- So, the easiest way to verify the setup of this FreeIPA server, very simple: su - ldapuser2, because we wanna be able to log in on the IPA server. Well, we can log in on the IPA server. So, that is one thing. Of course, there's also ldapsearch. We've seen the ldapsearch command before. It's a nasty command with all the parameters, and that's why I'm using !ldapse. And there we can see it repeats the last ldapsearch command.

Now if you would go to another system, let's check out the Ubuntu system. Here is the Ubuntu system. Now on this Ubuntu system, ldapsearch is also going to work. So from the Ubuntu system, we can also use the ldapsearch command. And here is the ldapsearch command. Again, I'm making it easy on myself. Now everything that you need in the ldapsearch command is in the command. So ldap is an unsecure LDAP URL to freeipa.example.com. The base context is dc=example,dc=local, and sub objectclass is going to show all the objects right here.

Now setting up a client, as I told you, that would go beyond the scope of this course, because on IPA you need an IPA setup utility that's taking care of everything. But as a generic test that your LDAP server is working, this ldapsearch is doing pretty well. Okay, even if it doesn't really matter for your LFCS, I wanna show you how to easily set up the IPA client software by using the IPA client utility. So dnf install ipa-client is what it all starts with, -y so that we don't have to press Yes. Alright, so the package is installed. Before we are going to continue, there's a couple of things that we need to check. First, hostnamectl is showing that my host currently has a name. However, the host name is set to server4.example.com. That does matter in an IPA environment. In an IPA environment, you need the host name to be part of the same domain. So I'm using set-hostname and make that server4.example.local. That's because example.com is a registered internet domain name. We can't use that. So my IP address is 142.

I'm going to put an entry in /etc/hosts that allows for resolving. And that should do it. Then the final thing is also important. That is the DNS configuration. IPA has integrated DNS, and in order to work with the integrated DNS we should set the name server to the IPA IP address. IPA is the DNS name server. IPA is connected to the DNS hierarchy. So, that is going to forward everything to the internet. Now that we have done that, we can use ipa-client-install. Here, like the setup procedure of the IPA server, it's safe to press Enter on most of the prompts. On most of the prompts, there's one prompt only. That's because it has successfully discovered. If it has not successfully discovered the DNS configuration, there's multiple prompts. But here there's one only. We can see the summary. And the summary is telling me that it's going to use the IPA server freeipa.example.local. And do we want to continue with these settings? Yes, we do. So, it has set up time synchronization.

That's an important part because in IPA, Kerberos tickets are used for authentication. And they are time based. So the time should really be the same on the server as well as on the clients. And now it's prompting me for an admin authorized to enroll computers. In order to work with IPA I need to register this computer with the IPA server. And that is why it needs this admin user account. That is what is happening right now. And it is extending the IPA server configuration. And at this moment, it should be good. How are we testing? Well, su - ldapuser2. And there we can see that I'm currently ldapuser2@server4. That means that my IPA client is set up successfully.