網絡上,特別是互聯網中有各型各類的主機,有各種各樣的資源, 這些東西雜散在網絡中, 需要有一定的機制來訪問這些資源, 得到相關的服務, 於是就有了目錄服務.
早期的目錄服務主要是提供文件檢索, NOVELL就是廣爲使用的目錄服務器系統; 隨着互聯網的發展, 網站的定位又成了難題, 於是有了DNS服務,它也是典型的目錄服務,即幫你做域名與IP地址之間的轉換. NETMEETING也是目錄服務器的服務內容之一, 對NetMetting來說,其目錄服務器主要是幫助定位用戶狀態信息的.
在WINDOWS體系中, AD(活動目錄)功能強大, 是符合工業標準的目錄服務器. 在UNIX或LINUX中,也有相應的目錄服務器(如LDAP).
總結一下,目錄服務器的主要功能是提供資源與地址的對應關係, 比如你想找一臺網上的共享打印機或主機時, 你只需要知道名字就可以了, 而不必去關心它真正的物理位置. 而目錄服務器幫助維護這樣的資源-地址映射.
目錄服務是使目錄中所有信息和資源發揮作用的服務,如用戶和資源管理、基於目錄的網絡服務、基於網絡的應用管理等!活動目錄服務將網絡中的各種資源組合起來,進行集中管理,方便網絡資源的搜索,使企業可以輕鬆地管理複雜的網絡環境。
開源項目FreeIPA(http://www.freeipa.org)。
FreeIPA是一個集成的安全信息管理解決方案。它整合了389-ds(LDAP)、Kerberos、NTP、bind、apache、tomcat核心軟件包,形成一個以389-ds(LDAP)爲數據存儲後端,Kerberos爲驗證前端,bind爲主機識別,並且具有統一的命令行管理工具及apache+tomcat提供的web管理界面的集成信息管理系統。
FreeIPA建立在著名的開源組件和標準協議之上,具有易於管理、安裝和配置任務自動化的特點。
目前,Fedora、RHEL、CentOS發行版本中,集成了IPA服務器搭建所需的所有軟件包,下面我們通過CentOS6.5發行版本來看一下如何搭建一個IPA服務器及IPA服務器的應用——用戶的集中化管理。
準備工作:
兩臺物理服務器或兩個虛擬機,本示例中使用的是兩個基於Vmware Workstation的虛擬機;
CentOS6.5 ISO鏡像文件。
配置步驟:
(1)在第一臺虛擬機中安裝CentOS6.5操作系統;
(2)配置系統的網絡參數(配置完成後重啓系統)
[root@localhost ~]#vim /etc/sysconfig/network NETWORKING=yes HOSTNAME=ipa.example.com [root@localhost ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static IPADDR=192.168.0.100 NETMASK=255.255.255.0 [root@localhost ~]#vim /etc/hosts(該條目必須是除本地地址以外的第一條,並且ipa.example.com不能指向127.0.0.1) 127.0.0.1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 192.168.0.100 ipa.example.com ipa
(3)配置防火牆,開放指定端口
[root@ipa ~]#iptables -I INPUT -p tcp --dport 80 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 443 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 389 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 636 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 88 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 464 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p tcp --dport 53 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 88 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 464 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 53 -j ACCEPT [root@ipa ~]#iptables -I INPUT -p udp --dport 123 -j ACCEPT [root@ipa ~]#service iptables save
| Service | Ports | Type | ||
|---|---|---|---|---|
| HTTP/HTTPS |
| TCP | ||
| LDAP/LDAPS |
| TCP | ||
| Kerberos |
| TCP and UDP | ||
| DNS | 53 | TCP and UDP | ||
| NTP | 123 | UDP | ||
| Dogtag Certificate System - LDAP | 7389 | TCP |
(4)禁用NetworkManager和NetworkManagerDispatcher服務(該服務會影響IPA相關服務運行,如果兩個服務被安裝到系統中,需禁用它們)
[root@ipa ~]#service NetworkManager stop [root@ipa ~]#service NetworkManagerDispatcher stop [root@ipa ~]#chkconfig NetworkManager off [root@ipa ~]#chkconfig NetworkManagerDispatcher off
(5)安裝軟件包
[root@ipa ~]#yum -y install bind bind-dyndb-ldap ipa-server
(6)執行ipa-server-install命令,安裝IPA服務器
[root@ipa ~]# ipa-server-install --setup-dns --forwarder=8.8.8.8 The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) To accept the default shown in brackets, press the Enter key. Existing BIND configuration detected, overwrite? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [ipa.example.com]: Warning: skipping DNS resolution of host ipa.example.com The domain name has been determined based on the host name. Please confirm the domain name [example.com]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [EXAMPLE.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure the reverse zone? [yes]: Please specify the reverse zone name [0.168.192.in-addr.arpa.]: Using reverse zone 0.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: ipa.example.com IP address: 192.168.0.100 Domain name: example.com Realm name: EXAMPLE.COM BIND DNS server will be configured to serve IPA domain with: Forwarders: 8.8.8.8 Reverse zone: 0.168.192.in-addr.arpa. Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server for the CA (pkids): Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server Done configuring directory server for the CA (pkids). Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds [1/21]: creating certificate server user [2/21]: creating pki-ca instance [3/21]: configuring certificate server instance [4/21]: disabling nonces [5/21]: creating CA agent PKCS#12 file in /root [6/21]: creating RA agent certificate database [7/21]: importing CA chain to RA certificate database [8/21]: fixing RA database permissions [9/21]: setting up signing cert profile [10/21]: set up CRL publishing [11/21]: set certificate subject base [12/21]: enabling Subject Key Identifier [13/21]: setting audit signing renewal to 2 years [14/21]: configuring certificate server to start on boot [15/21]: restarting certificate server [16/21]: requesting RA certificate from CA [17/21]: issuing RA agent certificate [18/21]: adding RA agent as a trusted user [19/21]: configure certificate renewals [20/21]: configure Server-Cert certificate renewal [21/21]: Configure HTTP to proxy connections Done configuring certificate server (pki-cad). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: disabling betxn plugins [10/38]: configuring uniqueness plugin [11/38]: configuring uuid plugin [12/38]: configuring modrdn plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring ssl for ds instance [18/38]: configuring certmap.conf [19/38]: configure autobind for root [20/38]: configure new location for managed entries [21/38]: restarting directory server [22/38]: adding default layout [23/38]: adding delegation layout [24/38]: adding replication acis [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: Upload CA cert to the directory [33/38]: initializing group membership [34/38]: adding master entry [35/38]: configuring Posix uid/gid generation [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring the web interface (httpd): Estimated time 1 minute [1/13]: setting mod_nss port to 443 [2/13]: setting mod_nss password file [3/13]: enabling mod_nss renegotiate [4/13]: adding URL rewriting rules [5/13]: configuring httpd [6/13]: setting up ssl [7/13]: setting up browser autoconfig [8/13]: publish CA cert [9/13]: creating a keytab for httpd [10/13]: clean up any existing httpd ccache [11/13]: configuring SELinux for httpd [12/13]: restarting httpd [13/13]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting the directory server Restarting the KDC Configuring DNS (named) [1/9]: adding DNS container [2/9]: setting up our zone [3/9]: setting up reverse zone [4/9]: setting up our own record [5/9]: setting up kerberos principal [6/9]: setting up named.conf [7/9]: restarting named [8/9]: configuring named to start on boot [9/9]: changing resolv.conf to point to ourselves Done configuring DNS (named). Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password
(7)執行命令,獲取使用ipa命令行工具和web管理界面的票據,列出票據
[root@ipa ~]# kinit admin Password for [email protected]: [root@ipa ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 05/17/14 21:20:12 05/18/14 21:20:09 krbtgt/[email protected]
(8)設置相關服務隨系統自動啓動,保證在服務器重啓後IPA能夠正常運行
[root@ipa ~]# chkconfig pki-cad on [root@ipa ~]# chkconfig named on [root@ipa ~]# chkconfig krb5kdc on [root@ipa ~]# chkconfig kadmin on [root@ipa ~]# chkconfig ipa_memcached on [root@ipa ~]# chkconfig httpd on [root@ipa ~]# chkconfig dirsrv on
到此爲止,IPA服務器安裝完成。我們可以通過IPA命令行工具或登陸WEB界面對服務器進行管理。
下面簡單介紹ipa命令的使用方法:
ipa命令使用格式:
ipa [global-options] COMMAND ...
用戶管理相關COMMAND:
user-add Add a new user.
user-del Delete a user.
user-disable Disable a user account.
user-enable Enable a user account.
user-find Search for users.
user-mod Modify a user.
user-show Display information about a user.
