How to set up a FreeIPA replica server

We assume that the primary IPA server [ipa01] is already installed and we want to add a replica [ipa02] to the environment.
First, install the required software on the replica.

[ipa02]# yum install freeipa-server

Next we need to add the replica server to the host group on the primary IPA server. The host is first enrolled as a client as follows

[ipa02]# ipa-client-install --mkhomedir

Details such as the REALM and domain are obtained from the DNS server.
Once the host is enrolled in the IPA realm, we also add the replica to the ipaservers group.

[ipa01]# ipa hostgroup-add-member ipaservers --hosts ipa02.dubnik.local
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: ipa01.dubnik.local, ipa02.dubnik.local
-------------------------
Number of members added 1

If the host was successfully added to the ipaservers group, we set up replication between the hosts.

[ipa02]# ipa-replica-install

Now the IPA servers ipa01 and ipa02 are replicated. To verify, we can check the host groups and create a user to see whether it appears on both servers.

How to disable the FreeIPA Kerberos auth popup window

When I open the FreeIPA web management UI in the Chrome browser, an unwanted popup window appears.

FreeIPA offers Kerberos SSO login. Chrome, however, does not offer this option, so it is not possible to log in this way. It only confuses the user, who does not know what to do since the login always fails. The solution is to add a few rewrite rules that work around the problem. Not clean, but in the end better than nothing.

Append the following directives to the end of the file /etc/httpd/conf.d/ipa-rewrite.conf

RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
RedirectMatch 401 ^/ipa/session/login_kerberos

And restart the service

# ipactl restart


All credits to http://jdshewey.blogspot.com/2017/08/fixing-annoying-popup-in-freeipa.html

FreeIPA HTTP GUI with a Let's Encrypt certificate

First, obtain a Let's Encrypt certificate. It is best to use the fullchain certificate directly.

# ls /etc/pki/tls/certs/fullchain.pem 
/etc/pki/tls/certs/fullchain.pem
# ls /etc/pki/tls/private/privkey.pem 
/etc/pki/tls/private/privkey.pem

To import the certificates successfully we also need the CA certificate and both intermediate certificates.
The certificates can be downloaded from the official Let's Encrypt page https://letsencrypt.org/certificates/
After downloading, all of them can be imported with the ipa-cacert-manage utility, which is part of the ipa-server package.
Import the CA certificate from https://letsencrypt.org/certificates/ and update the certstore.

#ipa-cacert-manage -p s3cret -n crt01 -t C,, install ca.crt
#ipa-certupdate 

Next, import both intermediate certificates from https://letsencrypt.org/certificates/ and update the certstore again.

#ipa-cacert-manage -p s3cret -n crt02 -t C,, install crt02.pem
#ipa-cacert-manage -p s3cret -n crt03 -t C,, install crt03.pem
#ipa-certupdate 

As the last step, import our Let's Encrypt certificate together with its key.

#ipa-server-certinstall -w /etc/pki/tls/certs/fullchain.pem /etc/pki/tls/private/privkey.pem

Restart the Apache service.

#systemctl restart httpd

And we can verify it by opening the page in a browser.

When the certificate expires, the renewal procedure is as follows. Generate a new public/private certificate pair.
Then install the new certificates

#ipa-server-certinstall -w /etc/pki/tls/certs/fullchain.pem /etc/pki/tls/private/privkey.pem

And reload Apache

#systemctl reload httpd

This completes the certificate update on the IPA server.
* I will add an Ansible script for auto renew in the near future.
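Below is an added example, not the post's own script: a small POSIX shell wrapper that automates the two renewal steps just described. It assumes the certificate paths used in the post; the RENEW_DAYS threshold, the DRY_RUN switch and the --run flag are additions of mine.

```shell
#!/bin/sh
# Added example, not from the original post: an auto-renew helper built from
# the post's two renewal steps (ipa-server-certinstall -w, then reload httpd).
# Paths are the ones the post uses; RENEW_DAYS and DRY_RUN are assumed extras.
set -eu

FULLCHAIN="${FULLCHAIN:-/etc/pki/tls/certs/fullchain.pem}"
PRIVKEY="${PRIVKEY:-/etc/pki/tls/private/privkey.pem}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # reinstall when fewer than this many days remain
DRY_RUN="${DRY_RUN:-0}"          # 1 = print the commands instead of running them

# needs_renewal CERT DAYS: returns 0 if CERT expires within DAYS days
# (or cannot be read), 1 if it stays valid beyond that window.
needs_renewal() {
    cert="$1"
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run CMD...: execute the command, or only echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# renew_ipa_http_cert FULLCHAIN PRIVKEY: the post's renewal steps, in order
renew_ipa_http_cert() {
    run ipa-server-certinstall -w "$1" "$2"
    run systemctl reload httpd
}

main() {
    if needs_renewal "$FULLCHAIN" "$RENEW_DAYS"; then
        echo "$FULLCHAIN expires within $RENEW_DAYS days, reinstalling"
        renew_ipa_http_cert "$FULLCHAIN" "$PRIVKEY"
    else
        echo "$FULLCHAIN is valid for more than $RENEW_DAYS days, nothing to do"
    fi
}
# Run only when invoked as: renew_ipa_cert.sh --run (e.g. from cron after certbot)
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root after the new fullchain.pem and privkey.pem have been written; with DRY_RUN=1 it only prints what it would do.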


Source: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP