Guided Exercise: Integrating IdM with Red Hat Satellite

Configure Red Hat Satellite to use IdM authentication and verify that IdM users are configured for role-based and host-based access using Satellite.

Outcomes

  • Configure Satellite Server for integration with IdM.

  • Configure IdM as the LDAP back end for Satellite Server.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start products-satellite

Instructions

  1. Prepare the Satellite Server to be an IdM client of the LAB.EXAMPLE.COM realm.

    1. Log in to the satellite machine and become the root user:

      [student@workstation ~]$ ssh satellite
      [student@satellite ~]$ sudo -i
      [sudo] password for student: student
    2. Configure Satellite Server to use the idm machine for DNS resolution:

      [root@satellite ~]# nmcli conn mod eth0 ipv4.dns "172.25.250.8"
      [root@satellite ~]# systemctl restart NetworkManager
    3. On the satellite machine, verify that DNS now returns the LDAP SRV records for _ldap._tcp.lab.example.com, which the IdM client uses to locate the realm's servers.

      [root@satellite ~]# dig SRV _ldap._tcp.lab.example.com
      ...output omitted...
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45646
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
      ...output omitted...
      
      ;; ANSWER SECTION:
      _ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 replica1.lab.example.com.
      _ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 idm.lab.example.com.
      _ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 replica2.lab.example.com.
      
      ...output omitted...
  2. Configure Satellite Server as a client of the LAB.EXAMPLE.COM IdM realm.

    1. Install the ipa-client package:

      [root@satellite ~]# satellite-maintain packages install ipa-client
      Running install packages in unlocked session
      ================================================================================
      Confirm installer run is allowed:
      
      WARNING: This script runs satellite-installer after the yum execution
      to ensure the Satellite is in a consistent state.
      As a result some of your services may be restarted.
      
      Do you want to proceed?, [y(yes), q(quit)] y
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
        Success!
      ...output omitted...
    2. Configure the Satellite Server as an IdM client. When prompted, use the admin user and the RedHat123^ password to gain authorization for the enrollment. Ignore the NTP configuration.

      [root@satellite ~]# ipa-client-install
      This program will set up IPA client.
      Version 4.9.8
      
      Discovery was successful!
      Do you want to configure chrony with NTP server or pool address? [no]: Enter
      Client hostname: satellite.lab.example.com
      Realm: LAB.EXAMPLE.COM
      DNS Domain: lab.example.com
      IPA Server: replica2.lab.example.com
      BaseDN: dc=lab,dc=example,dc=com
      
      Continue to configure the system with these values? [no]: yes
      ...output omitted...
      User authorized to enroll computers: admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      Successfully retrieved CA cert
          Subject:     CN=Certificate Authority,O=LAB.EXAMPLE.COM
          Issuer:      CN=Certificate Authority,O=LAB.EXAMPLE.COM
          Valid From:  2023-08-02 01:48:53
          Valid Until: 2043-08-02 01:48:53
      
      ...output omitted...
      Client configuration complete.
      The ipa-client-install command was successful
  3. Create a service principal for Satellite Server.

    1. Authenticate to IdM as the admin user with the RedHat123^ password:

      [root@satellite ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    2. Create a service principal for the Satellite service:

      [root@satellite ~]# ipa service-add HTTP/satellite.lab.example.com
      --------------------------------------------------------------
      Added service "HTTP/satellite.lab.example.com@LAB.EXAMPLE.COM"
      --------------------------------------------------------------
        Principal name: HTTP/satellite.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: HTTP/satellite.lab.example.com@LAB.EXAMPLE.COM
        Managed by: satellite.lab.example.com
  4. Enable IdM authentication for the Satellite Server.

    1. Enable IdM authentication for the Satellite web UI with the satellite-installer command. The installer uses the Kerberos ticket obtained in the previous step to set up the HTTP service for the web server.

      [root@satellite ~]# satellite-installer --foreman-ipa-authentication=true
      2023-08-01 22:54:43 [NOTICE] [root] Loading installer configuration. This will take some time.
      ...output omitted...
      2023-08-01 23:04:45 [NOTICE] [configure] System configuration has finished.
        Success!
        * Satellite is running at https://satellite.lab.example.com
      ...output omitted...
        The full log is at /var/log/foreman-installer/satellite.log
      Package versions are being locked.
    2. Restart the Satellite service:

      [root@satellite ~]# satellite-maintain service restart
      Running Restart Services
      ================================================================================
      Check if command is run as root user:                                 [OK]
      --------------------------------------------------------------------------------
      Restart applicable services:
      ...output omitted...
      
      Starting the following service(s):
      redis, postgresql, pulpcore-api, pulpcore-content, pulpcore-worker@1.service, pulpcore-worker@2.service, pulpcore-worker@3.service, pulpcore-worker@4.service, pulpcore-worker@5.service, pulpcore-worker@6.service, pulpcore-worker@7.service, pulpcore-worker@8.service, tomcat, dynflow-sidekiq@orchestrator, foreman, httpd, dynflow-sidekiq@worker-1, dynflow-sidekiq@worker-hosts-queue-1, foreman-proxy
      | All services started                                                [OK]
      --------------------------------------------------------------------------------
  5. Verify IdM authentication by logging in to the Satellite web UI.

    1. From workstation, connect to https://satellite.lab.example.com using the Firefox web browser.

    2. Accept the Satellite Server self-signed certificate by clicking Advanced, and then Accept the Risk and Continue.

    3. Authenticate as the idmuser01 user with RedHat123^ as the password.

      The Satellite dashboard shows a Permission denied message because the user does not have the required permissions to view the dashboard.

    4. In the upper right of the page, click the user profile name, and then choose My Account. Notice that you have successfully logged in as the idmuser01 user, even though you do not have access to the dashboard.

    5. Return to the terminal and log out of the satellite machine:

      [root@satellite ~]# logout
      [student@satellite ~]$ logout
      Connection to satellite closed.
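The following script is an added example, not part of the course or of the Satellite product. Run on the satellite machine before logging out, it checks the results of steps 1 to 4 from the command line: that the SRV lookup from step 1 returns an answer whose record count matches the dig header and that includes the IdM server the client enrolled against, and that the HTTP service principal created in step 3 is present in the web server keytab that the installer run in step 4 is assumed to have fetched. The keytab path /etc/httpd/conf/ipa.keytab and the key names read from /etc/ipa/default.conf are assumptions about the client's layout. The parsing helpers are exercised against constructed sample output that mirrors the exercise, so the script can be tried offline; pass --live to run the real commands as root.

```shell
#!/bin/sh
# Added verification script for the IdM/Satellite integration exercise; it is
# not part of the Red Hat course. Parsing helpers run on constructed samples;
# '--live' runs dig, klist and reads /etc/ipa/default.conf on the real host.

# Print the target host of every SRV record in 'dig SRV' output, without the
# trailing dot. In an answer line, field 4 is the type and field 8 the target.
srv_targets() {
    printf '%s\n' "$1" | awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8 }'
}

# Number of records the dig header claims in its ANSWER count.
srv_header_count() {
    printf '%s\n' "$1" | awk '/^;; flags:/ {
        for (i = 1; i <= NF; i++)
            if ($i == "ANSWER:") { sub(/,/, "", $(i + 1)); print $(i + 1) }
    }'
}

# Succeed only when the answer lists the wanted host AND the number of SRV
# lines matches the header count, so a truncated answer is noticed.
srv_answer_ok() {
    dig_out=$1; want=$2
    n=$(srv_targets "$dig_out" | wc -l | tr -d ' ')
    [ "$n" -eq "$(srv_header_count "$dig_out")" ] || return 1
    srv_targets "$dig_out" | grep -qxF "$want"
}

# The Kerberos principal the Satellite web server must hold for this host.
expected_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Succeed when 'klist -kt' output has a row whose last field is the principal.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Read "key = value" from ipa-client's default.conf text (value is field 3,
# so a value containing '=' such as the basedn is returned intact).
ipa_conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# Constructed sample output, shaped like the exercise's own output.
SAMPLE_DIG=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4

;; ANSWER SECTION:
_ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 replica1.lab.example.com.
_ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 idm.lab.example.com.
_ldap._tcp.lab.example.com. 86400 IN  SRV  0 100 389 replica2.lab.example.com.'

SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------------
   1 08/01/2023 22:55:01 HTTP/satellite.lab.example.com@LAB.EXAMPLE.COM'

SAMPLE_IPA_CONF='[global]
basedn = dc=lab,dc=example,dc=com
realm = LAB.EXAMPLE.COM
domain = lab.example.com
server = replica2.lab.example.com'

# Run the real checks on an enrolled satellite host (requires root).
run_live() {
    conf=$(cat /etc/ipa/default.conf)
    domain=$(ipa_conf_value "$conf" domain)
    realm=$(ipa_conf_value "$conf" realm)
    fqdn=$(hostname -f)
    if srv_answer_ok "$(dig SRV "_ldap._tcp.$domain")" "$(ipa_conf_value "$conf" server)"
    then echo "SRV records: ok"; else echo "SRV records: FAIL"; fi
    # Keytab path is an assumption about where the installer stores the HTTP key.
    if keytab_has_principal "$(klist -kt /etc/httpd/conf/ipa.keytab 2>/dev/null)" \
                            "$(expected_principal "$fqdn" "$realm")"
    then echo "HTTP keytab: ok"; else echo "HTTP keytab: FAIL"; fi
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

The header-count comparison is the part worth keeping: a resolver that answers with fewer records than it advertises, or a client pointed at a resolver that only knows one IdM server, shows up as a mismatch rather than a silently shorter server list.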

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish products-satellite

Revision: rh362-9.1-4c6fdb8