Monday, October 29, 2018

Installing the FreeIPA service on CentOS / RHEL 7

Learning objectives:
  • Install the FreeIPA service on a CentOS / RHEL 7 Linux system.
  • A DNS server of your own is required first; in this guide the FreeIPA server itself provides it (--setup-dns installs and configures the integrated BIND), so the host must be able to resolve its own fully qualified name.
Installation and configuration steps:
  1. Bring the system up to date and reboot (so that any updated kernel is the one actually running):
    # yum -y upgrade
    # reboot
    
  2. Set the host name. It must be a fully qualified name, and the /etc/hosts entry must map it to the server's real address (not 127.0.0.1), otherwise ipa-server-install refuses to continue:
    # hostnamectl set-hostname dns.example.com
    # echo "192.168.100.120 dns.example.com dns" >> /etc/hosts
    # echo "nameserver 127.0.0.1" > /etc/resolv.conf
    
  3. Install the IPA server packages (ipa-server-dns adds the integrated DNS support):
    # yum install -y ipa-server ipa-server-dns
    
  4. Configure the IPA server:
    # ipa-server-install --setup-dns
    (adjust the answers to your environment; pressing Enter accepts the default shown in brackets)
    Server host name [dns.example.com]:
    Please confirm the domain name [example.com]:
    Please provide a realm name [EXAMPLE.COM]:
    Directory Manager password:
    Password (confirm):
    IPA admin password: 
    Password (confirm):
    Do you want to configure DNS forwarders? [yes]:
    Do you want to configure these servers as DNS forwarders? [yes]: no
    Enter an IP address for a DNS forwarder, or press Enter to skip:
    Do you want to search for missing reverse zones? [yes]:
    Continue to configure the system with these values? [no]: yes
    ...略...
    (the following output means the installation succeeded)
    ==============================================================================
    Setup complete
    
    Next steps:
     1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp
    
     2. You can now obtain a kerberos ticket using the command: 'kinit admin'
        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
        and the web user interface.
    
    Be sure to back up the CA certificates stored in /root/cacert.p12
    These files are required to create replicas. The password for these
    files is the Directory Manager password
    
  5. Obtain an administrator Kerberos ticket:
    # kinit admin
    Password for admin@EXAMPLE.COM:
    
  6. Check the ticket cache:
    # klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    2018-10-29T12:25:08  2018-10-30T12:24:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    
  7. Change the default login shell for IPA users (FreeIPA ships with /bin/sh as the default):
    # ipa config-mod --defaultshell=/bin/bash 
    
  8. Configure the firewall (these firewalld services cover the TCP/UDP ports listed by the installer):
    # firewall-cmd --add-service={http,https,freeipa-ldap,freeipa-ldaps,dns,ntp,kerberos} --permanent
    # firewall-cmd --reload
    
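Steps 1 to 8 above as one unattended script, with the checks the interactive prompts would otherwise make for you. This is an added example, not code from the original post or from the FreeIPA project. The host name, IP address, domain and realm are the values used above and are assumptions that can be overridden through the environment; the function names (is_fqdn, valid_password, ensure_hosts_entry) are the script's own, and the two passwords are read from IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD.

```shell
#!/bin/sh
# Unattended FreeIPA server install for CentOS / RHEL 7 (added example, not from
# the original post or the FreeIPA project). Wraps steps 1-8 above: pre-flight
# checks, packages, ipa-server-install, firewall, admin ticket, default shell and
# a post-install check. Assumed values below can be overridden via the environment.
set -eu

IPA_HOST="${IPA_HOST:-dns.example.com}"
IPA_IP="${IPA_IP:-192.168.100.120}"
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"
# firewalld service names covering the TCP/UDP ports listed by the installer
FIREWALL_SERVICES="http https freeipa-ldap freeipa-ldaps dns ntp kerberos"

# ipa-server-install refuses a host name that is not fully qualified: at least two
# labels of host-name syntax (letters, digits, inner hyphens, 63 characters each).
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# The installer rejects passwords shorter than 8 characters. Leading or trailing
# blanks are rejected here as well: they are invisible in an environment variable
# and would silently become part of the Directory Manager password.
valid_password() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in
        [[:space:]]*|*[[:space:]]) return 1 ;;
    esac
    return 0
}

# Append the address/host line only when it is missing; the plain "echo >> /etc/hosts"
# from step 2 adds a duplicate every time it is run. The file path is a parameter so
# the function can be exercised on a scratch file.
ensure_hosts_entry() {
    file="${1:-/etc/hosts}"
    ip_re=$(printf '%s' "$IPA_IP" | sed 's/\./\\./g')
    host_re=$(printf '%s' "$IPA_HOST" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${host_re}([[:space:]]|\$)" "$file" 2>/dev/null ||
        printf '%s %s %s\n' "$IPA_IP" "$IPA_HOST" "${IPA_HOST%%.*}" >> "$file"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    is_fqdn "$IPA_HOST" || { echo "IPA_HOST must be a fully qualified name" >&2; exit 1; }
    valid_password "${IPA_DM_PASSWORD:-}" && valid_password "${IPA_ADMIN_PASSWORD:-}" ||
        { echo "IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD must be set, 8+ characters" >&2; exit 1; }

    yum -y upgrade                               # step 1 (reboot afterwards if a new kernel came in)
    hostnamectl set-hostname "$IPA_HOST"         # step 2; --setup-dns rewrites /etc/resolv.conf itself
    ensure_hosts_entry /etc/hosts
    yum install -y ipa-server ipa-server-dns     # step 3

    # Step 4 without prompts. --no-forwarders and --auto-reverse reproduce the answers
    # given interactively above. The passwords sit in the argument list for the whole
    # install, readable by every local user through /proc, so run this only on a freshly
    # provisioned host; otherwise answer the prompts interactively instead.
    ipa-server-install --unattended --setup-dns --no-forwarders --auto-reverse \
        --hostname="$IPA_HOST" --ip-address="$IPA_IP" \
        --domain="$IPA_DOMAIN" --realm="$IPA_REALM" \
        --ds-password="$IPA_DM_PASSWORD" --admin-password="$IPA_ADMIN_PASSWORD"

    # The CA backup holds the CA private key: keep it root-only and move it off-host.
    chmod 600 /root/cacert.p12

    for svc in $FIREWALL_SERVICES; do            # step 8
        firewall-cmd --permanent --add-service="$svc" >/dev/null
    done
    firewall-cmd --reload

    printf '%s\n' "$IPA_ADMIN_PASSWORD" | kinit admin   # step 5: kinit reads the password from stdin
    klist                                                # step 6
    ipa config-mod --defaultshell=/bin/bash              # step 7

    # Post-install checks: every IPA service running, and the Kerberos SRV record
    # served by the new DNS server.
    ipactl status
    ipa dnsrecord-show "$IPA_DOMAIN" _kerberos._tcp
}

# Only perform the install when explicitly asked, so the functions above can be
# sourced or tested without touching the system.
case "${1:-}" in
    --run) main ;;
esac
```

Run it as root with `IPA_DM_PASSWORD=... IPA_ADMIN_PASSWORD=... sh freeipa-install.sh --run` (the file name is arbitrary). With --no-forwarders the integrated DNS server answers only for its own zones; add --forwarder=<upstream IP> when clients will point at it for everything else. Passing the passwords as flags is the price of --unattended: they stay visible in the process list until ipa-server-install exits.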

References:
  • https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=1
  • https://www.howtoing.com/how-to-set-up-centralized-linux-authentication-with-freeipa-on-centos-7