Diferencia entre revisiones de «IdM / FreeIPA»

De jagfloriano.com
Ir a la navegaciónIr a la búsqueda
Sin resumen de edición
Sin resumen de edición
Línea 503: Línea 503:
</syntaxhighlight>
</syntaxhighlight>


== Gestionar privilegsios con IdM (sudo) ==
En este ejemplo se configura una regla de sudo en IdM para que los miembros del grupo ''admins-linux'' puedan ejecutar el comando ''systemctl restart NetworkManager'' como ''root'' y **sin introducir contraseña**.
[root@nodo1 ~]# sudo -l -U jadmin
User jadmin is not allowed to run sudo on nodo1.
[root@nodo1 ~]#
=== Crear el comando sudo ===
[root@nodo1 ~]# ipa sudocmd-add "/usr/bin/systemctl restart NetworkManager"
--------------------------------------------------------------
Added Sudo Command "/usr/bin/systemctl restart NetworkManager"
--------------------------------------------------------------
  Sudo Command: /usr/bin/systemctl restart NetworkManager
=== Crear la regla de sudo ===
[root@nodo1 ~]# ipa sudorule-add restart-networkmanager --desc="Permitir reiniciar NetworkManager"
----------------------------------------
Added Sudo Rule "restart-networkmanager"
----------------------------------------
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
[root@nodo1 ~]#
=== Asignar grupo de usuarios ===
[root@nodo1 ~]# ipa sudorule-add restart-networkmanager --desc="Permitir reiniciar NetworkManager"
----------------------------------------
Added Sudo Rule "restart-networkmanager"
----------------------------------------
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
[root@nodo1 ~]# ipa sudorule-add-user restart-networkmanager --groups=admins-linux
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
  User Groups: admins-linux
-------------------------
Number of members added 1
-------------------------
[root@nodo1 ~]#
=== Asignar hosts ===
[root@nodo1 ~]# ipa sudorule-add-host restart-networkmanager --hosts=all
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
  User Groups: admins-linux
  External host: all
-------------------------
Number of members added 1
-------------------------
[root@nodo1 ~]#
=== Permitir el comando ===
[root@nodo1 ~]# ipa sudorule-add-allow-command restart-networkmanager --sudocmds="/usr/bin/systemctl restart NetworkManager"
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
  User Groups: admins-linux
  External host: all
  Sudo Allow Commands: /usr/bin/systemctl restart NetworkManager
-------------------------
Number of members added 1
-------------------------
[root@nodo1 ~]#
=== Configurar ejecución sin contraseña ===
[root@nodo1 ~]# ipa sudorule-add-option restart-networkmanager --sudooption='!authenticate'
------------------------------------------------------------------
Added option "!authenticate" to Sudo Rule "restart-networkmanager"
------------------------------------------------------------------
  Rule name: restart-networkmanager
  Description: Permitir reiniciar NetworkManager
  Enabled: True
  User Groups: admins-linux
  External host: all
  Sudo Allow Commands: /usr/bin/systemctl restart NetworkManager
  Sudo Option: !authenticate
[root@nodo1 ~]#
=== Verificación ===


== Asociación de usuario a grupo ==
== Alta de cliente IdM en otro servidor ==
== Alta de cliente IdM en otro servidor ==
== Verificación ==
== Verificación ==

Revisión del 09:16 3 feb 2026

Identity Management (IdM / FreeIPA)

Introducción

Identity Management (IdM), basado en FreeIPA, es la solución de Red Hat para la gestión centralizada de identidades. IdM integra varios servicios en una única plataforma:

  • LDAP (389 Directory Server)
  • Kerberos
  • DNS
  • Certificados (Dogtag CA)
  • Gestión de usuarios, grupos y políticas

En RHEL 9, IdM es la solución recomendada y soportada oficialmente para servicios de directorio.


