User Tools
решение_freeipa
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
решение_freeipa [2025/11/14 10:16] val [Управление DNS] |
решение_freeipa [2025/12/29 08:57] (current) val [Динамический DNS] |
||
|---|---|---|---|
| Line 28: | Line 28: | ||
| # service docker restart | # service docker restart | ||
| - | docker run --userns=host ... | + | # ###docker run --userns=host ... |
| - | cat docker-compose.yml | + | # ###cat docker-compose.yml |
| ... | ... | ||
| userns_mode: 'host' | userns_mode: 'host' | ||
| ... | ... | ||
| - | docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream | + | # ###docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream |
| # ###rm -rf /opt/freeipa-data/ | # ###rm -rf /opt/freeipa-data/ | ||
| Line 137: | Line 137: | ||
| client1# hostnamectl hostname client1.corpX.un | client1# hostnamectl hostname client1.corpX.un | ||
| - | clientN:~# cat /etc/hosts | + | client1# cat /etc/hosts |
| </code><code> | </code><code> | ||
| 127.0.0.1 localhost | 127.0.0.1 localhost | ||
| Line 143: | Line 143: | ||
| </code><code> | </code><code> | ||
| client1# ipa-client-install --mkhomedir --enable-dns-updates | client1# ipa-client-install --mkhomedir --enable-dns-updates | ||
| + | ...: no | ||
| + | ...: yes | ||
| + | ...: admin | ||
| + | ...: ..... | ||
| # systemctl status sssd | # systemctl status sssd | ||
| Line 216: | Line 220: | ||
| ipa dnsrecord-add corpX.un keycloak --a-rec="192.168.X.64" | ipa dnsrecord-add corpX.un keycloak --a-rec="192.168.X.64" | ||
| + | sleep 5 | ||
| + | |||
| ipa host-add keycloak.corpX.un | ipa host-add keycloak.corpX.un | ||
| ipa service-add HTTP/keycloak.corpX.un | ipa service-add HTTP/keycloak.corpX.un | ||
| Line 224: | Line 230: | ||
| server# scp /opt/freeipa-data/keycloak.* kube1:/tmp/ | server# scp /opt/freeipa-data/keycloak.* kube1:/tmp/ | ||
| + | </code> | ||
| + | |||
| + | ==== Поддержка ACME ==== | ||
| + | |||
| + | * [[https://www.freeipa.org/page/V4/ACME|FreeIPA Automated Certificate Management Environment]] | ||
| + | |||
| + | <code> | ||
| + | [root@freeipa-server /]# | ||
| + | |||
| + | ipa-acme-manage enable | ||
| + | |||
| + | ipa-acme-manage status | ||
| </code> | </code> | ||
| ===== Управление DNS ===== | ===== Управление DNS ===== | ||
| <code> | <code> | ||
| - | [root@freeipa-server /]# kinit admin | + | server# ###docker exec -ti freeipa-server bash |
| + | [root@freeipa-server /]# kinit admin | ||
| + | </code><code> | ||
| ipa dnsrecord-add corpX.un kube1 --a-rec="192.168.X.221" | ipa dnsrecord-add corpX.un kube1 --a-rec="192.168.X.221" | ||
| ipa dnsrecord-add corpX.un kube2 --a-rec="192.168.X.222" | ipa dnsrecord-add corpX.un kube2 --a-rec="192.168.X.222" | ||
| Line 237: | Line 257: | ||
| * [[Авторизация с использованием LDAP сервера]] | * [[Авторизация с использованием LDAP сервера]] | ||
| + | |||
| + | ===== Динамический DNS ===== | ||
| + | |||
| + | * [[https://astrid.tech/2021/04/18/0/k8s-freeipa-dns/|How to set up Dynamic DNS on FreeIPA for your Kubernetes Cluster]] | ||
| + | * [[https://www.ipamworldwide.com/ipam/update-policy.html|BIND update-policy option]] | ||
| + | |||
| + | <code> | ||
| + | [root@freeipa-server ~]# tsig-keygen cert-manager | tee /data/etc/named/cert-manager.key | ||
| + | |||
| + | server.corp13.un:~# cat /opt/freeipa-data/etc/named/ipa-ext.conf | ||
| + | ... | ||
| + | include "/data/etc/named/cert-manager.key"; | ||
| + | |||
| + | [root@freeipa-server ~]# rndc reload | ||
