IPA
The ipa command in FreeIPA (Identity, Policy, Audit) is a robust tool for managing users, hosts, services, and policies in a centralized manner. It provides subcommands that are essential for managing hosts, hostgroups, services, and keytab files, which are important components of a secure, identity-based infrastructure.
Below are detailed descriptions of these subcommands, including commands for hosts, hostgroups, services, and keytabs:
Key Subcommands: host, hostgroup, service, and getkeytab
1. Host Subcommands
These commands allow the management of hosts (servers or systems) within the FreeIPA domain. Hosts are enrolled to gain authentication and policy-based access control.
Common Commands:
Add a Host:
ipa host-add <hostname> [options]
Adds a new host to the domain (e.g., ipa host-add server1.example.com).
Find Hosts:
ipa host-find
Lists all enrolled hosts in the domain.
Show Host Details:
ipa host-show <hostname>
Displays detailed information about a specific host.
Modify a Host:
ipa host-mod <hostname> [options]
Modifies attributes of an existing host, such as its description or principal.
Delete a Host:
ipa host-del <hostname>
Removes a host from the domain.
Disable/Enable a Host:
Disable: Temporarily removes the host from active use.
ipa host-disable <hostname>
Enable: Restores the host to active use.
ipa host-enable <hostname>
2. Hostgroup Subcommands
Hostgroups provide an easy way to manage multiple hosts together by grouping them logically, often for policy or access control purposes.
Common Commands:
Add a Hostgroup:
ipa hostgroup-add <hostgroup_name> --desc="Description"
Creates a new hostgroup with a given description.
Find Hostgroups:
ipa hostgroup-find
Lists all existing hostgroups.
Show Hostgroup Details:
ipa hostgroup-show <hostgroup_name>
Displays detailed information about a specific hostgroup.
Add Hosts to a Hostgroup:
ipa hostgroup-add-member <hostgroup_name> --hosts=<hostname>
Adds one or more hosts to a hostgroup.
Remove Hosts from a Hostgroup:
ipa hostgroup-remove-member <hostgroup_name> --hosts=<hostname>
Removes one or more hosts from a hostgroup.
Delete a Hostgroup:
ipa hostgroup-del <hostgroup_name>
Deletes a hostgroup from the domain.
3. Service Subcommands
Services represent applications (such as web services, mail services, etc.) running on hosts that require secure authentication through IPA. These commands manage such services.
Common Commands:
Add a Service:
ipa service-add <service/hostname>
Adds a new service to the domain, enabling it to interact with the IPA environment (e.g., HTTP/webserver01.example.com).
Find Services:
ipa service-find
Lists all services available in the domain.
Show Service Details:
ipa service-show <service/hostname>
Displays detailed information about a specific service.
Delete a Service:
ipa service-del <service/hostname>
Removes a service from the domain.
Enable/Disable a Service:
Enable:
ipa service-enable <service/hostname>
Disable:
ipa service-disable <service/hostname>
4. Getkeytab Subcommands
Keytabs are files that store service or host credentials used for secure authentication, specifically with Kerberos. The ipa-getkeytab command fetches and manages keytab files.
Common Commands:
Obtain a Keytab for a Host:
ipa-getkeytab -s <IPA_server> -p host/<hostname> -k /etc/krb5.keytab
Fetches the keytab for a specified host and stores it in the default Kerberos keytab location.
Obtain a Keytab for a Service:
ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab
Retrieves the keytab for a service running on a host.
Force a New Keytab:
ipa-getkeytab -s <IPA_server> -p <service/hostname> -k /etc/krb5.keytab -f
Forces the retrieval of a new keytab, overwriting any existing keytab.
Remove a Keytab:
ipa service-remove-keytab <service/hostname> --keytab=<keytab_location>
Deletes a keytab for a specific service, revoking its credentials.
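Once ipa-getkeytab has written a keytab, two things are worth checking before the service is put into use: that the expected principal is actually in the file, and that the file is not readable by other local users. The script below is an added example, not part of this page or of the FreeIPA project; it parses the table layout of klist -kt (MIT Kerberos) and uses a constructed listing for server1.example.com in an assumed EXAMPLE.COM realm. The duplicated HTTP/ entry in the sample illustrates what happens when ipa-getkeytab is run twice for the same principal: each run without -r generates a new key, so the older entry (and any other copy of that keytab) is stale.

```shell
#!/bin/sh
# Added example (not from the page): post-fetch checks for a keytab written by
# ipa-getkeytab. The klist listing and the KVNO values below are constructed
# sample data; the keytab path and realm (EXAMPLE.COM) are assumptions.

# Reduce `klist -kt` output to "KVNO principal" pairs. Header lines are
# dropped by keeping only rows whose first field is a number.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }'
}

# Exit 0 if the listing on stdin contains the given principal, else 1.
keytab_has_principal() {
    keytab_entries | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Print the highest KVNO recorded for a principal (nothing if it is absent).
keytab_kvno() {
    keytab_entries | awk -v p="$1" \
        'BEGIN { max = 0 } $2 == p && $1 + 0 > max { max = $1 + 0 }
         END { if (max > 0) print max }'
}

# Exit 0 if the keytab file is mode 0600; a world-readable keytab hands the
# service's long-term key to every local user.
keytab_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Constructed sample of `klist -kt /etc/krb5.keytab` after ipa-getkeytab was
# run twice for HTTP/: the KVNO 2 entry for HTTP/ is stale, KVNO 3 is current.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:00:00 host/server1.example.com@EXAMPLE.COM
   2 01/15/2024 10:00:00 HTTP/server1.example.com@EXAMPLE.COM
   3 02/01/2024 09:30:00 HTTP/server1.example.com@EXAMPLE.COM'

# Stand-alone demo on the sample; on a real host pipe `klist -kt` in instead.
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal HTTP/server1.example.com@EXAMPLE.COM \
    && echo "HTTP principal present, current KVNO $(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno HTTP/server1.example.com@EXAMPLE.COM)"
```

On a real host, replace the sample with klist -kt /etc/krb5.keytab and run keytab_perms_ok against the keytab path you passed to -k. When several machines share one service principal, compare the KVNO each copy reports: the copy written last wins, and every other copy stops authenticating until it is re-fetched with ipa-getkeytab -r (retrieve the existing key instead of generating a new one).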
Example Scenario: Adding and Securing a Host with a Service
Add the Host:
ipa host-add server1.example.com --force
Create a Hostgroup (e.g., all web servers):
ipa hostgroup-add WebServers --desc="All web servers"
ipa hostgroup-add-member WebServers --hosts=server1.example.com
Add and Configure a Service: For example, you may want to add an HTTP service for server1:
ipa service-add HTTP/server1.example.com
Obtain the Keytab for the HTTP Service:
ipa-getkeytab -s ipa.example.com -p HTTP/server1.example.com -k /etc/krb5.keytab
This ensures that the host and the service are authenticated and secure within the FreeIPA domain, with keytab-based Kerberos authentication.
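The scenario above, wrapped in a script, as an added example that is not part of this page or of FreeIPA. It validates the hostname and the derived service principal before any ipa command runs, because the hostname becomes the instance part of every Kerberos principal for that host and a typo there yields principals that no client ever requests. It defaults to a dry run that only prints the commands, so it can be exercised without an IPA server. server1.example.com, WebServers and ipa.example.com are the page's sample values; the validation rules and the DRY_RUN variable are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the page): the scenario above as a script that
# validates its inputs before calling ipa and defaults to a dry run, so it can
# be exercised without an IPA server. server1.example.com, WebServers and
# ipa.example.com are the page's sample values; the checks are this script's own.

# Accept only a lowercase, dotted FQDN. The hostname becomes the instance
# part of every Kerberos principal for the host, so a short or mixed-case
# name produces principals that never match what clients ask the KDC for.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Service principals have the form <service>/<fqdn>, e.g. HTTP/server1.example.com.
valid_service_principal() {
    case "$1" in
        */*/*) return 1 ;;                       # more than one slash
        */*)   svc=${1%%/*}; host=${1#*/} ;;
        *)     return 1 ;;                       # no slash at all
    esac
    printf '%s' "$svc" | grep -Eq '^[A-Za-z][A-Za-z0-9_-]*$' || return 1
    valid_fqdn "$host"
}

# Execute a command, or only echo it when DRY_RUN is 1 (the default here).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'dry-run: %s\n' "$*"
    else
        "$@"
    fi
}

# The steps of the page's scenario, in order. Returns 2 on bad input,
# otherwise the status of the first failing ipa command.
enroll_web_host() {
    host=$1 group=$2 server=$3
    valid_fqdn "$host" || { echo "refusing to enroll '$host': not a lowercase FQDN" >&2; return 2; }
    valid_service_principal "HTTP/$host" || return 2
    # --force skips the DNS lookup for the host name.
    # hostgroup-add fails on a rerun if the group already exists; check with
    # hostgroup-show first if the script must be idempotent.
    run ipa host-add "$host" --force &&
    run ipa hostgroup-add "$group" --desc="All web servers" &&
    run ipa hostgroup-add-member "$group" --hosts="$host" &&
    run ipa service-add "HTTP/$host" &&
    run ipa-getkeytab -s "$server" -p "HTTP/$host" -k /etc/krb5.keytab
}

# Stand-alone demo (dry run): prints the five commands instead of running them.
enroll_web_host server1.example.com WebServers ipa.example.com
```

Run it with DRY_RUN=0 on an enrolled client holding an admin ticket to execute the commands for real. The final ipa-getkeytab generates a fresh key for HTTP/server1.example.com, so it should be run exactly once per service unless the intent is to rotate the key.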
Conclusion
Using the ipa command with subcommands for hosts, hostgroups, services, and keytabs, administrators can efficiently manage identity, authentication, and policies in a secure FreeIPA environment. These tools are critical in environments that require centralized management of users, machines, services, and access control in enterprise systems.