IPA

The The ipa command in FreeIPA (Identity, Policy, Audit) is a robust tool for managing users, hosts, services, and policies in a centralized manner. It provides subcommands that are essential for managing hosts, hostgroups, services, and keytab files—important components in managing a secure, identity-based infrastructure.

Below are detailed descriptions of these subcommands, including commands for hosts, hostgroups, services, and keytabs:


Key Subcommands: host, hostgroup, service, and getkeytab

1. Host Subcommands

These commands allow the management of hosts (servers or systems) within the FreeIPA domain. Hosts are enrolled to gain authentication and policy-based access control.

Common Commands:

  • Add a Host:

    ipa host-add <hostname> [options]

    Adds a new host to the domain (e.g., ipa host-add server1.example.com).

  • Find Hosts:

    ipa host-find

    Lists all enrolled hosts in the domain.

  • Show Host Details:

    ipa host-show <hostname>

    Displays detailed information about a specific host.

  • Modify a Host:

    ipa host-mod <hostname> [options]

    Modifies attributes of an existing host, such as its description or principal.

  • Delete a Host:

    ipa host-del <hostname>

    Removes a host from the domain.

  • Disable/Enable a Host:

    • Disable: Temporarily removes the host from active use.

      ipa host-disable <hostname>
    • Enable: Restores the host to active use.

      ipa host-enable <hostname>

2. Hostgroup Subcommands

Hostgroups provide an easy way to manage multiple hosts together by grouping them logically, often for policy or access control purposes.

Common Commands:

  • Add a Hostgroup:

    ipa hostgroup-add <hostgroup_name> --desc="Description"

    Creates a new hostgroup with a given description.

  • Find Hostgroups:

    ipa hostgroup-find

    Lists all existing hostgroups.

  • Show Hostgroup Details:

    ipa hostgroup-show <hostgroup_name>

    Displays detailed information about a specific hostgroup.

  • Add Hosts to a Hostgroup:

    ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>

    Adds one or more hosts to a hostgroup.

  • Remove Hosts from a Hostgroup:

    ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>

    Removes one or more hosts from a hostgroup.

  • Delete a Hostgroup:

    ipa hostgroup-del <hostgroup_name>

    Deletes a hostgroup from the domain.


3. Service Subcommands

Services represent applications (such as web services, mail services, etc.) running on hosts that require secure authentication through IPA. These commands manage such services.

Common Commands:

  • Add a Service:

    ipa service-add <service/hostname>

    Adds a new service to the domain, enabling it to interact with the IPA environment (e.g., HTTP/webserver01.example.com).

  • Find Services:

    ipa service-find

    Lists all services available in the domain.

  • Show Service Details:

    ipa service-show <service/hostname>

    Displays detailed information about a specific service.

  • Delete a Service:

    ipa service-del <service/hostname>

    Removes a service from the domain.

  • Enable/Disable a Service:

    • Enable:

      ipa service-enable <service/hostname>
    • Disable:

      ipa service-disable <service/hostname>

4. Getkeytab Subcommands

Keytabs are files that store service or host credentials used for secure authentication, specifically with Kerberos. The ipa-getkeytab command fetches and manages keytab files.

Common Commands:

  • Obtain a Keytab for a Host:

    ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab

    Fetches the keytab for a specified host and stores it in the default Kerberos keytab location.

  • Obtain a Keytab for a Service:

    ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab

    Retrieves the keytab for a service running on a host.

  • Force a New Keytab:

    ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f

    Forces the retrieval of a new keytab, overwriting any existing keytab.

  • Remove a Keytab:

    ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>

    Deletes a keytab for a specific service, revoking its credentials.


Example Scenario: Adding and Securing a Host with a Service

  1. Add the Host:

    ipa host-add server1.example.com --force
  2. Create a Hostgroup (e.g., all web servers):

    ipa hostgroup-add WebServers --desc="All web servers"
    ipa hostgroup-add-member WebServers --hosts=server1.example.com
  3. Add and Configure a Service: For example, you may want to add an HTTP service for server1:

    ipa service-add HTTP/server1.example.com
  4. Obtain the Keytab for the HTTP Service:

    ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab

This ensures that the host and the service are authenticated and secure within the FreeIPA domain, with keytab-based Kerberos authentication.


