2.4. System Prerequisites
The IdM server is set up using a configuration script, and this script makes certain assumptions about the host system. If the system does not meet these prerequisites, then server configuration may fail.
		
2.4.1. DNS Records
Proper forward and reverse DNS settings are critical for both IdM servers and replicas (copies of servers) to be configured. DNS is used for replicating data between servers, for identifying servers in SSL certificates, and in Kerberos tickets, among other places. Therefore, servers must be resolvable in both forward and reverse DNS configuration.

The DNS settings for a host can be determined easily using ifconfig and dig.

- Obtain the hostname.

  [root@server ~]# hostname
  server.example.com

- Get the IP address with ifconfig. In this example, the returned IP address is 196.2.3.4.
- Verify that forward DNS is properly configured by using dig to query the hostname and check what IP address is returned. In this example, the expected IP address is 196.2.3.4.

  [root@server ~]# dig server.example.com

- Verify the reverse DNS configuration using dig with the -t ptr option to query the PTR records (reverse records) for the address. This is the IP address in reverse order, with .in-addr.arpa. appended to the address. This should resolve to the hostname, server.example.com. in this example.

  [root@server ~]# dig -t ptr 4.3.2.196.in-addr.arpa.
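The forward and reverse checks above can be scripted so that every server and replica is verified the same way before installation. The following is an added example, not code from the Red Hat documentation or from IdM itself: it derives the PTR query name from an address (the "IP address in reverse order with .in-addr.arpa. appended" step) and checks that each address a hostname resolves to has a PTR record pointing back at that hostname. The sample zone data is constructed so the check runs offline; server.example.com / 196.2.3.4 are the values from the text, the other hosts are made up to show the failure modes. The live_forward/live_reverse helpers show how the same check would use the system resolver in a real deployment.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Constructed sample zone data standing in for a live resolver so the check
# runs offline. server.example.com / 196.2.3.4 are the example values from
# the text; the other hosts are constructed to show the failure modes.
SAMPLE_FORWARD = {
    "server.example.com": ["196.2.3.4"],
    "replica1.example.com": ["196.2.3.5"],  # constructed: PTR names a different host
    "orphan.example.com": ["196.2.3.6"],    # constructed: no PTR record at all
}
SAMPLE_REVERSE = {
    "196.2.3.4": ["server.example.com"],
    "196.2.3.5": ["old-name.example.com"],
}

Forward = Callable[[str], List[str]]   # name -> addresses
Reverse = Callable[[str], List[str]]   # address -> names


def sample_forward(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name, [])


def sample_reverse(ip: str) -> List[str]:
    return SAMPLE_REVERSE.get(ip, [])


def reverse_name(ip: str) -> str:
    """PTR query name for an address: 196.2.3.4 -> 4.3.2.196.in-addr.arpa
    (IPv6 addresses get the nibble form under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def live_forward(name: str) -> List[str]:
    """Forward lookup through the system resolver (for real use, not run here)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> List[str]:
    """Reverse lookup through the system resolver (for real use, not run here)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def check_host_dns(hostname: str, forward: Forward = sample_forward,
                   reverse: Reverse = sample_reverse) -> Tuple[bool, List[str]]:
    """Verify that hostname has a forward record and that every address it
    resolves to has a PTR record pointing back at the same hostname.
    Returns (ok, problems); each problem names the dig query that shows it."""
    fqdn = hostname.rstrip(".").lower()
    addresses = forward(fqdn)
    if not addresses:
        return False, [f"no forward record for {fqdn} (dig {fqdn})"]
    problems: List[str] = []
    for ip in addresses:
        ptr_query = reverse_name(ip)
        names = [n.rstrip(".").lower() for n in reverse(ip)]
        if not names:
            problems.append(f"{ip}: no PTR record (dig -t ptr {ptr_query}.)")
        elif fqdn not in names:
            problems.append(f"{ip}: PTR resolves to {', '.join(names)}, expected {fqdn} "
                            f"(dig -t ptr {ptr_query}.)")
    return not problems, problems


if __name__ == "__main__":
    for host in ("server.example.com", "replica1.example.com", "orphan.example.com"):
        ok, problems = check_host_dns(host)
        print(host, "OK" if ok else "; ".join(problems))
```

To run it against real DNS, call check_host_dns(host, live_forward, live_reverse). Note that the live helpers go through the system stub resolver, so a stale /etc/hosts entry can mask a broken zone; dig queries the name server directly, which is why the text uses it.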
				The DNS records should resolve to whatever hostname is used in the IdM certificates.
			
Note
					If the IdM server is configured to host its own DNS server, the IdM DNS service processes all DNS queries. The IdM DNS records take precedence, and any previous existing DNS configuration is ignored.
				
					All systems within the domain must be configured to use the IdM-managed DNS server.
				
2.4.2. Hostname and IP Address Requirements
				Regardless of whether the DNS is within the IdM server or external, the server host must have DNS properly configured:
			
- The hostname must be a fully-qualified domain name. For example, ipaserver.example.com.

  Important: This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.

- The hostname must be all lower-case.
- The server's A record must be set and resolve to its public IP address. The fully-qualified domain name cannot resolve to the loopback address. It must resolve to the machine's public IP address, not to 127.0.0.1. The output of the hostname command cannot be localhost or localhost6. The A and PTR records do not need to match for the server.
- The server's hostname and IP address must be in its own /etc/hosts file. The fully-qualified domain name for the IdM server must be listed in the hosts file before any aliases.

  Note: A misconfigured file can prevent the IdM command-line tools from functioning correctly and can prevent the IdM web interface from connecting to the IdM server.

  Additionally, the hostname cannot be part of the localhost entry.

  For example, this lists the IPv4 and IPv6 localhost entries for the host (properly), then the IdM server IP address and hostname as the first entry.

  127.0.0.1 localhost.localdomain localhost
  ::1 localhost6.localdomain6 localhost6
  192.168.1.1 ipaserver.example.com ipaserver

- It is recommended that a separate DNS domain be allocated for the IdM server to manage. While not required (clients from other domains can still be enrolled in the IdM domain), this is a convenience for overall DNS management.
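The hostname and /etc/hosts rules in this list are easy to get subtly wrong (an underscore, a mixed-case name, the FQDN tucked after an alias or onto the loopback line), and the installer only reports the resulting DNS or Kerberos failure later. The following is an added example, not code from the Red Hat documentation or from IdM: it checks a hostname against the rules above and parses an /etc/hosts file to confirm the FQDN is the first name on its own non-loopback line. GOOD_HOSTS is the layout shown in the text; BAD_HOSTS is constructed to violate two rules. The label regular expression is my reading of "only numbers, alphabetic characters, and hyphens", with the usual 63-character label limit added as an assumption.

```python
import ipaddress
import re
from typing import List

# Constructed /etc/hosts contents. GOOD_HOSTS is the layout from the text
# (loopback entries first, then the IdM server with its FQDN before the alias);
# BAD_HOSTS puts the FQDN on the loopback line and after an alias.
GOOD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
"""
BAD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost ipaserver.example.com
192.168.1.1 ipaserver ipaserver.example.com
"""

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters (assumed limit, not stated in the text).
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
LOCALHOST_NAMES = {"localhost", "localhost6"}


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal; treat as a normal entry


def check_hostname(hostname: str) -> List[str]:
    """Apply the hostname rules from the text; returns a list of violations."""
    problems: List[str] = []
    if hostname != hostname.lower():
        problems.append("hostname is not all lower-case")
    name = hostname.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        problems.append("hostname is not a fully-qualified domain name")
    for label in labels:
        if label and not LABEL_RE.match(label):
            problems.append(f"label {label!r} contains characters other than letters, digits and hyphens")
    if name in LOCALHOST_NAMES:
        problems.append("hostname cannot be localhost or localhost6")
    return problems


def check_address(ip: str) -> List[str]:
    """The address the FQDN resolves to must not be a loopback address."""
    return [f"{ip} is a loopback address"] if _is_loopback(ip) else []


def check_hosts_file(content: str, fqdn: str, ip: str) -> List[str]:
    """Check that /etc/hosts lists fqdn on the line for ip, before any alias,
    and never as part of a loopback entry."""
    problems: List[str] = []
    found = False
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if fqdn not in names:
            continue
        if _is_loopback(addr):
            problems.append(f"{fqdn} is part of the localhost entry for {addr}")
            continue
        found = True
        if names[0] != fqdn:
            problems.append(f"{fqdn} must be listed before aliases on the {addr} line")
        if addr != ip:
            problems.append(f"{fqdn} is mapped to {addr}, expected {ip}")
    if not found:
        problems.append(f"no non-loopback /etc/hosts entry for {fqdn}")
    return problems


if __name__ == "__main__":
    print(check_hostname("ipaserver.example.com"), check_hostname("IPA_server"))
    print(check_hosts_file(GOOD_HOSTS, "ipaserver.example.com", "192.168.1.1"))
    print(check_hosts_file(BAD_HOSTS, "ipaserver.example.com", "192.168.1.1"))
```

On a real host, feed check_hosts_file the contents of /etc/hosts together with the output of hostname and the address from ifconfig; check_address takes the address returned by the forward DNS lookup.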
2.4.3. Directory Server
				There must not be any instances of 389 Directory Server installed on the host machine.
			
2.4.4. System Files 
				The server script overwrites system files to set up the IdM domain. The system should be clean, without custom configuration for services like DNS and Kerberos, before configuring the IdM server.
			
2.4.5. System Ports
IdM uses a number of ports to communicate with its services. These ports, listed in Table 2.1, “IdM Ports”, must be open and available for IdM to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try the iptables utility to list the available ports or the nc, telnet, or nmap utilities to connect to a port or run a port scan.
			
				To open a port:
			
[root@server ~]# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
				The iptables(8) man page has more information on opening and closing ports on a system.
			
| Service | Ports | Type | 
|---|---|---|
| HTTP/HTTPS | 80, 443 | TCP | 
| LDAP/LDAPS | 389, 636 | TCP | 
| Kerberos | 88, 464 | TCP and UDP | 
| DNS | 53 | TCP and UDP | 
| NTP | 123 | UDP | 
| Dogtag Certificate System - LDAP | 7389 | TCP | 
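Rather than typing one iptables rule per port by hand and eyeballing the result, the table above can drive both the rules and a check of the current rule set. The following is an added example, not code from the Red Hat documentation or from IdM: it flattens Table 2.1 into (protocol, port) pairs, renders an iptables command for each in the same form as the rule shown above, and parses iptables -S INPUT output to report which required ports still lack an ACCEPT rule. The SAMPLE_IPTABLES_S text is constructed; on a real host, pass the actual output of iptables -S INPUT.

```python
import re
from typing import List, Set, Tuple

# Table 2.1 from the text as (service, ports, protocols).
IDM_PORTS = [
    ("HTTP/HTTPS", (80, 443), ("tcp",)),
    ("LDAP/LDAPS", (389, 636), ("tcp",)),
    ("Kerberos", (88, 464), ("tcp", "udp")),
    ("DNS", (53,), ("tcp", "udp")),
    ("NTP", (123,), ("udp",)),
    ("Dogtag Certificate System - LDAP", (7389,), ("tcp",)),
]

# Constructed sample of `iptables -S INPUT` output: some IdM ports opened
# singly, two via multiport, one explicitly dropped, SSH unrelated.
SAMPLE_IPTABLES_S = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j DROP
"""

# An INPUT rule with a protocol, a --dport/--dports list and an ACCEPT target.
RULE_RE = re.compile(r"^-A INPUT\b.*?-p (tcp|udp)\b.*?--dports? (\S+).*?-j ACCEPT\b")


def required_ports() -> Set[Tuple[str, int]]:
    """Flatten the table into (protocol, port) pairs."""
    return {(proto, port)
            for _, ports, protos in IDM_PORTS
            for port in ports
            for proto in protos}


def iptables_accept_rules() -> List[str]:
    """One iptables command per required (protocol, port), in the form used in the text."""
    return [f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT"
            for proto, port in sorted(required_ports())]


def accepted_ports(iptables_s_output: str) -> Set[Tuple[str, int]]:
    """Collect the (protocol, port) pairs that have an ACCEPT rule in INPUT;
    comma-separated --dports lists from -m multiport are expanded."""
    found: Set[Tuple[str, int]] = set()
    for line in iptables_s_output.splitlines():
        match = RULE_RE.match(line.strip())
        if not match:
            continue
        proto, ports = match.groups()
        for port in ports.split(","):
            if port.isdigit():
                found.add((proto, int(port)))
    return found


def missing_ports(iptables_s_output: str) -> List[Tuple[str, int]]:
    """Required IdM ports with no ACCEPT rule in the given rule set."""
    return sorted(required_ports() - accepted_ports(iptables_s_output))


if __name__ == "__main__":
    for proto, port in missing_ports(SAMPLE_IPTABLES_S):
        print(f"missing: {proto}/{port}  ->  iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
```

A rule-presence check only tells you the firewall will admit the traffic; it says nothing about whether another service already owns the port, which is what the nc, telnet or nmap connection test in the text is for. Port ranges (--dport 1024:65535) are deliberately not expanded here.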
2.4.6. NTP
				Network time protocol (NTP) synchronizes time between systems on a network. An NTP server centralizes and manages that clock synchronization. By default, Identity Management installs and configures an NTP server which is used by the domain to synchronize clocks for other Identity Management servers, replicas, and systems and services within the IdM domain.
			
				Some sort of NTP server must be running for some domain tasks — such as Kerberos ticket maintenance and data replication between servers and replicas in the topology — to function properly. It is not required that an IdM server host the NTP server, but it is strongly recommended. This is the default configuration.
			
If a server is being installed on a virtual machine, that server should not run an NTP server. To disable NTP for IdM, use the --no-ntp option when the IdM server is configured to prevent an NTP server from being installed.

2.4.7. NSCD
It is strongly recommended that you avoid or restrict the use of nscd in an IdM deployment. The nscd service is extremely useful for reducing the load on the server, and for making clients more responsive, but there can be problems when a system is also using SSSD, which performs its own caching.

nscd caches authentication and identity information for all services that perform queries through nsswitch, including getent. Because nscd performs both positive and negative caching, if a request determines that a specific IdM user does not exist, it caches this as a negative response. Values stored in the cache remain until the cache expires, regardless of any changes that may occur on the server. The result of such caching is that new users and memberships may not be visible, and users and memberships that have been removed may still be visible.
			
To avoid clashes with SSSD caches and to prevent locking out users, avoid using nscd altogether. Alternatively, use a shorter cache time by resetting the time-to-live caching values in the /etc/nscd.conf file:

positive-time-to-live   group           3600
negative-time-to-live   group           60
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           20
2.4.8. Networking
The default networking service used by Red Hat Enterprise Linux is NetworkManager. However, NetworkManager can cause problems with IdM and the KDC. It is highly recommended that you use the network service to manage the networking requirements in an IdM environment and disable the NetworkManager service.
- Boot the machine into single-user mode.
- Disable the NetworkManager service in the start list and stop the NetworkManager service.

  [root@server ~]# chkconfig NetworkManager off; service NetworkManager stop

- If NetworkManagerDispatcher is installed, ensure that it is stopped and disabled:

  [root@server ~]# chkconfig NetworkManagerDispatcher off; service NetworkManagerDispatcher stop

- Then, make sure that the network service is properly started.

  [root@server ~]# chkconfig network on; service network start

- Ensure that static networking is correctly configured.
- Restart the system.