Installing Identity Management

Table of contents

Making open source more inclusive
Providing feedback on Red Hat documentation
1. How to use this guide

I. Installing Identity Management

2. Preparing the system for IdM server installation
2.1. Prerequisites
2.2. Hardware recommendations
2.3. Custom configuration requirements for IdM
2.4. FIPS compliance
2.5. Support for cross-forest trust with FIPS mode enabled
2.6. Time service requirements for IdM
2.6.1. How IdM uses chronyd for synchronization
2.6.2. List of NTP configuration options for IdM installation commands
2.6.3. Ensuring IdM can reference your NTP time server
2.6.4. Additional resources
2.7. Host name and DNS requirements for IdM
2.8. Port requirements for IdM
2.9. Opening the ports required by IdM
2.10. Installing packages required for an IdM server
2.11. Setting the correct file mode creation mask for IdM installation
2.12. Ensuring that fapolicyd rules do not block IdM installation and operation
2.13. Options for the IdM installation commands
3. Installing an IdM server: With integrated DNS, with an integrated CA as the root CA
3.1. Interactive installation
3.2. Non-interactive installation
4. Installing an IdM server: With integrated DNS, with an external CA as the root CA
4.1. Interactive installation
4.2. Troubleshooting: External CA installation fails
5. Installing an IdM server: With integrated DNS, without a CA
5.1. Certificates required to install an IdM server without a CA
5.2. Interactive installation
6. Installing an IdM server: Without integrated DNS, with an integrated CA as the root CA
6.1. Interactive installation
6.2. Non-interactive installation
6.3. IdM DNS records for external DNS systems
7. Installing an IdM server: Without integrated DNS, with an external CA as the root CA
7.1. Options used when installing an IdM CA with an external CA as the root CA
7.2. Interactive installation
7.3. Non-interactive installation
7.4. IdM DNS records for external DNS systems
8. Installing an IdM server or replica with custom database settings from an LDIF file
9. Troubleshooting IdM server installation
9.1. Reviewing IdM server installation error logs
9.2. Reviewing IdM CA installation errors
9.3. Removing a partial IdM server installation
9.4. Additional resources
10. Uninstalling an IdM server
11. Renaming an IdM server
12. Updating and downgrading IdM
12.1. Updating IdM packages
12.2. Downgrading IdM packages
12.3. Additional resources
13. Preparing the system for IdM client installation
13.1. Supported versions of RHEL for installing IdM clients
13.2. DNS requirements for IdM clients
13.3. Port requirements for IdM clients
13.4. IPv6 requirements for IdM clients
13.5. Installing IdM client packages from the idm:client stream
13.6. Installing IdM client packages from the idm:DL1 stream
14. Installing an IdM client
14.1. Prerequisites
14.2. Installing a client by using user credentials: Interactive installation
14.3. Installing a client by using a one-time password: Interactive installation
14.4. Installing a client: Non-interactive installation
14.5. Removing pre-IdM configuration after installing a client
14.6. Testing an IdM client
14.7. Connections performed during an IdM client installation
14.8. IdM client's communications with the server during post-installation deployment
14.9. SSSD communication patterns
14.10. Certmonger communication patterns
15. Installing an IdM client with Kickstart
15.1. Installing a client with Kickstart
15.2. Kickstart file for client installation
15.3. Testing an IdM client
16. Troubleshooting IdM client installation
16.1. Reviewing IdM client installation errors
16.2. Resolving issues if the client installation fails to update DNS records
16.3. Resolving issues if the client installation fails to join the IdM Kerberos realm
16.4. Additional resources
17. Re-enrolling an IdM client
17.1. Client re-enrollment in IdM
17.2. Re-enrolling a client by using user credentials: Interactive re-enrollment
17.3. Re-enrolling a client by using the client keytab: Non-interactive re-enrollment
17.4. Testing an IdM client
18. Uninstalling an IdM client
18.1. Uninstalling an IdM client
18.2. Uninstalling an IdM client: additional steps after multiple past installations
19. Renaming IdM client systems
19.1. Preparing an IdM client for its renaming
19.2. Uninstalling an IdM client
19.3. Uninstalling an IdM client: additional steps after multiple past installations
19.4. Renaming the host system
19.5. Re-installing an IdM client
19.6. Re-adding services, re-generating certificates, and re-adding host groups
20. Preparing the system for IdM replica installation
20.1. Replica version requirements
20.2. Methods for displaying IdM software version
20.3. Authorizing the installation of a replica on an IdM client
20.4. Authorizing the installation of a replica on a system that is not enrolled into IdM
21. Installing an IdM replica
21.1. Installing an IdM replica with integrated DNS and a CA
21.2. Installing an IdM replica with integrated DNS and no CA
21.3. Installing an IdM replica without integrated DNS and with a CA
21.4. Installing an IdM replica without integrated DNS and without a CA
21.5. Installing an IdM hidden replica
21.6. Testing an IdM replica
21.7. Connections performed during an IdM replica installation
22. Troubleshooting IdM replica installation
22.1. IdM replica installation error log files
22.2. Reviewing IdM replica installation errors
22.3. IdM CA installation error log files
22.4. Reviewing IdM CA installation errors
22.5. Removing a partial IdM replica installation
22.6. Resolving invalid credential errors
22.7. Additional resources
23. Uninstalling an IdM replica
24. Installing DNS on an existing IdM server
25. Uninstalling the integrated IdM DNS service from an IdM server
26. Adding the IdM CA service to an IdM server in a deployment without a CA
26.1. Installing the first IdM CA as the root CA into an existing IdM domain
26.2. Installing the first IdM CA with an external CA as the root CA into an existing IdM domain
27. Adding the IdM CA service to an IdM server in a deployment with a CA
28. Uninstalling the IdM CA service from an IdM server
29. Managing replication topology
29.1. Explaining replication agreements, topology suffixes and topology segments
29.1.1. Replication agreements between IdM replicas
29.1.2. Topology suffixes
29.1.3. Topology segments
29.2. Using the topology graph to manage replication topology
29.3. Setting up replication between two servers using the Web UI
29.4. Stopping replication between two servers using the Web UI
29.5. Setting up replication between two servers using the CLI
29.6. Stopping replication between two servers using the CLI
29.7. Removing server from topology using the Web UI
29.8. Removing server from topology using the CLI
29.9. Viewing server roles on an IdM server using the Web UI
29.10. Viewing server roles on an IdM server using the CLI
29.11. Promoting a replica to a CA renewal server and CRL publisher server
29.12. Demoting or promoting hidden replicas
30. Installing and running the IdM Healthcheck tool
30.1. Healthcheck in IdM
30.2. Installing IdM Healthcheck
30.3. Running IdM Healthcheck
30.4. Additional resources
31. Installing an Identity Management server using an Ansible playbook
31.1. Ansible and its advantages for installing IdM
31.2. Installing the ansible-freeipa package
31.3. Ansible roles location in the file system
31.4. Setting the parameters for a deployment with an integrated DNS and an integrated CA as the root CA
31.5. Setting the parameters for a deployment with external DNS and an integrated CA as the root CA
31.6. Deploying an IdM server with an integrated CA as the root CA using an Ansible playbook
31.7. Setting the parameters for a deployment with an integrated DNS and an external CA as the root CA
31.8. Setting the parameters for a deployment with external DNS and an external CA as the root CA
31.9. Deploying an IdM server with an external CA as the root CA using an Ansible playbook
31.10. Uninstalling an IdM server using an Ansible playbook
31.11. Using an Ansible playbook to uninstall an IdM server even if this leads to a disconnected topology
31.12. Additional resources
32. Installing an Identity Management replica using an Ansible playbook
32.1. Specifying the base, server and client variables for installing the IdM replica
32.2. Specifying the credentials for installing the IdM replica using an Ansible playbook
32.3. Deploying an IdM replica using an Ansible playbook
32.4. Uninstalling an IdM replica using an Ansible playbook
33. Installing an Identity Management client using an Ansible playbook
33.1. Setting the parameters of the inventory file for the autodiscovery client installation mode
33.2. Setting the parameters of the inventory file when autodiscovery is not possible during client installation
33.3. Checking the parameters in the install-client.yml file
33.4. Authorization options for IdM client enrollment using an Ansible playbook
33.5. Deploying an IdM client using an Ansible playbook
33.6. Testing an Identity Management client after Ansible installation
33.7. Uninstalling an IdM client using an Ansible playbook

