HOWTO Configure Multi-Master IPA Servers

From Consultancy.EdVoncken.NET

In larger networks, or in networks with lots of users, a centralized Directory and Identity Management service is essential. Red Hat (and Fedora) offer the IPA Server, which stands for Identity/Policy/Audit. The IPA server is based on LDAP and Kerberos for directory and authentication services.

For redundancy, you should install at least 2 IPA servers. They will operate in "Multi-Master" configuration, meaning that changes can be made on any IPA server. They will be automatically propagated to the other IPA servers.

In this example, we'll be setting up IPA on two servers, "zeus" and "apollo". These virtual machines will run Fedora 10 with FreeIPA.

Installation

On both IPA servers, install the following package, for example using yum:

 ipa-server

This will work on Red Hat as well as Fedora 10 (upwards).

Configuration

First, make sure that your DNS is in order: both IPA servers must be able to do forward and reverse name resolution, so their names should be present in DNS. Alternatively, add their names to the /etc/hosts file on each server:

 192.168.123.11 zeus.example.local zeus
 192.168.123.22 apollo.example.local apollo

IPA server 1, Zeus

Log on as root and start the configuration. Just follow the prompts, accept the defaults.

 # ipa-server-install -N

As a by-product of the installation process, this command will generate a sample DNS zone file under /tmp. You will want to keep this file when setting up the appropriate DNS entries for auto-discovery.

Note: The -N option disables NTP configuration since this example uses Xen VMs for the IPA servers.

Prepare information for the replica and copy it to the new replica:

 # ipa-replica-prepare apollo.example.local
 # scp /var/lib/ipa/replica-info-apollo.example.local.gpg apollo:/var/lib/ipa/

IPA server 2, Apollo

Log on as root and install the replica. Just follow the prompts, accept the defaults.

 # ipa-replica-install -N /var/lib/ipa/replica-info-apollo.example.local.gpg

Note: Due to Bug 509111, this process may fail. As a workaround, you may need to apply a patch to one file and run ipa-replica-install again:

On RHEL5, modify /usr/lib/python2.6/site-packages/ipaserver/install/certs.py and make the following change:

 --- a/ipaserver/install/certs.py
 +++ b/ipaserver/install/certs.py
 @@ -584,6 +584,7 @@ class CertDB(object):
          self.set_perms(self.pwd_conf, uid="apache")
 
      def find_root_cert(self, nickname):
 +        return "CA certificate"
          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
                                "-O", "-n", nickname], stdout=subprocess.PIPE)

On Fedora 10 with FreeIPA, the patch needs to be applied to /usr/lib/python2.5/site-packages/ipaserver/certs.py instead:

 --- certs.py 2009/08/06 08:24:29 1.1
 +++ certs.py 2009/08/06 08:25:16
 @@ -305,6 +305,7 @@
          self.set_perms(self.pin_fname)
 
      def find_root_cert(self, nickname):
 +        return "CA certificate"
          p = subprocess.Popen(["/usr/bin/certutil", "-d", self.secdir,
                                "-O", "-n", nickname], stdout=subprocess.PIPE)

SSL / TLS Encryption

If all is well, IPA comes with SSL and StartTLS enabled.

For more information, read:

Testing

Once the ipa-client package is installed, test the configuration as follows.

Kerberos

 # kinit admin

LDAP

Verify the available SASL methods:

 # ldapsearch -H ldap://zeus.example.local/ -x -b "" -s base -LLL supportedSASLMechanisms
 dn:
 supportedSASLMechanisms: EXTERNAL
 supportedSASLMechanisms: GSSAPI
 supportedSASLMechanisms: DIGEST-MD5
 supportedSASLMechanisms: CRAM-MD5
 supportedSASLMechanisms: ANONYMOUS
 supportedSASLMechanisms: LOGIN
 supportedSASLMechanisms: PLAIN

All the methods below should work:

Simple auth, no encryption
 ldapsearch -H ldap://zeus.example.local/ -b dc=example,dc=local -x
Simple auth, SSL via LDAPS
 ldapsearch -H ldaps://zeus.example.local/ -b dc=example,dc=local -x
Simple auth, SSL via StartTLS
 ldapsearch -H ldap://zeus.example.local/ -ZZ -b dc=example,dc=local -x
SASL auth, no encryption
 ldapsearch -H ldap://zeus.example.local/ -b dc=example,dc=local
SASL auth, SSL via LDAPS
 ldapsearch -H ldaps://zeus.example.local/ -b dc=example,dc=local
SASL auth, SSL via StartTLS
 ldapsearch -H ldap://zeus.example.local/ -ZZ -b dc=example,dc=local
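The six checks above as a small script (an added example, not code from the original page): it builds each ldapsearch invocation, runs it, and marks the cells that talk to the server without encryption, using the root DSE output from above (a constructed copy) to note which cleartext SASL mechanisms the server also advertises. The host and base DN are the ones used on this page.

```python
# Added example (not code from the original page): build the six ldapsearch
# invocations listed above and flag the cells that run without encryption.
# Host/base are this page's; ROOTDSE_SAMPLE is a constructed copy of the output above.
import subprocess

ROOTDSE_SAMPLE = """dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
"""

CLEARTEXT_SASL = {"PLAIN", "LOGIN"}  # hand the password itself to the server; only safe under TLS

def parse_sasl_mechanisms(ldif_text):
    """Collect the supportedSASLMechanisms values from 'ldapsearch -LLL' output."""
    pairs = (line.partition(":") for line in ldif_text.splitlines())
    return [v.strip() for a, sep, v in pairs if sep and a.strip() == "supportedSASLMechanisms"]

def ldapsearch_argv(host, base, transport, auth):
    """transport: 'plain', 'ldaps' or 'starttls'; auth: 'simple' or 'sasl'."""
    scheme = "ldaps" if transport == "ldaps" else "ldap"
    argv = ["ldapsearch", "-H", "%s://%s/" % (scheme, host), "-b", base]
    if transport == "starttls":
        argv.append("-ZZ")  # StartTLS is mandatory; abort if it cannot be negotiated
    if auth == "simple":
        argv.append("-x")   # simple bind (anonymous here, since no -D/-w is given)
    return argv

def auth_matrix(host, base):
    """One (label, argv, encrypted) triple per cell of the table above."""
    return [("%s auth via %s" % (auth, transport),
             ldapsearch_argv(host, base, transport, auth), transport != "plain")
            for transport in ("plain", "ldaps", "starttls")
            for auth in ("simple", "sasl")]

def run_matrix(host, base, ldif_text):
    """Run every cell and warn where the session is unencrypted."""
    exposed = sorted(CLEARTEXT_SASL & set(parse_sasl_mechanisms(ldif_text)))
    for label, argv, encrypted in auth_matrix(host, base):
        rc = subprocess.call(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        note = "" if encrypted else "  <- cleartext; server also offers %s" % ", ".join(exposed)
        print("%-24s rc=%d%s" % (label, rc, note))

if __name__ == "__main__":
    run_matrix("zeus.example.local", "dc=example,dc=local", ROOTDSE_SAMPLE)
```

A non-zero rc on the StartTLS rows usually means the client does not trust the IPA CA certificate; the two "plain" rows should be the ones you eventually block at the firewall.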

Some common configuration errors:

References:

Troubleshooting

If you suspect something is wrong with your directory service, check the following:

  • Check the system logs on the IPA servers and clients. Really, these logs are there for a reason ;-)
  • Try running getent passwd. This should display a list of network users. If not, check whether the LDAP servers are available (look in /var/log/messages) and verify that /etc/nsswitch.conf contains references to LDAP.
  • Check your /etc/ldap.conf and /etc/openldap/ldap.conf settings. Check the URI and BASE parameters in both files. /etc/ldap.conf is modified by ipa-client-install, but /etc/openldap/ldap.conf is not.
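The last check above, scripted (an added example, not from the original page): it parses both files, compares the URI and BASE directives, and reports where the OpenLDAP file was left behind by ipa-client-install. The two file contents are constructed samples; the real files are read by check_files().

```python
# Added example, not from the original page: compare the URI and BASE settings of
# /etc/ldap.conf and /etc/openldap/ldap.conf, since ipa-client-install updates
# only the former. Both file contents below are constructed samples.

CLIENT_LDAP_CONF = """# /etc/ldap.conf as written by ipa-client-install (constructed)
uri ldap://zeus.example.local/ ldap://apollo.example.local/
base dc=example,dc=local
ssl start_tls
"""

OPENLDAP_LDAP_CONF = """# /etc/openldap/ldap.conf still at distribution defaults (constructed)
#URI ldap://ldap.example.com
#BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/ca.crt
"""

def parse_ldap_conf(text):
    """{KEY: value} for active directives; keys are case-insensitive in both files."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and commented-out defaults
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def compare_settings(client, openldap):
    """Problems found: URI/BASE missing from either file, or values that differ."""
    problems = []
    for key in ("URI", "BASE"):
        a, b = client.get(key), openldap.get(key)
        if a is None:
            problems.append("%s not set in /etc/ldap.conf" % key)
        if b is None:
            problems.append("%s not set in /etc/openldap/ldap.conf (ldapsearch needs -H/-b)" % key)
        elif a is not None and a.split() != b.split():
            problems.append("%s differs: %r vs %r" % (key, a, b))
    return problems

def check_files(paths=("/etc/ldap.conf", "/etc/openldap/ldap.conf")):
    """Same check against the real files on a client host."""
    with open(paths[0]) as a, open(paths[1]) as b:
        return compare_settings(parse_ldap_conf(a.read()), parse_ldap_conf(b.read()))

if __name__ == "__main__":
    for problem in compare_settings(parse_ldap_conf(CLIENT_LDAP_CONF),
                                    parse_ldap_conf(OPENLDAP_LDAP_CONF)):
        print(problem)
```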

fedora-ds-base replaced with 389-ds-base

My IPA Servers stopped working after applying updates to my Fedora 10 installations. Network users could no longer be found, LDAP queries timed out.

It turns out that the fedora-ds-base package was replaced with 389-ds-base. For some reason, the dirsrv service was no longer configured to start automatically:

 # rpm -qf /etc/init.d/dirsrv
 389-ds-base-1.2.1-1.fc10.x86_64
 # chkconfig --list dirsrv
 service dirsrv supports chkconfig, but is not referenced in any runlevel (run 'chkconfig --add dirsrv')
 # chkconfig dirsrv on
 # service dirsrv start
 Starting dirsrv: 
   EXAMPLE-LOCAL...                                     [  OK  ]

Miscellaneous

SELinux considerations

SELinux settings are configured automatically by the ipa-server installer.

Firewall settings

Your firewall should allow inbound traffic for all IPA-related ports so your clients can connect to the HTTP/HTTPS, LDAP/LDAPS and Kerberos servers. Sample entries for /etc/sysconfig/iptables:

 # IPA Server: HTTP/HTTPS
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
 # IPA Server: LDAP/LDAPS
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
 # IPA Server: Kerberos
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
 -A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
 -A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT

Note: If you wish to disable plaintext (and StartTLS!) connections, you can block incoming traffic on port 389.
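A quick audit of the rule set above (an added example, not from the original page): it reads rules in /etc/sysconfig/iptables format, reports which of the IPA ports listed above have no ACCEPT rule, and, when plaintext LDAP is meant to be blocked, flags port 389 if it is still open. IPTABLES_SAMPLE is a constructed rule set with one port deliberately left out.

```python
# Added example (not from the original page): check rules in /etc/sysconfig/iptables
# format against the IPA port list above. IPTABLES_SAMPLE is constructed and
# deliberately lacks the udp/464 rule so the audit has something to report.
import re

IPTABLES_SAMPLE = """*filter
# IPA Server: HTTP/HTTPS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# IPA Server: LDAP/LDAPS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
# IPA Server: Kerberos
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# (protocol, port) pairs the section above says IPA clients need.
IPA_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
             ("tcp", 88), ("tcp", 464), ("udp", 88), ("udp", 464)}

RULE_RE = re.compile(r"^-A\s+INPUT\b.*?-p\s+(tcp|udp)\b.*?--dport\s+(\d+)\b.*?-j\s+ACCEPT\b")

def accepted_ports(rules_text):
    """Set of (proto, port) that some INPUT rule accepts."""
    found = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def audit(rules_text, block_plaintext=False):
    """Return (missing, unexpected): ports without an ACCEPT, and ports open but unwanted."""
    have = accepted_ports(rules_text)
    wanted = set(IPA_PORTS)
    if block_plaintext:
        wanted.discard(("tcp", 389))   # 389 carries ldap:// and StartTLS; ldaps:// on 636 stays
    missing = wanted - have
    unexpected = {("tcp", 389)} & have if block_plaintext else set()
    return missing, unexpected

if __name__ == "__main__":
    print("missing / unexpected:", audit(IPTABLES_SAMPLE, block_plaintext=True))
```

On a live server, pass the output of iptables-save (or the contents of /etc/sysconfig/iptables) to audit() instead of the sample.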

Starting the service

The ipa-server installer starts the following services and adds them to the startup configuration:

  • dirsrv
  • ipa_kpasswd
  • ipa_webgui
