Last updated on December 8th, 2018 at 09:50 am
Hello there. Today we are going to learn how to install and configure FreeIPA server on Fedora 29, Fedora 28, CentOS 7 or any other RHEL derivative.
FreeIPA is an open source integrated identity and authentication management solution for Linux/UNIX environments. It provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects needed to manage the security aspects of a network of computers.
It is built on top of a number of open source components such as 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). FreeIPA can be managed via a web interface or the command line.
Prerequisites
For a smooth FreeIPA installation, make sure that the following prerequisites are met.
- Set static IP address on your server.
ip add show enp0s8
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:df:3b:07 brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.80/24 brd 192.168.43.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::3ea8:bb8c:b4c0:3931/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
- Set a fully qualified hostname
hostnamectl set-hostname freeipa.kifarunix.com
- Your hostname must be resolvable. If you don't have a DNS server, you can use the /etc/hosts file.
echo "192.168.43.80 freeipa.kifarunix.com freeipa" >> /etc/hosts
# ping freeipa -c 2
PING freeipa.kifarunix.com (192.168.43.80) 56(84) bytes of data.
64 bytes from freeipa.kifarunix.com (192.168.43.80): icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from freeipa.kifarunix.com (192.168.43.80): icmp_seq=2 ttl=64 time=0.081 ms

--- freeipa.kifarunix.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 33ms
rtt min/avg/max/mdev = 0.043/0.062/0.081/0.019 ms
- Ensure that your package repository is up to date
yum update
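The hostname prerequisites above can be checked before running the installer. The script below is an added example, not part of the original guide; its function names are hypothetical, and accepting only lower-case names is this example's own conservative choice. It checks that the name is fully qualified and that the resolver returns it as the first name on a non-loopback address.

```bash
#!/bin/sh
# Added example: pre-flight checks for the hostname prerequisites.
# Function names are hypothetical. Run as: sh preflight.sh freeipa.kifarunix.com

# is_fqdn NAME: succeeds for a lower-case name of two or more DNS labels
# (letters, digits, hyphens). Lower-case only is this example's choice.
is_fqdn() (
    LC_ALL=C
    name=$1
    case $name in
        .*|*.|*..*) exit 1 ;;          # empty label or trailing dot
        *.*) ;;                        # at least one dot: keep checking
        *) exit 1 ;;                   # bare short name
    esac
    [ "${#name}" -le 253 ] || exit 1
    IFS=.; set -f; set -- $name        # split into labels, no globbing
    for label in "$@"; do
        [ "${#label}" -le 63 ] || exit 1
        case $label in -*|*-|*[!a-z0-9-]*) exit 1 ;; esac
    done
    exit 0
)

# hosts_entry_status FQDN: reads hosts-format lines ("addr name alias...")
# on stdin, e.g. /etc/hosts or the output of `getent hosts FQDN`.
# 0 = FQDN is the first name on a non-loopback address, 1 = no entry,
# 2 = FQDN maps to loopback, 3 = FQDN appears only as an alias.
hosts_entry_status() (
    fqdn=$1 status=1
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}             # drop comment, split on whitespace
        [ "$#" -ge 2 ] || continue
        addr=$1 first=$2; shift
        for n in "$@"; do
            [ "$n" = "$fqdn" ] || continue
            case $addr in 127.*|::1) exit 2 ;; esac
            [ "$first" = "$fqdn" ] || exit 3
            status=0
        done
    done
    exit "$status"
)

# Stand-alone use: check what the resolver (hosts file or DNS) returns.
if [ "$#" -ge 1 ]; then
    is_fqdn "$1" || { echo "not a lower-case FQDN: $1" >&2; exit 1; }
    getent hosts "$1" | hosts_entry_status "$1"
    echo "resolver check for $1: status $?"
fi
```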
Install FreeIPA
Once the above requirements are met, install the FreeIPA packages as shown below:
yum -y install freeipa-server
In this guide, we are going to set up a basic FreeIPA server without integrated DNS. If you would like to include DNS integration, install these additional packages:
yum install -y bind-dyndb-ldap freeipa-server-dns
Once the installation is done, run the command below to launch basic FreeIPA setup.
ipa-server-install
To perform the FreeIPA setup with DNS integration, run the command below instead:
ipa-server-install --setup-dns
When you launch the setup command, the first prompt asks whether to set up integrated DNS. Since this guide performs the basic setup without DNS integration, answer no.
ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
Version 4.7.0

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntpd' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: no
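Next, you are required to set the server hostname, the domain name and the Kerberos realm. Kerberos is the authentication protocol FreeIPA uses, and the realm is the name of its administrative domain, typically the domain name in uppercase. You can press ENTER to accept the defaults.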
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [freeipa.kifarunix.com]: freeipa.kifarunix.com

The domain name has been determined based on the host name.

Please confirm the domain name [kifarunix.com]: ENTER

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [KIFARUNIX.COM]: ENTER
Next, set the Directory Manager (LDAP) password.
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: password
Password (confirm): password
Set the IPA administrator password.
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: password2
Password (confirm): password2
Next, you are asked whether to configure the IPA server with the options chosen above.
The IPA Master Server will be configured with:
Hostname:       freeipa.kifarunix.com
IP address(es): 192.168.43.80
Domain name:    kifarunix.com
Realm name:     KIFARUNIX.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=KIFARUNIX.COM
Subject base: O=KIFARUNIX.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes
The configuration takes several minutes to complete, depending on the speed of your server. If all is well, you should see output like this.
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Next, you need to open the FreeIPA service ports in the firewall.
for i in 80 443 389 636 88 464; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123; do firewall-cmd --add-port=$i/udp --permanent; done
firewall-cmd --reload
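Rules added with --permanent only reach the running firewall after the reload, so it is worth confirming both views. The script below is an added example, not part of the original guide; the function names and the --live switch are hypothetical, and the required list mirrors the "Next steps" output of the installer.

```bash
#!/bin/sh
# Added example: confirm the ports named by the installer are open.
# REQUIRED mirrors the "Next steps" list printed by ipa-server-install.
REQUIRED="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# port_open SPEC LIST: succeeds if SPEC (e.g. 88/udp) is covered by an
# entry in LIST, which uses firewalld's "port/proto" or "lo-hi/proto" form.
port_open() (
    port=${1%/*} proto=${1#*/}
    set -f
    for entry in $2; do
        [ "${entry#*/}" = "$proto" ] || continue
        range=${entry%/*}
        lo=${range%-*} hi=${range#*-}      # a single port gives lo = hi
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            exit 0
        fi
    done
    exit 1
)

# missing_ports LIST: prints every REQUIRED port not covered by LIST,
# separated by spaces (an empty line means nothing is missing).
missing_ports() (
    out=
    for spec in $REQUIRED; do
        port_open "$spec" "$1" || out="$out${out:+ }$spec"
    done
    printf '%s\n' "$out"
)

# Stand-alone use (as root): compare the runtime and permanent rule sets.
if [ "${1:-}" = "--live" ]; then
    echo "missing at runtime:   $(missing_ports "$(firewall-cmd --list-ports)")"
    echo "missing in permanent: $(missing_ports "$(firewall-cmd --permanent --list-ports)")"
fi
```

Ports opened through a firewalld service rather than --add-port do not appear in --list-ports, so this check only covers rules added the way this guide adds them.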
Now that the installation is done, you need to authenticate to the FreeIPA server. During installation two users were created, the Directory Manager and the IPA administrator (admin). To authenticate to FreeIPA as admin, obtain a Kerberos ticket by running the command below:
# kinit admin
Password for admin@KIFARUNIX.COM: Enter admin password set above
Once you authenticate, you can look up information about the admin user by running the command ipa user-find admin.
# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@KIFARUNIX.COM
  UID: 86400000
  GID: 86400000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------