II. Integrating IdM and AD

34. Installing trust between IdM and AD
34.1. Supported versions of Windows Server
34.2. How the trust works
34.3. AD administration rights
34.4. Ensuring support for common encryption types in AD and RHEL
34.4.1. Enabling AES encryption in AD (recommended)
34.4.2. Enabling the AES encryption type in Active Directory using a GPO
34.4.3. Enabling RC4 support in RHEL
34.4.4. Additional resources
34.5. Ports required for communication between IdM and AD
34.6. Configuring DNS and realm settings for a trust
34.6.1. Unique primary DNS domains
34.6.2. Configuring a DNS forward zone in the IdM Web UI
34.6.3. Configuring a DNS forward zone in the CLI
34.6.4. Configuring DNS forwarding in AD
34.6.5. Verifying the DNS configuration
34.7. Configuring IdM clients in an Active Directory DNS domain
34.7.1. Configuring an IdM client without Kerberos single sign-on
34.7.2. Requesting SSL certificates without single sign-on
34.7.3. Configuring an IdM client with Kerberos single sign-on
34.7.4. Requesting SSL certificates with single sign-on
34.8. Setting up a trust
34.8.1. Preparing the IdM server for the trust
34.8.2. Setting up a trust agreement using the command line
34.8.3. Setting up a trust agreement in the IdM Web UI
34.8.4. Setting up a trust agreement using Ansible
34.8.5. Verifying the Kerberos configuration
34.8.6. Verifying the trust configuration on IdM
34.8.7. Verifying the trust configuration on AD
34.8.8. Creating a trust agent
34.8.9. Enabling automatic private group mapping for a POSIX ID range on the CLI
34.8.10. Enabling automatic private group mapping for a POSIX ID range in the IdM WebUI
34.9. Troubleshooting setting up a cross-forest trust
34.9.1. Sequence of events when establishing a cross-forest trust with AD
34.9.2. Checklist of prerequisites for establishing an AD trust
34.9.3. Gathering debug logs of an attempt to establish an AD trust
34.10. Troubleshooting client access to services in the other forest
34.10.1. Flow of information when a host in the AD forest root domain requests services from an IdM server
34.10.2. Flow of information when a host in an AD child domain requests services from an IdM server
34.10.3. Flow of information when an IdM client requests services from an AD server
34.11. Removing the trust using the command line
34.12. Removing the trust using the IdM Web UI
34.13. Removing the trust using Ansible
34.14. Removing an ID range after removing a trust to AD

Legal Notice

A Red Hat training course is available for RHEL 8.

Part I. Installing Identity Management