Lab: Managing Users and Configuring User Access

Configure user group and host accounts, and assign access rules to control accounts.

Outcomes

  • Create users and configure lifecycle settings.

  • Configure user access policies.

  • Configure user management policies.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start users-review

Instructions

  1. Use the IdM web UI to create a user according to the following information:

    Field                               Value
    User login                          idmuser07
    First name                          idmuser07
    Last name                           idm
    New Password and Verify Password    RedHat123^

    1. On workstation, open a browser and navigate to the IdM web UI at https://idm.lab.example.com. Authenticate as the admin user with RedHat123^ as the password.

    2. As the admin user, navigate to Identity → Users → Active users and then click Add.

      Create the user according to the following information. Leave all other fields untouched.

      Field                               Value
      User login                          idmuser07
      First name                          idmuser07
      Last name                           idm
      New Password and Verify Password    RedHat123^

      Click Add to create the user.

  2. On the client machine, change the idmuser07 user shell to /bin/bash.

    1. Authenticate to IdM as the admin user, using RedHat123^ as the password:

      [student@workstation ~]$ ssh client
      [student@client ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Modify the idmuser07 user login shell:

      [student@client ~]$ ipa user-mod --shell=/bin/bash idmuser07
      -------------------------
      Modified user "idmuser07"
      -------------------------
        User login: idmuser07
        First name: idmuser07
        Last name: idm
        Home directory: /home/idmuser07
        Login shell: /bin/bash
        Principal name: idmuser07@LAB.EXAMPLE.COM
        Principal alias: idmuser07@LAB.EXAMPLE.COM
        Email address: idmuser07@lab.example.com
      ...output omitted...
    3. Log out from the client machine:

      [student@client ~]$ logout
      Connection to client closed.
  3. Create a host-based access control (HBAC) rule called allow_ssh that allows the idmuser07 user SSH access to the client machine. Make sure that the allow_all rule is disabled.

    1. In the IdM web UI, navigate to Policy → Host Based Access Control → HBAC Rules and click Add to create a rule.

      When prompted, create a rule named allow_ssh and then click Add and Edit to edit the HBAC rule.

    2. In the Who section, ensure that Specified Users and Groups is selected and then click Add.

    3. Select the idmuser07 user and then click Add to move the user to the Prospective column. Click Add to update the users list.

      In the Accessing section, ensure that Specified Hosts and Groups is selected and then click Add. Select the client.lab.example.com host from the Available list and move the host to the Prospective column.

      Click Add to update the hosts list.

    4. In the Via Service section, ensure that Specified Services and Groups is selected and then click Add. Enter ssh into the search field and then click Filter. Select the sshd entry and click the Add arrow to move the service to the Prospective column. Click Add.

    5. Ensure that the allow_all rule is disabled. Navigate to Policy → Host Based Access Control → HBAC Rules. If necessary, select the allow_all rule, click Disable, and then click OK.

  4. Ensure that the idmuser07 user can log in to the client machine. Authenticate to IdM using RedHat123^ as the password.

    1. Log in to the client machine as the idmuser07 user. Request a Kerberos ticket for the idmuser07 user. When prompted, enter RedHat123^ as the password:

      [student@workstation ~]$ ssh idmuser07@client
      [idmuser07@client ~]$ kinit idmuser07
      Password for idmuser07@LAB.EXAMPLE.COM: RedHat123^
    2. Log out from the client machine:

      [idmuser07@client ~]$ logout
      Connection to client closed.
  5. On the client machine, authenticate to IdM as the admin user. Create the mgmt group and add the idmuser07 user as a member. Create a Mgmt attr delegation for the mgmt group so that the members of this group can modify the manager and employeetype attributes of the idmgroup02 group.

    1. Log in to the client machine and authenticate to IdM as the admin user. Use RedHat123^ as the password:

      [student@workstation ~]$ ssh client
      [student@client ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Create the mgmt group:

      [student@client ~]$ ipa group-add mgmt
      ------------------
      Added group "mgmt"
      ------------------
        Group name: mgmt
        GID: 1285800015
    3. Add the idmuser07 user to the mgmt group:

      [student@client ~]$ ipa group-add-member \
        --users=idmuser07 mgmt
        Group name: mgmt
        GID: 1285800015
        Member users: idmuser07
      -------------------------
      Number of members added 1
      -------------------------
    4. Add a new delegation for the mgmt group so that members of this group can modify attributes of members of the idmgroup02 group:

      [student@client ~]$ ipa delegation-add "Mgmt attr" \
        --attrs=manager --attrs=employeetype \
        --group=mgmt --membergroup=idmgroup02
      --------------------------------
      Added delegation "Mgmt attr"
      --------------------------------
        Delegation name: Mgmt attr
        Permissions: write
        Attributes: manager, employeetype
        Member user group: idmgroup02
        User group: mgmt
  6. Create a staged user account for a new user, and set the authentication type to otp. Use the following information to create the account:

    Field                               Value
    User login                          idmuser08
    First name                          idmuser08
    Last name                           idm
    New Password and Verify Password    RedHat123^

    1. Add the new staged user:

      [student@client ~]$ ipa stageuser-add idmuser08 \
        --first=idmuser08 \
        --last=idm \
        --password
      Password: RedHat123^
      Enter Password again to verify: RedHat123^
      -----------------------------
      Added stage user "idmuser08"
      -----------------------------
        User login: idmuser08
        First name: idmuser08
        Last name: idm
        Full name: idmuser08 idm
        Display name: idmuser08 idm
        Initials: ii
        Home directory: /home/idmuser08
        GECOS: idmuser08 idm
        Login shell: /bin/sh
        Principal name: idmuser08@LAB.EXAMPLE.COM
        Principal alias: idmuser08@LAB.EXAMPLE.COM
        Email address: idmuser08@lab.example.com
      ...output omitted...
        Password: True
        Kerberos keys available: True
    2. Set the authentication type to otp:

      [student@client ~]$ ipa stageuser-mod --user-auth-type=otp idmuser08
      --------------------------------
      Modified stage user "idmuser08"
      --------------------------------
        User login: idmuser08
        First name: idmuser08
        Last name: idm
        Home directory: /home/idmuser08
        Login shell: /bin/sh
        Principal name: idmuser08@LAB.EXAMPLE.COM
        Principal alias: idmuser08@LAB.EXAMPLE.COM
      ...output omitted...
        User authentication types: otp
        Password: True
        Kerberos keys available: True
    3. Log out from the client machine:

      [student@client ~]$ logout
      Connection to client closed.
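The two access decisions this lab configures, the HBAC check behind the SSH login in steps 3 and 4 and the Mgmt attr delegation from step 5, as an added Python model. This is not the lab's code and not FreeIPA's; the directory state below is constructed (idmuser01, idmuser03 and the host groups are made up), while idmuser07, mgmt, idmgroup02, allow_all, allow_ssh and client.lab.example.com are the lab's own names. Service groups and the ipa hbactest command are not modelled.

```python
"""Toy model of the two access decisions this lab configures.

Added example, not part of the lab or of FreeIPA. It mirrors how IdM decides
(1) host-based access control: every HBAC rule is an allow rule, and a login
is permitted only if at least one enabled rule matches the user, the target
host and the PAM service (the built-in allow_all rule matches everyone
everywhere, which is why the lab disables it before relying on allow_ssh);
(2) a delegation: members of the delegating group may write exactly the listed
attributes, and only on entries of users who belong to the member group.
"""
from dataclasses import dataclass, field

ANY = "all"  # stands in for the "Anyone" / "Any host" / "Any service" category

# Constructed membership data (assumption). idmuser07, mgmt, idmgroup02 and
# client.lab.example.com come from the lab; idmuser01 and idmuser03 are made up.
USER_GROUPS = {
    "admin": {"admins"},
    "idmuser07": {"ipausers", "mgmt"},
    "idmuser01": {"ipausers"},
    "idmuser03": {"ipausers", "idmgroup02"},
}
HOST_GROUPS = {
    "client.lab.example.com": {"lab_clients"},
    "idm.lab.example.com": {"ipaservers"},
}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # user logins, or {ANY}
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)        # host FQDNs, or {ANY}
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)     # PAM service names, or {ANY}


@dataclass
class Delegation:
    name: str
    attrs: set          # attributes the delegation grants write access to
    group: str          # group whose members receive the permission
    membergroup: str    # group whose members' entries may be written


def _member_match(item, item_groups, direct, via_groups):
    """True if item is named directly, matched via a group, or the rule says ANY."""
    return ANY in direct or item in direct or bool(item_groups & via_groups)


def hbac_allows(rules, user, host, service):
    """Names of enabled HBAC rules granting user access to service on host.

    An empty list means the login is denied: HBAC has no deny rules, so
    "nothing matched" is the only way access is refused.
    """
    granting = []
    for rule in rules:
        if not rule.enabled:
            continue
        if (_member_match(user, USER_GROUPS.get(user, set()), rule.users, rule.user_groups)
                and _member_match(host, HOST_GROUPS.get(host, set()), rule.hosts, rule.host_groups)
                and (ANY in rule.services or service in rule.services)):
            granting.append(rule.name)
    return granting


def delegation_permits(delegations, actor, target, attr):
    """Name of the delegation letting actor write attr on target's entry, or None.

    LDAP attribute names are case-insensitive, so they are compared lower-cased.
    """
    attr = attr.lower()
    for d in delegations:
        if (d.group in USER_GROUPS.get(actor, set())
                and d.membergroup in USER_GROUPS.get(target, set())
                and attr in {a.lower() for a in d.attrs}):
            return d.name
    return None


def lab_rules(allow_all_enabled):
    """The two HBAC rules present after step 3, with allow_all on or off."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 users={ANY}, hosts={ANY}, services={ANY}),
        HbacRule("allow_ssh", users={"idmuser07"},
                 hosts={"client.lab.example.com"}, services={"sshd"}),
    ]


LAB_DELEGATIONS = [
    Delegation("Mgmt attr", attrs={"manager", "employeetype"},
               group="mgmt", membergroup="idmgroup02"),
]

if __name__ == "__main__":
    client = "client.lab.example.com"
    for enabled in (True, False):
        print(f"allow_all enabled={enabled}:")
        for user in ("idmuser07", "idmuser01"):
            print(f"  {user} via sshd on {client}: "
                  f"{hbac_allows(lab_rules(enabled), user, client, 'sshd')}")
    print("idmuser07 writes manager on idmuser03:",
          delegation_permits(LAB_DELEGATIONS, "idmuser07", "idmuser03", "manager"))
    print("idmuser07 writes loginShell on idmuser03:",
          delegation_permits(LAB_DELEGATIONS, "idmuser07", "idmuser03", "loginShell"))
```

Running the script with allow_all enabled shows every user reaching the client, which is the state the lab's step 3 removes; with it disabled only idmuser07 over sshd matches allow_ssh, and the same user is refused on any other host or service. The delegation check likewise permits manager and employeetype on idmgroup02 members only, and nothing else.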

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade users-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish users-review

Revision: rh362-9.1-4c6fdb8