The IPA (Identity, Policy, Audit) server allows you to manage your Kerberos, DNS, hosts, users, sudo rules, password policies, and automounts in a central location. IPA is a combination of packages, including (but not limited to) bind, an LDAP directory server, and pam, and it combines all of these to provide identity management for your environment.
In this recipe, I will opt for an integrated DNS setup, although it is possible to use your existing DNS infrastructure.
First, we'll install the server component, followed by what needs to be done on an IPA client.
Follow these instructions to install an IPA server:
~]# yum install -y ipa-server bind bind-dyndb-ldap
Next, run the IPA server installer, as follows:
~]# ipa-server-install
At this stage, you will be asked a series of questions on how to set up your IPA server.
Do you want to configure integrated DNS (BIND)? [no]: yes
With integrated DNS, the installer takes over BIND on this host and points /etc/resolv.conf at the local server. If a BIND configuration is already present, it asks whether it may overwrite it, as follows:
Existing BIND configuration detected, overwrite? [no]: yes
Server host name [localhost.localdomain]: master.example.com
Please confirm the domain name [example.com]:
Please provide the IP address to be used for this host name: 192.168.0.1
Next, you will be asked to confirm the Kerberos realm name, as follows:
Please provide a realm name [EXAMPLE.COM]:
Directory Manager password:
IPA admin password:
Choose two different, strong passwords here: the Directory Manager is the LDAP superuser and bypasses IPA's own access controls, whereas admin is the IPA administrator account you will use for day-to-day management.
Do you want to configure DNS forwarders? [yes]: no
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [0.168.192.in-addr.arpa.]:
The installer will now provide an overview similar to the following:
The IPA Master Server will be configured with:
Hostname:      master.example.com
IP address:    192.168.0.1
Domain name:   example.com
Realm name:    EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  0.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
At this point, you will see a lot of information scrolling on your screen, indicating what the installer is doing: installing or configuring NTP, LDAP, BIND, Kerberos, HTTP, and the certificate server, and applying the IPA-specific modifications to each of these components.
The installation and configuration process can take a while, so be patient.
Perform these steps to install and configure the IPA client on your system:
~]# yum install -y ipa-client
Make sure the client resolves DNS through the IPA master; the client installer locates the server through the SRV records IPA publishes in the domain, so a client pointed at another resolver will not find it. For example:
~]# cat /etc/resolv.conf
search example.com
nameserver 192.168.0.1
Then run the client installer:
~]# ipa-client-install --enable-dns-updates
The installer will now show an overview of the detected IPA server and ask for the user name and password of an account authorized to enroll hosts (the admin account created during the server installation will do) to register your system, as shown in the following screenshot:
Once installed, you can manage your IPA environment using the command line tool ipa or the web interface, which can be accessed by pointing your browser to your IPA master server over HTTPS. In this case, the URL is https://master.example.com. The web interface presents a certificate issued by the IPA CA, so import /etc/ipa/ca.crt from the server into your browser's trust store to avoid certificate warnings.
By default, the IPA client doesn't create home directories for new users at first login. If you want to enable this, use the --mkhomedir argument with ipa-client-install. If you happen to have forgotten about this, there's no need to reinstall the IPA client. You can just reconfigure this by executing the following command:
~]# authconfig --enablemkhomedir --update
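The server and client steps above, scripted as an added example that is not code from the recipe or from the FreeIPA project: it derives the default reverse zone name the server installer proposes, checks that a client's resolv.conf really points at the IPA master before enrolling, and prints the unattended equivalents of the interactive answers given above. Host name, address, domain and realm are the recipe's example values; the /root/ipa-install.pw path and the load_passwords helper are assumptions, as is the /24 network behind the reverse zone.

```shell
#!/bin/sh
# Added example (not part of the original recipe): helpers for scripting the
# IPA server and client installs instead of answering the prompts by hand.
# Values below are the recipe's; PW_FILE is an assumed path.
IPA_HOST=master.example.com
IPA_IP=192.168.0.1
IPA_DOMAIN=example.com
IPA_REALM=EXAMPLE.COM
PW_FILE=/root/ipa-install.pw   # assumed: mode 0600, line 1 = Directory Manager pw, line 2 = admin pw

# Default reverse zone ipa-server-install proposes for a /24 network,
# e.g. 192.168.0.1 -> 0.168.192.in-addr.arpa. (assumes a /24 prefix).
reverse_zone_for() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa.\n' "$3" "$2" "$1"
}

# Return 0 when a resolv.conf-style file sends the client to the IPA master
# for DNS: ipa-client-install finds the server through the SRV records IPA
# publishes in the domain, so a client pointed elsewhere will not enroll.
resolv_points_at() {
    awk -v dom="$2" -v srv="$3" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) sd = 1 }
        $1 == "nameserver" && $2 == srv { ns = 1 }
        END { exit !(sd && ns) }' "$1"
}

# Unattended equivalent of the interactive ipa-server-install answers above.
# Passwords are referenced as shell variables, to be filled from PW_FILE
# right before running, rather than typed on the command line where they
# would end up in shell history.
server_install_cmd() {
    printf 'ipa-server-install -U --hostname=%s --ip-address=%s --domain=%s --realm=%s --setup-dns --no-forwarders --reverse-zone=%s --ds-password="$DM_PW" --admin-password="$ADMIN_PW"\n' \
        "$IPA_HOST" "$IPA_IP" "$IPA_DOMAIN" "$IPA_REALM" "$(reverse_zone_for "$IPA_IP")"
}

# Unattended equivalent of the client enrollment above, with --mkhomedir set
# from the start so the authconfig fix-up is not needed later.
client_install_cmd() {
    printf 'ipa-client-install -U --domain=%s --server=%s --realm=%s --principal=admin --password="$ADMIN_PW" --mkhomedir --enable-dns-updates\n' \
        "$IPA_DOMAIN" "$IPA_HOST" "$IPA_REALM"
}

# Load the two passwords into DM_PW and ADMIN_PW, refusing a file that is
# readable by anyone but root (assumed helper, not an IPA tool).
load_passwords() {
    [ "$(stat -c %a "$PW_FILE")" = 600 ] || { echo "$PW_FILE must be mode 0600" >&2; return 1; }
    { read -r DM_PW; read -r ADMIN_PW; } < "$PW_FILE"
}

# Demo on a constructed resolv.conf written to a temp file (the real
# /etc/resolv.conf is not touched).
sample=$(mktemp)
printf 'search %s\nnameserver %s\n' "$IPA_DOMAIN" "$IPA_IP" > "$sample"
if resolv_points_at "$sample" "$IPA_DOMAIN" "$IPA_IP"; then
    echo "client DNS OK: $IPA_DOMAIN is resolved through $IPA_IP"
else
    echo "client DNS is not pointed at the IPA master" >&2
fi
rm -f "$sample"
echo "# unattended equivalents of the interactive sessions:"
server_install_cmd
client_install_cmd
```

The unattended form is convenient for provisioning, but passwords passed as arguments are visible in the process list for the duration of the install, and with -U the installer asks nothing, so check the printed line before running it as root. For the client, ipa-client-install also accepts -W to prompt for the enrollment password instead of taking it on the command line.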
For more in-depth information about installing and configuring your IPA server, go to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html.
For more information about managing your IPA environment through the command line, read the ipa(1) man page.