RH362 - ch04s02

Preface A: Introduction

Section A.1: Red Hat Security: Identity Management and Authentication

Section A.2: Orientation to the Classroom Environment

Section A.3: Performing Lab Exercises

Chapter 1: Identity Management in Red Hat Enterprise Linux

Section 1.1: The IdM Ecosystem

Section 1.2: Quiz: The IdM Ecosystem

Section 1.3: The IdM Infrastructure Topology

Section 1.4: Guided Exercise: The IdM Infrastructure Topology

Section 1.5: The IdM Administrative Interfaces

Section 1.6: Guided Exercise: The IdM Administrative Interfaces

Section 1.7: Quiz: Identity Management in Red Hat Enterprise Linux

Section 1.8: Summary

Chapter 2: Identity Management Core Technologies

Section 2.1: The System Security Services Framework

Section 2.2: Guided Exercise: The System Security Services Framework

Section 2.3: The Kerberos Authentication Protocol

Section 2.4: Guided Exercise: The Kerberos Authentication Protocol

Section 2.5: The Public Key Infrastructure

Section 2.6: Guided Exercise: Managing Certificates

Section 2.7: Lab: Working with Identity Management Core Technologies

Section 2.8: Summary

Chapter 3: Installing Identity Management in Red Hat Enterprise Linux

Section 3.1: Installing an Identity Management Server

Section 3.2: Guided Exercise: Installing an Identity Management Server

Section 3.3: Installing an Identity Management Client

Section 3.4: Guided Exercise: Installing an Identity Management Client

Section 3.5: Installing an Identity Management Replica

Section 3.6: Guided Exercise: Installing an Identity Management Replica

Section 3.7: Automating an Identity Management Installation

Section 3.8: Guided Exercise: Automating an Identity Management Installation

Section 3.9: Lab: Installing Identity Management in Red Hat Enterprise Linux

Section 3.10: Summary

Chapter 4: Implementing an Identity Management Topology

Section 4.1: Establishing Replication Agreements

SectionSection 4.2: Guided Exercise: Establishing Replication Agreements

Section 4.3: Managing the Essential IdM Server Roles

Section 4.4: Guided Exercise: Managing the Essential IdM Server Roles

Section 4.5: Lab: Implementing an Identity Management Topology

Section 4.6: Summary

Chapter 5: Managing the CA and DNS Integrated Services

Section 5.1: Managing the Integrated Certificate Authority

Section 5.2: Guided Exercise: Managing the Integrated Certificate Authority

Section 5.3: Managing the Integrated DNS Service

Section 5.4: Guided Exercise: Managing the Integrated DNS Service

Section 5.5: Lab: Managing the CA and DNS Integrated Services

Section 5.6: Summary

Chapter 6: Managing Users and Configuring User Access

Section 6.1: Managing IdM Users and Hosts

Section 6.2: Guided Exercise: Managing IdM Users and Hosts

Section 6.3: Implementing IdM User Access Control

Section 6.4: Guided Exercise: Managing IdM User Access Control

Section 6.5: Managing Kerberos Principals, Policies, and External Authentication

Section 6.6: Guided Exercise: Managing Kerberos Principals, Policies, and External Authentication

Section 6.7: Configuring Network-shared Home Directories

Section 6.8: Guided Exercise: Configuring Network-shared Home Directories

Section 6.9: Lab: Managing Users and Configuring User Access

Section 6.10: Summary

Chapter 7: Configuring Alternative Authentication Services

Section 7.1: Managing Smart Card Authentication

Section 7.2: Guided Exercise: Managing Smart Card Authentication

Section 7.3: Working with Vaults in Identity Management

Section 7.4: Guided Exercise: Working with Vaults in Identity Management

Section 7.5: Implementing Two-factor Authentication

Section 7.6: Guided Exercise: Implementing Two-factor Authentication

Section 7.7: Lab: Configuring Alternative Authentication Services

Section 7.8: Summary

Chapter 8: Integrating Identity Management with Active Directory

Section 8.1: Establishing a Trust Relationship between IdM and AD

Section 8.2: Guided Exercise: Establishing a Trust Relationship between IdM and AD

