Install and configure FreeIPA server on CentOS 8
Install and configure FreeIPA server on CentOS 8
FreeIPA is an open source integrated identity and authentication solution for Linux and Unix-based systems. It provides centralized authentication by storing data about users, groups, hosts, and other objects. It provides integrated identity management services for Linux, Mac and Windows. FreeIPA is based on 389 directory server, Kerberos, SSSD, Dogtag, NTP and DNS. It provides a web-based interface to manage Linux users and clients in your field from a central location.
In this tutorial, we will show you how to install FreeIPA server on CentOS 8.
prerequisites
- Server running CentOS 8.
- The root password is configured for the server.
Set hostname
First, you will need to set up a standard hostname in the system. You can use the following command to set:
hostnamectl set-hostname freeipa.mydomain10.comNext, edit the /etc/hosts file and add the server IP and hostname:
nano /etc/hostsAdd the following line:
45.58.43.185 freeipa.mydomain10.com
When finished, save and close the file.
Install FreeIPA server
By default, the FreeIPA package is not available in the CentOS standard repository. Therefore, you will need to enable idm:DL1 repository in your system.
You can enable it with the following command:
dnf module enable idm:DL1Next, use the following command to synchronize the repository:
dnf distro-syncNext, run the following command to install FreeIPA server in your system.
dnf install ipa-server ipa-server-dns -yAfter the installation is complete, you can proceed to the next step.
Set up FreeIPA server
Next, you will need to set up the FreeIPA server. You can use the following command to set:
ipa-server-installYou will be asked to configure integrated DNS as shown below:
The log file for this installation can be found in /var/log/ipaserver-install.log ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. Version 4.8.4 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. Do you want to configure integrated DNS (BIND)? [no]:
Press Enter to select No. You will be asked to provide the hostname of the server:
Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: master.example.com. Server host name [freeipa.mydomain10.com]:
Press Enter to select the default host name. You will be asked to confirm your domain name as follows:
The domain name has been determined based on the host name. Please confirm the domain name [mydomain10.com]:
Press Enter to select the default domain name. You will be asked to set the directory manager password as shown below:
The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [MYDOMAIN10.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm):
Provide the required password and press Enter. The system will ask you to set the IPA administrator password as shown below:
The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm):
Provide the required password and press Enter. The system will ask you to configure the NTP server as shown below:
Do you want to configure chrony with NTP server or pool address? [no]:
Press Enter to select the default option. You should get the following output:
The IPA Master Server will be configured with: Hostname: freeipa.mydomain10.com IP address(es): 45.58.43.185 Domain name: mydomain10.com Realm name: MYDOMAIN10.COM The CA will be configured with: Subject DN: CN=Certificate Authority,O=MYDOMAIN10.COM Subject base: O=MYDOMAIN10.COM Chaining: self-signed Continue to configure the system with these values? [no]: yes
Type yes and press Enter to configure the system with the above values. After the setup is complete, you should get the following output:
SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring mydomain10.com as NIS domain. Client configuration complete. The ipa-client-install command was successful unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete Please add records in this file to your DNS system: /tmp/ipa.system.records._u0fzahd.db ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful
Once completed, you can proceed to the next step.
Configure firewall and SELinux
If firewalld is installed in the system, then you will need to allow FreeIPA to use certain ports. You can allow them with the following command:
firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanentNext, reload firewalld to apply the changes using the following command:
firewall-cmd --reloadNext, you also need to cancel SELinux in the system.
You can disable SELinux by editing the /etc/selinux/config file:
advertising
nano /etc/selinux/configFind the following line:
SELINUX=enforcing
And, replace it with the following line:
SELINUX=permissiveSave and close the file. Then, restart the system to apply the changes:
Visit FreeIPA Web UI
Now, open your web browser and use the URL https://freeipa.mydomain10.com to access the FreeIPA web interface. You will be redirected to the FreeIPA login page as shown below:
Provide your administrator username and password, and click Logging in Button. You should see the FreeIPA dashboard in the following page:
Use FreeIPA CLI
FreeIPA also provides a command line tool for adding new users, groups, service principals, and granting write access to certain attributes (from one group to another).
Before using the CLI tool, you need to use the following command to obtain a Kerberos ticket:
kinit adminYou will be asked to provide a password as shown below:
Password for [email protected]:
Provide your administrator password and press Enter to get a Kerberos ticket.
Next, run the following command to check the expiration time of the ticket:
klistYou should get the following output:
Ticket cache: KCM:0 Default principal: [email protected] Valid starting Expires Service principal 2020-09-28T03:36:54 2020-09-29T03:36:50 krbtgt/[email protected]
Next, use the following command to add a new user account:
ipa user-add user1 --first=hit --last=jethva [email protected] --passwordYou should get the following output:
Password: Enter Password again to verify: ------------------ Added user "user1" ------------------ User login: user1 First name: hit Last name: jethva Full name: hit jethva Display name: hit jethva Initials: hj Home directory: /home/user1 GECOS: hit jethva Login shell: /bin/sh Principal name: [email protected] Principal alias: [email protected] User password expiration: 20200928073905Z Email address: [email protected] UID: 384600001 GID: 384600001 Password: True Member of groups: ipausers Kerberos keys available: True
You can also use the following command to list all user accounts in the system:
ipa user-findYou should see the following output:
--------------- 2 users matched --------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Principal alias: [email protected] UID: 384600000 GID: 384600000 Account disabled: False User login: user1 First name: hit Last name: jethva Home directory: /home/user1 Login shell: /bin/sh Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 384600001 GID: 384600001 Account disabled: False ---------------------------- Number of entries returned 2
in conclusion
Congratulations! You have successfully installed and configured FreeIPA server on CentOS 8. You can now install the FreeIPA client and add it to the FreeIPA server for centralized authentication. If you have any questions, please feel free to ask me.