Setup FreeIPA client on Ubuntu

Jan 19, 2022 · 2 min read · freeipa ldap ·

Share on:

開發者有需求要連線至 server via ssh, 一般情況下需要在 server 中建立帳號並配置金鑰. 但目前公司的人員管理政策是使用 FreeIPA 做管理, 所以不想要另外在 server 建立帳號, 造成管理複雜.

所以這採用的解決方案是使用 freeipa-client 套件, 讓主機跟 FreeIPA 做人員權限認證.

Install FreeIPA client package

server OS is Ubuntu 20.04.

在開始前, 先更新主機套件, 讓軟體升級到最新.

1root@edge:/root# apt-get update
2root@edge:/root# apt-get upgrade

確認防火牆是否有開通, 規則如下.

1Please make sure the following ports are opened in the firewall settings:
2TCP: 80, 88, 389
3UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
4Also note that following ports are necessary for ipa-client working
5properly after enrollment:
6TCP: 464
7UDP: 464, 123 (if NTP enabled)

安裝 & 配置 freeipa-client 套件.

 1root@edge:/root# apt-get install -y freeipa-client
 2
 3root@edge:/root# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ldap.example.com --domain example.com --realm EXAMPLE.COM
 4WARNING: conflicting time&date synchronization service 'ntp' will be disabled
 5in favor of chronyd
 6
 7Autodiscovery of servers for failover cannot work with this configuration.
 8If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
 9Proceed with fixed values and no DNS discovery? [no]: yes
10Client hostname: edge.example.com
11Realm: EXAMPLE.COM
12DNS Domain: example.com
13IPA Server: ldap.example.com
14BaseDN: dc=example,dc=com
15
16Continue to configure the system with these values? [no]: yes
17Synchronizing time
18No SRV records of NTP servers found and no NTP server or pool address was provided.
19Using default chrony configuration.
20Attempting to sync time with chronyc.
21Time synchronization was successful.
22User authorized to enroll computers: admin
23Password for admin@EXAMPLE.COM:
24・・・
25The ipa-client-install command was successful