1
00:00:06,930 --> 00:00:08,190
- So, if you want to set up

2
00:00:08,190 --> 00:00:11,220
centralized authentication in your environment,

3
00:00:11,220 --> 00:00:13,020
you need an LDAP server.

4
00:00:13,020 --> 00:00:17,765
There's a couple of choices. The main choice is IPA.

5
00:00:17,765 --> 00:00:21,330
IPA stands for Identity, Policy, and Authorization.

6
00:00:21,330 --> 00:00:24,303
And FreeIPA is a commonly used LDAP server.

7
00:00:25,230 --> 00:00:26,550
It was developed to offer

8
00:00:26,550 --> 00:00:29,190
a Linux-based alternative for Active Directory.

9
00:00:29,190 --> 00:00:32,400
And it can be installed on many distributions,

10
00:00:32,400 --> 00:00:34,323
or even be started as a container.

11
00:00:35,160 --> 00:00:37,230
Administration of FreeIPA is done

12
00:00:37,230 --> 00:00:38,850
through the LDAP utilities,

13
00:00:38,850 --> 00:00:41,940
or the specialized ipa command line utility,

14
00:00:41,940 --> 00:00:43,923
or the web interface that it provides.

15
00:00:45,450 --> 00:00:47,940
Now, if you want to use IPA,

16
00:00:47,940 --> 00:00:50,163
then you need to prepare for installation.

17
00:00:51,300 --> 00:00:53,400
It does integrate tightly with DNS.

18
00:00:53,400 --> 00:00:57,330
So, you need to make sure that it is set up with a hostname.

19
00:00:57,330 --> 00:01:01,320
And this is a hostname that should be unique,

20
00:01:01,320 --> 00:01:03,333
unique from a DNS perspective.

21
00:01:04,170 --> 00:01:06,540
So, use hostnamectl to set up the hostname,

22
00:01:06,540 --> 00:01:07,830
and then also make sure

23
00:01:07,830 --> 00:01:11,250
that on the IPA server you can resolve the hostname.

24
00:01:11,250 --> 00:01:12,810
And, and this is an important one,

25
00:01:12,810 --> 00:01:15,903
make sure that you use a unique DNS name.

26
00:01:17,010 --> 00:01:18,810
Unique DNS name, that means

27
00:01:18,810 --> 00:01:21,510
that you can't use example.com, for instance.
28
00:01:21,510 --> 00:01:23,940
You get a complaint that example.com

29
00:01:23,940 --> 00:01:25,710
is already registered.

30
00:01:25,710 --> 00:01:28,860
So, use one of the local domains, like example.local,

31
00:01:28,860 --> 00:01:31,360
which is exactly what I'm going to do in the demo.

32
00:01:32,460 --> 00:01:34,653
Let me show you how to set up FreeIPA.

33
00:01:35,610 --> 00:01:37,710
I'm doing this on CentOS.

34
00:01:37,710 --> 00:01:39,900
FreeIPA is easily accessible

35
00:01:39,900 --> 00:01:42,513
from the repositories on Red Hat and family.

36
00:01:44,820 --> 00:01:48,660
So, let me start using hostnamectl

37
00:01:48,660 --> 00:01:53,660
set-hostname freeipa.example.local.

38
00:01:53,850 --> 00:01:57,930
As I told you, don't use dot com, because that won't work.

39
00:01:57,930 --> 00:02:00,240
You'll get a conflict message.

40
00:02:00,240 --> 00:02:02,883
Then we need to set up /etc/hosts.

41
00:02:03,960 --> 00:02:08,373
It's a local IP address for this example.local.

42
00:02:10,203 --> 00:02:13,203
(keyboard clicking)

43
00:02:19,380 --> 00:02:22,380
And then you can start the actual installation.

44
00:02:22,380 --> 00:02:24,280
So, that will be dnf install

45
00:02:25,230 --> 00:02:29,857
-y ipa-server, bind-dyndb-ldap,

46
00:02:31,260 --> 00:02:34,293
and ipa-server-dns.

47
00:02:39,240 --> 00:02:40,073
Alright.

