Red Hat SummitChapter 15. Installing an IdM client with Kickstart
Automate Identity Management client enrollment during RHEL installation to reduce manual configuration. This process creates a consistent domain setup across new systems and simplifies large-scale deployments.
15.1. Installing a client with Kickstart
Install Identity Management (IdM) clients by using Kickstart files to automate enrollment during system installation and reduce manual configuration.
Prerequisites
-
Do not start the
sshdservice prior to the kickstart enrollment. Startingsshdbefore enrolling the client generates the SSH keys automatically, but the Kickstart file in Section 15.2, “Kickstart file for client installation” uses a script for the same purpose, which is the preferred solution.
Procedure
Pre-create the host entry on the IdM server, and set a temporary password for the entry:
ipa host-add client.example.com --password=secret
$ ipa host-add client.example.com --password=secretCopy to Clipboard Copied! Toggle word wrap Toggle overflow The password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.
-
Create a Kickstart file with the contents described in Section 15.2, “Kickstart file for client installation”. Make sure that network is configured properly in the Kickstart file using the
networkcommand. - Use the Kickstart file to install the IdM client.
15.2. Kickstart file for client installation
Automate Identity Management (IdM) client installation during system deployment by using a Kickstart file with the required configuration. The contents of the Kickstart file must meet the requirements outlined.
- The
ipa-clientpackage in the list of packages to install Add the
ipa-clientpackage to the %packages section of the Kickstart file. For example:%packages ... ipa-client ...
%packages ... ipa-client ...Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Post-installation instructions for the IdM client
The post-installation instructions must include:
- An instruction for ensuring SSH keys are generated before enrollment
An instruction to run the
ipa-client-installutility, while specifying:- All the required information to access and configure the IdM domain services
- The password which you set when pre-creating the client host on the IdM server. in Section 15.1, “Installing a client with Kickstart”.
For example, the post-installation instructions for a Kickstart installation that uses a one-time password and retrieves the required options from the command line rather than via DNS can look like this:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Optionally, you can also include other options in the Kickstart file, such as:
-
For a non-interactive installation, add the
--unattendedoption toipa-client-install. To let the client installation script request a certificate for the machine:
-
Add the
--request-certoption toipa-client-install. Set the system bus address to
/dev/nullfor both thegetcertandipa-client-installutility in the Kickstartchrootenvironment. To do this, add these lines to the post-installation instructions in the Kickstart file before theipa-client-installinstruction:env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install
# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-installCopy to Clipboard Copied! Toggle word wrap Toggle overflow
-
Add the
15.3. Testing an IdM client
Verify Identity Management (IdM) client functionality by testing user information resolution and authentication to ensure proper deployment.
Procedure
To test that the Identity Management (IdM) client can obtain information about users defined on the server, check that you are able to resolve a user defined on the server. For example, to check the default
adminuser:id admin uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)
[user@client ~]$ id admin uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)Copy to Clipboard Copied! Toggle word wrap Toggle overflow To test that authentication works correctly,
suto a root user from a non-root user:su - Last login: Thu Oct 18 18:39:11 CEST 2018 from 192.168.122.1 on pts/0
[user@client ~]$ su - Last login: Thu Oct 18 18:39:11 CEST 2018 from 192.168.122.1 on pts/0 [root@client ~]#Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}