8/18/2019 Summit IdM Lab User Guide 2015
Table of Contents
Lab Overview ...................................................... 3
Background ........................................................ 3
Red Hat Enterprise Linux Identity Management Overview ............. 3
Red Hat Enterprise Linux Identity Management Benefits ............. 4
  Enhances Security ............................................... 4
  Provides eSSO (enterprise Single Sign-on) ....................... 4
  Centralizes Administration and Control .......................... 4
  Implements Standards-Based, Integrated Components ............... 4
  Reduces Costs ................................................... 4
IdM Features ...................................................... 4
IdM Lab Environment Details ....................................... 5
IdM Lab Objectives ................................................ 5
Lab 1: Server Installation ........................................ 6
Lab 2: Users and Password Policies ................................ 9
Lab 3: Two Factor Authentication ................................. 11
Lab 4: Client Installation ....................................... 14
Lab 5: User Groups and Host Groups Management .................... 16
Lab 6: Integrating IdM with Active Directory ..................... 20
Lab 7: Host Based Access Control - HBAC .......................... 28
Lab 8: IdM Roles Management ...................................... 32
Lab 9: IdM Replication ........................................... 37
Lab 10: Services and Keytabs ..................................... 38
Red Hat
Summit Labs
Red Hat Summit 2015 - Red Hat Enterprise Linux Identity Management
Lab Overview
This lab guide assumes that you are following instructor-led training. The guide tries to simulate real-life tasks and scenarios: it goes through a number of labs that will enable you to create a fully functional environment using Red Hat Enterprise Linux IdM. You will also explore IdM features such as users, groups, policies and access control rules management. The purpose is to give you a basic hands-on overview of Red Hat Enterprise Linux Identity Management and how the components fit together. The labs use a combination of command-line tools and the IdM web interface. This lab is prepared to run on the environment described in the Lab Environment Details section of this document.
Your instructor will provide you with any additional information that you will require, primarily the lab setup and required scenarios.
Background
Red Hat Enterprise Linux Identity Management Overview
Red Hat Enterprise Linux IdM is a way to create identity stores, centralized authentication, domain control for Kerberos and DNS services, and authorization policies, all on Linux systems, using native Linux tools. It also supports Linux/Unix domains.
www.redhat.com Copyright © 2015 Red Hat, Inc. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, and JBoss are trademarks of Red Hat, Inc., registered in other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Red Hat Enterprise Linux Identity Management Benefits:
Enhances Security
Centralizes authentication, authorization and fine-grained access control for UNIX/Linux environments.
Provides eSSO (enterprise Single Sign-on)
Enables users to access many different enterprise resources after their initial log-in without having to type user name and password again and again.
Centralizes Administration and Control
Allows administrators to easily consolidate and manage identity servers in a UNIX/Linux environment, with the option to interoperate with Active Directory.
Implements Standards-Based Integrated Components
Integrates the capabilities of Kerberos, LDAP, DNS and X.509 certificates into a simple identity management solution.
Reduces Costs
Can replace third-party user directories or Identity Management solutions.
IdM Features
• Integrated, native user, host, and service authentication and access control.
• Consistent and manageable identity management for Linux and Unix systems.
• Interoperability with Microsoft Active Directory domains.
• Standards-based, trusted technologies.
• Easier and clearer to implement, maintain, and understand authentication and access control policies.
• Flexible access control rules based on sudo rules, host-based rules, and other criteria.
• Consistent and universal password policies for users.
• Integrates established Linux/Unix services like NFS, automount, NIS,
IdM Lab Environment Details

Element                   URL / Access                      Username       Password
IdM Server (web UI)       http://idm-server.example.com     admin          password
IdM Server                ssh: idm-server.example.com       root           redhat
IdM Client                ssh: idm-client.example.com       root           redhat
IdM access/evaluation     ssh: idm-access.example.com       root           redhat
IdM Replication           ssh: idm-replica.example.com      root           redhat
Windows Active Directory  Virtual Machine Console           administrator  Secret123
IdM Lab Objectives
Deploy both client and server for centralized, highly available authentication using Red Hat Enterprise Linux Identity Management (IdM), provide a working central authentication server, and implement additional access controls and sudo rules for the client and access machines.
Note: Make sure that all virtual machines whose names start with "IdM-" are running. After finishing Lab 1, you can start the Windows-DC machine, which is running the Active Directory.
Lab 1: Server Installation
Target server: idm-server.example.com
Access: ssh root@idm-server.example.com
• Log into idm-server.example.com via ssh.
• Make sure that the hosts file is properly configured; you should find this line:
cat /etc/hosts | grep idm
192.168.10.10 idm-server.example.com idm-server
• Install the IdM packages:
yum -y install bind-dyndb-ldap ipa-server
• Run as root:
[root@idm-server ~]# ipa-server-install --setup-dns --ssh-trust-dns \
--mkhomedir
(--mkhomedir creates home directories on first login. --ssh-trust-dns makes the OpenSSH client trust SSHFP records from DNS for host-key verification, which is only as strong as the DNS path; outside a lab, pair it with DNSSEC validation or leave it off.)
• When you are prompted with these questions, use the respective answers:
Existing BIND configuration detected, overwrite? [no]: yes
Server host name [idm-server.example.com]: <Press Enter>
Please confirm the domain name [example.com]: <Press Enter>
Please provide a realm name [EXAMPLE.COM]: <Press Enter>
Directory Manager password:
Password (confirm):
Domain name: example.com
Realm name: EXAMPLE.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 8.8.8.8
Reverse zone: 10.168.192.in-addr.arpa.
After installation: check the IdM web interface via idm-server.example.com, using the admin username and password.
• Check the main IPA configuration in /etc/ipa/default.conf: base DN, realm.
• Obtain a Kerberos ticket:
kinit admin
klist
• Check the automatically created DNS records (A, SRV):
ipa dnszone-find
ipa dnsrecord-find example.com --name=idm-server --all
  Zone name: example.com
  Active zone: TRUE
• Check the IdM server defaults:
ipa config-show
ipa config-mod --defaultshell=/bin/bash
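As an added check (example script, not part of the original lab guide), the function below parses the answer section of `dig SRV` for a minimal set of records an IPA-managed zone must publish for the realm and confirms that each points at idm-server.example.com. The answer lines embedded in it are constructed to look like the lab's zone, not captured output; on the live server collect them with `dig +noall +answer SRV _ldap._tcp.example.com` and the other names. It expects a single target per record, which holds until the replica lab adds a second server.

```sh
#!/bin/sh
# Added example, not part of the original lab guide: verify that the SRV
# records ipa-server-install --setup-dns publishes for the realm exist and
# point at the IdM server, by parsing `dig` answer-section lines. The
# answer lines below are constructed to look like the lab's zone, not
# captured from a server; on the live server collect them with
#   dig +noall +answer SRV _ldap._tcp.example.com   (and the other names)

# A minimal set of records a Kerberos client needs to locate the KDC,
# the password-change service and the LDAP server.
EXPECTED_SRV='_kerberos._udp.example.com
_kerberos._tcp.example.com
_kpasswd._udp.example.com
_kpasswd._tcp.example.com
_ldap._tcp.example.com'

# Constructed dig answer lines: name TTL class type priority weight port target
SAMPLE_ANSWERS='_kerberos._udp.example.com. 86400 IN SRV 0 100 88 idm-server.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 idm-server.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 idm-server.example.com.
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 idm-server.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 idm-server.example.com.'

# srv_target ANSWERS NAME -> prints the SRV target(s) recorded for NAME.
srv_target() {
    printf '%s\n' "$1" | awk -v n="$2." '$1 == n && $4 == "SRV" { print $8 }'
}

# check_srv_records ANSWERS HOST -> reports each expected record that is
# missing or points elsewhere, prints the count, and returns 0 only if all
# of them resolve to HOST.
check_srv_records() {
    answers=$1; want="$2."; bad=0
    for name in $EXPECTED_SRV; do
        target=$(srv_target "$answers" "$name")
        if [ "$target" != "$want" ]; then
            echo "missing or wrong target: $name -> ${target:-<none>}" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Demo with the constructed answers: every record present, so it prints 0.
check_srv_records "$SAMPLE_ANSWERS" idm-server.example.com
```

A non-zero count after a fresh install usually means the zone was not created by the installer (for instance because BIND was left unmanaged) or that clients are not resolving through the IdM server at all, which is the first thing Lab 4 checks.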
Lab 2: Users and Password Policies
Target server: idm-server.example.com
Access: ssh root@idm-server.example.com
1. Add new users (create a username of your preference in the prompt mode), then run the other commands:
ipa user-add
ipa user-add --first=John --last=Smith jsmith
ipa user-add --first=Matt --last=Well --manager=jsmith \
--email=mwell@example.com --homedir=/home/mwell mwell
2. Modify user attributes:
ipa user-mod jsmith --addattr=departmentnumber=101
ipa user-show jsmith --all
ipa user-mod mwell --title="System Engineer"
3. Modify the users' passwords as admin:
ipa user-mod mwell --password
ipa user-mod jsmith --password
4. Check that the system recognizes the users:
id jsmith
getent group mwell
5. Check the default password policies:
ipa help ppolicy
ipa ppolicy-show
ipa ppolicy-mod --maxlife=60
6. As jsmith, log in via ssh to idm-server; you will be prompted to change the password, since it is the first login with an admin-set password.
7. As admin:
ipa ppolicy-mod --minlife=0 --maxfail=3
ipa ppolicy-show
8. As mwell, log in to idm-server, change the first-time password, and then change the password again with "ipa passwd"; it succeeds because we set the minimum lifetime of users' passwords to 0. (A minimum lifetime of 0 is convenient in a lab but defeats password history in production: a user can change the password repeatedly in one sitting until the old one is accepted again.)
9. On the Web UI check the following:
- Add a user.
- Check password expiry.
- Edit user details.
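An added example (not the guide's code) that audits `ipa ppolicy-show` output against a baseline. The thresholds are the author's illustrative choices, not Red Hat defaults, and both outputs are constructed: the first mirrors where this lab leaves global_policy (maxlife 60, minlife 0, maxfail 3), the second a policy that passes every check. The check that ties minlife to history is the point the steps above leave implicit.

```sh
#!/bin/sh
# Added example, not the lab guide's code: audit `ipa ppolicy-show` output
# against a baseline. The thresholds are the author's illustrative choices,
# not Red Hat defaults. Both outputs are constructed: the first mirrors the
# state this lab leaves global_policy in (maxlife 60, minlife 0, maxfail 3),
# the second a policy that passes every check.

SAMPLE_PPOLICY='  Group: global_policy
  Max lifetime (days): 60
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 3
  Failure reset interval: 60
  Lockout duration: 600'

HARDENED_PPOLICY='  Group: global_policy
  Max lifetime (days): 60
  Min lifetime (hours): 1
  History size: 5
  Character classes: 3
  Min length: 12
  Max failures: 5
  Failure reset interval: 60
  Lockout duration: 600'

# ppolicy_value OUTPUT LABEL -> the value printed after "LABEL: ".
ppolicy_value() {
    printf '%s\n' "$1" | awk -F': ' -v l="$2" '{ sub(/^ +/, "") } $1 == l { print $2 }'
}

# ppolicy_audit OUTPUT -> one line per weak setting, then the number of
# findings; returns 0 only when there are none.
ppolicy_audit() {
    out=$1; n=0
    minlife=$(ppolicy_value "$out" "Min lifetime (hours)")
    hist=$(ppolicy_value "$out" "History size")
    classes=$(ppolicy_value "$out" "Character classes")
    minlen=$(ppolicy_value "$out" "Min length")
    maxfail=$(ppolicy_value "$out" "Max failures")
    lockout=$(ppolicy_value "$out" "Lockout duration")
    if [ "${hist:-0}" -lt 5 ]; then
        echo "History size ${hist:-0}: recently used passwords can be set again"; n=$((n + 1))
    fi
    if [ "${classes:-0}" -lt 3 ]; then
        echo "Character classes ${classes:-0}: single-class passwords accepted"; n=$((n + 1))
    fi
    if [ "${minlen:-0}" -lt 12 ]; then
        echo "Min length ${minlen:-0}: below 12"; n=$((n + 1))
    fi
    # 0 means no lockout at all, so online guessing is unlimited.
    if [ "${maxfail:-0}" -eq 0 ]; then
        echo "Max failures 0: account lockout disabled"; n=$((n + 1))
    fi
    if [ "${lockout:-0}" -lt 600 ]; then
        echo "Lockout duration ${lockout:-0}: shorter than 10 minutes"; n=$((n + 1))
    fi
    # With minlife 0 a user can change the password history-size+1 times in a
    # row and land back on the original, so history alone is not a control.
    if [ "${minlife:-0}" -eq 0 ]; then
        echo "Min lifetime 0: password history can be cycled through immediately"; n=$((n + 1))
    fi
    echo "$n"
    [ "$n" -eq 0 ]
}

# Demo: the lab policy yields 4 findings, the hardened one 0.
ppolicy_audit "$SAMPLE_PPOLICY"
ppolicy_audit "$HARDENED_PPOLICY"
```

The corresponding fix on the server is a single `ipa ppolicy-mod` with the `--history`, `--minclasses`, `--minlength` and `--minlife` options; per-group policies created with `ipa ppolicy-add` override global_policy for their members, so audit each of them, not only the global one.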
Reference:
Red Hat Documentation: Managing User Groups
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-groups.html
Lab 3: Two Factor Authentication
Log out from the admin session, log in as jsmith, then navigate to OTP Tokens and click on Add. In the Add OTP Token dialog
On the smartphone, open FreeOTP
Note that adding a token does not by itself make it required: the user's authentication type (or the global default authentication type in the IdM configuration) must be set to OTP; otherwise the password alone still logs the user in.
Lab 4: Client Installation
Target server: idm-client.example.com and idm-access.example.com
Access: ssh root@idm-client.example.com
• Check that on both servers resolv.conf points to the IdM server (192.168.10.10):
echo "nameserver 192.168.10.10" > /etc/resolv.conf
cat /etc/resolv.conf
nameserver 192.168.10.10
• Verify that the idm-client/idm-access resolvers are pointing to idm-server:
dig example.com
example.com. 3600 IN SOA idm-server.example.com. hostmaster.example.com. 1396857706 3600 900 1209600 3600
• Install the IdM client (sssd):
yum install ipa-client
• On the IdM server, make sure that PTR records are created/updated on new client installations:
ipa dnszone-mod example.com --allow-sync-ptr=TRUE
• Some adjustments.
Lab 5: User Groups and Host Groups Management
Target server: idm-server.example.com
Access: ssh root@idm-server.example.com
Activities for lab 5:
• Create a users group (either through the command line or the Web UI).
• Add group members.
• Delete a users group.
• Explore IdM group management through the command line: a new group named servers is added, then user mwell becomes a member of servers; another group named clients is added, and finally jsmith is added to the clients group:
ipa group-add --desc="users server group" servers
ipa group-add-member servers --users=mwell
ipa group-add --desc="users client group" clients
ipa group-add-member clients --users=jsmith
ipa group-find
ipa group-del <group name>
ipa help group
On the Web UI check the following:
As required, create new host groups called "restricted" and "access":
Now that the host group is created, click on "restricted" to add the hosts.
Lab 6: Integrating IdM with Active Directory
Target server: idm-server.example.com, idm-client.example.com and winad.example.com
Access: ssh root@idm-server.example.com, ssh root@idm-client.example.com and console access to winad.example.com
One of the available machines is running Windows Active Directory; the machine is ready with AD. Make sure that you have access to the Windows machine using the username "administrator" and the password "Secret123". We will also install the AD trust and winbind clients.
Running the dnscmd command should return the same output:
On the Windows Desktop you will find a DNS icon (shortcut); it opens the DNS service console on Windows. We want to verify the new resources created: double-click on the DNS icon and follow the DNS tree as shown below:
Verify that the SRV records are resolvable on the IdM server:
[root@idm-server ~]# dig SRV _ldap._tcp.winad.example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> SRV _ldap._tcp.winad.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode:
We can verify that the record was added to LDAP using ldapsearch:
ldapsearch -Y GSSAPI -b cn=dns,dc=example,dc=com idnsname=example.com.
Create the external (non-POSIX) group that will hold the AD SID:
[root@idm-server ~]# ipa group-add --desc="ad_domain admins external map" --external ad_admins_external
  Group name: ad_admins_external
  Description: ad_domain admins external map
Create a POSIX-compliant group to be linked to the external group:
[root@idm-server ~]# ipa group-add --desc="ad_domain admins" ad_admins
-----------------------
Added group "ad_admins"
-----------------------
  Group name: ad_admins
  Description: ad_domain admins
  GID: 1861200012
Add the members of Domain Admins to the created IdM group:
[root@idm-server ~]# ipa group-add-member ad_admins_external --external \
"WINAD\Domain Admins"
[member user]: <Press Enter>
[member group]: <Press Enter>
  Group name: ad_admins_external
  Description: ad_domain admins external map
  External member: S-1-5-21-1859029294-2263411558-1060893033-512
-------------------------
Number of members added 1
-------------------------
Add the external AD group as a member of the IdM POSIX-compliant group:
[root@idm-server ~]# ipa group-add-member ad_admins --groups=ad_admins_external
  Group name: ad_admins
  Description: ad_domain admins
  GID: 1861200016
  Member groups: ad_admins_external
-------------------------
Number of members added 1
Now it is testing time; wbinfo retrieves the SID associated with the name specified:
kinit admin
kvno -S HTTP `hostname`
ipa trust-show winad.example.com
kdestroy
klist
kinit Administrator@WINAD.EXAMPLE.COM
klist
kvno -S cifs dc.winad.example.com
wbinfo -n "WINAD\Domain Admins"
S-1-5-21-66505577-848503339-310583033-512 SID_DOM_GROUP
We can create a shared disk for the AD admins; these commands create a new directory "/linuxshare" and make it available to AD admins:
mkdir /linuxshare
SID=`wbinfo -n "WINAD\Domain Admins" | awk '{print $1}'`
net conf setparm "share" "comment" "Trust test share"
net conf setparm "share" "read only" "no"
net conf setparm "share" "valid users" "$SID"
net conf setparm "share" "path" "/linuxshare"
cd /linuxshare
touch IdM-rocks
Check that $SID is not empty before the "valid users" line: if the wbinfo lookup fails, the parameter is set to an empty string, and Samba treats an empty "valid users" as "any user may connect".
The share is now restricted to the Windows admins; later we can make user shares available if needed. On Windows machines open Computer, then map the share to a Windows drive following the same procedure:
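The guarded version of that share setup, as an added example that is not the lab guide's own code: the wbinfo output is parsed and validated before it reaches `net conf`, and the SID is additionally required to carry RID 512 (the well-known Domain Admins RID) so that a lookup that silently resolved some other object cannot widen the share. The two wbinfo outputs are constructed samples, not captured from the lab's AD; `NET=echo` turns the configuration step into a dry run.

```sh
#!/bin/sh
# Added example (not the lab guide's code): guard the share ACL against a
# failed name lookup. The lab pipes `wbinfo -n` straight into
#   net conf setparm "share" "valid users" "$SID"
# If the lookup fails (trust down, winbind not running, name typo) SID is
# empty, and Samba treats an empty "valid users" as "any user may connect".
# The wbinfo outputs below are constructed samples, not captured from the
# lab's AD; the SID is the one shown earlier in this guide.

SAMPLE_OK='S-1-5-21-1859029294-2263411558-1060893033-512 SID_DOM_GROUP (2)'
SAMPLE_FAIL='failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name WINAD\Domain Admins'

# sid_of_name WBINFO_OUTPUT -> prints the first field if it is a
# well-formed SID (S-1-<authority>-<subauth>...), returns 1 otherwise.
sid_of_name() {
    sid=$(printf '%s\n' "$1" | awk 'NR == 1 { print $1 }')
    printf '%s\n' "$sid" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$' || return 1
    printf '%s\n' "$sid"
}

# sid_rid SID -> the last sub-authority, i.e. the RID.
sid_rid() {
    printf '%s\n' "$1" | awk -F- '{ print $NF }'
}

# share_acl_sid WBINFO_OUTPUT -> the SID to use in "valid users", but only
# if it parsed and its RID is 512 (the well-known Domain Admins RID), so a
# lookup that resolved some other object cannot silently widen the share.
share_acl_sid() {
    sid=$(sid_of_name "$1") || return 1
    [ "$(sid_rid "$sid")" = 512 ] || return 1
    printf '%s\n' "$sid"
}

# configure_share SID -> the lab's net conf commands, run only with a
# non-empty SID. NET=echo turns this into a dry run that prints the commands.
configure_share() {
    [ -n "$1" ] || { echo "refusing to create share with empty valid users" >&2; return 1; }
    "${NET:-net}" conf setparm "share" "comment" "Trust test share"
    "${NET:-net}" conf setparm "share" "read only" "no"
    "${NET:-net}" conf setparm "share" "valid users" "$1"
    "${NET:-net}" conf setparm "share" "path" "/linuxshare"
}

# Demo (dry run): the good lookup yields four commands, the failed one none.
NET=echo
if sid=$(share_acl_sid "$SAMPLE_OK"); then configure_share "$sid"; fi
if sid=$(share_acl_sid "$SAMPLE_FAIL"); then configure_share "$sid"; else
    echo "lookup failed, share not created" >&2
fi
```

On the file server, drop the `NET=echo` line and pass the live `wbinfo -n "WINAD\Domain Admins"` output to share_acl_sid; a non-zero exit there is the signal to check the trust and winbind before touching the share, not to proceed with the remaining lines.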
A new dialog opens to define the share; it asks for the user's password. Use administrator as the user and the password "Secret123":
You will find the contents of "/linuxshare" available; the file that we created, "IdM-rocks", will be there and accessible. You can create folders on Windows and check them back on idm-server.example.com.
Now the administrator user can log in to the Linux machines without a password. Remember that we did not configure Host Based Access Control, so all users can log in to all servers; it is not recommended to run this configuration in production. In the next lab we will have HBAC configured, and it will show how to define new rules and examine the existing ones.
On the Windows Desktop you will find putty (an ssh client); use idm-client.example.com as the Host Name:
Reference:
Red Hat Documentation: Windows Integration Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html
Lab 7: Host Based Access Control - HBAC
Target server: idm-server.example.com, idm-client.example.com and idm-access.example.com
Access: ssh root@idm-server.example.com, ssh root@idm-client.example.com and ssh root@idm-access.example.com
In this lab we will restrict/allow access based on the host groups that we defined in the previous labs. By default IdM ships an allow-all permission (the allow_all HBAC rule) covering all resources; we could have disabled it at installation time through --no-hbac-allow.
Disable the default allow_all rule through the web interface. Until it is disabled, every rule added below is redundant: HBAC rules only grant, never deny, and a login is permitted as soon as any enabled rule matches.
We want to grant access permissions to users in the "servers" group to access all machines, considering the following:
• Users in the "servers" group can access the "restricted" host group servers.
• Users in the "clients" group can log in to the "access" host group only.
• Which login services can be accessed.
• Setting Host-Based Access Control rules.
- An HBAC rule named "access-rule", created through the web interface.
Click on the access-rule HBAC rule and add the users or user groups that this rule will apply to.
Add the "clients" users group to the access-rule in the WHO field.
Now we want to add the services that will be allowed; select the sshd and login services:
• In the previous steps we created the access-rule that allows the "clients" users group to access servers in the "access" host group. Since the access host group has no server other than idm-access.example.com, we allowed access to idm-access.example.com, or to any server that is later added to this host group.
• Create an additional HBAC rule named restricted-rule that allows the "servers" users group to access servers in the "restricted" host group, using the same steps used to create the access-rule: add the "servers" user group, the "restricted" host group, and the sshd and login services.
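The evaluation model behind those two rules, as an added example (not the lab's code): a minimal HBAC evaluator with the lab's memberships and rules encoded as data. It shows the allow-only semantics, why nothing is restricted while allow_all is still enabled, and that a service outside the rule's list (here ftp) is denied even to an allowed user on an allowed host. The membership tables are constructed to match the lab; on the real server `ipa hbactest --user=jsmith --host=idm-client.example.com --service=sshd` answers the same question from live data, and `ipa hbacrule-disable allow_all` is the command-line equivalent of the web UI step above.

```sh
#!/bin/sh
# Added example, not the lab guide's own code: a minimal evaluator for the
# lab's HBAC rules. IdM's HBAC is allow-only: a login is granted as soon as
# any enabled rule matches the (user, host, service) triple, and the
# built-in allow_all rule matches everything, so the specific rules below
# only take effect once allow_all is disabled. Memberships and rules are
# constructed to match the lab; on a real server
#   ipa hbactest --user=jsmith --host=idm-client.example.com --service=sshd
# answers the same question from live data.

# user -> user group, and host -> host group memberships (constructed).
USER_GROUPS='jsmith clients
mwell servers'
HOST_GROUPS='idm-access.example.com access
idm-client.example.com restricted'

# Enabled rules: name usergroup hostgroup services (comma-separated).
HBAC_RULES='access-rule clients access sshd,login
restricted-rule servers restricted sshd,login'

# Whether the default allow_all rule is still enabled (the lab disables it).
ALLOW_ALL_ENABLED=${ALLOW_ALL_ENABLED:-FALSE}

# member_of TABLE NAME GROUP -> 0 if NAME is listed in GROUP.
member_of() {
    printf '%s\n' "$1" | awk -v n="$2" -v g="$3" \
        '$1 == n && $2 == g { found = 1 } END { exit !found }'
}

# hbac_allowed USER HOST SERVICE -> prints the name of the first matching
# rule and returns 0; prints nothing and returns 1 when no rule matches.
hbac_allowed() {
    u=$1; h=$2; s=$3
    if [ "$ALLOW_ALL_ENABLED" = TRUE ]; then
        echo allow_all
        return 0
    fi
    printf '%s\n' "$HBAC_RULES" | {
        while read -r name ugroup hgroup services; do
            member_of "$USER_GROUPS" "$u" "$ugroup" || continue
            member_of "$HOST_GROUPS" "$h" "$hgroup" || continue
            case ",$services," in
                *",$s,"*) echo "$name"; exit 0 ;;
            esac
        done
        exit 1
    }
}

# Demo: the four combinations the lab sets up, plus a service not in any rule.
for triple in 'jsmith idm-access.example.com sshd' \
              'jsmith idm-client.example.com sshd' \
              'mwell idm-client.example.com login' \
              'mwell idm-access.example.com sshd' \
              'jsmith idm-access.example.com ftp'; do
    set -- $triple
    if rule=$(hbac_allowed "$1" "$2" "$3"); then
        echo "ALLOW $1@$2 via $3 ($rule)"
    else
        echo "DENY  $1@$2 via $3"
    fi
done
```

Setting ALLOW_ALL_ENABLED=TRUE before running it reproduces the state the lab starts from: every triple is allowed, including ftp, which is exactly what the "disable allow_all first" step prevents. The evaluator only models group-based rules; real rules can also use user, host and service categories set to "all", which hbactest handles.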
Lab 8: IdM Roles Management
IdM role management defines the rights or permissions that users have been granted to perform operations within IdM on other users or objects:
• Who can perform the operation.
• What can be accessed.
• What type of operation can be performed.
• Existing predefined roles.
Role-based access control grants a very different kind of authority to users compared to self-service and delegation access controls. Role-based access controls are fundamentally administrative, with the potential to, for example, add, delete, or significantly modify entries.
In this lab we will provide privileges to mwell or his group to change his/their group membership.
Open the "IPA Server" tab in the top menu, and select the "Role Based Access Control" subtab.
Click the "Add" link at the top of the list of role-based ACIs:
Enter the role name and a description:
Click the "Add and Edit" button to save the new role and go to its configuration page.
Click on the role that you just created, then click on "Add".
Select the users on the left and use the ">" button to move them to the "Prospective" column.
At the top of the "Privileges" tab, click "Add".
Select the privileges on the left and use the ">" button to move them to the "Prospective" column.
Click the "Add" button to save.
Log out the admin user, and log in as user mwell. Navigate to "Network Services", then the DNS subtab, then click on example.com. Once the example.com resources are listed, click on "Add":
We need to test that user "mwell" can add new records; create a new record "notify".
Lab 9: IdM Replication
Target server: idm-server.example.com and idm-replica.example.com
Access: ssh root@idm-server.example.com, ssh root@idm-replica.example.com
On idm-replica.example.com run:
yum install ipa-server bind-dyndb-ldap
On
Lab 10: Services and Keytabs
Target server: idm-access.example.com (the service host) and idm-client.example.com
Access: ssh root@idm-access.example.com, ssh root@idm-client.example.com
Log in to the idm-access machine:
yum install httpd mod_nss mod_wsgi mod_auth_kerb ipa-admintools
Prepare the content for idm-access:
cp workshop.conf /etc/httpd/conf.d/workshop.conf
cp workshop.wsgi /var/www/cgi-bin/workshop.wsgi
chmod +x /var/www/cgi-bin/workshop.wsgi
Create the IPA service entry for idm-access:
kinit admin
Password for admin@EXAMPLE.COM:
ipa service-add HTTP/`hostname`
ipa service-show HTTP/`hostname`
Retrieve a keytab for the httpd service on idm-access (each ipa-getkeytab run generates a new key for the principal, so any other copy of this keytab stops working):
ipa-getkeytab -p HTTP/`hostname` -k http.keytab -s idm-server.example.com
klist -kt http.keytab
Configure idm-access to use the keytab:
mv http.keytab /etc/httpd/conf/
chown apache:apache /etc/httpd/conf/http.keytab
chmod 0400 /etc/httpd/conf/http.keytab
service httpd restart
Access idm-client and run:
yum install firefox xorg-x11-xinit.x86_64
exit
ssh -Y root@idm-client.example.com
firefox
In Firefox, access idm-access.example.com/test; when you exit Firefox check:
klist
It might not work because SELinux denies httpd access to the keytab. The cause is that mv preserves the file's SELinux context, so the keytab still carries the label it received in /root rather than the httpd_config_t label that files under /etc/httpd/conf/ get; running restorecon on the file resets the label and needs no custom policy. If you take the audit2allow route below instead, read the generated http-keytab.te before loading it: the module allows every access to httpd_t that was denied in the log, not only the keytab read.
cd /root
grep httpd_t /var/log/audit/audit.log | audit2allow -m http-keytab > http-keytab.te
grep httpd_t /var/log/audit/audit.log | audit2allow -M http-keytab
semodule -i http-keytab.pp
Now check again in Firefox; after authentication it should print:
Hello!
Received connection from 192.168.10.11
AH! Kerberos authentication works!
Remote user is admin@EXAMPLE.COM