Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics:docker-freeipa [2025/12/07 10:34] – obel1x
+++ content:serverbasics:docker-freeipa [2026/03/06 16:39] (aktuell) – [Setup Sudoers with FreeIPA/SSSD] obel1x
@@ Zeile 136: / Zeile 136: @@
 As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxied by Caddy, so there will be NO insecured Connections to the net.
-===== Encryption =====
+===== Certificate- Setup - SSL for LDAP and Kerberos =====
 First thing you should do, is to secure the (Kerberos and LDAP)- ports with the certificate from letsenrcypt that Caddy gave you when openining the Webservice for IPA at [FQDN_HOSTNAME]. Without those matching certificates in place, Kerberos later won't accept the self signed- certificates that FreeIPA will create during install.
@@ Zeile 192: / Zeile 192: @@
 **Caution: Not renewing those Certificates will LOCK YOU OUT OF FREEIPA COMPLETEY with NOT OPTION to correct that after the certificates have expired!**
 ==== Explanation of the Commands, Checks and Debugging ====
@@ Zeile 688: / Zeile 690: @@
 This is quite a cool feature to have client admin- users managed by putting them in an IPA- group. When Loggin in with SSSD they will get added to the sudoers, making them admin on the given machines. Check this out: [[https://www.howtoforge.de/anleitung/wie-integriere-ich-sudoers-in-den-freeipa-server/|https://www.howtoforge.de/anleitung/wie-integriere-ich-sudoers-in-den-freeipa-server/]]
+==== Additional Groups ====
+You can also add System- Groups in IPA, that the client may have. E.g. a very nice group to have, would be a group named "wheel". That group enables all users in it to install Software without beeing asked for a password.
+You can add the clientadmins- group to the wheel- group so all users of the clientadmins group will be in wheel to (check in IPA with the "indirect members" view, if wheel has all users, which clientsadmins has as "direct members" to make it work !).
 ===== Next Steps =====
 Next, you can integrate a Middleware for Authentication. You could, but you should NOT use FreeIPAs LDAP- Service directly as Authentication- Source for anything, as LDAP is very costy and would not deliver all needed APIs e.g. for SSO. This is part of your Middleware, so checkout [[:content:serverbasics:docker-authentik|]] to read further.
+===== Special Annotations =====
+Here are some Points, tha may be relevant in special Cases.
+==== Backup and Restore ====
+If you ever need to restore your IPA- Volumes (wihcih may be for e.g. after broken Updates), be very careful about ownership of the files. IPA contains many Services, that are critical about which user owns the configurationfiles. When you are Backing up with Nextclouds-Borg, you CANNOT restore those files 1:1 from your Host itself - as this may destroy ownerships.
+Here are a few special files and users to pay attention to:
+User Dirsrv
+<code>
+# chgrp named /data/etc/named.conf
+# chown named:named /etc/named.keytab
+# chown root:named -R -h -L /data/etc/named
+# chown named:named -R -h -L /data/var/named
+# chown dirsrv:dirsrv -R -h -L /data/var/lib/dirsrv
+# chown dirsrv:dirsrv -R -h -L /data/var/log/dirsrv
+# chown dirsrv:dirsrv -R -h -L /data/etc/dirsrv
+# chown root:pkiuser /data/var/lib/ipa/pki-ca/publish -h -L
+# chown pkiuser:pkiuser /data/var/lib/ipa/pki-ca/publish/* -h -L
+# chown pkiuser:pkiuser /data/etc/sysconfig/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/sysconfig/pki/tomcat/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/var/lib/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/var/log/pki/pki-tomcat -h -L -R
+# chown root:named -h -L /etc/rndc.key
+# chown root:ipaapi /data/var/lib/ipa/ra-agent.* -h -L
+</code>
+so e.g.:
+<code>
+# ls -lZ /etc/dirsrv/ds.keytab
+-rw——-. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/ds.keytab
+</code>