In this guide, we’ll look at how to Install FreeIPA Server on CentOS 7 / RHEL 7. Once you have FreeIPA running, your problems of having to manually manage user accounts/authentication on Linux Systems will come to an end. Initially, I used vanilla OpenLDAP server for identity management, it is real pain in the neck to administer.
For those new to FreeIPA, it is an Identity management system which aims to provide an easily managed Identity, Policy, and Audit for users.
FreeIPA is an Open Source project sponsored by Red Hat. It is upstream for the commercial Red Hat Identity Manager. On the client side, there is a client application used to configure target systems.
For other servers, have a look at:
FreeIPA installation Minimum requirements
- Server with 4gb ram – I got failed installations for 1GB and 2GB RAM
- 2 vCPUs
- Port 443 and 80 not used by another application
- FQDN – Resolvable over public or private DNS server
- 10 GB Disk space
Install FreeIPA Server on CentOS 7 / RHEL 7
There are a few settings that we need to satisfy before installing FreeIPA on our CentOS server.
Step 1: Update system
I’m going to add the epel repository and update all packages installed on the system.
sudo yum -y install epel-release
sudo yum -y update
sudo yum install bind-utils vimOnce the system is updated, proceed to install FreeIPA server packages.
Step 2: Install FreeIPA Server packages
The packages you install depends on which services you need IPA to provide. If you don’t need DNS service, just install ipa-server package:
sudo yum -y install ipa-serverIf you want to include DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:
sudo yum -y install ipa-server-dns bindipa-server bind-dyndb-ldap
Step 3: Setup IPA Server
Configuring FreeIPA server is a straightforward process, you only need to answer few questions and everything will be configured. If you don’t have DNS server to resolve server hostname, modify /etc/hosts file to include hostname and IP address.
$ sudo vim /etc/hosts
172.16.11.20 ipa.neveropen.techConfigure server hostname to match above name:
sudo hostnamectl set-hostname ipa.neveropen.techThen run ipa-server-install command to configure IPA server. You need to execute this as root user:
sudo ipa-server-installIf you want to configure DNS service as well, include –setup-dns option:
sudo ipa-server-install --setup-dnsYou will be prompted to provide answers to a number of questions:
$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]:
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.geeksforgeeks.org]:
The domain name has been determined based on the host name.
Please confirm the domain name [geeksforgeeks.org]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [COMPUTINGFORGEEKS.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
The IPA Master Server will be configured with:
Hostname: ipa.geeksforgeeks.org
IP address(es): 192.168.x.x
Domain name: geeksforgeeks.org
Realm name: COMPUTINGFORGEEKS.COM
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
.....
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
...
Do you want to configure integrated DNS (BIND)? [no]: no –> Answer yes if you want to enable DNS service (bind)
Server hostname [ipa.geeksforgeeks.org]: <Enter to confirm>
Step 4: Configure Firewalld for FreeIPA
If you have firewall service running, you need to Open some ports required by FreeIPA services. The ports to open are:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
Use the following commands to configure firewalld:
sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reloadStep 5: Access FreeIPA Web interface
Having opened firewall ports and configured FreeIPA server, you can access its admin web interface for administering. All IPA tasks can be done on the web interface or using the ipa command line tool. Access admin dashboard using https://ipa.geeksforgeeks.org/. Replace ipa.computinforgeeks.com with your hostname.
After logging in. you should see an interface like below:
To use ipa command, you need to first get a Kerberos ticket.
$ kinit admin
Password for [email protected]:Check ticket expiry information using klist.
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]
Valid starting Expires Service principal
06/01/2018 20:14:49 06/02/2018 20:14:44 krbtgt/[email protected]Test by listing adding a user account and listing accounts present:
$ sudo ipa user-add jmutai \
--first=Josphat --last=Mutai \
--em[email protected] \
--shell=/bin/bash --password
Password:
Enter Password again to verify:
-------------------
Added user "jmutai"
-------------------
User login: jmutai
First name: Josphat
Last name: Mutai
Full name: Josphat Mutai
Display name: Josphat Mutai
Initials: JM
Home directory: /home/jmutai
GECOS: Josphat Mutai
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 839400001
GID: 839400001
Password: True
Member of groups: ipausers
Kerberos keys available: TrueGet User Accounts:
# ipa user-find
---------------
2 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: [email protected]
UID: 839400000
GID: 839400000
Account disabled: False
User login: jmutai
First name: Josphat
Last name: Mutai
Home directory: /home/jmutai
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 839400001
GID: 839400001
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------On your first log in using LDAP account, you’ll be asked to change your password:
$ ssh jmutai@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.
ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
Could not chdir to home directory /home/jmutai: No such file or directoryStep 6: Secure FreeIPA Server With Let’s Encrypt
After installation we recommend using secure SSL on your FreeIPA Server. If running on a public instance follow our guide in the next link:
After setting up FreeIPA Server, you would probably want to configure FreeIPA client, for this refer to the following guides:
Also read: How to Reset FreeIPA admin Password as root user
LDAP Usage examples:
