IPA

The The ipa command in FreeIPA (Identity, Policy, Audit) is a robust tool for managing users, hosts, services, and policies in a centralized manner. It provides subcommands that are essential for managing hosts, hostgroups, services, and keytab files—important components in managing a secure, identity-based infrastructure.

Below are detailed descriptions of these subcommands, including commands for hosts, hostgroups, services, and keytabs:

---

Key Subcommands: host, hostgroup, service, and getkeytab

1. Host Subcommands

These commands allow the management of hosts (servers or systems) within the FreeIPA domain. Hosts are enrolled to gain authentication and policy-based access control.

Common Commands:

• Add a Host:

  ipa host-add <hostname> [options]

  Adds a new host to the domain (e.g., ipa host-add server1.example.com).

• Find Hosts:

  ipa host-find

  Lists all enrolled hosts in the domain.

• Show Host Details:

  ipa host-show <hostname>

  Displays detailed information about a specific host.

• Modify a Host:

  ipa host-mod <hostname> [options]

  Modifies attributes of an existing host, such as its description or principal.

• Delete a Host:

  ipa host-del <hostname>

  Removes a host from the domain.

• Disable/Enable a Host:

  • Disable: Temporarily removes the host from active use.

    ipa host-disable <hostname>

  • Enable: Restores the host to active use.

    ipa host-enable <hostname>

---

2. Hostgroup Subcommands

Hostgroups provide an easy way to manage multiple hosts together by grouping them logically, often for policy or access control purposes.

Common Commands:

• Add a Hostgroup:

  ipa hostgroup-add <hostgroup_name> --desc="Description"

  Creates a new hostgroup with a given description.

• Find Hostgroups:

  ipa hostgroup-find

  Lists all existing hostgroups.

• Show Hostgroup Details:

  ipa hostgroup-show <hostgroup_name>

  Displays detailed information about a specific hostgroup.

• Add Hosts to a Hostgroup:

  ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>

  Adds one or more hosts to a hostgroup.

• Remove Hosts from a Hostgroup:

  ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>

  Removes one or more hosts from a hostgroup.

• Delete a Hostgroup:

  ipa hostgroup-del <hostgroup_name>

  Deletes a hostgroup from the domain.

---

3. Service Subcommands

Services represent applications (such as web services, mail services, etc.) running on hosts that require secure authentication through IPA. These commands manage such services.

Common Commands:

• Add a Service:

  ipa service-add <service/hostname>

  Adds a new service to the domain, enabling it to interact with the IPA environment (e.g., HTTP/webserver01.example.com).

• Find Services:

  ipa service-find

  Lists all services available in the domain.

• Show Service Details:

  ipa service-show <service/hostname>

  Displays detailed information about a specific service.

• Delete a Service:

  ipa service-del <service/hostname>

  Removes a service from the domain.

• Enable/Disable a Service:

  • Enable:

    ipa service-enable <service/hostname>

  • Disable:

    ipa service-disable <service/hostname>

---

4. Getkeytab Subcommands

Keytabs are files that store service or host credentials used for secure authentication, specifically with Kerberos. The ipa-getkeytab command fetches and manages keytab files.

Common Commands:

• Obtain a Keytab for a Host:

  ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab

  Fetches the keytab for a specified host and stores it in the default Kerberos keytab location.

• Obtain a Keytab for a Service:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab

  Retrieves the keytab for a service running on a host.

• Force a New Keytab:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f

  Forces the retrieval of a new keytab, overwriting any existing keytab.

• Remove a Keytab:

  ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>

  Deletes a keytab for a specific service, revoking its credentials.

---

Example Scenario: Adding and Securing a Host with a Service

1. Add the Host:

   ipa host-add server1.example.com --force

2. Create a Hostgroup (e.g., all web servers):

   ipa hostgroup-add WebServers --desc="All web servers"
   ipa hostgroup-add-member WebServers --hosts=server1.example.com

3. Add and Configure a Service: For example, you may want to add an HTTP service for server1:

   ipa service-add HTTP/server1.example.com

4. Obtain the Keytab for the HTTP Service:

   ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab

This ensures that the host and the service are authenticated and secure within the FreeIPA domain, with keytab-based Kerberos authentication.

