content:serverbasics:docker-freeipa
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.
| Beide Seiten, vorherige ÜberarbeitungVorherige ÜberarbeitungNächste Überarbeitung | Vorherige Überarbeitung | ||
| content:serverbasics:docker-freeipa [2025/06/05 23:38] – [Docker composer] obel1x | content:serverbasics:docker-freeipa [2026/03/06 16:39] (aktuell) – [Setup Sudoers with FreeIPA/SSSD] obel1x | ||
|---|---|---|---|
| Zeile 110: | Zeile 110: | ||
| </ | </ | ||
| - | The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.: | + | The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[: |
| __**STRONG ADVISE: Do not open Ports of your firewall of the services Kerberos, LDAP or DNS until you configured everything first, otherwise your Server will be very insecure at this stage!**__ | __**STRONG ADVISE: Do not open Ports of your firewall of the services Kerberos, LDAP or DNS until you configured everything first, otherwise your Server will be very insecure at this stage!**__ | ||
| - | |||
| - | |||
| ===== Caddyfile ===== | ===== Caddyfile ===== | ||
| Zeile 138: | Zeile 136: | ||
| As the internal Certificate of FreeIPA will be self-signed, | As the internal Certificate of FreeIPA will be self-signed, | ||
| - | ===== Encryption | + | ===== Certificate- Setup - SSL for LDAP and Kerberos |
| First thing you should do, is to secure the (Kerberos and LDAP)- ports with the certificate from letsenrcypt that Caddy gave you when openining the Webservice for IPA at [FQDN_HOSTNAME]. Without those matching certificates in place, Kerberos later won't accept the self signed- certificates that FreeIPA will create during install. | First thing you should do, is to secure the (Kerberos and LDAP)- ports with the certificate from letsenrcypt that Caddy gave you when openining the Webservice for IPA at [FQDN_HOSTNAME]. Without those matching certificates in place, Kerberos later won't accept the self signed- certificates that FreeIPA will create during install. | ||
| Zeile 194: | Zeile 192: | ||
| **Caution: Not renewing those Certificates will LOCK YOU OUT OF FREEIPA COMPLETEY with NOT OPTION to correct that after the certificates have expired!** | **Caution: Not renewing those Certificates will LOCK YOU OUT OF FREEIPA COMPLETEY with NOT OPTION to correct that after the certificates have expired!** | ||
| + | |||
| + | |||
| ==== Explanation of the Commands, Checks and Debugging ==== | ==== Explanation of the Commands, Checks and Debugging ==== | ||
| Zeile 585: | Zeile 585: | ||
| </ | </ | ||
| - | After that, go on with the next chapter https:// | + | After that, go on with the next chapter |
| ---- | ---- | ||
| Zeile 609: | Zeile 609: | ||
| As the time beeing, there is no official Package for Leap 15.6. So you may use mine: | As the time beeing, there is no official Package for Leap 15.6. So you may use mine: | ||
| + | < | ||
| - | < | ||
| zypper addrepo https:// | zypper addrepo https:// | ||
| zypper refresh | zypper refresh | ||
| Zeile 620: | Zeile 620: | ||
| </ | </ | ||
| - | |||
| === Integrate to the Domain === | === Integrate to the Domain === | ||
| Zeile 657: | Zeile 656: | ||
| You should frist check on non-graphical terminal if this will work, because errors will be shown there. Good Luck. | You should frist check on non-graphical terminal if this will work, because errors will be shown there. Good Luck. | ||
| - | |||
| ==== Setup your Browser to trust your IPA-Server ==== | ==== Setup your Browser to trust your IPA-Server ==== | ||
| Zeile 665: | Zeile 663: | ||
| Go to your IPAs ipa.domain.tld/ | Go to your IPAs ipa.domain.tld/ | ||
| - | For me, the Button '' | + | For me, the Button '' |
| Than open Firefox settings, Privacy and Security, Authorities- Tab and select Import. Use the downloaded file and select all Checkboxes. This installs your IPA- Authority to your Browser as trusted CA. | Than open Firefox settings, Privacy and Security, Authorities- Tab and select Import. Use the downloaded file and select all Checkboxes. This installs your IPA- Authority to your Browser as trusted CA. | ||
| Zeile 674: | Zeile 672: | ||
| If not, check if your klist shows some vaild Tickets. Otherwise inspect if this works: | If not, check if your klist shows some vaild Tickets. Otherwise inspect if this works: | ||
| - | |||
| < | < | ||
| + | |||
| HOSTNAME:~ # kinit admin | HOSTNAME:~ # kinit admin | ||
| Password for admin@DOMAIN.TLD: | Password for admin@DOMAIN.TLD: | ||
| Zeile 692: | Zeile 690: | ||
| This is quite a cool feature to have client admin- users managed by putting them in an IPA- group. When Loggin in with SSSD they will get added to the sudoers, making them admin on the given machines. Check this out: [[https:// | This is quite a cool feature to have client admin- users managed by putting them in an IPA- group. When Loggin in with SSSD they will get added to the sudoers, making them admin on the given machines. Check this out: [[https:// | ||
| + | |||
| + | ==== Additional Groups ==== | ||
| + | |||
| + | You can also add System- Groups in IPA, that the client may have. E.g. a very nice group to have, would be a group named " | ||
| + | |||
| + | You can add the clientadmins- group to the wheel- group so all users of the clientadmins group will be in wheel to (check in IPA with the " | ||
| ===== Next Steps ===== | ===== Next Steps ===== | ||
| - | Next, you can integrate a Middleware for Authentication. You could, but you should NOT use FreeIPAs LDAP- Service directly as Authentication- Source for anything, as LDAP is very costy and would not deliver all needed APIs e.g. for SSO. This is part of your Middleware, so checkout [[.: | + | Next, you can integrate a Middleware for Authentication. You could, but you should NOT use FreeIPAs LDAP- Service directly as Authentication- Source for anything, as LDAP is very costy and would not deliver all needed APIs e.g. for SSO. This is part of your Middleware, so checkout [[: |
| + | |||
| + | ===== Special Annotations ===== | ||
| + | |||
| + | Here are some Points, tha may be relevant in special Cases. | ||
| + | |||
| + | ==== Backup and Restore ==== | ||
| + | |||
| + | If you ever need to restore your IPA- Volumes (wihcih may be for e.g. after broken Updates), be very careful about ownership of the files. IPA contains many Services, that are critical about which user owns the configurationfiles. When you are Backing up with Nextclouds-Borg, | ||
| + | |||
| + | Here are a few special files and users to pay attention to: | ||
| + | |||
| + | User Dirsrv | ||
| + | |||
| + | < | ||
| + | # chgrp named / | ||
| + | # chown named:named / | ||
| + | # chown root:named -R -h -L / | ||
| + | # chown named:named -R -h -L / | ||
| + | |||
| + | # chown dirsrv: | ||
| + | # chown dirsrv: | ||
| + | # chown dirsrv: | ||
| + | |||
| + | # chown root: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | # chown pkiuser: | ||
| + | |||
| + | # chown root:named -h -L / | ||
| + | |||
| + | # chown root:ipaapi / | ||
| + | |||
| + | </ | ||
| + | |||
| + | so e.g.: | ||
| + | |||
| + | < | ||
| + | # ls -lZ / | ||
| + | -rw——-. dirsrv dirsrv system_u: | ||
| + | |||
| + | </ | ||
content/serverbasics/docker-freeipa.1749159488.txt.gz · Zuletzt geändert: von obel1x