Address: 10.10.10.146 00001010.00001010.00001010 .

10010010
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
=>
Network: 10.10.10.0/24 00001010.00001010.00001010 .00000000
(Class A)
Broadcast: 10.10.10.255 00001010.00001010.00001010 .11111111
HostMin: 10.10.10.1 00001010.00001010.00001010 .00000001
HostMax: 10.10.10.254 00001010.00001010.00001010 .11111110
Hosts/Net: 254 (Private Internet)

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens160
UUID=1636d130-62bb-40ac-a812-83be45f75641
DEVICE=ens160
ONBOOT=no
IPADDR=172.25.10.20
PREFIX=24
GATEWAY=172.25.10.2
DNS1=127.0.0.1
DNS2=8.8.8.8

Install and Configure FreeIPA Server on

CentOS 8 / RHEL 8
By
Josphat Mutai
-
January 31, 2020
14506
0
Share

Facebook

Twitter

Pinterest

Linkedin
 You can support us by downloading this article as PDF from the Link below. Download the
guide as PDF

Welcome to our guide on how to install and configure FreeIPA server on RHEL 8 / CentOS
8. FreeIPA is a free and open source identity management tool sponsored by Red Hat and it is
the upstream for the Red Hat Identity Manager(IdM). In this guide, we will discuss on how
to install and configure FreeIPA Server on CentOS 8 / RHEL 8 Linux server.

For CentOS 7: How to Install FreeIPA Server on CentOS 7

FreeIPA Identity management system aims to provide an easy way of centrally managing
Identity, Policy, and Audit for users and services. It is designed to provide an integrated
identity management service for a wide range of clients, including Linux, Mac, and even
Windows.

Benefits of using FreeIPA

 Central Authentication Management – Centralized management of users,
machines, and services within large Linux/Unix enterprise environments.
 Fine-grained Access Control: Provides a clear method of defining access control
policies to govern user identities and delegation of administrative tasks.
 One Time Password (OTP): Provides a popular method for achieving two-factor
authentication (2FA).
 Direct Connect to Active Directory: You can retrieve information from Active
Directory (AD) and join a domain or realm in a standard way.
 Active Directory Cross-Realm Trust: As System Administrator, you can establish
cross-forest Kerberos trusts with Microsoft Active Directory. This allows external
Active Directory (AD) users convenient access to resources in the Identity
Management domain.
 Integrated Public Key Infrastructure (PKI) Service: This provides PKI services
that sign and publish certificates for hosts and services, Certificate Revocation List
(CRL) and OCSP services for software validating the published certificate, and an
API to request, show, and find certificates.

Components of FreeIPA Server

FreeIPA Server is composed of the following Open Source Projects.

 389 Directory Server – Main data store and provides a full multi-master LDAPv3
directory infrastructure.
 MIT Kerberos KDC – Provides Single-Sign-on authentication.
 Dogtag Certificate System – Provides CA & RA for certificate management
functions.
 ISC Bind DNS server – for managing Domain names.
 Web UI / ipa Command Line tool – Used to centrally manage access control, the
delegation of administrative tasks and other network administration tasks.
 NTP Server
FreeIPA Server installation requirements
 Server with 4gb ram – I got failed installations for 1GB and 2GB RAM
 Fresh installation of RHEL / CentOS 8 server
 2 vCPUs
 Port 443 and 80 not used by another application
 FQDN – Resolvable over the public or private DNS server
 10 GB Disk space

See my server details below.