| + | |||
| + | Политика обновления BIND | ||
| + | ...; grant cert-manager subdomain corp13.un. TXT; | ||
| + | |||
| + | [root@freeipa-server ~]# nsupdate -k /data/etc/named/cert-manager.key | ||
| + | server 127.0.0.1 | ||
| + | zone corp13.un | ||
| + | update add _acme-challenge.gitlab.corp13.un. 30 IN TXT "your_txt_record_data 1" | ||
| + | send | ||
| + | </code> | ||
| + | |||
| + | ===== Отладка ===== | ||
| + | |||
| + | * [[https://www.freeipa.org/page/Centralized_Logging|FreeIPA Centralized Logging]] | ||
| + | <code> | ||
| + | [root@freeipa-server /]# find /data/var/log/ -mmin -2 -type f -ls | ||
| + | </code> | ||
| ===== Дополнительные материалы ==== | ===== Дополнительные материалы ==== | ||
| Line 307: | Line 358: | ||
| 2025-09-29T05:28:56Z ERROR No valid Negotiate header in server response | 2025-09-29T05:28:56Z ERROR No valid Negotiate header in server response | ||
| 2025-09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information | 2025-09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information | ||
| + | </code> | ||
| + | ==== Черновик ==== | ||
| + | <code> | ||
| + | ipa dnsrecord-add corp26.un gitlab --a-rec="192.168.26.65" | ||
| + | sleep 5 | ||
| + | |||
| + | ipa host-add gitlab.corp26.un | ||
| + | ipa service-add HTTP/gitlab.corp26.un | ||
| + | |||
| + | rndc-confgen -a -A hmac-sha512 -k cert-manager -c /data/etc/named/cert-manager.key | ||
| + | [root@freeipa-server ~]# chown root:named /data/etc/named/cert-manager.key | ||
| + | [root@freeipa-server ~]# chmod 640 /data/etc/named/cert-manager.key | ||
| + | |||
| + | /data/etc/named/ipa-ext.conf | ||
| + | ... | ||
| + | include "/data/etc/named/cert-manager.key"; | ||
| + | |||
| + | grant cert-manager subdomain corp26.un ANY; | ||
| + | |||
| + | |||
| + | nsupdate -k /data/etc/named/cert-manager.key | ||
| + | server 127.0.0.1 | ||
| + | server 172.18.0.2 | ||
| + | zone corp26.un | ||
| + | update add _acme-challenge.gitlab.corp26.un. 30 IN TXT "your_txt_record_data 1" | ||
| + | send | ||
| + | |||
| + | update add test.corp26.un. 30 IN A 80.80.80.80 | ||
| + | |||
| + | freeipa TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY) | ||
| + | |||
| + | # > server 195.19.32.2 | ||
| + | # > zone _acme-challenge.anysite.bmstu.ru | ||
| + | # > update add _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1" | ||
| + | # > send | ||
| + | # > update del _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1" | ||
| + | # > send | ||
| + | # > quit | ||
| + | |||
| + | |||
| + | ==== | ||
| + | ipa dnsrecord-add corp26.un keycloak --a-rec="192.168.26.64" | ||
| + | sleep 5 | ||
| + | |||
| + | ipa host-add keycloak.corp26.un | ||
| + | ipa service-add HTTP/keycloak.corp26.un | ||
| + | |||
| + | openssl genrsa -out /data/keycloak.key 2048 | ||
| + | openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corp26.un/O=CORP26.UN' -addext 'subjectAltName=DNS:keycloak.corp26.un' -out /data/keycloak.req | ||
| + | ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corp26.un --certificate-out=/data/keycloak.crt | ||
| + | |||
| + | =============== | ||
| + | |||
| + | ipa dnsrecord-add corp26.un apwebd --a-rec="192.168.26.64" | ||
| + | sleep 5 | ||
| + | ipa host-add apwebd.corp26.un | ||
| + | ipa service-add HTTP/apwebd.corp26.un | ||
| </code> | </code> | ||
решение_freeipa.1763104562.txt.gz · Last modified: 2025/11/14 10:16 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
