How to Install FreeIPA in CentOS 7 and add a Client
How to Install FreeIPA in CentOS 7 and add a Client
FreeIPA is a free and open source identity management tool sponsored by Red Hat and it is the upstream for the Red Hat Identity Manager(IdM). In this guide, we will discuss on how to install and configure FreeIPA Server on CentOS 7 / RHEL 7 Linux server. FreeIPA Identity management system aims to provide an easy way of centrally managing Identity, Policy, and Audit for users and services. FreeIPA also provides the services like DNS and NTP.
What you get with FreeIPA
- Central Authentication Management.
- Fine-grained Access Control.
- One Time Password (OTP).
- Direct Connect to Active Directory.
- Integrated Public Key Infrastructure (PKI) Service.
FreeIPA Server is composed of the following Open Source Projects.
- 389 Directory Server
- MIT Kerberos KDC
- Dogtag Certificate System
- Bind DNS server (optional)
- Web UI / ipa Command Line tool
- NTP Server (optional)
Application Requirement:
- RAM = 4 GB
- CPU =2/4 vCPU
- Disk = 10 GB free space on /
- Internet Connection
- hostname : freeipa.example.com -- Resolvable FQDN
1. Set the hostname of your server if not set already
[root@freeipa /]# hostnamectl set-hostname "freeipa.example.com"
2. Update the server using yum update command and then reboot it
[root@freeipa /]# yum update -y;reboot
3. Update the "/etc/hosts" file
Run the below echo command to update /etc/hosts file, replace the ip address and hostname as per your setup.
[root@freeipa /]# echo -e "192.168.1.24\tfreeipa.example.com\t ip" >> /etc/hosts
Install FreeIPA packages
[root@freeipa /]# yum install ipa-server -y
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: d36uatko69830t.cloudfront.net
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: d36uatko69830t.cloudfront.net
Start the FreeIPA setup
Your Installation may not continue with following error if IPv6 is not disabled. If so follow this post.
ipapython.admintool: ERROR IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[root@freeipa /]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
The IPA Master Server will be configured with:
Hostname: freeipa.example.com
IP address(es): 192.168.1.24
Domain name: example.com
Realm name: example.com
Continue to configure the system with these values? [no]: yes
Hostname: freeipa.example.com
IP address(es): 192.168.1.24
Domain name: example.com
Realm name: example.com
Continue to configure the system with these values? [no]: yes
After entering "yes" to setup in "Continue to configure the system with these values", it will proceed to setup your FreeIPA server and once it has been setup successfully then we will get output something like below,
Done.
Restarting the KDC
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: freeipa.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: freeipa.example.com
BaseDN: dc=example,dc=com
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://freeipa.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
trying https://freeipa.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.S_gTln.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@freeipa /]#
Restarting the KDC
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: freeipa.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: freeipa.example.com
BaseDN: dc=example,dc=com
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://freeipa.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
trying https://freeipa.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.S_gTln.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@freeipa /]#
Verify FreeIPA processes
[root@freeipa /]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@freeipa /]#
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@freeipa /]#
Open Ports in Firewall:
# firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
success
# firewall-cmd --reload
success
With RHEL 7.2, new Firewalld FreeIPA configuration files have been created: freeipa-ldap and freeipa-ldapssuccess
# firewall-cmd --reload
success
To open the ports for http-TCP 80, https-TCP 443, kerberos-TCP/UDP 88, kpasswd-TCP/UDP 464, ntp-TCP 123, ldap-TCP 389, type:
# firewall-cmd –permanent –add-service freeipa-ldap
To open the ports for http-TCP 80, https-TCP 443, kerberos-TCP/UDP 88, kpasswd-TCP/UDP 464, ntp-TCP 123, ldaps-TCP 634, type:
# firewall-cmd –permanent –add-service freeipa-ldaps
Obtain a kerberos ticket using the command: 'kinit admin'
[root@freeipa /]# kinit admin
Password for admin@example.com:
[root@freeipa /]#
[root@freeipa /]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@example.com
Valid starting Expires Service principal
03/28/20 15:40:56 03/29/20 15:40:34 krbtgt/example.com@example.com
[root@freeipa /]#
Password for admin@example.com:
[root@freeipa /]#
[root@freeipa /]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@example.com
Valid starting Expires Service principal
03/28/20 15:40:56 03/29/20 15:40:34 krbtgt/example.com@example.com
[root@freeipa /]#
Allow User’s home directory creation automatically
[root@freeipa /]# authconfig --enablemkhomedir --update
FreeIPA admin portal will be available at:
https://freeipa.example.com/ipa/ui
Uninstall FreeIPA Server
[root@freeipa /]# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
-------------------------------------------------
Deleted IPA server "freeipa.example.com"
-------------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Removing IPA client configuration
Unconfigured automount client failed: Command '/usr/sbin/ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@freeipa /]#
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
-------------------------------------------------
Deleted IPA server "freeipa.example.com"
-------------------------------------------------
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Removing IPA client configuration
Unconfigured automount client failed: Command '/usr/sbin/ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command was successful
[root@freeipa /]#
Add a Client to FreeIPA
[root@freeipa ~]# yum install freeipa-client -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
[root@freeipa ~]# ipa-client-install --mkhomedir --force-ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Discovery was successful!
Client hostname: client1.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: freeipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=example.com
Issuer: CN=Certificate Authority,O=example.com
Valid From: 2020-03-28 15:28:34
Valid Until: 2040-03-28 15:28:34
Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
trying https://freeipa.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
trying https://freeipa.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://freeipa.example.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@freeipa ~]#
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
[root@freeipa ~]# ipa-client-install --mkhomedir --force-ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Discovery was successful!
Client hostname: client1.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: freeipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@example.com:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=example.com
Issuer: CN=Certificate Authority,O=example.com
Valid From: 2020-03-28 15:28:34
Valid Until: 2040-03-28 15:28:34
Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
trying https://freeipa.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
trying https://freeipa.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://freeipa.example.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@freeipa ~]#
Other FreeIPA Stories:
How to Install FreeIPA in CentOS 8 and add a ClientHow to Add FreeIPA User in command line interface (CLI) and Web UI
No comments