IdM Server Deployment Guide

The following instructions are for deploying the IdM server.

Prerequisites

This guide is written for a Red Hat Enterprise Linux 8 based operating system operating within a cluster of systems. The prerequisites are as follows:

Follow-on Deployments

The following guides can be applied after the deployment of their associated nodes.

References

These instructions were written for FreeIPA 4.9.11.

Post Deployment

The IdM Management Dashboard can be accessed at the following URL:
https://idm.engwsc.example.com

Username: admin
Password: ADMIN_PASSWORD (from step 15)

It is recommended that the default shell for IdM user accounts be changed from /bin/sh to /bin/bash.

Deployment Scripts

An example bash script of the instructions has been provided: deploy-idm-server.sh

Deployment Steps

The IdM server can be deployed either as a standalone VM or on the NFS server. IdM and NFS are both required for users to log in, and deploying both on the same server reduces the number of systems that must be online before users can log in.

This guide is written for a standalone VM instance.

Note

Instructions assume execution using the root account.

  1. Connect the system to the NFS server:

  2. Install the Random Number Generator service:

dnf -y install rng-tools
systemctl enable --now rngd
  3. Set the hostname to a FQDN:

hostnamectl set-hostname idm.engwsc.example.com
  4. Ensure the timezone is properly set:

timedatectl set-timezone America/New_York
timedatectl set-local-rtc 0
  5. Optional: Add the hostname to /etc/hosts if DNS does not resolve the FQDN:

Note

If synchronizing hosts files across systems, ensure the FQDN is listed before any short names.

IP_ADDRESS HOST_FQDN HOST_SHORTNAME

Important

Replace IP_ADDRESS with the real host IPv4 address (ex. 192.168.1.80)
Replace HOST_FQDN with the real FQDN. (ex. app01.engwsc.example.com)
Replace HOST_SHORTNAME with the host short name. (ex. app01)

sh -c 'cat >> /etc/hosts <<EOL
IP_ADDRESS  HOST_FQDN  HOST_SHORTNAME
EOL'
  6. Verify the hostname resolves to an IPv4 address that is not the loopback address:

Important

Replace idm.engwsc.example.com with your hostname.

dig +short idm.engwsc.example.com A
  7. Verify the reverse DNS configuration (PTR records):

Important

Replace 192.168.1.80 with your IPv4 address.

dig +short -x 192.168.1.80
  8. Install the Chrony NTP server:

dnf -y install chrony
  9. Configure Chrony to allow remote clients:

Note

Change the IP address to your network’s subnet.

sed -i 's@#allow 192.168.0.0/16@allow 192.168.1.0/24@g' /etc/chrony.conf
  10. Restart the chronyd service:

systemctl restart chronyd
  11. Verify IdM module information:

dnf module info idm:DL1
  12. Enable the idm:DL1 stream and sync repositories:

dnf module -y enable idm:DL1
dnf distro-sync
  13. Install the IdM Server module without an integrated DNS:

Note

There are other IdM Server installation types, see the IdM/FreeIPA documentation for more information.

dnf module -y install idm:DL1/server
  14. Suppress Negotiate headers:

Note

This is optional and prevents falling back to HTML login boxes in Windows browsers.

mkdir -p /etc/httpd/conf.d/
cat > /etc/httpd/conf.d/gssapi.conf <<EOF
BrowserMatch Windows gssapi-no-negotiate
EOF
  15. Install the IdM server:

Note

Remove --unattended to walk through the installation questions interactively.

Important

Replace DM_PASSWORD with a confidential strong password that will be used to access the Directory Manager (DM).
Replace ADMIN_PASSWORD with a confidential strong password that will be used for the IdM administrator’s admin account.

ipa-server-install \
  --domain=engwsc.example.com \
  --realm=ENGWSC.EXAMPLE.COM \
  --ds-password=DM_PASSWORD \
  --admin-password=ADMIN_PASSWORD \
  --unattended
  16. Configure firewalld rules:

Important

Replace the IPv4 address and subnet mask with the values for your network.

systemctl enable --now firewalld
firewall-cmd --zone=public --add-source=192.168.1.0/24 --permanent
firewall-cmd --zone=public --add-service={http,https,ntp,freeipa-4} --permanent
firewall-cmd --reload
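A pre-installation check for the hostname and DNS requirements of steps 3, 6 and 7 (FQDN set, forward lookup not loopback, PTR pointing back at the host), added here as an example and not part of the original guide or of FreeIPA. It assumes dig from bind-utils is installed for the live check; the script name idm-preflight.sh is hypothetical.

```shell
#!/bin/sh
# Added pre-installation check (not part of the original guide or FreeIPA): it applies the
# hostname and DNS requirements of steps 3, 6 and 7 before ipa-server-install is run.
# Assumes dig (bind-utils) is installed when run with --live.

# Succeed if $1 is a fully-qualified name: contains a dot, no leading or trailing dot.
is_fqdn() {
  case "$1" in
    *.*) [ "${1#.}" = "$1" ] && [ "${1%.}" = "$1" ] ;;
    *)   return 1 ;;
  esac
}

# Succeed if $1 is a loopback address (IPv4 127.0.0.0/8 or IPv6 ::1).
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *)         return 1 ;;
  esac
}

# Evaluate the answers of the two dig lookups: $1 hostname, $2 its A record,
# $3 the PTR name returned for that address (dig prints it with a trailing dot).
verify_pair() {
  host=$1; addr=$2; ptr=${3%.}
  is_fqdn "$host"       || { echo "FAIL: '$host' is not a FQDN"; return 1; }
  [ -n "$addr" ]        || { echo "FAIL: no A record for $host"; return 1; }
  ! is_loopback "$addr" || { echo "FAIL: $host resolves to loopback address $addr"; return 1; }
  [ "$ptr" = "$host" ]  || { echo "FAIL: PTR for $addr is '$ptr', expected $host"; return 1; }
  echo "OK: $host <-> $addr (forward and reverse records agree)"
}

# Live check against this machine, using the same dig commands as steps 6 and 7.
check_live() {
  host=$(hostname -f)
  addr=$(dig +short "$host" A | head -n 1)
  ptr=$(dig +short -x "$addr" 2>/dev/null | head -n 1)
  verify_pair "$host" "$addr" "$ptr"
}

# Usage: sh idm-preflight.sh --live
if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

Run it on the future IdM host before step 15; any FAIL line points at the step (3, 6 or 7) that still needs attention.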