user-status Lockout status of a user account
user-unlock Unlock a user account
如需獲得更多使用方法可以查看ipa命令手冊
[root@ipa ~]# man ipa
在這裏我們添加三個測試用戶user01、user02、user03
[root@ipa ~]# ipa user-add user01 --first=user01 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user01" ------------------- User login: user01 First name: user01 Last name: testuser Full name: user01 testuser Display name: user01 testuser Initials: ut Home directory: /home/user01 GECOS field: user01 testuser Login shell: /bin/sh Kerberos principal: [email protected] Email address: [email protected] UID: 1682400001 GID: 1682400001 Password: True Kerberos keys available: True [root@ipa ~]# ipa user-add user02 --first=user02 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user02" ------------------- User login: user02 First name: user02 Last name: testuser Full name: user02 testuser Display name: user02 testuser Initials: ut Home directory: /home/user02 GECOS field: user02 testuser Login shell: /bin/sh Kerberos principal: [email protected] Email address: [email protected] UID: 1682400003 GID: 1682400003 Password: True Kerberos keys available: True [root@ipa ~]# ipa user-add user03 --first=user03 --last=testuser --password Password: Enter Password again to verify: ------------------- Added user "user03" ------------------- User login: user03 First name: user03 Last name: testuser Full name: user03 testuser Display name: user03 testuser Initials: ut Home directory: /home/user03 GECOS field: user03 testuser Login shell: /bin/sh Kerberos principal: [email protected] Email address: [email protected] UID: 1682400004 GID: 1682400004 Password: True Kerberos keys available: True
添加的用戶如果沒有家目錄,可以修改配置文件system-auth,添加以下信息
[root@ipa ~]# vim /etc/pam.d/system-auth session optional pam_mkhomedir.so skel=/etc/skel umak=077
禁用、啓用、解鎖用戶賬號
[root@ipa ~]# ipa user-disable user01 ------------------------------ Disabled user account "user01" ------------------------------ [root@ipa ~]# ipa user-enable user01 ----------------------------- Enabled user account "user01" ----------------------------- [root@ipa ~]# ipa user-unlock user01 ------------------------- Unlocked account "user01" -------------------------
修改用戶登陸shell
[root@ipa ~]# ipa user-mod --shell=/bin/bash User login: user01 ---------------------- Modified user "user01" ---------------------- User login: user01 First name: user01 Last name: testuser Home directory: /home/user01 Login shell: /bin/bash Email address: [email protected] UID: 1682400001 GID: 1682400001 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True [root@ipa ~]# ipa user-mod user02 --shell=/bin/bash ---------------------- Modified user "user02" ---------------------- User login: user02 First name: user02 Last name: testuser Home directory: /home/user02 Login shell: /bin/bash Email address: [email protected] UID: 1682400003 GID: 1682400003 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True [root@ipa ~]# ipa user-mod user03 --shell=/bin/bash ---------------------- Modified user "user03" ---------------------- User login: user03 First name: user03 Last name: testuser Home directory: /home/user03 Login shell: /bin/bash Email address: [email protected] UID: 1682400004 GID: 1682400004 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True
添加組,向組中添加用戶,將用戶從組中刪除,刪除組
[root@ipa ~]# ipa group-add testgroup Description: test group ----------------------- Added group "testgroup" ----------------------- Group name: testgroup Description: test group GID: 1682400005 [root@ipa ~]# ipa group-add-member testgroup --user=user01,user02,user03 Group name: testgroup Description: test group GID: 1682400005 Member users: user01, user02, user03 ------------------------- Number of members added 3 ------------------------- [root@ipa ~]# ipa group-remove-member testgroup --user=user03 Group name: testgroup Description: test group GID: 1682400005 Member users: user01, user02 --------------------------- Number of members removed 1 --------------------------- [root@ipa ~]# ipa group-del testgroup ------------------------- Deleted group "testgroup" -------------------------
查看用戶或組的詳細信息
[root@ipa ~]# ipa user-show --all User login: user01 dn: uid=user01,cn=users,cn=accounts,dc=example,dc=com User login: user01 First name: user01 Last name: testuser Full name: user01 testuser Display name: user01 testuser Initials: ut Home directory: /home/user01 GECOS field: user01 testuser Login shell: /bin/sh Kerberos principal: [email protected] Email address: [email protected] UID: 1682400001 GID: 1682400001 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True ipauniqueid: 528dadee-ddca-11e3-94ff-000c295c5708 krbextradata: AAJWaXdTcm9vdC9hZG1pbkBFWEFNUExFLkNPTQA= krblastadminunlock: 20140517140215Z krblastpwdchange: 20140517135118Z krbloginfailedcount: 0 krbpasswordexpiration: 20140517135118Z krbpwdpolicyreference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com mepmanagedentry: cn=user01,cn=groups,cn=accounts,dc=example,dc=com objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry [root@ipa ~]# ipa group-show --all Group name: ipausers dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com Group name: ipausers Description: Default group for all users Member users: user01, user02, user03 ipauniqueid: c2f5e7e8-ddae-11e3-a95a-000c295c5708 objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject
我們除了可以使用ipa命令進行服務管理外,也可以通過WEB界面進行服務管理。我們可以選擇網絡中任何一臺主機,將該主機DNS服務器指向IPA服務器,打開瀏覽器,輸入http://ipa.example.com即可訪問到IPA服務器的WEB管理界面。
關於IPA服務更多的使用和配置方法,大家可以查看RedHat官方手冊:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html