Differences

This shows the differences between two versions of the page.

content:serverbasics:docker-freeipa [2024/09/07 11:15] Daniel
content:serverbasics:docker-freeipa [2025/02/19 10:46] (current) Daniel
Zeile 1: Zeile 1:
-====== FreeIPA ======+====== Docker: FreeIPA ====== 
 + 
 +FreeIPA is a collection of Tools for managing an AD (Active Directory) and a nice Web- GUI to mange those. 
 + 
 +As docker Image, it delivers LDAP for central storing of Users/Groups, Hosts and Keys. The bind- DNS will serve Hostnames to IP- Adresses and the included MIT- Kerberos- Implementation will deliver SSO attached to the Users. 
 + 
 +This chapter will describe, how to install FreeIPA in a rootless Docker- Environement, use letsencrypt Cretificates for SSL and TLS and how to setup central User- Management with it. 
 + 
 +===== Prerequiusite ===== 
 + 
 +You will need a Docker- Host, that is rechable from the Internet with its fully qualifierd Domain- Name (FQDN) as described in the chapters before. The given Ports must be reachable from the clients. 
 + 
 +===== Docker composer ===== 
 + 
 +FreeIPA will not use a Database - all needed informations are stored into the Docker Data- Volume. Some Services - like LDAP will setup their own DB in that Directory. 
 + 
 +First, create a Directory in your Docker-Compose directry that you chose before in [[http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls|http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls]] 
 + 
 +Then, create your ''docker-compose.yml'' like this: 
 +<file> 
 + 
 +services: 
 +  freeipa: 
 +    image: freeipa/freeipa-server:almalinux-9 
 +    restart: unless-stopped 
 +    hostname: [FQDN_HOSTNAME] 
 +#For dns setup: 
 +#    read_only: true 
 +    environment: 
 +      IPA_SERVER_HOSTNAME: [FQDN_HOSTNAME] 
 +      TZ: "Europe/Berlin" 
 +      PASSWORD: 'NEWPASSWORD' 
 +#      DEBUG_NO_EXIT:
 +    tty: true 
 +    stdin_open: true 
 +    cgroup: host 
 +    cap_add: 
 +      - NET_ADMIN 
 +    volumes: 
 +      - /etc/localtime:/etc/localtime:ro 
 +      - ipa_data:/data 
 +      - ipa_journal:/var/log/journal 
 +      - /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock 
 +      - /sys/fs/cgroup:/sys/fs/cgroup:rw 
 +      - caddy_data:/etc/letsencrypt:ro 
 +    tmpfs: 
 +      - /run 
 +      - /tmp 
 +    sysctls: 
 +      - net.ipv6.conf.all.disable_ipv6=0 
 +      - net.ipv6.conf.lo.disable_ipv6=0 
 +    security_opt: 
 +      - "seccomp:unconfined" 
 +    command: 
 +      - -U 
 +      - --domain=clients.[DOMAINPART_OF_HOSTNAME] 
 +# Must match the last part of the Domain-Name and must be upper case and routed to the domain 
 +      - --realm=[DOMAINPART_OF_HOSTNAME_UPPERCASE] 
 +      - --http-pin=[NEWHTTPDPIN] 
 +      - --dirsrv-pin=[NEWDIRSRVPIN] 
 +#Bind/DNS Setup - use own Server Open Port 53 for this 
 +      - --setup-dns 
 +#      - --no-host-dns 
 + - --setup-dns 
 +# Save choice: 
 + - --no-forwarders 
 +# Will Forward unknow DNS- Queries to something else. May be a security- breach 
 +# - --auto-forwarders 
 +# - --forwarder=192.168.178.1 
 +#NTP - not needed, this is the server which time is taken from /etc/localtime see volumes 
 +#This server has also a chrony-daemon running here to sync time 
 +      - --no-ntp 
 +#      - --ntp-server=172.0.0.11 
 +#Error: Unable to determine the amount of available RAM 
 +      - --skip-mem-check 
 +    ports: 
 +#HTTP(s): Will be proxiesd by Caddy 
 +#      - "8082:80" 
 +#      - "8443:443" 
 +#LDAP (needed) 
 +      - "389:389" 
 +#LDAPs (needed) 
 +      - "636:636" 
 +#Kerberos (needed) 
 +      - "88:88" 
 +      - "464:464" 
 +      - "88:88/udp" 
 +      - "464:464/udp" 
 +#DNS (needed) 
 +      - "53:53" 
 +      - "53:53/udp" 
 +#NTP - not needed, takes chronyd of the host 
 +#      - "123:123/udp" 
 +#Unknown: 
 +#      - "7389:7389" 
 +#      - "9443:9443" 
 +#      - "9444:9444" 
 +#      - "9445:9445" 
 +volumes: 
 + ipa_data: 
 + ipa_journal: 
 + caddy_data: 
 + 
 +</file> 
 + 
 +The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.:docker-caddy|]]. 
 + 
 +===== Caddyfile ===== 
 + 
 +Caddy wil be used for Proxy, so in your Caddyfile (see [[https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-caddy#caddy_configuration|https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-caddy#caddy_configuration]]) use this: 
 +<file> 
 + 
 +# FreeIPA 
 +http://[FQDN_HOSTNAME]:80 { 
 +        reverse_proxy serverpc-freeipa-1:80 
 +
 +https://[FQDN_HOSTNAME]:443 { 
 +        header Strict-Transport-Security max-age=31536000; 
 +        reverse_proxy https://serverpc-freeipa-1:443 { 
 +            transport http { 
 +                tls 
 +                tls_insecure_skip_verify 
 +            } 
 +        } 
 +
 + 
 +</file> 
 + 
 +As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxied by Caddy, so there will be NO insecured Connections to the net. 
 + 
 +===== Encryption ===== 
 + 
 +First thing you should do, is to secure the (LDAP)- ports with the certificate from letsenrcypt that Caddy uses. Without those matching certificates in place, Kerberos later won't accept the self signed- certificates that FreeIPA will create during install. 
 + 
 +Your Caddyfile should have mounted the Certificates from Caddy to /etc/letsencrypt. To use the Certificates, you need to split the files named *.crt into the included parts. 
 + 
 +The Parts will be: 1. Certificate for your FQDN 2. Certificate of the Issuer 
 + 
 +For setting up the Truststore, we will nee the Certificate of the Issuer in one file and than import it to the keystore of freeipa webserver and ldap-server. 
 + 
 +To do this, root-bash into your Container of running FreeIPA and do the following: 
 + 
 +<code> 
 +[root@ipa test]# DOMAIN="[FQDN_HOSTNAME]" 
 +[root@ipa test]# cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN} 
 +[root@ipa test]# csplit -f cert ${DOMAIN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}' 
 +[root@ipa test]# ipa-cacert-manage -p '[ipapassword]' -t C,, install cert-02 
 +[root@ipa test]# ipa-certupdate 
 +[root@ipa test]# ipa-server-certinstall -d -w /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}/${DOMAIN}.crt /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}/${DOMAIN}.key --pin='' -p '[ipapassword]' 
 +[root@ipa test]# ipactl restart 
 + 
 +</code> 
 + 
 +The first ipa-cacert-manage will install the intermediate- certificate of letsencrypt. 
 + 
 +You can check ift its the right one, by using ''openssl x509 -in cert-02 -text -noout'' and check if the subject is like 
 + 
 +''Subject: C = US, O = Let's Encrypt, CN = E6'' 
 + 
 +If the Subject contains you FQDN , its the wrong certificate. 
 + 
 +When ipa-server-certinstall has been sucessfully run, your server should use those Certificates for Kerberos, LDAP and your Webservice. 
 + 
 +Test if your Certificates for LDAP and Web do match: 
 + 
 +openssl s_client -connect [FQDN_HOSTNAME]:636 -showcerts </dev/null 
 + 
 +should be the same as: 
 + 
 +openssl s_client -connect [FQDN_HOSTNAME]:443 -showcerts </dev/null 
 + 
 +If not, check the above Certificates and loctaions to be from letsencrpt wih openssl. Mind that "openssl x509" will only accept the first Certificate in a file. You can use "openssl certstore" to ceck everything in the file, e.g.: 
 + 
 +''openssl storeutl -text -noout -certs ca.crt'' 
 +===== LDAP - Zentrales AD ===== 
 + 
 +Coming soon… 
  
-comig soon.... 
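Review bot: the volume line `- /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock` in the compose file mounts the rootless Docker control socket into the FreeIPA container, yet nothing in the compose file or in the later certificate steps uses it; a compromise of any service this container exposes to clients (LDAP on 389/636, Kerberos on 88/464, DNS on 53) would then yield control of the whole Docker daemon, including the Caddy container and the `caddy_data` volume that holds the Let's Encrypt private keys, so drop that line. `seccomp:unconfined` and the read-write `/sys/fs/cgroup` mount widen the same escape surface; if the image really needs them, state the reason in a comment next to them, otherwise remove them too. The file as written will also not load: ` - --setup-dns` and ` - --no-forwarders` are indented with one space instead of six, so they fall outside the `command:` list and break the YAML, and the first of them duplicates the `- --setup-dns` already present a few lines above. As rendered here, both site blocks in the Caddyfile lack their closing `}`, and once ipa-server-certinstall has put the Let's Encrypt certificate on the HTTP service the `tls_insecure_skip_verify` line should go rather than stay, since the Caddy-to-FreeIPA hop still crosses the Docker network and verifying it is not without benefit as the text claims. In the certificate section, `csplit -f cert` writes cert00 (the empty part before the first match, unless `-z` is given), cert01 (the server certificate) and cert02 (the issuer), so `ipa-cacert-manage ... install cert-02` and the later `openssl x509 -in cert-02` refer to a file that does not exist; use cert02 in both places. `openssl certstore` is not an OpenSSL subcommand; the `openssl storeutl` invocation shown right after it is the one to keep. Finally, passing `-p '[ipapassword]'` to ipa-cacert-manage and ipa-server-certinstall puts the Directory Manager password into the shell history and the process list; omit `-p` and let both tools prompt for it, and for the same reason keep `PASSWORD: 'NEWPASSWORD'` out of the compose file itself (an `env_file` or a secret instead of an inline literal).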
 • content/serverbasics/docker-freeipa.1725707731.txt.gz
 • Last modified: 2024/09/07 11:15
 • by Daniel