Chapter 10. Preparing the system for IdM client installation
This chapter describes the conditions your system must meet to install an Identity Management (IdM) client.
10.1. DNS requirements for IdM clients
Client installer by default tries to search for _ldap._tcp.DOMAIN
DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname client1.idm.example.com
, the installer will try to retrieve an IdM server hostname from _ldap._tcp.idm.example.com
, _ldap._tcp.example.com
and _ldap._tcp.com
DNS SRV records, respectively. The discovered domain is then used to configure client components (for example, SSSD and Kerberos 5 configuration) on the machine.
However, the hostnames of IdM clients are not required to be part of the primary DNS domain. If the client machine hostname is not in a subdomain of an IdM server, pass the IdM domain as the --domain
option of the ipa-client-install
command. In that case, after the installation of the client, both SSSD and Kerberos components will have the domain set in their configuration files and will use it to autodiscover IdM servers.
Additional resources
- For details on DNS requirements in IdM, see Section 1.4, “Host name and DNS requirements for IdM”.
10.2. Port requirements for IdM clients
Identity Management (IdM) clients connect to a number of ports on IdM servers to communicate with their services.
On IdM client, these ports must be open in the outgoing direction. If you are using a firewall that does not filter outgoing packets, such as firewalld
, the ports are already available in the outgoing direction.
Additional resources
- For information about which specific ports are used, see Section 1.5, “Port requirements for IdM”.
10.3. IPv6 requirements for IdM clients
Identity Management (IdM) does not require the IPv6
protocol to be enabled in the kernel of the host that you want to enroll into IdM. For example, if your internal network only uses the IPv4
protocol, you can configure the System Security Services Daemon (SSSD) to only use IPv4
to communicate with the IdM server. You can do this by inserting the following line into the [domain/NAME]
section of the /etc/sssd/sssd.conf
file:
lookup_family_order = ipv4_only
Additional resources
-
For more information on the
lookup_family_order
option, see thesssd.conf(5)
man page.
10.4. Packages required to install an IdM client
In RHEL8, the packages necessary for installing an Identity Management (IdM) client are shipped as a module. Two IdM streams provide IdM client packages:
-
the
idm:client
stream. For details, see Section 10.4.1, “Installing ipa-client packages from the idm:client stream”. -
the
idm:DL1
stream. For details, see Section 10.4.2, “Installing ipa-client packages from the idm:DL1 stream”.
10.4.1. Installing ipa-client packages from the idm:client stream
The idm:client
stream is the default stream of the idm
module. Use this stream to download the IdM client packages if you do not need to install server components on your machine. Using the idm:client
stream is especially recommended if you need to consistently use IdM client software that is supported long-term, provided you do not need server components, too.
When switching to the idm:client
stream after you previously enabled the idm:DL1
stream and downloaded packages from it, you need to first explicitly remove all the relevant installed content and disable the idm:DL1
stream before enabling the idm:client
stream. Trying to enable a new stream without disabling the current one results in an error. For details on how to proceed, see Switching to a later stream.
Procedure
To download the packages necessary for installing an IdM client:
# yum module install idm
10.4.2. Installing ipa-client packages from the idm:DL1 stream
The idm:DL1
stream needs to be enabled before you can download packages from it. Use this stream to download the IdM client packages if you need to install IdM server components on your machine.
When switching to the idm:DL1
stream after you previously enabled the idm:client
stream and downloaded packages from it, you need to first explicitly remove all the relevant installed content and disable the idm:client
stream before enabling the idm:DL1
stream. Trying to enable a new stream without disabling the current one results in an error. For details on how to proceed, see Switching to a later stream.
Procedure
To switch to the RPMs delivered through the
idm:DL1
stream:# yum module enable idm:DL1 # yum distro-sync
To download the packages necessary for installing an IdM client:
# yum module install idm:DL1/client