Requisitos previos

  • IP estática configurada
  • Hostname con FQDN correcto
  • Resolución de nombre funcional
  • Sincronización horaria activa (NTP)
  • Acceso a repositorios oficiales de RHEL

Ejemplo:

192.168.1.81 nodo1.jagfloriano.com nodo1

Preparación del sistema

Comprobar hostname y FQDN: 

[root@nodo1 ~]# hostname
nodo1
[root@nodo1 ~]# hostname -f
nodo1.jagfloriano.com
[root@nodo1 ~]# hostnamectl
 Static hostname: nodo1
       Icon name: computer-vm
         Chassis: vm 🖴
      Machine ID: 20ff935e15e14490a6e182f1a7979010
         Boot ID: daaaf7f2b9104421820d256e95a711c3
  Virtualization: oracle
Operating System: Red Hat Enterprise Linux 9.7 (Plow)
     CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
          Kernel: Linux 5.14.0-570.12.1.el9_6.x86_64
    Architecture: x86-64
Firmware Version: VirtualBox

Comprobar resolución de nombre: 

[root@nodo1 ~]# getent hosts nodo1
fe80::a00:27ff:fef3:3c51 nodo1

Verificar sincronización horaria: 

[root@nodo1 ~]# timedatectl
               Local time: Tue 2026-02-03 09:19:15 CET
           Universal time: Tue 2026-02-03 08:19:15 UTC
                 RTC time: Tue 2026-02-03 08:19:15
                Time zone: Europe/Madrid (CET, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no


Instalación de paquetes IdM

Instalar el grupo de paquetes del servidor IdM: 

dnf install -y ipa-server ipa-server-dns

Verificar instalación: 

[root@nodo1 ~]# rpm -qa | grep ipa
python3-iniparse-0.4-45.el9.noarch
libipa_hbac-2.9.7-4.el9_7.1.x86_64
sssd-ipa-2.9.7-4.el9_7.1.x86_64
device-mapper-multipath-libs-0.8.7-39.el9_7.1.x86_64
device-mapper-multipath-0.8.7-39.el9_7.1.x86_64
ipa-client-common-4.12.2-22.el9_7.1.noarch
python3-libipa_hbac-2.9.7-4.el9_7.1.x86_64
ipa-selinux-4.12.2-22.el9_7.1.noarch
ipa-common-4.12.2-22.el9_7.1.noarch
ipa-healthcheck-core-0.16-9.el9.noarch
redhat-logos-ipa-90.5-1.el9_6.1.noarch
ipa-server-common-4.12.2-22.el9_7.1.noarch
python3-ipalib-4.12.2-22.el9_7.1.noarch
python3-ipaclient-4.12.2-22.el9_7.1.noarch
ipa-client-4.12.2-22.el9_7.1.x86_64
python3-ipaserver-4.12.2-22.el9_7.1.noarch
ipa-server-4.12.2-22.el9_7.1.x86_64
ipa-server-dns-4.12.2-22.el9_7.1.noarch


Configuración inicial del servidor IdM

La configuración inicial se realiza mediante el asistente `ipa-server-install`.

Ejecutar el instalador: 

ipa-server-install

Durante el asistente se solicitará:

  • Nombre de dominio (ej: jagfloriano.com)
  • Realm Kerberos (ej: JAGFLORIANO.COM)
  • Contraseña del usuario admin
  • Configuración del DNS integrado
  • Reenvíos DNS (forwarders)
  • Confirmación de instalación

Valores recomendados:

  • Usar DNS integrado
  • Configurar al menos un DNS forwarder
  • Mantener el realm en mayúsculas


[root@nodo1 ~]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com


Server host name [nodo1.jagfloriano.com]:

The domain name has been determined based on the host name.

