Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while you are at it.

How to install NetIQ Identity Manager 4.8 / eDirectory 9.2.2 in RHEL 8 / CentOS 8

Overview

This is a step-by-step checklist for installing eDirectory 9.2.2 and IDM 4.8 on a freshly installed RHEL 8. On CentOS 8 the drill is the same, with some extra installer customization.

Remove firewalld and replace with iptables

I like to do this for better control.

dnf install iptables-services
dnf erase firewalld
systemctl enable iptables
vim /etc/sysconfig/iptables

Add your iptables rules, for example:

-A INPUT -m tcp -m multiport -p TCP --dports 22,80,389,524,636,443,8440 -s <your IDM admin network> -j ACCEPT
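The rule above only restricts access when the INPUT chain's default policy is DROP and loopback plus already-established traffic are accepted ahead of it. The script below is an added example, not part of the wiki page: it renders a complete /etc/sysconfig/iptables around that rule, validates the two inputs, and only installs the file if iptables-restore accepts it. The admin network 10.0.0.0/24 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki): build a complete /etc/sysconfig/iptables
# around the admin-network rule. The ACCEPT rule only limits access if the
# INPUT policy is DROP and loopback / established traffic is allowed first.

# gen_iptables_rules <admin CIDR> <comma-separated TCP ports>
# Prints an iptables-save style ruleset on stdout; returns 1 on bad input.
gen_iptables_rules() {
    admin_net="$1"
    ports="$2"
    # Validate both inputs so a typo does not turn into an open firewall.
    printf '%s\n' "$admin_net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
        echo "bad admin network: $admin_net" >&2; return 1; }
    printf '%s\n' "$ports" | grep -Eq '^[0-9]+(,[0-9]+)*$' || {
        echo "bad port list: $ports" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${ports} -s ${admin_net} -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# install_iptables_rules <admin CIDR> <ports> [target file]
# Writes the ruleset only after "iptables-restore --test" accepts it
# (the test is skipped when iptables-restore is not installed).
install_iptables_rules() {
    target="${3:-/etc/sysconfig/iptables}"
    tmp=$(mktemp) || return 1
    gen_iptables_rules "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -m 0600 "$tmp" "$target" && rm -f "$tmp"
}

# Usage (assumed admin network 10.0.0.0/24, the page's port list):
# install_iptables_rules 10.0.0.0/24 22,80,389,524,636,443,8440 && systemctl restart iptables
```

Anything not matched, including connections from outside the admin network, hits the logging rule and then the DROP policy, so a forgotten port shows up in the journal instead of silently working from everywhere.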

Install required packages

dnf install libgcc*.i686 libnsl* libnsl*.i686 libncurses*
dnf install dnf-utils ksh gettext.x86_64 libXrender.i686 libXau.i686 libxcb.i686 libX11.i686 libXext.i686 libXi.i686 libXtst.i686 glibc-*.i686 libstdc++.x86_64 libgcc-*.i686 unzip bc lsof net-tools createrepo_c libXtst

Set other stuff

Network: add a route for the multicast range (used by SLP service discovery). Replace “ens123” with your interface name.

ip route add 224.0.0.0/4 dev ens123

To make it persistent, add the following to the route file /etc/sysconfig/network-scripts/route-ens123:

ADDRESS0=224.0.0.0
NETMASK0=240.0.0.0

Give the new file the right SELinux context if you decide to try and keep SELinux on:

chcon --reference /etc/sysconfig/network-scripts/ifcfg-ens123 /etc/sysconfig/network-scripts/route-ens123

Set /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
1.2.3.4     myidm1.domain.com
1.2.3.5     myidm2.domain.com
1.2.3.6     myidm3.domain.com

Set SELinux to permissive and reboot. You may be able to make it work with SELinux enforcing, but I did not try it with the latest versions of IDM/eDir. It did work with eDirectory 8.8.

Mount the IDM ISO and check the prerequisites

mount -o loop Identity_Manager_4.8.1_Linux.iso /mnt/
/mnt/RHEL-Prerequisite.sh

Ignore the compat-libstdc++-33 messages; that package is no longer needed.

Install eDirectory

Unpack the latest full-install eDirectory package. The latest version is usually found under patches on dl.netiq.com, but check the release notes to see whether a package is a full installer or a patch only, and locate the latest full installer.

CentOS 8 install notes

Skip this section if you are using RHEL.

CentOS custom RHEL server rpm

CentOS is a rebuild of RHEL that differs only in branding and support. You can use IDM / eDirectory on CentOS 8, but your support options will be limited.

The installer uses a dnf repository whose dependencies look for a specific redhat-release-server package to identify a RHEL system. On CentOS 8 you need to create an empty RPM package that provides redhat-release-server, to indicate that we are dealing with a Red Hat server. Create a file “redhat-release.spec” with the following contents:

Name:           redhat-release-server
Version:        8.1.1911
Release:        1%{?dist}
Summary:        RedHat Release Dummy Package

Group:          Networking/Daemons
License:        No Licence
URL:            http://www.mysite.com

%description
This is an empty dummy package to satisfy a dependency.

%files

%changelog
* Tue Jun 30 2020 Pekka K 
- Initial release

Install rpmbuild, build the package and install it:

dnf install rpm-build
rpmbuild -bb redhat-release.spec
dnf localinstall /root/rpmbuild/RPMS/x86_64/redhat-release-server-8.1.1911-1.el8.x86_64.rpm

CentOS install script customization

Edit the nds-install script: find the line

"Red Hat Enterprise Linux Server") os=rhel;;

and add a copy of it directly below, with the distribution name changed to

"CentOS Linux") os=rhel;;
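The same edit as a script, added here as an example and not taken from the wiki or from NetIQ's installer: it inserts the CentOS case label directly after the RHEL one, keeps the installer's indentation, and does nothing if the label is already present, so it is safe to re-run after unpacking a newer package. The path to nds-install is an argument; the installer fragment used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): apply the CentOS case-label change to
# nds-install idempotently instead of editing it by hand. Both labels are
# the exact lines from the page; only the file path is an argument.

RHEL_LABEL='"Red Hat Enterprise Linux Server") os=rhel;;'
CENTOS_LABEL='"CentOS Linux") os=rhel;;'

# patch_nds_install <path to nds-install>
# Inserts the CentOS entry after the RHEL entry, copying its leading
# whitespace, and keeps the file's mode (nds-install must stay executable).
patch_nds_install() {
    script="$1"
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 1; }
    if grep -Fq "$CENTOS_LABEL" "$script"; then
        return 0                      # already patched, nothing to do
    fi
    grep -Fq "$RHEL_LABEL" "$script" || {
        echo "RHEL case label not found; installer layout may have changed" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    awk -v rhel="$RHEL_LABEL" -v cent="$CENTOS_LABEL" '
        {
            print
            if (index($0, rhel)) {
                match($0, /^[ \t]*/)          # leading whitespace of the RHEL line
                print substr($0, 1, RLENGTH) cent
            }
        }' "$script" > "$tmp" && cat "$tmp" > "$script"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# count_label <path>: number of CentOS entries in the file (expected: 1)
count_label() {
    grep -Fc "$CENTOS_LABEL" "$1"
}

# Usage, from the unpacked eDirectory package directory:
# patch_nds_install ./nds-install && ./nds-install
```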

eDirectory install

If you are using RHEL, continue straight from here without the CentOS customizations above.

Install eDirectory with:

./nds-install

On the first server, configure a new tree (contexts in dot notation):

ndsconfig new -t <treename> -n <ou=servers.ou=path> -a <cn=admin.ou=path>

On the replica servers, add eDirectory to the existing tree:

ndsconfig add -t <treename> -n <ou=servers.ou=path> -a <cn=admin.ou=path> -p <server1 ip address>

Add the eDirectory paths to your working environment in /etc/profile.d/edirectory.sh:

export PATH=/opt/novell/eDirectory/bin:/opt/novell/eDirectory/sbin:$PATH
export MANPATH=/opt/novell/man:/opt/novell/eDirectory/man:$MANPATH
export TEXTDOMAINDIR=/opt/novell/eDirectory/share/locale

Activate the paths:

. /etc/profile.d/edirectory.sh

Set /etc/opt/novell/eDirectory/conf/hosts.nds:

TREENAME.   
idm1	1.2.3.4
idm2	1.2.3.5
idm3	1.2.3.6

Link it into /etc:

ln -s /etc/opt/novell/eDirectory/conf/hosts.nds /etc/
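hosts.nds and /etc/hosts (set earlier in this checklist) have to agree on every server's address, and keeping two hand-written copies in sync is where drift creeps in. The following is an added example, not from the wiki: it derives hosts.nds from /etc/hosts and checks an existing hosts.nds against it. It assumes that the eDirectory server name is the short host name (the page uses idm1 in hosts.nds and myidm1.domain.com in /etc/hosts; adjust by hand if your names differ); the tree name MYTREE, the file paths and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki): derive hosts.nds from /etc/hosts so the
# two files cannot drift apart, and verify an existing hosts.nds against it.
# Assumes the eDirectory server name equals the short host name.

# gen_hosts_nds <tree name> <hosts file>
# Prints the tree line, then "<shortname><TAB><ipv4>" for every non-loopback
# IPv4 entry. Comments, blank lines and IPv6 entries are skipped.
gen_hosts_nds() {
    tree="$1"
    hosts="$2"
    [ -r "$hosts" ] || { echo "cannot read $hosts" >&2; return 1; }
    printf '%s.\n' "$tree"
    awk '
        /^[ \t]*#/ { next }                                 # comment
        NF < 2 { next }                                     # blank / no name
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # IPv6 or junk
        $1 ~ /^127\./ { next }                              # loopback
        {
            name = $2
            sub(/\..*$/, "", name)                          # FQDN -> short name
            printf "%s\t%s\n", name, $1
        }' "$hosts"
}

# check_hosts_nds <hosts.nds> <hosts file>
# Every server in hosts.nds must carry the same address as in the hosts
# file; prints the first mismatch and returns 1 otherwise.
check_hosts_nds() {
    nds="$1"
    hosts="$2"
    awk -v hostsfile="$hosts" '
        BEGIN {
            while ((getline line < hostsfile) > 0) {
                if (line ~ /^[ \t]*#/) continue
                n = split(line, f)
                if (n < 2) continue
                for (i = 2; i <= n; i++) {        # every alias maps to f[1]
                    short = f[i]; sub(/\..*$/, "", short)
                    addr[short] = f[1]
                }
            }
            close(hostsfile)
        }
        /\.$/ { next }                            # tree name line
        NF < 2 { next }
        !($1 in addr) { print "not in hosts file: " $1; bad = 1; exit }
        addr[$1] != $2 { print "address mismatch for " $1 ": " $2 " vs " addr[$1]; bad = 1; exit }
        END { exit bad + 0 }' "$nds"
}

# Usage (tree name MYTREE is an assumption):
# gen_hosts_nds MYTREE /etc/hosts > /etc/opt/novell/eDirectory/conf/hosts.nds
# check_hosts_nds /etc/opt/novell/eDirectory/conf/hosts.nds /etc/hosts
```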

Identity Manager installation

If the Identity Manager image is no longer mounted, mount it again, then install with:

./install.sh

Select the Identity Engine and iManager.

Configure IDM with:

./configure.sh

Select:

  • custom configuration
  • configure identity manager engine
  • set common password
  • add to existing local machine identity vault
  • install new driverset

On the secondary (replica) servers, go to the install image mount directory and execute:

./configure.sh

  • custom configuration
  • configure identity manager engine
  • set common password
  • add to existing local machine identity vault
  • DO NOT install new driverset

Configure iManager

Create a certificate for Apache. You can do better than this, as this is just a self-signed certificate:

openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/pki/tls/private/idm1.domain.key -out /etc/pki/tls/certs/idm1.domain.crt -days 3650

Install Apache with SSL:

dnf install httpd mod_ssl apr-util apr

Create the AJP proxy configuration in /etc/httpd/conf.d/imanager.conf:

ServerName idm1.domain

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
SSLCertificateFile /etc/pki/tls/certs/idm1.domain.crt
SSLCertificateKeyFile /etc/pki/tls/private/idm1.domain.key

ProxyPass /nps ajp://localhost:9009/nps
ProxyPassReverse /nps ajp://localhost:9009/nps

<Location "/nps">
    Options MultiViews FollowSymLinks
    Require all granted
</Location>

<Location "/nps/WEB-INF/">
    Require all denied
</Location>

<Location "/nps/META-INF/">
    Require all denied
</Location>

Fix the certificate paths in /etc/httpd/conf.d/ssl.conf as well.
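Two things go wrong easily in this fragment: an unterminated quote in a Location directive stops httpd from starting, and "SSLProtocol all -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1 enabled. The script below is an added example, not part of the wiki page or of iManager: it generates the fragment for httpd 2.4 (the version RHEL 8 ships) with TLS 1.2/1.3 only and lints a fragment for those mistakes before apachectl sees it. The host name idm1.domain, certificate paths and AJP port 9009 follow the page; the function names and the checks are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): generate the iManager reverse-proxy
# fragment for httpd 2.4 and lint it before dropping it into conf.d.

# gen_imanager_conf <hostname>  -> fragment on stdout
gen_imanager_conf() {
    host="$1"
    cat <<EOF
ServerName ${host}

SSLEngine on
# TLS 1.2 and 1.3 only; "all -SSLv2 -SSLv3" would still allow TLS 1.0/1.1.
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:@STRENGTH
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/${host}.crt
SSLCertificateKeyFile /etc/pki/tls/private/${host}.key

ProxyPass /nps ajp://localhost:9009/nps
ProxyPassReverse /nps ajp://localhost:9009/nps

<Location "/nps">
    Options MultiViews FollowSymLinks
    Require all granted
</Location>

# Tomcat's deployment metadata must never be reachable through the proxy.
<LocationMatch "^/nps/(WEB-INF|META-INF)/">
    Require all denied
</LocationMatch>
EOF
}

# check_imanager_conf <fragment text>  -> 0 when every check passes
check_imanager_conf() {
    conf="$1"
    rc=0
    # 1. A <Location "..."> line whose quote never closes breaks httpd startup.
    if printf '%s\n' "$conf" | grep -Eq '^<Location(Match)? "[^"]*$'; then
        echo "unterminated quote in a Location directive" >&2; rc=1
    fi
    # 2. Legacy protocols: a bare "all" or an explicit +TLSv1 / +TLSv1.1.
    if printf '%s\n' "$conf" | grep -Eq '^SSLProtocol[[:space:]]+(all([[:space:]]|$)|.*\+TLSv1(\.1)?([[:space:]]|$))'; then
        echo "SSLProtocol permits TLS 1.0/1.1" >&2; rc=1
    fi
    # 3. WEB-INF and META-INF must be mentioned and something must be denied.
    for dir in WEB-INF META-INF; do
        printf '%s\n' "$conf" | grep -q "$dir" || { echo "$dir not restricted" >&2; rc=1; }
    done
    printf '%s\n' "$conf" | grep -q 'Require all denied' || {
        echo "no 'Require all denied' block" >&2; rc=1; }
    return $rc
}

# Usage:
# gen_imanager_conf idm1.domain > /etc/httpd/conf.d/imanager.conf
# check_imanager_conf "$(cat /etc/httpd/conf.d/imanager.conf)" && apachectl configtest
```

The lint is deliberately narrow: it catches the quoting and protocol mistakes this page is prone to, and apachectl configtest remains the authority on whether the whole configuration parses.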

Check the config, then enable and start Apache:

systemctl enable httpd
apachectl configtest
systemctl start httpd

Now log in to the tree with iManager and add all servers to the driver set.

Import to Designer

Now import the identity vault and driver set into Designer, add all the servers and start doing actual IDM work :)

Comments

All comments and corrections are welcome.