48
00:02:40,073 --> 00:02:41,670
Now that everything is installed,

49
00:02:41,670 --> 00:02:43,593
we can run the installation program.

50
00:02:44,490 --> 00:02:49,490
That is ipa-server-install --setup-dns.

51
00:02:51,990 --> 00:02:54,750
So, this is going to ask a couple of questions.

52
00:02:54,750 --> 00:02:56,970
And you can even see in the middle of the screen

53
00:02:56,970 --> 00:02:59,010
what exactly it's going to do.
54
00:02:59,010 --> 00:03:02,220
So, it's installing a standalone certificate authority,

55
00:03:02,220 --> 00:03:06,030
an NTP client, the directory server, KDC,

56
00:03:06,030 --> 00:03:09,510
which is about Kerberos keys, and more.

57
00:03:09,510 --> 00:03:10,770
You don't need to know about it,

58
00:03:10,770 --> 00:03:12,780
but it's cool to see what it is doing.

59
00:03:12,780 --> 00:03:17,523
So next, server hostname. You can just accept the defaults.

60
00:03:18,360 --> 00:03:21,660
As we have just used hostnamectl set-hostname,

61
00:03:21,660 --> 00:03:23,880
we have all this information set up correctly.

62
00:03:23,880 --> 00:03:26,670
So, freeipa.example.local,

63
00:03:26,670 --> 00:03:29,490
which will be the domain, which will be the realm.

64
00:03:29,490 --> 00:03:31,560
Next, we need a password

65
00:03:31,560 --> 00:03:36,560
for the directory manager, as well as for the IPA admin.

66
00:03:36,570 --> 00:03:38,770
These are the two administrative entities,

67
00:03:40,470 --> 00:03:43,380
where the admin user is the most important one.

68
00:03:43,380 --> 00:03:45,990
Then it's asking for a DNS forwarder.

69
00:03:45,990 --> 00:03:48,930
This is how it's connecting this IPA server

70
00:03:48,930 --> 00:03:51,090
to the DNS hierarchy.

71
00:03:51,090 --> 00:03:52,500
You normally do want to set

72
00:03:52,500 --> 00:03:57,480
up a DNS forwarder, and you can let it pick it.

73
00:03:57,480 --> 00:04:00,180
It picks it up automatically from resolv.conf.

74
00:04:00,180 --> 00:04:01,380
Just use it.

75
00:04:01,380 --> 00:04:03,900
And if there's more forwarders that you would like to use,

76
00:04:03,900 --> 00:04:04,860
you can enter them here.

77
00:04:04,860 --> 00:04:07,660
Normally that's not needed, so just press enter to skip.

78
00:04:08,700 --> 00:04:12,960
Next, it is asking for reverse DNS, and that's okay as well.
79
00:04:12,960 --> 00:04:15,930
So just press enter three times

80
00:04:15,930 --> 00:04:18,900
in order to accept all the default settings.

81
00:04:18,900 --> 00:04:23,160
Likewise for the NetBIOS domain name, press enter again.

82
00:04:23,160 --> 00:04:24,930
No time synchronization.

83
00:04:24,930 --> 00:04:27,420
And then you see an overview

84
00:04:27,420 --> 00:04:30,120
with all the current settings, and there you type "yes",

85
00:04:30,120 --> 00:04:33,423
and then FreeIPA setup will be started.

86
00:04:36,960 --> 00:04:39,600
Alright, as you can see, setup is complete.

87
00:04:39,600 --> 00:04:42,330
And the next thing that we need to do, we need to make sure

88
00:04:42,330 --> 00:04:45,810
that the ports in the firewall are open.

89
00:04:45,810 --> 00:04:48,720
We'll take care of that in just a little bit.

90
00:04:48,720 --> 00:04:51,840
And then if you want to use the IPA tools,

91
00:04:51,840 --> 00:04:53,820
we need kinit admin.

92
00:04:53,820 --> 00:04:57,930
We'll do that in a while, but not yet.

