FreeIPA is an open source identity and security information management solution. It combines Linux (Red Hat family) with several services: 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System), SSSD and some others. It is a popular alternative to Microsoft's Active Directory. It integrates identity and authentication for Linux/UNIX networked environments and can also provide authentication to Windows clients.
Our setup:
- Server: CentOS 7.3
- IP Address: 192.168.1.10
- Hostname: ipa.rock.local
Setup Hostname:
First step is to set our desired hostname.
[root@localhost ~]# hostnamectl set-hostname ipa.rock.local
Check if the hostname has been changed.
[root@localhost ~]# hostname
ipa.rock.local
Now we will edit the /etc/hosts file so that the server's IP address resolves to its FQDN. Put the entry on its own line; ipa-server-install refuses to continue if the hostname is not fully qualified or resolves to a loopback address, so do not add the name to the 127.0.0.1 line.
echo "192.168.1.10 ipa.rock.local" >> /etc/hosts
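As a pre-flight check for the two steps above (an added example, not part of the original post), the function below takes the FQDN, the IP address and the path to a hosts file and verifies what ipa-server-install will complain about later: the name is fully qualified, lowercase and not a localhost-style name, the hosts file maps the IP to that name, and the name is not also listed on a 127.x line. The function name and the hosts-file parameter (so it can be run against a copy) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check of the
# hostname and /etc/hosts entry before running ipa-server-install.
# Usage: ipa_preflight ipa.rock.local 192.168.1.10 /etc/hosts

# ipa_preflight FQDN IP HOSTS_FILE
# Returns 0 when FQDN is acceptable and HOSTS_FILE maps IP to it;
# prints the reason and returns 1 otherwise.
ipa_preflight() {
    fqdn=$1; ip=$2; hosts=$3

    [ -r "$hosts" ] || { echo "cannot read $hosts"; return 1; }

    # Reject localhost-style names and anything without a domain part.
    case "$fqdn" in
        localhost|localhost.*|*.localdomain)
            echo "refusing localhost-style hostname: $fqdn"; return 1 ;;
        *.*) ;;
        *) echo "hostname '$fqdn' is not fully qualified"; return 1 ;;
    esac

    # Labels: lowercase alphanumerics and '-', no leading/trailing '-'.
    # (The installer rejects upper-case hostnames.)
    echo "$fqdn" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
        || { echo "hostname '$fqdn' has invalid characters or case"; return 1; }

    # Names mapped to IP in the hosts file (comments skipped), on one line.
    mapped=$(awk -v ip="$ip" '$1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) print $i }' "$hosts" | tr '\n' ' ')
    case " $mapped " in
        *" $fqdn "*) ;;
        *) echo "$hosts does not map $ip to $fqdn"; return 1 ;;
    esac

    # The FQDN must not also resolve to a loopback address.
    if ! awk -v h="$fqdn" '$1 !~ /^#/ && $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == h) exit 1 }' "$hosts"; then
        echo "$fqdn also maps to a loopback address in $hosts"; return 1
    fi

    echo "ok: $fqdn -> $ip"
    return 0
}
```

Run it right after editing /etc/hosts; if it reports a problem, fix the hostname or hosts entry before starting the installer rather than debugging a half-finished installation.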
Software Installation:
We need to install the "ipa-server" and "bind-dyndb-ldap" packages. ipa-server pulls in 389 Directory Server, the Kerberos KDC and Dogtag as dependencies; bind-dyndb-ldap pulls in bind, which is needed for the integrated DNS server we enable below.
[root@ipa ~]# yum -y install ipa-server bind-dyndb-ldap
Next we will start the installation script:
[root@ipa ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.rock.local]:

Warning: skipping DNS resolution of host ipa.rock.local
The domain name has been determined based on the host name.

Please confirm the domain name [rock.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [ROCK.LOCAL]:
The installer should automatically pick up the server hostname, domain name and realm name as shown. If it does not, stop the installation and check the hostname configuration from the first step. If it does, just press Enter to accept each value. Next it will ask for the Directory Manager password and the IPA admin password. For the sake of simplicity in our lab we will choose "pass1234" (clever, huh? I know). Do not do this anywhere outside a throwaway lab: the Directory Manager account has full, unrestricted access to the directory and is not subject to IPA's password policies, so it needs a strong password that is stored somewhere safe.
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):
Next we will enter the DNS setup. Since we don't have a DNS server configured for our lab, we will use Google's public DNS address 8.8.8.8 as our forwarder.
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [1.168.192.in-addr.arpa.]:
Using reverse zone 1.168.192.in-addr.arpa.
Then it will show a summary of everything we have configured. (If /etc/resolv.conf already lists nameservers, the installer offers to add those as forwarders as well, which is why more than one forwarder can appear here.)
The IPA Master Server will be configured with:
Hostname:       ipa.rock.local
IP address(es): 192.168.1.10
Domain name:    rock.local
Realm name:     ROCK.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       8.8.8.8
Forward policy:   only
Reverse zone(s):  1.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes
Type yes to proceed with the installation.
It will take some time to finish. Wait until the prompt returns.
Firewall configuration:
Next we will configure firewalld to allow the FreeIPA services.
[root@ipa ~]# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,dns,kerberos,ntp,kpasswd}
success
[root@ipa ~]# firewall-cmd --reload
success
Check if all the services are configured properly.
[root@ipa ~]# firewall-cmd --list-services
dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh
FreeIPA is actually a combination of many services. Check that all of them are running.
[root@ipa ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
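The two checks above (the firewall service list and the ipactl status) are easy to eyeball on one box and easy to get wrong on the fifth. The functions below (an added example, not a tool shipped with FreeIPA) read the output of those commands from stdin and report what is missing or not running; the REQUIRED list is exactly the set of services opened in the firewall step.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks.
# Usage on the server:
#   firewall-cmd --list-services | missing_firewall_services
#   ipactl status                | ipactl_not_running

# Services the firewall must expose for a FreeIPA server with DNS (from the
# firewall-cmd step above).
REQUIRED="http https ldap ldaps dns kerberos ntp kpasswd"

# Reads a `firewall-cmd --list-services` line on stdin. Prints each required
# service that is absent; returns 1 if any is missing, 0 otherwise.
missing_firewall_services() {
    open=" $(tr '\n' ' ' | tr -s ' ') "    # one space-delimited line, padded
    rc=0
    for svc in $REQUIRED; do
        case "$open" in
            *" $svc "*) ;;
            *) echo "missing: $svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Reads `ipactl status` output on stdin. Prints every "<name> Service: <STATE>"
# line whose state is not RUNNING; returns 1 if any is found, 0 otherwise.
ipactl_not_running() {
    bad=$(awk -F': ' '/ Service: / && $2 != "RUNNING" { print $0 }')
    [ -z "$bad" ] && return 0
    echo "$bad"
    return 1
}
```

A non-zero exit from either function is the cue to look at /var/log/ipaserver-install.log and the individual service's journal before moving on to client enrolment.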
Preparing the server for user authentication:
First, obtain a Kerberos ticket as the admin user (you will be prompted for the IPA admin password set during installation).
[root@ipa ~]# kinit admin
Check the validity of the ticket.
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@ROCK.LOCAL

Valid starting       Expires              Service principal
19/10/17 19:02:21  20/10/17 19:02:15  krbtgt/ROCK.LOCAL@ROCK.LOCAL
Create a user named "sky" (the command prompts for the first and last name if they are not given with --first and --last).
[root@ipa]# ipa user-add sky
Next set a password for this user. A password set by an administrator is expired immediately, so the user will be forced to change it the first time they authenticate (for example at the first kinit on the client).
[root@ipa]# ipa passwd sky
Configuring FTP on the FreeIPA server for the CA certificate:
The client machine needs the IPA server's CA certificate in order to trust the server during enrolment and authentication. ipa-client-install normally retrieves it from the server itself, but we will also configure an FTP server and put the certificate in the public folder so clients can fetch it manually. Only the public certificate belongs there: /etc/ipa/ca.crt. Do not publish /root/cacert.p12, which ipa-server-install leaves behind; that PKCS#12 bundle contains the CA's private key along with the certificate, and anyone who obtains it can issue certificates trusted by every host in the realm.
[root@ipa ~]# yum -y install vsftpd
[root@ipa ~]# firewall-cmd --add-service=ftp --permanent
success
[root@ipa ~]# firewall-cmd --reload
success
[root@ipa ~]# systemctl start vsftpd
[root@ipa ~]# systemctl enable vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.
Next copy the public CA certificate into the FTP directory.
[root@ipa ~]# cp /etc/ipa/ca.crt /var/ftp/pub/
Now our FreeIPA server is ready to authenticate users on the client machine.
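Because the difference between "the CA certificate" and "the CA certificate plus its private key" is one filename, it is worth putting a guard in front of the copy. The function below (an added example, not part of the original post or of FreeIPA) refuses anything that is not a bare PEM certificate: a DER/PKCS#12 file is recognised by the ASN.1 SEQUENCE header (0x30 0x82) that opens such bundles, and a PEM private key by its BEGIN marker. The function name is my own; the header test is a heuristic, so treat a pass as necessary, not sufficient.

```shell
#!/bin/sh
# Added example, not from the original post. Guard before publishing a file
# in an anonymous-readable location such as /var/ftp/pub.
# Usage: safe_to_publish /etc/ipa/ca.crt && cp /etc/ipa/ca.crt /var/ftp/pub/

# safe_to_publish FILE
# Returns 0 if FILE is PEM certificate(s) only, 1 (with a reason) otherwise.
safe_to_publish() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }

    # DER-encoded PKCS#12 (what /root/cacert.p12 is) starts with a long-form
    # ASN.1 SEQUENCE: bytes 0x30 0x82. Never publish that.
    if [ "$(od -An -tx1 -N2 "$f" | tr -d ' \n')" = "3082" ]; then
        echo "REFUSE: $f is DER/PKCS#12 (likely contains a private key)"
        return 1
    fi

    # Any PEM private-key block (PRIVATE KEY, RSA PRIVATE KEY, ...) is fatal.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "REFUSE: $f contains a private key"
        return 1
    fi

    # What remains must at least carry a certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "REFUSE: $f holds no PEM certificate"
        return 1
    fi

    echo "ok: $f is certificate-only"
    return 0
}
```

After the copy, record the fingerprint with `openssl x509 -in /etc/ipa/ca.crt -noout -subject -fingerprint -sha256` and compare it on the client after download: FTP gives no integrity guarantee of its own.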