#!/bin/bash
# Setup IPA server for QE
# TODO: setup replica server for redundancy
# https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#Setting_up_IPA_Replicas
# TODO: setup Windows AD cross-domain trust
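#######################################
# Parse the command-line options into the script's global settings.
# Globals:   RHN_USER, RHN_PASS, IPA_ADMIN_PASS, DIR_MANAGER_PASS,
#            DOMAIN, REALM, USER_PASS (written when the option is given)
# Arguments: the script's own "$@" -- the caller must pass them through
#            (parse_args "$@"); getopts only sees what this function receives
# Outputs:   error message on stderr when positional arguments are left over
# Returns:   0 on success; exits 1 on stray arguments; -h/-?/unknown option
#            hands over to usage()
# NOTE: values given with -p/-i/-m/-s are secrets; as argv they are visible
#       in `ps` output and shell history. initialize_variables keeps any
#       value already present in the environment, so exporting the secret
#       instead of passing the option is the safer route.
#######################################
parse_args() {
  local opt
  while getopts "u:p:i:m:d:r:s:h?" opt "$@"; do
    case "$opt" in
      u) RHN_USER=$OPTARG ;;
      p) RHN_PASS=$OPTARG ;;
      i) IPA_ADMIN_PASS=$OPTARG ;;
      m) DIR_MANAGER_PASS=$OPTARG ;;
      d) DOMAIN=$OPTARG ;;
      r) REALM=$OPTARG ;;
      s) USER_PASS=$OPTARG ;;
      # usage is not defined in the part of the script shown here; it must
      # exist elsewhere or this branch fails with "command not found".
      \?|h) usage ;;
      *) usage ;;
    esac
  done
  # Anything left after the options is an error. Kept as an array so that
  # arguments containing spaces are reported intact instead of re-split.
  local -a stray=("${@:$OPTIND}")
  if [ "${#stray[@]}" -gt 0 ]; then
    echo "ERROR: unknown argument(s): ${stray[*]}" >&2
    exit 1
  fi
  # Required -- reset option index so a later getopts loop starts from scratch
  unset OPTIND
}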
#######################################
# Initialize global variables used in this script.
# Every setting that parse_args may fill becomes a defined variable (empty
# when nothing was given) so later "${VAR}" expansions never hit an unset
# name. A value that is already set -- by parse_args or inherited from the
# environment -- is left untouched.
# Globals:   RHN_USER, RHN_PASS, IPA_ADMIN_PASS, DIR_MANAGER_PASS,
#            DOMAIN, REALM, USER_PASS (defined, never overwritten)
# Arguments: none
# Returns:   0
#######################################
initialize_variables() {
  local setting
  for setting in RHN_USER RHN_PASS IPA_ADMIN_PASS DIR_MANAGER_PASS DOMAIN REALM USER_PASS; do
    # ${!setting:-} reads the variable named by $setting, defaulting to ""
    printf -v "$setting" '%s' "${!setting:-}"
  done
}
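# Main flow: read settings, open the host up, install the packages, run the
# unattended IPA installer, then seed users and groups.
# The script's arguments must be handed to parse_args; a bare "parse_args"
# call gives getopts an empty argument list and silently ignores every option.
parse_args "$@"
initialize_variables

# Refuse to touch the system until every setting used below is present.
for required in RHN_USER RHN_PASS IPA_ADMIN_PASS DIR_MANAGER_PASS DOMAIN REALM USER_PASS; do
  if [ -z "${!required}" ]; then
    echo "ERROR: ${required} must be given (options -u -p -i -m -d -r -s) or exported" >&2
    exit 1
  fi
done

# Accounts and groups to create once the server is up.
USERS=( "admin" "admin-user1" "admin-user2" "admin-user3" "dev-user1" "dev-user2" "dev-user3" "owner-user1" "owner-user2" "owner-user3" "test-user1" "test-user2" "test-user3" )
# Named IPA_GROUPS on purpose: GROUPS is a bash special variable and
# assignments to it are ignored, so a GROUPS=( ... ) list would leave the
# group loop below iterating over the current user's numeric group IDs.
IPA_GROUPS=( "admin-group" "automation-users" "dev-group" "owner-group" "qe-users" "test-users" "user-group" )

# -i only works if can be resolved
#echo "$(hostname -i) $(hostname) ipaserver" >> /etc/hosts
# --all-ip... may return more than one address; they all land on this one line
echo "$(hostname --all-ip-addresses) $(hostname) ipaserver" >> /etc/hosts

# open ports: LDAP/LDAPS, HTTP/HTTPS, Kerberos (88) and kpasswd (464), DNS,
# 123 and 7389. Rules are appended without checking for duplicates, so
# re-running the script adds a second copy of each.
# NOTE: the 123/tcp rule is unlikely to matter -- NTP uses UDP, and the
#       installer below is run with --no-ntp anyway.
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -p tcp --dport 7389 -j ACCEPT
service iptables save

# turn off services
chkconfig nscd off && service nscd stop
chkconfig NetworkManager off; service NetworkManager stop

# subscribe to rhn for pkgs and updates
# NOTE: --password puts the RHN secret on the command line, i.e. into the
#       process list, for the duration of the call.
subscription-manager register --username "${RHN_USER}" --password "${RHN_PASS}" --force --autosubscribe
# update
yum update -y
# install -- nothing below makes sense without these packages
yum install -y ipa-server bind bind-dyndb-ldap || { echo "ERROR: yum install failed" >&2; exit 1; }

# /etc/krb5.conf edits:
# KDOMAIN is the realm lower-cased; it is only referenced by the
# commented-out sed and the FIXME block below.
KDOMAIN=$(printf '%s' "${REALM}" | tr '[:upper:]' '[:lower:]')
#sed -i 's/default_realm = EXAMPLE.COM//default_realm = ${KDOMAIN} /etc/krb5.conf
# FIXME: edit /etc/krb5.conf
#[realms]
# ${KDOMAIN} = {
# kdc = $(hostname):88
# admin_server = $(hostname):749
# default_domain = ${REALM}
# pkinit_anchors = FILE:/etc/ipa/ca.crt
#}

# unattended ipa setup with no ntp (not recommended on VM)
# NOTE: -a and -p expose the admin and Directory Manager passwords via
#       `ps` while the installer runs.
ipa-server-install -a "${IPA_ADMIN_PASS}" --hostname "$(hostname)" -n "${DOMAIN}" -p "${DIR_MANAGER_PASS}" -r "${REALM}" --setup-dns --no-ntp -U \
  || { echo "ERROR: ipa-server-install failed" >&2; exit 1; }
service sshd restart

###
# test kerberos
###
# get kerb ticket. default realm. password read from stdin. no output is success
printf '%s\n' "${IPA_ADMIN_PASS}" | kinit admin
# list ticket
klist
# test IdM config, should match one user
ipa user-find admin

###
# setup users and groups
###
# The loop variable is not called USER so the login name of the running
# shell is not clobbered for the child processes started here.
for ipa_user in "${USERS[@]}"; do
  # create users. password read from stdin by --password.
  # "admin" already exists at this point (see the user-find check above),
  # so its user-add will most likely be reported as a duplicate.
  # The e-mail argument is garbled on the page this script was taken from
  # ("[email protected]"); restore the real --email value before use.
  printf '%s\n' "${USER_PASS}" | ipa user-add "$ipa_user" --first=first_name --last="$ipa_user" "[email protected]" --homedir="/home/$ipa_user" --orgunit="QE" --password
done
for ipa_group in "${IPA_GROUPS[@]}"; do
  # create groups that are compatible with windows (nonposix)
  ipa group-add "$ipa_group" --desc="description" --nonposix
done

# Print the command output directly: echo `cmd` would word-split and
# glob-expand it, collapsing the table layout.
echo "IPA config:"
ipa config-show --all
echo "Users:"
ipa user-find
echo "Groups:"
ipa group-find

echo "IPA server setup complete."
echo "Users must be manually assigned to groups."
echo "WebUI: https://$(hostname)/ipa/ui"
# The admin password is deliberately not echoed: it would end up in
# terminal scrollback and in any log that captures this output.
echo "User: 'admin' ; Pass: (the value given with -i)"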