User Tools
решение_freeipa
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
решение_freeipa [2025/10/02 11:58] val [Инициализация клиента] |
решение_freeipa [2025/10/02 18:18] (current) val [Управление сертификатами] |
||
|---|---|---|---|
| Line 109: | Line 109: | ||
| </code> | </code> | ||
| - | ===== Инициализация клиента ===== | + | ===== Установка и инициализация клиента ===== |
| * [[https://www.altlinux.org/FreeIPA/Клиент]] | * [[https://www.altlinux.org/FreeIPA/Клиент]] | ||
| Line 115: | Line 115: | ||
| <code> | <code> | ||
| # apt update && apt install freeipa-client | # apt update && apt install freeipa-client | ||
| + | |||
| + | # #kinit admin | ||
| gate# ipa-client-install --mkhomedir | gate# ipa-client-install --mkhomedir | ||
| Line 120: | Line 122: | ||
| client1# hostnamectl hostname client1.corp13.un | client1# hostnamectl hostname client1.corp13.un | ||
| + | clientN:~# cat /etc/hosts | ||
| + | </code><code> | ||
| + | 127.0.0.1 localhost | ||
| + | 127.0.1.1 client1.corp13.un clientN | ||
| + | </code><code> | ||
| client1# ipa-client-install --mkhomedir --enable-dns-updates | client1# ipa-client-install --mkhomedir --enable-dns-updates | ||
| - | gate# systemctl status sssd | + | # systemctl status sssd |
| - | [root@server ~]# ipa host-show gate | + | [root@server ~]# ipa host-show gate|client1 |
| + | |||
| + | [root@server ~]# host gate|client1 | ||
| + | </code> | ||
| + | |||
| + | ===== Управление пользователями ===== | ||
| + | <code> | ||
| + | [root@server ~]# ipa user-add user1 --first="Иван" --last="Иванов" --password | ||
| + | |||
| + | [root@server ~]# #ipa passwd user1 | ||
| </code> | </code> | ||
| ===== Создание service principal ===== | ===== Создание service principal ===== | ||
| + | |||
| + | * [[Установка, настройка и запуск пакета SQUID]] | ||
| + | |||
| <code> | <code> | ||
| + | # kinit admin | ||
| + | |||
| [root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un | [root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un | ||
| gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab | gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab | ||
| </code> | </code> | ||
| + | |||
| + | * [[Аутентификация доступа к SQUID#Копируем ключи в системный keytab]] | ||
| + | * [[Аутентификация доступа к SQUID#Настройка сервиса SQUID на использование GSSAPI]] | ||
| ===== Управление сертификатами ===== | ===== Управление сертификатами ===== | ||
| <code> | <code> | ||
| + | [root@server ~]# cat /etc/ipa/ca.crt | ||
| + | |||
| + | gate# ipa-getcert request -f /root/gate.crt -k /root/gate.key | ||
| + | </code> | ||
| + | * [[Пакет OpenSSL#Создание пользовательского сертификата, подписанного CA]] | ||
| + | <code> | ||
| + | client1# ipa cert-request --principal=user1 --certificate-out=user1.crt user1.req | ||
| + | </code> | ||
| + | |||
| + | <code> | ||
| + | |||
| server.corp13.un:~# cat /opt/freeipa-data/etc/ipa/ca.crt | server.corp13.un:~# cat /opt/freeipa-data/etc/ipa/ca.crt | ||
| Line 145: | Line 180: | ||
| - | gate.corp13.un:~# ipa-getcert request -f /root/gate.crt -k /root/gate.key -K host/gate.corp13.un | ||
| - | ###server.corp13.un:~# scp kube1:webd-k8s/webd.req /opt/freeipa-data/ | ||
| - | ---- | ||
| - | ldapsearch -x -b"dc=corp13,dc=un" -H ldap://server "uid=admin" | + | ###server.corp13.un:~# scp kube1:webd-k8s/webd.req /opt/freeipa-data/ |
| + | </code> | ||
| + | ===== Работа с LDAP ===== | ||
| + | <code> | ||
| + | [root@server ~]# ldapsearch -x -b"dc=corp13,dc=un" -H ldap://server "uid=admin" | ||
| </code> | </code> | ||
решение_freeipa.1759395487.txt.gz · Last modified: 2025/10/02 11:58 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
