Differences

This shows the differences between two versions of the page.

content:serverbasics:docker-freeipa [2025/01/11 18:32] – [Caddyfile] Daniel
content:serverbasics:docker-freeipa [2025/02/19 10:46] (current) Daniel
Zeile 1: Zeile 1:
-====== FreeIPA ======+====== Docker: FreeIPA ======
  
-FreeIPA is a collection of Tools and a Web- GUI for managing an AD (Active Directory).+FreeIPA is a collection of Tools for managing an AD (Active Directory) and a nice Web- GUI to mange those.
  
 As docker Image, it delivers LDAP for central storing of Users/Groups, Hosts and Keys. The bind- DNS will serve Hostnames to IP- Adresses and the included MIT- Kerberos- Implementation will deliver SSO attached to the Users. As docker Image, it delivers LDAP for central storing of Users/Groups, Hosts and Keys. The bind- DNS will serve Hostnames to IP- Adresses and the included MIT- Kerberos- Implementation will deliver SSO attached to the Users.
  
 This chapter will describe, how to install FreeIPA in a rootless Docker- Environement, use letsencrypt Cretificates for SSL and TLS and how to setup central User- Management with it. This chapter will describe, how to install FreeIPA in a rootless Docker- Environement, use letsencrypt Cretificates for SSL and TLS and how to setup central User- Management with it.
- 
  
 ===== Prerequiusite ===== ===== Prerequiusite =====
  
-You will need a Docker- Host, that is rechable from the Internet with its fully qualifierd Domain- Name (FQDN) as described in the cahpters before. The given Ports must be reachable from the clients. +You will need a Docker- Host, that is rechable from the Internet with its fully qualifierd Domain- Name (FQDN) as described in the chapters before. The given Ports must be reachable from the clients.
  
 ===== Docker composer ===== ===== Docker composer =====
  
-FreeIPA will not use a Database - all needed informations are stored into the Docker Data- Volume.+FreeIPA will not use a Database - all needed informations are stored into the Docker Data- Volume. Some Services - like LDAP will setup their own DB in that Directory.
  
-Frst, create a Directory in your Docker-Compose directry that you chose before in [[http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls|http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls]]+First, create a Directory in your Docker-Compose directry that you chose before in [[http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls|http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls]]
  
 Then, create your ''docker-compose.yml'' like this: Then, create your ''docker-compose.yml'' like this:
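Review bot: the rewritten intro line still describes FreeIPA as "managing an AD (Active Directory)", which is inaccurate; FreeIPA is its own LDAP/Kerberos identity domain, not Active Directory (it can establish a trust with an AD forest), so "an identity domain comparable to Active Directory" would be the correct wording. The edit fixes "cahpters" and "Frst" but leaves "mange", "rechable", "qualifierd", "Prerequiusite", "Environement", "Cretificates", "Adresses", "directry" and "informations" (uncountable: "information") in the same hunk.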
Zeile 56: Zeile 54:
     command:     command:
       - -U       - -U
-      - --domain=clients.[FQDN_HOSTNAME]+      - --domain=clients.[DOMAINPART_OF_HOSTNAME]
 # Must match the last part of the Domain-Name and must be upper case and routed to the domain # Must match the last part of the Domain-Name and must be upper case and routed to the domain
-      - --realm=[DOMAINPART_OF_HOSTNAME]+      - --realm=[DOMAINPART_OF_HOSTNAME_UPPERCASE]
       - --http-pin=[NEWHTTPDPIN]       - --http-pin=[NEWHTTPDPIN]
       - --dirsrv-pin=[NEWDIRSRVPIN]       - --dirsrv-pin=[NEWDIRSRVPIN]
 +#Bind/DNS Setup - use own Server Open Port 53 for this
       - --setup-dns       - --setup-dns
 #      - --no-host-dns #      - --no-host-dns
 + - --setup-dns
 +# Save choice:
 + - --no-forwarders
 +# Will Forward unknow DNS- Queries to something else. May be a security- breach
 +# - --auto-forwarders
 +# - --forwarder=192.168.178.1
 #NTP - not needed, this is the server which time is taken from /etc/localtime see volumes #NTP - not needed, this is the server which time is taken from /etc/localtime see volumes
 #This server has also a chrony-daemon running here to sync time #This server has also a chrony-daemon running here to sync time
       - --no-ntp       - --no-ntp
 #      - --ntp-server=172.0.0.11 #      - --ntp-server=172.0.0.11
-      - --auto-forwarders 
-#      - --forwarder=192.168.178.1 
 #Error: Unable to determine the amount of available RAM #Error: Unable to determine the amount of available RAM
       - --skip-mem-check       - --skip-mem-check
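Review bot: `--setup-dns` is now passed twice, once by the existing entry at the top of the Bind/DNS block and once by the newly added line below `#      - --no-host-dns`; drop one of them. The added `- --setup-dns` and `- --no-forwarders` lines are also indented less than the surrounding `- --...` items, which in YAML puts them at a different nesting level and breaks the `command:` list; align them with the other entries. The forwarder comment could state the actual risk instead of "May be a security- breach": the Prerequisite section says this host is reachable from the Internet, so publishing port 53 with `--auto-forwarders` or `--forwarder=` enabled lets the container answer recursive queries for arbitrary names from any client, which is what makes `--no-forwarders` the safe default here. "unknow" should read "unknown".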
Zeile 102: Zeile 105:
  
 The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.:docker-caddy|]]. The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.:docker-caddy|]].
- 
  
 ===== Caddyfile ===== ===== Caddyfile =====
Zeile 125: Zeile 127:
 </file> </file>
  
-As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxies by Caddy, so there will be NO insecured Connections to the net. +As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxied by Caddy, so there will be NO insecured Connections to the net.
  
 ===== Encryption ===== ===== Encryption =====
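Review bot: "the verification is turned off first" should name the Caddyfile setting it refers to (presumably Caddy's `tls_insecure_skip_verify` transport option) so the reader can find it in the file above, and the claim that re-enabling it brings "no benefit" only holds while FreeIPA is reachable solely on the internal Docker network, because with verification off Caddy accepts whatever certificate the upstream presents; the sentence should state that condition. The edit fixes "proxies" but "insecured" should read "insecure".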
Zeile 172: Zeile 173:
  
 ''openssl storeutl -text -noout -certs ca.crt'' ''openssl storeutl -text -noout -certs ca.crt''
- 
- 
 ===== LDAP - Zentrales AD ===== ===== LDAP - Zentrales AD =====
  
  • content/serverbasics/docker-freeipa.1736620330.txt.gz
  • Last modified: 2025/01/11 18:32
  • by Daniel