Fattylewis.com

Setting up FreeIPA Centos 7

30 May 2016

About FreeIPA

As per Wikipedia, FreeIPA is an open-source project sponsored by Red Hat which aims to provide an easily managed Identity, Policy, and Audit (IPA) suite primarily targeted towards networks of Linux and Unix computers. FreeIPA has goals and mechanisms comparable to those of Novell’s Identity Manager or of Microsoft’s Active Directory.

The reason I am looking to set this up on my home network is because I have a lot of servers (both physical and virtual) and I’d like to manage the authentication of them all from a central system. I did think about setting up a Windows Domain Controller instead, but seeing as 99% of the servers in use are Linux machines, I figured something native would be better. I also didn't want to have to use the Windows server for DNS; I much prefer using BIND.

Prerequisites

As with a lot of things in FreeIPA (and AD), correct hostname and DNS settings are a must. So we need to set the hostname and IP manually on this machine first, using the fully qualified name followed by the short name as an alias.

echo "192.168.0.80 freeipa.example.com freeipa" >> /etc/hosts
echo freeipa.example.com > /etc/hostname

Once that is complete, we can start the installation.

Installation

Starting the installation of FreeIPA is simple. All it requires is:

yum install ipa-server

It does download quite a few dependencies. On my fresh (though fully updated) CentOS 7 install, I needed to grab around 500MB of packages. In total it installed 318 packages.

If you wish to manage your DNS records through FreeIPA, you will also need to install the bind-dyndb-ldap and ipa-server-dns packages. This can be done with:

yum install bind-dyndb-ldap ipa-server-dns

Setup

Now it's time to actually set up FreeIPA. Run the following to begin the install (drop --setup-dns if you are not letting FreeIPA manage DNS).

ipa-server-install --setup-dns

During the install, it will ask you some questions. It will try to answer them itself, but if it fails to, it will need your input. One of the main things you will need to enter is your Directory Manager password, which has to be at least 8 characters long, and then also your admin password. It will also ask you if you want to override the current DNS configuration; say "Yes" to this.

Once this is done, it can take a good few minutes for FreeIPA to set up its services and configs. Best just leave it to do its thing.

Once it's complete, you will get some info regarding which ports you need to open. I'll go through those in the next section. This is what the output looks like:

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open: 
		TCP Ports: 
		  * 80, 443: HTTP/HTTPS 
		  * 389, 636: LDAP/LDAPS 
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Firewall Settings

Now we need to allow a few ports through the firewall. These are the commands needed:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload

Finally, before we reboot, we need to tell the system to create home directories at first login for FreeIPA users that don't already have one.

authconfig --enablemkhomedir --update

Now go ahead and reboot.
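The two things the steps above depend on getting right are the hostname/hosts entry and the firewall services, so a quick check script is useful before and after the install. This is an added example, not a script from the original post; it assumes firewalld (as used above) and a host name that is a FQDN.

```shell
#!/bin/sh
# Sanity checks for the FreeIPA setup steps in this post (added example, not the
# post's own script). Assumes firewalld and that this host's name is a FQDN.

# firewalld service names the post adds; together they cover the ports listed
# in the ipa-server-install summary (80/443, 389/636, 88/464, 53, 123).
REQUIRED_SERVICES="ntp http https ldap ldaps kerberos kpasswd dns"

# is_fqdn NAME: succeed only if NAME has at least two dot-separated labels of
# letters, digits and hyphens (ipa-server-install will not accept a bare name).
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# hosts_line_ok LINE FQDN: succeed if an /etc/hosts line lists FQDN as the first
# name and its short name as the alias, the layout the post's echo creates.
hosts_line_ok() {
    want_fqdn=$2
    want_short=${want_fqdn%%.*}
    set -- $1
    [ "$#" -ge 3 ] && [ "$2" = "$want_fqdn" ] && [ "$3" = "$want_short" ]
}

# missing_services CURRENT: print the required services not present in CURRENT,
# a space-separated list like the output of 'firewall-cmd --list-services'.
missing_services() {
    missing=""
    for svc in $REQUIRED_SERVICES; do
        case " $1 " in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# check_host: run the checks against this machine (only when run with --live).
check_host() {
    name=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$name" && echo "hostname ok: $name" || echo "hostname is not a FQDN: $name"
    hosts_line_ok "$(grep -E "[[:space:]]$name([[:space:]]|\$)" /etc/hosts | head -n 1)" "$name" \
        && echo "/etc/hosts ok" || echo "/etc/hosts entry for $name missing or wrong"
    if command -v firewall-cmd >/dev/null 2>&1; then
        gaps=$(missing_services "$(firewall-cmd --list-services)")
        [ -z "$gaps" ] && echo "firewall ok" || echo "firewall still missing: $gaps"
    fi
}

if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it as `sh ipa-check.sh --live` on the server; a mistyped alias in /etc/hosts or a service left out of firewall-cmd shows up as a failed line.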

Logging In

Once your server is back up, you can go ahead and log into the web interface of FreeIPA and go about configuring your users, servers and DNS records. The username will be admin and the password will be whatever you set as the admin password during the install.

Tweet me @fatty_lewis if you like this post.
