Различия

Показаны различия между двумя версиями страницы.

--- service:freeipa [22.08.2024 08:12] – [Установка] viacheslav
+++ service:freeipa [22.08.2024 14:33] (текущий) – удалено viacheslav
@@ Строка 1: / Строка 1: @@
-====== FreeIPA ======
-https://github.com/freeipa/freeipa-container/blob/master/README\\
-https://github.com/freeipa/freeipa-container#running-freeipa-server-container\\
-https://hub.docker.com/r/freeipa/freeipa-server/\\
-https://www.altlinux.org/FreeIPA/%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D0%B0_FreeIPA\\
-https://docs.altlinux.org/ru-RU/domain/10.2/html/freeipa/ch01s08.html\\
-https://freeipa.readthedocs.io/en/latest/workshop/1-server-install.html
-===== Установка =====
-Docker run
-<code bash>
-docker run --name freeipa-server -ti \
--h ipa.workgroup.test --read-only \
---cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
---sysctl net.ipv6.conf.all.disable_ipv6=0 \
--v ~/volumes/freeipa/data:/data freeipa/freeipa-server:rocky-9 ipa-server-install --skip-mem-check
-</code>
-Docker compose (cgroups2, без DNS)
-<code yaml>
----
-services:
-  freeipa:
-    image: freeipa/freeipa-server:rocky-9
-    container_name: freeipa-server
-    restart: unless-stopped
-    ports:
-      - 123:123/udp
-      - 389:389
-      - 443:443
-      - 464:464
-      - 464:464/udp
-      - 636:636
-      - 80:80
-      - 88:88
-      - 88:88/udp
-    tty: true
-    stdin_open: true
-    cgroup: host
-    environment:
-      IPA_SERVER_HOSTNAME: ipa.workgroup.test
-      IPA_SERVER_INSTALL_OPTS: "-n workgroup.test -r WORKGROUP.TEST --skip-mem-check -U"
-      PASSWORD: "123456Qwerty"
-      TZ: "Europe/Moscow"
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-      - ~/volumes/freeipa/data:/data
-    sysctls:
-      - net.ipv6.conf.all.disable_ipv6=0
-</code>
-Останов и чистка данных в случае неудачной установки
-<code bash>
-docker rm -f freeipa-server
-sudo rm -rf ~/volumes/freeipa/data/*
-</code>
-Результат установки
-<code>
-he IPA Master Server will be configured with:
-Hostname:       ipa.workgroup.test
-IP address(es): 172.17.0.2
-Domain name:    workgroup.test
-Realm name:     WORKGROUP.TEST
-The CA will be configured with:
-Subject DN:   CN=Certificate Authority,O=WORKGROUP.TEST
-Subject base: O=WORKGROUP.TEST
-Chaining:     self-signed
-. You must make sure these network ports are open:
-        TCP Ports:
-          * 80, 443: HTTP/HTTPS
-          * 389, 636: LDAP/LDAPS
-          * 88, 464: kerberos
-        UDP Ports:
-          * 88, 464: kerberos
-          * 123: ntp
-. You can now obtain a kerberos ticket using the command: 'kinit admin'
-   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
-   and the web user interface.
-. Kerberos requires time synchronization between clients
-   and servers for correct operation. You should consider enabling chronyd.
-Be sure to back up the CA certificates stored in /root/cacert.p12
-These files are required to create replicas. The password for these
-files is the Directory Manager password
-The ipa-server-install command was successful
-</code>
-===== Ошибки =====
-==== Configuring certificate server (pki-tomcatd) ====
-При первоначальной установке
-<code>
-Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
-  [1/30]: configuring certificate server instance
-Failed to configure CA instance
-See the installation logs and the following files/directories for more information:
-  /var/log/pki/pki-tomcat
-  [error] RuntimeError: CA configuration failed.
-CA configuration failed.
-</code>
-Надо прописывать правильный hostname в команде запуска.