The IdM Admin client is configured to allow administrators to perform common IdM server tasks, such as user account management, from an IdM client. The Admin client is configured similarly to any other IdM client, but additionally has the ipa-admintools package installed. Red Hat Enterprise Linux 7 is demonstrated here, but either Red Hat Enterprise Linux 6 or 7 can be deployed as an IdM Admin client.
5.2.1 Configure Firewall Ports
On the IdM Admin client (admin1) create a new chain (ipa-client-chain) and add the appropriate firewall rules for the ports required by IdM.
1. The default firewall service on Red Hat Enterprise Linux 7 is firewalld. To avoid the two services fighting over the same netfilter tables, stop and mask the iptables (IPv4) and ip6tables (IPv6) services so they cannot be started again, even as a dependency of another unit.
# systemctl stop iptables
# systemctl mask iptables
ln -s '/dev/null' '/etc/systemd/system/iptables.service'
# systemctl status iptables
iptables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Jun 20 19:12:35 admin1.interop.example.com systemd[1]: Stopped IPv4 firewall with iptables.
# systemctl stop ip6tables
# systemctl mask ip6tables
ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
# systemctl status ip6tables
ip6tables.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Jun 20 19:12:35 admin1.interop.example.com systemd[1]: Stopped IPv6 firewall with ip6tables.
2. Start firewalld and enable it to start on boot.
# systemctl start firewalld
# systemctl enable firewalld
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Fri 2014-06-20 15:00:14 EDT; 4h 12min ago
Main PID: 637 (firewalld)
CGroup: /system.slice/firewalld.service
└─637 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jun 20 19:12:51 admin1.interop.example.com systemd[1]: Started firewalld - dynamic firewall daemon.
3. Create a new chain (ipa-client-chain), send new inbound connections from INPUT to it, and add the accept rules for the ports required by IdM. The jump target in the INPUT rule must be the chain created in the first command; a jump to a chain that does not exist leaves the port rules unreachable.
# firewall-cmd --permanent --direct --add-chain ipv4 filter ipa-client-chain
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate NEW -j ipa-client-chain
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 80 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 443 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 389 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 636 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 88 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 464 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto udp --destination-port 88 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto udp --destination-port 464 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 53 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto udp --destination-port 53 --jump ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter ipa-client-chain 0 --proto udp --destination-port 123 --jump ACCEPT
success
# firewall-cmd --reload
success
Each of these ports is described in further detail in Table 3.3.4 Network Ports.
4. Verify the entries.
# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT 0 -m conntrack --ctstate NEW -j ipa-client-chain
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 443 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 389 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 636 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 88 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 464 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto udp --destination-port 88 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto udp --destination-port 464 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto tcp --destination-port 53 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto udp --destination-port 53 --jump ACCEPT
ipv4 filter ipa-client-chain 0 --proto udp --destination-port 123 --jump ACCEPT
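The four steps above are easy to get subtly wrong by hand: a jump whose target does not match the chain that was actually created leaves every port rule unreachable, and a port dropped from the list only surfaces when some client operation times out. The script below is an added example, not part of the reference architecture, that generates the same direct rules from a single port table and checks a `firewall-cmd --permanent --direct --get-all-rules` dump against that table. The chain name, the port table, the two sample dumps (one complete, one whose INPUT jump names a chain that was never created) and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the reference architecture: build the IdM client direct
# rules from one port table and check a `--get-all-rules` dump against that table.
# Chain name, port table, sample dumps and function names are this example's assumptions.

CHAIN=ipa-client-chain

# Ports opened on the client in section 5.2.1 (see Table 3.3.4 Network Ports), as "proto port".
ipa_ports() {
  cat <<'EOF'
tcp 80
tcp 443
tcp 389
tcp 636
tcp 88
tcp 464
udp 88
udp 464
tcp 53
udp 53
udp 123
EOF
}

# gen_rules CHAIN: print the firewall-cmd invocations without running them.
# Taking the chain name from one argument keeps the INPUT jump target and the
# chain the port rules land in identical, which is the mistake hand-typed rules invite.
gen_rules() {
  chain="$1"
  echo "firewall-cmd --permanent --direct --add-chain ipv4 filter $chain"
  echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate NEW -j $chain"
  ipa_ports | while read -r proto port; do
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter $chain 0 --proto $proto --destination-port $port --jump ACCEPT"
  done
  echo "firewall-cmd --reload"
}

# check_rules CHAIN: read `firewall-cmd --permanent --direct --get-all-rules` output on
# stdin, print each expected rule that is absent and return 1 if any is.
check_rules() {
  chain="$1"
  rules=$(cat)
  rc=0
  if ! printf '%s\n' "$rules" | grep -qF -- "ipv4 filter INPUT 0 -m conntrack --ctstate NEW -j $chain"; then
    echo "missing: INPUT jump to $chain"
    rc=1
  fi
  while read -r proto port; do
    if ! printf '%s\n' "$rules" | grep -qF -- "ipv4 filter $chain 0 --proto $proto --destination-port $port --jump ACCEPT"; then
      echo "missing: $proto/$port in $chain"
      rc=1
    fi
  done <<EOF
$(ipa_ports)
EOF
  return "$rc"
}

# Constructed dump of a complete rule set, in the format --get-all-rules prints.
GOOD_DUMP=$(gen_rules "$CHAIN" | sed -n 's/^firewall-cmd --permanent --direct --add-rule //p')

# Constructed dump where the INPUT jump names a chain that was never created: no
# packet ever reaches the port rules, yet every port rule is present and looks fine.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed 's/-j ipa-client-chain$/-j ipa-server-chain/')

# On the client: gen_rules "$CHAIN" | sh
#                firewall-cmd --permanent --direct --get-all-rules | check_rules "$CHAIN"
printf '%s\n' "$GOOD_DUMP" | check_rules "$CHAIN" && echo "all $CHAIN rules present"
printf '%s\n' "$BAD_DUMP" | check_rules "$CHAIN" || echo "bad dump rejected"
```

On the client, `gen_rules ipa-client-chain | sh` applies the rules and, after the reload, `firewall-cmd --permanent --direct --get-all-rules | check_rules ipa-client-chain` confirms that every port from the table and the INPUT jump are in place; a non-zero exit with the missing entries printed is the signal to fix the rule set before enrolling.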
5.2.2 Install Packages
On the IdM Admin client (admin1) install the IPA client package.
# yum install ipa-client
5.2.3 Configure DNS
Edit the DNS resolver file (/etc/resolv.conf) so that the IdM server and replica are listed as nameservers, ahead of any other resolver:
domain interop.example.com
search interop.example.com
nameserver 10.19.140.101
nameserver 10.19.140.102
nameserver 10.19.143.247
5.2.4 Install/Configure IdM Client
Configure the IdM admin client to automatically update its DNS records on the IdM server with any IP address changes (--enable-dns-updates), to trust SSH host key fingerprints published in DNS (--ssh-trust-dns), and to create home directories on first login (--mkhomedir).
# hostname
admin1.interop.example.com
# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
Discovery was successful!
Hostname: admin1.interop.example.com
Realm: INTEROP.EXAMPLE.COM
DNS Domain: interop.example.com
IPA Server: idm-srv1.interop.example.com
BaseDN: dc=interop,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@INTEROP.EXAMPLE.COM: *******
Successfully retrieved CA cert
Issuer: CN=Certificate Authority,O=INTEROP.EXAMPLE.COM
Valid From: Tue Jun 17 14:25:45 2014 UTC
Valid Until: Sat Jun 17 14:25:45 2034 UTC

Enrolled in IPA realm INTEROP.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm INTEROP.EXAMPLE.COM
trying https://idm-srv1.interop.example.com/ipa/xml
Forwarding 'ping' to server 'https://idm-srv1.interop.example.com/ipa/xml'
Forwarding 'env' to server 'https://idm-srv1.interop.example.com/ipa/xml'
Hostname (admin1.interop.example.com) not found in DNS
DNS server record set to: admin1.interop.example.com -> 10.19.140.100
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://idm-srv1.interop.example.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
The "Unable to sync time with IPA NTP server" warning in the output above is worth acting on rather than ignoring: Kerberos rejects tickets when the client and KDC clocks differ by more than the permitted skew (300 seconds by default), so confirm that the client's clock matches the IdM server before relying on the enrollment.
Should any issues be encountered during the installation, the IdM client configuration can be removed as follows:
# ipa-client-install --uninstall
and the installation restarted as described above.
For further troubleshooting, consult the client installation chapter of the Red Hat Enterprise Linux 7 - Linux Domain, Identity, Authentication and Policy Guide on the Red Hat customer portal.
5.2.5 Verify IdM Admin Client
Confirm that the client can correctly look up user accounts held in IdM; the uids in the 1550200000 and 889000000 ranges come from IdM via SSSD, not from the local /etc/passwd.
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# id admin
uid=1550200000(admin) gid=1550200000(admins) groups=1550200000(admins)
# id ose-admin1
uid=889000001(ose-admin1) gid=889000001 groups=889000001
# id ose-dev1
uid=889000002(ose-dev1) gid=889000002 groups=889000002
# id ose-user1
uid=889000003(ose-user1) gid=889000003 groups=889000003
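The `id` lookups above show that SSSD resolves IdM accounts, but they do not catch two things a freshly enrolled client can still get wrong: a clock that has drifted from the KDC (the enrollment output warned that NTP synchronisation failed) and an account that only resolves because it also exists in local files. The script below is an added example, not from the reference architecture; the `ntpdate -q` and `id` sample lines, the local passwd excerpt and the function names are constructed for it, ntpdate is assumed to be installed on the client, and the 300-second limit is the Kerberos default clock skew.

```shell
#!/bin/sh
# Added example, not part of the reference architecture: two checks to run on a freshly
# enrolled client, fed here from constructed sample output so the script runs offline.
# Sample lines, the local passwd excerpt and the function names are this example's assumptions.

# Kerberos rejects tickets once client and KDC clocks differ by more than this many
# seconds (the krb5 default clockskew), so enrollment and logins break beyond it.
MAX_SKEW=300

# Constructed sample of `ntpdate -q 10.19.140.101` output on admin1 (ntpdate assumed installed).
NTP_SAMPLE='server 10.19.140.101, stratum 3, offset -0.004217, delay 0.02617
20 Jun 19:13:02 ntpdate[4021]: adjust time server 10.19.140.101 offset -0.004217 sec'

# ntp_offset: print the absolute clock offset in whole seconds from ntpdate -q output on stdin.
ntp_offset() {
  sed -n 's/^server .*, offset \(-*[0-9.]*\),.*/\1/p' | head -n 1 | tr -d '-' | cut -d. -f1
}

# skew_ok: succeed when the offset read from stdin is below MAX_SKEW; fail when no offset parses.
skew_ok() {
  off=$(ntp_offset)
  [ -n "$off" ] && [ "$off" -lt "$MAX_SKEW" ]
}

# Constructed excerpt of the client's local /etc/passwd: nothing here but local system accounts.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin'

# Constructed `id` output as seen on admin1 in section 5.2.5.
ID_ADMIN='uid=1550200000(admin) gid=1550200000(admins) groups=1550200000(admins)'
ID_ROOT='uid=0(root) gid=0(root) groups=0(root)'

# id_uid / id_name: pull the numeric uid and the account name out of an `id` line on stdin.
id_uid()  { sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'; }
id_name() { sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'; }

# remote_account_ok: succeed when the `id` line on stdin names an account that resolved,
# is not a system uid and is not defined in local files, i.e. it had to come from SSSD/IdM.
remote_account_ok() {
  line=$(cat)
  uid=$(printf '%s\n' "$line" | id_uid)
  name=$(printf '%s\n' "$line" | id_name)
  [ -n "$uid" ] || return 1
  [ "$uid" -ge 1000 ] || return 1
  ! printf '%s\n' "$LOCAL_PASSWD" | grep -q "^$name:"
}

# On the client: ntpdate -q idm-srv1.interop.example.com | skew_ok
#                id admin | remote_account_ok
printf '%s\n' "$NTP_SAMPLE" | skew_ok && echo "clock within ${MAX_SKEW}s of the KDC"
printf '%s\n' "$ID_ADMIN" | remote_account_ok && echo "admin resolved from IdM"
```

On the client, `ntpdate -q idm-srv1.interop.example.com | skew_ok` and `id ose-admin1 | remote_account_ok` run the same checks against live output. The local-files test is a stand-in for `getent passwd -s files <user>`, which is the precise way to ask whether an account is defined locally; an IdM account that also appears there will keep working after a kinit failure and mask a broken enrollment.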
5.2.6 Install Admin Tools (optional)
On the IdM admin system (admin1) install the IPA Admin Tools package.
# yum install ipa-admintools
The IPA Admin Tools package provides the ipa command-line tools, which let an IdM client manage user accounts and groups. Installation is optional but recommended for any IdM client performing IdM server