From 4ed28179b23b246e56324741218dfdaa0d2d2a56 Mon Sep 17 00:00:00 2001 From: Louis Abel Date: Mon, 8 Jan 2024 00:47:46 -0700 Subject: [PATCH] start modifying ex362 --- docs/training/ex362.md | 260 +++++++++++++++++++++++++++++-- mkdocs.yml | 2 + overrides/partials/comments.html | 56 +++++++ 3 files changed, 308 insertions(+), 10 deletions(-) create mode 100644 overrides/partials/comments.html diff --git a/docs/training/ex362.md b/docs/training/ex362.md index e3fd268d..9c589a8d 100644 --- a/docs/training/ex362.md +++ b/docs/training/ex362.md @@ -1,5 +1,6 @@ --- title: EX362 Exam Prep +comment: true --- This page contains the necessary resources to help you prepare for the Red Hat Certified Specialist in Identity Management exam, EX362. This follows the youtube playlist as much as possible with various examples and ideas. Soon to come, you will also find our own example practice exam for you to try your hand at to test your knowledge. 
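Review bot: the front-matter key added in this hunk is `comment: true`, but the `overrides/partials/comments.html` partial added at the end of this patch guards its body with `{% if page.meta.comments %}`, so the comments block will never render on this page. Use the plural `comments: true` in the front matter (the key the partial tests) or change the condition; whichever is chosen, the two spellings have to match.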
@@ -15,19 +16,34 @@ The list of objectives can be found [here](https://www.redhat.com/en/services/tr The video series goes over setting up FreeIPA in a lab/VM environment by following the objectives as outlined by Red Hat. The list of objectives can be found [here](https://www.redhat.com/en/services/training/ex362-red-hat-certified-specialist-identity-management-exam). +**On this page, you will see a combination of both "manual" and "automated" ways of working with FreeIPA (or Red Hat IdM). This is because we believe in the user understanding and knowing how to do things by hand, how it works by hand, before ever automating it. Automation cannot be fully achieved without having an understanding of the underlying software and applications.** + +**In conclusion, we highly recommend that any user studying for their exam reading this guide understands how to do everything by hand first before attempting to redo it via ansible.** + ## Exam Information -The EX362 exam tests your knowledge in a real world format style test - Meaning just like any Red Hat exam, it is performance-based and you perform tasks as if you were on the job. You are evaluated on the tasks you perform and if they meet the objective criteria. The EX362 is related to FreeIPA or Red Hat Identity Management and counts toward the RHCA (Red Hat Certified Architect). +The EX362 exam tests your knowledge in a real world format style test - Meaning just like any Red Hat exam, it is performance-based and you perform tasks as if you were on the job. You are evaluated on the tasks you perform and if they meet the objective criteria. The EX362 is related to FreeIPA or Red Hat Identity Management and counts toward the RHCA (Red Hat Certified Architect). You are expected to have familiarity with ansible for this exam. **To take the exam, you must have at least an RHCSA. 
If you are attempting to become a Red Hat Certified Architect, you must have an RHCE.** +## Ansible Information + +As ansible is expected for this exam, you may be required to work with ansible collections to work with FreeIPA. The community version of the collection is simply `freeipa.ansible_freeipa`. This can be installed via `ansible-galaxy` or via `dnf install ansible-freeipa`. You will find that the Red Hat official collection name has a different name entirely. + +Throughout this page, we will be using the `ansible-galaxy` version of the collection, which ensure we are using a FQCN. This is because if you are using Ansible Automation Platform (or AWX), you will need to use the FQCN in just about all cases. + +!!! note + As ansible is a fairly new addition to this exam and to this study guide, there may be inaccuracies. We highly encourage PR's or comments that address problems with the ansible data we provide here. + ## Resources * [FreeIPA](https://www.freeipa.org) +* [FreeIPA Ansible Collection](https://github.com/freeipa/ansible-freeipa) * [Red Hat Documentation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/) * [Trust Anatomy/SSSD Troubleshooting](https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/) * [Directory Server Tuning](https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/performance_tuning_guide/index) * [FreeIPA Workshop Curriculum](https://freeipa.readthedocs.io/en/latest/workshop.html) +* [Ansible Documentation](https://docs.ansible.com/ansible/latest/index.html) * [Our Page](https://linuxguideandhints.com/el/freeipa) ## Hardware Recommendations 
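Review bot: the new "Ansible Information" section says the Red Hat official collection "has a different name entirely" without giving it; since the same paragraph says the exam expects Ansible, name the supported collection (or link to where it is documented) so a reader working on an exam system knows which FQCN applies there. Grammar in the same paragraph: "which ensure we are using a FQCN" should read "which ensures we are using an FQCN", and "PR's" in the note should be "PRs".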
@@ -42,22 +58,164 @@ Per the Red Hat documentation, consider that with at least 10k users and 100 gro View the resources above in the previous section for directory server tuning information. -## IdM Server Installation and Configuration +## Expected lab systems -### Install IdM in a scalable, fault tolerant environment +Below is a list of expected lab systems to perform the work on this page. +| System Name | IP Address | Role | +|-------------------------|---------------|--------------------| +| idm1.example.com | 192.168.15.2 | IdM Server | +| idm2.example.com | 192.168.15.3 | IdM Server | +| client.example.com | 192.168.15.10 | IdM Client | +| nfs.example.com | 192.168.15.11 | NFS Server | +| utility.example.com | 192.168.15.12 | Utility Server | +| ansible.example.com | 192.168.15.50 | Ansible controller | -| Server Name | IP Address | +## Setup Ansible Controller and Clients + +As the exam may expect familiarity with ansible, setting up an ansible controller may be ideal. + +!!! note + **We still recommend basic familiarity with FreeIPA itself is ideal. Learning by hand is important first before attempting to automate. + +### Controller Setup + +``` +# as root, install the necessary packages and create the user +% dnf install ansible -y +% useradd ansible + +# ensure ansible can do root things locally. +% visudo -f /etc/sudoers.d/ansible +ansible ALL=(ALL) NOPASSWD: ALL +``` + +Become the ansible user, and finish the general configuration. + +``` +% ssh-keygen +% ansible-config init --disabled > ansible.cfg +``` + +Configure `ansible.cfg` in any way you see fit. We recommend these settings at a minimum. + +``` ini +[defaults] +roles_path = roles:/usr/share/ansible/roles +collections_paths = collections:/usr/share/ansible/collections +remote_user = ansible +; id_rsa is the default generated key. you can use any format. 
+private_key_file = /home/ansible/.ssh/id_rsa +ansible_managed = EX362 Study + +[inventory] +enable_plugins = host_list, virtualbox, yaml, constructed, script, ini, auto +``` + +Configure the inventory. For the inventory, you should ensure *all* lab systems are listed. + +``` ini +[ipa:children] +ipaserver +ipareplicas +ipaclients + + +; Based on exam requirements, these vars might have to be set differently +[ipa:vars] +ipaclient_no_ntp=true +ipaclient_mkhomedir=true +ipaclient_ssh_trust_dns=true + +[ipaserver:vars] +ipaadmin_principal=admin +ipaadmin_password='Passw0rd!' +ipadm_password='Passw0rd!' + +ipaserver_domain=example.com +ipaserver_realm=EXAMPLE.COM +ipaserver_setup_dns=true +ipaserver_setup_kra=true +ipaserver_setup_firewalld=true +ipaserver_no_forwarders=true +ipaserver_auto_forwarders=false +ipaserver_no_host_dns=true +ipaserver_reverse_zones='["15.168.192.in-addr.arpa."]' +ipaserver_external_ca=false +ipaserver_setup_adtrust=true + +[ipareplica:vars] +ipaadmin_principal=admin +ipaadmin_password='Passw0rd!' +ipadm_password='Passw0rd!' + +ipaserver_realm=EXAMPLE.COM +ipareplica_domain=example.com +ipareplica_setup_ca=true +ipareplica_setup_dns=true +ipareplica_setup_kra=true +ipareplica_setup_firewalld=true +ipareplica_no_forwarders=true +ipareplica_auto_forwarders=false +ipareplica_setup_adtrust=true + +[ipaclients:vars] +ipaclient_domain=example.com +ipaclient_realm=EXAMPLE.COM +; the reason why we have a separate principal and password +; is because we may have a service account that enrolls instead +ipaadmin_principal=admin +ipaadmin_password='Passw0rd!' + +[ipaserver] +idm1.example.com ansible_host=192.168.15.2 + +[ipareplica] +idm2.example.com ansible_host=192.168.15.2 + +[ipaclients] +ansible.example.com ansible_connection=local +client.example.com ansible_host=192.168.15.10 +nfs.example.com ansible_host=192.168.15.11 +utility.example.com ansible_host=192.168.15.12 +``` + +Install the required collections. 
+ +``` +% ansible-galaxy collection install freeipa.ansible_freeipa + +# if you plan on managing network manager using ansible, use this collection. +% ansible-galaxy collection install community.general + +# if you plan on managing firewalld and other features, use this collection. +% ansible-galaxy collection install ansible.posix +``` + +At this point, you will need to configure all the clients with an ansible user and the public key. See the ansible documentation for my details. + +## Install and configure Red Hat Identity Management (IdM) + +### Install IdM using either scripts or using Ansible Automation Platform + +| System Name | IP Address | |-------------------------|---------------| | idm1.example.com | 192.168.15.2 | | idm2.example.com | 192.168.15.3 | +| ansible.example.com | 192.168.15.50 | + +!!! note "Domain/Realm Information" + The domain/realm for this will be `example.com` !!! note "Static Addresses" IPA Servers should either have a DHCP reservation or a static address. In the event that you have either, DNS should always be pointing at 127.0.0.1, especially if your replica serves DNS. Both of our replicas serve DNS, so loopback is sufficient and recommended for our name server. In later versions of FreeIPA, there is support to force network manager to ensure resolv.conf is loopback without the need to set it by hand with nmcli. +#### Script or CLI Method + ``` bash +% hostnamectl set-hostname idm1.example.com # Set a static address - It's important for your IdM servers # to have static addresses or a DHCP reservation. % nmcli con mod eth0 ipv4.address 192.168.15.2/24 
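Review bot: the inventory in this hunk has two errors that will break the replica play. `idm2.example.com ansible_host=192.168.15.2` reuses idm1's address, while the lab table at the top of the same hunk gives idm2 `192.168.15.3`. And `[ipa:children]` lists `ipareplicas` while the group and its vars are defined as `[ipareplica]` / `[ipareplica:vars]`, so the child reference does not resolve; settle on one group name in all three places. Under `[ipareplica:vars]` the realm is set as `ipaserver_realm=EXAMPLE.COM` next to `ipareplica_domain=example.com`; the replica-prefixed spelling is the one consistent with every other variable in that block, so check which name the role actually reads. The admin and Directory Manager passwords are written in clear text and repeated in three groups; define them once under `[ipa:vars]` and keep them in an ansible-vault file rather than in the inventory. Smaller points: `collections_paths` in `ansible.cfg` is the older spelling that recent ansible-core warns about in favour of `collections_path`; the `!!! note` under "Setup Ansible Controller and Clients" opens `**` without closing it; and "See the ansible documentation for my details" should read "more details".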
@@ -92,10 +250,7 @@ View the resources above in the previous section for directory server tuning inf ``` ``` bash -# Configure the firewall for RHEL 7 -% firewall-cmd --permanent --add-service={ntp,http,https,freeipa-ldap,freeipa-ldaps,kerberos,freeipa-replication,kpasswd,dns} -# RHEL 8 -% firewall-cmd --permanent --add-service={freeipa-4,ntp,dns} +% firewall-cmd --permanent --add-service={freeipa-4,ntp,dns,freeipa-trust} ``` ``` bash 
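Review bot: dropping the "RHEL 7" / "RHEL 8" labels leaves the single `% firewall-cmd --permanent --add-service={freeipa-4,ntp,dns,freeipa-trust}` line with no statement of which release it applies to, and the deleted RHEL 7 line shows that the itemized service list was needed there. Add a sentence saying which release the page now targets, and mention that `freeipa-trust` is only required because the inventory sets `ipaserver_setup_adtrust=true`, so readers who skip the trust setup can leave it out.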
@@ -104,7 +259,78 @@ View the resources above in the previous section for directory server tuning inf % ipa dnsconfig-mod --allow-sync-ptr=True ``` +#### Ansible Method + +Ensure that your ansible controller is setup and install the collections as needed. + +!!! warn "Ensure ansible is operable on all machines" + It is recommended that on all machines in this lab, you are configuring ansible as a user with full sudo rights. + +!!! note "Static Addressing, command vs collection" + Earlier, it was suggested to install community.general as it provides an nmcli module. We will be using this. It should be noted that you may not have access to that collection on the exam. + + We also suggested ansible.posix. You may not also have access to this on the exam. + +``` yaml +% vi role_ipa_server.yml +--- +- name: "Standup IPA Server" + hosts: ipaserver + become: true + + pre_tasks: + # ensure hostname is what is expected + - name: "Set hostname" + ansible.builtin.hostname: + name: idm1.example.com + use: systemd + + # This sets up network manager using community.general. + - name: "Set static address" + community.general.nmcli: + ifname: enp1s0 + conn_name: enp1s0 + type: ethernet + method4: manual + ip4: + - 192.168.15.2/24 + gw4: 192.168.15.1 + dns4_search: example.com + dns4: 127.0.0.1 + autoconnect: true + state: present + + roles: + - role: freeipa.ansible_freeipa.ipaserver + state: present + + post_tasks: + # We need to ensure firewalld was setup the way we wanted it to + - name: "Ensure firewalld rules are accurate" + ansible.posix.firewalld: + service: "{{ item }}" + permanent: true + immediate: true + state: enabled + with_items: + - "freeipa-4" + - "freeipa-trust" + - "dns" + + # We need to make sure that any A records get a PTR record. 
+ - name: "Ensure PTR is in sync" + freeipa.ansible_freeipa.ipadnsconfig: + ipaadmin_principal: "{{ ipaadmin_principal }}" + ipaadmin_password: "{{ ipaadmin_password }}" + allow_sync_ptr: true +``` + +### Install and configure a replica IdM Server + +#### Script or CLI Method + ``` bash +% hostnamectl set-hostname idm2.example.com # Adding a replica % ipa-replica-install --setup-dns \ --setup-ca \ @@ -120,6 +346,8 @@ View the resources above in the previous section for directory server tuning inf --unattended ``` +#### Ansible Method + ### Creating Users, Groups, and Policies | Users | Login Name | Type | Group | Role | UID/GID | @@ -204,7 +432,9 @@ delete: krbLastPwdChange The common question we receive (and even the #freeipa IRC receive) is "Why can't we just set the password to not be expired right away?" See [this page](https://www.freeipa.org/page/New_Passwords_Expired) for information on why this is. You may also look at the [pagure](https://pagure.io/freeipa/issue/5763) page and the [Red Hat bugzilla related bug](https://bugzilla.redhat.com/show_bug.cgi?id=1317060). -### Implement a SSO +## Implement a SSO + +### Create an SSO client To setup a very, very simple SSO, you can setup a simple location that requires a login. @@ -226,6 +456,10 @@ To setup a very, very simple SSO, you can setup a simple location that requires ``` +### Verify SSO client operationg + +... + ## IdM Client Installation and Configuration ### Install and configure IdM Clients 
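Review bot: in `role_ipa_server.yml` the play targets the `ipaserver` group, but the pre_tasks hard-code `name: idm1.example.com` and `- 192.168.15.2/24`, so a second host added to the group would be given the first server's name and address; use `{{ inventory_hostname }}` for the hostname and `{{ ansible_host }}` (with the prefix length) or a per-host variable for the address. The interface is `enp1s0` here while the CLI method directly above uses `eth0`; pick one or make it a variable and say so in the text. The admonition type `!!! warn` is not one the theme documents, `!!! warning` is. Finally, the text itself notes that community.general and ansible.posix may be unavailable on the exam, so the section should say what to do instead (for example the `nmcli` and `firewall-cmd` commands from the CLI method run through `ansible.builtin.command`); otherwise the pre_tasks and post_tasks cannot be reproduced there.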
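Review bot: the `#### Ansible Method` subsection added under "Install and configure a replica IdM Server" and the `### Verify SSO client operationg` subsection are empty (the latter holds only `...`). If that is intentional for this work-in-progress commit, add a one-line placeholder so the rendered page does not show a bare heading, and fix the typo "operationg" to "operation".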
@@ -348,7 +582,9 @@ By default, when a certificate request is performed (and succeeds to be signed b ### Create Secret Vaults -When a domain supports the KRA role, it can hold password vaults or anything that's considered "secret". You can add the KRA role by simply running on each relevant domain controller: +When a domain supports the KRA role, it can hold password vaults or anything that's considered "secret". You can add the KRA role by installing the relevant package and installing the role. + +#### Script or CLI Method ``` bash % ipa-kra-install @@ -356,6 +592,10 @@ When a domain supports the KRA role, it can hold password vaults or anything tha (more to come) +#### Ansible Method + +If you are following the ansible method, you already have this role installed based on the inventory configuration. + ## IdM Users and Policies Management In FreeIPA, there are two sets of policies: diff --git a/mkdocs.yml b/mkdocs.yml index dbf18fab..8d0b2861 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -23,6 +23,7 @@ theme: - perl - python - yaml + - ini features: - navigation.expand - navigation.indexes @@ -38,6 +39,7 @@ theme: scheme: slate primary: indigo accent: blue + custom_dir: overrides # Plugins plugins: diff --git a/overrides/partials/comments.html b/overrides/partials/comments.html new file mode 100644 index 00000000..33ca7ca3 --- /dev/null +++ b/overrides/partials/comments.html @@ -0,0 +1,56 @@ +{% if page.meta.comments %} +

{{ lang.t("meta.comments") }}

+ + + + + +{% endif %}
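Review bot: `custom_dir: overrides` in the second `mkdocs.yml` hunk is appended directly after the `palette` entries (`scheme: slate`, `primary: indigo`, `accent: blue`); the flattened hunk does not show indentation, so confirm it sits at the `theme:` level rather than nested under `palette:`, otherwise the `overrides/partials/comments.html` partial added in the last hunk is never picked up by the theme.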