Guided Exercise: Installing an Identity Management Server

Configure the system prerequisites and then install an initial IdM server.

Outcomes

  • Perform a minimal installation.

  • Explore the product interface and features.

Important

Ensure that you recreate your classroom environment before starting this exercise. The IdM installation process requires clean systems to work properly.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start install-idmserver

Instructions

  1. Verify that the idm machine has the required firewall configuration.

    1. Log in to the idm machine as the student user and become the root user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
      [root@idm ~]#
    2. Ensure that the firewalld service is enabled and running.

      [root@idm ~]# systemctl is-enabled firewalld
      enabled
      [root@idm ~]# systemctl is-active firewalld
      active
    3. Use the firewall-cmd command to allow access for the freeipa-ldap, freeipa-ldaps, and dns services.

      [root@idm ~]# firewall-cmd --add-service=freeipa-ldap
      success
      [root@idm ~]# firewall-cmd --add-service=freeipa-ldaps
      success
      [root@idm ~]# firewall-cmd --add-service=dns
      success
      [root@idm ~]# firewall-cmd --runtime-to-permanent
      success
    4. Verify that the services were added correctly.

      [root@idm ~]# firewall-cmd --list-services
      cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ssh
  2. Verify that the idm machine has the required DNS and NTP configuration.

    1. Verify that the idm machine is configured to use the 172.25.254.254 time server.

      [root@idm ~]# grep '^server' /etc/chrony.conf
      server 172.25.254.254 iburst
    2. Verify that the file mode creation mask is set to 0022.

      [root@idm ~]# umask
      0022
    3. Verify the hostname of the system. Ensure that the hostname is in the fully qualified domain name (FQDN) format.

      [root@idm ~]# hostname
      idm.lab.example.com
    4. Verify the IPv4 DNS configuration for the system. Ensure that the system has forward and reverse DNS entries.

      [root@idm ~]# ip address show
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
          link/ether 52:54:00:00:fa:08 brd ff:ff:ff:ff:ff:ff
          inet 172.25.250.8/24 brd 172.25.250.255 scope global eth0
             valid_lft forever preferred_lft forever
          inet6 fe80::5054:ff:fe00:fa08/64 scope link
             valid_lft forever preferred_lft forever
      [root@idm ~]# dig +short idm.lab.example.com A
      172.25.250.8
      [root@idm ~]# dig +short -x 172.25.250.8
      idm.lab.example.com.
    5. Verify that the _ntp._udp DNS SRV record exists. The IdM installation can discover the NTP server by querying for this type of record in the DNS server.

      [root@idm ~]# dig _ntp._udp SRV
      ...output omitted...
      ;; ANSWER SECTION:
      _ntp._udp.              3600    IN      SRV     0 0 123 172.25.254.254.
      ...output omitted...
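The checks in steps 1 and 2 are easy to script so that they can be rerun before every server or replica installation. The following preflight script is an added example and is not part of the Red Hat exercise: each check takes its input as arguments or on stdin, so the parsing logic runs offline against constructed command output, and the hypothetical run_preflight function wires the checks to the real firewall-cmd, hostname, dig and umask commands (it assumes a single IPv4 address on the host, as in the lab, and that dig +short returns one line).

```shell
#!/bin/sh
# Added example, not part of the Red Hat exercise: preflight checks for the
# IdM server prerequisites verified in steps 1 and 2. Functions take their
# input as arguments or stdin so they are testable offline; run_preflight
# (hypothetical wiring) feeds them real command output on an actual host.
# Usage: sh idm-preflight.sh --run

# Check 1: every required firewalld service appears in the output of
# `firewall-cmd --list-services`; extra services (ssh, cockpit) are fine.
required_services_present() {
    list=$(printf '%s' "$1" | tr '\n' ' '); shift
    for svc in "$@"; do
        case " $list " in
            *" $svc "*) ;;
            *) echo "missing firewalld service: $svc" >&2; return 1 ;;
        esac
    done
    return 0
}

# Check 2: the hostname is a fully qualified domain name (two or more
# labels of letters, digits and hyphens) and not a localhost name, which
# ipa-server-install refuses.
is_fqdn() {
    case "$1" in
        localhost|localhost.localdomain) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Check 3: forward and reverse DNS agree. fwd is the output of
# `dig +short HOST A`, rev the output of `dig +short -x IP` (trailing dot).
dns_consistent() {
    host="$1"; ip="$2"; fwd="$3"; rev="${4%.}"
    if [ "$fwd" != "$ip" ]; then
        echo "forward lookup of $host returned '$fwd', expected $ip" >&2; return 1
    fi
    if [ "$rev" != "$host" ]; then
        echo "reverse lookup of $ip returned '$rev', expected $host" >&2; return 1
    fi
    return 0
}

# Check 4: the file mode creation mask is the 0022 the exercise requires.
umask_ok() {
    case "$1" in 0022|022) return 0 ;; *) return 1 ;; esac
}

# Check 5: extract the target of the _ntp._udp SRV record from a dig
# answer section on stdin; prints nothing when no SRV record is present.
# Answer line layout: NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET.
srv_target() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8; exit }'
}

# Hypothetical wiring of the checks to the live system.
run_preflight() {
    status=0
    required_services_present "$(firewall-cmd --list-services)" \
        freeipa-ldap freeipa-ldaps dns || status=1
    h=$(hostname)
    is_fqdn "$h" || { echo "hostname '$h' is not an FQDN" >&2; status=1; }
    ip=$(hostname -I | awk '{ print $1 }')
    dns_consistent "$h" "$ip" "$(dig +short "$h" A)" "$(dig +short -x "$ip")" || status=1
    umask_ok "$(umask)" || { echo "umask is $(umask), expected 0022" >&2; status=1; }
    ntp=$(dig _ntp._udp SRV | srv_target)
    if [ -n "$ntp" ]; then echo "NTP SRV target: $ntp"; else echo "no _ntp._udp SRV record" >&2; fi
    return $status
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

The script reports every failed check rather than stopping at the first one, so a single run shows everything that still needs fixing before ipa-server-install is attempted.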
  3. Install IdM on the idm machine. Install the DNS service as an integrated service.

    Note

    If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. You can use the --no-forwarders option to avoid the configuration of DNS forwarders. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

    [student@workstation ~]$ dig @8.8.8.8 A www.google.com
    1. Install the ipa-server and ipa-server-dns packages.

      [root@idm ~]# dnf install ipa-server ipa-server-dns
      ...output omitted...
    2. Install the IdM server interactively with an integrated DNS and set 172.25.250.254 as the forwarder. Use LAB.EXAMPLE.COM as the Kerberos realm and lab.example.com as the domain. Set RedHat123^ as the Directory Server password and the admin user password.

      Accept the default values when prompted for options. When prompted to confirm the installation values, enter yes.

      [root@idm ~]# ipa-server-install --realm LAB.EXAMPLE.COM \
        --domain lab.example.com \
        --ds-password RedHat123^ \
        --admin-password RedHat123^ \
        --setup-dns --forwarder 172.25.250.254
      
      The log file for this installation can be found in /var/log/ipaserver-install.log
      ...output omitted...
      
      The IPA Master Server will be configured with:
      Hostname:       idm.lab.example.com
      IP address(es): 172.25.250.8
      Domain name:    lab.example.com
      Realm name:     LAB.EXAMPLE.COM
      
      The CA will be configured with:
      Subject DN:   CN=Certificate Authority,O=LAB.EXAMPLE.COM
      Subject base: O=LAB.EXAMPLE.COM
      Chaining:     self-signed
      
      BIND DNS server will be configured to serve IPA domain with:
      Forwarders:       172.25.250.254
      Forward policy:   only
      Reverse zone(s):  No reverse zone
      
      Continue to configure the system with these values? [no]: yes
      ...output omitted...
    3. Review the /var/log/ipaserver-install.log file to verify that the installation was successful.

      [root@idm ~]# tail /var/log/ipaserver-install.log
      ...output omitted...
      2023-04-19T01:23:50Z DEBUG stderr=
      2023-04-19T01:23:50Z INFO The ipa-server-install command was successful
  4. Verify the IdM services and test the DNS service. Verify the dc=lab,dc=example,dc=com base distinguished name.

    1. Verify that the IdM services are running on the idm machine.

      [root@idm ~]# ipactl status
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      pki-tomcatd Service: RUNNING
      ipa-otpd Service: RUNNING
      ipa-dnskeysyncd Service: RUNNING
      ipa: INFO: The ipactl command was successful
    2. Verify the IdM IP address.

      [root@idm ~]# ip addr
      ...output omitted...
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
      ...output omitted...
          inet 172.25.250.8/24 brd 172.25.250.255 scope global noprefixroute eth0
      ...output omitted...
    3. Query the idm.lab.example.com domain name with the IdM DNS server.

      [root@idm ~]# dig @172.25.250.8 idm.lab.example.com
      ...output omitted...
      ;; ANSWER SECTION:
      idm.lab.example.com.    1200    IN      A       172.25.250.8
      ...output omitted...
    4. Verify access as the admin user. The base distinguished name (DN) dc=lab,dc=example,dc=com is constructed from the lab.example.com domain name that was provided during installation.

      [root@idm ~]# ldapsearch -h 172.25.250.8 -b 'dc=lab,dc=example,dc=com' \
        -D 'uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com' -w RedHat123^ \
        uid=admin
      ...output omitted...
      uid: admin
      krbPrincipalName: admin@LAB.EXAMPLE.COM
      krbPrincipalName: root@LAB.EXAMPLE.COM
      ...output omitted...
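The verification in step 4 can likewise be scripted. The following script is an added example, not part of the Red Hat exercise: it derives the base DN from the domain the same way the installer does, parses ipactl status and dig output to confirm that every service is running and that the IdM DNS answers for the server name, and then binds as admin. The hypothetical verify_idm function runs the real ipactl, dig and ldapsearch commands; it binds over LDAPS (the freeipa-ldaps port opened in step 1) with the password prompted for instead of passed on the command line, and assumes the IdM CA certificate is trusted by the LDAP client, which the installer configures on the server itself.

```shell
#!/bin/sh
# Added example, not part of the Red Hat exercise: post-install checks for
# step 4. Parsing functions read constructed or real command output so they
# are testable offline; verify_idm (hypothetical wiring) runs the live tools.
# Usage: sh idm-verify.sh --run lab.example.com idm.lab.example.com 172.25.250.8

# Build the LDAP base DN from the IdM domain the way the installer does:
# lab.example.com -> dc=lab,dc=example,dc=com
domain_to_basedn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Print the name of every service in `ipactl status` output (stdin) whose
# state is not RUNNING; exit 1 if any was found, 0 if all services are up.
ipactl_not_running() {
    awk '/ Service: / && $NF != "RUNNING" { sub(/ Service:.*/, ""); print; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Check that a dig answer section (stdin) contains an A record for the
# server name pointing at the expected address.
# Answer line layout: NAME. TTL IN A ADDRESS
dig_answer_has_a() {
    awk -v h="$1." -v ip="$2" \
        '$1 == h && $4 == "A" && $5 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# Hypothetical wiring of the checks to the live system.
verify_idm() {
    domain="$1"; host="$2"; ip="$3"; status=0
    basedn=$(domain_to_basedn "$domain")
    down=$(ipactl status | ipactl_not_running) \
        || { echo "services not running: $down" >&2; status=1; }
    dig @"$ip" "$host" | dig_answer_has_a "$host" "$ip" \
        || { echo "IdM DNS at $ip has no A record for $host" >&2; status=1; }
    # Bind over LDAPS so the admin credential is not sent in clear; -W
    # prompts for the password so it does not appear in the process list.
    ldapsearch -H "ldaps://$host" -b "$basedn" \
        -D "uid=admin,cn=users,cn=accounts,$basedn" -W \
        uid=admin krbPrincipalName || status=1
    return $status
}

if [ "${1:-}" = "--run" ]; then shift; verify_idm "$@"; fi
```

Because domain_to_basedn reproduces the installer's naming rule, the same script works for any realm, not only lab.example.com, and the admin bind DN is built from the derived base DN rather than typed by hand.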
  5. Verify the IdM web UI. Navigate to https://idm.lab.example.com. Authenticate as the admin user with RedHat123^ as the password.

    1. From workstation, open a web browser and navigate to https://idm.lab.example.com.

      If you accepted the IdM certificate in a previous exercise, then you see an error message. Delete the previous certificate from the browser database to fix the error.

      To delete the certificate, open the browser menu in the upper right corner and click Settings. Enter Certificates in the search bar and click View Certificates. Click the Server tab, select the certificate, and click Delete…. Confirm the deletion and close the certificate window.

    2. The browser displays a certificate warning because the IdM server is using a self-signed certificate. Click Advanced, and then click Add Exception. Click Confirm Security Exception to accept the self-signed certificate.

    3. Enter admin in the Username field and RedHat123^ in the Password field, and then log in.

  6. Browse the sections of the web UI for the management of users, groups, and policies.

    1. Click Identity, and then click the Users and Groups tabs to familiarize yourself with the interface for user and group administration.

    2. Click the Policy tab. Notice the tabs for managing host-based access control, Sudo, SELinux user maps, passwords, and Kerberos tickets.

  7. Click Administrator and then click Logout to log out of the web UI.

  8. Return to the student user on the workstation system.

    [root@idm ~]# logout
    [student@idm ~]$ logout
    [student@workstation ~]$

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-idmserver

Revision: rh362-9.1-4c6fdb8