Installing and configuring the FreeIPA server in CentOS 7

FreeIPA is an open source project that provides a centralized system for managing user identities and for setting access and audit policies on Linux-based networks.

A series of articles on installing and configuring the FreeIPA server and client:

  • Installing and configuring the FreeIPA server in CentOS 7
  • Fault tolerance: setting up FreeIPA replication on CentOS 7

FreeIPA identifies servers by their domain names, and it can also act as a management interface for DNS records.

Preparatory stage, synchronization with NTP server

NTP is the recommended way to keep the clocks synchronized. Stop and disable chrony if it is preinstalled:

[[email protected] ~]$ sudo systemctl stop chronyd
[[email protected] ~]$ sudo systemctl disable chronyd

Install NTP (the ntp package provides ntpd, ntpdate the one-shot client) and point it at our NTP server:

[[email protected] ~]$ sudo yum install ntp ntpdate
[[email protected] ~]$ sudo nano /etc/ntp.conf
server 192.168.1.10

Check the time offset against the server:

[[email protected] ~]$ sudo ntpdate -qu 192.168.1.10
server 192.168.1.10, stratum 3, offset -14.866896, delay 0.04178
11 Nov 09:46:42 ntpdate[19110]: step time server 192.168.1.10 offset -14.866896 sec

Stop the service, synchronize the time, and start the service again:

[[email protected] ~]$ sudo systemctl stop ntpd
[[email protected] ~]$ sudo ntpdate 192.168.1.10
[[email protected] ~]$ sudo systemctl start ntpd

Enable the NTP client and check the status:

[[email protected] ~]$ sudo timedatectl set-ntp true
[[email protected] ~]$ sudo timedatectl status
      Local time: Mon 2019-11-11 09:49:10 MSK
  Universal time: Mon 2019-11-11 06:49:10 UTC
        RTC time: Mon 2019-11-11 06:49:10
       Time zone: Europe/Moscow (MSK, +0300)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a

Check the time offset again:

[[email protected] ~]$ sudo ntpdate -qu 192.168.1.10
server 192.168.1.10, stratum 3, offset 0.003698, delay 0.04181
11 Nov 09:49:45 ntpdate[19143]: adjust time server 192.168.1.10 offset 0.003698 sec
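As an added example, not part of the original article, the following POSIX shell script parses an `ntpdate -qu` reply like the ones shown above and flags an offset that Kerberos would reject. The two sample reply lines are constructed copies of the output in this section; the 300-second limit is the default `clockskew` of the Kerberos libraries, which is the reason clock synchronization matters for a FreeIPA install.

```shell
#!/bin/sh
# Added example: check the clock offset reported by "ntpdate -qu <server>"
# before installing FreeIPA. Kerberos rejects requests once client and KDC
# clocks differ by more than the configured clockskew (300 s by default),
# so a large offset here turns into a confusing kinit failure later.

# Constructed sample replies, copied from the two ntpdate runs above.
NTP_BEFORE='server 192.168.1.10, stratum 3, offset -14.866896, delay 0.04178'
NTP_AFTER='server 192.168.1.10, stratum 3, offset 0.003698, delay 0.04181'

# Print the absolute value of the offset (seconds) from one "server ..." line.
ntp_abs_offset() {
    printf '%s\n' "$1" |
    awk -F'offset ' '{ split($2, a, ","); o = a[1] + 0; if (o < 0) o = -o; print o }'
}

# Return 0 when the offset is below the limit in seconds, 1 otherwise.
ntp_offset_ok() {  # "<ntpdate line>" <limit_seconds>
    off=$(ntp_abs_offset "$1")
    awk -v o="$off" -v lim="$2" 'BEGIN { exit !(o < lim) }'
}

# Report both samples against the Kerberos default and a strict 1 s limit.
for line in "$NTP_BEFORE" "$NTP_AFTER"; do
    for lim in 300 1; do
        if ntp_offset_ok "$line" "$lim"; then
            echo "within ${lim}s: $line"
        else
            echo "EXCEEDS ${lim}s: $line"
        fi
    done
done
```

On a real host, replace the sample strings with `"$(ntpdate -qu 192.168.1.10 | head -n 1)"`; the first offset above (about 15 s) is still inside the Kerberos tolerance, but it is exactly the kind of drift that grows on an unsynchronized VM until tickets stop being issued.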

Setting up the domain name of the server and network

The FreeIPA server name must be a fully qualified domain name (FQDN); set it:

[[email protected] ~]$ sudo hostnamectl set-hostname srv-ipa-01.domain.local
[[email protected] ~]$ sudo hostnamectl status
   Static hostname: srv-ipa-01.domain.local
...

Add the address of the FreeIPA server to the /etc/hosts file. If a replicating FreeIPA server is planned, its name and IP address must be added as well:

[[email protected] ~]$ sudo nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.11   srv-ipa-01.domain.local srv-ipa-01
192.168.1.12   srv-ipa-02.domain.local srv-ipa-02

If short hostnames are going to be used on the network, the correct domain or search option must be configured in the resolver.

If the FreeIPA server is used as a DNS server, add its IP address to /etc/resolv.conf (and the replica's IP address, if replication is planned):

[[email protected] ~]$ sudo nano /etc/resolv.conf 
search domain.local
# DNS FreeIPA
nameserver 192.168.1.11
nameserver 192.168.1.12
# Our DNS
nameserver 192.168.1.1
nameserver 192.168.1.2

Edit the network interface configuration file. The PEERDNS="no" parameter ensures that /etc/resolv.conf is not overwritten when the network service restarts:

[[email protected] ~]$ sudo nano /etc/sysconfig/network-scripts/ifcfg-ens160
...
IPADDR="192.168.1.11"
PREFIX="24"
GATEWAY="192.168.1.1"
DNS1="192.168.1.1"
DNS2="192.168.1.2"
PEERDNS="no"
DOMAIN="domain.local"
...
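The hostname, /etc/hosts and /etc/resolv.conf settings above are the ones ipa-server-install trips over most often, so here is an added example (not from the original article) of a POSIX shell preflight check for them. It runs against constructed copies of the two files in a temporary directory, so it can be tried without touching the real ones; the sample "bad" resolv.conf repeats one nameserver line, a typical copy-paste slip.

```shell
#!/bin/sh
# Added example: preflight checks for the name resolution setup of a
# FreeIPA server, run against constructed sample files rather than /etc.

# A hostname is fully qualified when it has at least one dot and no empty label.
is_fqdn() {
    case "$1" in
        .*|*.|*..*) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Does the hosts file map the IP to both the FQDN and the short name?
hosts_has_entry() {  # file ip fqdn short
    awk -v ip="$2" -v f="$3" -v s="$4" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 } }
        END { exit !(hf && hs) }' "$1"
}

# Print nameservers listed more than once; return 1 if there are any.
resolv_duplicates() {  # file
    awk '$1 == "nameserver" { n[$2]++ }
         END { dup = 0; for (k in n) if (n[k] > 1) { print k; dup = 1 } exit dup }' "$1"
}

# Does the search line include the IPA domain (needed for short names)?
resolv_has_search() {  # file domain
    awk -v d="$2" '$1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) ok = 1 }
                   END { exit !ok }' "$1"
}

# --- constructed sample files (stand-ins for the real /etc files) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/hosts" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.11   srv-ipa-01.domain.local srv-ipa-01
192.168.1.12   srv-ipa-02.domain.local srv-ipa-02
EOF
cat > "$TMP/resolv.bad" <<'EOF'
search domain.local
nameserver 192.168.1.11
nameserver 192.168.1.11
nameserver 192.168.1.1
EOF
cat > "$TMP/resolv.good" <<'EOF'
search domain.local
nameserver 192.168.1.11
nameserver 192.168.1.12
nameserver 192.168.1.1
EOF

# Short report over the samples (on a live host use /etc/hosts, /etc/resolv.conf
# and "$(hostname)" instead).
for f in resolv.bad resolv.good; do
    if resolv_duplicates "$TMP/$f" >/dev/null; then
        echo "$f: nameservers are unique"
    else
        echo "$f: duplicate nameserver line"
    fi
done
```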

Installing the software

Install the required packages:

[[email protected] ~]$ sudo yum -y install bind bind-utils bind-dyndb-ldap ipa-server ipa-client ipa-server-dns

FreeIPA needs a good supply of entropy for its cryptographic operations. Install and enable rngd, the entropy-feeding daemon from rng-tools:

[[email protected] ~]$ sudo yum install rng-tools
[[email protected] ~]$ sudo systemctl start rngd
[[email protected] ~]$ sudo systemctl enable rngd

Installing and configuring FreeIPA

Install FreeIPA:

[[email protected] ~]$ sudo ipa-server-install

During installation you can enable automatic creation of user home directories:

[[email protected] ~]$ sudo ipa-server-install --mkhomedir

If this was not specified, the option can be enabled after the FreeIPA server is installed with the command:

[[email protected] ~]$ sudo authconfig --enablemkhomedir --update

If we do not plan to use FreeIPA as DNS, answer NO to the corresponding question and then set the parameters:

Do you want to configure integrated DNS (BIND)? [no]: no

Server host name [srv-ipa-01.domain.local]: srv-ipa-01.domain.local
Please confirm the domain name [domain.local]: srv-ipa-01.domain.local
Please provide a realm name [SRV-IPA-01.DOMAIN.LOCAL]: SRV-IPA-01.DOMAIN.LOCAL
Directory Manager password:
IPA admin password:

Continue to configure the system with these values? [no]: yes

If we plan to use FreeIPA as DNS, answer YES to the corresponding question and then set the parameters:

Do you want to configure integrated DNS (BIND)? [no]: yes

Server host name [srv-ipa-01.domain.local]: srv-ipa-01.domain.local
Please confirm the domain name [domain.local]: domain.local
Please provide a realm name [DOMAIN.LOCAL]: DOMAIN.LOCAL
Directory Manager password:
IPA admin password:

Next come the questions about DNS setup.

If we do not want FreeIPA to forward DNS requests to another server, answer NO to the corresponding question:

Checking DNS domain domain.local., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured

If we want FreeIPA to forward DNS requests to another server, answer YES, then either keep the forwarders FreeIPA suggests (taken from /etc/resolv.conf) or enter other ones:

Checking DNS domain domain.local., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.1.11, 192.168.1.12
Do you want to configure these servers as DNS forwarders? [yes]:
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.4.4
DNS forwarder 8.8.4.4 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait…

Configuring the reverse zone:

Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.1.11 [yes]:
Please specify the reverse zone name [1.168.192.in-addr.arpa.]:
Using reverse zone(s) 1.168.192.in-addr.arpa.

Next, the collected values are displayed for verification:

The IPA Master Server will be configured with:
Hostname:	srv-ipa-01.domain.local
IP address(es):	192.168.1.11
Domain name:	domain.local
Realm name: 	DOMAIN.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:	8.8.8.8, 8.8.4.4
Forward policy:	only
Reverse zone(s):  1.168.192.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
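The interactive answers above can be supplied as command-line options instead, which makes the install repeatable and avoids the mistake of confirming the hostname as the domain name. The POSIX shell script below is an added example (not from the original article); it derives the realm, checks that the hostname actually sits inside the IPA domain, builds the reverse zone name for a /24 and assembles the ipa-server-install command. The options it emits (--hostname, --ip-address, --domain, --realm, --mkhomedir, --setup-dns, --reverse-zone, --forwarder, --no-forwarders) are standard ipa-server-install options; the Directory Manager and admin passwords are deliberately left to the installer's prompts so that they never appear in the process list or shell history.

```shell
#!/bin/sh
# Added example: assemble a non-interactive-ish ipa-server-install command
# from a few variables, with the consistency checks the prompts do not do.

# Convention used throughout the article: the realm is the domain in upper case.
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# The host must sit inside the IPA domain (srv-ipa-01.domain.local is in
# domain.local). Passing the hostname itself as the domain yields a bogus
# per-host realm such as SRV-IPA-01.DOMAIN.LOCAL.
hostname_in_domain() {  # fqdn domain
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# Reverse zone name for a /24 network: 192.168.1.11 -> 1.168.192.in-addr.arpa.
reverse_zone_24() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Print the install command. $4 is yes/no for integrated DNS; $5 is a
# space-separated forwarder list, empty meaning "no forwarders".
build_ipa_install_cmd() {  # fqdn ip domain setup_dns forwarders
    fqdn=$1; ip=$2; domain=$3; setup_dns=$4; forwarders=$5
    if ! hostname_in_domain "$fqdn" "$domain"; then
        echo "error: hostname $fqdn is not inside domain $domain" >&2
        return 1
    fi
    realm=$(realm_from_domain "$domain")
    cmd="ipa-server-install --hostname=$fqdn --ip-address=$ip"
    cmd="$cmd --domain=$domain --realm=$realm --mkhomedir"
    if [ "$setup_dns" = yes ]; then
        cmd="$cmd --setup-dns --reverse-zone=$(reverse_zone_24 "$ip")"
        if [ -n "$forwarders" ]; then
            for f in $forwarders; do cmd="$cmd --forwarder=$f"; done
        else
            cmd="$cmd --no-forwarders"
        fi
    fi
    printf '%s\n' "$cmd"
}

# The two variants from the article: with and without integrated DNS.
build_ipa_install_cmd srv-ipa-01.domain.local 192.168.1.11 domain.local yes "8.8.8.8 8.8.4.4"
build_ipa_install_cmd srv-ipa-01.domain.local 192.168.1.11 domain.local no ""
```

Run the printed command with sudo; the installer still asks for the two passwords and shows the same summary screen as above before it starts.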

Then the lengthy installation runs, and at the end the installer lists the network ports that must be opened in the firewall:

1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

Open these ports:

[[email protected] ~]$ sudo firewall-cmd --permanent --zone=public --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
[[email protected] ~]$ sudo firewall-cmd --permanent --zone=public --add-port=53/tcp
[[email protected] ~]$ sudo firewall-cmd --permanent --zone=public --add-port=53/udp
[[email protected] ~]$ sudo firewall-cmd --reload
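Opening the services is easy to get half right (a missing kpasswd or ntp service, or the DNS ports added in one zone while the interface sits in another), so here is an added example, not from the original article, of a POSIX shell check that compares a `firewall-cmd --zone=public --list-all` listing with the port list the installer printed. The two listings below are constructed samples; the service-to-port mapping is taken from firewalld's stock service definitions.

```shell
#!/bin/sh
# Added example: verify that a firewalld zone listing covers every port
# ipa-server-install asks for. Uses constructed sample listings; on a
# live host feed it "$(firewall-cmd --zone=public --list-all)" instead.

# Ports from the installer's message, as port/proto.
REQUIRED='80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp'

# Port coverage of the firewalld services used in the firewall-cmd call above.
service_ports() {
    case "$1" in
        http)     echo '80/tcp' ;;
        https)    echo '443/tcp' ;;
        ldap)     echo '389/tcp' ;;
        ldaps)    echo '636/tcp' ;;
        kerberos) echo '88/tcp 88/udp' ;;
        kpasswd)  echo '464/tcp 464/udp' ;;
        dns)      echo '53/tcp 53/udp' ;;
        ntp)      echo '123/udp' ;;
        *)        echo '' ;;
    esac
}

# Expand a --list-all listing (stdin) into one open port/proto per line,
# resolving service names through service_ports.
open_ports() {
    awk '$1 == "services:" { for (i = 2; i <= NF; i++) print "svc", $i }
         $1 == "ports:"    { for (i = 2; i <= NF; i++) print "port", $i }' |
    while read -r kind val; do
        if [ "$kind" = svc ]; then
            for p in $(service_ports "$val"); do echo "$p"; done
        else
            echo "$val"
        fi
    done
}

# Print every required port/proto that is not open; return 1 if any is missing.
missing_ports() {  # "<listing text>"
    openlist=" $(printf '%s\n' "$1" | open_ports | tr '\n' ' ') "
    rc=0
    for req in $REQUIRED; do
        case "$openlist" in
            *" $req "*) ;;
            *) echo "$req"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listings: one matching the commands above, one with
# kpasswd, dns and ntp forgotten.
SAMPLE_OK='public (active)
  target: default
  interfaces: ens160
  services: ssh dhcpv6-client ntp http https ldap ldaps kerberos kpasswd dns
  ports: 53/tcp 53/udp'
SAMPLE_MISSING='public (active)
  target: default
  interfaces: ens160
  services: ssh dhcpv6-client http https ldap ldaps kerberos
  ports:'

for s in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if missing_ports "$s" >/dev/null; then
        echo "listing OK"
    else
        echo "listing is missing: $(missing_ports "$s" | tr '\n' ' ')"
    fi
done
```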

Check

Obtain a Kerberos ticket:

[[email protected] ~]$ kinit admin
Password for admin@DOMAIN.LOCAL:

Check the received ticket:

[[email protected] ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@DOMAIN.LOCAL

Valid starting       Expires              Service principal
11/05/2019 15:55:28  11/06/2019 15:55:20  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

If an error occurs at any stage, the FreeIPA server can be uninstalled and the installation repeated:

[[email protected] ~]$ sudo ipa-server-install --uninstall -U

To open the web interface, the server's IP address and domain name must be present in the hosts file of the machine you browse from; then enter the server's domain name in the browser.
