Guided Exercise: The IdM Infrastructure Topology

Review Identity Management server and client services and configuration files.

Outcomes

  • Review the IdM server and client services and configuration files.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start idm-topology

Instructions

  1. Verify that the idm machine has the IdM packages and the service installed.

    1. From the workstation machine, open a new terminal and log in to the idm machine as the student user, and then switch to the root user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Verify that the machine has the IdM server package installed.

      [root@idm ~]# rpm -qa | grep ipa
      ...output omitted...
      python3-ipalib-4.10.0-6.el9.noarch
      python3-ipaclient-4.10.0-6.el9.noarch
      python3-ipaserver-4.10.0-6.el9.noarch
      sssd-ipa-2.7.3-4.el9.x86_64
      ipa-client-4.10.0-6.el9.x86_64
      ipa-server-4.10.0-6.el9.x86_64
      ipa-server-dns-4.10.0-6.el9.noarch
    3. Verify that IdM is already installed on the machine.

      [root@idm ~]# ipa-server-install
      
      The log file for this installation can be found in /var/log/ipaserver-install.log
      IPA server is already configured on this system.
      If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
      The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  2. Review the IdM services and configuration files on the idm machine.

    1. Review the status of the Kerberos database administration service.

      [root@idm ~]# systemctl status kadmin
      ● kadmin.service - Kerberos 5 Password-changing and Administration
           Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
           Active: active (running) since Tue 2023-01-03 14:44:41 EST; 25min ago
         Main PID: 7378 (kadmind)
            Tasks: 1 (limit: 22725)
           Memory: 21.9M
              CPU: 153ms
           CGroup: /system.slice/kadmin.service
                   └─7378 /usr/sbin/kadmind -P /run/kadmind.pid
      
      Jan 03 14:44:41 idm.lab.example.com systemd[1]: Starting Kerberos 5 Password-changing and Administration...
      Jan 03 14:44:41 idm.lab.example.com systemd[1]: Started Kerberos 5 Password-changing and Administration.
    2. Review the status of the Kerberos Authentication and Key Distribution Center (KDC) service.

      [root@idm ~]# systemctl status krb5kdc.service
      ● krb5kdc.service - Kerberos 5 KDC
           Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
           Active: active (running) since Tue 2023-01-03 14:49:49 EST; 21min ago
         Main PID: 11351 (krb5kdc)
            Tasks: 3 (limit: 22725)
           Memory: 8.3M
              CPU: 81ms
           CGroup: /system.slice/krb5kdc.service
                   ├─11351 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
                   ├─11352 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
                   └─11353 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
      
      Jan 03 14:49:49 idm.lab.example.com systemd[1]: Starting Kerberos 5 KDC...
      Jan 03 14:49:49 idm.lab.example.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permit>
      Jan 03 14:49:49 idm.lab.example.com systemd[1]: Started Kerberos 5 KDC.
    3. Review the status of the LDAP directory server service.

      [root@idm ~]# systemctl status dirsrv@LAB-EXAMPLE-COM.service
      ● dirsrv@LAB-EXAMPLE-COM.service - 389 Directory Server LAB-EXAMPLE-COM.
           Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
          Drop-In: /usr/lib/systemd/system/dirsrv@.service.d
                   └─custom.conf
                   /etc/systemd/system/dirsrv@LAB-EXAMPLE-COM.service.d
                   └─ipa-env.conf
           Active: active (running) since Tue 2023-01-03 14:49:58 EST; 21min ago
         Main PID: 11375 (ns-slapd)
           Status: "slapd started: Ready to process requests"
      ...output omitted...
      
      Jan 03 14:49:58 idm.lab.example.com systemd[1]: Started 389 Directory Server LAB-EXAMPLE-COM..
      ...output omitted...
    4. Review the status of the certificate authority service.

      [root@idm ~]# systemctl status pki-tomcatd@pki-tomcat.service
      ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
           Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
          Drop-In: /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d
                   └─ipa.conf
           Active: active (running) since Tue 2023-01-03 14:47:17 EST; 24min ago
         Main PID: 10440 (java)
            Tasks: 126 (limit: 22725)
      ...output omitted...
      
      Jan 03 14:47:17 idm.lab.example.com ipa-pki-wait-running[10441]: ipa-pki-wait-running: Success, subsystem ca is running!
      Jan 03 14:47:17 idm.lab.example.com systemd[1]: Started PKI Tomcat Server pki-tomcat.
    5. Verify the status of the Apache service.

      [root@idm ~]# systemctl status httpd
      ● httpd.service - The Apache HTTP Server
           Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
          Drop-In: /etc/systemd/system/httpd.service.d
                   └─ipa.conf
           Active: active (running) since Tue 2023-01-03 14:47:23 EST; 24min ago
             Docs: man:httpd.service(8)
      ...output omitted...
      
      Jan 03 14:50:40 idm.lab.example.com [10817]: GSSAPI client step 1
      Jan 03 14:50:40 idm.lab.example.com [10818]: GSSAPI client step 1
    6. Review the overall service status of the IdM server.

      [root@idm ~]# ipactl status
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      pki-tomcatd Service: RUNNING
      ipa-otpd Service: RUNNING
      ipa-dnskeysyncd Service: RUNNING
      ipa: INFO: The ipactl command was successful
    7. Return to the workstation machine as the student user. Open a web browser and navigate to https://idm.lab.example.com and verify that it displays the IdM interface. Close the web browser after it displays the login page.

      [root@idm ~]# exit
      exit
      [student@idm ~]$ exit
      logout
      Connection to idm closed.
      [student@workstation ~]$ firefox https://idm.lab.example.com
  3. Review the services and configuration files on the client machine.

    1. From the workstation machine, log in to the client machine as the student user, and then switch to the root user.

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
    2. Verify that the client machine has the IdM client package installed.

      [root@client ~]# rpm -qa | grep ipa
      ...output omitted...
      ipa-selinux-4.10.0-6.el9.noarch
      ipa-common-4.10.0-6.el9.noarch
      python3-ipalib-4.10.0-6.el9.noarch
      python3-ipaclient-4.10.0-6.el9.noarch
      sssd-ipa-2.7.3-4.el9.x86_64
      ipa-client-4.10.0-6.el9.x86_64
    3. Verify that the IdM client is already installed on the machine.

      [root@client ~]# ipa-client-install
      This program will set up IPA client.
      Version 4.10.0
      
      IPA client is already configured on this system.
      If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
      The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
    4. Review the /etc/krb5.conf configuration file.

      [root@client ~]# cat /etc/krb5.conf
      #File modified by ipa-client-install
      ...output omitted...
      [libdefaults]
        default_realm = LAB.EXAMPLE.COM
      ...output omitted...
      [realms]
        LAB.EXAMPLE.COM = {
          kdc = idm.lab.example.com:88
          master_kdc = idm.lab.example.com:88
          admin_server = idm.lab.example.com:749
          kpasswd_server = idm.lab.example.com:464
          default_domain = lab.example.com
          pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
          pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
        }
      
      [domain_realm]
        .lab.example.com = LAB.EXAMPLE.COM
        lab.example.com = LAB.EXAMPLE.COM
        client.lab.example.com = LAB.EXAMPLE.COM
      ...output omitted...
    5. Review the /etc/sssd/sssd.conf configuration file.

      [root@client ~]# cat /etc/sssd/sssd.conf
      [domain/lab.example.com]
      
      id_provider = ipa
      ipa_server = _srv_, idm.lab.example.com
      ipa_domain = lab.example.com
      ipa_hostname = client.lab.example.com
      auth_provider = ipa
      chpass_provider = ipa
      access_provider = ipa
      cache_credentials = True
      ldap_tls_cacert = /etc/ipa/ca.crt
      krb5_store_password_if_offline = True
      [sssd]
      services = nss, pam, ssh, sudo
      
      domains = lab.example.com
      ...output omitted...
    6. Review the status of the sssd service.

      [root@client ~]# systemctl status sssd
      ● sssd.service - System Security Services Daemon
           Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
           Active: active (running) since Tue 2023-01-03 14:50:43 EST; 53min ago
         Main PID: 24208 (sssd)
            Tasks: 7 (limit: 10666)
           Memory: 69.5M
              CPU: 410ms
           CGroup: /system.slice/sssd.service
                   ├─24208 /usr/sbin/sssd -i --logger=files
                   ├─24426 /usr/libexec/sssd/sssd_be --domain lab.example.com --uid 0 --gid 0 --logger=files
                   ├─24597 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
                   ├─24598 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
                   ├─24600 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
                   ├─24601 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
                   └─24605 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
      
      Jan 03 15:05:43 client.lab.example.com sssd_be[24426]: GSSAPI client step 1
      Jan 03 15:05:43 client.lab.example.com sssd_be[24426]: GSSAPI client step 2
      ...output omitted...
  4. Return to the workstation machine as the student user.

    [root@client ~]# exit
    exit
    [student@client ~]$ exit
    logout
    Connection to client closed.
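The checks that this exercise performs by hand, as an added shell example that is not part of the exercise or of the IdM project: it scans ipactl status output for any service that is not RUNNING and reads the default realm and its KDC from krb5.conf text. The sample outputs are constructed to mirror the exercise, with one service deliberately marked STOPPED so the failure path is visible.

```shell
# Added example (not part of the Red Hat exercise): defender-side checks over
# the output the exercise reviews by hand. On real hosts feed it
# "$(ipactl status)" (server) and "$(cat /etc/krb5.conf)" (client). The samples
# here are constructed, with one service deliberately STOPPED.

IPACTL_SAMPLE='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

KRB5_SAMPLE='[libdefaults]
  default_realm = LAB.EXAMPLE.COM
[realms]
  LAB.EXAMPLE.COM = {
    kdc = idm.lab.example.com:88
    admin_server = idm.lab.example.com:749
  }
[domain_realm]
  .lab.example.com = LAB.EXAMPLE.COM'

# Print each "<name> Service" entry of ipactl status whose state is not RUNNING.
ipactl_failed_services() {
    printf '%s\n' "$1" | awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 }'
}

# Succeed (exit 0) only when every IdM service reports RUNNING.
idm_server_healthy() {
    [ -z "$(ipactl_failed_services "$1")" ]
}

# Read default_realm from krb5.conf text.
krb5_default_realm() {
    printf '%s\n' "$1" | awk '$1 == "default_realm" && $2 == "=" { print $3; exit }'
}

# Read the kdc entry of one realm's block in [realms]; stops at the closing
# brace so a kdc line from another realm is never returned.
krb5_kdc_for_realm() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"                  { exit }
        inblock && $1 == "kdc" && $2 == "="   { print $3; exit }'
}

idm_server_healthy "$IPACTL_SAMPLE" && echo "server: all IdM services RUNNING" ||
    echo "server: not RUNNING: $(ipactl_failed_services "$IPACTL_SAMPLE" | tr '\n' ' ')"
REALM=$(krb5_default_realm "$KRB5_SAMPLE")
echo "client: realm $REALM, KDC $(krb5_kdc_for_realm "$KRB5_SAMPLE" "$REALM")"
```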

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish idm-topology

Revision: rh362-9.1-4c6fdb8