How to Install FreeIPA Server On Rocky Linux 8

In today's guide we will go through how to install FreeIPA Server on Rocky Linux 8. Let us first understand what FreeIPA is, what it does, and its key benefits.

Introduction

FreeIPA is an open source solution that provides a unified, centralized way to manage authentication, identity stores, and authorization policies in a Linux-based domain. It is designed to reduce the overhead for Linux administrators of managing every system and service in the infrastructure individually. With FreeIPA identity management, system administrators can grant users different access levels through host-based access control, delegation, and other rules.

FreeIPA is one of the few free-to-use centralized policy, identity, and authorization solutions fit for enterprise use. It offers advanced features and support for:

  • Large groups of Linux machines
  • Native integration with Windows Active Directory
  • Advanced features of Linux operating system environments
  • Full multi master replication for higher redundancy and scalability
  • Provision of extensible management interfaces (Web UI, CLI, XMLRPC and JSONRPC API) and Python SDK

Components

A FreeIPA server comprises the following key components as its building blocks:

  • MIT Kerberos KDC – Provides the single sign-on authentication solution
  • 389 Directory Server – The main data store; provides a full multi-master LDAPv3 directory infrastructure
  • Dogtag Certificate System – Provides the CA and RA used for certificate management
  • ISC BIND DNS server – BIND is the default domain name resolution service in FreeIPA
  • Web UI / CLI interface – Used to centrally manage access control, the delegation of administrative tasks and other network administration tasks
  • NTP server – For time synchronization across the fleet of nodes joined to the domain

Advantages

  • Central Authentication Management: Centralized management of users, machines, and services across multiple Linux/Unix enterprise environments.
  • Authorization & Access Control: Provides a clear method of defining access control policies that govern user identities and the delegation of administrative tasks.
  • Two-Factor Authentication (OTP): Provides a popular method for achieving two-factor authentication (2FA).
  • Integration with Active Directory: You can retrieve information from Active Directory (AD) and join a domain or realm in a standard way.
  • Active Directory Cross-Realm Trust: As a system administrator, you can establish cross-forest Kerberos trusts with Microsoft Active Directory. This gives external Active Directory (AD) users convenient access to resources in the Identity Management domain.
  • Public Key Infrastructure (PKI) Service: Provides PKI services that sign and publish certificates for hosts and services, Certificate Revocation List (CRL) and OCSP services for software validating the published certificates, and an API to request, show, and find certificates.

For more detail on FreeIPA, refer to the official FreeIPA documentation.

Requirements

Let us check the minimum hardware requirements for installing a FreeIPA server on Rocky Linux 8. If you need help installing Rocky Linux 8, follow our previous blog post, How To Install Rocky Linux 8.

  • RAM : 4 GB
  • vCPU : 2
  • Disk : 50 GB

Now let us look at the port requirements of the FreeIPA server. Below is a list of the ports FreeIPA IdM uses to communicate with its services:

Name          Destination port / Type     Purpose
HTTP/HTTPS    80 / 443 TCP                Web UI and IPA CLI admin tool communication
LDAP/LDAPS    389 / 636 TCP               Directory service communication
Kerberos      88 / 464 TCP and UDP        Communication for authentication
DNS           53 TCP and UDP              Name service; also used for autodiscovery, autoregistration and high-availability authentication (SSSD); optional
NTP           123 UDP                     Network Time Protocol; optional
kadmind       464 / 749 TCP               Used for principal generation, password changes, etc.

Also, ports 8080, 8443, and 749 must be free, as they are used internally.

Setting Hostname, time & system upgrades

Set a proper hostname (a fully qualified domain name), then the correct time zone and hardware clock mode:

sudo hostnamectl set-hostname idm.linuxquery.org
sudo timedatectl set-timezone Asia/Kolkata
sudo timedatectl set-local-rtc 0

Add an entry with the IP address and hostname to the hosts file:

$ sudo vi /etc/hosts
192.168.10.6 idm.linuxquery.org

Now verify that the hostname resolves to the system's public IP address and not the loopback address:

dig +short idm.linuxquery.org A

Also verify the reverse DNS configuration:

dig +short -x <ServerIPAddress>
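The checks above (a fully qualified hostname that resolves to a non-loopback address, and the ports from the table free before the installer runs) can be scripted. This is an added example, not part of FreeIPA; it assumes ss from iproute and getent are present, and the ss sample embedded in it is constructed only to demonstrate the port check.

```shell
# Pre-flight checks for a FreeIPA server host. Added example, not part of the
# FreeIPA project; the port lists are taken from the table in this guide.
IPA_TCP_PORTS="80 443 389 636 88 464 749 8080 8443"
IPA_UDP_PORTS="53 88 123 464"

# is_fqdn NAME: true when NAME has at least two labels and is not a localhost name
is_fqdn() {
  case "$1" in
    localhost|*.localdomain) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# is_loopback ADDR: true for 127.0.0.0/8 or ::1; the IPA hostname must not map there
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# busy_ports PROTO: read `ss -Hltn` (tcp) or `ss -Hlun` (udp) output on stdin and print
# every IPA port that is already bound; column 4 of ss output is Local Address:Port
busy_ports() {
  if [ "$1" = tcp ]; then wanted=$IPA_TCP_PORTS; else wanted=$IPA_UDP_PORTS; fi
  awk -v wanted="$wanted" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    { p = $4; sub(/.*:/, "", p); if ((p in want) && !(p in seen)) { seen[p] = 1; print p } }'
}

# Constructed sample of `ss -Hltn` output: sshd is fine, but something already holds 80 and 8443
SAMPLE_SS_TCP='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:8443 [::]:*'
demo_busy_ports() { printf '%s\n' "$SAMPLE_SS_TCP" | busy_ports tcp | tr '\n' ' '; }  # -> "80 8443 "

# preflight_live: run every check against this host; returns 1 on the first failure
preflight_live() {
  fqdn=$(hostname -f)
  is_fqdn "$fqdn" || { echo "hostname '$fqdn' is not fully qualified"; return 1; }
  addr=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
  [ -n "$addr" ] || { echo "$fqdn does not resolve; fix /etc/hosts or DNS"; return 1; }
  if is_loopback "$addr"; then echo "$fqdn resolves to loopback $addr"; return 1; fi
  busy="$(ss -Hltn | busy_ports tcp) $(ss -Hlun | busy_ports udp)"
  [ -z "$(echo $busy)" ] || { echo "ports already in use: $busy"; return 1; }
  echo "pre-flight OK: $fqdn -> $addr, required ports free"
}
if [ "${1:-}" = "--run" ]; then preflight_live; fi
```

Save it as ipa-preflight.sh and run `sh ipa-preflight.sh --run` on the host before ipa-server-install; a non-zero exit names the first problem found.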

Installation

Let us first upgrade the system to make sure the packages are up to date, followed by a reboot:

sudo yum -y update

sudo reboot

Enable the IPA module

$ sudo yum module enable idm:DL1

Example output:

Rocky Linux 8 - AppStream                           8.6 MB/s | 8.0 MB     00:00
Rocky Linux 8 - BaseOS                               15 MB/s | 4.5 MB     00:00
Rocky Linux 8 - Extras                               18 kB/s | 3.8 kB     00:00
Dependencies resolved.
================================================================================
 Package          Architecture     Version          Repository            Size
================================================================================
Enabling module streams:
 389-ds                            1.4
 httpd                             2.4
 idm                               DL1
 pki-core                          10.6
 pki-deps                          10.6

Transaction Summary
================================================================================

Is this ok [y/N]: y
Complete!

Make sure you switch to the RPMs delivered through the idm stream:

sudo yum distro-sync

Now, depending on your requirements, choose one of the following installation profiles:

IDM without integrated DNS

sudo yum module install idm:DL1/server

IDM with Integrated DNS

sudo yum module install idm:DL1/dns

Installing FreeIPA with a trust to an Active Directory server

sudo yum module install idm:DL1/adtrust

Installing FreeIPA with both integrated DNS and AD trust

sudo yum module install idm:DL1/{dns,adtrust}

Running IPA Installer

We will run the installer utility; it writes its log file to /var/log/ipaserver-install.log.

sudo ipa-server-install

The script prompts for several inputs and offers recommended default values in brackets in case you don't want to enter a custom value. To accept the default, press Enter and move on; otherwise provide your own input.

Sample for non-interactive installation without DNS

sudo ipa-server-install --realm LINUXQUERY.ORG \
    --ds-password DM_password \
    --admin-password admin_password \
    --unattended
# OR, naming the domain explicitly
sudo ipa-server-install \
    --domain linuxquery.org \
    --realm LINUXQUERY.ORG \
    --ds-password DM_password \
    --admin-password admin_password \
    --unattended

  • --realm to provide the Kerberos realm name
  • --ds-password to provide the password for the Directory Manager (DM), the Directory Server super user
  • --admin-password to provide the password for admin, the IdM administrator
  • --unattended to let the installation process select default options for the host name and domain name

Sample for non-interactive installation with integrated DNS

sudo ipa-server-install --domain linuxquery.org --realm LINUXQUERY.ORG \
    --reverse-zone=10.168.192.in-addr.arpa. \
    --no-forwarders \
    --no-ntp \
    --setup-dns \
    --ds-password DM_password \
    --admin-password admin_password \
    --unattended
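A small wrapper around the unattended invocation, which checks that the realm is the upper-cased domain (the convention the installer's own prompt describes), derives the reverse zone from the host address, and reads the two passwords from a root-only file instead of the shell history. This is an added example, not FreeIPA's own tooling; /root/ipa-secrets and the IPA_SECRETS variable are assumed names, and the installer flags are the ones used above plus --ip-address.

```shell
# Assemble and sanity-check an unattended ipa-server-install invocation before running
# it. Added example, not FreeIPA's own tooling; /root/ipa-secrets is an assumed path.

# reverse_zone IPV4: in-addr.arpa zone of the host's /24 (192.168.10.6 -> 10.168.192.in-addr.arpa.)
reverse_zone() { echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'; }

# check_realm DOMAIN REALM: the Kerberos realm is expected to be the domain in upper case
check_realm() { [ "$2" = "$(echo "$1" | tr '[:lower:]' '[:upper:]')" ]; }

# check_password PW: the installer rejects passwords shorter than 8 characters
check_password() { [ "${#1}" -ge 8 ]; }

# build_install_args DOMAIN REALM HOSTIP [dns|nodns]: print the non-secret flags, one per
# line, or return 1 with a reason when domain and realm disagree
build_install_args() {
  domain=$1 realm=$2 ip=$3 mode=${4:-nodns}
  check_realm "$domain" "$realm" || { echo "realm $realm does not match domain $domain" >&2; return 1; }
  printf '%s\n' "--domain=$domain" "--realm=$realm" "--ip-address=$ip"
  if [ "$mode" = dns ]; then
    printf '%s\n' "--setup-dns" "--no-forwarders" "--reverse-zone=$(reverse_zone "$ip")"
  fi
  printf '%s\n' "--unattended"
}

# run_install DOMAIN REALM HOSTIP [dns|nodns]: secrets come from a root-only file (mode 600)
# holding two lines, DM_PASSWORD=... and ADMIN_PASSWORD=..., so they never sit in shell history
run_install() {
  secrets=${IPA_SECRETS:-/root/ipa-secrets}
  [ "$(stat -c %a "$secrets")" = 600 ] || { echo "$secrets must be mode 600" >&2; return 1; }
  . "$secrets"
  check_password "$DM_PASSWORD" && check_password "$ADMIN_PASSWORD" \
    || { echo "passwords must be at least 8 characters" >&2; return 1; }
  args=$(build_install_args "$@") || return 1
  # args is one flag per line with no embedded spaces, so unquoted expansion is intended
  sudo ipa-server-install $args --ds-password "$DM_PASSWORD" --admin-password "$ADMIN_PASSWORD"
}

# Example: run_install linuxquery.org LINUXQUERY.ORG 192.168.10.6 dns
```

The passwords still appear in the process arguments for the duration of the install, so run this from a root shell on the host itself rather than over a shared jump box.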

Now let us see what the interactive installation looks like:

$ sudo ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.2

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.linuxquery.org.

Server host name [idm.linuxquery.org]: idm.linuxquery.org

The domain name has been determined based on the host name.

Please confirm the domain name [linuxquery.org]: linuxquery.org

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [LINUXQUERY.ORG]: LINUXQUERY.ORG
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: <Directory-Manager-Password>
Password (confirm): <Confirm-Directory-Manager-Password>

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org,1.de.pool.ntp.org
Enter a NTP source pool address, or press Enter to skip:

The IPA Master Server will be configured with:
Hostname: idm.linuxquery.org
IP address(es): 192.168.10.6
Domain name: linuxquery.org
Realm name: LINUXQUERY.ORG

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=LINUXQUERY.ORG
Subject base: O=LINUXQUERY.ORG
Chaining: self-signed

NTP server: 0.de.pool.ntp.org
NTP server: 1.de.pool.ntp.org
Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Warning: IPA was unable to sync time with chrony!
Time synchronization is required for IPA to work correctly
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: tune ldbm plugin
.....

On success, the end of the command output looks like this:

......

Sudoers I/O plugin version 1.8.29
Client hostname: idm.linuxquery.org
Realm: LINUXQUERY.ORG
DNS Domain: linuxquery.org
IPA Server: idm.linuxquery.org
BaseDN: dc=linuxquery,dc=org

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.hh7e7u2h.db
==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Allowing Firewall Ports

Without DNS

sudo firewall-cmd --permanent --add-service={ntp,freeipa-4}

With Integrated DNS

sudo firewall-cmd --permanent --add-service={ntp,dns,freeipa-4}

Reload the Firewall

sudo firewall-cmd --reload

sudo firewall-cmd --list-all

Accessing the Web URL

After installation, the FreeIPA web-based administration console can be accessed over HTTPS using the server hostname:

https://idm.linuxquery.org

Once the GUI loads, log in as admin with the password set during installation.
