From Fedora Project Wiki


Revision as of 17:00, 5 March 2015

Description

Installation IPA server

Setup

  1. For testing purposes, a machine (or VM) with at least 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. Make sure /etc/hosts is sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
  3. If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serve different domains, for example ipa.example.org and ad.example.org.
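
A pre-flight check for step 2, added here as an example (it is not part of the original test case or of FreeIPA). The function name check_hosts_file and the sample files are assumptions made for illustration; it flags any 127.x.x.x or ::1 line that carries the server's FQDN or short name.

```shell
#!/bin/sh
# check_hosts_file FILE FQDN   (hypothetical helper, not a FreeIPA tool)
# Returns 0 when neither FQDN nor its short name appears on a loopback
# line (127.0.0.0/8 or ::1) of FILE; returns 1 and reports the offending
# lines on stderr otherwise.
check_hosts_file() {
    hosts_file=$1
    fqdn=$2
    short=${fqdn%%.*}                     # srv1.ipa.example.org -> srv1
    awk -v fqdn="$fqdn" -v short="$short" '
        {
            sub(/#.*/, "")                # ignore comments
            if (NF < 2) next              # blank line or address without names
            if ($1 !~ /^127\./ && $1 != "::1") next
            for (i = 2; i <= NF; i++) {
                name = tolower($i)        # host names are case-insensitive
                if (name == tolower(fqdn) || name == tolower(short)) {
                    printf "%s:%d: %s maps %s to loopback\n", FILENAME, FNR, $1, $i
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$hosts_file" >&2
}

# Constructed sample files (not from the page): one broken, one sane layout.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '127.0.0.1 localhost srv1.ipa.example.org srv1' \
                  '::1 localhost' > "$tmp/bad"
    printf '%s\n' '127.0.0.1 localhost' '::1 localhost' \
                  '192.168.0.1 srv1.ipa.example.org srv1' > "$tmp/good"
    for f in bad good; do
        if check_hosts_file "$tmp/$f" srv1.ipa.example.org; then
            echo "$f: OK"
        else
            echo "$f: hostname found on a localhost line"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On the real machine, run it as check_hosts_file /etc/hosts "$(hostname -f)" before starting ipa-server-install.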

How to test

Installation

First, install the FreeIPA server package:

# yum install freeipa-server

With DNS

We recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).

# yum install bind bind-dyndb-ldap
# ipa-server-install --setup-dns

Or with all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U

Substitute your existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.

Without DNS

For a fully-interactive install run:

# ipa-server-install

You can optionally provide all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org -U

Verify the basics

Ideally each of these installation steps will conclude with no errors and a running set of IPA services.

To briefly test the installation:

# kinit admin  # (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify DNS

Verify these only if you installed with a DNS server.

# dig srv1.ipa.example.org.

Look for a line like this in the output:

srv1.ipa.example.org.      86400   IN      A       192.168.0.1

# host srv1.ipa.example.org
srv1.ipa.example.org has address 192.168.0.1

# ipa dns-resolve srv1.ipa.example.org
---------------------------
Found 'srv1.ipa.example.org.'
---------------------------

# ipa host-show srv1.ipa.example.org
  Host name: srv1.ipa.example.org
  Principal name: host/srv1.ipa.example.org@IPA.EXAMPLE.ORG
  Keytab: True
  Managed by: srv1.ipa.example.org

Configure the Firewall

New Fedora 22 systems have FirewallD enabled by default. You may want to either open all ports required by the FreeIPA server or, for the test, disable the firewall and flush the iptables rules so that clients do not have issues connecting to the FreeIPA server:

# systemctl stop firewalld.service
# systemctl disable firewalld.service
# iptables -F

Expected Results

All the test steps should end with the specified results.