IPAv3_Configuration#

Overview#

This page describes the steps to configure IPA server.

Prerequisites#

Install IPA server.

Configuration#

% ipa-server-install
Server host name [ipa.example.com]:
Please confirm the domain name [example.com]:
Please provide a realm name [EXAMPLE.COM]:
Directory Manager password: Secret123
Password (confirm): Secret123
IPA admin password: Secret123
Password (confirm): Secret123

To restart IPA:

% ipactl restart

If you need to uninstall:

% ipa-server-install --uninstall

Verification#

% kinit admin
Password for admin@EXAMPLE.COM: Secret123

% klist

% ipa-finduser admin

Web UI#

Start Firefox, open http://ipa.example.com.

Open about:config, set the following parameters as follows:

network.auth.use-sspi: false
network.negotiate-auth.trusted-uris: .example.com.
network.negotiate-auth.delegation-uris: .example.com.

Go back to http://ipa.example.com, click Import the IPA Certificate Authority.

Click Configure Firefox button.

Reload the page.

LDAP Client#

Hostname: ipa.example.com
Port: 389
Bind DN: cn=Directory Manager
Password: Secret123

% ldapsearch -x -b dc=example,dc=com

% ldapsearch -Y GSSAPI -b dc=example,dc=com

Configure Listen Host#

% ldapmodify -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: cn=config
changetype: modify
replace: nsslapd-listenhost
nsslapd-listenhost: ipa.example.com
-
replace: nsslapd-securelistenhost
nsslapd-securelistenhost: ipa.example.com
-

Restart DS:

% service dirsrv restart

Configure Kerberos#

Edit /etc/krb5.conf:

[dbmodules]
  EXAMPLE.COM = {
  ...
    ldap_servers = ldap://ipa.example.com/
    ...
  }

Restart Kerberos:

% service krb5kdc restart

Enable Change Log#

Enable Retro Changelog plugin:

% ldapmodify -h ipa.example.com -p 389 -x -D "cn=Directory Manager" -w Secret123
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-