Setting up RHEL IdM with integrated DNS on AWS

IdM recommends having a physical server on premises. There are a few topology recommendations in the IdM docs [1].

On the AWS web console, spin up a RHEL instance with the following configuration:

  • I created this setup on an m4.xlarge instance for our requirement. The minimum is a t2.large, which meets the minimum requirement of 2 vCPU and 8 GiB RAM [2]
  • Attach at least a 12 GB root volume [2]

On the AWS web console, configure the security groups to allow the ports required by IdM. IdM needs

  • HTTP/HTTPS – 80, 443 – TCP
  • LDAP/LDAPS – 389, 636 – TCP
  • Kerberos – 88, 464 – Both TCP and UDP
  • DNS – 53 – Both TCP and UDP
  • NTP – 123 – UDP

to be opened.

We need to allow inbound traffic on the above ports; outbound can be all traffic. You may ignore the warnings about ports 80 and 389:

Do not be concerned that IdM uses ports 80 and 389.
Port 80 (HTTP) is used to provide Online Certificate Status Protocol (OCSP) responses and Certificate Revocation Lists (CRL). Both are digitally signed and therefore secured against man-in-the-middle attacks.
Port 389 (LDAP) uses STARTTLS and GSSAPI for encryption. [2]
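As an added example (not part of the original post), the same port set expressed as an AWS CLI ingress rule list, so the security group can be built from a script instead of the console. SG_ID and the CIDR argument are placeholders; the CIDR should be the VPC or client network that must reach IdM rather than 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not from the original post: build the IpPermissions JSON for
# the IdM ports above so the security group rules can be applied with one
# aws CLI call. Assumptions: aws CLI installed; SG_ID and the CIDR argument are
# placeholders for your security group and the network allowed to reach IdM.

# Port table from the post ("port protocol"); 88/464/53 need both TCP and UDP.
IDM_PORTS='80 tcp
443 tcp
389 tcp
636 tcp
88 tcp
88 udp
464 tcp
464 udp
53 tcp
53 udp
123 udp'

# idm_rule_count: number of ingress rules the table expands to.
idm_rule_count() {
    printf '%s\n' "$IDM_PORTS" | wc -l | tr -d ' '
}

# idm_ip_permissions CIDR: print a JSON array for --ip-permissions, one
# entry per port/protocol, every rule restricted to CIDR.
idm_ip_permissions() {
    cidr=$1
    printf '['
    printf '%s\n' "$IDM_PORTS" | awk -v cidr="$cidr" '
        NR > 1 { printf "," }
        { printf "{\"IpProtocol\":\"%s\",\"FromPort\":%d,\"ToPort\":%d,\"IpRanges\":[{\"CidrIp\":\"%s\"}]}", $2, $1, $1, cidr }'
    printf ']\n'
}

# Apply the rules only when SG_ID is set (placeholder, e.g. SG_ID=sg-0123abcd);
# SRC_CIDR defaults to a constructed VPC range.
if [ -n "$SG_ID" ]; then
    aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
        --ip-permissions "$(idm_ip_permissions "${SRC_CIDR:-10.0.0.0/16}")"
fi
```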

Spin up the server and connect to it.

On the instance,

Install bind-utils

yum install -y bind-utils

Set up the hostname, hosts entries, and hostname network configuration. The hostname must be a Fully Qualified Domain Name (FQDN).

#configure the server host name
export HOSTNAME="ipa.yourdomain.net"
sudo hostnamectl set-hostname "$HOSTNAME" --static
sudo hostname "$HOSTNAME"

#configure the HOSTNAME in the network file (same FQDN as above)
echo "HOSTNAME=$HOSTNAME" | sudo tee -a /etc/sysconfig/network

#ipa.yourdomain.net needs to be resolved to your private ip
#replace <private-ip> with the instance's private IP address
echo "<private-ip> ipa.yourdomain.net ipa" | sudo tee -a /etc/hosts

Install dnsmasq [3] for local DNS caching:

yum install -y dnsmasq

Back up the default /etc/dnsmasq.conf and create a new one:

# move the existing dnsmasq file to backup
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

# create a new configuration
vi /etc/dnsmasq.conf

/etc/dnsmasq.conf will look as follows:

# server configurations
listen-address=127.0.0.1
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid

# Name resolution options
resolv-file=/etc/resolv.dnsmasq
cache-size=500
neg-ttl=60

Add a new /etc/resolv.dnsmasq and configure the AWS nameserver in it. Normally this can be found in /etc/resolv.conf.

nameserver 192.168.16.234

Start the dnsmasq service and enable it at startup:

#starting the service
service dnsmasq start
#set the service to startup
chkconfig dnsmasq on

We will be using the AWS Route 53 DNS service as the forwarder. For that it needs to support Extension Mechanisms for DNS (EDNS0) and DNSSEC; check this with dig against the VPC resolver:

dig +dnssec @172.31.0.2 . SOA
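To turn that dig call into a pass/fail check, here is an added example (not from the original post) that reads dig output and succeeds only when the answer carries the DNSSEC 'ad' flag and an EDNS version 0 pseudosection; the two sample outputs are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a forwarder answers
# with DNSSEC validation and EDNS0, which the post requires of the Route 53
# forwarder. dig_supports_dnssec reads dig output on stdin and returns 0 only
# when the 'ad' (authenticated data) flag is set and EDNS version 0 is present.
dig_supports_dnssec() {
    out=$(cat)
    # ';; flags: qr rd ra ad;' -> the resolver validated the answer
    printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' || return 1
    # '; EDNS: version: 0, flags: do;' -> EDNS0 is in use
    printf '%s\n' "$out" | grep -q '^; EDNS: version: 0' || return 2
}

# Live check against the VPC resolver from the post (172.31.0.2):
#   dig +dnssec @172.31.0.2 . SOA | dig_supports_dnssec && echo "forwarder OK"

# Constructed sample outputs for offline use (not captured from a real resolver).
DIG_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.			IN	SOA'

DIG_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;.			IN	SOA'

if printf '%s\n' "$DIG_VALIDATED" | dig_supports_dnssec; then
    echo "sample 1: forwarder supports DNSSEC and EDNS0"
fi
```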

Installing the IdM

Update yum:

yum -y update

List the IdM modules:

yum module list idm

Sample output:

[root@ip-192-168-16-6 ec2-user]# yum module list idm
Last metadata expiration check: 1:19:30 ago on Fri 21 Jun 2019 15:09:15 UTC.
Red Hat Enterprise Linux 8 for x86_64 - AppStream from RHUI (RPMs)
Name  Stream      Profiles                                      Summary
idm   DL1 [e]     common [d] [i], adtrust, client, dns, server  The Red Hat Enterprise Linux Identity Management system module
idm   client [d]  common [d]                                    RHEL IdM long term support client module

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

Install the IdM module:

yum -y install @idm:DL1
yum -y install ipa-server ipa-server-dns

Set up the IPA server using ipa-server-install with the --setup-dns option:

ipa-server-install --setup-dns

When prompted for the host name, provide the hostname or press Enter to keep the default value that we configured in the previous step:

Server host name [ipa.yourdomain.net]: ipa.yourdomain.net
Please confirm the domain name [yourdomain.net]: yourdomain.net
Please provide a realm name [YOURDOMAIN.NET]: YOURDOMAIN.NET

After configuring the realm, provide the Directory Manager password and the IPA admin password:

Directory Manager password:
Password (confirm):

IPA admin password:
Password (confirm):

After the passwords are set, the setup process will prompt for the DNS forwarder configuration; answer yes to configure the forwarder:

Do you want to configure DNS forwarders? [yes]: yes

It will pick the nameserver from /etc/resolv.conf:

Following DNS servers are configured in /etc/resolv.conf: 192.168.16.234

Verify the configurations and proceed when prompted.

The IPA Master Server will be configured with:
Hostname: ipa.yourdomain.net
IP address(es): 192.162.18.14
Domain name: yourdomain.net
Realm name: YOURDOMAIN.NET
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=YOURDOMAIN.NET
Subject base: O=YOURDOMAIN.NET
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.16.234
Forward policy: only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

Setup will carry out its configuration for a few minutes. Successful output will look like the following:

============================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

If you don't have DNS created, make sure you have added the instance's public IP to your local hosts file in order to access the IdM web UI:

#Your local machine host entry for Web UI access
#replace <public-ip> with the instance's public IP address
echo "<public-ip> ipa.yourdomain.net" | sudo tee -a /etc/hosts

References:

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/replica-considerations#replica-topology-recommendations

[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#server-prereqs

[3] https://aws.amazon.com/premiumsupport/knowledge-center/dns-resolution-failures-ec2-linux/
