Introduction
Red Hat Identity Management Server is a centralized identity management server for Linux, Mac and Windows.
In this post we are going to set up and configure an HA deployment of Red Hat IDM on two RHEL 7.x servers.
Red Hat Identity Management Server is based on the upstream project, FreeIPA.
Prerequisites
Only a couple of prerequisites are needed for a simple lab setup.
- You need working DNS with forward and reverse entries for both IDM servers
- NSCD needs to be disabled on each IDM server
- A proper hostname needs to be set on each IDM node (you cannot use localhost)
- IPv6 needs to be enabled, but you do not need to have an IPv6 address on external interfaces
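The four prerequisites above are easy to check by hand and just as easy to forget; the script below is an added pre-flight check (not part of the original post) that tests each of them on the node it runs on. It assumes a RHEL 7 host with getent, awk and systemctl available; the sysctl path used for the IPv6 check is the kernel's disable_ipv6 node, passed as a parameter only so the check can be exercised against a file.

```shell
#!/bin/sh
# Pre-flight checks for an IdM node (added example). Each check returns 0 when
# the prerequisite is met and 1 otherwise.

# valid_fqdn NAME: hostname must be fully qualified and must not be localhost.
valid_fqdn() {
    case "$1" in
        localhost|localhost.localdomain|"") return 1 ;;   # rejected by the installer
        *.*) return 0 ;;                                   # has a domain part
        *) return 1 ;;                                     # short name only
    esac
}

# ipv6_enabled [FILE]: IPv6 must not be disabled in the kernel. FILE defaults to
# the real sysctl node; a value of 0 there means IPv6 is enabled.
ipv6_enabled() {
    f=${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    [ -r "$f" ] || return 1                   # no IPv6 stack at all
    [ "$(cat "$f")" = "0" ]
}

# nscd_inactive: the nscd service must not be running.
nscd_inactive() {
    if command -v systemctl >/dev/null 2>&1; then
        ! systemctl is-active --quiet nscd
    else
        ! pgrep -x nscd >/dev/null 2>&1
    fi
}

# dns_consistent NAME: forward lookup must yield an address whose reverse
# lookup returns NAME again (forward and reverse entries must agree).
dns_consistent() {
    ip=$(getent hosts "$1" | awk 'NR==1{print $1}')
    [ -n "$ip" ] || return 1
    getent hosts "$ip" | awk -v n="$1" 'BEGIN{f=1} {for(i=2;i<=NF;i++) if($i==n) f=0} END{exit f}'
}

# preflight HOST: run every check and report; exits non-zero on any failure.
preflight() {
    rc=0
    valid_fqdn "$1"     && echo "hostname ok: $1" || { echo "FAIL: hostname must be a FQDN, not localhost" >&2; rc=1; }
    ipv6_enabled        && echo "ipv6 ok"         || { echo "FAIL: IPv6 is disabled" >&2; rc=1; }
    nscd_inactive       && echo "nscd ok"         || { echo "FAIL: nscd is running" >&2; rc=1; }
    dns_consistent "$1" && echo "dns ok"          || { echo "FAIL: forward/reverse DNS mismatch for $1" >&2; rc=1; }
    return $rc
}
```

Run it as `preflight "$(hostname -f)"` on each node before installing; a non-zero exit means one of the prerequisites is not met and the installer would fail later with a less obvious message.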
Firewall Configuration
Firewalld needs to be running and enabled. Iptables should be disabled and stopped.
The following ports/services need to be allowed on each node.
| Service | Ports | Protocol |
|---|---|---|
| HTTP/HTTPS | 80, 443 | TCP |
| LDAP/LDAPS | 389, 636 | TCP |
| Kerberos | 88, 464 | TCP and UDP |
| DNS | 53 | TCP and UDP |
| NTP | 123 | UDP |
Run the following command to open these ports (the UDP entries for Kerberos, DNS and NTP are included to match the table above).
# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
Now reload firewalld
# firewall-cmd --reload
Now verify that the ports are open
# iptables -L
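Reading `iptables -L` by eye is error prone, so here is an added helper (not from the original post) that drives firewall-cmd with the required port list and then diffs the live `firewall-cmd --list-ports` output against it. It assumes firewalld is the active firewall, as the section above requires, and that `--list-ports` prints the open ports space-separated on one line.

```shell
#!/bin/sh
# Required IdM ports, derived from the table above (added example).
IDM_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# missing_ports LISTED: LISTED is the output of `firewall-cmd --list-ports`.
# Prints every required port that is absent, one per line; prints nothing when
# the firewall already allows the full set.
missing_ports() {
    listed=" $1 "
    for p in $IDM_PORTS; do
        case "$listed" in
            *" $p "*) ;;                 # already open
            *) printf '%s\n' "$p" ;;     # missing
        esac
    done
}

# open_idm_ports: add the required set to the permanent configuration and reload.
open_idm_ports() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    for p in $IDM_PORTS; do
        firewall-cmd --permanent --add-port="$p" >/dev/null || return 1
    done
    firewall-cmd --reload >/dev/null
}

# verify_idm_ports: compare the runtime configuration with the required set.
verify_idm_ports() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    missing=$(missing_ports "$(firewall-cmd --list-ports)")
    if [ -n "$missing" ]; then
        echo "missing ports:" >&2
        printf '%s\n' "$missing" >&2
        return 1
    fi
    echo "all IdM ports open"
}
```

Run `open_idm_ports` and then `verify_idm_ports` on each node; the verify step is the one worth keeping around, since it catches a node where only the TCP ports were opened (Kerberos and DNS clients silently fall back, so that mistake shows up as intermittent failures rather than a clear error).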
Installing Packages
This procedure, as documented, will configure the following
- IDM installed without integrated DNS
- IDM with IDM CA as the root CA (default)
Note, as stated above, we are not going to integrate our IDM install with DNS, however if you are interested in this please refer to the following document.
On the first cluster node run the following command.
# yum install ipa-server
Again, on the same node as above, run the following command.
# ipa-server-install
You will be prompted to configure integrated DNS via BIND – select no.
Next, you will be prompted to enter the host name of your server. In this instance our hostname is idm1.lab.localdomain.
Next, you will be prompted to enter a realm name; we will use our domain name here.
We now need to enter a password for the Directory Manager.
Next, you will need to enter a password for the IPA admin user.
Next, enter “Yes” to confirm.
Allow the install time to run.
Initial Testing
Run the following command and enter the admin password.
# kinit admin
Password for admin@LAB.LOCALDOMAIN:
Now run “ipa user-find admin”. If this command returns the expected output (shown below), you now have a functional IDM server.
# ipa user-find admin
————–
1 user matched
————–
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@LAB.LOCALDOMAIN
UID: 1550800000
GID: 1550800000
Account disabled: False
—————————-
Number of entries returned 1
—————————-
Accessing the WebUI
In your browser of choice, navigate to the following url. Modify the url to fit your environment.
https://<FQDN_of_idm_server>/ipa/ui
Log in using the admin credentials.
HA: Setting up an IDM Replica Server
Replicas share internal user info, along with servers and certificates. Data is kept in sync between servers by a process called replication (duh). Before we move forward, let's define a few terms in the context of IDM.
- Server: An IDM server. Manages all IDM services.
- Replica: basically a copy of a server; once in sync, it is identical to a server
- Clients: belong to the Kerberos domain and consume services
You can read more about servers and replicas here. There are a number of prerequisites and assumptions that are worth reading about. We are not going to go into them here.
Preparing a Replica
First and foremost, you will need to configure your replica server to have the same firewall ports open (see above), and you will need to ensure that the ipa-server package is installed.
Below we are going to install the ipa-server package and its dependencies. Ensure that you are installing the same package versions between both hosts.
[root@idm2 ~]# yum install ipa-server
Note that you are not going to run the ipa-server-install script on this host.
Adding the Replica as an IDM Client
Before you can add a replica, you must first add it as an IPA (IDM) client. As you can see the command below is run on the replica-to-be. There are other options for the command below, but since we have not integrated with DNS we will keep things simple.
[root@idm2 ~]# ipa-client-install
You will be prompted for your IPA/IDM admin id and password.
We can validate with the command below.
[root@idm2 ~]# getent passwd admin
admin:*:1550800000:1550800000:Administrator:/home/admin:/bin/bash
In the WebUI you should now see both the original IDM host and the future replica.
Running the Replica Install
Once our replica server has been added as an IDM client, we are free to configure it as a replica.
Run the command below on the replica-to-be.
[root@idm2 ~]# ipa-replica-install
Replicating CA Service
As the replica installer's output shows, the CA service is not automatically replicated, so we must also run “ipa-ca-install” on the replica server [idm2.lab.localdomain].
[root@idm2 ~]# ipa-ca-install
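Once both nodes are up, the checks from the Initial Testing section and the replica topology are worth confirming from each server rather than trusting the installer's exit status. The script below is an added example (not from the original post) that parses the `ipa user-find` output shown earlier and the output of `ipa-replica-manage list`; it assumes the latter prints one `host: role` line per server, which is the format on RHEL 7, and that you already hold an admin Kerberos ticket from `kinit admin`.

```shell
#!/bin/sh
# Post-install HA check for an IdM pair (added example).

# matched_count OUTPUT: the count from the "Number of entries returned N" line
# of `ipa user-find` output, or 0 when that line is absent.
matched_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Number of entries returned \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# servers_missing OUTPUT HOST...: print every HOST that has no "HOST: role"
# line in the `ipa-replica-manage list` output OUTPUT.
servers_missing() {
    list=$1; shift
    for h in "$@"; do
        printf '%s\n' "$list" | awk -v h="$h" -F: '$1==h{f=1} END{exit !f}' \
            || printf '%s\n' "$h"
    done
}

# check_ha HOST...: run on any IdM server after ipa-replica-install and
# ipa-ca-install; HOST... are the FQDNs expected in the replication topology.
check_ha() {
    out=$(ipa user-find admin) || { echo "ipa user-find failed (no ticket?)" >&2; return 1; }
    [ "$(matched_count "$out")" = "1" ] || { echo "admin user not found" >&2; return 1; }
    missing=$(servers_missing "$(ipa-replica-manage list)" "$@")
    [ -z "$missing" ] || { echo "not in replication topology: $missing" >&2; return 1; }
    echo "HA check passed: admin resolvable, all servers present"
}
```

Run `kinit admin` and then `check_ha idm1.lab.localdomain idm2.lab.localdomain` on idm2; running the same on idm1 confirms the replica is visible from both sides. A server missing from the list means the replication agreement was never created and the node is an IdM client only, not a replica.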
Additional Resources
LINUX DOMAIN IDENTITY, AUTHENTICATION, AND POLICY GUIDE
Red Hat Identity Manager: Part 1 – Overview and Getting started