How to Install FreeIPA Server on Fedora 29/Fedora 28/CentOS 7

|
Last Updated:
|
|

Hello there. Today we are going to learn how to install and configure FreeIPA server on Fedora 29, Fedora 28, CentOS 7 or any other RHEL derivative.

FreeIPA is an opensource integrated Identity and authentication management solution for Linux/UNIX environments. It provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other relevant information necessary for managing the security aspects of a network of computers.

It is build atop a number of opensource solutions such as 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). FreeIPA can be managed via web interface or command line.

Prerequisites

To ensure a smooth FreeIPA installation, ensure that the following prerequisites are met.

  • Set static IP address on your server.
ip add show enp0s8
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:df:3b:07 brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.80/24 brd 192.168.43.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::3ea8:bb8c:b4c0:3931/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  • Set a fully qualified hostname
hostnamectl set-hostname freeipa.kifarunix.com
  • Your hostname must be resolvable. If you dont have DNS server, you can use /etc/hosts file.
echo "192.168.43.80 freeipa.kifarunix.com freeipa" >> /etc/hosts
# ping freeipa -c 2
PING freeipa.kifarunix.com (192.168.43.80) 56(84) bytes of data.
64 bytes from freeipa.kifarunix.com (192.168.43.80): icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from freeipa.kifarunix.com (192.168.43.80): icmp_seq=2 ttl=64 time=0.081 ms

--- freeipa.kifarunix.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 33ms
rtt min/avg/max/mdev = 0.043/0.062/0.081/0.019 ms
  • Ensure that your package repository is up to date
yum update

Install FreeIPA

Once the above requirements are met, install FreeIPA packages as shown below;

yum -y install freeipa-server

In this guide, we are going to set up basic FreeIPA server without integrated DNS. If you would like to include DNS integration, install these additional packages;

yum install -y bind-dyndb-ldap freeipa-server-dns

Once the installation is done, run the command below to launch basic FreeIPA setup.

ipa-server-install

To perform FreeIPA setup with DNS integration, run the command below;

ipa-server-install --setup-dns

In this guide, we are going to perform FreeIPA basic setup without DNS integration.

When you launched the installation setup command, the first thing you are prompted to do is choose whether to setup integrated DNS. In this guide, we are not configuring DNS integration.

ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
Version 4.7.0

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntpd' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: no

Next, you are required to setup the server hostname as well as the Kerberos realm. Kerberos realm is an authentication protocol for FreeIPA. You can press ENTER to accept the defaults.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [freeipa.kifarunix.com]: freeipa.kifarunix.com

The domain name has been determined based on the host name.

Please confirm the domain name [kifarunix.com]: ENTER

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [KIFARUNIX.COM]: ENTER

Next, set the Directory manager (LDAP) password

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: password
Password (confirm): password

Set the IPA administrator password

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: password2
Password (confirm): password2

Next, you are prompted on whether to configure the IPA server with the above configuration options.

The IPA Master Server will be configured with:
Hostname:       freeipa.kifarunix.com
IP address(es): 192.168.43.80
Domain name:    kifarunix.com
Realm name:     KIFARUNIX.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=KIFARUNIX.COM
Subject base: O=KIFARUNIX.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The configuration will take quite some minutes to complete depending on the swiftness of your server. If all is well, you should see such an output.

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Next, you need to open the FreeIPA services ports through the firewall.

for i in 80 443 389 636 88 464; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload

Now that the installation is done, you need to authenticate to FreeIPA server. During installation two users were created, the Directory manager and the admin manager. To authenticate to FreeIPA manager as an admin, you need to generate the Kerberos ticket by running the command below;

# kinit admin
Password for [email protected]: Enter admin password set above

Once you authenticate, you can try to find the information about admin user by running the command ipa user-find admin.

# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 86400000
  GID: 86400000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment