The most important thing is to configure NTP time synchronization; otherwise clock skew against other servers will cause authentication failures!!!
CentOS 8
# Configuration requirements
Memory: 4G (preferably 8G)
CPU: 4 cores
Hard disk: 500G
# Set the local time zone
The software assumes UTC, so it is best not to set the system to the domestic (local) time zone
timedatectl set-timezone UTC
#Upgrade kernel and software
yum -y update
1. Preparation
a. Set static IP
Refer to the common commands for setting a static IP
b. Set the host name
hostnamectl set-hostname yin.111.com
c. Edit the hosts file
vi /etc/hosts
Fill in the local IP address and host name
d. Close selinux and firewall
setenforce 0
vim /etc/selinux/config
# Change SELINUX=enforcing to SELINUX=disabled
systemctl stop firewalld
systemctl disable firewalld
# If you prefer not to stop the firewall, open the FreeIPA services instead (a --permanent rule only takes effect after a reload)
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
firewall-cmd --reload
e. Configure the random number generator
Next we will configure the random number generator in CentOS. This lets FreeIPA perform the cryptographic operations it needs to authenticate.
Setting up FreeIPA requires a lot of random data for its cryptographic operations. By default, a virtual machine quickly runs out of random data (entropy). To solve this problem, we use the rngd daemon, which takes data from hardware random-number sources on the server and feeds it into the kernel's random number generator.
yum -y install rng-tools
systemctl start rngd
systemctl enable rngd
systemctl status rngd
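A preflight check for steps b and c above (host name and /etc/hosts), added here as an example and not part of the original post. It uses the host name and IP from the post (ipa.trunk.tech, 192.168.3.109) only as constructed sample data; the loopback rule reflects ipa-server-install refusing a host name that resolves to 127.0.0.1.

```shell
#!/bin/sh
# Added preflight check for the host name / /etc/hosts step of the FreeIPA install.
# hosts_entry_ok FILE FQDN IP -> 0 if FILE maps FQDN to IP on a non-loopback line
# (ipa-server-install refuses a host name that resolves to 127.0.0.1 or ::1), else 1.
hosts_entry_ok() {
    awk -v ip="$3" -v fqdn="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++) if ($i == fqdn) {
                if ($1 == ip) found = 1
                if ($1 ~ /^127\./ || $1 == "::1") loop = 1
            }
        }
        END { if (found && !loop) exit 0; exit 1 }
    ' "$1"
}

# is_fqdn NAME -> 0 when NAME contains a dot and no empty labels, else 1.
# FreeIPA requires a fully qualified host name; a bare "ipa" makes the installer bail out.
is_fqdn() {
    case $1 in
        .*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight FILE FQDN IP -> 0 only if both checks pass; prints what failed.
preflight() {
    rc=0
    is_fqdn "$2" || { echo "host name '$2' is not fully qualified"; rc=1; }
    hosts_entry_ok "$1" "$2" "$3" || { echo "$1 must map $2 to $3 (and not to loopback)"; rc=1; }
    return $rc
}

# Constructed sample hosts files (demo data, not a live system).
GOOD_HOSTS=$(mktemp) BAD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1     localhost localhost.localdomain
192.168.3.109 ipa.trunk.tech ipa   # static IP and FQDN, like the post's hosts entry
EOF
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1     localhost ipa.trunk.tech ipa   # FQDN on the loopback line: installer rejects this
EOF

preflight "$GOOD_HOSTS" ipa.trunk.tech 192.168.3.109 && echo "preflight OK"
preflight "$BAD_HOSTS" ipa.trunk.tech 192.168.3.109 || echo "preflight FAILED (expected for the bad file)"
```

On the real server, run preflight /etc/hosts "$(hostname -f)" <static IP> before ipa-server-install.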
2. Install freeipa
a. Enable idm:DL1 repository
By default, the FreeIPA package is not available in the CentOS standard repositories. Therefore, you will need to enable the idm:DL1 repository in your system.
dnf -y module enable idm:DL1
Next, sync the repository with the following command:
dnf -y distro-sync
b. Installer and dependencies
yum install -y ipa-server bind bind-dyndb-ldap ipa-server-dns
c. Configure freeipa after installation
Configure with the following command
ipa-server-install
Do you want to configure integrated DNS (BIND)? [no]: no
Server host name: press Enter to accept the default host name
Set directory manager password
Set IPA administrator password
Do you want to configure chrony with NTP server or pool address? [no]: no
Continue to configure the system with these values? [no]: yes
Creating the CA instance is very slow and may fail. If it fails, the only remedy is to uninstall and reinstall.
I ran into an error here: the dbus service was abnormal
Restart the dbus service
systemctl restart dbus.service
systemctl restart dbus.socket
Uninstall FreeIPA first, then reinstall it
ipa-server-install --uninstall
Execute the installation command again
ipa-server-install
If there is no error message, the installation is successful
3. Verify the FreeIPA service function
a. First, verify that the Kerberos realm is properly installed by attempting to initialize a Kerberos token for the admin user.
Obtain a ticket for the admin user, run klist, and check the ticket's validity period
kinit admin
klist
b. Verify that the IPA server is running normally
ipa user-find admin
4. Log in to the web interface
Enter the server's address in a browser to access the web interface
To access it from other computers, first configure the hosts file
a. Windows 10: add the following line to C:\Windows\System32\drivers\etc\hosts
192.168.3.109 ipa.trunk.tech ipa
b. Linux system
vi /etc/hosts
Fill in the FreeIPA server's IP address and host name