Install and Configure FreeIPA Server on Rocky Linux 8


Today’s guide covers the installation and configuration of FreeIPA Server on a Rocky Linux 8 system. FreeIPA is an open source solution that provides a unified, centralized way to manage authentication, policies, identity stores, and authorization in a Linux-based domain. It was created to reduce the overhead for Linux administrators of managing systems and services one at a time across the infrastructure. With FreeIPA Identity Management, system administrators can set different access levels for users using host-based access control, delegation, and other rules.

FreeIPA is one of the few free-to-use centralized policy, identity, and authorization solutions fit for enterprise use. It offers advanced features and support for:

  • Large groups of Linux machines
  • Native integration with Windows Active Directory
  • Advanced features of Linux operating system environments
  • Full multi master replication for higher redundancy and scalability
  • Provision of extensible management interfaces (Web UI, CLI, XMLRPC and JSONRPC API) and Python SDK

In this short article we’ll install and configure FreeIPA on Rocky Linux 8. We’re performing this setup on a freshly installed Rocky Linux 8 server. Since IPA service ports can conflict with other Linux services, installing on a new system is recommended.

Key Benefits of using FreeIPA

  • Central Authentication Management: Centralized management of users, machines, and services within large Linux/Unix enterprise environments.
  • Fine-grained Access Control: Provides a clear method of defining access control policies to govern user identities and delegation of administrative tasks.
  • One Time Password (OTP): Provides a popular method for achieving two-factor authentication (2FA).
  • Direct Connect to Active Directory: You can retrieve information from Active Directory (AD) and join a domain or realm in a standard way.
  • Active Directory Cross-Realm Trust: As System Administrator, you can establish cross-forest Kerberos trusts with Microsoft Active Directory. This allows external Active Directory (AD) users convenient access to resources in the Identity Management domain.
  • Integrated Public Key Infrastructure (PKI) Service: This provides PKI services that sign and publish certificates for hosts and services, Certificate Revocation List (CRL) and OCSP services for software validating the published certificate, and an API to request, show, and find certificates.

Step 1: Set hostname, Timezone, Update System

Let’s start with correct configuration of the system hostname.

sudo hostnamectl set-hostname idm.example.com

The host name must be a fully qualified domain name, such as idm.example.com.

Once the hostname has been configured, set the system timezone to match your region:

sudo timedatectl set-timezone Africa/Nairobi
sudo timedatectl set-local-rtc 0

Confirm your settings:

$ timedatectl
               Local time: Fri 2021-07-16 21:28:38 EAT
           Universal time: Fri 2021-07-16 18:28:38 UTC
                 RTC time: Fri 2021-07-16 18:28:38
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Step 2: Check FreeIPA installation requirements

FreeIPA server comprises the following key components as its building blocks:

  • MIT Kerberos KDC – Provides the single sign-on authentication solution
  • 389 Directory Server – Main data store; provides a full multi-master LDAPv3 directory infrastructure.
  • Dogtag Certificate System – Provides the CA and RA used for certificate management functions.
  • ISC BIND DNS server – BIND is the default domain name resolution service in FreeIPA.
  • Web UI / CLI Interface – Used to centrally manage access control, delegation of administrative tasks and other network administration tasks.
  • NTP Server – For time synchronization across the fleet of nodes joined to the domain

Here are the minimum hardware requirements for installing FreeIPA Server on Rocky Linux 8:

  • Minimum 4GB memory
  • Minimum of 2 vCPUs
  • A fully qualified domain name used as the IdM domain – must be resolvable from the DNS server configured on the system
  • Minimum of 10 GB Disk space availability

You can check the hardware requirements by using the commands below:

# CPU cores
$ lscpu

# Memory check
$ free -h

# Disk space
$ lsblk -fp

Edit the /etc/hosts file and add the server’s IP address and matching hostname:

$ sudo vi /etc/hosts
192.168.10.6 idm.example.com

Confirm that all the requirements are met, then proceed to install FreeIPA Server on Rocky Linux 8.

Confirm that the hostname does not resolve to the loopback address, but only to the system’s public IP address:

dig +short idm.example.com A

Verify that the reverse DNS configuration (PTR record) is set correctly on your DNS server using the dig command:

$ dig +short -x 

Below is a list of ports used by IPA IdM to communicate with the services:

[Image: IPA server port requirements]

Additionally, ports 8080, 8443, and 749 must be free as they are used internally.
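The hostname, resolution and port checks above can be run as one pre-flight script before starting the installer. This is an added example, not part of the original guide or of FreeIPA itself; it assumes bash, getent, awk and ss (iproute2) are present, as on Rocky Linux 8, and the sample ss output embedded for the self-check is constructed.

```bash
#!/usr/bin/env bash
# Pre-flight checks before ipa-server-install (added example, not from the guide or FreeIPA).
# Assumed: bash, getent, awk and ss (iproute2) are available, as on Rocky Linux 8.
# Ports this guide lists as needed by IPA (TCP 8080/8443/749 are used internally).
IPA_TCP_PORTS="80 443 389 636 88 464 8080 8443 749"
IPA_UDP_PORTS="88 464 123"

# Constructed sample of `ss -Hltn` output for the self-check below (not from a real host).
SAMPLE_SS='LISTEN 0 128    0.0.0.0:22      0.0.0.0:*
LISTEN 0 128    0.0.0.0:389     0.0.0.0:*
LISTEN 0 128       [::]:22         [::]:*'

# 0 if $1 is fully qualified: two or more labels of [A-Za-z0-9-], no leading/trailing '-'.
is_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# 0 if $1 is a loopback address; a hostname that resolves there breaks IPA's service records.
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *)         return 1 ;;
  esac
}

# 0 if port $1 appears as a local listening port in the `ss -Hltn`/`ss -Hlun` output in $2.
port_listening() {
  printf '%s\n' "$2" | awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                                      END { exit !found }'
}

# Live checks against this host; prints FAIL/WARN lines, returns non-zero on a hard failure.
run_preflight() {
  local host addrs a ptr p tcp udp rc=0
  host=$(hostname -f)
  is_fqdn "$host" || { echo "FAIL: hostname '$host' is not fully qualified"; return 1; }
  # Every address the resolver returns for the host, from /etc/hosts and DNS in nsswitch order.
  addrs=$(getent ahosts "$host" | awk '{ print $1 }' | sort -u)
  [ -n "$addrs" ] || { echo "FAIL: $host does not resolve"; return 1; }
  for a in $addrs; do
    is_loopback "$a" && { echo "FAIL: $host resolves to loopback $a; fix /etc/hosts"; return 1; }
    ptr=$(getent hosts "$a" | awk '{ print $2 }')   # reverse (PTR) lookup of the address
    [ "$ptr" = "$host" ] || echo "WARN: PTR for $a is '${ptr:-none}', expected $host"
  done
  tcp=$(ss -Hltn); udp=$(ss -Hlun)
  for p in $IPA_TCP_PORTS; do
    port_listening "$p" "$tcp" && { echo "FAIL: TCP port $p already in use"; rc=1; }
  done
  for p in $IPA_UDP_PORTS; do
    port_listening "$p" "$udp" && { echo "FAIL: UDP port $p already in use"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $host -> $(printf '%s ' $addrs)and required ports are free"
  return "$rc"
}

# Run the live checks only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  run_preflight
fi
```

Run it as `bash preflight.sh --run` on the server; any FAIL line must be fixed before ipa-server-install, a WARN on the PTR record points at the reverse zone check above.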

Step 3: Install FreeIPA Server on Rocky Linux 8

Next we install the FreeIPA packages on the Rocky Linux 8 server. No extra RPM repository is required; all packages and dependencies are available in the default OS repositories.

Upgrade and reboot the system:

sudo yum -y update
sudo reboot

In EL8-based systems, the packages necessary for installing FreeIPA server are shipped in a module stream called DL1. You’ll need to enable the stream before installing packages from it.

You can use the following command to list modules that contain IdM packages:

$ sudo yum module list idm
Rocky Linux 8 - AppStream                                                                                                          23 MB/s | 7.8 MB     00:00
Rocky Linux 8 - BaseOS                                                                                                            8.0 MB/s | 3.5 MB     00:00
Rocky Linux 8 - Extras                                                                                                             21 kB/s | 3.8 kB     00:00
Rocky Linux 8 - AppStream
Name            Stream                Profiles                                            Summary
idm             DL1                   adtrust, client, common [d], dns, server            The Red Hat Enterprise Linux Identity Management system module
idm             client [d]            common [d]                                          RHEL IdM long term support client module

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

As seen from the output, DL1 is the system Identity Management module stream. More information on the module can be checked using the command:

sudo dnf module info idm:DL1

Enable the idm:DL1 stream:

sudo yum module enable idm:DL1

Example output:

Rocky Linux 8 - AppStream                                                                                                         8.6 MB/s | 8.0 MB     00:00
Rocky Linux 8 - BaseOS                                                                                                             15 MB/s | 4.5 MB     00:00
Rocky Linux 8 - Extras                                                                                                             18 kB/s | 3.8 kB     00:00
Dependencies resolved.
==================================================================================================================================================================
 Package                                Architecture                          Version                                Repository                              Size
==================================================================================================================================================================
Enabling module streams:
 389-ds                                                                       1.4
 httpd                                                                        2.4
 idm                                                                          DL1
 pki-core                                                                     10.6
 pki-deps                                                                     10.6

Transaction Summary
==================================================================================================================================================================

Is this ok [y/N]: y
Complete!

Switch to the RPMs delivered through the idm:DL1 stream:

sudo yum distro-sync

Choose one of the following options, depending on your IdM requirements:

  • Installing IdM server without an integrated DNS:
sudo yum module install idm:DL1/server
  • Installing FreeIPA server with an integrated DNS:
sudo yum module install idm:DL1/dns
  • Installing FreeIPA server that has a trust agreement with Active Directory:
sudo yum module install idm:DL1/adtrust
  • For multiple profiles, e.g. the dns and adtrust profiles:
sudo yum module install idm:DL1/dns,adtrust
  • For the FreeIPA client:
sudo yum module install idm:DL1/client

Run FreeIPA Server installer

We can now run the ipa-server-install utility. The installer writes a log file to /var/log/ipaserver-install.log:

sudo ipa-server-install

The script prompts for several required settings and offers recommended default values in brackets.

  • To accept a default value, press Enter.
  • To provide a custom value, enter the required value.

For a non-interactive installation of IdM without DNS:

sudo ipa-server-install --realm EXAMPLE.COM \
  --ds-password DM_password \
  --admin-password admin_password \
  --unattended

# OR
sudo ipa-server-install \
    --domain example.com \
    --realm EXAMPLE.COM \
    --ds-password DM_password \
    --admin-password admin_password

The minimum required options for non-interactive installation are:

  • --realm to provide the Kerberos realm name
  • --ds-password to provide the password for the Directory Manager (DM), the Directory Server super user
  • --admin-password to provide the password for admin, the IdM administrator
  • --unattended to let the installation process select default options for the host name and domain name

Non-interactive installation for IdM with integrated DNS:

sudo ipa-server-install --domain example.com --realm EXAMPLE.COM \
    --reverse-zone=10.168.192.in-addr.arpa. \
    --no-forwarders \
    --no-ntp \
    --setup-dns \
    --ds-password DM_password \
    --admin-password admin_password \
    --unattended

Interactive installation

Here is an excerpt from my installation:

$ sudo ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [idm.example.com]: idm.example.com

The domain name has been determined based on the host name.

Please confirm the domain name [example.com]: example.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.COM]: EXAMPLE.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org,1.de.pool.ntp.org
Enter a NTP source pool address, or press Enter to skip:

The IPA Master Server will be configured with:
Hostname:       idm.example.com
IP address(es): 192.168.10.6
Domain name:    example.com
Realm name:     EXAMPLE.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining:     self-signed

NTP server:	0.de.pool.ntp.org
NTP server:	1.de.pool.ntp.org
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Warning: IPA was unable to sync time with chrony!
         Time synchronization is required for IPA to work correctly
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: tune ldbm plugin
.....

Output of a successful installation:

......
Sudoers I/O plugin version 1.8.29
Client hostname: idm.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: idm.example.com
BaseDN: dc=example,dc=com

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.hh7e7u2h.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

If you have firewalld running, allow the following services in the default zone (firewall-cmd takes one service name per --add-service, so the brace expansion below passes each service as its own option):

# Without integrated DNS
sudo firewall-cmd --permanent --add-service={ntp,freeipa-4}

# With DNS
sudo firewall-cmd --permanent --add-service={ntp,dns,freeipa-4}

Then reload firewalld configuration for the change to take effect immediately:

sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Step 4: Access FreeIPA Management Dashboard

After installation, the FreeIPA web-based administration console can be accessed over HTTPS using the server hostname:

https://idm.example.com

Ignore the SSL warning by clicking “Advanced” > “Proceed to idm.example.com (unsafe)”. The warning appears because your browser does not yet trust the CA that the installer created.


Log in with the admin username and password set during installation.


Upon successful login you’re presented with the FreeIPA management dashboard.

Step 5: Secure FreeIPA Server With Let’s Encrypt SSL Certificate

After installation, we recommend securing your FreeIPA server with a trusted SSL certificate. If it is running on a public instance, follow our guide in the next link:

Step 6: Using CLI Interface to Manage FreeIPA Server

The ipa command can be used to perform all FreeIPA server operations.

But first, obtain a Kerberos ticket for the admin user:

$ sudo kinit admin
Password for admin@EXAMPLE.COM:

Check the ticket expiry information using klist:

$ sudo klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
08/02/2021 17:42:38  08/03/2021 17:42:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Set the default login shell for new users to /bin/bash:

$ sudo ipa config-mod --defaultshell=/bin/bash 
   Maximum username length: 32
   Home directory base: /home
   Default shell: /bin/bash
   Default users group: ipausers
   Default e-mail domain: example.com
   Search time limit: 2
   Search size limit: 100
   User search fields: uid,givenname,sn,telephonenumber,ou,title
   Group search fields: cn,description
   Enable migration mode: FALSE
   Certificate Subject base: O=EXAMPLE.COM
   Password Expiration Notification (days): 4
   Password plugin features: AllowNThash, KDC:Disable Last Success
   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
   Default SELinux user: unconfined_u:s0-s0:c0.c1023
   Default PAC types: MS-PAC, nfs:NONE
   IPA masters: ipa.example.com
   IPA CA servers: ipa.example.com
   IPA CA renewal master: ipa.example.com
   IPA master capable of PKINIT: ipa.example.com

Test by adding a user account and listing the accounts present:

$ sudo ipa user-add test --first=Test --last=User \
  --email=test@example.com --password

Password: 
Enter Password again to verify: 
-------------------
 Added user "test"
-------------------
   User login: test
   First name: Test
   Last name: User
   Full name: Test User
   Display name: Test User
   Initials: TU
   Home directory: /home/test
   GECOS: Test User
   Login shell: /bin/bash
   Principal name: test@EXAMPLE.COM
   Principal alias: test@EXAMPLE.COM
   User password expiration: 20210802153038Z
   Email address: test@example.com
   UID: 1201400001
   GID: 1201400001
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True

To list the user accounts present, run:

$ sudo ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@EXAMPLE.COM
  UID: 1201400000
  GID: 1201400000
  Account disabled: False

  User login: test
  First name: Test
  Last name: User
  Home directory: /home/test
  Login shell: /bin/bash
  Principal name: test@EXAMPLE.COM
  Principal alias: test@EXAMPLE.COM
  Email address: test@example.com
  UID: 1201400001
  GID: 1201400001
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------

Try to log in as the test user. On your first login, you’ll be asked to change your password:

$ ssh [email protected]
Password: 
Password expired. Change your password now.
Current Password: 
New password: id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) cont

If you want to modify the user password expiry period, refer to the following guide:

You can explore the interface to understand the placement of the various FreeIPA management functions. In the guides to follow we cover usage examples of how FreeIPA server can help with infrastructure-wide user, group, host and policy management. Stay connected for updates.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.