Install and configure FreeIPA server on CentOS 8

Install and configure FreeIPA server on CentOS 8

FreeIPA is an open source integrated identity and authentication solution for Linux and Unix-based systems. It provides centralized authentication by storing data about users, groups, hosts, and other objects. It provides integrated identity management services for Linux, Mac and Windows. FreeIPA is based on 389 directory server, Kerberos, SSSD, Dogtag, NTP and DNS. It provides a web-based interface to manage Linux users and clients in your field from a central location.

In this tutorial, we will show you how to install FreeIPA server on CentOS 8.

prerequisites

  • Server running CentOS 8.
  • The root password is configured for the server.

Set hostname

First, you will need to set up a standard hostname in the system. You can use the following command to set:

hostnamectl set-hostname freeipa.mydomain10.com

Next, edit the /etc/hosts file and add the server IP and hostname:

nano /etc/hosts

Add the following line:

45.58.43.185 freeipa.mydomain10.com

When finished, save and close the file.

Install FreeIPA server

By default, the FreeIPA package is not available in the CentOS standard repository. Therefore, you will need to enable idm:DL1 repository in your system.

You can enable it with the following command:

dnf module enable idm:DL1

Next, use the following command to synchronize the repository:

dnf distro-sync

Next, run the following command to install FreeIPA server in your system.

dnf install ipa-server ipa-server-dns -y

After the installation is complete, you can proceed to the next step.

Set up FreeIPA server

Next, you will need to set up the FreeIPA server. You can use the following command to set:

ipa-server-install

You will be asked to configure integrated DNS as shown below:

The log file for this installation can be found in /var/log/ipaserver-install.log
ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.4

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: 

Press Enter to select No. You will be asked to provide the hostname of the server:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.


Server host name [freeipa.mydomain10.com]: 

Press Enter to select the default host name. You will be asked to confirm your domain name as follows:

The domain name has been determined based on the host name.

Please confirm the domain name [mydomain10.com]: 

Press Enter to select the default domain name. You will be asked to set the directory manager password as shown below:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [MYDOMAIN10.COM]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

Provide the required password and press Enter. The system will ask you to set the IPA administrator password as shown below:

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Provide the required password and press Enter. The system will ask you to configure the NTP server as shown below:

Do you want to configure chrony with NTP server or pool address? [no]: 

Press Enter to select the default option. You should get the following output:

The IPA Master Server will be configured with:
Hostname:       freeipa.mydomain10.com
IP address(es): 45.58.43.185
Domain name:    mydomain10.com
Realm name:     MYDOMAIN10.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=MYDOMAIN10.COM
Subject base: O=MYDOMAIN10.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

Type yes and press Enter to configure the system with the above values. After the setup is complete, you should get the following output:

SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring mydomain10.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name freeipa.mydomain10.com. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records._u0fzahd.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Once completed, you can proceed to the next step.

Configure firewall and SELinux

If firewalld is installed in the system, then you will need to allow FreeIPA to use certain ports. You can allow them with the following command:

firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent

Next, reload firewalld to apply the changes using the following command:

firewall-cmd --reload

Next, you also need to cancel SELinux in the system.

You can disable SELinux by editing the /etc/selinux/config file:

advertising

nano /etc/selinux/config

Find the following line:

SELINUX=enforcing

And, replace it with the following line:

SELINUX=permissive

Save and close the file. Then, restart the system to apply the changes:

Visit FreeIPA Web UI

Now, open your web browser and use the URL https://freeipa.mydomain10.com to access the FreeIPA web interface. You will be redirected to the FreeIPA login page as shown below:

Provide your administrator username and password, and click Logging in Button. You should see the FreeIPA dashboard in the following page:

FreeIPA server

Use FreeIPA CLI

FreeIPA also provides a command line tool for adding new users, groups, service principals, and granting write access to certain attributes (from one group to another).

Before using the CLI tool, you need to use the following command to obtain a Kerberos ticket:

kinit admin

You will be asked to provide a password as shown below:

Password for [email protected]:

Provide your administrator password and press Enter to get a Kerberos ticket.

Next, run the following command to check the expiration time of the ticket:

klist

You should get the following output:

Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
2020-09-28T03:36:54  2020-09-29T03:36:50  krbtgt/[email protected]

Next, use the following command to add a new user account:

ipa user-add user1 --first=hit --last=jethva [email protected] --password

You should get the following output:

Password: 
Enter Password again to verify: 
------------------
Added user "user1"
------------------
  User login: user1
  First name: hit
  Last name: jethva
  Full name: hit jethva
  Display name: hit jethva
  Initials: hj
  Home directory: /home/user1
  GECOS: hit jethva
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20200928073905Z
  Email address: [email protected]
  UID: 384600001
  GID: 384600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

You can also use the following command to list all user accounts in the system:

ipa user-find

You should see the following output:

---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 384600000
  GID: 384600000
  Account disabled: False

  User login: user1
  First name: hit
  Last name: jethva
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  Email address: [email protected]
  UID: 384600001
  GID: 384600001
  Account disabled: False
----------------------------
Number of entries returned 2

in conclusion

Congratulations! You have successfully installed and configured FreeIPA server on CentOS 8. You can now install the FreeIPA client and add it to the FreeIPA server for centralized authentication. If you have any questions, please feel free to ask me.

Sidebar