Conclusion

Using the ipa command with subcommands for hosts, hostgroups, services, and keytabs, administrators can efficiently manage identity, authentication, and policies in a secure FreeIPA environment. These tools are critical in environments that require centralized management of users, machines, services, and access control in enterprise systems.` command in FreeIPA (Identity, Policy, Audit) is a robust tool for managing users, hosts, services, and policies in a centralized manner. It provides subcommands that are essential for managing hosts, hostgroups, services, and keytab files—important components in managing a secure, identity-based infrastructure.

Below are detailed descriptions of these subcommands, including commands for hosts, hostgroups, services, and keytabs:


Key Subcommands: host, hostgroup, service, and getkeytab

1. Host Subcommands

These commands allow the management of hosts (servers or systems) within the FreeIPA domain. Hosts are enrolled to gain authentication and policy-based access control.

Common Commands:

  • Add a Host:

    ipa host-add <hostname> [options]

    Adds a new host to the domain (e.g., ipa host-add server1.example.com).

  • Find Hosts:

    ipa host-find

    Lists all enrolled hosts in the domain.

  • Show Host Details:

    ipa host-show <hostname>

    Displays detailed information about a specific host.

  • Modify a Host:

    ipa host-mod <hostname> [options]

    Modifies attributes of an existing host, such as its description or principal.

  • Delete a Host:

    ipa host-del <hostname>

    Removes a host from the domain.

  • Disable/Enable a Host:

    • Disable: Temporarily removes the host from active use.

      ipa host-disable <hostname>
    • Enable: Restores the host to active use.

      ipa host-enable <hostname>

2. Hostgroup Subcommands

Hostgroups provide an easy way to manage multiple hosts together by grouping them logically, often for policy or access control purposes.

Common Commands:

  • Add a Hostgroup:

    ipa hostgroup-add <hostgroup_name> --desc="Description"

    Creates a new hostgroup with a given description.

  • Find Hostgroups:

    ipa hostgroup-find

    Lists all existing hostgroups.

  • Show Hostgroup Details:

    ipa hostgroup-show <hostgroup_name>

    Displays detailed information about a specific hostgroup.

  • Add Hosts to a Hostgroup:

    ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>

    Adds one or more hosts to a hostgroup.

  • Remove Hosts from a Hostgroup:

    ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>

    Removes one or more hosts from a hostgroup.

  • Delete a Hostgroup:

    ipa hostgroup-del <hostgroup_name>

    Deletes a hostgroup from the domain.


3. Service Subcommands

Services represent applications (such as web services, mail services, etc.) running on hosts that require secure authentication through IPA. These commands manage such services.

Common Commands:

  • Add a Service:

    ipa service-add <service/hostname>

    Adds a new service to the domain, enabling it to interact with the IPA environment (e.g., HTTP/webserver01.example.com).

  • Find Services:

    ipa service-find

    Lists all services available in the domain.

  • Show Service Details:

    ipa service-show <service/hostname>

    Displays detailed information about a specific service.

  • Delete a Service:

    ipa service-del <service/hostname>

    Removes a service from the domain.

  • Enable/Disable a Service:

    • Enable:

      ipa service-enable <service/hostname>
    • Disable:

      ipa service-disable <service/hostname>

4. Getkeytab Subcommands

Keytabs are files that store service or host credentials used for secure authentication, specifically with Kerberos. The ipa-getkeytab command fetches and manages keytab files.

Common Commands:

  • Obtain a Keytab for a Host:

    ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab

    Fetches the keytab for a specified host and stores it in the default Kerberos keytab location.

  • Obtain a Keytab for a Service:

    ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab

    Retrieves the keytab for a service running on a host.

  • Force a New Keytab:

    ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f

    Forces the retrieval of a new keytab, overwriting any existing keytab.

  • Remove a Keytab:

    ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>

    Deletes a keytab for a specific service, revoking its credentials.


Example Scenario: Adding and Securing a Host with a Service

  1. Add the Host:

    ipa host-add server1.example.com --force
  2. Create a Hostgroup (e.g., all web servers):

    ipa hostgroup-add WebServers --desc="All web servers"
    ipa hostgroup-add-member WebServers --hosts=server1.example.com
  3. Add and Configure a Service: For example, you may want to add an HTTP service for server1:

    ipa service-add HTTP/server1.example.com
  4. Obtain the Keytab for the HTTP Service:

    ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab

This ensures that the host and the service are authenticated and secure within the FreeIPA domain, with keytab-based Kerberos authentication.


Conclusion

Using the ipa command with subcommands for hosts, hostgroups, services, and keytabs, administrators can efficiently manage identity, authentication, and policies in a secure FreeIPA environment. These tools are critical in environments that require centralized management of users, machines, services, and access control in enterprise systems.

Last updated