Section 8.3: Managing AD User Integration with ID Views

Section 8.4: Guided Exercise: Managing AD User Integration with ID Views

Section 8.5: Quiz: Integrating Identity Management with Active Directory

Section 8.6: Summary

Chapter 9: Integrating Identity Management with Red Hat Utilities

Section 9.1: Implementing Single Sign-on

Section 9.2: Guided Exercise: Implementing Single Sign-on

Section 9.3: Integrating IdM with Red Hat Satellite

Section 9.4: Guided Exercise: Integrating IdM with Red Hat Satellite

Section 9.5: Configuring Automation Controller with IdM Authentication

Section 9.6: Guided Exercise: Configuring Automation Controller with IdM Authentication

Section 9.7: Lab: Integrating Identity Management with Red Hat Utilities

Section 9.8: Summary

Chapter 10: Troubleshooting and Disaster Recovery Planning for IdM

Section 10.1: Recovering IdM with Backups and Replication

Section 10.2: Guided Exercise: Recovering IdM with Backups and Replication

Section 10.3: Troubleshooting IdM

Section 10.4: Guided Exercise: Troubleshooting IdM

Section 10.5: Lab: Troubleshooting and Disaster Recovery Planning for IdM

Section 10.6: Summary

Chapter 11: Comprehensive Review

Section 11.1: Comprehensive Review

Section 11.2: Lab: Building a Multiple Server IdM Topology

Section 11.3: Lab: Working with Identity Management

Section 11.4: Lab: Working with Single Sign-on Technology

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11

Guided Exercise: Establishing Replication Agreements

Implement a resilient topology for a three-server site by creating multiple replication agreements.

Outcomes

Create and delete topology segments.
Configure a hidden replica.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start topology-replication

Instructions

Create a topology segment for the domain suffix between replica1 and replica2 using the topology graph.
1. On workstation, navigate to the IdM web UI at https://idm.lab.example.com. Log in as the admin user with RedHat123^ as the password.
2. Navigate to IPA Server → Topology → IPA Servers. Note that the domain suffix is present on all servers, however the ca suffix is only present on the idm machine.
3. In the left navigation bar, click Topology Graph. Note that the topology is not resilient as the loss of the idm machine would disconnect the replica1 and replica2 machines.
4. Hover over the replica1 node and click the domain suffix. Select replica2 as the other end of the new topology segment. Enter replica-domain-segment as the segment name, and then click Add.

On the idm machine, review the existing topology segments for the domain suffix. Delete the domain topology segments between the idm and replica1 machines, and between the replica1 and replica2 machines.

[student@workstation ~]$ ssh idm
[student@idm ~]$ kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^

List the topology segments for the domain suffix.

[student@idm ~]$ ipa topologysegment-find domain
------------------
3 segments matched
------------------
  Segment name: idm.lab.example.com-to-replica1.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica1.lab.example.com
  Connectivity: both

  Segment name: idm.lab.example.com-to-replica2.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica2.lab.example.com
  Connectivity: both

  Segment name: replica-domain-segment
  Left node: replica1.lab.example.com
  Right node: replica2.lab.example.com
  Connectivity: both
----------------------------
Number of entries returned 3
----------------------------

Delete the domain topology segment between the idm and replica1 machines.

[student@idm ~]$ ipa topologysegment-del \
  domain idm.lab.example.com-to-replica1.lab.example.com
-----------------------------------------------------------------
Deleted segment "idm.lab.example.com-to-replica1.lab.example.com"
-----------------------------------------------------------------

Delete the domain topology segment between the replica1 and replica2 machines.

[student@idm ~]$ ipa topologysegment-del \
  domain replica-domain-segment
ipa: ERROR: Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.

Note that IdM prevents you from creating a disconnected topology.

Install the IdM healthcheck utility and review the health of the topology.

Install the ipa-healthcheck package on the idm machine.

