Commit

add more tabs
nazunalika committed Jan 8, 2024
1 parent 991ff62 commit 248d68c
Showing 1 changed file with 172 additions and 154 deletions.
326 changes: 172 additions & 154 deletions docs/training/ex362.md
Expand Up @@ -16,7 +16,7 @@ The list of objectives can be found [here](https://www.redhat.com/en/services/tr

The video series goes over setting up FreeIPA in a lab/VM environment by following the objectives as outlined by Red Hat. The list of objectives can be found [here](https://www.redhat.com/en/services/training/ex362-red-hat-certified-specialist-identity-management-exam).

**On this page, you will see a combination of both "manual" and "automated" ways of working with FreeIPA (or Red Hat IdM). This is because we believe in the user understanding and knowing how to do things by hand, how it works by hand, before ever automating it. Automation cannot be fully achieved without having an understanding of the underlying software and applications.**
**On this page, you will see a combination of both "Script or CLI" and "Ansible" methods of working with FreeIPA (or Red Hat IdM). This is because we believe in the user understanding and knowing how to do things by hand first and foremost before ever automating it. Automation cannot be fully achieved without having an understanding of the underlying software and applications.**

**In conclusion, we highly recommend that any user studying for their exam reading this guide understands how to do everything by hand first before attempting to redo it via ansible.**

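Review bot: the new intro paragraph names the two methods "Script or CLI" and "Ansible" to match the tab labels, but the conclusion sentence right after it still says "redo it via ansible" and reads awkwardly ("any user studying for their exam reading this guide"); suggest aligning it with the tab labels, e.g. "we highly recommend that any user reading this guide while studying for the exam understands how to do everything by hand before attempting to redo it with the Ansible method".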
Expand Down Expand Up @@ -343,38 +343,40 @@ At this point, you will need to configure all the clients with an ansible user a

### Install and configure a replica IdM Server

#### Script or CLI Method
=== "Script or CLI Method"

``` bash
% hostnamectl set-hostname idm2.example.com
% nmcli con mod eth0 ipv4.address 192.168.15.3/24
% nmcli con mod eth0 ipv4.gateway 192.168.15.1
% nmcli con mod eth0 ipv4.method manual
% nmcli con mod eth0 ipv4.dns-search example.com
% nmcli con mod eth0 ipv4.dns 192.168.15.2
% nmcli con up eth0
```
``` bash
% hostnamectl set-hostname idm2.example.com
% nmcli con mod eth0 ipv4.address 192.168.15.3/24
% nmcli con mod eth0 ipv4.gateway 192.168.15.1
% nmcli con mod eth0 ipv4.method manual
% nmcli con mod eth0 ipv4.dns-search example.com
% nmcli con mod eth0 ipv4.dns 192.168.15.2
% nmcli con up eth0
```

``` bash
# Adding a replica, optionally change --no-ntp to --ntp-server
% ipa-replica-install --setup-dns \
--setup-ca \
--no-forwarders \
--no-ntp

# Adding a replica unattended without forwarders.
# Optionally set --ntp-server.
% ipa-client-install --realm EXAMPLE.COM --no-ntp
% kinit admin
% ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers
% ipa-replica-install --setup-dns \
--setup-ca \
--no-forwarders \
--no-ntp \
--unattended
```
``` bash
# Adding a replica, optionally change --no-ntp to --ntp-server
% ipa-replica-install --setup-dns \
--setup-ca \
--no-forwarders \
--no-ntp

#### Ansible Method
# Adding a replica unattended without forwarders.
# Optionally set --ntp-server.
% ipa-client-install --realm EXAMPLE.COM --no-ntp
% kinit admin
% ipa hostgroup-add-member --hosts=ipa02.example.com ipaservers
% ipa-replica-install --setup-dns \
--setup-ca \
--no-forwarders \
--no-ntp \
--unattended
```

=== "Ansible Method"

. . .

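Review bot: the Script or CLI tab sets the replica's hostname to idm2.example.com but then adds ipa02.example.com to the ipaservers host group before running ipa-replica-install; with those names mismatched the promoted client will not be the host that was added to ipaservers, so use one name (idm2.example.com) on both lines. Also, the new "Ansible Method" tab holds only a ". . ." placeholder where the old "#### Ansible Method" heading led into content; either carry that content into the tab or mark it as to-do so it is not published as-is.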
### Create Users, Groups, and Policies

Expand All @@ -400,61 +402,68 @@ At this point, you will need to configure all the clients with an ansible user a
| | Netgroups administrators |
| | Host enrollment |

!!! note "Custom UID/GID"
It is possible to create the users with a custom uid/gid with the switches --uid and --gidnumber which you will see below. It is also possible to set random passwords with --random.

See ipa user-add --help for more switches.

!!! note "Password Expiration"
When you make a user with the --password switch or use ipa passwd to set a password, it is automatically expired and must be changed on next login. If you want to avoid this from happening, you will need to set a random password via --password or --random, and then use kpasswd username to change it to the desired password. This does not make the account non-expiring.

``` bash
# Creating users with a password, create all the accounts from the table (except from syshost)
% ipa user-add --first="John" --last="Smith" --password jsmith

# Create the system account with a password of Sup3R$ecre7! and a UID of 10000
% ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt

# Stage a user
% ipa stageuser-add --first="Robert" --last="Cole" rcole

# Preserve a user
% ipa user-del tsynder --preserve

# Create a regular (POSIX) group
% ipa group-add corp

# Create a member only group
% ipa group-add --nonposix HelpDesk
% ipa group-add --nonposix enrollers

# Add the HelpDesk group to the helpdesk policy
# Add the enrollers group to the Enrollment Administrator role
% ipa role-add-member "helpdesk" --groups=HelpDesk
% ipa role-add-member "Enrollment Administrator" --groups=enrollers

# Create a role with privileges
% ipa role-add "Host Manager"
% ipa role-add-privilege "Host Manager" \
--privileges="Host administrators" \
--privileges="Host group administrators" \
--privileges="Netgroups administrators" \
--privileges="Host enrollment"

# Add the syshostmgt user as a member of the role
% ipa role-add-member "Host Manager" --users="syshostmgt"
=== "Script or CLI Method"

# Set our user passwords to CentOS123!$ so that way we don't have to change them later
% kpasswd jsmith
!!! note "Custom UID/GID"
It is possible to create the users with a custom uid/gid with the switches --uid and --gidnumber which you will see below. It is also possible to set random passwords with --random.

See ipa user-add --help for more switches.

!!! note "Password Expiration"
When you make a user with the --password switch or use ipa passwd to set a password, it is automatically expired and must be changed on next login. If you want to avoid this from happening, you will need to set a random password via --password or --random, and then use kpasswd username to change it to the desired password. This does not make the account non-expiring.

``` bash
# Creating users with a password, create all the accounts from the table (except from syshost)
% ipa user-add --first="John" --last="Smith" --password jsmith

# Create the system account with a password of Sup3R$ecre7! and a UID of 10000
% ipa user-add --first="SysHost" --last="Management" --uid=10000 --gidnumber=10000 --password syshostmgt

# Stage a user
% ipa stageuser-add --first="Robert" --last="Cole" rcole

# Preserve a user
% ipa user-del tsynder --preserve

# Create a regular (POSIX) group
% ipa group-add corp

# Create a member only group
% ipa group-add --nonposix HelpDesk
% ipa group-add --nonposix enrollers

# Add the HelpDesk group to the helpdesk policy
# Add the enrollers group to the Enrollment Administrator role
% ipa role-add-member "helpdesk" --groups=HelpDesk
% ipa role-add-member "Enrollment Administrator" --groups=enrollers

# Create a role with privileges
% ipa role-add "Host Manager"
% ipa role-add-privilege "Host Manager" \
--privileges="Host administrators" \
--privileges="Host group administrators" \
--privileges="Netgroups administrators" \
--privileges="Host enrollment"

# Add the syshostmgt user as a member of the role
% ipa role-add-member "Host Manager" --users="syshostmgt"

# Set our user passwords to CentOS123!$ so that way we don't have to change them later
% kpasswd jsmith

# If we already set the password we want but we don't want it to expire without making a policy or prompt for a password change (NOT RECOMMENDED)
% ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager'
dn: uid=syshostmgt,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: krbLastPwdChange

(Press CTRL+D)
```

# If we already set the password we want but we don't want it to expire without making a policy or prompt for a password change (NOT RECOMMENDED)
% ldapmodify -x -w 'Passw0rd!' -D 'cn=Directory Manager'
dn: uid=syshostmgt,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
delete: krbLastPwdChange
=== "Ansible Method"

(Press CTRL+D)
```
. . .

#### New Passwords Expired

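Review bot: the ldapmodify line passes the Directory Manager password on the command line with `-w 'Passw0rd!'`, which lands in the shell history and is visible in the process list while the command runs; since the step is already marked NOT RECOMMENDED, at least switch to `-W` so the password is prompted for. Minor wording in the same block: "(except from syshost)" should be "(except for syshost)", and "so that way we don't have to change them later" reads better as "so we don't have to change them later". The "Ansible Method" tab is again only ". . .", so the automation half of this section is empty.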
Expand Down Expand Up @@ -498,37 +507,43 @@ To setup a very, very simple SSO, you can setup a simple location that requires
| nfs.example.com | 192.168.15.11 |
| utility.example.com | 192.168.15.12 |

!!! note
Depending on your architecture and setup, IdM clients should either be pointing directly at the IdM servers for DNS (at least two of them) or pointing at the DNS server in the environment that is delegating that domain to the IdM domain controllers.
=== "Script or CLI Method"

!!! note
Depending on your architecture and setup, IdM clients should either be pointing directly at the IdM servers for DNS (at least two of them) or pointing at the DNS server in the environment that is delegating that domain to the IdM domain controllers.

In our lab, our IdM servers are our only DNS servers, thus it makes sense that our clients should point to them. In that scenario, you would configure your DHCP server to use the IdM servers as the name servers and/or configure them in a static manner depending on your environment.

``` bash
# If your client is not pointing at the IdM DNS and you
# don't have another DNS server that's performing delegation,
# change your name servers.
% nmcli con mod eth0 ipv4.dns 192.168.15.2
% nmcli con mod eth0 +ipv4.dns 192.168.15.3
% nmcli con mod eth0 ipv4.dns-search example.com

In our lab, our IdM servers are our only DNS servers, thus it makes sense that our clients should point to them. In that scenario, you would configure your DHCP server to use the IdM servers as the name servers and/or configure them in a static manner depending on your environment.
# Optionally, if your clients don't have DHCP
# reservations, set a static address.
% nmcli con mod eth0 ipv4.address 192.168.15.10/24
% nmcli con mod eth0 ipv4.gateway 192.168.15.1
% nmcli con mod eth0 ipv4.method manual

``` bash
# If your client is not pointing at the IdM DNS and you
# don't have another DNS server that's performing delegation,
# change your name servers.
% nmcli con mod eth0 ipv4.dns 192.168.15.2
% nmcli con mod eth0 +ipv4.dns 192.168.15.3
% nmcli con mod eth0 ipv4.dns-search example.com

# Optionally, if your clients don't have DHCP
# reservations, set a static address.
% nmcli con mod eth0 ipv4.address 192.168.15.10/24
% nmcli con mod eth0 ipv4.gateway 192.168.15.1
% nmcli con mod eth0 ipv4.method manual

# It might be a good idea to set your hostname if you haven't already
% hostnamectl set-hostname client.example.com
% hostname client.example.com

# Install the ipa-client packages
% dnf install ipa-client -y
# Optionally set --no-ntp to --ntp-server
% ipa-client-install --realm EXAMPLE.COM --domain example.com --no-ntp
. . .
% id admin
uid=686600000(admin) gid=686600000(admins) groups=686600000(admins)
```
# It might be a good idea to set your hostname if you haven't already
% hostnamectl set-hostname client.example.com
% hostname client.example.com

# Install the ipa-client packages
% dnf install ipa-client -y
# Optionally set --no-ntp to --ntp-server
% ipa-client-install --realm EXAMPLE.COM --domain example.com --no-ntp
. . .
% id admin
uid=686600000(admin) gid=686600000(admins) groups=686600000(admins)
```

=== "Ansible Method"

. . .

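Review bot: `hostname client.example.com` immediately after `hostnamectl set-hostname client.example.com` is redundant, since hostnamectl without options already sets the static, transient and pretty hostnames; drop the second line so the reader does not think both are required. The comment "Optionally set --no-ntp to --ntp-server" is clearer as "Optionally replace --no-ntp with --ntp-server <host>". As in the earlier hunks, the "Ansible Method" tab contains only ". . .".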
### Configure Kerberized services

Expand Down Expand Up @@ -613,20 +628,20 @@ By default, when a certificate request is performed (and succeeds to be signed b

When a domain supports the KRA role, it can hold password vaults or anything that's considered "secret". You can add the KRA role by installing the relevant package and installing the role.

#### Script or CLI Method
=== "Script or CLI Method"

On each IdM server, you will need to enable the role.
On each IdM server, you will need to enable the role.

``` bash
% dnf install ipa-server-kra
% ipa-kra-install
```
``` bash
% dnf install ipa-server-kra
% ipa-kra-install
```

(more to come)
(more to come)

#### Ansible Method
=== "Ansible Method"

If you are following the ansible method, you already have this role installed based on the inventory configuration. Now it's a matter of creating a simple secret.
If you are following the ansible method, you already have this role installed based on the inventory configuration. Now it's a matter of creating a simple secret.

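Review bot: the Ansible tab says the KRA role "is already installed based on the inventory configuration" without naming the inventory variable or pointing back to the section where the inventory was written, so a reader who opens this tab first cannot verify the claim; add the variable name or a link to that section. The Script or CLI tab still ends with "(more to come)", and the two tabs are uneven: one installs the role, the other jumps to "creating a simple secret" that neither tab shows.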
## Create and configure IdM users and user policies

Expand Down Expand Up @@ -672,50 +687,54 @@ lrwxrwxrwx. 1 root root 27 Jan 14 2020 system-auth -> /etc/authselect/system-a

On a typical Red Hat system, the most common ones (such as `su`, `sshd`, `sudo`) imports the `system-auth` file, so the login request is processed through those means. When defining HBAC rules, you either must allow "all" services or be selective. For example, if an HBAC rule allows "sshd", a user is allowed to ssh into a system, but wouldn't allow them to login locally on the console, as that goes through `login`. If you want the user to be able to run the `su` and `sudo` commands, you would also need to allow those services. Otherwise, the user is denied, even if sudo policies are available.

``` bash
[label@mgt ~]$ sudo -i
[sudo] password for label:
sudo: PAM account management error: Permission denied
```
=== "Script or CLI Method"

In FreeIPA, there is typically a rule already predefined that allows everyone to access all systems and all services. This can be removed or disabled and this removes host access to everything immediately. This is typically recommended in most environments where there are security standards and procedures in place.
``` bash
[label@mgt ~]$ sudo -i
[sudo] password for label:
sudo: PAM account management error: Permission denied
```

``` bash
# To disable
% ipa hbacrule-disable allow_all
# To delete instead
% ipa hbacrule-del allow_all
```
In FreeIPA, there is typically a rule already predefined that allows everyone to access all systems and all services. This can be removed or disabled and this removes host access to everything immediately. This is typically recommended in most environments where there are security standards and procedures in place.

When performing a FreeIPA installation, it is possible to add `--no-hbac-allow` that will disable the allow_all rule.
``` bash
# To disable
% ipa hbacrule-disable allow_all
# To delete instead
% ipa hbacrule-del allow_all
```

Below are some examples of adding access.
When performing a FreeIPA installation, it is possible to add `--no-hbac-allow` that will disable the allow_all rule.

``` bash
# Allow all admins to access all systems
% ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins
% ipa hbacrule-add-user --groups=admins All_Admins
Below are some examples of adding access.

# And then test...
% ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login
```
``` bash
# Allow all admins to access all systems
% ipa hbacrule-add --hostcat=all --servicecat=all --desc='Allow all admins to access all systems' All_Admins
% ipa hbacrule-add-user --groups=admins All_Admins

# And then test...
% ipa hbactest --rules=All_Admins --user=jsmith --host=client.example.com --service=login
```

``` bash
# Allow the corp users to access the client system only using the sshd pam services
% ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access
% ipa hbacrule-add-user --groups=corp corp_access
% ipa hbacrule-add-host --hosts=client.example.com corp_access
% ipa hbacrule-add-service --hbacsvcs=sshd corp_access

# And then test...
% ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd
```
``` bash
# Allow the corp users to access the client system only using the sshd pam services
% ipa hbacrule-add --desc='Allow corp users to access client on ssh' corp_access
% ipa hbacrule-add-user --groups=corp corp_access
% ipa hbacrule-add-host --hosts=client.example.com corp_access
% ipa hbacrule-add-service --hbacsvcs=sshd corp_access

# And then test...
% ipa hbactest --rules=corp_access --user=brufus --host=client.example.com --service=sshd
```

To do this the ansible way, you can make a playbook like this.
=== "Ansible Method"

``` yaml
To do this the ansible way, you can make a playbook like this.

```
``` yaml
---
```

### Configure roaming or automounted home directories

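Review bot: the `sudo -i` PAM denial example, the explanation of the predefined allow_all rule and the `--no-hbac-allow` note are method-independent, yet this hunk moves them inside the "Script or CLI Method" tab, so a reader on the Ansible tab loses the context for why allow_all has to be disabled or deleted; keep that prose above the tabs and put only the `ipa hbacrule-*` commands inside them. The Ansible tab's playbook is a fenced yaml block holding only `---`; either add the playbook or mark it as a placeholder. Also, the corp_access `ipa hbactest` runs as user brufus, who does not appear among the users created in the visible part of the earlier hunk; confirm the name.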
Expand Down Expand Up @@ -1218,4 +1237,3 @@ The test should pass without any issues.
Groups in Active Directory have three types. These three types can actually change the behavior of how SSSD on the IPA domain controllers resolve them or if they'll even be resolvable at all. The three types are 'Domain Local', 'Global', and 'Universal'. If at all possible, avoid groups being 'Global'. Domain Local or Universal is recommended.
