FreeIPA Server Setup

Introduction

FreeIPA is an open-source security solution for Linux which provides account management and centralized authentication, similar to Microsoft’s Active Directory. FreeIPA is built on top of multiple open source projects including the 389 Directory Server, MIT Kerberos, and SSSD.

FreeIPA has clients for CentOS 7, Fedora, and Ubuntu 14.04/16.04. These clients make it fairly straightforward to add machines into your IPA domain. Other operating systems can authenticate against FreeIPA using SSSD or LDAP.

In this tutorial, we will be installing the FreeIPA server on a CentOS 7 server. You can then configure client machines, allowing FreeIPA users to log in with their IPA credentials. We will be posting additional client configurations for CentOS, Ubuntu and Windows. The original guide can be found at DigitalOcean.

Prerequisites

  • CentOS 7 server with at least 1 GB of RAM.
  • A domain name, e.g. example.com

Step 1 — Preparing the IPA Server

Entropy: the installer generates keys for the CA and Kerberos, which can stall on a host with little entropy, so increase it first (the rngd steps below follow https://redhatlinux.guru/index.php/2016/04/03/increase-system-entropy-on-rhel-centos-6-and-7).

# Open the ports FreeIPA needs (53/tcp and 53/udp only matter if you install the integrated DNS)
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
firewall-cmd --reload
sudo yum install -y sudo

# Feed the kernel entropy pool from the hardware RNG so key generation during the install does not stall
yum install rng-tools -y
echo "EXTRAOPTIONS=\"--rng-device=drng --no-tpm=1\"" >> /etc/sysconfig/rngd
service rngd start

# DNS lookup tools, then make sure the server's own FQDN resolves to its address
yum install bind-utils -y
nano /etc/hosts
# add one line: IP address, fully qualified name, short name
your_server_ipv4 ipa.example.com ipa

# Install the server packages and run the interactive installer
yum install ipa-server -y
ipa-server-install
Verifying the FreeIPA Server Functions

First, verify that the Kerberos realm installed correctly by attempting to obtain a Kerberos ticket for the admin user.

  • kinit admin

If working correctly, this should prompt you for the IPA admin password entered during the install process. Type it in, then press ENTER.

Next, verify that the IPA server is functioning properly.

  • ipa user-find admin

This should print out the following:

Output
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@IPA.EXAMPLE.COM
  UID: 494800000
  GID: 494800000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------


For reference, this is the summary that ipa-server-install prints when it finishes. The port list matches the firewall rule from Step 1, apart from the optional DNS ports:

Setup complete
Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp
        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
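A quick way to confirm that the firewall really matches this summary is the following script, added here as an example and not part of the original guide or of FreeIPA itself. It compares the port list from the summary with what firewalld reports; the function names missing_ports and check_firewall are the script's own, and it assumes firewalld as used in Step 1.

```shell
#!/bin/sh
# Added example, not from the original guide: check that firewalld exposes
# every port the FreeIPA installer's "Next steps" summary says must be open.
# The required list is copied from that summary. The guide's firewall-cmd
# line also opens 53/tcp and 53/udp; those are needed only when the server
# is installed with the integrated DNS, so they are not treated as required.
IPA_REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# missing_ports "<open ports>"
#   Argument: a space-separated list in the format printed by
#   `firewall-cmd --list-ports`, e.g. "80/tcp 443/tcp".
#   Prints each required port that is absent (one per line) and returns
#   1 if any is missing, 0 if the firewall covers the whole list.
missing_ports() {
  open="$1"
  rc=0
  for req in $IPA_REQUIRED_PORTS; do
    found=0
    for cur in $open; do
      if [ "$cur" = "$req" ]; then
        found=1
        break
      fi
    done
    if [ "$found" -eq 0 ]; then
      echo "$req"
      rc=1
    fi
  done
  return $rc
}

# check_firewall: read the permanent rules of firewalld's default zone and
# report what is still missing, so the check can be re-run after a reload.
check_firewall() {
  if ! open=$(firewall-cmd --permanent --list-ports 2>/dev/null); then
    echo "firewall-cmd failed; is firewalld installed and running?" >&2
    return 2
  fi
  if missing=$(missing_ports "$open"); then
    echo "all required FreeIPA ports are open"
    return 0
  fi
  echo "missing ports (open with: firewall-cmd --permanent --add-port=PORT):" >&2
  echo "$missing" >&2
  return 1
}
```

Run check_firewall on the IPA server after `firewall-cmd --reload`; a non-zero exit means at least one port from the summary is still closed.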

By default, new IPA users get /bin/sh as their login shell. To change the server-wide default to /bin/bash:

# ipa config-show
Default shell: /bin/sh
# ipa config-mod --defaultshell=/bin/bash
Default shell: /bin/bash