Summit IdM Lab User Guide 2015


  • 8/18/2019 Summit IdM Lab User Guide 2015


Table of Contents

Lab Overview ......................................................... 3
Background ........................................................... 3
  Red Hat Enterprise Linux Identity Management Overview .............. 3
  Red Hat Enterprise Linux Identity Management Benefits: ............. 4
    Enhances Security ................................................ 4
    Provides eSSO (enterprise Single Sign-on) ........................ 4
    Centralizes Administration and Control ........................... 4
    Implements Standards-Based Integrated Components ................. 4
    Reduces costs .................................................... 4
  IdM Features ....................................................... 4
IdM Lab Environment Details .......................................... 5
IdM Lab objectives ................................................... 5
Lab 1: Server Installation ........................................... 6
Lab 2: Users and Password Policies ................................... 9
Lab 3: Two Factor Authentication ..................................... 11
Lab 4: Client Installation ........................................... 14
Lab 5: User Groups and Host Groups Management ........................ 16
Lab 6: Integrating IdM with Active Directory ......................... 20
Lab 7: Host Based Access Control - HBAC .............................. 28
Lab 8: IdM Roles Management .......................................... 32
Lab 9: IdM Replication ............................................... 37
Lab 10: Services and Keytabs ......................................... 38

Red Hat Summit Labs


Red Hat Summit 2015 - Red Hat Enterprise Linux Identity Management

Lab Overview

This lab guide assumes that you're following instructor-led training; the lab guide will try to simulate real-life tasks and scenarios. It goes through a number of labs that will enable you to create a fully functional environment using Red Hat Enterprise Linux IdM. You will also explore IdM features such as users, groups, policies and access control rules management. The purpose is to give you a basic hands-on overview of Red Hat Enterprise Linux Identity Management and how the components fit together. It will use a combination of command-line tools and the IdM web interface. This lab is prepared to run on a lab environment whose setup is described in the Lab Environment section of this document.

Your instructor will provide you with any additional information that you will require, primarily the lab setup and required scenarios.

Background

Red Hat Enterprise Linux Identity Management Overview

Red Hat Enterprise Linux IdM is a way to create identity stores, centralized authentication, domain control for Kerberos and DNS services, and authorization policies, all on Linux systems, using native Linux tools. It also supports Linux/Unix domains.

www.redhat.com  Copyright © 2015 Red Hat, Inc. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, and JBoss are trademarks of Red Hat, Inc., registered in other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.


Red Hat Enterprise Linux Identity Management Benefits:

Enhances Security
Centralizes authentication, authorization and fine-grained access control for UNIX/Linux environments.

Provides eSSO (enterprise Single Sign-on)
Enables users to access many different enterprise resources after their initial log-in without having to type user name and password again and again.

Centralizes Administration and Control
Allows administrators to easily consolidate and manage identity servers in a UNIX/Linux environment, with the option to interoperate with Active Directory.

Implements Standards-Based Integrated Components
Integrates the capabilities of Kerberos, LDAP, DNS and x.509 certificates into a simple identity management solution.

Reduces costs
Can replace third-party user directories or Identity Management solutions.

IdM Features

• Integrated, native user, host, and service authentication and access control.
• Consistent and manageable identity management for Linux and Unix systems.
• Interoperability with Microsoft Active Directory domains.
• Standards-based, trusted technologies.
• Easier and clearer to implement, maintain, and understand authentication and access control policies.
• Flexible access control rules based on sudo rules, host-based rules, and other criteria.
• Consistent and universal password policies for users.
• Integrate established Linux/Unix services like NFS, automount, NIS, …


IdM Lab Environment Details

Element                    URL                                 Username        Password
IdM Server                 http://idm-server.example.com       admin           password
IdM Server                 ssh: idm-server.example.com         root            redhat
IdM Client                 ssh: idm-client.example.com         root            redhat
IdM access/evaluation      ssh: idm-access.example.com         root            redhat
IdM Replication            ssh: idm-replica.example.com        root            redhat
Windows Active Directory   Virtual Machine Console             administrator   Secret123

IdM Lab objectives

Deploy both client and server for centralized and highly available authentication using Red Hat Enterprise Linux Identity Management (IdM), provide a working central authentication server, and implement additional access controls and sudo rules for the client and access machines.


Note: Make sure that all virtual machines starting with 'IdM-' are running. After finishing Lab 1, you can start the Windows-DC machine which is running the Active Directory.

Lab 1: Server Installation

Target server: idm-server.example.com
Access: ssh root@idm-server.example.com

• Log into idm-server.example.com via ssh.
• Make sure that the hosts file is properly configured; you should find this line:

    cat /etc/hosts | grep idm
    192.168.10.10 idm-server.example.com idm-server

• Install the IdM packages:

    yum -y install bind-dyndb-ldap ipa-server

• Run as root:

    [root@idm-server ~]# ipa-server-install --setup-dns --ssh-trust-dns \
    --mkhomedir

• When you are prompted with these questions, use the respective answers:

    Existing BIND configuration detected, overwrite? [no]: yes
    Server host name [idm-server.example.com]: Press Enter
    Please confirm the domain name [example.com]: Press Enter
    Please provide a realm name [EXAMPLE.COM]: Press Enter
    Directory Manager password:
    Password (confirm):


    Domain name: example.com
    Realm name: EXAMPLE.COM
    BIND DNS server will be configured to serve IPA domain with:
    Forwarders: 8.8.8.8
    Reverse zone: 10.168.192.in-addr.arpa.

After installation: check the IdM web interface via idm-server.example.com, using the admin username and password.

• Check the main IPA configuration: /etc/ipa/default.conf (base DN, realm).
• Obtain a Kerberos ticket:

    kinit admin
    klist

• Check the automatically created DNS records (A, SRV):

    ipa dnszone-find
    ipa dnsrecord-find --name=idm-server --all
    Zone name: example.com
    Active zone: TRUE


• Check IdM server defaults:

    ipa config-show
    ipa config-mod --defaultshell=/bin/bash


Lab 2: Users and Password Policies

Target server: idm-server.example.com
Access: ssh root@idm-server.example.com

1. Add new users (create a username of your choice in prompt mode), then run the other commands:

    ipa user-add
    ipa user-add --first=John --last=Smith jsmith
    ipa user-add --first=Matt --last=Well --manager=jsmith \
    --email=mwell@example.com --homedir=/home/mwell mwell

2. Modify user attributes:

    ipa user-mod jsmith --addattr=departmentnumber=101
    ipa user-show jsmith --all
    ipa user-mod mwell --title="System Engineer"

3. Modify the users' passwords as admin:

    ipa user-mod mwell --password
    ipa user-mod jsmith --password

4. Check whether the system recognizes the users:

    id jsmith
    getent group mwell

5. Check the default password policies:

    ipa help ppolicy
    ipa ppolicy-show
    ipa ppolicy-mod --maxlife=60

6. As jsmith, login via ssh to idm-server; you will be prompted to change the password the first time.

7. As admin:

    ipa ppolicy-mod --minlife=0 --maxfail=3
    ipa ppolicy-show

8. As mwell, login to the idm-server, change the first-time password, and then change the password with 'ipa passwd'; it will succeed as we changed the minimum lifetime of users' passwords.

9. On the Web UI check the following:

• Add a user.
• Check password expiry.
• Edit user details.

Reference: Red Hat Documentation: Managing User Groups


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/user-groups.html


Lab 3: Two Factor Authentication

Log out from the admin session, login with jsmith, then navigate to OTP Tokens, then click on Add. In the Add O

On the smartphone, open FreeO


Lab 4: Client Installation

Target server: idm-client.example.com and idm-access.example.com
Access: ssh root@idm-client.example.com

• Check that resolv.conf on both servers points to the IdM server (192.168.10.10):

    echo "nameserver 192.168.10.10" > /etc/resolv.conf
    cat /etc/resolv.conf
    nameserver 192.168.10.10

• Verify that the idm-client/idm-access resolvers are pointing to idm-server:

    dig example.com
    example.com. 3600 IN SOA idm-server.example.com. hostmaster.example.com. 1396857706 3600 900 1209600 3600

• Install the IdM client (sssd):

    yum install ipa-client

• On the IdM server, make sure that PTR records are created/updated on new client installations:

    ipa dnszone-mod example.com --allow-sync-ptr=TRUE


• Some adjustment.
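Before ipa-server-install (Lab 1) and ipa-client-install (this lab) the guide has you confirm two things by eye: the /etc/hosts line for the IdM server and the nameserver on each client. The following is an added example, not part of the lab guide, that scripts those two checks as shell functions. The sample hosts and resolv.conf contents are constructed here; the address and names are the ones the guide uses, and the functions take the file path as an argument so they can be pointed at the real /etc/hosts and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not from the lab guide): pre-install checks for the two
# prerequisites the guide verifies by eye. The sample files are constructed.

# make_samples HOSTS_FILE RESOLV_FILE: write constructed copies of the two files.
make_samples() {
  cat > "$1" <<'EOF'
127.0.0.1   localhost
192.168.10.10 idm-server.example.com idm-server
EOF
  cat > "$2" <<'EOF'
search example.com
nameserver 192.168.10.10
EOF
}

# check_hosts_entry FILE IP FQDN SHORT
# Succeeds only if FILE maps IP to both the FQDN and the short name, which is
# what ipa-server-install expects before it takes over DNS for the domain.
check_hosts_entry() {
  awk -v ip="$2" -v fqdn="$3" -v short="$4" '
    $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
    END { if (f && s) exit 0; exit 1 }' "$1"
}

# check_resolver FILE IP
# Succeeds only if the FIRST nameserver in FILE is the IdM server. A client
# whose first resolver is some other DNS server will not find the SRV records
# the client install relies on, even if the IdM server is listed later.
check_resolver() {
  first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  [ "$first" = "$2" ]
}
```

On a lab machine the calls are `check_hosts_entry /etc/hosts 192.168.10.10 idm-server.example.com idm-server` and `check_resolver /etc/resolv.conf 192.168.10.10`; a non-zero exit means fix the file before installing.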

     


Lab 5: User Groups and Host Groups Management

Target server: idm-server.example.com
Access: ssh root@idm-server.example.com

Activities for this lab:

• Create a users group (either through the command line or the Web UI).
• Adding group members.
• Deleting a users group.
• Explore IdM group management through the command line: a new group named servers will be added, then user mwell will be made a member of servers; another group named clients is added, and finally jsmith is added to the clients group:

    ipa group-add --desc="users server group" servers
    ipa group-add-member servers --users=mwell
    ipa group-add --desc="users client group" clients
    ipa group-add-member clients --users=jsmith
    ipa group-find
    ipa group-del <group name>
    ipa help group

On the Web UI check the following:


As required, create new host groups called 'restricted' and 'access':

Now that the host group is created, click on 'restricted' to add the hosts.


Lab 6: Integrating IdM with Active Directory

Target server: idm-server.example.com, idm-client.example.com and winad.example.com
Access: ssh root@idm-server.example.com, ssh root@idm-client.example.com and console access to winad.example.com

One of the available machines is running Windows Active Directory; the machine is ready with AD. Make sure that you have access to the Windows machine using username 'administrator' with password 'Secret123'. We will also install the AD trust and winbind clients.


Running the dnscmd command should return the same output:

On the Windows Desktop you will find a DNS icon (shortcut) which opens the DNS service on Windows. We want to verify the new resources created: double-click on the DNS icon and follow the DNS tree as shown below:

Verify that the SRV records are resolvable on the IdM server:

    [root@idm-server ~]# dig SRV _ldap._tcp.winad.example.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.1 <<>> SRV _ldap._tcp.winad.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode:

We can verify that the record was added to LDAP using ldapsearch:

    ldapsearch -Y GSSAPI -b cn=dns,dc=example,dc=com idnsname=example.com.


      Group name: ad_admins_external
      Description: ad_domain admins external map

Create a POSIX-compliant group to be linked to the external group:

    [root@idm-server ~]# ipa group-add --desc="ad_domain admins" ad_admins
    -----------------------
    Added group "ad_admins"
    -----------------------
      Group name: ad_admins
      Description: ad_domain admins
      GID: 1861200012

Add members of Domain Admins to the created IdM group:

    [root@idm-server ~]# ipa group-add-member ad_admins_external --external \
    "WINAD\Domain Admins"
    [member user]: Press Enter
    [member group]: Press Enter
      Group name: ad_admins_external
      Description: ad_domain admins external map
      External member: S-1-5-21-1850929294-2263411558-1060893033-512
    -------------------------
    Number of members added 1
    -------------------------

Add members from the external AD group to the IdM POSIX-compliant group:

    [root@idm-server ~]# ipa group-add-member ad_admins --group ad_admins_external
      Group name: ad_admins
      Description: ad_domain admins
      GID: 1861200016
      Member groups: ad_admins_external
      -------------------------
      Number of members added 1


Now it is testing time; wbinfo will retrieve the SID associated with the name specified:

    kinit admin
    kvno -S HTTP `hostname`
    ipa trust-show winad.example.com
    kdestroy
    klist
    kinit Administrator@WINAD.EXAMPLE.COM
    klist
    kvno -S cifs dc.winad.example.com
    wbinfo -n "WINAD\Domain Admins"
    S-1-5-21-66505577-848503339-3105483033-512 SID_DOM_GROUP

We can create a shared disk for AD Admins; these commands will create a new directory '/linuxshare' and make it available to AD admins:

    mkdir /linuxshare
    SID=`wbinfo -n "WINAD\Domain Admins"|awk '{print $1}'`
    net conf setparm "share" "comment" "Trust test share"
    net conf setparm "share" "read only" "no"
    net conf setparm "share" "valid users" "$SID"
    net conf setparm "share" "path" "/linuxshare"
    cd /linuxshare
    touch IdM-rocks
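The share commands above take whatever the first field of the wbinfo output is and write it straight into "valid users". The following is an added example, not part of the lab guide, that keeps the guide's awk extraction but validates the value before emitting the net conf commands: if winbind cannot resolve the name, wbinfo prints an error instead of a SID, and an unchecked pipeline would put that first word into the share configuration. The two wbinfo output lines are constructed; the SID is the one the guide prints for WINAD\Domain Admins.

```shell
#!/bin/sh
# Added example (not from the lab guide): extract and validate the group SID
# before using it in the Samba "valid users" setting. Sample lines are constructed.

# Constructed stand-ins for `wbinfo -n "WINAD\Domain Admins"` output: one
# successful lookup and one failure (winbind could not reach the domain).
WBINFO_OK='S-1-5-21-1850929294-2263411558-1060893033-512 SID_DOM_GROUP (2)'
WBINFO_ERR='failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND'

# sid_from_wbinfo LINE: the first field, exactly as the guide's awk '{print $1}'.
sid_from_wbinfo() {
  printf '%s\n' "$1" | awk '{print $1}'
}

# is_sid VALUE: true only for a well-formed SID S-1-<authority>-<sub>...-<rid>
# with at least a domain identifier and a RID.
is_sid() {
  printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+){2,}$'
}

# rid_of SID: the last component (512 is the well-known RID of Domain Admins).
rid_of() {
  printf '%s\n' "$1" | sed 's/.*-//'
}

# share_params SID: print the guide's net conf setparm commands for the share,
# refusing to emit anything unless SID is well formed.
share_params() {
  is_sid "$1" || { echo "refusing: '$1' is not a SID" >&2; return 1; }
  cat <<EOF
net conf setparm "share" "comment" "Trust test share"
net conf setparm "share" "read only" "no"
net conf setparm "share" "valid users" "$1"
net conf setparm "share" "path" "/linuxshare"
EOF
}
```

On the IdM server the real input comes from `wbinfo -n "WINAD\Domain Admins"`; `share_params "$(sid_from_wbinfo "$(wbinfo -n 'WINAD\Domain Admins')")" | sh` would then apply the settings only when a SID was actually returned.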

… Windows Admins; later we can make user shares available if needed. On Windows machines open Computer, then map the share to a Windows drive following the same procedures:


A new dialog will open to define the share; it will ask for the user password. Use administrator as the user; the password is 'Secret123':

You will find the contents of '/linuxshare' available, and the file that we created, 'IdM-rocks', will be accessible there. You can create folders on Windows and check them back on idm-server.example.com.

Now the administrator user can login to the Linux machines without passwords. Remember that we didn't configure Host Based Access Control, so all users can login to all servers; it is not recommended to run this configuration in production. In the next lab we will have HBAC configured, and it will show how to define new rules and examine the existing rules.


On the Windows Desktop you will find PuTTY (an ssh client); use idm-client.example.com as the Host Name:

Reference: Red Hat Documentation: Windows Integration Guide
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html


Lab 7: Host Based Access Control - HBAC

Target server: idm-server.example.com, idm-client.example.com and idm-access.example.com
Access: ssh root@idm-server.example.com, ssh root@idm-client.example.com and ssh root@idm-client.example.com

In this lab we will restrict/allow access based on the host groups that we defined in the previous labs. By default IdM has an allow-all access permission to all resources; we could have disabled it at installation time through --no-hbac-allow.

Disable the default allow_all rule through the web interface.


We want to grant access permissions to users in the 'servers' group to access all machines, considering the following:

• Users in the 'servers' group can access the 'restricted' host group servers.
• Users in the 'clients' group can login into the 'access' host group only.
• What login services can be accessed.
• Setting Host-Based Access Control rules.

• HBAC rule with name 'access-rule' through the web interface.


Click on the access-rule HBAC rule and add the users or user groups that this rule will be applied to.

Add the 'clients' users group to the access-rule in the WHO field.


Now we want to add the services that will be allowed; select the sshd and login services:

• In the previous steps we created the access-rule that will allow the 'clients' users group to access servers in the 'access' host group. Since the access host group doesn't have any other server except idm-access.example.com, we allowed access to idm-access.example.com or any server that will be added to this host group.
• Create an additional HBAC rule with name restricted-rule that allows the 'servers' users group to access servers in the 'restricted' host group, using the previous steps used to create the access-rule. So the steps are: adding the 'servers' user group, accessing the 'restricted' host group, and services via 'sshd' and 'login'.
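The two rules above only behave as intended because the allow_all rule was disabled first: HBAC is deny-by-default, and a login is permitted only when some enabled rule matches the user (through a user group), the host (through a host group) and the service. The following is an added example, not part of the lab guide, that models that evaluation in shell over constructed tables mirroring the objects of Labs 5 and 7 (groups servers/clients, host groups restricted/access, rules access-rule/restricted-rule). The function and table names are this example's own; on the real server the equivalent check is `ipa hbactest --user ... --host ... --service ...`.

```shell
#!/bin/sh
# Added example (not from the lab guide): a model of IdM HBAC evaluation over
# constructed membership tables and rules that mirror this lab's objects.

# user-group memberships, one "group user" pair per line (constructed, Lab 5)
USER_GROUPS='servers mwell
clients jsmith'

# host-group memberships, one "hostgroup host" pair per line (constructed, Lab 5)
HOST_GROUPS='restricted idm-client.example.com
access idm-access.example.com'

# rules: name|usergroup|hostgroup|services(comma-separated)|enabled (constructed, Lab 7)
HBAC_RULES='access-rule|clients|access|sshd,login|1
restricted-rule|servers|restricted|sshd,login|1'

# 1 models the default allow_all rule still being enabled; 0 is the state after
# the lab disables it.
HBAC_ALLOW_ALL=${HBAC_ALLOW_ALL:-0}

# in_table TABLE KEY MEMBER: exact match of the line "KEY MEMBER".
in_table() {
  printf '%s\n' "$1" | grep -Fqx "$2 $3"
}

# has_service LIST SERVICE: is SERVICE one of the comma-separated LIST entries?
has_service() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -Fqx "$2"
}

# hbac_allowed USER HOST SERVICE: print the name of the first rule that grants
# access and return 0; return 1 (deny) when no enabled rule matches all three.
hbac_allowed() {
  if [ "$HBAC_ALLOW_ALL" = 1 ]; then echo allow_all; return 0; fi
  printf '%s\n' "$HBAC_RULES" | {
    while IFS='|' read -r name ugroup hgroup services enabled; do
      [ "$enabled" = 1 ] || continue
      if in_table "$USER_GROUPS" "$ugroup" "$1" \
         && in_table "$HOST_GROUPS" "$hgroup" "$2" \
         && has_service "$services" "$3"; then
        echo "$name"; exit 0
      fi
    done
    exit 1
  }
}
```

With the tables as constructed, jsmith reaches idm-access.example.com over sshd through access-rule but is denied on idm-client.example.com, mwell is the reverse, and an unlisted service such as ftp is denied to everyone; setting HBAC_ALLOW_ALL=1 reproduces the "everyone can login everywhere" state the previous lab warned about.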


Lab 8: IdM Roles Management

IdM Role Management provides rights or permissions that users have been granted to perform operations within IdM on other users or objects:

• Who can perform the operation.
• What can be accessed.
• What type of operation can be performed.
• Existing predefined roles.

Role-based access control grants a very different kind of authority to users compared to self-service and delegation access controls. Role-based access controls are fundamentally administrative, with the potential to, for example, add, delete, or significantly modify entries.

In this lab we will provide privileges to mwell or his group to change his/their group membership.

Open the 'IPA Server' tab in the top menu, and select the 'Role Based Access Control' subtab.

Click the 'Add' link at the top of the list of role-based ACIs:


Enter the role name and a description:

Click the 'Add and Edit' button to save the new role and go to the configuration page.

Click on the role that you just created, then click on 'Add'.


Select the users on the left and use the '>>' button to move them to the 'Prospective' column.

At the top of the 'Privileges' tab, click 'Add'.


Select the privileges on the left and use the '>' button to move them to the 'Prospective' column.

Click the 'Add' button to save.


Log out the admin user, and login as the mwell user. Navigate through 'Network Services', then the DNS subtab menu, then click on example.com. After the example.com resources are shown, click on 'Add':

We need to test that user 'mwell' can add new records; create a new record 'notify'.


Lab 9: IdM Replication

Target server: idm-server.example.com and idm-replica.example.com
Access: ssh root@idm-server.example.com ssh root@idm-replica.example.com

On idm-replica.example.com run:

    yum install ipa-server bind-dyndb-ldap

On


Lab 10: Services and Keytabs

Target server: idm-server.example.com or idm-client.example.com
Access: ssh root@idm-server.example.com ssh root@idm-client.example.com

Log in to the idm-access machine:

    yum install httpd mod_nss mod_wsgi mod_auth_kerb ipa-admintools

Prepare content for idm-access:

    cp workshop.conf /etc/httpd/conf.d/workshop.conf
    cp workshop.wsgi /var/www/cgi-bin/workshop.wsgi
    chmod +x /var/www/cgi-bin/workshop.wsgi

Create the IPA service entry for idm-access:

    kinit
    Password for admin@EXAMPLE.COM:
    ipa service-add HTTP/`hostname`
    ipa service-show HTTP/`hostname`

Retrieve a keytab for the httpd service on idm-access:

    ipa-getkeytab -p HTTP/`hostname` -k http.keytab -s idm-server.example.com
    klist -kt http.keytab

Configure idm-access to use the keytab:

    mv http.keytab /etc/httpd/conf/
    chown apache:apache /etc/httpd/conf/http.keytab
    chmod 0400 /etc/httpd/conf/http.keytab
    service httpd restart

Access idm-client and run:

    yum install firefox xorg-x11-xinit.x86_64
    exit
    ssh root@idm-client.example.com -X
    firefox

In Firefox, access idm-access.example.com/test; when you exit Firefox, check:

    klist


It might not work, as SELinux will deny httpd access to the keytab:

    cd /root
    grep httpd_t /var/log/audit/audit.log | audit2allow -m http-keytab > http-keytab.te
    grep httpd_t /var/log/audit/audit.log | audit2allow -M http-keytab
    semodule -i http-keytab.pp

Now check again in Firefox; after authentication it should print:

    Hello!
    Received connection from 192.168.10.11
    Kerberos authentication works!
    Remote user is admin@EXAMPLE.COM
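Two points in this lab deserve a check rather than trust: the keytab must end up owned by apache and mode 0400 (a keytab readable by other local users lets them act as the HTTP service), and the "grep httpd_t audit.log | audit2allow" step should be preceded by actually reading which access was denied, so a policy module is not generated blindly. The following is an added example, not part of the lab guide, with two shell functions for those checks; the audit log lines are constructed in the format of audit.log AVC records, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lab guide): post-install checks for the keytab
# step of this lab. The audit log sample below is constructed.

# check_keytab_perms FILE OWNER: true only if FILE exists, is mode exactly
# 0400 and is owned by OWNER (the guide uses apache).
check_keytab_perms() {
  [ -f "$1" ] && [ -n "$(find "$1" -perm 0400 -user "$2" -print 2>/dev/null)" ]
}

# Constructed audit.log excerpt: one httpd_t denial on the keytab, one granted
# access, and one denial for an unrelated domain (sshd_t).
AUDIT_SAMPLE='type=AVC msg=audit(1434000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="http.keytab" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1434000001.456:46): avc:  granted  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1434000002.789:47): avc:  denied  { write } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_denials FILE DOMAIN: print "permission tclass name tcontext" for each
# AVC denial whose source domain is DOMAIN (e.g. httpd_t). Granted records and
# other domains are skipped, so the output is exactly what a module built with
# audit2allow would end up permitting.
avc_denials() {
  awk -v dom="$2" '
    /type=AVC/ && /avc:  denied/ && $0 ~ ("scontext=[^ ]*:" dom ":") {
      perm = ""; name = ""; tclass = ""; tctx = ""
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     name   = substr($i, 6)
        if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        if ($i ~ /^tcontext=/) tctx   = substr($i, 10)
      }
      gsub(/"/, "", name)
      print perm, tclass, name, tctx
    }' "$1"
}
```

On idm-access the calls are `check_keytab_perms /etc/httpd/conf/http.keytab apache` and `avc_denials /var/log/audit/audit.log httpd_t`; if the only denial listed is a read of http.keytab in httpd_config_t, the audit2allow module from the lab is scoped to what was intended.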