IPA and ActiveDirectory » History » Version 1

Joseph Foley, 2015-09-05 02:59

h1. IPA and ActiveDirectory

@njord.dev.ru.is@ now has CentOS 6.3 installed.  This page is a collaboration between RU's UTS and DevNet on how to set up trust relationships between IPA and Active Directory.  @stufur.dev.ru.is@ is running Windows Server 2008 with Active Directory installed.

h2. Proposed Testing Plan

# Create subdomain ipa.dev.ru.is
# Set njord.dev.ru.is to be the domain and IPA3 server for that subdomain
# Create subdomain ad.dev.ru.is
# Set stufur.dev.ru.is to be the AD 2008 server
# Create a cross-forest trust between the two services using Samba 4 (as per IPA)
# Put CentOS and Debian/Ubuntu clients into the ipa.dev.ru.is subdomain
# Put Windows clients into the ad.dev.ru.is domain
# Put a test AFS server into ad.dev.ru.is (to prepare for the UTS test case)
## Check that authentication against both subdomains works
# Investigate synchronization with the current DEV.RU.IS zone/cell
# Migrate the directory for DEV.RU.IS over to IPA2 (or 3)

h2. Reference

Currently IPA3 documentation appears to be missing, but V2 is close.

* FreeIPA
** Main page: http://freeipa.org/page/Main_Page
** IPA V3 Architecture: http://www.freeipa.org/page/IPAv3_Architecture
** Guide for IPA 2.2.0 on Fedora: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/index.html
* AD and AFS: http://wiki.openafs.org/win2008r2adaskdc/

h2. Procedure

Based on https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/index.html

# Installed @njord@ using the PXE server.  Installed CentOS 6.3 x64.
## Picked basic server
## Standard root password
# Logged in as root via ssh
# Make sure that @/etc/hosts@ does not map the IPA server's hostname to 127.0.0.1.  Instead it should point at the real IP address:
<pre>130.208.209.47 njord.dev.ru.is njord</pre>
# It is suggested that the IPA server be in a separate domain.  We don't bother for the moment.
# Use iptables to allow incoming connections on the relevant ports:
<pre>
# HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# LDAP
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# Kerberos
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
# DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# NTP
iptables -A INPUT -p udp --dport 123 -j ACCEPT
# Dogtag CA's LDAP instance
iptables -A INPUT -p tcp --dport 7389 -j ACCEPT
</pre>
# Make sure that the firewall @eir.dev.ru.is@ also allows these ports through.  Edit @/etc/shorewall/rules@:
<pre>## IPA server testing
ACCEPT net dmz:130.208.209.47 tcp http
ACCEPT net dmz:130.208.209.47 tcp https
ACCEPT net dmz:130.208.209.47 tcp ldap
ACCEPT net dmz:130.208.209.47 tcp ldaps
ACCEPT net dmz:130.208.209.47 tcp,udp kerberos
ACCEPT net dmz:130.208.209.47 tcp,udp kpasswd
ACCEPT net dmz:130.208.209.47 tcp,udp domain
ACCEPT net dmz:130.208.209.47 udp ntp
ACCEPT net dmz:130.208.209.47 tcp,udp 7389
</pre>
# Install the ipa-server packages.  This version also installs a bind nameserver:
<pre>yum -y install ipa-server bind bind-dyndb-ldap</pre>
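As an added example (not part of the original wiki page), a POSIX shell pre-flight check for the hosts-file and firewall steps above: it verifies that @/etc/hosts@ does not map the IPA host to 127.0.0.1 and that every port from the iptables step has a live ACCEPT rule, meaning one placed before the REJECT that ends the stock CentOS 6 INPUT chain, where rules appended with @-A@ would otherwise never match. The host name and address are the page's; the sample hosts files and rule dump are constructed.

```shell
#!/bin/sh
# Pre-flight checks for two settings the procedure above depends on: the /etc/hosts
# entry for the IPA server and the INPUT ports it must accept. Host name and IP are
# from the page; the sample files are constructed.
IPA_FQDN="njord.dev.ru.is"
IPA_IP="130.208.209.47"
# Required proto:port pairs; udp 123 is NTP, tcp 7389 the Dogtag CA's LDAP instance.
REQUIRED_PORTS="tcp:80 tcp:443 tcp:389 tcp:636 tcp:88 udp:88 tcp:464 udp:464 tcp:53 udp:53 udp:123 tcp:7389"

# check_hosts FILE: 0 if FILE maps IPA_IP to IPA_FQDN and never maps the FQDN to 127.0.0.1
check_hosts() {
    fqdn_re=$(printf '%s' "$IPA_FQDN" | sed 's/\./\\./g')   # escape dots for grep -E
    ip_re=$(printf '%s' "$IPA_IP" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*127\.0\.0\.1[[:space:]](.*[[:space:]])?$fqdn_re([[:space:]]|$)" "$1"; then
        echo "FAIL: $IPA_FQDN maps to 127.0.0.1 in $1; IPA would bind its services to loopback" >&2
        return 1
    fi
    grep -Eq "^[[:space:]]*$ip_re[[:space:]]+$fqdn_re([[:space:]]|$)" "$1" ||
        { echo "FAIL: no '$IPA_IP $IPA_FQDN' entry in $1" >&2; return 1; }
}

# missing_ports FILE: print each required proto:port without a live ACCEPT rule in an
# 'iptables -S INPUT' dump saved in FILE; exit status 1 if anything is missing.
missing_ports() {
    # Only rules before the chain's first REJECT can match: stock CentOS 6 ends INPUT
    # with one, so rules appended with -A land after it and are dead.
    live=$(awk '/-j REJECT/ { exit } { print }' "$1")
    rc=0
    for pp in $REQUIRED_PORTS; do
        proto=${pp%%:*}; port=${pp##*:}
        printf '%s\n' "$live" | grep -Eq -e "^-A INPUT -p $proto .*--dport $port .*-j ACCEPT" ||
            { echo "$pp"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs (not captured from njord).
GOOD_HOSTS=$(mktemp); BAD_HOSTS=$(mktemp); RULES=$(mktemp)
printf '127.0.0.1 localhost\n%s %s njord\n' "$IPA_IP" "$IPA_FQDN" > "$GOOD_HOSTS"
printf '127.0.0.1 localhost %s njord\n' "$IPA_FQDN" > "$BAD_HOSTS"
# INPUT chain ending in the stock REJECT, with the NTP rule appended after it and 7389 missing.
{ for p in 80 443 389 636 88 464 53; do echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"; done
  for p in 88 464 53; do echo "-A INPUT -p udp -m udp --dport $p -j ACCEPT"; done
  echo "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
  echo "-A INPUT -p udp -m udp --dport 123 -j ACCEPT"; } > "$RULES"

check_hosts "$GOOD_HOSTS" && echo "hosts file OK"
check_hosts "$BAD_HOSTS" || echo "loopback misconfiguration detected as expected"
echo "ports still to open (before the REJECT): $(missing_ports "$RULES" | tr '\n' ' ')"
```

On a real host, run @check_hosts /etc/hosts@ and @iptables -S INPUT > rules.txt; missing_ports rules.txt@ as root after the iptables step.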