Red Hat Enterprise IPA on CentOS 5.2
For over a decade, many organizations used the Network Information Service (NIS) to provide central management of identity and policy for users and machines in Linux and Unix environments. However, NIS has serious weaknesses that caused it to fail certain security compliance audits.
NIS is insecure by today's standards: it has no host authentication mechanism, and all information passes over the network unencrypted. Extreme care therefore has to be taken when setting up a network that uses NIS.
Red Hat Enterprise IPA aims to enable significant risk reduction and efficiency gains for IT. IPA stands for Identity, Policy, and Audit. RHE IPA aims to simplify central management of the identity of users and machines, of policy configuration and access control, and of audit. The present release, RHE IPA 1.0, covers the "Identity" part; "Policy" and "Audit" are scheduled for future releases.
RPMs for Enterprise IPA are not yet available from the CentOS repositories. You can use the Enterprise IPA RPMs provided by PU_IAS, a custom Red Hat distribution maintained by members of the computing staff of Princeton University and the Institute for Advanced Study.
Prepare the Server:
A CentOS 5.2 server needs to be installed first (it will also host the IPA web interface). Add a custom yum repository for IPA by creating the file /etc/yum.repos.d/CentOS-IPA.repo with the following content:
[baseipa]
name=CentOS-5.2-IPA
baseurl=http://www.math.ias.edu/PU_IAS/RHEIPA/5.2/i386/
Import the GPG key for the repository:
$ rpm --import http://www.math.ias.edu/PU_IAS/5.2/en/os/i386/RPM-GPG-KEY
Install the required RPMs:
$ yum install ipa-server
Configure the DNS server and set up forward and reverse resolution for the machine's hostname. It is essential that forward and reverse resolution are both set correctly.
Install and Configure IPA Server:
- Server’s host name, realm name and other details can be set interactively.
- Restart the ssh server so that the modified Name Service Switch file is re-read.
- Test the configuration by requesting a Kerberos ticket.
$ kinit admin
Password for admin@EXAMPLE.COM:
List the Kerberos tickets using the klist command.
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/26/09 15:08:56  02/27/09 15:08:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Configure IPA service discovery through DNS:
Assuming that the zone is example.com and the IPA server hostname is ipaserver.example.com, the example.com zone should contain the following records:
ipaserver               IN A    192.168.8.1
; ldap servers
_ldap._tcp              IN SRV  0 100 389 ipaserver
; kerberos realm
_kerberos               IN TXT  EXAMPLE.COM
; kerberos servers
_kerberos._tcp          IN SRV  0 100 88  ipaserver
_kerberos._udp          IN SRV  0 100 88  ipaserver
_kerberos-master._tcp   IN SRV  0 100 88  ipaserver
_kerberos-master._udp   IN SRV  0 100 88  ipaserver
_kpasswd._tcp           IN SRV  0 100 464 ipaserver
_kpasswd._udp           IN SRV  0 100 464 ipaserver
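Because client setup depends on these records and on matching forward and reverse resolution, it is worth checking a zone before running the installers. The following script is an added example, not part of the article or of Red Hat Enterprise IPA: it parses zone-file lines in the shape shown above, reports any missing or mis-ported discovery record, and checks that the server's A record and a PTR record agree. The forward zone text is built from the article's records; the reverse zone fragment and the REQUIRED_SRV table are this example's own assumptions.

```python
"""Check that a DNS zone carries the records IPA clients use for discovery and
that forward (A) and reverse (PTR) resolution agree for the IPA server.

Added example, not part of the original article or of Red Hat Enterprise IPA.
FORWARD_ZONE is built from the records listed in the article; REVERSE_ZONE and
the REQUIRED_SRV table are this example's own assumptions.
"""

# Constructed forward zone fragment for example.com (the article's records).
FORWARD_ZONE = """
ipaserver               IN A    192.168.8.1
; ldap servers
_ldap._tcp              IN SRV  0 100 389 ipaserver
;kerberos realm
_kerberos               IN TXT  EXAMPLE.COM
; kerberos servers
_kerberos._tcp          IN SRV  0 100 88  ipaserver
_kerberos._udp          IN SRV  0 100 88  ipaserver
_kerberos-master._tcp   IN SRV  0 100 88  ipaserver
_kerberos-master._udp   IN SRV  0 100 88  ipaserver
_kpasswd._tcp           IN SRV  0 100 464 ipaserver
_kpasswd._udp           IN SRV  0 100 464 ipaserver
"""

# Constructed reverse zone fragment for 192.168.8.0/24 (assumed; not in the article).
REVERSE_ZONE = """
1   IN PTR  ipaserver.example.com.
"""

# SRV names and the port each should carry, taken from the article's record list.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def qualify(name, origin):
    """Turn a relative owner or target name into an absolute one under origin."""
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_zone(text, origin):
    """Parse 'owner IN TYPE rdata...' lines into (owner_fqdn, type, rdata_fields).
    Text after ';' is a comment; lines that do not fit that shape are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue
        records.append((qualify(fields[0], origin), fields[2], fields[3:]))
    return records


def discovery_problems(zone_text, origin, realm):
    """Return a list of problems with the IPA discovery records; [] means all present."""
    recs = parse_zone(zone_text, origin)
    problems = []
    txt = [r for o, t, r in recs if t == "TXT" and o == f"_kerberos.{origin}."]
    if not txt or txt[0][0].strip('"') != realm:
        problems.append(f"_kerberos TXT record missing or not {realm}")
    a_names = {o for o, t, _ in recs if t == "A"}
    for name, port in REQUIRED_SRV.items():
        srv = [r for o, t, r in recs if t == "SRV" and o == f"{name}.{origin}."]
        if not srv:
            problems.append(f"missing SRV record {name}")
            continue
        _prio, _weight, srv_port, target = srv[0]
        if int(srv_port) != port:
            problems.append(f"{name} points at port {srv_port}, expected {port}")
        if qualify(target, origin) not in a_names:
            problems.append(f"{name} targets {target}, which has no A record")
    return problems


def forward_reverse_consistent(fwd_text, rev_text, host_fqdn, origin, rev_origin):
    """True when the host's A record address has a PTR record naming the host again."""
    fwd = parse_zone(fwd_text, origin)
    rev = parse_zone(rev_text, rev_origin)
    addrs = [r[0] for o, t, r in fwd if t == "A" and o == host_fqdn]
    if not addrs:
        return False
    ptr_owner = ".".join(reversed(addrs[0].split("."))) + ".in-addr.arpa."
    ptrs = [r[0] for o, t, r in rev if t == "PTR" and o == ptr_owner]
    return ptrs == [host_fqdn]


if __name__ == "__main__":
    for p in discovery_problems(FORWARD_ZONE, "example.com", "EXAMPLE.COM"):
        print("discovery:", p)
    ok = forward_reverse_consistent(FORWARD_ZONE, REVERSE_ZONE,
                                    "ipaserver.example.com.",
                                    "example.com", "8.168.192.in-addr.arpa")
    print("forward/reverse consistent:", ok)
```

Run it against a copy of your real zone files (the parser only understands the one-record-per-line form shown in the article, without $ORIGIN or TTL columns) before installing clients; an empty problem list and a True consistency result are what the installer's DNS discovery relies on.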
Accessing web interface:
To access the web interface, you need to configure Firefox accordingly. Type "about:config" in the address bar and set the following:
network.negotiate-auth.trusted-uris          .example.com
network.negotiate-auth.delegation-uris       .example.com
network.negotiate-auth.using-native-gsslib   true
Start Firefox and navigate to the IPA server using the link: http://ipaserver.example.com
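The two URI preferences decide which hosts Firefox will perform Kerberos Negotiate authentication against (trusted-uris) and which may additionally receive delegated credentials (delegation-uris), so they should be scoped to the IPA domain and no wider. The following script is an added example, not from the article or the IPA project: it renders the three settings above as a user.js file and flags values that are broader than a single domain. The preference names are the real Firefox ones listed in the article; the scoping rules are this example's own.

```python
"""Emit the Firefox negotiate-auth preferences for IPA as a user.js file and
check that they do not hand Kerberos credentials to more hosts than intended.

Added example, not from the article or the IPA project. The preference names are
the real Firefox ones the article lists; the scoping rules are this example's own.
"""

TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"
GSSLIB = "network.negotiate-auth.using-native-gsslib"

# The values from the article; delegation is kept exactly as narrow as trusted-uris.
PREFS = {
    TRUSTED: ".example.com",
    DELEGATION: ".example.com",
    GSSLIB: True,
}


def entries(value):
    """Split a comma-separated Firefox URI list into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def uri_pref_problems(name, value):
    """Flag entries that match far more hosts than a single domain.
    Firefox treats an entry with a leading dot as a host-name suffix and anything
    else as a host or URL prefix; a bare dot or a one-label suffix is effectively a
    wildcard, so Firefox would try Kerberos against any site that asks for Negotiate."""
    problems = []
    for entry in entries(value):
        if entry == ".":
            problems.append(f"{name}: '.' matches every host")
        elif entry.startswith(".") and entry.count(".") < 2:
            problems.append(f"{name}: '{entry}' matches a whole top-level domain")
    return problems


def check_prefs(prefs):
    """Return all scoping problems; [] means the settings are as narrow as the article's."""
    problems = uri_pref_problems(TRUSTED, prefs.get(TRUSTED, ""))
    problems += uri_pref_problems(DELEGATION, prefs.get(DELEGATION, ""))
    # Delegating to a host Firefox does not even trust for Negotiate is a misconfiguration.
    trusted = set(entries(prefs.get(TRUSTED, "")))
    for d in entries(prefs.get(DELEGATION, "")):
        if d not in trusted:
            problems.append(f"{DELEGATION}: '{d}' is not also in {TRUSTED}")
    return problems


def to_user_js(prefs):
    """Render the preferences as user.js lines Firefox reads at startup."""
    lines = []
    for key, val in prefs.items():
        rendered = ("true" if val else "false") if isinstance(val, bool) else f'"{val}"'
        lines.append(f'user_pref("{key}", {rendered});')
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_user_js(PREFS))
    for p in check_prefs(PREFS):
        print("warning:", p)
```

Writing the output to user.js in the Firefox profile directory gives the same result as setting the values by hand in about:config; if your IPA web interface does not need to act on the user's behalf, leaving delegation-uris unset is the narrower choice.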
Install and Configure IPA client:
Install CentOS 5.2 and set up the IPA yum repository as described above.
Install the IPA client RPMs:
$ yum install ipa-client ipa-admintools
Add name servers to /etc/resolv.conf:
Configure the forward and reverse resolutions for the client hostname in the DNS server.
Install and set up the client:
If DNS discovery is configured correctly, the script should set up the client without any further prompting.
Test IPA client:
To test the IPA client, SSH into it as an IPA user and check the user ID and group ID using the id command.
$ id
uid=999(admin) gid=1001(admins) groups=1001(admins)
The "getent passwd" and "getent group" commands will also list the IPA user details and group details respectively.
What is most exciting about Red Hat Enterprise IPA 1.0 is that it lays the groundwork for future functionality. Red Hat Enterprise IPA version 1 is focused mainly on central management of users and authentication. Future versions will add central management of machine, virtual machine, and service identity. With IPA, an organization can comply with regulations, reduce risk, and thus become much more efficient. At present, you can manage your Linux/Unix users and their authentication centrally with an ease that was not available earlier, and in the future Red Hat IPA will also help you manage your Linux/Unix machines, services, policy, and audit information centrally.
For detailed documentation, refer to http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_IPA/.
For compiling IPA RPMs from source, refer to http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5.
About the Author:
Vishnu Ram holds an MTech in Communication Systems from IIT Madras. He joined Bobcares in 2003 and has been working for Poornam since then. He is currently the Information Security Manager of the company. His areas of interest are performance tuning, server monitoring, and security. In his spare time, Vishnu practices Karate, reads books, or listens to music.