Setting up FreeIPA Centos 7

About FreeIPA


As per Wikipedia, FreeIPA is an open-source project sponsored by Red Hat – which aims to provide an easily managed Identity, Policy, and Audit (IPA) suite primarily targeted towards networks of Linux and Unix computers. FreeIPA has goals and mechanisms comparable to those of Novell's Identity Manager or of Microsoft's Active Directory.

The reason i am looking to set this up on my home network is because i have a lot of servers (both physical and virtual) and i'd like to manage the authentication of them all from a central system. I did think about setting up a Windows Domain Controller instead, but seeing as 99% of the servers in use are linux machines, i figured something native would be better. i also didnt want to have to use the Windows server for DNS, I much prefer using BIND.

Prerequisites


As a lot of things in FreeIPA (and AD), correct hostname and DNS settings are a must. So we need to set the hostname and IP manually on this machine first.

echo 192.168.0.80 freeipa.example.com freipa >> /etc/hosts
echo freeipa.example.com > /etc/hostname

Once that is complete, we can start the installation.

Installation


Starting the installation of FreeIPA is simple. All it requires is:

yum install ipa-server


It does download quite a few dependencies. On my fresh (though fully updated) CentOS 7 install, i needed to grab around 500MB of packages. In total it installed 318 packages.
If you wish to manage your DNS records through FreeIPA, you will also need to install the bind-dyndb-ldap package and also the ipa-server-dns package. This can be done with:

yum install bind-dyndb-ldap ipa-server-dns


Setup


Now its time to actually setup FreeIPA. Run the following to begin the install.

ipa-server-install --setup-dns


During the install, it will ask you some questions. It will try to answer them itself, but if it fails to it will need your input. One of the main things you will need to add in is your Directory Manager password, which has to be 8 characters long, and then also your admin password. Also, it will ask you if you want to override the current DNS configuration, Say "Yes" to this.
Once this is done. It can take a good few minutes for FreeIPA to setup its ervices and configs. Best just leave it do its thing.
Once its complete, you will get some info in regards to which ports you need to open, Ill go through those in the next section. This is what the output looks like:
============================================================================== Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password


Firewall Settings


Now we need to allow a few ports through the firewall. These are the commands needed:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload


Finally, before we reboot, we need to tell FreeIPA to create homedirs that arent already created.

authconfig --enablemkhomedir --update


Now go ahead and reboot.

Loging In


Once your server is back up, you can go ahead and log into the web interface of FreeIPA and go about configuring your users, servers and DNS records. the username will be admin and the password will be whatever you have set in the config.

Using FreeIPA to authenticate OpenVPN users on pfSense

I have been fiddling with multiple different authentication methods to centralise the authentication across all my devices and services. ...… Continue reading

Zen Internet, IPv6 and pfsense

Published on February 19, 2017

Basic Telegraf, InfluxDB and Grafana setup

Published on January 26, 2017