Guided Exercise: Installing an Identity Management Replica

Configure the system prerequisites and then install an IdM replica server.

Outcomes

  • Install a replica on a non-domain host.

  • Install a replica on an IdM client.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start install-replica

Instructions

  1. Create the A record for the replica1 machine and create a one-time password for the replica installation.

    1. Log in to the idm machine and authenticate to the Kerberos realm as the admin user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [student@idm ~]$
    2. Review the existing DNS A records in the lab.example.com zone.

      [student@idm ~]$ ipa dnsrecord-find
      Zone name: lab.example.com
        Record name: @
        NS record: idm.lab.example.com.
      ...output omitted...
      
        Record name: idm
        A record: 172.25.250.8
      ...output omitted...
      
        Record name: ipa-ca
        A record: 172.25.250.8
      ...output omitted...
    3. Create the A record for the replica1 machine.

      [student@idm ~]$ ipa dnsrecord-add lab.example.com replica1 \
        --a-rec=172.25.250.10
        Record name: replica1
        A record: 172.25.250.10
    4. Add the host entry for the replica1 machine.

      [student@idm ~]$ ipa host-add replica1.lab.example.com
      -------------------------------------
      Added host "replica1.lab.example.com"
      -------------------------------------
        Host name: replica1.lab.example.com
        Principal name: host/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: host/replica1.lab.example.com@LAB.EXAMPLE.COM
        Password: False
        Keytab: False
        Managed by: replica1.lab.example.com
    5. Create a password for the replica1 machine enrollment.

      [student@idm ~]$ ipa host-mod replica1.lab.example.com --random
      ----------------------------------------
      Modified host "replica1.lab.example.com"
      ----------------------------------------
        Host name: replica1.lab.example.com
        Random password: 6Mu&_7SsTBBF^N@uo(1%W;
        Principal name: host/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: host/replica1.lab.example.com@LAB.EXAMPLE.COM
        Password: True
        Keytab: False
        Managed by: replica1.lab.example.com
    6. Add the replica1 machine to the ipaservers host group.

      [student@idm ~]$ ipa hostgroup-add-member ipaservers \
        --hosts replica1.lab.example.com
        Host-group: ipaservers
        Description: IPA server hosts
        Member hosts: idm.lab.example.com, replica1.lab.example.com
      -------------------------
      Number of members added 1
      -------------------------
  2. Install an IdM replica on the replica1 machine with DNS services and configure the bastion machine as the DNS forwarder. Use the one-time password to install the replica.

    Note

    If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. You can use the --no-forwarders option to avoid the configuration of DNS forwarders. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

    [student@workstation ~]$ dig @8.8.8.8 A www.google.com
    1. Exit the idm machine. Log in to the replica1 machine and become the root user.

      [student@idm ~]$ exit
      logout
      Connection to idm closed.
      [student@workstation ~]$ ssh replica1
      [student@replica1 ~]$ sudo -i
      [sudo] password for student: student
      [root@replica1 ~]#
    2. Ensure that the required firewall ports are open.

      [root@replica1 ~]# firewall-cmd --add-service=freeipa-ldap
      success
      [root@replica1 ~]# firewall-cmd --add-service=freeipa-ldaps
      success
      [root@replica1 ~]# firewall-cmd --add-service=dns
      success
      [root@replica1 ~]# firewall-cmd --runtime-to-permanent
      success
    3. Install the packages for the replica installation with DNS services.

      [root@replica1 ~]# dnf install ipa-server-dns
      ...output omitted...
    4. Install the replica by using the one-time password created for the replica1 machine. Configure the replica to host DNS services and set the bastion machine as the DNS forwarder.

      The one-time password in your environment might be different. Make sure to input the correct string.

      [root@replica1 ~]# ipa-replica-install --setup-dns --forwarder 172.25.250.254 \
        -p '6Mu&_7SsTBBF^N@uo(1%W;'
      ...output omitted...
      'dns_lookup_kdc' already set to 'true', nothing to do.
        [5/7]: activating sidgen task
        [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
        [7/7]: adding fallback group
      Fallback group already set, nothing to do
      Done.
      
      ...output omitted...
      
      The ipa-replica-install command was successful
  3. On the replica1 machine, verify the replica installation by reviewing the running IdM services. Authenticate to the Kerberos realm to query the roles and services assigned to the replica.

    1. Review the status of the services running on the replica.

      [root@replica1 ~]# ipactl status
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      ipa-otpd Service: RUNNING
      ipa-dnskeysyncd Service: RUNNING
      ipa: INFO: The ipactl command was successful
    2. Authenticate to the Kerberos realm and review the roles assigned to the replica.

      [root@replica1 ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@replica1 ~]# ipa server-find
      ---------------------
      2 IPA servers matched
      ---------------------
        Server name: idm.lab.example.com
        Min domain level: 1
        Max domain level: 1
      
        Server name: replica1.lab.example.com
        Min domain level: 1
        Max domain level: 1
      ----------------------------
      Number of entries returned 2
      ----------------------------
      [root@replica1 ~]# ipa server-show replica1.lab.example.com
        Server name: replica1.lab.example.com
        Managed suffixes: domain
        Min domain level: 1
        Max domain level: 1
        Enabled server roles: DNS server, IPA master
    3. Review the services installed on the replica.

      [root@replica1 ~]# ipa service-find
      ...output omitted...
        Principal name: DNS/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: DNS/replica1.lab.example.com@LAB.EXAMPLE.COM
        Keytab: True
      
        Principal name: HTTP/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: HTTP/replica1.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
      
        Principal name: ipa-dnskeysyncd/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: ipa-dnskeysyncd/replica1.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
      
        Principal name: ldap/replica1.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: ldap/replica1.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
  4. Install an IdM replica on the replica2 machine with the DNS service. The replica2 machine is already part of the lab.example.com domain as a client.

    1. Exit the replica1 machine and log in to the replica2 machine.

      [root@replica1 ~]# logout
      [student@replica1 ~]$ logout
      Connection to replica1 closed.
      [student@workstation ~]$ ssh replica2
      [student@replica2 ~]$ sudo -i
      [sudo] password for student: student
      [root@replica2 ~]#
    2. Ensure that the required firewall ports are open.

      [root@replica2 ~]# firewall-cmd --add-service=freeipa-ldap
      success
      [root@replica2 ~]# firewall-cmd --add-service=freeipa-ldaps
      success
      [root@replica2 ~]# firewall-cmd --add-service=dns
      success
      [root@replica2 ~]# firewall-cmd --runtime-to-permanent
      success
    3. Install the packages for the replica installation.

      [root@replica2 ~]# dnf install ipa-server-dns
      ...output omitted...
    4. Install the replica.

      [root@replica2 ~]# ipa-replica-install -w 'RedHat123^' \
        --setup-dns --forwarder 172.25.250.254
      ...output omitted...
      
      The ipa-replica-install command was successful
  5. On the replica2 machine, verify the replica installation by reviewing the running IdM services. Authenticate to the Kerberos realm to query the roles and services assigned to the replica.

    1. Review the status of the services running on the replica.

      [root@replica2 ~]# ipactl status
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      ipa-otpd Service: RUNNING
      ipa-dnskeysyncd Service: RUNNING
      ipa: INFO: The ipactl command was successful
    2. Authenticate to the Kerberos realm and review the roles assigned to the replica.

      [root@replica2 ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@replica2 ~]# ipa server-find
      ---------------------
      3 IPA servers matched
      ---------------------
        Server name: idm.lab.example.com
        Min domain level: 1
        Max domain level: 1
      
        Server name: replica1.lab.example.com
        Min domain level: 1
        Max domain level: 1
      
        Server name: replica2.lab.example.com
        Min domain level: 1
        Max domain level: 1
      ----------------------------
      Number of entries returned 3
      ----------------------------
      [root@replica2 ~]# ipa server-show replica2.lab.example.com
        Server name: replica2.lab.example.com
        Managed suffixes: domain
        Min domain level: 1
        Max domain level: 1
        Enabled server roles: DNS server, IPA master
    3. Review the services installed on the replica.

      [root@replica2 ~]# ipa service-find
      ...output omitted...
        Principal name: HTTP/replica2.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: HTTP/replica2.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
      
        Principal name: ipa-dnskeysyncd/replica2.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: ipa-dnskeysyncd/replica2.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
      
        Principal name: ldap/replica2.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: ldap/replica2.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
  6. Return to the student user on the workstation machine.

    [root@replica2 ~]# logout
    [student@replica2 ~]$ logout
    Connection to replica2 closed.
    [student@workstation ~]$
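
The verification in steps 3 and 5 is done by eye. The helpers below are an added example, not part of the course material: they parse the output of the same `ipactl status` and `ipa server-show` commands and fail when a service is not RUNNING or an expected role is missing, which is the check a practitioner would script after every replica build. The function names and the sample output are constructed for the example.

```shell
#!/bin/bash
# Added example, not course material: check the output of the verification commands
# from steps 3 and 5. On a replica drive them with the real commands, for example
# `ipactl status | check_ipactl`; the samples at the bottom are constructed.

# check_ipactl: read `ipactl status` output on stdin. Every "<name> Service:" line
# must end in RUNNING; report any other state and return 1.
check_ipactl() {
    failed=0
    while IFS= read -r line; do
        case "$line" in
            *" Service: RUNNING") ;;                        # healthy, nothing to report
            *" Service: "*) printf 'NOT RUNNING: %s\n' "$line"; failed=1 ;;
        esac
    done
    return "$failed"
}

# check_roles: read `ipa server-show <fqdn>` output on stdin and require each role given
# as an argument (for example "DNS server" "IPA master") in the "Enabled server roles" line.
check_roles() {
    roles=$(sed -n 's/^ *Enabled server roles: *//p' | sed 's/, */,/g')
    missing=0
    for want in "$@"; do
        case ",$roles," in
            *",$want,"*) ;;                                  # role present
            *) printf 'MISSING ROLE: %s\n' "$want"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample output shaped like the transcripts in the exercise.
STATUS_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: RUNNING
ipa: INFO: The ipactl command was successful'
STATUS_BAD='Directory Service: RUNNING
named Service: STOPPED'
SHOW_REPLICA='  Server name: replica1.lab.example.com
  Managed suffixes: domain
  Enabled server roles: DNS server, IPA master'

if printf '%s\n' "$STATUS_OK" | check_ipactl; then echo "sample 1: all services running"; fi
printf '%s\n' "$STATUS_BAD" | check_ipactl || echo "sample 2: replica unhealthy"
printf '%s\n' "$SHOW_REPLICA" | check_roles "DNS server" "IPA master" && echo "roles ok"
```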

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-replica

Revision: rh362-9.1-4c6fdb8