From Free IPA
SCOPE: PAGE IS OBSOLETE.
Overview
This page describes the steps to configure an IPA server.
Prerequisites
- Install IPA server.
Configuration
% ipa-server-install
Server host name [ipa.example.com]:
Please confirm the domain name [example.com]:
Please provide a realm name [EXAMPLE.COM]:
Directory Manager password: Secret123
Password (confirm): Secret123
IPA admin password: Secret123
Password (confirm): Secret123
To restart IPA:
% ipactl restart
If you need to uninstall:
% ipa-server-install --uninstall
Verification
% kinit admin
Password for admin@EXAMPLE.COM: Secret123
% klist
% ipa-finduser admin
Web UI
Start Firefox, open http://ipa.example.com.
Open about:config, set the following parameters as follows:
- network.auth.use-sspi: false
- network.negotiate-auth.trusted-uris: .example.com
- network.negotiate-auth.delegation-uris: .example.com
Go back to http://ipa.example.com, click Import the IPA Certificate Authority.
Click the Configure Firefox button.
Reload the page.
LDAP Client
Hostname: ipa.example.com
Port: 389
Bind DN: cn=Directory Manager
Password: Secret123
% ldapsearch -x -b dc=example,dc=com
% ldapsearch -Y GSSAPI -b dc=example,dc=com
Configure Listen Host
% ldapmodify -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: cn=config
changetype: modify
replace: nsslapd-listenhost
nsslapd-listenhost: ipa.example.com
-
replace: nsslapd-securelistenhost
nsslapd-securelistenhost: ipa.example.com
-
Restart DS:
% service dirsrv restart
Configure Kerberos
Edit /etc/krb5.conf:
[dbmodules]
EXAMPLE.COM = {
...
ldap_servers = ldap://ipa.example.com/
...
}
Restart Kerberos:
% service krb5kdc restart
Enable Change Log
Enable Retro Changelog plugin:
% ldapmodify -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
Restart DS:
% service dirsrv restart
% ldapsearch -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123 -b "cn=changelog"
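A small reader for the entries that the cn=changelog search above returns, added here as an example (it is not part of the original page or of the FreeIPA project): it unfolds ldapsearch's LDIF output, decodes base64 "changes" values, and reports which change numbers modified a given attribute, which is how an auditor would spot password changes in the retro changelog. The sample output is constructed, not captured from a server, and the user DN uid=alice is made up.

```python
import base64

# Constructed sample of what `ldapsearch -b cn=changelog` prints once the Retro Changelog
# plugin is on (not from a real server); the multi-line "changes" value is base64 and folded.
SAMPLE_LDIF = """\
dn: changenumber=1,cn=changelog
changeNumber: 1
targetDn: uid=sync,cn=sysaccounts,cn=etc,dc=example,dc=com
changeType: add

dn: changenumber=2,cn=changelog
changeNumber: 2
targetDn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogdXNlclBhc3N3b3JkCnVzZXJQYXNzd29yZDogUmVkYWN0
 ZWQKLQo=
"""

def parse_ldif(text):
    """LDIF -> list of {lower-cased attr: [values]}; unfolds lines, decodes 'attr::' base64."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:      # folded continuation line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = [], {}
    for line in logical + [""]:                    # blank sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.lower(), []).append(value)
    return entries

def changes_touching(entries, attr):
    """Change numbers of modify entries whose add/delete/replace lines name `attr`."""
    hits = []
    for e in entries:
        ops = (l.partition(": ") for l in e.get("changes", [""])[0].splitlines())
        names = {a.lower() for op, _, a in ops if op in ("add", "delete", "replace")}
        if e.get("changetype", [""])[0] == "modify" and attr.lower() in names:
            hits.append(int(e["changenumber"][0]))
    return hits
```

Pipe real ldapsearch output into parse_ldif and call changes_touching(entries, "userPassword") to list password modifications by change number.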
Create Sync User Account
% ldapadd -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: uid=sync,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: sync
userPassword: Secret123

% ldapmodify -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Sync user can access everything."; allow (all) userdn = "ldap:///uid=sync,cn=sysaccounts,cn=etc,dc=example,dc=com";)
-

dn: cn=changelog
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Sync user can access everything."; allow (all) userdn = "ldap:///uid=sync,cn=sysaccounts,cn=etc,dc=example,dc=com";)
-