$ free -h
total used free shared buff/cache
available
Mem: 3.7Gi 185Mi 3.3Gi 8.0Mi 196Mi
3.3Gi
Swap: 2.0Gi 0B 2.0Gi

$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 2
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 94
Model name: Intel Core Processor (Skylake, IBRS)
Stepping: 3
CPU MHz: 1800.000
BogoMIPS: 3600.00
Hypervisor vendor: KVM
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 4096K
L3 cache: 16384K
NUMA node0 CPU(s): 0,1
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp
lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq
ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer
aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault
invpcid_single pti ssbd ibrs ibpb fsgsbase tsc_adjust bmi1 avx2 smep bmi2
erms invpcid mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves
arat umip

$ df -h | grep root
/dev/mapper/rhel-root 17G 2.3G 15G 14% /

The next section will discuss the steps you need to install and configure FreeIPA Server on
RHEL / CentOS 8.
Step 1: Set timezone and hostname
You need to have correct timezone and hostname on your server before you can proceed. The
FreeIPA server will also run NTP service and correct timezone will ensure you have correct
time on the server.

How to Set Hostname and Timezone on RHEL / CentOS 8

Step 2: Install FreeIPA Server on RHEL / CentOS 8

RHEL IdM is an integrated solution to provide centrally managed Identity (users, hosts,
services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user
roles, services).

I had failed installation with SELinux in enforcing mode, I recommend you set it to
permissive or disabled.

sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

FreeIPA Server and client packages are distributed through AppStream repository in RHEL /
CentOS 8. You can check IdM modules available.

$ sudo yum module list idm

Updating Subscription Management repositories.
Updating Subscription Management repositories.
Last metadata expiration check: 0:16:51 ago on Sat 29 Dec 2018 09:52:44 AM
EAT.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)
Name Stream Profiles
Summary
idm DL1 adtrust, client, dns, server, default [d]
The Red Hat Enterprise Linux Identity Management system module
idm client [d] default [d]
RHEL IdM long term support client module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

From the output, you can see we have DL1 and client streams. For more information about
the Server module, run:

sudo yum module info idm:DL1

Since this is FreeIPA Server installation, install DL1 stream and then freeipa-server.

sudo yum -y install @idm:DL1

sudo yum -y install freeipa-server

If you want to include DNS service, also install ipa-server-dns,  bind  and bind-dyndb-ldap:

sudo yum install ipa-server-dns bind-dyndb-ldap

Other streams used as dependencies by this installation are:

  389-ds
 httpd
 pki-core
 pki-deps

Step 3: Setup IPA Server on RHEL / CentOS 8

The initial configuration of the FreeIPA server is interactive and you only need to answer a
few questions and all the dirty work is done via a script. You will be asked to provide:

 Integrated DNS – if your DNS zone and SRV records are properly set on your system,
you may proceed by selecting the default value “no”.
 Host name – by default obtained using reverse DNS
 Domain name – by default based on the host name
 Realm name – by default based on the host name
 Password for Directory Manager – an administrator account for Directory Server
 Password for IPA administrator – a superuser for the IdM Server

If you don’t have DNS server to resolve server hostname, modify /etc/hosts file to include
hostname and IP address.

echo "192.168.122.198 ipa.example.com" | sudo tee -a /etc/hosts

Confirm

[jmutai@rhel8 ~]$ ping -c 2 ipa.example.com

PING ipa.example.com (192.168.122.198) 56(84) bytes of data.
64 bytes from ipa.example.com (192.168.122.198): icmp_seq=1 ttl=64
time=0.040 ms
64 bytes from ipa.example.com (192.168.122.198): icmp_seq=2 ttl=64
time=0.113 ms
--- ipa.example.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 30ms
rtt min/avg/max/mdev = 0.040/0.076/0.113/0.037 ms

Configure server hostname to match above name:

export HNAME="ipa.example.com"
sudo hostnamectl set-hostname $HNAME --static
sudo hostname $HNAME

Don’t forget to replace ipa.example.com with your Valid hostname.

