FreeIPA Introduction

Filip Pytloun

What is FreeIPA?

Authentication vs. Authorization

A little sidenote on naming:

Authentication is the process of ascertaining that somebody really is who he claims to be.

Authorization refers to rules that determine who is allowed to do what.

FreeIPA Server Components

LDAP

uid=admin,cn=users,cn=accounts,dc=example,dc=com

^- dn (distinguished name = absolute address) of the admin user

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLastSuccessfulAuth: 20160229111009Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20160223145934Z

memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
...

objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys

uid: admin
krbPrincipalName: admin@EXAMPLE.COM
cn: Administrator
sn: Administrator
uidNumber: 96400000
gidNumber: 96400000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

LDAP client usage

# -D   Bind DN
# -w   bind password (use -W instead to be prompted, so the password
#      does not end up in shell history or the process list)
# -b   Base DN
# -h   host to bind to
# -ZZ  use and enforce TLS (non-encrypted binds may be disabled)
# last argument: search filter
ldapsearch \
 -D uid=apache,cn=users,cn=accounts,dc=example,dc=com \
 -w somesecretpassword \
 -b dc=example,dc=com \
 -h idm01.example.com \
 -ZZ \
 "(uid=admin)"

Kerberos

Architecture

Example service - Apache

It may also be necessary to authorize users by group membership. This can be achieved with the mod_authnz_ldap module.

Unfortunately, it doesn't support GSSAPI LDAP bind, so we need to bind with a password.

# Bind as a dedicated service account (see the apache user above)
AuthLDAPBindDN "uid=apache,cn=users,cn=accounts,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
# Several servers may be listed, separated by spaces; the user is looked up
# by the krbPrincipalName attribute
AuthLDAPURL "ldaps://idm01.example.com idm02.example.com/dc=example,dc=com?krbPrincipalName"
# Only members of the docs group are allowed in
Require ldap-attribute memberOf="cn=docs,cn=groups,cn=accounts,dc=example,dc=com"
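The check behind Require ldap-attribute memberOf=..., as an added Python example (not code from these slides, FreeIPA or Apache): it parses an LDIF entry like the admin entry shown in the LDAP section and decides whether that user belongs to a given group DN. The LDIF text is constructed for the example; the base64 line is included to exercise that part of the format.

```python
import base64
from collections import defaultdict

# Constructed entry modelled on the admin user from the slides
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLoginFailedCount: 0
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,
 dc=example,dc=com
uid: admin
krbPrincipalName: admin@EXAMPLE.COM
gecos:: QWRtaW5pc3RyYXRvcg==
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded lines (leading space) are joined to the previous line and
    "attr:: <b64>" values are base64-decoded. Attribute names are
    lower-cased because LDAP attribute types are case-insensitive.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry[attr.lower()].append(value)
    return dict(entry)


def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs that differ only in case or
    spacing compare equal (escaped commas in values are not handled)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_member(entry, group_dn):
    """True if any memberOf value of the entry names the given group DN."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in entry.get("memberof", []))
```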

NTP

Another FreeIPA service is NTP (Network Time Protocol).

It's very important to have the clocks in sync on all Kerberos-integrated machines, because tickets are timestamped.

If you experience any trouble with Kerberos, check that your clock is in sync with the clock on the server.

DNS

DNS dynamic updates

# Set the server explicitly, otherwise nsupdate uses the NS records
# (which may point only to DNS slaves)
server idm01.example.com
# First delete the old records
update delete doc.example.com. IN A
update delete doc.example.com. IN AAAA
send
# Also delete the reverse record
update delete 82.98.22.185.in-addr.arpa. PTR
send

# Set the A record for the given zone
update add doc.example.com. 1800 IN A 185.22.98.82
send
# ...and the same for the reverse record
update add 82.98.22.185.in-addr.arpa. 1800 PTR doc.example.com.
send

FreeIPA Client

PAM Framework

Name Service Switch

FreeIPA Management

Example client

Add hosts

Client join

After that, the client is enrolled: it can kinit and authenticate to other services (e.g. to update DNS records).

Add services

Keytab for webserver

Now we can simply obtain keytabs for our HTTP service.

Hostgroups

# Create the hostgroup first, then add hosts to it
# (hostgroup-add does not take --hosts; hostgroup-add-member does)
ipa hostgroup-add fpy-servers --desc="fpy web servers"
ipa hostgroup-add-member fpy-servers --hosts=web01.fpy.vpc20.cloudlab.cz,fpy-web.example.com

Role-Based Access Control

Sudo rules

Next topics

Advanced

Reference