---

Conclusion

Using the ipa command with subcommands for hosts, hostgroups, services, and keytabs, administrators can efficiently manage identity, authentication, and policies in a secure FreeIPA environment. These tools are critical in environments that require centralized management of users, machines, services, and access control in enterprise systems.` command in FreeIPA (Identity, Policy, Audit) is a robust tool for managing users, hosts, services, and policies in a centralized manner. It provides subcommands that are essential for managing hosts, hostgroups, services, and keytab files—important components in managing a secure, identity-based infrastructure.

Below are detailed descriptions of these subcommands, including commands for hosts, hostgroups, services, and keytabs:

---

Key Subcommands: host, hostgroup, service, and getkeytab

1. Host Subcommands

These commands allow the management of hosts (servers or systems) within the FreeIPA domain. Hosts are enrolled to gain authentication and policy-based access control.

Common Commands:

• Add a Host:

  ipa host-add <hostname> [options]

  Adds a new host to the domain (e.g., ipa host-add server1.example.com).

• Find Hosts:

  ipa host-find

  Lists all enrolled hosts in the domain.

• Show Host Details:

  ipa host-show <hostname>

  Displays detailed information about a specific host.

• Modify a Host:

  ipa host-mod <hostname> [options]

  Modifies attributes of an existing host, such as its description or principal.

• Delete a Host:

  ipa host-del <hostname>

  Removes a host from the domain.

• Disable/Enable a Host:

  • Disable: Temporarily removes the host from active use.

    ipa host-disable <hostname>

  • Enable: Restores the host to active use.

    ipa host-enable <hostname>

---

2. Hostgroup Subcommands

Hostgroups provide an easy way to manage multiple hosts together by grouping them logically, often for policy or access control purposes.

Common Commands:

• Add a Hostgroup:

  ipa hostgroup-add <hostgroup_name> --desc="Description"

  Creates a new hostgroup with a given description.

• Find Hostgroups:

  ipa hostgroup-find

  Lists all existing hostgroups.

• Show Hostgroup Details:

  ipa hostgroup-show <hostgroup_name>

  Displays detailed information about a specific hostgroup.

• Add Hosts to a Hostgroup:

  ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>

  Adds one or more hosts to a hostgroup.

• Remove Hosts from a Hostgroup:

  ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>

  Removes one or more hosts from a hostgroup.

• Delete a Hostgroup:

  ipa hostgroup-del <hostgroup_name>

  Deletes a hostgroup from the domain.

---

3. Service Subcommands

Services represent applications (such as web services, mail services, etc.) running on hosts that require secure authentication through IPA. These commands manage such services.

Common Commands:

• Add a Service:

  ipa service-add <service/hostname>

  Adds a new service to the domain, enabling it to interact with the IPA environment (e.g., HTTP/webserver01.example.com).

• Find Services:

  ipa service-find

  Lists all services available in the domain.

• Show Service Details:

  ipa service-show <service/hostname>

  Displays detailed information about a specific service.

• Delete a Service:

  ipa service-del <service/hostname>

  Removes a service from the domain.

• Enable/Disable a Service:

  • Enable:

    ipa service-enable <service/hostname>

  • Disable:

    ipa service-disable <service/hostname>

---

4. Getkeytab Subcommands

Keytabs are files that store service or host credentials used for secure authentication, specifically with Kerberos. The ipa-getkeytab command fetches and manages keytab files.

Common Commands:

• Obtain a Keytab for a Host:

  ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab

  Fetches the keytab for a specified host and stores it in the default Kerberos keytab location.

• Obtain a Keytab for a Service:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab

  Retrieves the keytab for a service running on a host.

• Force a New Keytab:

  ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f

  Forces the retrieval of a new keytab, overwriting any existing keytab.

• Remove a Keytab:

  ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>

  Deletes a keytab for a specific service, revoking its credentials.

---

Example Scenario: Adding and Securing a Host with a Service

1. Add the Host:

   ipa host-add server1.example.com --force

2. Create a Hostgroup (e.g., all web servers):

   ipa hostgroup-add WebServers --desc="All web servers"
   ipa hostgroup-add-member WebServers --hosts=server1.example.com

3. Add and Configure a Service: For example, you may want to add an HTTP service for server1:

   ipa service-add HTTP/server1.example.com

4. Obtain the Keytab for the HTTP Service:

   ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab

This ensures that the host and the service are authenticated and secure within the FreeIPA domain, with keytab-based Kerberos authentication.

---

Conclusion

Using the ipa command with subcommands for hosts, hostgroups, services, and keytabs, administrators can efficiently manage identity, authentication, and policies in a secure FreeIPA environment. These tools are critical in environments that require centralized management of users, machines, services, and access control in enterprise systems.