Then run ipa-server-install command to configure IPA server. Run as a user with sudo
privileges or as a root user.

sudo ipa-server-install

If you want to configure DNS service as well, include  –setup-dns  option:

sudo ipa-server-install --setup-dns

Sample output:

$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-
install.log
This program will set up the IPA Server.
Version 4.7.1
This includes:
Configure a stand-alone CA (dogtag) for certificate management
Configure the NTP client (chronyd)
Create and configure an instance of Directory Server
Create and configure a Kerberos Key Distribution Center (KDC)
Configure Apache (httpd)
Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: <yes/no>
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.
Server host name [ipa.example.com]: <Set/Confirm Hostname>
The domain name has been determined based on the host name.
Please confirm the domain name [example.com]: <Confirm domain name>
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.COM]: <Confirm Real name>
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: <Enter Password>
Password (confirm): <Confirm Password>
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: <Enter Password>
Password (confirm): <Confirm Password>
The IPA Master Server will be configured with:
Hostname: ipa.example.com
IP address(es): 192.168.122.198
Domain name: example.com
Realm name: EXAMPLE.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining: self-signed
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
.....

This will:

 Configure a stand-alone CA (dogtag) for certificate management

 Configure the NTP client (chronyd)
 Create and configure an instance of Directory Server
 Create and configure a Kerberos Key Distribution Center (KDC)
 Configure Apache (httpd)
  Configure the KDC to enable PKINIT

A successful installation should give output similar to below.

....
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.7.1

Using existing certificate '/etc/ipa/ca.crt'.

Client hostname: ipa.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Configured sudoers in /etc/nsswitch.conf

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Setup complete

Step 4: Configure Firewalld

It is recommended to run firewall service and allow access to ports used by FreeIPA server
services.

sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-

ldaps} --permanent
sudo firewall-cmd --reload

Step 5: Access FreeIPA Web interface

Your FreeIPA server installation is ready. Access the web UI on
https://ipa.example.com.

Login with admin username and IPA admin password provided during installation.
FreeIPA Administrative dashboard should be presented to you. Administration of the
FreeIPA server can be done from the web UI or from the command line.

Step 6: Using FreeIPA CLI

To use ipa command, you need to first get a Kerberos ticket.

$ sudo kinit admin

Password for [email protected]:

Check ticket expiry information using klist.

$ klist
Ticket cache: KCM:0
Default principal: [email protected]
Valid starting Expires Service principal
03/24/2019 11:48:06 03/25/2019 11:48:04 krbtgt/[email protected]

Set user’s default shell to /bin/bash.

$ sudo ipa config-mod --defaultshell=/bin/bash

Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-
s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa.example.com
IPA CA servers: ipa.example.com
IPA CA renewal master: ipa.example.com
IPA master capable of PKINIT: ipa.example.com

Test by adding a user account and listing accounts present:

$ sudo ipa user-add test --first=Test --last=User \

[email protected] --password

Password:
Enter Password again to verify:
-------------------
Added user "test"
-------------------
 User login: test
First name: Test
Last name: User
Full name: Test User
Display name: Test User
Initials: TU
Home directory: /home/test
GECOS: Test User
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
User password expiration: 20190324085532Z
Email address: [email protected]
UID: 1201400001
GID: 1201400001
Password: True
Member of groups: ipausers
Kerberos keys available: True

To list user accounts added, run:

$ sudo ipa user-find

---------------
2 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: [email protected]
UID: 1201400000
GID: 1201400000
Account disabled: False

User login: test

First name: Test
Last name: User
Home directory: /home/test
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 1201400001
GID: 1201400001
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------

Try to login as testuser. On your first log in, you’ll be asked to change your password:

$ ssh test@localhost
Password:
Password expired. Change your password now.
Current Password:
New password: <Set new passwoird
Retype new password:
Activate the web console with: systemctl enable --now cockpit.socket
[test1@ipa ~]$ id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Uninstall FreeIPA Server on RHEL / CentOS 8

To uninstall FreeIPA Server, run:

$ sudo ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!
It is highly recommended to take a backup of existing data and
configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes

If this server is the last instance of CA, KRA, or DNSSEC master,

uninstallation may result in data loss.

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
.......

You have successfully installed FreeIPA Server on CentOS / RHEL 8. Next reading is on