Please confirm the domain name [jagfloriano.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [JAGFLORIANO.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [JAGFLORIANO]:

Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:
Hostname:       nodo1.jagfloriano.com
IP address(es): 192.168.1.81
Domain name:    jagfloriano.com
Realm name:     JAGFLORIANO.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=JAGFLORIANO.COM
Subject base: O=JAGFLORIANO.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds

Configuring client side components
This program will set up IPA client.
Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: nodo1.jagfloriano.com
Realm: JAGFLORIANO.COM
DNS Domain: jagfloriano.com
IPA Server: nodo1.jagfloriano.com
BaseDN: dc=jagfloriano,dc=com

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring jagfloriano.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

unable to resolve host name nodo1.jagfloriano.com. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name nodo1.jagfloriano.com. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records.h3qbc22f.db
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful


Arranque y verificación

Comprobar el estado de los servicios de IdM: 

[root@nodo1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Todos los servicios deben aparecer en estado *RUNNING*.


Comprobar acceso administrativo obteniendo un ticket Kerberos: 

[root@nodo1 ~]# kinit admin
Password for admin@JAGFLORIANO.COM:

Verificar que el ticket Kerberos se ha obtenido correctamente: 

[root@nodo1 ~]# klist
Ticket cache: KCM:0
Default principal: admin@JAGFLORIANO.COM

Valid starting       Expires              Service principal
02/03/2026 09:34:32  02/04/2026 09:23:23  krbtgt/JAGFLORIANO.COM@JAGFLORIANO.COM


Ver información global del dominio IdM: 

[root@nodo1 ~]# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: jagfloriano.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: False
  Certificate Subject base: O=JAGFLORIANO.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: nodo1.jagfloriano.com
  IPA master capable of PKINIT: nodo1.jagfloriano.com
  IPA CA servers: nodo1.jagfloriano.com
  IPA CA renewal master: nodo1.jagfloriano.com

Este comando muestra, entre otros datos:

  • Dominio IPA
  • Realm Kerberos
  • Servidores configurados


Ver dominios asociados al realm Kerberos: 

[root@nodo1 ~]# ipa realmdomains-show
  Domain: jagfloriano.com


Ver información del servidor IdM: 

[root@nodo1 ~]# ipa server-show nodo1.jagfloriano.com
  Server name: nodo1.jagfloriano.com
  Managed suffixes: domain, ca
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: CA server, IPA master

Acceso web

IdM proporciona una interfaz web de administración. 

https://nodo1.jagfloriano.com

Acceder con el usuario admin.

Firewall

Durante la instalación, IdM configura automáticamente el firewall. Puertos principales utilizados:

  • 389/TCP (LDAP)
  • 636/TCP (LDAPS)
  • 88/TCP y UDP (Kerberos)
  • 464/TCP y UDP (Kerberos)
  • 443/TCP (Web UI)
  • 53/TCP y UDP (DNS, si se habilita)


Resultado de la instalación

Al finalizar la instalación:

  • IdM está operativo
  • LDAP, Kerberos y DNS funcionan de forma integrada
  • El sistema está listo para crear usuarios y grupos
  • Los clientes pueden unirse al dominio


Creación de grupo y usuario en IdM

Crear un grupo en IdM 

[root@nodo1 ~]# ipa group-add admins-linux --desc="Grupo de administradores Linux"
--------------------------
Added group "admins-linux"
--------------------------
  Group name: admins-linux
  Description: Grupo de administradores Linux
  GID: 1010400003

Crear usuario 

[root@nodo1 ~]# ipa user-add jadmin  --first=Juan  --last=Admin --password
Password:
Enter Password again to verify:
-------------------
Added user "jadmin"
-------------------
  User login: jadmin
  First name: Juan
  Last name: Admin
  Full name: Juan Admin
  Display name: Juan Admin
  Initials: JA
  Home directory: /home/jadmin
  GECOS: Juan Admin
  Login shell: /bin/sh
  Principal name: jadmin@JAGFLORIANO.COM
  Principal alias: jadmin@JAGFLORIANO.COM
  User password expiration: 20260203085841Z
  Email address: jadmin@jagfloriano.com
  UID: 1010400004
  GID: 1010400004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Añadir usuario a un grupo: 

[root@nodo1 ~]# ipa group-add-member admins-linux --users=jadmin
  Group name: admins-linux
  Description: Grupo de administradores Linux
  GID: 1010400003
  Member users: jadmin
-------------------------
Number of members added 1
-------------------------

Verificaciones:

Grupos: 

[root@nodo1 ~]# ipa group-show admins-linux
  Group name: admins-linux
  Description: Grupo de administradores Linux
  GID: 1010400003
  Member users: jadmin

Usuarios: 

[root@nodo1 ~]# ipa group-show admins-linux
  Group name: admins-linux
  Description: Grupo de administradores Linux
  GID: 1010400003
  Member users: jadmin
[root@nodo1 ~]# ipa user-show jadmin
  User login: jadmin
  First name: Juan
  Last name: Admin
  Home directory: /home/jadmin
  Login shell: /bin/sh
  Principal name: jadmin@JAGFLORIANO.COM
  Principal alias: jadmin@JAGFLORIANO.COM
  Email address: jadmin@jagfloriano.com
  UID: 1010400004
  GID: 1010400004
  Account disabled: False
  Password: True
  Member of groups: admins-linux, ipausers
  Kerberos keys available: True

Confirmar que el usuario lo ve el sistema: 

[root@nodo1 ~]# id jadmin
uid=1010400004(jadmin) gid=1010400004(jadmin) groups=1010400004(jadmin),1010400003(admins-linux)

Gestionar privilegsios con IdM (sudo)

En este ejemplo se configura una regla de sudo en IdM para que los miembros del grupo admins-linux puedan ejecutar el comando systemctl restart NetworkManager como root y **sin introducir contraseña**.

[root@nodo1 ~]# sudo -l -U jadmin User jadmin is not allowed to run sudo on nodo1. [root@nodo1 ~]#

Crear el comando sudo

[root@nodo1 ~]# ipa sudocmd-add "/usr/bin/systemctl restart NetworkManager"

Added Sudo Command "/usr/bin/systemctl restart NetworkManager" 

 Sudo Command: /usr/bin/systemctl restart NetworkManager

Crear la regla de sudo

[root@nodo1 ~]# ipa sudorule-add restart-networkmanager --desc="Permitir reiniciar NetworkManager"

Added Sudo Rule "restart-networkmanager" 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True

[root@nodo1 ~]#

Asignar grupo de usuarios

[root@nodo1 ~]# ipa sudorule-add restart-networkmanager --desc="Permitir reiniciar NetworkManager"

Added Sudo Rule "restart-networkmanager" 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True

[root@nodo1 ~]# ipa sudorule-add-user restart-networkmanager --groups=admins-linux 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True
 User Groups: admins-linux

Number of members added 1

[root@nodo1 ~]#

Asignar hosts

[root@nodo1 ~]# ipa sudorule-add-host restart-networkmanager --hosts=all 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True
 User Groups: admins-linux
 External host: all

Number of members added 1

[root@nodo1 ~]#

Permitir el comando

[root@nodo1 ~]# ipa sudorule-add-allow-command restart-networkmanager --sudocmds="/usr/bin/systemctl restart NetworkManager" 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True
 User Groups: admins-linux
 External host: all
 Sudo Allow Commands: /usr/bin/systemctl restart NetworkManager

Number of members added 1

[root@nodo1 ~]#

Configurar ejecución sin contraseña

[root@nodo1 ~]# ipa sudorule-add-option restart-networkmanager --sudooption='!authenticate'

Added option "!authenticate" to Sudo Rule "restart-networkmanager" 

 Rule name: restart-networkmanager
 Description: Permitir reiniciar NetworkManager
 Enabled: True
 User Groups: admins-linux
 External host: all
 Sudo Allow Commands: /usr/bin/systemctl restart NetworkManager
 Sudo Option: !authenticate

[root@nodo1 ~]#

Verificación

Alta de cliente IdM en otro servidor

Verificación

Obtenido de «http://wiki.jagfloriano.com/index.php?title=IdM_/_FreeIPA&oldid=446»