93
00:04:57,930 --> 00:04:59,550
Also it's telling us, "be sure to back

94
00:04:59,550 --> 00:05:04,550
up the CA certificate stored in /root/cacert.p12",

95
00:05:05,460 --> 00:05:07,800
and these are required to create a replica.

96
00:05:07,800 --> 00:05:09,990
That's not something that we are going to do.

97
00:05:09,990 --> 00:05:12,750
So the ipa-server-install command was successful.

98
00:05:12,750 --> 00:05:13,830
That's what matters now.

99
00:05:13,830 --> 00:05:17,463
To take care of the firewall, let's create a short loop.

100
00:05:23,910 --> 00:05:26,763
Okay, we get a warning that can safely be ignored.

101
00:05:28,110 --> 00:05:30,630
Now we can activate the firewall using

102
00:05:30,630 --> 00:05:33,990
firewall-cmd --reload, right.

103
00:05:33,990 --> 00:05:36,750
That's a good start, time for part two.
104
00:05:36,750 --> 00:05:38,220
Let me show you on the slide what we are

105
00:05:38,220 --> 00:05:40,420
going to do in the second part of this demo.

106
00:05:42,510 --> 00:05:43,530
Here, you can see the steps

107
00:05:43,530 --> 00:05:45,510
that I'm going to perform right now.

108
00:05:45,510 --> 00:05:47,940
We need to create a couple of LDAP users,

109
00:05:47,940 --> 00:05:50,643
and we are going to use the ipa commands to do so.

110
00:05:53,010 --> 00:05:57,090
Now, in IPA, Kerberos is used everywhere.

111
00:05:57,090 --> 00:06:00,660
And in order to get Kerberized access, I need kinit admin.

112
00:06:00,660 --> 00:06:02,970
That's like the login command.

113
00:06:02,970 --> 00:06:04,440
That's prompting for a password,

114
00:06:04,440 --> 00:06:06,510
and here you are entering the secret password

115
00:06:06,510 --> 00:06:10,290
that you have used while installing FreeIPA.

116
00:06:10,290 --> 00:06:11,550
So next I'm using klist.

117
00:06:11,550 --> 00:06:13,380
klist is a convenient command.

118
00:06:13,380 --> 00:06:16,560
It's showing me all the Kerberos tickets that exist.

119
00:06:16,560 --> 00:06:21,560
And I'm going to use ipa user-add ldapuser1.

120
00:06:23,670 --> 00:06:26,193
It's opening an interactive interface.

121
00:06:28,350 --> 00:06:31,560
So I need to provide my information to create ldapuser1,

122
00:06:31,560 --> 00:06:33,603
and let's also create ldapuser2.

123
00:06:35,473 --> 00:06:39,030
(keyboard clicking)

124
00:06:39,030 --> 00:06:41,160
Now the interactive interface is convenient

125
00:06:41,160 --> 00:06:43,380
if you want to create a couple of users.

126
00:06:43,380 --> 00:06:45,450
If you would like to have more users,

127
00:06:45,450 --> 00:06:47,820
then you should import them using LDIF,

128
00:06:47,820 --> 00:06:49,470
the LDAP import format.

129
00:06:49,470 --> 00:06:50,970
That goes beyond what you need to know

130
00:06:50,970 --> 00:06:53,520
about LDAP for the LFCS exam.
131
00:06:53,520 --> 00:06:55,920
So, I want to keep it simple, and that is why

132
00:06:55,920 --> 00:07:00,920
I'm also going to show you ipa passwd ldapuser1,

133
00:07:01,680 --> 00:07:04,830
another interactive command that is prompting

134
00:07:04,830 --> 00:07:06,003
for the password.

135
00:07:08,520 --> 00:07:12,030
And I want to set the password for ldapuser2, as well.

136
00:07:15,360 --> 00:07:17,433
Oops. Typo, apparently.

137
00:07:19,980 --> 00:07:23,040
And there we go. Now the LDAP users are ready.

138
00:07:23,040 --> 00:07:25,230
So the next thing is to use these users.

139
00:07:25,230 --> 00:07:27,330
So, we need to have a look at the LDAP client.

140
00:07:27,330 --> 00:07:29,780
That's what we are going to do in the next video.