
FreeIPA in AWS EC2

Huahai, Thu, 12/07/2017 - 23:34

FreeIPA is the open source version of Red Hat's identity management solution. It nicely integrates several open source services that are important for managing an intranet: 389 Directory Server, MIT Kerberos, NTP, DNS, SSSD and others.

Most of my servers are virtual machines in AWS EC2. To manage such a cloud-based intranet, some additional configuration is necessary. Here's how I got it to work.

DNS

The main problem is that every machine in EC2 has at least two kinds of IP addresses: one that is internal to the VPC only (e.g. the default VPC uses IPs starting with 172.31.*.*), and a public IP address that is different from the internal one. A default install of FreeIPA server and clients in EC2 will not work because of these dual IP addresses.

First, configure each host's /etc/hosts and /etc/hostname so they point to the fully qualified DNS name of the host. Now we are ready to add these hosts to the DNS servers.

Route53

The solution is to bypass FreeIPA's own DNS service and use the AWS Route53 DNS service instead. We need to set up three hosted zones for the network: one for the external IPs, one for the internal IPs, and finally one for reverse lookup.

For the internal and external hosted zones, in addition to the A records that map DNS names to IPs, we also need to add the TXT and SRV records that allow FreeIPA clients to auto-discover services. E.g. for the external zone:

Name                                 Type  Value                       TTL
_kerberos.example.com.               TXT   "EXAMPLE.COM"               300
_kerberos-master._tcp.example.com.   SRV   0 100 88 ipa.example.com.   300
_kerberos._tcp.example.com.          SRV   0 100 88 ipa.example.com.   300
_kpasswd._tcp.example.com.           SRV   0 100 464 ipa.example.com.  300
_ldap._tcp.example.com.              SRV   0 100 389 ipa.example.com.  300
_kerberos-master._udp.example.com.   SRV   0 100 88 ipa.example.com.   300
_kerberos._udp.example.com.          SRV   0 100 88 ipa.example.com.   300
_kpasswd._udp.example.com.           SRV   0 100 464 ipa.example.com.  300
_ntp._udp.example.com.               SRV   0 100 123 ipa.example.com.  300
ipa.example.com.                     A     99.99.99.99                 300

Here we will install the FreeIPA server on a machine with external IP 99.99.99.99, and the DNS name of the server is ipa.example.com.

Similar records need to be added to the internal zone as well; just use the internal IP addresses there.

Finally, the private reverse lookup zone, named 31.172.in-addr.arpa., has records like these:

Name                          Type  Value            TTL
88.123.31.172.in-addr.arpa.   PTR   ipa.example.com  300

Here 172.31.123.88 is the internal IP address of the FreeIPA server.

We need to do this for all servers managed by FreeIPA. It's a bit of work even if there are not many machines. For a large deployment, one may want to investigate an automated solution using the AWS APIs.
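As an added example (not code from the original post), the following Python builds the Route53 change batches for the record sets listed above: the TXT realm record, the eight SRV discovery records and the A record for one hosted zone, plus the PTR record for the private reverse zone. The builders are pure Python so they can be checked without AWS access; only submit_batch needs boto3 and credentials. The zone ids, and the freeipa_change_batch / reverse_ptr_change / submit_batch helper names, are assumptions made for this example; the hostnames and IPs are the placeholders from the post.

```python
"""Generate Route53 UPSERT batches for FreeIPA service discovery.

Added example, not from the original post.  Zone ids below are
placeholders; the record layout mirrors the table in the post.
"""

from typing import Dict, List

# Discovery records FreeIPA clients look up: (name prefix, port).
# Kerberos and kpasswd are published for both TCP and UDP; LDAP is
# TCP only and NTP is UDP only, exactly as in the table above.
SRV_SERVICES = [
    ("_kerberos-master._tcp", 88),
    ("_kerberos._tcp", 88),
    ("_kpasswd._tcp", 464),
    ("_ldap._tcp", 389),
    ("_kerberos-master._udp", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._udp", 464),
    ("_ntp._udp", 123),
]


def _rrset(name: str, rtype: str, values: List[str], ttl: int) -> Dict:
    """One UPSERT change in the shape change_resource_record_sets expects."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": rtype,
            "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values],
        },
    }


def freeipa_change_batch(domain: str, realm: str, server_fqdn: str,
                         server_ip: str, ttl: int = 300) -> Dict:
    """ChangeBatch for one forward zone (internal or external).

    The caller passes the IP that belongs to that zone: the public IP
    for the public hosted zone, the VPC IP for the private one.
    """
    domain = domain.rstrip(".") + "."          # Route53 names are absolute
    server_fqdn = server_fqdn.rstrip(".") + "."
    changes = [
        # TXT record carrying the Kerberos realm; Route53 wants it quoted.
        _rrset(f"_kerberos.{domain}", "TXT", [f'"{realm}"'], ttl),
    ]
    for prefix, port in SRV_SERVICES:
        # SRV value is: priority weight port target
        changes.append(_rrset(f"{prefix}.{domain}", "SRV",
                              [f"0 100 {port} {server_fqdn}"], ttl))
    changes.append(_rrset(server_fqdn, "A", [server_ip], ttl))
    return {"Comment": "FreeIPA discovery records", "Changes": changes}


def reverse_ptr_change(internal_ip: str, server_fqdn: str,
                       ttl: int = 300) -> Dict:
    """ChangeBatch with the PTR record for the private reverse zone."""
    octets = internal_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {internal_ip}")
    ptr_name = ".".join(reversed(octets)) + ".in-addr.arpa."
    target = server_fqdn.rstrip(".") + "."
    return {"Comment": "FreeIPA reverse record",
            "Changes": [_rrset(ptr_name, "PTR", [target], ttl)]}


def submit_batch(zone_id: str, batch: Dict) -> None:
    """Push a batch to Route53; needs boto3 and route53 write permissions."""
    import boto3  # imported here so the builders work without boto3 installed
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=batch)


if __name__ == "__main__":
    # Placeholder zone ids; replace with the ids of your three hosted zones.
    external = freeipa_change_batch("example.com", "EXAMPLE.COM",
                                    "ipa.example.com", "99.99.99.99")
    internal = freeipa_change_batch("example.com", "EXAMPLE.COM",
                                    "ipa.example.com", "172.31.123.88")
    ptr = reverse_ptr_change("172.31.123.88", "ipa.example.com")
    for zone_id, batch in [("ZEXTERNALZONEID", external),
                           ("ZINTERNALZONEID", internal),
                           ("ZREVERSEZONEID", ptr)]:
        print(zone_id, len(batch["Changes"]), "changes")
        # submit_batch(zone_id, batch)  # uncomment once zone ids are real
```

Each forward zone gets exactly ten records per IPA server, so for a fleet the same builder is called once per host with its public and private addresses. Route53 applies a ChangeBatch atomically, which keeps the SRV records and the A record they point at from going out of sync while clients are doing discovery.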

Test DNS

On a machine outside the VPC,

dig +short ipa.example.com

should return the external IP of the machine.

Doing the same on a machine inside the VPC should return the internal IP of the machine. Finally, test reverse lookup on an internal machine:

dig +short -x 172.31.123.88

should return the DNS name of the machine.

FreeIPA Server Install

I normally use Debian servers, but there's no stable FreeIPA server package available in Debian, so I installed Fedora, which supports FreeIPA natively.

Use a small EC2 instance that is dedicated to running the FreeIPA server.

# yum install freeipa-server
# ipa-server-install

and answer "no" when the installer asks whether to configure DNS, since Route53 is handling it.

FreeIPA Client

Since most of my machines are Debian, I had to install the Debian FreeIPA client. The Ubuntu Xenial universe repo has a version of the FreeIPA client that is compatible with Debian Stretch, so I installed that.

However, the /etc/sssd/sssd.conf that the installer generates is broken: nss, pam, and ssh need to be added to the services line in the [sssd] section. Otherwise, the client cannot be connected to.

With that, everything worked as expected.
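The sssd.conf fix above is the kind of thing worth scripting when many clients are enrolled. The following is an added example, not code from the post or from FreeIPA: it parses an sssd.conf, makes sure nss, pam and ssh appear in the [sssd] services line without dropping whatever the installer did put there, and writes the file back with the 0600 permissions SSSD requires. The sample config is constructed for the example and fix_sssd_services / fix_sssd_file are hypothetical helper names.

```python
"""Ensure [sssd] services lists nss, pam and ssh.

Added example, not part of the original post.  BROKEN_CONF is a
constructed stand-in for the installer output described in the post.
"""

import configparser
import io
import os

REQUIRED_SERVICES = ("nss", "pam", "ssh")

# Constructed sample: a client config whose services line is empty.
BROKEN_CONF = """\
[domain/example.com]
cache_credentials = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
id_provider = ipa
auth_provider = ipa

[sssd]
services =
domains = example.com
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # sssd option names are case-sensitive; keep them
    parser.read_string(conf_text)
    return parser


def sssd_services(conf_text: str) -> list:
    """Return the services listed in [sssd], in file order."""
    parser = _parse(conf_text)
    raw = parser.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def fix_sssd_services(conf_text: str) -> str:
    """Return conf_text with nss, pam and ssh present in [sssd] services.

    Existing entries (e.g. sudo) are kept in place; missing required ones
    are appended, so running this twice changes nothing the second time.
    """
    parser = _parse(conf_text)
    if not parser.has_section("sssd"):
        parser.add_section("sssd")
    current = sssd_services(conf_text)
    for svc in REQUIRED_SERVICES:
        if svc not in current:
            current.append(svc)
    parser.set("sssd", "services", ", ".join(current))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def fix_sssd_file(path: str = "/etc/sssd/sssd.conf") -> bool:
    """Rewrite the file in place; returns True if anything changed.

    SSSD refuses to start unless the file is root-owned and mode 0600,
    so the permissions are reset after writing.
    """
    with open(path) as fh:
        original = fh.read()
    fixed = fix_sssd_services(original)
    if fixed == original:
        return False
    with open(path, "w") as fh:
        fh.write(fixed)
    os.chmod(path, 0o600)
    return True


if __name__ == "__main__":
    print(fix_sssd_services(BROKEN_CONF))
```

One caveat on the design: configparser discards comments when it writes the file back, so on a real host run fix_sssd_services on the file contents and diff the result before letting fix_sssd_file overwrite /etc/sssd/sssd.conf, then restart sssd for the change to take effect.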




This post first appeared on Yyhh.org (Yunyao And Huahai's Tidbits Of Common).
