
Instalasi FreeIPA pada CentOS 7

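#
# SELinux. FreeIPA ships its own SELinux policy and installs and runs with
# SELinux enforcing, so nothing below requires this step. If you still drop to
# permissive for troubleshooting, treat it as temporary and revert it
# (setenforce 1; SELINUX=enforcing) once the install works - otherwise the
# server keeps running with its confinement switched off.
getenforce
# runtime-only change, lost at reboot
setenforce 0
# persistent change; on CentOS 7 /etc/sysconfig/selinux is the same file as
# /etc/selinux/config. The pattern only rewrites an "enforcing" line (and
# uncomments it if it was commented out); a file already set to disabled is
# left alone.
sed -i -r 's/^#?(SELINUX)=enforcing/\1=permissive/' /etc/sysconfig/selinux
grep '^SELINUX=' /etc/sysconfig/selinux
#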
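# Host name and /etc/hosts. The FQDN must resolve to an address that is
# configured on one of this host's interfaces - ipa-server-install checks that.
# On a NATed or cloud host the "public" address seen from the internet is not
# such an address: take it from `ip addr` / ifcfg-eth0 and set IP_PUBLIC by hand.
# checkip.dyndns.org is queried over plain HTTP from a third party, so the reply
# is unauthenticated; -f makes a failed fetch yield nothing instead of an error
# page, and the value is validated before it is written into /etc/hosts.
IP_PUBLIC=$(curl -fsS http://checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//')
[[ "$IP_PUBLIC" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || { printf 'IP_PUBLIC is not an IPv4 address: %q - set it by hand\n' "$IP_PUBLIC" >&2; exit 1; }
FQDN="host.sub.domain.tld"
#
printf '%s\n' "$FQDN" > /etc/hostname
# add the mapping only once, so re-running these notes does not pile up duplicates
grep -qE "[[:space:]]$FQDN([[:space:]]|\$)" /etc/hosts \
  || printf '%s %s\n' "$IP_PUBLIC" "$FQDN" >> /etc/hosts
#
nano /etc/hosts
nano /etc/hostname
# on cloud-init images /etc/hosts may be regenerated from this template at boot
# (manage_etc_hosts), which would overwrite the line added above - check it
cat /etc/cloud/templates/hosts.redhat.tmpl
cat /etc/sysconfig/network-scripts/ifcfg-eth0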
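yum update -y && yum install -y firewalld
# enable as well as start: the permanent rules below only apply while firewalld
# is running, so without enable the host comes back unfiltered after a reboot
systemctl enable firewalld
systemctl start firewalld
# Ports FreeIPA serves: HTTP/HTTPS (web UI, API, CA), LDAP/LDAPS, Kerberos (88),
# kpasswd (464), DNS (53, only with --setup-dns) and NTP (123/udp).
# Caveats when the public zone faces the internet:
#   - 389/tcp is plain LDAP: a simple bind there without STARTTLS sends the
#     password in clear (see the -ZZ examples further down), so limit the
#     source addresses to the networks that enrol clients;
#   - if 53 is reachable from outside, check after the install that BIND does
#     not recurse for arbitrary clients (allow-recursion in /etc/named.conf).
ipa_ports=(80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp)
for port in "${ipa_ports[@]}"; do
  firewall-cmd --permanent --zone=public --add-port="$port"
done
firewall-cmd --get-services      # named services are an alternative to raw ports
firewall-cmd --permanent --zone=public --list-all
firewall-cmd --reload
yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap bind-chroot bind-utils rng-tools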
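ip addr
#
# Use the addresses actually configured on the interface (from `ip addr`), not
# placeholders: ipa-server-install refuses a host name that resolves to the
# loopback address, and 127.0.0.1 / fe00::00 below are only placeholders to
# replace. Forward and reverse lookups should both agree on the FQDN, since
# Kerberos principals and the server certificates are issued for that name.
IPV4_ADDRESS="127.0.0.1"
IPV6_ADDRESS="fe00::00"
#
dig +short "$FQDN" A
dig +short "$FQDN" AAAA
dig +short -x "$IPV4_ADDRESS"
dig +short -x "$IPV6_ADDRESS"
#
# hostnamectl sets the running name and /etc/hostname; a bare `hostname NAME`
# only changes the running name until the next reboot
hostnamectl set-hostname "$FQDN"
hostname
#
# rngd feeds hardware entropy into the kernel pool so the key generation done
# by ipa-server-install does not stall on an entropy-starved VM
systemctl start rngd
systemctl enable rngd
systemctl status rngd
#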
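# Run ONE of these; a second ipa-server-install on an already configured server
# fails (remove with ipa-server-install --uninstall first). The packages it
# needs (ipa-server, ipa-server-dns, bind-dyndb-ldap) are installed above.
#
# Interactive, without the integrated DNS server:
# ipa-server-install
#
# Interactive, with integrated DNS; the installer asks for forwarders and the
# reverse zone.
ipa-server-install --setup-dns
#
# --reverse names the reverse zone of the subnet the server's address is in
# (for 192.0.2.0/24 that is 2.0.192.in-addr.arpa.). 0.0.127.in-addr.arpa. is the
# loopback network and only matches IPV4_ADDRESS=127.0.0.1, which the installer
# rejects as the server address; --auto-reverse derives the zone from the real
# address instead.
# ipa-server-install --setup-dns --reverse="2.0.192.in-addr.arpa."
# ipa-server-install --setup-dns --auto-reverse
#
# Non-interactive example. -n is the IPA domain and -r the Kerberos realm (by
# convention the domain in upper case); --no-host-dns skips the check that the
# host name resolves, so only use it once the dig checks above are clean;
# --forwarder sends every non-IPA query to that resolver (8.8.8.8 is Google's
# public one - use whatever your network policy allows).
# ipa-server-install -v --setup-dns --hostname="ipa.domain.tld" -n domain.tld -r DOMAIN.TLD --no-host-dns --reverse="2.0.192.in-addr.arpa." --forwarder="8.8.8.8"
#
kinit admin
ipa user-find admin
#
# with no arguments, ipa user-add prompts for the login and the names
ipa user-add
# a password set by an administrator is expired on creation: the first kinit
# as that user asks for a new one
ipa passwd USERNAME
kinit USERNAME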

Install/Setup Postfix to forward e-mails

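yum remove -y sendmail
yum install -y postfix mailx
# postconf -e adds or replaces a key in main.cf in place, so re-running this
# block does not append duplicate settings the way `echo >>` does. (The
# original lines used typographic quotes, which the shell does not treat as
# quotes - the `<domain>` part was even parsed as a redirection.)
#
# inet_interfaces = all makes Postfix listen on every interface instead of
# loopback only. The firewall block above does not open 25/tcp, but whatever
# does reach the daemon is subject to mynetworks / smtpd_recipient_restrictions:
# check `postconf mynetworks` so the host is not an open relay, and keep
# localhost if only locally generated mail needs forwarding.
postconf -e 'inet_interfaces = all'
postconf -e 'virtual_alias_domains = DOMAIN.TLD'
postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
# catch-all: every address at <domain> is forwarded to the given mailbox
printf '@%s %s\n' '<domain>' '<e-mail to forward to>' >> /etc/postfix/virtual
postmap /etc/postfix/virtual
systemctl enable postfix
systemctl restart postfix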

LDAP connectivity

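#
# Server banner. The root DSE (-b '' -s base) is readable anonymously until
# anonymous access is restricted further down; the ldaps:// variant also checks
# the server certificate against the CA the client trusts (TLS_CACERT in
# /etc/openldap/ldap.conf).
ldapsearch -H ldap://host.sub.domain.tld:389 -b '' -s base -x -LLL vendorVersion
ldapsearch -H ldaps://host.sub.domain.tld:636 -b '' -s base -x -LLL vendorVersion
# Basic searching. namingContexts reports the real suffix: FreeIPA derives it
# from the IPA domain (-n, by default the host name minus its first label), so
# host.sub.domain.tld normally gives dc=sub,dc=domain,dc=tld - take the base DN
# from this output rather than guessing; the dc=host,... and dc=sub,... bases
# used on this page cannot both be right.
ldapsearch -H ldap://host.sub.domain.tld:389 -b '' -s base -x namingContexts
ldapsearch -H ldap://host.sub.domain.tld:389 -x -b 'dc=sub,dc=domain,dc=tld'
# FreeIPA keeps groups under cn=groups,cn=accounts,<suffix>; ipa-server-install
# does not create an ou=Groups container.
ldapsearch -H ldap://host.sub.domain.tld:389 -x -b 'cn=groups,cn=accounts,dc=host,dc=sub,dc=domain,dc=tld'
# TLS connection: -ZZ issues STARTTLS on port 389 and aborts if it fails, so
# nothing (a bind password included, if -D/-W were added) crosses in clear.
# -h/-p are deprecated in favour of -H with a URI.
ldapsearch -x -H ldap://host.sub.domain.tld -b dc=host,dc=sub,dc=domain,dc=tld uid=admin -ZZ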
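# Modified from console. The LDIF is fed to ldapmodify on stdin by a quoted
# heredoc (kept literal, no expansion); -W still reads the Directory Manager
# password from the terminal, so it is never on the command line. This is a
# simple bind, so run it on the server itself or add -ZZ / -H ldaps://.
# Replace the placeholder password before running: it then lives in this file
# and in the shell history, so treat these notes as a secret.
#
# System (bind) accounts under cn=sysaccounts,cn=etc,<suffix> are the FreeIPA
# convention for service binds. Caveats:
#   - passwordExpirationTime far in the future plus nsIdleTimeout: 0 give the
#     account a non-expiring password and unlimited idle sessions - rotate the
#     password yourself and grant the account only the read ACIs it needs;
#   - the uid in the dn (the RDN) and the uid attribute must be the same value.
ldapmodify -x -D 'cn=Directory Manager' -W <<'EOF'
dn: uid=binduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: binduser
userPassword: password-for-bind-user
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF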
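#
# Second system account. The RDN in the dn and the uid attribute must carry the
# same value: with "uid: system" under dn uid=anotherbinduser,... the server
# either rejects the add or names the entry by its dn, and either way a later
# bind as uid=system,cn=sysaccounts,... finds no such entry. Same password and
# lifetime caveats as for binduser: replace the placeholder, rotate it, and
# grant only the ACIs the consumer needs.
ldapmodify -x -D 'cn=Directory Manager' -W <<'EOF'
dn: uid=anotherbinduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: anotherbinduser
userPassword: another-password-for-bind-user
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF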
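#
# Bind as the system accounts. -x -D ... -W is a simple bind: the password is
# carried in the bind request, so on ldap://:389 add -ZZ (STARTTLS) or use
# ldaps://:636, otherwise it crosses the wire in clear. -W prompts instead of
# putting the password in argv (visible in ps and the shell history).
# The bind DN must be the entry's dn: the account added above is
# uid=anotherbinduser,...; there is no uid=system,... entry to bind as.
# Without a filter argument ldapsearch uses (objectClass=*); a trailing "" adds
# nothing, so it is dropped here.
ldapsearch -ZZ -x -H ldap://host.sub.domain.tld:389 -b "dc=host,dc=sub,dc=domain,dc=tld" -D "uid=anotherbinduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld" -W "uid=directoryuser"
ldapsearch -ZZ -x -H ldap://host.sub.domain.tld:389 -b "dc=host,dc=sub,dc=domain,dc=tld" -D "uid=binduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld" -W
ldapsearch -ZZ -x -H ldap://host.sub.domain.tld:389 -b "dc=host,dc=sub,dc=domain,dc=tld" -D "uid=binduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld" -W
ldapsearch -ZZ -x -H ldap://host.sub.domain.tld:389 -b "dc=host,dc=sub,dc=domain,dc=tld" -D "uid=anotherbinduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld" -W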

Perintah-perintah ldapsearch

dasar

parameter-parameter yang dapat digunakan

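# Reusable argument list with one comment per option. Comments are allowed
# inside a bash array literal, whereas `-x \ # ...` in the original does NOT
# continue the line: the backslash escapes the following space and the comment
# then ends the command. (Also fixes the base DN typo dc=host=dc=sub.)
ldapsearch_args=(
  -x        # simple (non-SASL) authentication; together with -D it needs -W
  -u        # include user-friendly entry names in the output
  -n        # show what would be done but do not actually search
  -v        # verbose mode (diagnostics on standard output)
  -L        # print responses in LDIFv1 format (-LL / -LLL also drop comments / version)
  -ZZ       # issue StartTLS and require it to succeed, so the bind password
            # is never sent in clear over port 389
  -H ldap://host.sub.domain.tld   # URI: protocol, host name and optional port
  -b 'dc=host,dc=sub,dc=domain,dc=tld'   # base DN of the search
  -D 'uid=binduser,cn=sysaccounts,cn=etc,dc=host,dc=sub,dc=domain,dc=tld'   # bind DN of the account allowed to query
  -W        # prompt for the bind password (keeps it out of argv, ps and history)
)
ldapsearch "${ldapsearch_args[@]}"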

kueri anonim

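# What an anonymous client can read: -x without -D is an anonymous simple bind.
# The original also passed -n (dry run: shows what would be done without
# performing the search), which cannot reveal what is exposed, so it is dropped.
ldapsearch -x -v -u -H ldap://host.sub.domain.tld:389 -b "dc=sub,dc=domain,dc=tld"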
mengunci kueri anonim

melalui host jalankan

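# Restrict anonymous access to the root DSE. "rootdse" (rather than "off")
# keeps the root DSE readable, which clients use to discover the server's
# capabilities, while every other read requires a bind - the anonymous query
# above should no longer return entries afterwards. -W prompts for the
# Directory Manager password; this is a simple bind, so run it on the server
# itself or add -ZZ / -H ldaps://. The LDIF comes from the heredoc.
ldapmodify -x -D 'cn=Directory Manager' -W <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
# restart-dirsrv is the 389-ds legacy helper; on a FreeIPA server `ipactl
# restart` restarts the directory server together with the services that
# depend on it.
restart-dirsrv
# verify: the anonymous search must now be refused or come back empty
ldapsearch -x -H ldap://host.sub.domain.tld:389 -b "dc=sub,dc=domain,dc=tld" -s base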
rujukan