In this guide, we’ll look at how to Install FreeIPA Server on CentOS 7. Once you have FreeIPA running, your problems of having to manually manage user accounts/authentication on Linux Systems will come to an end. Initially, I used vanilla OpenLDAP server for identity management, it is real pain in the neck to administer.
For those new to FreeIPA, it is an Identity management system which aims to provide an easily managed Identity, Policy, and Audit for users.
FreeIPA is an Open Source project sponsored by Red Hat. It is upstream for the commercial Red Hat Identity Manager. On the client side, there is a client application used to configure target systems.
For other servers, have a look at:
FreeIPA installation Minimum requirements
- Server with 4gb ram – I got failed installations for 1GB and 2GB RAM
- CentOS server – can be CentOS 7.x or CentOS 6.x
- 2 vCPUs
- Port 443 and 80 not used by another application
- FQDN – Resolvable over public or private DNS server
- 10 GB Disk space
Install FreeIPA Server on CentOS 7
There are a few settings that we need to satisfy before installing FreeIPA on our CentOS server.
Step 1: Update system
I’m going to add the epel repository and update all packages installed on the system.
sudo yum -y install epel-release sudo yum -y update sudo yum install bind-utils vim
Once the system is updated, proceed to install FreeIPA server packages.
Step 2: Install FreeIPA Server packages
The packages you install depends on which services you need IPA to provide. If you don’t need DNS service, just install ipa-server package:
sudo yum -y install ipa-server
If you want to include DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:
sudo yum -y install ipa-server-dns bindipa-server bind-dyndb-ldap
Step 3: Setup IPA Server
Configuring FreeIPA server is a straightforward process, you only need to answer few questions and everything will be configured. If you don’t have DNS server to resolve server hostname, modify /etc/hosts file to include hostname and IP address.
$ sudo vim /etc/hosts 172.16.11.20 ipa.computingpost.com
Configure server hostname to match above name:
sudo hostnamectl set-hostname ipa.computingpost.com
Then run ipa-server-install command to configure IPA server. You need to execute this as root user:
If you want to configure DNS service as well, include –setup-dns option:
sudo ipa-server-install --setup-dns
You will be prompted to provide answers to a number of questions:
$ sudo ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd Do you want to configure integrated DNS (BIND)? [no]: Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form
. Example: master.example.com. Server host name [ipa.computingpost.com]: The domain name has been determined based on the host name. Please confirm the domain name [computingpost.com]: The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [COMPUTINGPOST.COM]: Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): The IPA Master Server will be configured with: Hostname: ipa.computingpost.com IP address(es): 192.168.x.x Domain name: computingpost.com Realm name: COMPUTINGPOST.COM Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 30 seconds ..... Client configuration complete. The ipa-client-install command was successful ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password ...
Do you want to configure integrated DNS (BIND)? [no]: no –> Answer yes if you want to enable DNS service (bind)
Server hostname [ipa.
Step 4: Configure Firewalld for FreeIPA
If you have firewall service running – Firewalld for CentOS 7.x, you need to Open some ports required by FreeIPA services. The ports to open are:
TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp
Use the following commands to configure firewalld:
sudo firewall-cmd --add-service=dns,freeipa-ldap,freeipa-ldaps --permanent sudo firewall-cmd --reload
Step 5: Access FreeIPA Web interface
Having opened firewall ports and configured FreeIPA server, you can access its admin web interface for administering. All IPA tasks can be done on the web interface or using the ipa command line tool. Access admin dashboard using https://ipa.
computingpost.com. Replace ipa.computingpost.com with your hostname.
After logging in. you should see an interface like below:
To use ipa command, you need to first get a Kerberos ticket.
# kinit admin Password for [email protected]:
Check ticket expiry information using klist.
# klist Ticket cache: KEYRING:persistent:0:0 Default principal: [email protected] Valid starting Expires Service principal 06/01/2018 20:14:49 06/02/2018 20:14:44 krbtgt/[email protected]
Test by listing adding a user account and listing accounts present:
# ipa user-add jmutai \ --first=Josphat --last=Mutai \ [email protected] \ --shell=/bin/bash --password Password: Enter Password again to verify: ------------------- Added user "jmutai" ------------------- User login: jmutai First name: Josphat Last name: Mutai Full name: Josphat Mutai Display name: Josphat Mutai Initials: JM Home directory: /home/jmutai GECOS: Josphat Mutai Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 839400001 GID: 839400001 Password: True Member of groups: ipausers Kerberos keys available: True
Get User Accounts:
# ipa user-find --------------- 2 users matched --------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Principal alias: [email protected] UID: 839400000 GID: 839400000 Account disabled: False User login: jmutai First name: Josphat Last name: Mutai Home directory: /home/jmutai Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 839400001 GID: 839400001 Account disabled: False ---------------------------- Number of entries returned 2 ----------------------------
On your first log in using LDAP account, you’ll be asked to change your password:
$ ssh [email protected] The authenticity of host 'localhost (
)' can't be established. ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4. ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. Password: Password expired. Change your password now. Current Password: New password: Retype new password: Could not chdir to home directory /home/jmutai: No such file or directory
Step 6: Secure FreeIPA Server With Let’s Encrypt SSL Certificate
After installation we recommend using secure SSL on your FreeIPA Server. If running on a public instance follow our guide in the next link:
After setting up FreeIPA Server, you would probably want to configure FreeIPA client, for this refer to: