FreeIPA

This page has been deprecated. You should refer to the Client Configuration Guide for links to the most up-to-date information.

Fedora 7, 8, and 9

This document distinguishes between commands to be run as root versus a regular user. Commands to be run as root are prefixed with a # symbol. Commands to be run as a regular user are prefixed with a $ symbol.

Note: Before starting the freeIPA installation, ensure that you update your system with all the latest packages.

1. freeIPA is currently only in the Fedora 7 and 8 updates-testing repository. It is in the regular repository for rawhide (Fedora 9). To install freeIPA you need to enable the updates-testing repository. You can do this either by editing the /etc/yum.repos.d/updates-testing.repo file, or on the command line, as shown in step 2:

2. Install the client and tools with:

# yum install --enablerepo=updates-testing ipa-client ipa-admintools

For Fedora 9 you do not need to include --enablerepo=updates-testing.

This should install all the dependencies as well.

3. If your IPA server was set up for DNS and is in the same domain as the client, add the server's IP address as a nameserver entry in the client's /etc/resolv.conf file, so that the client can discover the server through DNS.

Configuring Client Authentication

Note: The IPA client requires that an IPA server already exist.

1. Use the following command to set up the freeIPA client:

# ipa-client-install

The script should set up the IPA client without prompting for any further information.

When the script has finished configuring the freeIPA client, it will display information about the realm, DNS domain, IPA server, etc. You should see output similar to the following:

Discovery was successful!
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=com
Note: If your IPA server and client are not in the same domain, the setup script will prompt you for the information that it requires.

Red Hat Linux 2.1

Configuring Client Authentication

1. Ensure that the following packages are installed on the LDAP client machines:

  • openldap
  • openldap-clients
  • nss_ldap

2. Edit the /etc/slapd.conf file and include the following information:

  • The Base Distinguished Name (DN), also referred to as the suffix. For example:
"dc=example,dc=com"
  • The entry to be used for administrative access to the database (rootdn). For example:
"cn=root, dc=example, dc=com"
  • The password for that administrative DN (rootpw). The directive accepts a plain text password, but the value should be stored as a hash. For example:
{crypt}5UhYwQ9oJSKpT2
Generate the hash with the slappasswd command (which emits a salted SHA-1 {SSHA} value by default) or with the following perl command:
perl -e "print crypt('text-password','salt-string');"
Note that crypt() with a two-character salt is the traditional DES scheme, which is weak by today's standards; prefer slappasswd. Whichever form you use, restrict read access to the file: anyone who can read rootpw can bind as rootdn.
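An added example, not part of the original guide and not OpenLDAP or FreeIPA code: the following Python reproduces what slappasswd's default {SSHA} scheme does (base64 of sha1(password || salt) followed by the salt), so you can see what a hashed rootpw protects and check that the value you put in slapd.conf is a hash rather than clear text. The password, the salt handling and the list of scheme prefixes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme prefix OpenLDAP uses for salted SHA-1; it is what slappasswd emits by default.
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20

# Hash scheme prefixes slapd recognises in a rootpw (or userPassword) value.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64( sha1(password || salt) || salt ).

    slappasswd picks a random salt each time; the optional argument exists so
    the result can be reproduced in a test. Because every value carries its own
    salt, two identical passwords hash differently and a table precomputed for
    one of them says nothing about the other.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against a {SSHA} value the way slapd does on a simple bind."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:
        return False
    if len(raw) <= SHA1_LEN:          # a digest with no salt is not a valid {SSHA} value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison: a failed bind must not reveal how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def is_hashed(rootpw: str) -> bool:
    """True if a rootpw value is stored under a hash scheme rather than in clear text."""
    return rootpw.upper().startswith(KNOWN_SCHEMES)


if __name__ == "__main__":
    # Hypothetical password for the demonstration; never reuse a real rootpw here.
    value = make_ssha("text-password")
    print("rootpw", value)
    print("verifies:", check_ssha("text-password", value),
          "wrong password:", check_ssha("other", value))
    print("page's {crypt} example is hashed:", is_hashed("{crypt}5UhYwQ9oJSKpT2"))
```

The check in is_hashed is the one to run over your slapd.conf: a rootpw line that does not start with a scheme prefix is a clear-text password sitting on disk.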

3. Edit the /etc/ldap.conf file (create it if necessary), and set the appropriate values for the server hostname, ports, etc.

4. Edit the /etc/nsswitch.conf file and append "ldap" to the list of sources consulted for passwd, shadow, and group information (for example, "passwd: files ldap").

5. Run authconfig (text mode) or authconfig-gtk (GUI) and specify the LDAP server by its FQDN or IP.

Configuring Client TLS

The SSL/TLS settings are only required if you want to encrypt the connection between the clients and the server for operations such as account lookups. Without them, those lookups (and any password sent in a simple bind) cross the network in clear text.

To set up TLS on the clients:

1. While running authconfig, select "Use TLS to encrypt connections" after you choose the LDAP authentication domain.

2. Edit the /etc/ldap.conf file and update the SSL options:

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"

tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"

tls_cacertdir /etc/openldap/cacerts

3. Create a new file, /etc/ldap.secret, containing the clear text password for the Directory Manager user, and make it readable by root only (owner root, mode 0600). This password is used with the rootbinddn directive in /etc/ldap.conf so that the root user on the client machine can change passwords and have those changes written to the LDAP server. Be aware that every client holding this file holds the directory's administrative credential: a compromise of any such client is a compromise of the whole directory.

4. Edit the /etc/nsswitch.conf file and ensure that the entries for users, groups and all the other data to be read from the LDAP server contain the string "ldap" (as in "files ldap").

5. Copy the CA certificate from the server into /etc/openldap/cacerts on the client. It should be owned by user root, group root, and have permissions 0644.

6. Refer to the additional instructions in section 10c. (I couldn't find this reference in the source document. I don't know what it refers to.)

Testing the Configuration

You should test the client configuration to make sure that you can successfully connect to the IPA server.

Refer to Verifying the Client/Server Connection for details on how to test the various connection methods.

Red Hat Enterprise Linux 3, 4 and 5

Software Prerequisites

The following packages must be installed in order to successfully configure Red Hat Enterprise Linux 3, 4, and 5 systems to function as IPA clients:

  • authconfig
  • krb5-libs
  • krb5-workstation
  • pam_krb5
  • nss_ldap
  • openldap

To perform a graphical configuration, we recommend that you install the authconfig-gtk package.

These packages can be installed using the up2date client on Red Hat Enterprise Linux 3 and 4 and using the yum client on Red Hat Enterprise Linux 5. After the packages have been installed, the system is ready to be configured as an IPA client.

System Prerequisites

It is important that all IPA machines, servers, replicas and clients, have time synchronization correctly configured. Kerberos in particular will not function correctly if the time difference between machines is too great: by default MIT Kerberos rejects requests whose timestamps differ from the KDC's clock by more than five minutes (the clockskew setting), so run NTP on every IPA host.

Configuring Client Authentication

Using the Graphical Interface

1. Start the client configuration utility. The configuration utility command name will differ depending on the version of Red Hat Enterprise Linux that the client system is running:

# redhat-config-authentication (RHEL3)
# system-config-authentication (RHEL4 and 5)
Note: The above two commands require that a graphical interface, such as an X server, be installed and running on the system. For those systems that do not have an X server installed, use the authconfig command to access the configuration utility. The authconfig command can be used on RHEL 3, 4, and 5. Refer to Using the Text-Based Interface.

2. Configure the LDAP client.

IPA stores user information in LDAP, so you need to configure the LDAP client on the system so that it knows how to access information about users logging in to the system.
2.1 On the User Information tab, select Enable LDAP Support and clear all other options.
2.2 Click Configure LDAP and complete the required details for the LDAP server host name and base DN. For example, the base DN could be set to dc=example,dc=com and the server could be set to freeipa.example.com
2.3 If TLS is required, select Use TLS to encrypt connections.

3. Configure the krb5 client.

IPA uses MIT Kerberos to provide authentication for users, so you need to configure the krb5 client on the system.
3.1 On the Authentication tab, select Enable Kerberos Support, and clear all other options, such as LDAP and SMB authentication support, if they are selected.
3.2 Click Configure Kerberos and complete the details for the fields on that screen. For Realm, enter your Kerberos Realm information. For example, EXAMPLE.COM
3.3 Complete the information for the KDC. For IPA, this is the IPA server. For example, freeipa.example.com:88
3.4 Complete the information for the Admin Servers. Again, for IPA, this is the IPA server. For example, freeipa.example.com:749
3.5 Select the Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms checkboxes, and then click OK.
3.6 Refer to Completing the Kerberos Configuration to complete the Kerberos configuration.

[Figure: Using the graphical interface to configure authentication]

[Figure: Using the graphical interface to configure LDAP and Kerberos]

Using the Text-Based Interface

1. Start the client configuration utility.

# authconfig

2. In the User Information section, ensure that Use LDAP is selected, and that all other options are cleared.

3. In the Authentication section, ensure that Use Kerberos is selected, and that all other options are cleared.

4. On the LDAP Settings screen, complete the required details for the LDAP server host name and base DN. For example, the base DN could be set to dc=example,dc=com and the server could be set to ldap://freeipa.example.com

5. If TLS is required, select Use TLS.

6. On the Kerberos Settings screen, enter the following details:

  • Your Kerberos realm (for example, EXAMPLE.COM)
  • Your KDC information (for example, freeipa.example.com:88)
  • Your Admin Server information (for example, freeipa.example.com:749)

7. Select the Use DNS to resolve hosts to realms and Use DNS to locate KDCs for realms checkboxes, and then press Next.

8. Refer to Completing the Kerberos Configuration to complete the Kerberos configuration.

[Figure: Using the authconfig utility to configure LDAP and Kerberos]

Completing the Kerberos Configuration

Only a basic Kerberos configuration file is created as part of the Client Configuration Procedures described above. You need to perform the remaining configuration changes manually.

1. Modify the /etc/krb5.conf file on the client as shown below. Ensure that you replace the example values with those that apply to your deployment.

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = yes
 ticket_lifetime = 24h

[realms]
 EXAMPLE.COM = {
  kdc = freeipa.example.com:88
  admin_server = freeipa.example.com:749
  default_domain = example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
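As an added example (not from the original guide and not MIT Kerberos code), the following Python parses the krb5.conf above and applies the [domain_realm] matching order the krb5.conf manual describes: the exact host name first, then each parent domain with and then without its leading dot. This is where client mappings most often go wrong, because an entry without a leading dot also covers the hosts beneath it unless a dotted entry exists. The sample configuration is the one on this page; the parser is deliberately minimal and handles only this flat layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the client krb5.conf shown on this page.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = yes
 ticket_lifetime = 24h

[realms]
 EXAMPLE.COM = {
  kdc = freeipa.example.com:88
  admin_server = freeipa.example.com:749
  default_domain = example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: [section] headers and 'key = value' lines.

    A nested block such as 'EXAMPLE.COM = { ... }' is flattened to keys like
    'EXAMPLE.COM.kdc'. Includes, repeated keys and deeper nesting are not
    handled; this covers the layout shown on this page only.
    """
    sections: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    prefix = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            continue
        if line == "}":
            prefix = ""                        # end of a nested realm block
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            prefix = key + "."                 # start of a nested realm block
            continue
        if section is not None:
            sections[section][prefix + key] = value
    return sections


def host_to_realm(host: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Map a host name to a realm in the [domain_realm] order the krb5.conf manual gives.

    For 'a.b.c' the candidates are tried as 'a.b.c', '.b.c', 'b.c', '.c', 'c'.
    Returns None when nothing matches; the library then consults DNS TXT
    records if dns_lookup_realm is set.
    """
    lookup = {k.lower(): v for k, v in domain_realm.items()}
    candidate = host.rstrip(".").lower()
    while candidate:
        if candidate in lookup:
            return lookup[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]                          # '.b.c' -> 'b.c'
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""   # 'a.b.c' -> '.b.c'
    return None


def check_config(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Checks worth running before the first kinit; an empty list means nothing found."""
    problems: List[str] = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm not in {key.rsplit(".", 1)[0] for key in realms}:
        problems.append(f"default_realm {default_realm} has no [realms] entry")
    for key, value in realms.items():
        if key.endswith((".kdc", ".admin_server")):
            realm = key.rsplit(".", 1)[0]
            host = value.split(":")[0]
            if host_to_realm(host, domain_realm) != realm:
                problems.append(f"{host} ({key}) does not map to {realm} in [domain_realm]; "
                                "service tickets for it would be requested from the wrong realm")
    return problems
```

The second check matters for IPA because the server's own host and ldap service principals live in the IPA realm; if the [domain_realm] section does not cover the server's name, GSSAPI binds to it will ask the wrong realm for a ticket.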

Configuring Client TLS

The SSL/TLS settings are only required if you want to use SSL between the clients and the server when performing operations such as account lookups.

TLS Client Configuration for Linux clients is detailed at http://directory.fedora.redhat.com/wiki/Howto:SSL. Refer to this link if any additional information is required. The basic steps required are:

1. Modify the following in the /etc/ldap.conf file:

URI     ldap://freeipa.example.com
BASE dc=example,dc=com
HOST freeipa.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
Note:
Ensure that the directory you specify for TLS_CACERTDIR actually exists. Be aware that TLS_REQCERT allow makes the client continue even if the server presents no certificate, or one that fails verification: it encrypts the session but does not protect you against a host impersonating your server. Use it only while you are putting the CA certificate in place (steps 2 to 4), then change it to TLS_REQCERT demand (the default) so that a certificate that does not verify against your CA aborts the connection.

2. Export your CA certificate to ASCII using the certutil utility with -a option.

3. Install this certificate in the /etc/cacerts directory as follows:

# cp cacert.asc /etc/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0

The file name is the hash of the certificate's subject name with a ".0" extension (".1", ".2" and so on if several certificates share a hash). Compute the hash with the OpenSSL release that the client's LDAP library is linked against: OpenSSL 1.0.0 changed the subject hash algorithm, so a file named by a newer openssl will not be found by the older libraries on RHEL 3, 4 and 5, and vice versa.

4. If the TLS_CACERTDIR directive does not work, point at the CA certificate file directly with the following directive in /etc/ldap.conf (this is a configuration line, not a shell command; a leading # would turn it into a comment):

TLS_CACERT /etc/cacerts/cacert.asc

If more than one CA certificate is required, concatenate these certificates into a single file.
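As an added example (not part of the original guide), here is a small Python audit of the two client-side TLS configurations on this page: the nss_ldap/pam_ldap form from the Red Hat Linux 2.1 section (tls_checkpeer, tls_cacertdir, the ssl start_tls line that authconfig's "Use TLS" option writes) and the OpenLDAP library form in this section (TLS_REQCERT, TLS_CACERTDIR), plus a permissions check for /etc/ldap.secret. The sample configurations are constructed from the page's own snippets; the finding texts, the "hardened" variants and the demo_secret_file helper are this example's own and not FreeIPA code.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed samples. nss_ldap/pam_ldap style (/etc/ldap.conf), as shown on this page:
NSS_LDAP_AS_WRITTEN = """
# OpenLDAP SSL options
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""
# The same with the directive that actually turns TLS on for nss_ldap:
NSS_LDAP_HARDENED = "ssl start_tls\n" + NSS_LDAP_AS_WRITTEN

# OpenLDAP library style, as written on this page, and with verification enforced:
OPENLDAP_AS_WRITTEN = """
URI     ldap://freeipa.example.com
BASE dc=example,dc=com
HOST freeipa.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
"""
OPENLDAP_HARDENED = OPENLDAP_AS_WRITTEN.replace("TLS_REQCERT allow", "TLS_REQCERT demand")


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """'DIRECTIVE value' lines, '#' comments; directive names are case-insensitive in both files."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """Return findings, each prefixed with the directive at fault; an empty list means OK."""
    findings: List[str] = []
    nss_style = "ssl" in settings or "tls_checkpeer" in settings
    if nss_style:
        # nss_ldap: without 'ssl start_tls' (or 'ssl on') the tls_* lines never take effect.
        if settings.get("ssl", "off").lower() not in ("on", "start_tls"):
            findings.append("ssl: no 'ssl start_tls' directive, lookups and binds use clear-text LDAP")
        # tls_checkpeer defaults to 'no', which accepts any certificate.
        verifying = settings.get("tls_checkpeer", "no").lower() == "yes"
        if not verifying:
            findings.append("tls_checkpeer: not 'yes', the server certificate is never verified")
    else:
        # libldap: 'demand' is the default; never/allow/try all continue without a valid certificate.
        reqcert = settings.get("tls_reqcert", "demand").lower()
        verifying = reqcert in ("demand", "hard")
        if not verifying:
            findings.append(f"TLS_REQCERT: '{reqcert}' ignores server certificate failures, use demand")
    if verifying and not ("tls_cacert" in settings or "tls_cacertdir" in settings):
        findings.append("tls_cacert: verification requested but no TLS_CACERT/TLS_CACERTDIR configured")
    return findings


def audit_secret_file(path: str, expected_uid: int = 0) -> List[str]:
    """Check that the Directory Manager password file is owned by root and readable by root only."""
    st = os.stat(path)
    findings: List[str] = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {oct(mode)} is readable by group or other, expected 0600")
    return findings


def demo_secret_file(mode: int) -> List[str]:
    """Demonstration helper: audit a throwaway file with the given mode, owned by the current user."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"hypothetical-directory-manager-password\n")
        os.close(fd)
        os.chmod(path, mode)
        return audit_secret_file(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)
```

Run audit_tls over the file the client actually uses (on these releases /etc/ldap.conf for nss_ldap and pam_ldap, /etc/openldap/ldap.conf for the OpenLDAP tools); the page's configuration as written produces one finding in each form, and both clear once ssl start_tls and TLS_REQCERT demand are in place.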

Testing the Configuration

You should test the client configuration to make sure that you can successfully connect to the IPA server.

Refer to Verifying the Client/Server Connection for details on how to test the various connection methods.
