Differences

This shows the differences between two versions of the page.

content:serverbasics:docker-freeipa [2024/09/08 19:42] – [Encryption] Daniel
content:serverbasics:docker-freeipa [2025/02/19 10:46] (current) Daniel
Line 1: Line 1:
-====== FreeIPA ======+====== Docker: FreeIPA ======
  
-FreeIPA is a collection of Tools and a Web- GUI for managing an AD (Active Directory). As docker Image, it delivers LDAP for central storing of Users, Hosts and Keys. The bindDNS will serve Hostnames to IP- Adresses and the Kerberos will deliver SSO attached to the Users.+FreeIPA is a collection of Tools for managing an AD (Active Directory) and a nice WebGUI to mange those.
  
-This chapter will describe, how to install FreeIPA in a rootless Docker- Environement, use letsencrypt Crtificates for SSL and TLS and how to setup central usermanagement with it.+As docker Image, it delivers LDAP for central storing of Users/Groups, Hosts and Keys. The bind- DNS will serve Hostnames to IP- Adresses and the included MIT- Kerberos- Implementation will deliver SSO attached to the Users. 
 + 
 +This chapter will describe, how to install FreeIPA in a rootless Docker- Environement, use letsencrypt Cretificates for SSL and TLS and how to setup central UserManagement with it.
  
 ===== Prerequiusite ===== ===== Prerequiusite =====
  
-You will need a Docker- Host, that is rechable from the Internet wil its fully qualifierd Domain- Name (FQDN) as described before. The given Ports must be reachable from the clients.+You will need a Docker- Host, that is rechable from the Internet with its fully qualifierd Domain- Name (FQDN) as described in the chapters before. The given Ports must be reachable from the clients.
  
 ===== Docker composer ===== ===== Docker composer =====
  
-FreeIPA will not use a Database - all needed informations are stored into the Docker Data- Volume.+FreeIPA will not use a Database - all needed informations are stored into the Docker Data- Volume. Some Services - like LDAP will setup their own DB in that Directory.
  
-Frst, create a Directory in your Docker-Compose directry that you chose before in [[http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls|http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls]]+First, create a Directory in your Docker-Compose directry that you chose before in [[http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls|http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls]]
  
-Then, create your ''docker-compsoe.yml'' like this:+Then, create your ''docker-compose.yml'' like this:
 <file> <file>
  
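Review bot: several spelling errors in the added lines should be fixed before this revision goes live: "mange" should read "manage", "Adresses" should read "Addresses", "Cretificates" should read "Certificates", "Environement" should read "Environment", "rechable" should read "reachable", "qualifierd" should read "qualified", "directry" should read "directory", and the unchanged heading "Prerequiusite" should read "Prerequisite". Also, the first added paragraph calls FreeIPA a tool "for managing an AD (Active Directory)", while the following paragraph correctly lists its own LDAP, BIND DNS and MIT Kerberos components; FreeIPA runs its own identity-management domain rather than an AD installation, so "an AD-like identity management domain" would be more accurate and would avoid readers expecting Windows AD behaviour.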
Line 52: Line 54:
     command:     command:
       - -U       - -U
-      - --domain=clients.[FQDN_HOSTNAME]+      - --domain=clients.[DOMAINPART_OF_HOSTNAME]
 # Must match the last part of the Domain-Name and must be upper case and routed to the domain # Must match the last part of the Domain-Name and must be upper case and routed to the domain
-      - --realm=[DOMAINPART_OF_HOSTNAME]+      - --realm=[DOMAINPART_OF_HOSTNAME_UPPERCASE]
       - --http-pin=[NEWHTTPDPIN]       - --http-pin=[NEWHTTPDPIN]
       - --dirsrv-pin=[NEWDIRSRVPIN]       - --dirsrv-pin=[NEWDIRSRVPIN]
 +#Bind/DNS Setup - use own Server Open Port 53 for this
       - --setup-dns       - --setup-dns
 #      - --no-host-dns #      - --no-host-dns
 + - --setup-dns
 +# Save choice:
 + - --no-forwarders
 +# Will Forward unknow DNS- Queries to something else. May be a security- breach
 +# - --auto-forwarders
 +# - --forwarder=192.168.178.1
 #NTP - not needed, this is the server which time is taken from /etc/localtime see volumes #NTP - not needed, this is the server which time is taken from /etc/localtime see volumes
 #This server has also a chrony-daemon running here to sync time #This server has also a chrony-daemon running here to sync time
       - --no-ntp       - --no-ntp
 #      - --ntp-server=172.0.0.11 #      - --ntp-server=172.0.0.11
-      - --auto-forwarders 
-#      - --forwarder=192.168.178.1 
 #Error: Unable to determine the amount of available RAM #Error: Unable to determine the amount of available RAM
       - --skip-mem-check       - --skip-mem-check
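Review bot: `--setup-dns` now appears twice in the command list (the existing line and the newly added one under the "Bind/DNS Setup" comment); drop one of them. The two new items `- --setup-dns` and `- --no-forwarders` are also indented with a single space instead of the six spaces used by the neighbouring items, which makes the YAML sequence inconsistent and will fail to parse. In the comments, "Save choice" should read "Safe choice" and "unknow" should read "unknown"; the remark that forwarders "may be a security-breach" should state the actual concern, namely that client DNS queries are sent to a third-party resolver, and the "Open Port 53" comment should say that the port only needs to be reachable by the clients that use this server for DNS.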
Line 97: Line 104:
 </file> </file>
  
-The caddy_data Volume contains the Certifictes for encryption.+The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.:docker-caddy|]].
  
 ===== Caddyfile ===== ===== Caddyfile =====
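Review bot: "Certifictes" should read "Certificates" in the changed sentence.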
Line 119: Line 126:
  
 </file> </file>
 +
 +As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxied by Caddy, so there will be NO insecured Connections to the net.
  
 ===== Encryption ===== ===== Encryption =====
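Review bot: the reasoning in the added paragraph does not hold. Disabling certificate verification between Caddy and FreeIPA does not weaken the client-facing TLS connection, but it leaves the internal hop that Caddy proxies open to anything else reachable on that Docker network, so once the self-signed certificate has been replaced by the Let's Encrypt certificate, verification should be re-enabled rather than dismissed as having no benefit. Also "insecured" should read "insecure".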
Line 164: Line 173:
  
 ''openssl storeutl -text -noout -certs ca.crt'' ''openssl storeutl -text -noout -certs ca.crt''
- 
- 
 ===== LDAP - Zentrales AD ===== ===== LDAP - Zentrales AD =====
  
  • content/serverbasics/docker-freeipa.1725824561.txt.gz
  • Last modified: 2024/09/08 19:42
  • by Daniel