
Install and Configure FreeIPA Server Centos7/RHEL7

FreeIPA is a free and open source identity management tool: an integrated security information management solution built on Linux and a directory server. It includes command line and web interface administration tools, and it is the upstream project for Red Hat Identity Manager. With a FreeIPA server we can easily achieve centralized authentication along with account management, policy (host-based access control) and audit. FreeIPA on CentOS 7/RHEL 7 also offers services such as DNS and PKI.
FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. Multiple FreeIPA servers can easily be configured in a FreeIPA domain to provide redundancy and scalability. A FreeIPA server delivers centralized authentication, account information and authorization by storing data about users, groups, hosts and other objects needed to manage the security features of a network of computers.

FreeIPA integrated solution packages:
Linux
MIT Kerberos
389 Directory Server
NTP
DNS
Web and command line administration and provisioning tool.
Active Directory Integration
Integration with WebLogic Server
Dogtag Certificate System.
In this tutorial we will describe how to install and configure FreeIPA Server on Centos 7.

IP Address: 10.1.2.34
Hostname: ipa.linuxpcfix.com
Set the FQDN Hostname of the server and apply the update.

[root@localhost ~]# hostnamectl set-hostname "ipa.linuxpcfix.com"
[root@localhost ~]# exec bash
[root@ipa.linuxpcfix.com ~]# vi /etc/hosts
10.1.2.34 ipa.linuxpcfix.com

Now update the server packages and reboot by executing the command below.

[root@ipa.linuxpcfix.com ~]# yum update; reboot

Install FreeIPA packages using the yum command
The FreeIPA RPM packages and their dependencies are available in the default package repositories. As we plan to use FreeIPA's integrated DNS, we will also install "ipa-server-dns".
Execute the command below to install FreeIPA and its dependencies.

[root@ipa ~]# yum install ipa-server ipa-server-dns

Start the FreeIPA installation setup using "ipa-server-install"
Once the packages are installed successfully, execute the command below to start the FreeIPA installation setup wizard.
It will ask a few questions, such as whether to configure integrated DNS, and for the domain name, host name, and realm name.

[root@ipa ~]# ipa-server-install

After confirming with yes at the prompt above, it will take some time to configure your FreeIPA server. Once the installation completes successfully, we will see output something like the following:

Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding ‘host_mod’ to json server ‘https://ipa.linuxpcfix.com/ipa/session/json’
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.linuxpcfix.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:

1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: ‘kinit admin’
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

The above output confirms that FreeIPA has been installed successfully.
Run the command below to create a user's home directory automatically after authentication (login).

[root@ipa ~]# authconfig --enablemkhomedir --update
[root@ipa ~]#

Note: If you get the following error while installing FreeIPA on a CentOS 7 server,

It basically occurs due to the dbus daemon. To resolve the issue, restart the dbus service (service dbus restart), remove the FreeIPA installation with the command "ipa-server-install --uninstall", and then try again.
Verify FreeIPA and Access The FreeIPA admin Console
Run the command below to check whether all FreeIPA services are running.

[root@ipa ~]# ipactl status
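
As a complement to ipactl status, the following added example (not part of the original tutorial) checks that each port from the installer's "Next steps" list has a listener on a non-loopback address. The function names and the sample ss output are constructed for illustration; the script checks listeners only, not firewall rules.

```shell
#!/bin/sh
# Ports the installer output says must be open, written as proto/port.
REQUIRED="tcp/80 tcp/443 tcp/389 tcp/636 tcp/88 tcp/464 tcp/53 udp/88 udp/464 udp/53 udp/123"

# Constructed sample of `ss -lntu` output (not captured from a real host).
# LDAPS (636) is bound to loopback only and NTP (123) is absent on purpose.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:53 *:*
udp UNCONN 0 0 *:88 *:*
udp UNCONN 0 0 *:464 *:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 *:443 *:*
tcp LISTEN 0 128 :::389 :::*
tcp LISTEN 0 128 127.0.0.1:636 *:*
tcp LISTEN 0 128 *:88 *:*
tcp LISTEN 0 128 *:464 *:*
tcp LISTEN 0 10 10.1.2.34:53 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*'

# listening_set: read ss output on stdin, print unique "proto/port" entries.
# Column 1 is Netid and column 5 is Local Address:Port. The port is the text
# after the last colon, which also covers IPv6 forms such as :::389.
# Loopback-only listeners are skipped because clients cannot reach them.
listening_set() {
    awk '$1 == "tcp" || $1 == "udp" {
             port = $5; sub(/.*:/, "", port)
             addr = substr($5, 1, length($5) - length(port) - 1)
             if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
             print $1 "/" port
         }' | sort -u
}

# missing_ports: read ss output on stdin, print each required proto/port
# that has no reachable listener, in the order given in REQUIRED.
missing_ports() {
    have=$(listening_set)
    for want in $REQUIRED; do
        printf '%s\n' "$have" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# On the IPA server itself, run:  ss -lntu | missing_ports
printf '%s\n' "$SAMPLE_SS" | missing_ports
```

An empty result means every required port has a listener; a port that is listening can still be blocked by the host firewall, which has to be checked separately.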

Finally, verify that the admin user can obtain a Kerberos ticket using the kinit command. Use the same admin password that we provided during the FreeIPA installation.

[root@ipa ~]# kinit admin
Password for admin@LINUXPCFIX.COM:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.LINUXPCFIX.COM
Valid starting Expires Service principal
01/25/2019 02:11:17 01/26/2019 02:11:10 krbtgt/IPA.LINUXPCFIX.COM@IPA.LINUXPCFIX.COM

Access the FreeIPA Server admin GUI Console using the URL:
https://ipa.linuxpcfix.com/ipa/ui

Enter the admin user name (admin) and the password that we specified during the installation.

If you can log in without any issue, you have successfully installed and configured the FreeIPA server on CentOS 7/RHEL 7.

About

I am the founder and webmaster of www.linuxpcfix.com, working as a Sr. Linux Administrator (expertise in Linux/Unix & Cloud Server), and have been in the industry for more than 14 years.
