In this article we discuss in detail the installation and configuration of FreeIPA Server on Rocky Linux 9 / AlmaLinux 9 system. FreeIPA is popular and widely used identity management solution useful in management of user authentication, creation and enforcement of policies, identity stores, and authorization policies in a Linux domain. FreeIPA aims at eliminating the overhead for Linux Administrators working in medium to large scale Linux powered infrastructures.
Some of the advanced features of FreeIPA are;
- Support for large groups of Linux machines
- Has native integration with Windows Active Directory
- Advanced features of Linux operating system environments
- Full multi master replication for higher redundancy and scalability
- Provision of extensible management interfaces (Web UI, CLI, XMLRPC and JSONRPC API) and Python SDK
Key Benefits of using FreeIPA
- Central Authentication Management – Centralized management of users, machines, and services within large Linux/Unix enterprise environments.
- Fine-grained Access Control: Provides a clear method of defining access control policies to govern user identities and delegation of administrative tasks.
- One Time Password (OTP): Provides a popular method for achieving two-factor authentication (2FA).
- Direct Connect to Active Directory: You can retrieve information from Active Directory (AD) and join a domain or realm in a standard way.
- Active Directory Cross-Realm Trust: As System Administrator, you can establish cross-forest Kerberos trusts with Microsoft Active Directory. This allows external Active Directory (AD) users convenient access to resources in the Identity Management domain.
- Integrated Public Key Infrastructure (PKI) Service: This provides PKI services that sign and publish certificates for hosts and services, Certificate Revocation List (CRL) and OCSP services for software validating the published certificate, and an API to request, show, and find certificates.
Ensure this installation is done on a freshly install Rocky Linux 9 / AlmaLinux 9 system to since IPA services ports could conflict with other Linux services.
Step 1: Update system, set hostname, timezone
Update your Rocky Linux / AlmaLinux 8 server:
sudo yum -y update sudo reboot
Once rebooted, set correct system hostname.
sudo hostnamectl set-hostname ipa.example.com
The host name must be a fully qualified domain name, such as ipa.example.com. Once set also configure system timezone to match your region:
sudo timedatectl set-timezone Africa/Nairobi
Confirm your timezone settings:
$ timedatectl Local time: Wed 2022-07-27 21:44:27 EAT Universal time: Wed 2022-07-27 18:44:27 UTC RTC time: Wed 2022-07-27 18:44:27 Time zone: Africa/Nairobi (EAT, +0300) System clock synchronized: yes NTP service: active RTC in local TZ: no
Step 2: Check FreeIPA server installation pre-reqs
Key FreeIPA server components are:
- MIT Kerberos KDC – Provides Single-Sign-on authentication solution
- 389 Directory Server – Main data store and provides a full multi-master LDAPv3 directory infrastructure.
- ISC Bind DNS server – Bind is the default Domain name resolution service in FreeIPA.
- Dogtag Certificate System – This component provides CA & RA used for certificate management functions.
- NTP Server – For time synchronization across fleet of nodes joined to the domain
- Web UI / CLI Interface– Used to centrally manage access control, the delegation of administrative tasks and other network administration tasks.
Minimum hardware requirements when installing FreeIPA Server on Rocky Linux 9 / AlmaLinux 9:
- 4GB RAM
- 2 vCPUs
- FQDN – It must be resolvable from DNS server configured in the system
- Minimum of 10 GB Disk space availability
Use commands shared below to check CPU, Memory and disk space on your Rocky Linux 9 / AlmaLinux 9 instance.
# CPU Cores $ grep -c ^processor /proc/cpuinfo 4 # Memory check $ free -h # Disk space $ lsblk -fp
Add FreeIPA Server IP address and its DNS name inside the
$ sudo vi /etc/hosts 172.20.30.252 ipa.example.com
Validate your IP settings:
$ hostname --ip-address 172.20.30.252
Verify the reverse DNS configuration (PTR records) is set correctly in your DNS Server using dig command:
$ dig +short -x
Step 3: Install FreeIPA server on Rocky Linux 9 / AlmaLinux 9
Next we perform the installation of FreeIPA packages on Rocky Linux 9 / AlmaLinux 9 server. No extra RPM repository is required, all the packages and dependencies are available in default OS default repositories.
Install all FreeIPA server and client packages with the following commands:
sudo dnf -y install freeipa-server freeipa-server-dns freeipa-client
Run FreeIPA server installer
FreeIPA server configurations is done using the
ipa-server-install command line tool. The installer script will create a log file at /var/log/ipaserver-install.log:
The script prompts for several required settings and offers recommended default values in brackets.
- To accept a default value, press Enter.
- To provide a custom value, enter the required value.
