution of host ipa.example.com The domain name has been determined based on the host name. Please confirm the domain name [example.com]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [EXAMPLE.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [0.168.192.in-addr.arpa.]: Using reverse zone 0.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: ipa.example.com IP address: 192.168.0.100 Domain name: example.com Realm name: EXAMPLE.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 8.8.8.8 Reverse zone: 0.168.192.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance [4/21]: disabling nonces [5/21]: creating CA agent PKCS#12 file in /root [6/21]: creating RA agent certificate database [7/21]: importing CA chain to RA certificate database [8/21]: fixing RA database permissions [9/21]: setting up signing cert profile [10/21]: set up CRL publishing [11/21]: set certificate subject base [12/21]: enabling Subject Key Identifier [13/21]: setting audit signing renewal to 2 years [14/21]: configuring certificate server to start on boot [15/21]: restarting certificate server [16/21]: requesting RA certificate from CA [17/21]: issuing RA agent certificate [18/21]: adding RA agent as a trusted user [19/21]: configure certificate renewals [20/21]: configure Server-Cert certificate renewal [21/21]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: disabling betxn plugins [10/38]: configuring uniqueness plugin [11/38]: configuring uuid plugin [12/38]: configuring modrdn plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: restarting directory server [22/38]: adding default layout [23/38]: adding delegation layout [24/38]: adding replication acis [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: Upload CA cert to the directory [33/38]: initializing group membership [34/38]: adding master entry [35/38]: configuring Posix uid/gid generation [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/13]: setting mod_nss port to 443 [2/13]: setting mod_nss password file [3/13]: enabling mod_nss renegotiate [4/13]: adding URL rewriting rules [5/13]: configuring httpd [6/13]: setting up ssl [7/13]: setting up browser autoconfig [8/13]: publish CA cert [9/13]: creating a keytab for httpd [10/13]: clean up any existing httpd ccache [11/13]: configuring SELinux for httpd [12/13]: restarting httpd [13/13]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password
(7)执行命令,获取使用ipa命令行工具和web管理界面的票据,列出票据
[root@ipa ~]# kinit admin Password for admin@EXAMPLE.COM: [root@ipa ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 05/17/14 21:20:12 05/18/14 21:20:09 krbtgt/EXAMPLE.COM@EXAMPLE.COM
(8)设置相关服务随系统自动启动,保证在服务器重启后IPA能够正常运行
[root@ipa ~]# chkconfig pki-cad on [root@ipa ~]# chkconfig named on [root@ipa ~]# chkconfig krb5kdc on [root@ipa ~]# chkconfig kadmin on [root@ipa ~]# chkconfig ipa_memcached on [root@ipa ~]# chkconfig httpd on [root@ipa ~]# chkconfig dirsrv on
到此为止,IPA服务器安装完成。我们可以通过IPA命令行工具或登陆WEB界面对服务器进行管理。
下面简单介绍ipa命令的使用方法:
ipa命令使用格式:
ipa [global-options] COMMAND ...
用户管理相关COMMAND:
user-add Add a new user.
user-del Delete a user.
user-disable Disable a user account.
user-enable Enable a user account.
user-find Search for users.
user-mod Modify a user.
user-show Display information about a user.
user-status Lockout status of a user account
user-unlock Unlock a user account
如需获得更多使用方法可以查看ipa命令手册
[root@ipa ~]# man ipa
在这里我们添加三个测试用户user01、user02、user03
[root@ipa ~]# ipa user-add user01 --first=user01 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user01" ------------------- User login: user01 First name: user01 Last name: testuser Full name: user01 testuser Display name: user01 testuser Initials: ut Home directory: /home/user01 GECOS field: user01 testuser Login shell: /bin/sh Kerberos principal: user01@EXAMPLE.COM Email address: user01@example.com UID: 1682400001 GID: 1682400001 Password: True Kerberos keys available: True [root@ipa ~]# ipa user-add user02 --first=user02 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user02" ------------------- User login: user02 First name: user02 Last name: testuser Full name: user02 testuser Display name: user02 testuser Initials: ut Home directory: /home/user02 GECOS field: user02 testuser Login shell: /bin/sh Kerberos principal: user02@EXAMPLE.COM Email address: user02@example.com UID: 1682400003 GID: 1682400003 Password: True Kerberos keys available: True [root@ipa ~]# ipa user-add user03 --first=user03 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user03" ------------------- User login: user03 First name: user03 Last name: testuser Full name: user03 testuser Display name: user03 testuser Initials: ut Home directory: /home/user03 GECOS field: user03 testuser Login shell: /bin/sh Kerberos principal: user03@EXAMPLE.COM Email address: user03@example.com UID: 1682400004 GID: 1682400004 Password: True Kerberos keys available: True
添加的用户如果没有家目录,可以修改配置文件system-auth,添加以下信息
[root@ipa ~]# vim /etc/pam.d/system-auth session optional pam_mkhomedir.so skel=/etc/skel umak=077
禁用、启用、解锁用户账号
[root@ipa ~]# ipa user-disable user01 ------------------------------ Disabled user account "user01" ------------------------------ [root@ipa ~]# ipa user-enable user01 ----------------------------- Enabled user account "user01" ----------------------------- [root@ipa ~]# ipa user-unlock user01 ------------------------- Unlocked account "user01" -------------------------
修改用户登陆shell
[root@ipa ~]# ipa user-mod --shell=/bin/bash User login: user01 ---------------------- Modified user "user01" ---------------------- User login: user01 First name: user01 Last name: testuser Home directory: /home/user01 Login shell: /bin/bash Email address: user01@example.com UID: 1682400001 GID: 1682400001 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True [root@ipa ~]# ipa user-mod user02 --shell=/bin/bash ---------------------- Modified user "user02" ---------------------- User login: user02 First name: user02 Last name: testuser Home directory: /home/user02 Login shell: /bin/bash Email address: user02@example.com UID: 1682400003 GID: 1682400003 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True [root@ipa ~]# ipa user-mod user03 --shell=/bin/bash ---------------------- Modified user "user03" ---------------------- User login: user03 First name: user03 Last name: testuser Home directory: /home/user03 Login shell: /bin/bash Email address: user03@example.com UID: 1682400004 GID: 1682400004 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True
添加组,向组中添加用户,将用户从组中删除,删除组
[root@ipa ~]# ipa group-add testgroup Description: test group ----------------------- Added group "testgroup" ----------------------- Group name: testgroup Description: test group GID: 1682400005 [root@ipa ~]# ipa group-add-member testgroup --user=user01,user02,user03 Group name: testgroup Description: test group GID: 1682400005 Member users: user01, user02, user03 ------------------------- Number of members added 3 ------------------------- [root@ipa ~]# ipa group-remove-member testgroup --user=user03 Group name: testgroup Description: test group GID: 1682400005 Member users: user01, user02 --------------------------- Number of members removed 1 --------------------------- [root@ipa ~]# ipa group-del testgroup ------------------------- Deleted group "testgroup" -------------------------
查看用户或组的详细信息
[root@ipa ~]# ipa user-show --all User login: user01 dn: uid=user01,cn=users,cn=accounts,dc=example,dc=com User login: user01 First name: user01 Last name: testuser Full name: user01 testuser Display name: user01 testuser Initials: ut Home directory: /home/user01 GECOS field: user01 testuser Login shell: /bin/sh Kerberos principal: user01@EXAMPLE.COM Email address: user01@example.com UID: 1682400001 GID: 1682400001 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True ipauniqueid: 528dadee-ddca-11e3-94ff-000c295c5708 krbextradata: AAJWaXdTcm9vdC9hZG1pbkBFWEFNUExFLkNPTQA= krblastadminunlock: 20140517140215Z krblastpwdchange: 20140517135118Z krbloginfailedcount: 0 krbpasswordexpiration: 20140517135118Z krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com mepmanagedentry: cn=user01,cn=groups,cn=accounts,dc=example,dc=com objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry [root@ipa ~]# ipa group-show --all Group name: ipausers dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com Group name: ipausers Description: Default group for all users Member users: user01, user02, user03 ipauniqueid: c2f5e7e8-ddae-11e3-a95a-000c295c5708 objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject
我们除了可以使用ipa命令进行服务管理外,也可以通过WEB界面进行服务管理。我们可以选择网络中任何一台主机,将该主机DNS服务器指向IPA服务器,打开浏览器,输入http://ipa.example.com即可访问到IPA服务器的WEB管理界面。
关于IPA服务更多的使用和配置方法,大家可以查看RedHat官方手册:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
转载于:https://blog.51cto.com/blkart/1413000
1647
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