[student@idm ~]$ sudo dnf install ipa-healthcheck
[sudo] password for student: student
...output omitted...
Is this ok [y/N]: y
...output omitted...
Complete!

Review the available health checks. Authenticate to IdM if required.

[student@idm ~]$ ipa-healthcheck --list-sources
...output omitted...
ipahealthcheck.ipa.topology
   IPATopologyDomainCheck
...output omitted...

Run the ipa-healthcheck command with the ipahealthcheck.ipa.topology source. Use the --all option to display all results.

[student@idm ~]$ ipa-healthcheck --source=ipahealthcheck.ipa.topology --all
[
  {
    "source": "ipahealthcheck.ipa.topology",
    "check": "IPATopologyDomainCheck",
    "result": "SUCCESS",
    "uuid": "68732542-3b04-46b3-904e-e73a373218fa",
    "when": "20230427095523Z",
    "duration": "0.185348",
    "kw": {
      "suffix": "domain"
    }
  },
  {
    "source": "ipahealthcheck.ipa.topology",
    "check": "IPATopologyDomainCheck",
    "result": "SUCCESS",
    "uuid": "7dadeeab-3a62-4fa8-b58e-75cc533f415a",
    "when": "20230427095523Z",
    "duration": "0.206531",
    "kw": {
      "suffix": "ca"
    }
  }
]

The check succeeds because no servers are disconnected, even though the current topology is not resilient to a failure of the replica2 node.

Restore the topology segment between idm and replica1 to create a resilient topology.

Create the topology segment for the domain suffix between the idm and replica1 machines.

[student@idm ~]$ ipa topologysegment-add domain \
  idm.lab.example.com-to-replica1.lab.example.com \
  --leftnode=idm.lab.example.com \
  --rightnode=replica1.lab.example.com
---------------------------------------------------------------
Added segment "idm.lab.example.com-to-replica1.lab.example.com"
---------------------------------------------------------------
  Segment name: idm.lab.example.com-to-replica1.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica1.lab.example.com
  Connectivity: both

Review the topology graph; refresh the view if required. The topology should now be resilient to a single node failure.

Identify the IdM master and domain replicas. Verify the domain SRV records for LDAP and Kerberos. Change the replica2 machine to a hidden replica.

On the idm machine, verify the _ldap and _krb SRV records for the domain.

[student@idm ~]$ dig +short _ldap._tcp.lab.example.com SRV
0 100 389 replica2.lab.example.com.
0 100 389 replica1.lab.example.com.
0 100 389 idm.lab.example.com.
[student@idm ~]$ dig +short _kerberos._tcp.lab.example.com SRV
0 100 88 idm.lab.example.com.
0 100 88 replica2.lab.example.com.
0 100 88 replica1.lab.example.com.

Verify that the idm machine is the CA renewal master.

[student@idm ~]$ ipa config-show
...output omitted...
  IPA CA renewal master: idm.lab.example.com
...output omitted...

Set the state of replica2 to hidden.

[student@idm ~]$ ipa server-state \
  replica2.lab.example.com --state=hidden
---------------------------------------------------
Changed server state of "replica2.lab.example.com".
---------------------------------------------------

Review the SRV records for the domain again.

[student@idm ~]$ dig +short _ldap._tcp.lab.example.com SRV
0 100 389 replica1.lab.example.com.
0 100 389 idm.lab.example.com.
[student@idm ~]$ dig +short _kerberos._tcp.lab.example.com SRV
0 100 88 replica1.lab.example.com.
0 100 88 idm.lab.example.com.

Note that there are no SRV records for replica2 now that it is hidden.

Set the state of replica2 to enabled.

[student@idm ~]$ ipa server-state \
  replica2.lab.example.com --state=enabled
---------------------------------------------------
Changed server state of "replica2.lab.example.com".
---------------------------------------------------

Log out of the idm machine.

[student@idm ~]$ logout
Connection to idm closed.
[student@workstation ~]$

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish topology-replication

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8