FreeIPA - Install and Configuration

In this tutorial, I will show you how to install FreeIPA (an open-source integrated Identity and Authentication solution for Linux and Unix based systems) on CentOS 8.

What is FreeIPA?

FreeIPA is an open-source integrated Identity and Authentication solution for Linux and Unix based systems. It provides centralized authentication by storing data about users, groups, hosts, and other objects. It provides an integrated identity management service for Linux, Mac, and Windows.
FreeIPA is based on the 389 Directory Server, Kerberos, SSSD, Dogtag, NTP, and DNS. 
It provides a web-based interface to manage Linux users and clients in your realm from the central location.

The setup and configuration is a 2 step process, with a minimum of 2 machines...
  • a machine for installing FreeIPA server components
  • a machine for installing FreeIPA client components to connect and authenticate with the server

Step 1 : Install FreeIPA server

  1. Edit the '/etc/hosts' file and add your server IP and hostname.
    • 192.168.1.107 services.localhost.com    services
  2. By default, the FreeIPA package is not available in the CentOS standard repository.
      Enable the idm module with the below command
    • dnf module enable idm:DL1
    • Sync the repository with the below command
    • dnf distro-sync
    • Install the FreeIPA server
    • dnf install ipa-server ipa-server-dns -y
  3. ipa-server-install
      To accept the default shown in brackets, press the Enter key.
      Do you want to configure integrated DNS (BIND)? [no]:
      Server host name [freeipa.mydomain10.com]:services.localhost.com
      Please confirm the domain name [mydomain10.com]:services.localhost.com
       
      The kerberos protocol requires a Realm name to be defined.
      This is typically the domain name converted to uppercase.
      Please provide a realm name [MYDOMAIN10.COM]:
       
      Certain directory server operations require an administrative user.
      This user is referred to as the Directory Manager and has full access
      to the Directory for system management tasks and will be added to the
      instance of directory server created for IPA.
      The password must be at least 8 characters long.
       
      Directory Manager password:
      Password (confirm): <specify-pwd-here>
       
      The IPA server requires an administrative user, named 'admin'.
      This user is a regular system account used for IPA server administration.
       
      IPA admin password:
      Password (confirm): <specify-pwd-here>
       
      Do you want to configure chrony with NTP server or pool address? [no]:
      Continue to configure the system with these values? [no]: yes
      The ipa-server-install command was successful
  4. Configure firewall rules
    • firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
    • firewall-cmd --reload
  5. Open a browser and try to access https://services.localhost.com; you should be redirected to a login page (log in as user 'admin' with the IPA admin password you set above).

Step 2 : Install FreeIPA client

  1. Edit the '/etc/hosts' file and add the IPs and hostnames of both the server and the client.
    • 192.168.1.107 services.localhost.com    services
    • 192.168.1.103 ol83.localhost.com    ol83
  2. Install the FreeIPA client
    • yum install ipa-client
  3. ipa-client-install --mkhomedir
      Provide the domain name of your IPA server (ex: example.com): services.localhost.com
      Provide your IPA server name (ex: ipa.example.com): services.localhost.com
      Proceed with fixed values and no DNS discovery? [no]: yes
      Do you want to configure chrony with NTP server or pool address? [no]:
      Client hostname: ol83.localhost.com
      Realm: LOCALHOST.COM
      DNS Domain: services.localhost.com
      IPA Server: services.localhost.com
      BaseDN: dc=localhost,dc=com

      Continue to configure the system with these values? [no]: yes
      Synchronizing time
      No SRV records of NTP servers found and no NTP server or pool address was provided.
      Using default chrony configuration.
      Attempting to sync time with chronyc.
      Time synchronization was successful.
      User authorized to enroll computers:admin
      Password for admin@LOCALHOST.COM:<admin-pwd-goes-here>

      Successfully retrieved CA cert

      The ipa-client-install command was successful
       
  4. Open a browser and try to access https://services.localhost.com, then click on the 'Hosts' tab to see the newly enrolled client host listed.
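Both installers above depend on the same prerequisites: the host name is a FQDN, it sits inside the IPA domain, and /etc/hosts maps its IP to that FQDN as the first name on the line (so a reverse lookup returns the FQDN, not the short alias). The script below is an added pre-flight check, not part of the original tutorial or of FreeIPA itself; it assumes the IPA domain is localhost.com (as the client's Realm LOCALHOST.COM and BaseDN dc=localhost,dc=com imply) and runs offline against a constructed copy of the tutorial's hosts entries.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values ipa-server-install and
# ipa-client-install prompt for. POSIX sh only; no IPA tooling required.

# Kerberos realm is the DNS domain converted to upper case.
domain_to_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# LDAP base DN: each domain label becomes one dc= component.
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# 0 if the name has at least two labels and no trailing dot.
is_fqdn() {
    case "$1" in
        *.)  return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if hosts file $1 has a line whose first field is $2 (IP) and whose
# second field (the canonical name) is $3 (FQDN); comments are skipped.
hosts_entry_ok() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip && $2 == fqdn { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Run all checks for domain $1, host $2, IP $3 against hosts file $4.
# Prints the realm and base DN the installer will derive; returns 1 on the
# first failed check so it can gate the real installer run.
ipa_preflight() {
    pf_domain=$1; pf_host=$2; pf_ip=$3; pf_file=$4
    is_fqdn "$pf_host" || { echo "'$pf_host' is not a FQDN" >&2; return 1; }
    case "$pf_host" in
        *."$pf_domain") ;;
        *) echo "'$pf_host' is not inside domain '$pf_domain'" >&2; return 1 ;;
    esac
    hosts_entry_ok "$pf_file" "$pf_ip" "$pf_host" ||
        { echo "$pf_file does not map $pf_ip to $pf_host as canonical name" >&2; return 1; }
    echo "realm=$(domain_to_realm "$pf_domain") basedn=$(domain_to_basedn "$pf_domain")"
}

# Constructed sample hosts file mirroring the tutorial's entries (assumption).
SAMPLE_HOSTS="$(mktemp)"
printf '%s\n' '127.0.0.1 localhost' \
    '192.168.1.107 services.localhost.com    services' \
    '192.168.1.103 ol83.localhost.com    ol83' > "$SAMPLE_HOSTS"

ipa_preflight localhost.com services.localhost.com 192.168.1.107 "$SAMPLE_HOSTS"
```

Swap "$SAMPLE_HOSTS" for /etc/hosts and the real domain, host and IP to use it as a gate before running the installer on either machine.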