For Non-interactive installation for IdM without DNS:
sudo ipa-server-install --realm EXAMPLE.COM \ --ds-password DM_password \ --admin-password admin_password \ --unattended # OR sudo ipa-server-install \ --domain example.com \ --realm EXAMPLE.COM \ --ds-password DM_password \ --admin-password admin_password
The minimum required options for non-interactive installation are:
--realmto provide the Kerberos realm name
--ds-passwordto provide the password for the Directory Manager (DM), the Directory Server super user
--admin-passwordto provide the password for
admin, the IdM administrator
--unattendedto let the installation process select default options for the host name and domain name
Non-interactive installation for IdM with integrated DNS:
sudo ipa-server-install --domain example.com --realm EXAMPLE.COM \ --reverse-zone=30.20.172.in-addr.arpa. \ --no-forwarders \ --no-ntp \ --setup-dns \ --ds-password StrongDMPassw0rd \ --admin-password StrongDMPassw0rd \ --unattended
Interactive installation of FreeIPA server
See below for complete prompts you’ll get during installation and expected responses:
$ sudo ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. Version 4.9.8 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure SID generation * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. Do you want to configure integrated DNS (BIND)? [no]: yes Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form
. Example: master.example.com. Server host name [ipa.example.com]: ipa.example.com The domain name has been determined based on the host name. Please confirm the domain name [example.com]: example.com The kerberos protocol requires a Realm name to be defined. This is typically the domain name converted to uppercase. Please provide a realm name [EXAMPLE.COM]: EXAMPLE.COM Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and has full access to the Directory for system management tasks and will be added to the instance of directory server created for IPA. The password must be at least 8 characters long. Directory Manager password: Password (confirm): The IPA server requires an administrative user, named 'admin'. This user is a regular system account used for IPA server administration. IPA admin password: Password (confirm): Do you want to configure chrony with NTP server or pool address? [no]: yes Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org,1.de.pool.ntp.org Enter a NTP source pool address, or press Enter to skip: The IPA Master Server will be configured with: Hostname: ipa.example.com IP address(es): 172.20.30.252 Domain name: example.com Realm name: EXAMPLE.COM The CA will be configured with: Subject DN: CN=Certificate Authority,O=EXAMPLE.COM Subject base: O=EXAMPLE.COM Chaining: self-signed NTP server: 0.de.pool.ntp.org NTP server: 1.de.pool.ntp.org Continue to configure the system with these values? [no]: yes The following operations may take some minutes to complete. Please wait until the prompt is returned. Disabled p11-kit-proxy Synchronizing time Configuration of chrony was changed by installer. Attempting to sync time with chronyc. Process chronyc waitsync failed to sync time! Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network. Warning: IPA was unable to sync time with chrony! Time synchronization is required for IPA to work correctly Configuring directory server (dirsrv). Estimated time: 30 seconds [1/41]: creating directory server instance [2/41]: tune ldbm plugin .....
If your FreeIPA server installation on Rocky Linux 9 / AlmaLinux 9 was successful, expect output similar to this:
...... Sudoers I/O plugin version 1.8.29 Client hostname: ipa.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: ipa.example.com BaseDN: dc=example,dc=com Configured sudoers in /etc/authselect/user-nsswitch.conf Configured /etc/sssd/sssd.conf Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring example.com as NIS domain. Client configuration complete. The ipa-client-install command was successful Please add records in this file to your DNS system: /tmp/ipa.system.records.hh7e7u2h.db ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful
Open FreeIPA service ports on the firewall
A list of FreeIPA service ports are as listed in the following table:
Let’s open the ports on the firewall using
sudo firewall-cmd --add-service=dns,ntp,freeipa-ldap,freeipa-ldaps --permanent
Then reload firewalld configuration for the change to take effect immediately:
sudo firewall-cmd --reload
List allowed services on the firewall:
$ sudo firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens18 sources: services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps ntp ssh ....
Step 4: Access FreeIPA Management Dashboard
After installation FreeIPA Server web-based administration console can be accessed using the server hostname on https:
Ignore SSL warning by clicking “Advanced” > “Proceed to ipa.example.com (unsafe)“
Login with admin username and password set during installation.
Upon successful login you’re presented with an interface that has such a look:
Step 5: Secure FreeIPA With Let’s Encrypt SSL
After installation we recommend using secure SSL on your FreeIPA Server. If running on a public instance follow our guide in the next link:
Step 6: Manage FreeIPA using CLI Interface
The ipa command can be used to perform all FreeIPA server operations. But first, get admin user Kerberos ticket:
$ kinit admin Password for [email protected]:
Time validity of assigned ticket can be checked using
$ klist Ticket cache: KCM:0 Default principal: [email protected] Valid starting Expires Service principal 07/27/2022 17:42:38 07/28/2022 21:49:26 krbtgt/[email protected]
Set user’s default shell to
$ ipa config-mod --defaultshell=/bin/bash Maximum username length: 32 Home directory base: /home Default shell: /bin/bash Default users group: ipausers Default e-mail domain: example.com Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=EXAMPLE.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash, KDC:Disable Last Success SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC, nfs:NONE IPA masters: ipa.example.com IPA CA servers: ipa.example.com IPA CA renewal master: ipa.example.com IPA master capable of PKINIT: ipa.example.com
Test by adding a user account and listing accounts present:
$ ipa user-add test --first=Test --last=User [email protected] --password Password: Enter Password again to verify: ------------------- Added user "test" ------------------- User login: test First name: Test Last name: User Full name: Test User Display name: Test User Initials: TU Home directory: /home/test GECOS: Test User Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] User password expiration: 20210802153038Z Email address: [email protected] UID: 1201400001 GID: 1201400001 Password: True Member of groups: ipausers Kerberos keys available: True
To list user accounts added, run:
$ ipa user-find --------------- 2 users matched --------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Principal alias: [email protected] UID: 1201400000 GID: 1201400000 Account disabled: False User login: test First name: Test Last name: User Home directory: /home/test Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 1201400001 GID: 1201400001 Account disabled: False ---------------------------- Number of entries returned 2 ----------------------------
Try to login as
testuser. On your first log in, you’ll be asked to change your password:
$ ssh [email protected] Password: Password expired. Change your password now. Current Password: New password:
Retype new password: Activate the web console with: systemctl enable --now cockpit.socket [[email protected] ~]$ id uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) cont
If you want to modify user password expiry period refer to the following guide:
You can play with the interface to understand placement of various FreeIPA management functions. In the guides to follow we cover usage examples – how FreeIPA server can help in Infrastructure-wide user, groups, hosts and policy management. Stay connected for updates.