In this article we discuss in detail the installation and configuration of FreeIPA Server on a Rocky Linux 9 / AlmaLinux 9 system. FreeIPA is a popular and widely used identity management solution for managing user authentication, creating and enforcing policies, identity stores, and authorization policies in a Linux domain. FreeIPA aims to eliminate the overhead for Linux administrators working in medium to large scale Linux powered infrastructures.
Some of the advanced features of FreeIPA are:
- Support for large groups of Linux machines
- Has native integration with Windows Active Directory
- Advanced features of Linux operating system environments
- Full multi master replication for higher redundancy and scalability
- Provision of extensible management interfaces (Web UI, CLI, XMLRPC and JSONRPC API) and Python SDK
Key Benefits of using FreeIPA
- Central Authentication Management – Centralized management of users, machines, and services within large Linux/Unix enterprise environments.
- Fine-grained Access Control: Provides a clear method of defining access control policies to govern user identities and delegation of administrative tasks.
- One Time Password (OTP): Provides a popular method for achieving two-factor authentication (2FA).
- Direct Connect to Active Directory: You can retrieve information from Active Directory (AD) and join a domain or realm in a standard way.
- Active Directory Cross-Realm Trust: As System Administrator, you can establish cross-forest Kerberos trusts with Microsoft Active Directory. This allows external Active Directory (AD) users convenient access to resources in the Identity Management domain.
- Integrated Public Key Infrastructure (PKI) Service: This provides PKI services that sign and publish certificates for hosts and services, Certificate Revocation List (CRL) and OCSP services for software validating the published certificate, and an API to request, show, and find certificates.
Install FreeIPA Server on Rocky Linux 9 / AlmaLinux 9
Perform this installation on a freshly installed Rocky Linux 9 / AlmaLinux 9 system, since the ports used by IPA services could conflict with other services already running on the host.
Step 1: Update system, set hostname, timezone
Update your Rocky Linux / AlmaLinux 8 server:
sudo yum -y update
sudo reboot
Once rebooted, set correct system hostname.
sudo hostnamectl set-hostname ipa.example.com
The host name must be a fully qualified domain name, such as ipa.example.com. Once set also configure system timezone to match your region:
sudo timedatectl set-timezone Africa/Nairobi
Confirm your timezone settings:
$ timedatectl
Local time: Wed 2022-07-27 21:44:27 EAT
Universal time: Wed 2022-07-27 18:44:27 UTC
RTC time: Wed 2022-07-27 18:44:27
Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Step 2: Check FreeIPA server installation prerequisites
Key FreeIPA server components are:
- MIT Kerberos KDC – Provides the single sign-on authentication solution
- 389 Directory Server – Main data store; provides a full multi-master LDAPv3 directory infrastructure.
- ISC Bind DNS server – Bind is the default domain name resolution service in FreeIPA.
- Dogtag Certificate System – This component provides the CA and RA used for certificate management functions.
- NTP Server – For time synchronization across the fleet of nodes joined to the domain
- Web UI / CLI Interface – Used to centrally manage access control, the delegation of administrative tasks and other network administration tasks.
Minimum hardware requirements when installing FreeIPA Server on Rocky Linux 9 / AlmaLinux 9:
- 4GB RAM
- 2 vCPUs
- FQDN – It must be resolvable from DNS server configured in the system
- Minimum of 10 GB Disk space availability
Use commands shared below to check CPU, Memory and disk space on your Rocky Linux 9 / AlmaLinux 9 instance.
# CPU Cores
$ grep -c ^processor /proc/cpuinfo
4
# Memory check
$ free -h
# Disk space
$ lsblk -fp
Add the FreeIPA Server IP address and its DNS name inside the /etc/hosts file:
$ sudo vi /etc/hosts
172.20.30.252 ipa.example.com
Validate your IP settings:
$ hostname --ip-address
172.20.30.252
Verify the reverse DNS configuration (PTR records) is set correctly in your DNS Server using dig command:
$ dig +short -x <ServerIPAddress>
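The checks in Step 2 can be scripted so they are run the same way on every host before the installer. This is an added example, not from the original article; it assumes GNU coreutils, dig from bind-utils, and that hostname --ip-address returns the single address from /etc/hosts, and it reuses the article's 172.20.30.252 example to derive the --reverse-zone value used later.

```shell
#!/bin/sh
# Pre-flight checks for a FreeIPA server host (added example, not part of the
# original article). Thresholds follow Step 2: 4 GB RAM, 2 vCPUs, 10 GB disk.

# FreeIPA requires a fully qualified, lower-case host name: at least two
# dot-separated labels of letters, digits and hyphens, without a trailing dot.
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Reverse zone for the host's /24, the value ipa-server-install --reverse-zone
# expects (172.20.30.252 -> 30.20.172.in-addr.arpa.).
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# Arguments: RAM in GB (rounded), CPU count, free GB on /.
meets_minimum() {
    [ "$1" -ge 4 ] && [ "$2" -ge 2 ] && [ "$3" -ge 10 ]
}

# Live checks against this host; prints each failure and returns non-zero if any.
preflight() {
    host=$(hostname -f)
    ip=$(hostname --ip-address | awk '{ print $1 }')
    # free -m reports a little less than the nominal RAM size, so round to the nearest GB.
    mem_gb=$(free -m | awk '/^Mem:/ { printf "%d", ($2 + 512) / 1024 }')
    cpus=$(nproc)
    disk_gb=$(df -BG --output=avail / | awk 'NR == 2 { sub("G", "", $1); print $1 }')
    rc=0
    is_fqdn "$host" || { echo "FAIL: host name '$host' is not an FQDN"; rc=1; }
    meets_minimum "$mem_gb" "$cpus" "$disk_gb" \
        || { echo "FAIL: ${mem_gb} GB RAM / $cpus vCPU / ${disk_gb} GB free (need 4 / 2 / 10)"; rc=1; }
    # Forward (A) and reverse (PTR) records must both agree with this host.
    [ "$(dig +short "$host" A)" = "$ip" ] || { echo "FAIL: A record for $host is not $ip"; rc=1; }
    [ "$(dig +short -x "$ip")" = "$host." ] || { echo "FAIL: PTR for $ip is not $host"; rc=1; }
    echo "reverse zone for --reverse-zone: $(reverse_zone "$ip")"
    return $rc
}

# Run the live checks only when asked for, so the functions can also be sourced.
if [ "${IPA_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

Run it as IPA_PREFLIGHT=1 sh preflight.sh on the prepared host; a non-zero exit means one of the Step 2 conditions is not met.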
Step 3: Install and Configure FreeIPA server
Next we install the FreeIPA packages on the Rocky Linux 9 / AlmaLinux 9 server. No extra RPM repository is required; all packages and dependencies are available in the default OS repositories.
Install all FreeIPA server and client packages with the following commands:
sudo dnf -y install freeipa-server freeipa-server-dns freeipa-client
Run FreeIPA server installer
FreeIPA server configuration is done using the ipa-server-install command line tool. The installer writes a log file to /var/log/ipaserver-install.log:
sudo ipa-server-install
The script prompts for several required settings and offers recommended default values in brackets.
- To accept a default value, press Enter.
- To provide a custom value, enter the required value.
Non-interactive installation of IdM without DNS:
sudo ipa-server-install --realm EXAMPLE.COM \
--ds-password DM_password \
--admin-password admin_password \
--unattended
# OR
sudo ipa-server-install \
--domain example.com \
--realm EXAMPLE.COM \
--ds-password DM_password \
--admin-password admin_password
The minimum required options for a non-interactive installation are:
- --realm: the Kerberos realm name
- --ds-password: the password for the Directory Manager (DM), the Directory Server super user
- --admin-password: the password for admin, the IdM administrator
- --unattended: lets the installation process select default options for the host name and domain name
Note that passwords given on the command line are recorded in the shell history and are visible in the process list while the installer runs; the interactive installer prompts for them instead.
Non-interactive installation for IdM with integrated DNS:
sudo ipa-server-install --domain example.com --realm EXAMPLE.COM \
--reverse-zone=30.20.172.in-addr.arpa. \
--no-forwarders \
--no-ntp \
--setup-dns \
--ds-password StrongDMPassw0rd \
--admin-password StrongDMPassw0rd \
--unattended
Interactive installation of FreeIPA server
See below for complete prompts you’ll get during installation and expected responses:
$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.example.com]: ipa.example.com
The domain name has been determined based on the host name.
Please confirm the domain name [example.com]: example.com
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.COM]: EXAMPLE.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: <Directory-Manager-Password>
Password (confirm): <Confirm-Directory-Manager-Password>
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org,1.de.pool.ntp.org
Enter a NTP source pool address, or press Enter to skip:
The IPA Master Server will be configured with:
Hostname: ipa.example.com
IP address(es): 172.20.30.252
Domain name: example.com
Realm name: EXAMPLE.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining: self-signed
NTP server: 0.de.pool.ntp.org
NTP server: 1.de.pool.ntp.org
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Warning: IPA was unable to sync time with chrony!
Time synchronization is required for IPA to work correctly
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: tune ldbm plugin
.....
If your FreeIPA server installation on Rocky Linux 9 / AlmaLinux 9 was successful, expect output similar to this:
......
Sudoers I/O plugin version 1.8.29
Client hostname: ipa.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.hh7e7u2h.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Open FreeIPA service ports on the firewall
The FreeIPA service ports are those listed under "Next steps" in the installer output above.
Let’s open the ports on the firewall using firewall-cmd:
sudo firewall-cmd --add-service={dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
Then reload firewalld configuration for the change to take effect immediately:
sudo firewall-cmd --reload
List allowed services on the firewall:
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens18
sources:
services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ntp ssh
....
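Once the firewall is configured, the host's exposure can be compared against the lists above. This is an added example, not from the original article; it assumes firewalld and iproute2's ss are present and that the audit runs as root.

```shell
#!/bin/sh
# Exposure check after installation (added example, not part of the original
# article): compares firewalld's allowed services and the ports actually bound
# against the installer's "Next steps" list and the firewall-cmd line above.

IPA_SERVICES="dns ntp freeipa-ldap freeipa-ldaps"
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464 123"

# Print the space-separated items of $1 that are absent from $2.
missing_items() {
    missing=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) missing="$missing $item" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Local port numbers from `ss -Hltn` / `ss -Hlun` output passed in $1 (column 4
# is "addr:port", including "[::]:636" and "*:443" forms), sorted, space-separated.
listening_ports() {
    printf '%s\n' "$1" | awk 'NF >= 4 { n = split($4, a, ":"); print a[n] }' | sort -un | paste -sd ' '
}

# Live audit of this host; requires root for firewall-cmd and ss.
audit() {
    rc=0
    allowed=$(firewall-cmd --list-services)
    m=$(missing_items "$IPA_SERVICES" "$allowed")
    [ -z "$m" ] || { echo "firewalld is missing services: $m"; rc=1; }
    m=$(missing_items "$IPA_TCP_PORTS" "$(listening_ports "$(ss -Hltn)")")
    [ -z "$m" ] || { echo "no listener on TCP ports: $m"; rc=1; }
    m=$(missing_items "$IPA_UDP_PORTS" "$(listening_ports "$(ss -Hlun)")")
    [ -z "$m" ] || { echo "no socket on UDP ports: $m"; rc=1; }
    # Anything allowed beyond the IPA set and ssh widens the attack surface; review it.
    extra=$(missing_items "$allowed" "$IPA_SERVICES ssh")
    [ -z "$extra" ] || echo "note: additionally allowed services: $extra"
    return $rc
}

if [ "${IPA_AUDIT:-0}" = 1 ]; then audit; fi
```

Against the --list-all output shown above it reports cockpit and dhcpv6-client as additionally allowed services, which is the kind of extra exposure worth deciding on deliberately.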
Step 4: Access FreeIPA Management Dashboard
After installation, the FreeIPA web-based administration console can be accessed over HTTPS using the server hostname:
https://ipa.example.com
Ignore the SSL warning by clicking "Advanced" > "Proceed to ipa.example.com (unsafe)".
Login with admin username and password set during installation.
Upon successful login you’re presented with the FreeIPA management dashboard.
Step 5: Secure FreeIPA With Let’s Encrypt SSL
After installation we recommend using secure SSL on your FreeIPA Server. If running on a public instance follow our guide in the next link:
Step 6: Manage FreeIPA using CLI Interface
The ipa command can be used to perform all FreeIPA server operations. But first, obtain a Kerberos ticket for the admin user:
$ kinit admin
Password for [email protected]:
The validity period of the assigned ticket can be checked using klist:
$ klist
Ticket cache: KCM:0
Default principal: [email protected]
Valid starting Expires Service principal
07/27/2022 17:42:38 07/28/2022 21:49:26 krbtgt/[email protected]
Set the users’ default shell to /bin/bash:
$ ipa config-mod --defaultshell=/bin/bash
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa.example.com
IPA CA servers: ipa.example.com
IPA CA renewal master: ipa.example.com
IPA master capable of PKINIT: ipa.example.com
Test by adding a user account and listing accounts present:
$ ipa user-add test --first=Test --last=User [email protected] --password
Password:
Enter Password again to verify:
-------------------
Added user "test"
-------------------
User login: test
First name: Test
Last name: User
Full name: Test User
Display name: Test User
Initials: TU
Home directory: /home/test
GECOS: Test User
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
User password expiration: 20210802153038Z
Email address: [email protected]
UID: 1201400001
GID: 1201400001
Password: True
Member of groups: ipausers
Kerberos keys available: True
To list user accounts added, run:
$ ipa user-find
---------------
2 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: [email protected]
UID: 1201400000
GID: 1201400000
Account disabled: False
User login: test
First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 1201400001
GID: 1201400001
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
Try to log in as the test user. On your first login, you’ll be asked to change your password:
$ ssh test@localhost
Password:
Password expired. Change your password now.
Current Password:
New password: <Set new password>
Retype new password:
Activate the web console with: systemctl enable --now cockpit.socket
[test1@ipa ~]$ id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) cont
If you want to modify user password expiry period refer to the following guide:
You can play with the interface to understand placement of various FreeIPA management functions. In the guides to follow we cover usage examples – how FreeIPA server can help in Infrastructure-wide user, groups, hosts and policy management. Stay connected for updates.