FreeIPA
FreeIPA is an identity management solution (Identity, Policy, Audit) that bundles an LDAP directory (389 DS), an MIT Kerberos KDC, and optionally integrated DNS and a CA behind one management interface. We are currently using it for our internal management networks.
Server
Follow the upstream FreeIPA server installation guide. DNS is critical: clients locate the server through the realm's SRV records, Kerberos needs matching forward and reverse records for every host, and ipa-server-install checks that the server's own hostname resolves to its own address before it will continue. Get DNS right (or let FreeIPA manage the zone with its integrated DNS) before you start.
Client
On RHEL-based distributions, install the client package (ipa-client on RHEL/CentOS, freeipa-client on Fedora) and run ipa-client-install. It enrols the host, fetches the keytab and CA certificate, and writes sssd.conf, krb5.conf, PAM and NSS for you. Super easy. If you're on Debian, you don't need hand-holding from an automated client installer; let's dig into the config files and do the same steps by hand.
Debian Installation
- Install sssd, plus libnss-sss, libpam-sss and libsss-sudo so that NSS, PAM and sudo actually consult it, and krb5-user for kinit (its installer prompts for the default realm: UBNETDEF.NET). ipa-getkeytab is packaged in freeipa-client, or you can run it on the server instead (see below).
- Copy the server's CA certificate (/etc/ipa/ca.crt on master.ubnetdef.net) to /etc/ipa/ca.crt on the client; the sssd ipa provider validates the ldaps:// connection against that path by default. Copy it over a channel you trust (scp from the server), not plain HTTP.
- Copy the configuration file below to /etc/sssd/sssd.conf.
- Don't forget to s/name.ubnetdef.net/your-hostname.ubnetdef.net/g. Then chown root:root /etc/sssd/sssd.conf and chmod 0600 /etc/sssd/sssd.conf; sssd refuses to start if the file is readable by anyone else.
- Grab your host keytab and dump it to /etc/krb5.keytab. The host has to exist on the server first (ipa host-add name.ubnetdef.net) and you need an admin ticket (kinit admin). On a client that was never enrolled with ipa-client-install there is no /etc/ipa/default.conf, so name the server explicitly:
ipa-getkeytab -s master.ubnetdef.net -p host/name.ubnetdef.net -k /tmp/keytab
Then mv /tmp/keytab /etc/krb5.keytab and chmod 0600 /etc/krb5.keytab. Without -r, ipa-getkeytab generates a fresh key for the principal, so running it again invalidates any keytab the host already had. Alternatively run it on the IPA server and scp the file over; either way the keytab is a credential and belongs nowhere but on that host.
- Append the following line to /etc/pam.d/common-session so home directories get created on first login:
session required pam_mkhomedir.so skel=/etc/skel/
- For sudo rules to come from IPA, check that /etc/nsswitch.conf has sss on the passwd and group lines and add sudoers: files sss (libsss-sudo provides the module, but nothing adds the sudoers line for you).
- Restart sssd and check that getent passwd admin resolves through it. GG, you're done.
/etc/sssd/sssd.conf:
[domain/ubnetdef.net]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap

# Configure IPA
ipa_domain = ubnetdef.net
ipa_hostname = name.ubnetdef.net

# Configure sudo
ldap_uri = ldaps://master.ubnetdef.net
ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/name.ubnetdef.net
ldap_sasl_realm = UBNETDEF.NET
krb5_server = master.ubnetdef.net
krb5_realm = UBNETDEF.NET

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ubnetdef.net
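The Debian steps above as one re-runnable script. This is an added example, not from the original page or from the FreeIPA project. It assumes realm UBNETDEF.NET and server master.ubnetdef.net (overridable via REALM, IPA_DOMAIN, IPA_SERVER), a client host already created with ipa host-add, that apt's prompt for the default Kerberos realm is answered with UBNETDEF.NET so kinit can find the KDC through DNS, and that the IPA CA certificate has already been copied out of band to $CA_CERT (the path is an assumption). The rendering of sssd.conf is a pure function so its output can be reviewed before anything lands in /etc.

```sh
#!/bin/sh
# Added example (not from the original wiki page or FreeIPA): the manual
# Debian client steps as one idempotent script. Assumptions: realm
# UBNETDEF.NET, IPA server master.ubnetdef.net, the client already exists
# on the server (ipa host-add), kinit can locate the KDC (krb5-user asks
# for the default realm on install; MIT krb5 then uses SRV records), and
# the IPA CA cert was copied out of band to $CA_CERT (path is an assumption).
# Usage, as root:  sh enroll.sh enroll client1.ubnetdef.net
set -eu

REALM="${REALM:-UBNETDEF.NET}"
IPA_DOMAIN="${IPA_DOMAIN:-ubnetdef.net}"
IPA_SERVER="${IPA_SERVER:-master.ubnetdef.net}"
CA_CERT="${CA_CERT:-/root/ca.crt}"   # copy of the server's /etc/ipa/ca.crt

# ubnetdef.net -> dc=ubnetdef,dc=net
base_dn() {
    printf 'dc=%s' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Render the page's sssd.conf for one client FQDN to stdout. No side effects,
# so it can be reviewed before anything is written under /etc.
render_sssd_conf() {
    fqdn="$1"
    cat <<EOF
[domain/${IPA_DOMAIN}]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap
ipa_domain = ${IPA_DOMAIN}
ipa_hostname = ${fqdn}
ldap_uri = ldaps://${IPA_SERVER}
ldap_sudo_search_base = ou=sudoers,$(base_dn "$IPA_DOMAIN")
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/${fqdn}
ldap_sasl_realm = ${REALM}
krb5_server = ${IPA_SERVER}
krb5_realm = ${REALM}

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ${IPA_DOMAIN}
EOF
}

# Append a line unless it is already present verbatim (safe to re-run).
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# sssd refuses to start unless its config is root-owned and mode 0600.
install_sssd_conf() {
    ( umask 077; render_sssd_conf "$1" > /etc/sssd/sssd.conf )
    chown root:root /etc/sssd/sssd.conf
    chmod 0600 /etc/sssd/sssd.conf
}

# Fetch the host keytab with an admin ticket. Without -r, ipa-getkeytab
# generates a fresh key for the principal, so skip it if a keytab exists.
fetch_keytab() {
    if [ ! -s /etc/krb5.keytab ]; then
        kinit admin
        ipa-getkeytab -s "$IPA_SERVER" -p "host/$1" -k /etc/krb5.keytab
        chmod 0600 /etc/krb5.keytab
        kdestroy
    fi
}

main() {
    fqdn="$1"
    apt-get install -y sssd libnss-sss libpam-sss libsss-sudo krb5-user freeipa-client
    # sssd's ipa provider validates the LDAPS cert against /etc/ipa/ca.crt.
    install -D -o root -g root -m 0644 "$CA_CERT" /etc/ipa/ca.crt
    install_sssd_conf "$fqdn"
    fetch_keytab "$fqdn"
    ensure_line /etc/pam.d/common-session \
        'session required pam_mkhomedir.so skel=/etc/skel/'
    # libsss-sudo only does something once nsswitch consults it.
    grep -q '^sudoers:' /etc/nsswitch.conf || ensure_line /etc/nsswitch.conf 'sudoers: files sss'
    systemctl restart sssd
    getent passwd admin   # must resolve through sss before calling it done
}

if [ "${1:-}" = "enroll" ]; then
    main "${2:?client FQDN required}"
fi
```

Run `sh enroll.sh enroll client1.ubnetdef.net` as root; kinit will prompt for the admin password. `render_sssd_conf` can be sourced and called on its own to diff the generated file against a running client's configuration.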
LDAP Integrations
Settings shared by every service that authenticates users against FreeIPA over LDAP rather than Kerberos (bind account, search bases, filters). Each service's own page covers how to finish its configuration.
General
- Bind User: uid=bind,cn=users,cn=accounts,dc=ubnetdef,dc=net (a dedicated account used only for lookups; keep its password in a root-only file on the service host, not in world-readable application config)
- Search Base DN: cn=users,cn=accounts,dc=ubnetdef,dc=net
- User Search Pattern: (&(objectClass=inetorgperson)(uid=#USERNAME#))
- Group Search Base DN: cn=groups,cn=accounts,dc=ubnetdef,dc=net
- Group Search Pattern: (&(objectClass=groupofnames)(cn=#GROUPNAME#))
- Connect over ldaps://master.ubnetdef.net (port 636) with the IPA CA trusted, never plain ldap://. #USERNAME# and #GROUPNAME# are placeholders the service substitutes at login time; the substituted value must be escaped per RFC 4515 (\28 \29 \2a \5c) or a username such as * or x)(uid=admin becomes LDAP injection. Most applications handle this, but verify before exposing a login form.
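The settings above exercised from the command line, as an added example that is not part of the original page: the two search patterns are built with RFC 4515 escaping of the substituted name, and ldapsearch runs them as the bind account exactly the way an integrating service would. The bind password file path ($BIND_PW_FILE) and the ldaps:// URI default are assumptions.

```sh
#!/bin/sh
# Added example (not from the original wiki page): build the user and group
# lookup filters listed above with RFC 4515 escaping and run them with
# ldapsearch as the bind account. Assumptions: LDAPS on master.ubnetdef.net
# and the bind password in a root-only file at $BIND_PW_FILE (path assumed).
set -eu

LDAP_URI="${LDAP_URI:-ldaps://master.ubnetdef.net}"
BIND_DN="uid=bind,cn=users,cn=accounts,dc=ubnetdef,dc=net"
USER_BASE="cn=users,cn=accounts,dc=ubnetdef,dc=net"
GROUP_BASE="cn=groups,cn=accounts,dc=ubnetdef,dc=net"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap/bind.secret}"   # no trailing newline

# Escape a value for use inside a filter (RFC 4515 section 3). Backslash
# goes first so the escapes it produces are not escaped again. Without this,
# substituting "*" for #USERNAME# matches every user and "x)(uid=admin" lets
# the caller rewrite the filter (LDAP injection). NUL cannot occur in a shell
# string, so it needs no handling here.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The page's user and group patterns with the placeholder filled in safely.
user_filter() {
    printf '(&(objectClass=inetorgperson)(uid=%s))' "$(ldap_filter_escape "$1")"
}
group_filter() {
    printf '(&(objectClass=groupofnames)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# What an integrating service does: simple bind as the service account over
# LDAPS (password read from a file, never on the command line where ps would
# show it), then a subtree search under the users base.
lookup_user() {
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$USER_BASE" -s sub "$(user_filter "$1")" uid cn mail memberOf
}

# Group membership via the group's member attribute (IPA groups are
# groupOfNames); memberOf on the user entry is the reverse view.
group_members() {
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$GROUP_BASE" -s sub "$(group_filter "$1")" member
}

case "${1:-}" in
    user)  lookup_user "${2:?user name required}" ;;
    group) group_members "${2:?group name required}" ;;
esac
```

`sh ldapcheck.sh user alice` confirms the bind account, base DN and user pattern work against the live server; `sh ldapcheck.sh group admins` does the same for the group pattern. Try `sh ldapcheck.sh user '*'` as well: with the escaping in place it returns nothing rather than every account, which is the behaviour to expect from any service you wire up with these settings.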