FreeIPA (IPA)

The FreeIPA (IPA) tool is a powerful identity and access management system. It allows administrators to manage hosts, users, services, and policies through commands. Below are detailed descriptions of key IPA subcommands related to hosts, hostgroups, services, and keytabs:

---

1. Host Subcommands

Managing hosts (servers or systems) is crucial in the FreeIPA domain, where each host can be enrolled and managed securely.

• Add a Host:

  ipa host-add <hostname> [options]

  Adds a new host to the FreeIPA domain.

  Example:

  ipa host-add server1.example.com

• List Hosts:

  ipa host-find

  Lists all enrolled hosts in the domain.

• Show Host Information:

  ipa host-show <hostname>

  Displays detailed information about a specific host.

• Modify a Host:

  ipa host-mod <hostname> [options]

  Updates attributes of an existing host (e.g., description).

• Remove a Host:

  ipa host-del <hostname>

  Deletes a host from the FreeIPA domain.

• Disable/Enable a Host:

  • Disable: Temporarily deactivates the host.

    ipa host-disable <hostname>

  • Enable: Re-enables the disabled host.

    ipa host-enable <hostname>

---

2. Hostgroup Subcommands

Hostgroups allow administrators to group multiple hosts for easier management of access and policies.

• Add a Hostgroup:

  ipa hostgroup-add <hostgroup_name> --desc="Description"

  Creates a new hostgroup.

  Example:

  ipa hostgroup-add WebServers --desc="Web Servers"

• Find Hostgroups:

  ipa hostgroup-find

  Lists all hostgroups.

• Show Hostgroup Details:

  ipa hostgroup-show <hostgroup_name>

  Displays detailed information about a hostgroup.

• Add Hosts to a Hostgroup:

  ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>

  Adds hosts to a hostgroup.

• Remove Hosts from a Hostgroup:

  ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>

  Removes hosts from a hostgroup.

• Delete a Hostgroup:

  ipa hostgroup-del <hostgroup_name>

  Deletes a hostgroup from the domain.

---

3. Service Subcommands

FreeIPA provides services management to handle application services (e.g., HTTP, LDAP) securely using Kerberos for authentication.

• Add a Service:

  ipa service-add <service/hostname>

  Registers a new service in FreeIPA for Kerberos authentication.

  Example:

  ipa service-add HTTP/server1.example.com

• Find Services:

  ipa service-find

  Lists all registered services.

• Show Service Details:

  ipa service-show <service/hostname>

  Displays details for a specific service.

• Delete a Service:

  ipa service-del <service/hostname>

  Deletes a service from the domain.

• Enable/Disable a Service:

  • Enable:

    ipa service-enable <service/hostname>

  • Disable:

    ipa service-disable <service/hostname>

---

4. Getkeytab Subcommands

Keytab files are used for storing credentials securely, particularly for Kerberos authentication. The ipa-getkeytab tool helps manage these credentials.

• Obtain a Keytab for a Host:

  ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab

  Retrieves the keytab for a specified host.

  Example:

  ipa-getkeytab -s ipa.example.com -p host/server1.example.com -k /etc/krb5.keytab

• Obtain a Keytab for a Service:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab

  Retrieves the keytab for a specific service.

• Force a New Keytab:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f

  Forces a new keytab, overwriting any existing one.

• Remove a Keytab:

  ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>

  Deletes a keytab for a service, revoking its credentials.

---

Example Scenario: Enrolling and Securing a Host with a Service

1. Add a Host:

   ipa host-add server1.example.com

2. Create a Hostgroup:

   ipa hostgroup-add WebServers --desc="Group of web servers"
   ipa hostgroup-add-member WebServers --hosts=server1.example.com

3. Add an HTTP Service:

   ipa service-add HTTP/server1.example.com

4. Obtain a Keytab for the HTTP Service:

   ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab

This process ensures that the host and the service are enrolled securely within the IPA domain using Kerberos authentication.

---

Conclusion

The IPA command, along with the host, hostgroup, service, and getkeytab subcommands, provides a flexible and secure way to manage services, hosts, and access policies in FreeIPA environments. These commands are essential for effective host and service management in centralized, identity-based environments like FreeIPA.