Datos sociodemográficos sobre violencia filio parental.

Integration Scenario 3 allows administrators to centrally manage all IdM user account UID's within IdM.

Integration Scenario 3

Centralized Management of user ID's (UID)

Components • OpenShift Enterprise 2.1

• Identity Management in Red Hat Enterprise Linux 7

Description • Create new groups, user accounts - all are centrally managed within IdM

Target User • Administrators

Use Case • Centralized management of user accounts with a Linux domain Configuration Files • n/a OpenShift Services • n/a IdM Services • LDAP • Kerberos Notes

• Kerberos must be previously configured on IdM hosts and clients

• Steps are similar to those used during the deployment of the first IdM Server

Integration Tasks - Summary

The following sequence of steps are required to configure integration scenario 3: 1. Obtain Kerberos ticket (idm-srv1)

2. Create IdM group (idm-srv1) 3. Create IdM user (idm-srv1)

4. View IdM group and user (idm-srv1) 5. Verify IdM group and user (admin1)

Integration Tasks – Detail

Unless otherwise indicated, all steps can be performed from either idm-srv1, idm-srv2 or admin1. For convenience, idm-srv1 is shown here.

1. Obtain Kerberos ticket.

# hostname

idm-srv1.interop.example.com # kinit admin

Password for [email protected]: # klist

Ticket cache: KEYRING:persistent:0:0

Default principal: [email protected]

Valid starting Expires Service principal

07/28/2014 11:54:37 07/29/2014 11:54:32 krbtgt/INTEROP.EXAMPLE.COM@ INTEROP.EXAMPLE.COM

2. Create an IdM group named ose-operators.

# ipa group-add ose-operators --desc="OpenShift Operators" --gid=889000004

--- Added group "ose-operators" --- Group name: ose-operators

Description: OpenShift Operators GID: 889000004

3. Create an IdM a user named ose-oper1 and add it to the ose-operators group.

# ipa user-add ose-oper1 --first="OSE" --last="Oper 1"

--displayname="OpenShift Operator 1" --homedir="/home/ose-oper1" --shell="/bin/bash" --uid=889000004 --gidnumber=889000004 --password

Password: ********

Enter Password again to verify: ********

--- Added user "ose-oper1" --- User login: ose-oper1 First name: OSE

Last name: Oper 1 Full name: OSE Oper 1

Display name: OpenShift Operator 1 Initials: OO

Home directory: /home/ose-oper1 GECOS: OSE Oper 1

Login shell: /bin/bash

Kerberos principal: [email protected] Email address: [email protected]

UID: 889000004 GID: 889000004 Password: True

Member of groups: ipausers Kerberos keys available: True

Note: By default OpenShift node hosts use UID's in the range 1000-6999 for gears. For most environments this should not present an issue as the default ranges used by IdM are well outside this range. The default ranges can be set during server installation, using the --idstart and -- idmax options.

If no range is set when the first IdM server is installed, a range off 200,000 IDs is randomly selected. There are 10,000 possible ranges. Selecting a random range from that number provides a high probability of non-conflicting IDs if two separate IdM domains are ever merged in the future.

For more information, consult the Managing Unique UID and GID Number Assignments chapter of the Red Hat Enterprise Linux 7 - Linux Domain, Identity, Authentication and Policy Guide on the Red Hat customer portal.

4. View the new IdM group and user.

# ipa group-show ose-operators

Group name: ose-operators

Description: OpenShift Operators GID: 889000004

# ipa user-show ose-oper1

User login: ose-oper1 First name: OSE

Last name: Oper 1

Home directory: /home/ose-oper1 Login shell: /bin/bash

Email address: [email protected] UID: 889000004

GID: 889000004

Account disabled: False Password: True

Member of groups: ipausers Kerberos keys available: True

5. Verify the new IdM group and user.

$ hostname

admin1.interop.example.com # id ose-oper1

# su - ose-oper1

Creating home directory for ose-oper1. $ id ose-oper1

uid=889000004(ose-oper1) gid=889000004(ose-operators) groups=889000004(ose- operators) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

6. Additional Verification and Troubleshooting Tips (All hosts). a) If either ssh or su complain about the home directory:

su: warning: cannot change directory to /home/ose-oper1: No such file or directory

then make sure that oddjob-mkhomedir has been installed and the oddjob service is running and enabled (on boot) for the target host:

Red Hat Enterprise Linux 6

# yum install oddjob-mkhomedir

# service oddjobd restart

Shutting down oddjobd: [FAILED] Starting oddjobd: [ OK ] # chkconfig oddjobd on

# chkconfig oddjobd --list

# oddjobd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Red Hat Enterprise Linux 7

# yum install oddjob-mkhomedir

# systemctl restart oddjobd

# systemctl enable oddjobd

# systemctl status oddjobd

oddjobd.service - privileged operations for unprivileged applications Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; enabled) Active: active (running) since Mon 2014-07-28 12:36:52 EDT; 26s ago Main PID: 23329 (oddjobd)

CGroup: /system.slice/oddjobd.service

└─23329 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300

b) If the initial ipa-client-install was not done with --enablemkhomedir then it can be enabled later using:

# authconfig --enablemkhomedir --update

Stopping sssd: [ OK ] Starting oddjobd: [ OK ]

and then restarting SSSD: Red Hat Enterprise Linux 6

# service sssd restart

Shutting down oddjobd: [ OK ] Starting oddjobd: [ OK ]

Red Hat Enterprise Linux 7

# systemctl restart sssd

c) If either ssh or su complain about the group:

# su - ose-oper1

id: cannot find name for group ID 889000001

then make sure the SSSD service is running and enabled to start on boot: Red Hat Enterprise Linux 6

# service sssd restart

Stopping sssd: [FAILED] Starting sssd: [ OK ] # chkconfig --list sssd

sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Red Hat Enterprise Linux 7

# systemctl restart sssd

# systemctl status sssd

sssd.service - System Security Services Daemon

Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) Active: active (running) since Wed 2014-07-30 13:22:11 EDT; 15s ago Process: 17920 ExecStart=/usr/sbin/sssd -D -f (code=exited,

status=0/SUCCESS)

Main PID: 17921 (sssd) # systemctl enable sssd

ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi- user.target.wants/sssd.service'