
Lab: Building a Multiple Server IdM Topology

Build a multi-server IdM topology and replication agreements.

Outcomes

  • Prepare a machine to install the first IdM server and an IdM client.

  • Use Ansible Roles to install IdM replicas.

  • Ensure that the topology is resilient by creating replication agreements.

If you did not reset your machines at the end of the last chapter, save any work you want to keep from earlier exercises on those machines, and reset them now.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start compreview-topology

Specifications

  • Install IdM and its integrated CA and DNS services on the idm machine. Use LAB.EXAMPLE.COM as the Kerberos realm and lab.example.com as the domain. Use RedHat123^ as the admin user password and the Directory Manager password. Use 172.25.250.254 as the DNS forwarder and use the default values for other options.

    Note

    If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

    [student@workstation ~]$ dig @8.8.8.8 A www.google.com
  • Install an IdM client on the client machine.

  • On the workstation machine, install the FreeIPA Ansible Content Collection. In the student user home directory, create the hosts inventory file and define the IdM server variables.

    Copy the necessary playbooks to install IdM replicas to the student home directory. Install the replica1 and replica2 machines as replicas of idm, with the integrated DNS role but without the CA role. Set 172.25.250.254 as the DNS forwarder.

  • Use the IdM console to create a replication agreement between the replica2 and replica1 machines for the domain suffix. Use the replica2 machine as the left node for the replication agreement. Set replica-agreement as the name of the replication agreement.

  1. Prepare the idm machine for an IdM server installation.

    1. Log in to the idm machine as student and become the root user:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
      [root@idm ~]#
    2. Ensure that the firewalld service is enabled and running:

      [root@idm ~]# systemctl is-enabled firewalld
      enabled
      [root@idm ~]# systemctl is-active firewalld
      active
    3. Use the firewall-cmd command to allow access for the freeipa-ldap, freeipa-ldaps, and dns services:

      [root@idm ~]# firewall-cmd --add-service=freeipa-ldap
      success
      [root@idm ~]# firewall-cmd --add-service=freeipa-ldaps
      success
      [root@idm ~]# firewall-cmd --add-service=dns
      success
      [root@idm ~]# firewall-cmd --runtime-to-permanent
      success
    4. Verify that the idm machine is configured to use the 172.25.254.254 time server:

      [root@idm ~]# grep '^server' /etc/chrony.conf
      server 172.25.254.254 iburst
    5. Verify that the file mode creation mask is set to 0022. Verify the hostname of the system. Ensure that the hostname is in the fully qualified domain name (FQDN) format.

      [root@idm ~]# umask
      0022
      [root@idm ~]# hostname
      idm.lab.example.com
    6. Verify the IPv4 DNS configuration for the system. Ensure that the system has forward and reverse DNS entries.

      [root@idm ~]# ip address show
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
          link/ether 52:54:00:00:fa:08 brd ff:ff:ff:ff:ff:ff
          inet 172.25.250.8/24 brd 172.25.250.255 scope global eth0
             valid_lft forever preferred_lft forever
          inet6 fe80::5054:ff:fe00:fa08/64 scope link
             valid_lft forever preferred_lft forever
      [root@idm ~]# dig +short idm.lab.example.com A
      172.25.250.8
      [root@idm ~]# dig +short -x 172.25.250.8
      idm.lab.example.com.
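Steps 1.2 to 1.6 above are a checklist, and a missed line (a bare hostname, a 0077 umask, a PTR record that names a different host) surfaces later as an installer failure that is harder to read. The following script is added here as an example and is not part of the Red Hat lab. Each check is a function that takes the text the lab's commands print, so the checks can be exercised offline on constructed samples; run_live() calls the real commands when the script is run on the candidate host. The function names, and the assumption that the first address from hostname -I is the one that needs the reverse record, are this example's own.

```python
"""Preflight checks for a would-be IdM server, covering steps 1.2 to 1.6
(added example, not part of the Red Hat lab). The check functions take the
text that the lab's commands print, so they run offline against constructed
samples; run_live() calls the real commands when executed on the host."""
import re
import subprocess

REQUIRED_SERVICES = {"freeipa-ldap", "freeipa-ldaps", "dns"}
EXPECTED_UMASK = "0022"
EXPECTED_NTP_SERVER = "172.25.254.254"   # classroom time server (step 1.4)

# RFC 1123 labels: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$", re.IGNORECASE)


def is_fqdn(hostname_output):
    """True when `hostname` printed a fully qualified name, not a bare host."""
    return bool(_FQDN_RE.match(hostname_output.strip().rstrip(".")))


def umask_ok(umask_output, expected=EXPECTED_UMASK):
    """The installer expects the file mode creation mask to be 0022."""
    return umask_output.strip() == expected


def missing_firewall_services(list_services_output, required=REQUIRED_SERVICES):
    """Required services absent from `firewall-cmd --list-services` output."""
    return set(required) - set(list_services_output.split())


def chrony_servers(chrony_conf_text):
    """Hosts named on `server`/`pool` lines of chrony.conf (step 1.4 grep)."""
    return [parts[1] for parts in (ln.split() for ln in chrony_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] in ("server", "pool")]


def dns_roundtrip_ok(fqdn, forward_answer, reverse_answer, expected_ip):
    """The A record must equal expected_ip and the PTR of that IP must name fqdn.
    forward_answer/reverse_answer are `dig +short` outputs; the first line is used."""
    a = forward_answer.split()[0] if forward_answer.split() else ""
    ptr = reverse_answer.split()[0].rstrip(".") if reverse_answer.split() else ""
    return a == expected_ip and ptr.lower() == fqdn.strip().rstrip(".").lower()


def _out(*cmd):
    """Stdout of a command, or "" if the command is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:
        return ""


def run_live():
    """Run every check against this host; returns {check name: passed}."""
    host = _out("hostname").strip()
    addrs = _out("hostname", "-I").split()
    ip = addrs[0] if addrs else ""          # assumption: first address is the IdM one
    try:
        chrony_conf = open("/etc/chrony.conf").read()
    except OSError:
        chrony_conf = ""
    return {
        "firewalld_active": _out("systemctl", "is-active", "firewalld").strip() == "active",
        "firewall_services": not missing_firewall_services(_out("firewall-cmd", "--list-services")),
        "chrony_server": EXPECTED_NTP_SERVER in chrony_servers(chrony_conf),
        "umask_0022": umask_ok(_out("sh", "-c", "umask")),
        "hostname_fqdn": is_fqdn(host),
        "dns_roundtrip": dns_roundtrip_ok(host, _out("dig", "+short", host, "A"),
                                          _out("dig", "+short", "-x", ip), ip),
    }


if __name__ == "__main__":
    results = run_live()
    for name, passed in results.items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
    raise SystemExit(0 if all(results.values()) else 1)
```

Run it as root on idm before ipa-server-install; a non-zero exit means at least one of the lab's preconditions is not met, and the FAIL line names which one.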
  2. Install IdM on the idm machine with integrated CA and DNS services. Use LAB.EXAMPLE.COM as the Kerberos realm and lab.example.com as the domain. Use RedHat123^ as the admin user password and the Directory Manager password. Use 172.25.250.254 as the DNS forwarder and use the default values for other options.

    Note

    If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

    [student@workstation ~]$ dig @8.8.8.8 A www.google.com
    1. Install the ipa-server and ipa-server-dns packages:

      [root@idm ~]# dnf install ipa-server ipa-server-dns
      ...output omitted...
    2. Install the IdM server with an integrated DNS and set 172.25.250.254 as the forwarder. Use LAB.EXAMPLE.COM as the Kerberos realm and lab.example.com as the domain. Set RedHat123^ as the Directory Manager password and the admin user password.

      Accept the default values when prompted for all other options.

      [root@idm ~]# ipa-server-install --realm LAB.EXAMPLE.COM \
        --domain lab.example.com \
        --ds-password RedHat123^ \
        --admin-password RedHat123^ \
        --setup-dns --forwarder 172.25.250.254
      
      The log file for this installation can be found in /var/log/ipaserver-install.log
      ...output omitted...
      
      The IPA Master Server will be configured with:
      Hostname:       idm.lab.example.com
      IP address(es): 172.25.250.8
      Domain name:    lab.example.com
      Realm name:     LAB.EXAMPLE.COM
      
      The CA will be configured with:
      Subject DN:   CN=Certificate Authority,O=LAB.EXAMPLE.COM
      Subject base: O=LAB.EXAMPLE.COM
      Chaining:     self-signed
      
      BIND DNS server will be configured to serve IPA domain with:
      Forwarders:       172.25.250.254
      Forward policy:   only
      Reverse zone(s):  No reverse zone
      
      Continue to configure the system with these values? [no]: yes
      ...output omitted...
      Setup complete
      ...output omitted...
      The ipa-server-install command was successful
    3. Verify that the IdM services are running on the idm machine:

      [root@idm ~]# ipactl status
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      pki-tomcatd Service: RUNNING
      ipa-otpd Service: RUNNING
      ipa-dnskeysyncd Service: RUNNING
      ipa: INFO: The ipactl command was successful
    4. Authenticate to the Kerberos realm and review the roles assigned to the server:

      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@idm ~]# ipa server-find
      ...output omitted...
        Server name: idm.lab.example.com
      ...output omitted...
      ----------------------------
      Number of entries returned 1
      ----------------------------
      [root@idm ~]# ipa server-show idm.lab.example.com
        Server name: idm.lab.example.com
        Managed suffixes: domain, ca
      ...output omitted...
        Enabled server roles: CA server, DNS server, IPA master
    5. Exit the idm machine:

      [root@idm ~]# exit
      logout
      [student@idm ~]$ exit
      logout
      Connection to idm closed.
  3. Install the IdM client software on the client machine.

    1. Log in to the client machine as student and become the root user:

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
    2. Set the idm machine as the DNS server for the client. Verify that you can resolve DNS records for IdM services.

      [root@client ~]# nmcli connection modify "System eth0" ipv4.dns 172.25.250.8
      [root@client ~]# nmcli connection up "System eth0"
      Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
      [root@client ~]# dig SRV _ldap._tcp.lab.example.com
      ...output omitted...
      ;; ANSWER SECTION:
      _ldap._tcp.lab.example.com. 86400 IN  SRV 0 100 389 idm.lab.example.com.
      ...output omitted...
      [root@client ~]# dig SRV _kerberos._tcp.lab.example.com
      ...output omitted...
      ;; ANSWER SECTION:
      _kerberos._tcp.lab.example.com. 86400 IN SRV  0 100 88 idm.lab.example.com.
      ...output omitted...
    3. Install the ipa-client package:

      [root@client ~]# dnf install ipa-client
      ...output omitted...
    4. Install the client using the unattended option. Provide the principal and password as arguments to the ipa-client-install command.

      [root@client ~]# ipa-client-install \
        --principal=admin \
        --password=RedHat123^ \
        --unattended
      This program will set up IPA client.
      Version 4.10.0
      
      Discovery was successful!
      Client hostname: client.lab.example.com
      Realm: LAB.EXAMPLE.COM
      DNS Domain: lab.example.com
      IPA Server: idm.lab.example.com
      BaseDN: dc=lab,dc=example,dc=com
      
      Synchronizing time
      Configuration of chrony was changed by installer.
      Attempting to sync time with chronyc.
      Time synchronization was successful.
      Successfully retrieved CA cert
          Subject:     CN=Certificate Authority,O=LAB.EXAMPLE.COM
          Issuer:      CN=Certificate Authority,O=LAB.EXAMPLE.COM
          Valid From:  2023-07-15 21:17:18
          Valid Until: 2043-07-15 21:17:18
      
      ...output omitted...
      Configuring lab.example.com as NIS domain.
      Client configuration complete.
      The ipa-client-install command was successful
    5. Verify that you can authenticate to IdM as the admin user. View the admin user's Kerberos ticket-granting ticket and then exit from the client machine.

      [root@client ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@client ~]# klist
      Ticket cache: KCM:0
      Default principal: admin@LAB.EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      05/09/23 08:43:15  05/10/23 08:31:37  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
      [root@client ~]# exit
      logout
      [student@client ~]$ exit
      logout
      Connection to client closed.
  4. On the workstation machine, install the FreeIPA Ansible Content Collection. Create the hosts inventory file in the student home directory, and then specify the IdM server variables.

    Copy the necessary playbooks to install IdM replicas to the student user home directory. Install the replica1 and replica2 machines as replicas of idm, with the integrated DNS role but without the CA role. Set 172.25.250.254 as the DNS forwarder.

    1. Install the ansible-freeipa package. Review the installed playbooks in the /usr/share/doc/ansible-freeipa/playbooks/ directory.

      [student@workstation ~]$ sudo dnf install ansible-freeipa
      [sudo] password for student: student
      ...output omitted...
      [student@workstation ~]$ ls -l /usr/share/doc/ansible-freeipa/playbooks/
      total 152
      ...output omitted...
      -rw-r--r--. 1 root root  153 Aug 16  2022 install-client.yml
      -rw-r--r--. 1 root root  344 Aug 16  2022 install-cluster.yml
      -rw-r--r--. 1 root root  133 Aug 16  2022 install-replica.yml
      -rw-r--r--. 1 root root  129 Aug 16  2022 install-server.yml
      ...output omitted...
    2. Create the hosts inventory file and define the idm machine. Define the admin principal and password, domain, realm, and the forwarder used for the IdM server. Provide the student user password so that Ansible can run commands as the root user.

      [ipaserver]
      idm.lab.example.com ansible_become_password=student
      
      [ipaserver:vars]
      ipaserver_domain=lab.example.com
      ipaserver_realm=LAB.EXAMPLE.COM
      ipaserver_setup_dns=yes
      ipaserver_forwarders=172.25.250.254
      ipaadmin_password=RedHat123^
    3. Add the replica1 and replica2 machines to the inventory. Define the admin principal and password, and the DNS forwarder. Do not install the integrated CA service for the replicas.

      ...output omitted...
      
      [ipareplicas]
      replica1.lab.example.com ansible_become_password=student
      replica2.lab.example.com ansible_become_password=student
      
      [ipareplicas:vars]
      ipareplica_setup_ca=false
      ipareplica_setup_dns=yes
      ipareplica_forwarders=172.25.250.254
      ipaadmin_principal=admin
      ipaadmin_password=RedHat123^
    4. Copy the /usr/share/doc/ansible-freeipa/playbooks/install-replica.yml playbook to the student user home directory.

      [student@workstation ~]$ cp \
        /usr/share/doc/ansible-freeipa/playbooks/install-replica.yml ~/
    5. Install the replica1 and replica2 machines.

      Note

      If the installation fails, update the hosts inventory file and ensure that it has the correct values. Uninstall the replicas by using the uninstall-replica.yml playbook, and reboot the machines before attempting to reinstall.

      [student@workstation ~]$ ansible-playbook install-replica.yml -i hosts
      PLAY [Playbook to configure IPA replicas] **************************************
      
      TASK [Gathering Facts] *********************************************************
      ok: [replica1.lab.example.com]
      ok: [replica2.lab.example.com]
      ...output omitted...
      
      PLAY RECAP *********************************************************************
      replica1.lab.example.com  : ok=55  changed=39  unreachable=0  failed=0  skipped=29  rescued=0  ignored=0
      replica2.lab.example.com  : ok=55  changed=39  unreachable=0  failed=0  skipped=29  rescued=0  ignored=0
    6. Log in to the client machine and verify that the new replicas are listed as servers:

      [student@workstation ~]$ ssh client
      [student@client ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [student@client ~]$ ipa server-find
      ...output omitted...
        Server name: replica1.lab.example.com
      ...output omitted...
        Server name: replica2.lab.example.com
      ----------------------------
      Number of entries returned 3
      ----------------------------
    7. Verify that the replicas have the desired roles assigned, and then exit from the client machine:

      [student@client ~]$ ipa server-show replica1.lab.example.com
        Server name: replica1.lab.example.com
      ...output omitted...
        Enabled server roles: DNS server, IPA master
      [student@client ~]$ ipa server-show replica2.lab.example.com
        Server name: replica2.lab.example.com
      ...output omitted...
        Enabled server roles: DNS server, IPA master
      [student@client ~]$ exit
      logout
      Connection to client closed.
  5. Use the IdM console to create a replication agreement between the replica2 and replica1 machines for the domain suffix. Use the replica2 machine as the left node for the replication agreement. Set replica-agreement as the name of the replication agreement.

    1. On workstation, navigate to the IdM web UI at https://idm.lab.example.com. Log in as the admin user with RedHat123^ as the password.

    2. Navigate to IPA Server → Topology → IPA Servers. Verify that the domain suffix is present on all servers, and that the ca suffix is only present on the idm machine.

    3. In the left navigation bar, click Topology Graph.

    4. Hover over the replica1 node and click the domain suffix. Select replica2 as the other end of the new topology segment. Enter replica-agreement as the segment name, and then click Add.

    5. Log out of the IdM console and close the browser.
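The topology graph shows the new segment as a line between two nodes; what the lab is after is that the domain suffix no longer depends on idm alone. The following script is added here as an example and is not part of the lab or of FreeIPA. It parses the key-value output format shared by ipa server-find (steps 4.6 and 4.7) and ipa topologysegment-find domain, reports which servers hold each role, and then checks whether removing any single server would split the remaining servers into islands that can no longer replicate. The sample outputs inside the block are constructed to match the state after step 5; the function names (audit, single_points_of_failure, and so on) are this example's own.

```python
"""Audit an IdM topology from ipa CLI output (added example, not lab code):
which servers hold each role, and whether the domain suffix would still be
connected if any single server dropped out."""
from collections import defaultdict
# Constructed samples in the shape of `ipa server-find` and `ipa topologysegment-find domain` output.
SERVER_FIND_SAMPLE = """\
  Server name: idm.lab.example.com
  Enabled server roles: CA server, DNS server, IPA master

  Server name: replica1.lab.example.com
  Enabled server roles: DNS server, IPA master

  Server name: replica2.lab.example.com
  Enabled server roles: DNS server, IPA master
----------------------------
Number of entries returned 3
"""
SEGMENT_FIND_SAMPLE = """\
  Segment name: idm.lab.example.com-to-replica1.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica1.lab.example.com

  Segment name: idm.lab.example.com-to-replica2.lab.example.com
  Left node: idm.lab.example.com
  Right node: replica2.lab.example.com

  Segment name: replica-agreement
  Left node: replica2.lab.example.com
  Right node: replica1.lab.example.com
----------------------------
Number of entries returned 3
"""


def parse_ipa_entries(text):
    """Split `ipa *-find` / `*-show` output into one dict per indented block."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
        elif current:  # a blank or separator line closes the entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def servers_by_role(server_find_output):
    """Map each enabled role to the set of servers that hold it."""
    roles = defaultdict(set)
    for entry in parse_ipa_entries(server_find_output):
        for role in entry.get("Enabled server roles", "").split(","):
            if role.strip():
                roles[role.strip()].add(entry["Server name"])
    return dict(roles)


def build_graph(segment_find_output, servers=()):
    """Undirected adjacency map; `servers` seeds nodes that have no segment."""
    graph = defaultdict(set, {name: set() for name in servers})
    for seg in parse_ipa_entries(segment_find_output):
        graph[seg["Left node"]].add(seg["Right node"])
        graph[seg["Right node"]].add(seg["Left node"])
    return dict(graph)


def is_connected(graph, exclude=frozenset()):
    """Depth-first traversal of `graph` with the `exclude` nodes removed."""
    nodes = [n for n in graph if n not in exclude]
    if not nodes:
        return True
    seen, stack = {nodes[0]}, [nodes[0]]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in exclude and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen) == len(nodes)


def single_points_of_failure(graph):
    """Servers whose loss would split the remaining servers into islands."""
    return {n for n in graph if not is_connected(graph, exclude={n})}


def audit(server_find_output, segment_find_output):
    roles = servers_by_role(server_find_output)
    graph = build_graph(segment_find_output, roles.get("IPA master", ()))
    return {"roles": roles, "connected": is_connected(graph),
            "single_points_of_failure": single_points_of_failure(graph)}


if __name__ == "__main__":
    for key, value in audit(SERVER_FIND_SAMPLE, SEGMENT_FIND_SAMPLE).items():
        print(f"{key}: {value}")
```

Fed only the two idm-to-replica segments that exist before step 5, the audit names idm.lab.example.com as a single point of failure: if it goes down, replica1 and replica2 can no longer replicate with each other. With replica-agreement added the set is empty. The roles listing also makes plain that the CA role still lives only on idm, which is the state step 2 of the console procedure asks you to verify.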

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-topology

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-topology

Revision: rh362-9.1-4c6fdb8