
Chapter 15. Installing an IdM client with Kickstart


Automate Identity Management client enrollment during RHEL installation to reduce manual configuration. This process creates a consistent domain setup across new systems and simplifies large-scale deployments.

15.1. Installing an IdM client with Kickstart

Install Identity Management (IdM) clients by using Kickstart files to automate enrollment during system installation and reduce manual configuration.

Prerequisites

  • Do not start the sshd service prior to the Kickstart enrollment. Starting sshd before enrolling the client generates the SSH keys automatically, but the Kickstart enrollment process uses a script for the same purpose, which is the preferred solution.

Procedure

  1. Pre-create the host entry on the IdM server and set a one-time password for the entry:

    $ ipa host-add <idm_client_fqdn> --password=<password>

    The password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.

  2. Create a Kickstart file with the required components:

    1. Add the ipa-client package to the %packages section of the Kickstart file:

      %packages
      ...
      ipa-client
      ...
    2. Add a %post section with the required post-installation instructions:

      • Instructions to generate SSH keys before enrollment.
      • Instructions to run the ipa-client-install utility.

        For example, the post-installation instructions for a Kickstart installation that uses a one-time password and retrieves the required options from the command line rather than via DNS can look like this:

        %post --log=/root/ks-post.log
        
        # Generate SSH keys; ipa-client-install uploads them to the IdM server by default
        /usr/libexec/openssh/sshd-keygen rsa
        
        # Run the client install script
        /usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
  3. Use the Kickstart file to install the IdM client system.

Verification

  1. Log in to the newly deployed client system.
  2. Verify that the client can obtain information about users defined on the server by checking that you can resolve a user. For example, to check the default admin user:

    [user@client ~]$ id admin
    uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)
  3. Verify that authentication works correctly by switching to a root user from a non-root user:

    [user@client ~]$ su -
    Last login: Thu Oct 18 18:39:11 CEST 2018 from 192.168.122.1 on pts/0
    [root@client ~]#

15.2. Kickstart-based client installation

Kickstart-based client installation automates system enrollment into an Identity Management (IdM) domain, eliminates manual post-installation configuration, and ensures consistent domain integration across multiple systems.

The ipa-client package provides the necessary tools and utilities for domain enrollment, including the ipa-client-install command-line utility.

During a Kickstart-based installation, the system installs the ipa-client package and executes post-installation scripts that enroll the client into the IdM domain.

Post-installation configuration

The post-installation section executes the enrollment commands using predefined parameters such as the domain name, realm, server location, and authentication credentials.

The post-installation section must include:

  • An instruction for ensuring SSH keys are generated before enrollment. The Kickstart script generates SSH keys instead of relying on the sshd service to generate them automatically.
  • An instruction to run the ipa-client-install utility, while specifying:

    • All the required information to access and configure the IdM domain services.
    • The password which you set when pre-creating the client host on the IdM server.
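
These requirements can be checked mechanically before a Kickstart file is used for a deployment. The script below is an added example and is not part of the product documentation: the function name check_ks and both sample files are constructed for illustration, and it also flags the prerequisite that sshd must not be started before enrollment.

```shell
# Added example: lint a Kickstart file, read from stdin, against the IdM
# enrollment requirements. Prints one FAIL line per finding, or OK.
check_ks() {
    awk '
    /^%packages/ { sec = "packages"; next }
    /^%post/     { sec = "post"; next }
    /^%/         { sec = ""; next }          # %end or any other section
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    sec == "packages" && $1 == "ipa-client" { pkg = 1 }
    sec != "post" { next }
    /ipa-client-install/ { enroll = 1; if ($0 ~ /[ \t](-w|--password)[ \t=]/) pw = 1; next }
    !enroll && /sshd-keygen/ { keygen = 1 }  # key generation must come first
    !enroll && /systemctl[ \t]+(start|restart)[ \t]+sshd/ { early = 1 }
    END {
        if (!pkg)              print "FAIL: ipa-client is not listed in %packages"
        if (!enroll)           print "FAIL: %post does not run ipa-client-install"
        if (enroll && !keygen) print "FAIL: no sshd-keygen call before ipa-client-install"
        if (enroll && !pw)     print "FAIL: ipa-client-install has no -w/--password option"
        if (early)             print "FAIL: sshd is started before enrollment"
        if (pkg && enroll && keygen && pw && !early) print "OK"
    }'
}
# Constructed sample: the fragments from this page assembled into one file.
sample_good() { cat <<'EOF'
%packages
ipa-client
%end
%post --log=/root/ks-post.log
/usr/libexec/openssh/sshd-keygen rsa
/usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
%end
EOF
}
# Constructed sample with four defects: package missing, sshd started early,
# no key generation, no one-time password.
sample_bad() { cat <<'EOF'
%packages
vim-enhanced
%end
%post
systemctl start sshd
/usr/sbin/ipa-client-install --domain=EXAMPLE.COM --server=server.example.com --unattended
%end
EOF
}
sample_good | check_ks
sample_bad | check_ks
```
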

Optionally, you can also include other options in the Kickstart file, such as:

  • For a non-interactive installation, add the --unattended option to ipa-client-install.
  • To let the client installation script request a certificate for the machine:

    • Add the --request-cert option to ipa-client-install.
    • Set the system bus address to /dev/null for both the getcert and ipa-client-install utilities in the Kickstart chroot environment. To do this, add these lines to the post-installation instructions in the Kickstart file before the ipa-client-install instruction:

      # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list
      # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install