How to install FreeIPA to create an Identity Management system.


FreeIPA is an open source security information management solution. It combines Linux (the Red Hat family) with several services such as 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System), SSSD and others. It is a popular alternative to Microsoft’s Active Directory. It integrates identity and authentication for Linux/UNIX networked environments and can also provide authentication to Windows clients.

Our setup:

  • Server: CentOS 7.3
  • IP Address: 192.168.1.10
  • Hostname: ipa.rock.local

Setup Hostname:

First step is to set our desired hostname.

[root@localhost ~]# hostnamectl set-hostname ipa.rock.local

Check if the hostname has been changed.

[root@localhost ~]# hostname
ipa.rock.local

Now, we will edit the /etc/hosts file so the FQDN resolves to the server’s IP address.

echo "192.168.1.10  ipa.rock.local" >> /etc/hosts
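As an added pre-flight check (not part of the original post), the script below confirms the two things the hostname step must get right before ipa-server-install runs: the name is fully qualified, and /etc/hosts maps it to the server's own address. It works on any /etc/hosts-style file; the sample file it builds is constructed from the lab values above.

```shell
#!/bin/sh
# Added pre-flight check for the hostname step (example code, not from the post).

# is_fqdn NAME -> 0 if NAME contains at least one dot and no whitespace
is_fqdn() {
    case "$1" in
        *" "*|"") return 1 ;;
        *.*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# hosts_maps IP FQDN FILE -> 0 if FILE (an /etc/hosts-style file) has a
# non-comment line whose first field is IP and which lists FQDN as a name
hosts_maps() {
    ip="$1"; name="$2"; file="$3"
    sed 's/#.*//' "$file" | awk -v ip="$ip" -v name="$name" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# preflight IP FQDN FILE -> prints a verdict; returns 0 only if both checks pass
preflight() {
    ip="$1"; name="$2"; file="$3"
    if ! is_fqdn "$name"; then
        echo "FAIL: '$name' is not a fully qualified domain name"; return 1
    fi
    if ! hosts_maps "$ip" "$name" "$file"; then
        echo "FAIL: $file does not map $name to $ip"; return 1
    fi
    echo "OK: $name -> $ip"; return 0
}

# Constructed sample hosts file using the lab values from the post
SAMPLE_HOSTS="$(mktemp)"
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost6
# lab IPA master
192.168.1.10  ipa.rock.local ipa
EOF

preflight 192.168.1.10 ipa.rock.local "$SAMPLE_HOSTS"
preflight 192.168.1.10 ipa "$SAMPLE_HOSTS" || echo "(expected: the short name is rejected)"
```

On a real server, run `preflight "$(hostname -I | cut -d' ' -f1)" "$(hostname)" /etc/hosts` after the echo above; a FAIL here is the usual reason the installer later cannot determine the domain and realm names.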

Software Installation:

We need to install the “ipa-server” and “bind-dyndb-ldap” packages. The bind-dyndb-ldap package also installs “bind” and the 389 Directory Server as dependencies.

[root@ipa ~]# yum -y install ipa-server bind-dyndb-ldap

Next we will start the installation script:

[root@ipa ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log

==============================================================================

This program will set up the IPA Server.

This includes:

  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.rock.local]: 
Warning: skipping DNS resolution of host ipa.rhce.local
The domain name has been determined based on the host name.
Please confirm the domain name [rock.local]: 
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [ROCK.LOCAL]:

The installation should automatically pick up the server hostname, domain name and realm name as shown. If it does not, stop the installation and check the hostname configuration in the first step. If it does, just press Enter to accept the values. Next it will ask for the Directory Manager password and the IPA admin password. For the sake of simplicity in our lab, we will choose “pass1234”. (Clever, huh? I know.)

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: 
Password (confirm):

Next we will enter the DNS setup. Since we don’t have a DNS server configured for our lab, we will use Google’s public DNS address 8.8.8.8 as our DNS forwarder.

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [1.168.192.in-addr.arpa.]:
Using reverse zone 1.168.192.in-addr.arpa.

Then it will show a summary of everything we have configured.

The IPA Master Server will be configured with:
Hostname:       ipa.rhce.local
IP address(es): 192.168.1.39
Domain name:    rhce.local
Realm name:     RHCE.LOCAL
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       89.150.129.22, 89.150.129.10, 8.8.8.8
Forward policy:   only
Reverse zone(s):  1.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes

Type yes and proceed with the installation.

It will take some time to finish. Wait until the prompt is back.

Firewall configuration:

Next we will configure firewalld to allow the FreeIPA services through.

[root@ipa ~]# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,dns,kerberos,ntp,kpasswd}
success
[root@ipa ~]# firewall-cmd --reload
success

Check that all the services are configured properly.

[root@ipa ~]# firewall-cmd --list-services
dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh

FreeIPA is actually a combination of many services. Let’s check the services that were installed together:

[root@ipa ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
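The firewall and ipactl checks above are both eyeballed in the post. As an added example (not from the original post or from FreeIPA itself), the script below turns them into a post-install health check that can run from cron or a monitoring job: one function reports which of the required firewalld services are missing from `firewall-cmd --list-services` output, and another reports any ipactl service whose state is not RUNNING. The sample outputs it checks are constructed.

```shell
#!/bin/sh
# Added post-install health check for FreeIPA (example code, not from the post).

# The firewalld services the post opens for FreeIPA
IPA_FW_SERVICES="http https ldap ldaps dns kerberos ntp kpasswd"

# missing_fw_services "ACTIVE" -> prints the required services absent from
# ACTIVE (a space-separated list, e.g. `firewall-cmd --list-services` output);
# returns 0 if nothing is missing, 1 otherwise
missing_fw_services() {
    active=" $1 "
    missing=""
    for svc in $IPA_FW_SERVICES; do
        case "$active" in
            *" $svc "*) ;;                       # present
            *) missing="$missing $svc" ;;       # absent
        esac
    done
    missing="${missing# }"
    [ -n "$missing" ] && echo "$missing"
    [ -z "$missing" ]
}

# not_running_ipa_services -> reads `ipactl status`-style lines on stdin and
# prints the name of every service whose state is not RUNNING;
# returns 0 if all listed services are RUNNING, 1 otherwise
not_running_ipa_services() {
    awk -F': ' 'NF >= 2 && $2 != "RUNNING" { print $1; bad = 1 }
                END { exit bad ? 1 : 0 }'
}

# Constructed sample outputs: a healthy firewall list and a degraded ipactl status
SAMPLE_FW="dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh"
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
pki-tomcatd Service: RUNNING'

missing_fw_services "$SAMPLE_FW" && echo "firewall: all IPA services are open"
echo "$SAMPLE_STATUS" | not_running_ipa_services || echo "ipactl: some services are not running"
```

On the server, feed the live outputs in: `missing_fw_services "$(firewall-cmd --list-services)"` and `ipactl status | not_running_ipa_services`; a non-zero exit from either is the signal to alert on.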

Preparing the server for user authentication:

First, obtain a Kerberos ticket:

[root@ipa ~]# kinit admin

Check the validity of the ticket.

[root@localhost ~]# klist

Ticket cache: KEYRING:persistent:0:0
Default principal: admin@ROCK.LOCAL
Valid starting     Expires            Service principal
19/10/17 19:02:21  20/10/17 19:02:15  krbtgt/ROCK.LOCAL@ROCK.LOCAL

Create a user named “sky”:

[root@ipa]# ipa user-add sky

Next, configure a password for this user:

[root@ipa]# ipa passwd sky

Configuring FTP on the FreeIPA server for the CA certificate:

The client machine needs the IPA server’s CA certificate in order to use IPA authorisation. We will configure an FTP server and put the certificate in the public folder, so clients can easily get it.

[root@ipa ~]# yum -y install vsftpd

[root@localhost ~]# firewall-cmd --add-service=ftp --permanent

success

[root@localhost ~]# firewall-cmd --reload

success

[root@localhost ~]# systemctl start vsftpd

[root@localhost ~]# systemctl enable vsftpd

Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.

Next, copy the certificate into the FTP directory.

[root@ipa ~]# cp /root/cacert.p12 /var/ftp/pub

Now our FreeIPA server is ready to authorise users from client machines.
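Anonymous FTP gives the client no way to tell a genuine CA certificate from a substituted one, so the client side of this step needs an integrity check. The script below is an added example (not from the original post or from FreeIPA): it downloads the certificate from the share, refuses to install it unless its SHA-256 digest matches a value read out of band from the server console, and only then adds it to the CentOS 7 system trust store. Two points it assumes: the file published on the share is the PEM CA certificate, which the server keeps at /etc/ipa/ca.crt (the /root/cacert.p12 bundle is the password-protected PKCS#12 backup that also carries the CA private key, so it is ca.crt that belongs on a public share); and the URL and expected digest are placeholders to be filled in for your lab. The offline self-check at the end uses a constructed file, not a real certificate.

```shell
#!/bin/sh
# Added client-side fetch-and-verify for the IPA CA certificate (example code, not from the post).

CA_URL="ftp://ipa.rock.local/pub/ca.crt"                              # assumed location on the share
EXPECTED_SHA256="<paste the digest printed by: sha256sum /etc/ipa/ca.crt on the server>"  # placeholder

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_ca_file FILE EXPECTED -> 0 if FILE looks like a PEM certificate and its
# digest equals EXPECTED (hex, case-insensitive); 1 otherwise
verify_ca_file() {
    file="$1"; expected="$2"
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo "not a PEM certificate: $file" >&2; return 1
    fi
    actual="$(sha256_of "$file")"
    expected_lc="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    if [ "$actual" != "$expected_lc" ]; then
        echo "digest mismatch: got $actual, expected $expected_lc" >&2; return 1
    fi
    return 0
}

# fetch_and_install URL EXPECTED -> downloads the certificate, verifies it and,
# only then, installs it as a system trust anchor (CentOS 7 paths)
fetch_and_install() {
    tmp="$(mktemp)"
    curl -sSf -o "$tmp" "$1" || { echo "download failed: $1" >&2; rm -f "$tmp"; return 1; }
    verify_ca_file "$tmp" "$2" || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" /etc/pki/ca-trust/source/anchors/ipa-ca.crt
    update-ca-trust
    rm -f "$tmp"
}

# Offline self-check with a constructed PEM-shaped file (not a real certificate)
SAMPLE_PEM="$(mktemp)"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed sample body...' '-----END CERTIFICATE-----' > "$SAMPLE_PEM"
SAMPLE_DIGEST="$(sha256_of "$SAMPLE_PEM")"
verify_ca_file "$SAMPLE_PEM" "$SAMPLE_DIGEST" && echo "sample digest verified"

# Real use, once EXPECTED_SHA256 has been filled in from the server console:
# fetch_and_install "$CA_URL" "$EXPECTED_SHA256"
```

The verified file can also be handed straight to the client installer with `ipa-client-install --ca-cert-file=/path/to/ca.crt`, which avoids having the installer fetch the certificate over the network itself.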
