FreeIPA is an open-source identity management system for Linux / Unix environments that provides centralized account management and authentication, like Microsoft Active Directory or LDAP.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Linux open-source software installation and configuration queries.
In this context, we shall look into how to install FreeIPA on CentOS 8.
1. Install EPEL and Perform System Update
To begin, install the EPEL repository and bring the system up to date with the commands below:
$ sudo dnf install epel-release
$ sudo dnf update
2. Install FreeIPA on the system
Let's say our IP address is 192.168.77.5 and the hostname is freeipa.linuxapt.com. FreeIPA requires a fully qualified hostname that resolves to the server's own (non-loopback) address, so set the hostname and add a matching /etc/hosts entry with the following commands:
$ sudo hostnamectl set-hostname freeipa.linuxapt.com
$ echo "192.168.77.5 freeipa.linuxapt.com ipa" | sudo tee -a /etc/hosts
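Before running the installer it is worth checking the hostname and hosts entry against each other, since a mismatch (for example a .com hostname with a .local hosts entry) is a common reason ipa-server-install fails or produces an unreachable server. The pre-flight script below is an added example, not part of the original article or of FreeIPA; the hosts-file text is constructed inline so it runs offline.

```shell
#!/bin/sh
# Pre-flight checks for a FreeIPA server host (added example, not from the article or FreeIPA).
# FreeIPA needs a static fully-qualified hostname that resolves to the server's own
# non-loopback address, and the /etc/hosts entry must use the same name as the hostname.

# check_fqdn NAME -> 0 if NAME is usable as an IPA server hostname
check_fqdn() {
    case "$1" in
        *.*.*) ;;                        # need at least host.domain.tld
        *) return 1 ;;
    esac
    case "$1" in
        localhost*|*.local) return 1 ;;  # .local is reserved for mDNS (RFC 6762)
    esac
    return 0
}

# hosts_maps IP NAME HOSTS_TEXT -> 0 if HOSTS_TEXT has a non-comment line mapping IP to NAME
hosts_maps() {
    printf '%s\n' "$3" | awk -v ip="$1" -v name="$2" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# preflight IP NAME HOSTS_TEXT -> prints each failed check, returns the number of failures
preflight() {
    fails=0
    check_fqdn "$2" || { echo "FAIL: '$2' is not a usable FQDN"; fails=$((fails + 1)); }
    case "$1" in 127.*) echo "FAIL: $1 is a loopback address"; fails=$((fails + 1)) ;; esac
    hosts_maps "$1" "$2" "$3" || { echo "FAIL: no hosts entry mapping $1 to $2"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: the article's IP and hostname with a matching hosts file.
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.77.5 freeipa.linuxapt.com ipa'
preflight 192.168.77.5 freeipa.linuxapt.com "$SAMPLE_HOSTS" && echo "pre-flight OK"
```

On a real host, pass `$(hostname -f)` and the contents of /etc/hosts (`"$(cat /etc/hosts)"`) instead of the sample values.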
FreeIPA packages are provided by the Identity Management (idm) module in the CentOS 8 AppStream repository.
Therefore, you need to enable the idm:DL1 stream by running the command:
$ sudo dnf module enable idm:DL1
Next, sync the repository with the following command:
$ sudo dnf distro-sync
Finally, install FreeIPA on CentOS 8 system using the following command:
$ sudo dnf install ipa-server ipa-server-dns
3. Set up the FreeIPA server
Next, run the interactive FreeIPA server installer; the --setup-dns option also configures the integrated DNS server:
$ sudo ipa-server-install --setup-dns
Here is how the configuration dialogue looks when you run the previous command:
[root@linuxapt.com ~]# ipa-server-install --setup-dns
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [freeipa.linuxapt.com]: [ENTER]
Warning: skipping DNS resolution of host freeipa.linuxapt.local
The domain name has been determined based on the host name.
Please confirm the domain name [linuxapt.com]:[ENTER]
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [LINUXAPT.COM]: [ENTER]
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: [ENTER PASSWORD]
Password (confirm): [ENTER PASSWORD]
. . . . .
After the FreeIPA installation, authenticate to the Kerberos realm to ensure that the administrator is configured correctly:
$ kinit admin
You can also list the Kerberos tickets with the klist command:
$ klist
4. Configure the firewall for FreeIPA
You will need to allow the ports used by FreeIPA. The firewalld service definitions cover them, so you can allow them with the following commands:
$ sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
$ sudo firewall-cmd --reload
Next, set SELinux to permissive mode (the first command applies it immediately, the second makes it persist across reboots):
$ sudo setenforce 0
$ sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
The FreeIPA web interface listens on HTTP port 80 by default and redirects to HTTPS on port 443.
Start by using the command below to check whether all FreeIPA services are running:
[root@ipa ~]# ipactl status
Then open your browser, navigate to https://freeipa.linuxapt.com/ and complete the required steps to finish the installation.
Accept the browser's certificate warning (the certificate is issued by the new IPA CA, which the browser does not trust yet) and proceed to the FreeIPA server login page.
Log in with the username admin and the admin password you provided during the installation.
This article covers how to install FreeIPA on a CentOS 8 system. FreeIPA is a free and open-source identity management tool for centralized authentication together with account management, policy (host-based access control) and audit.
How to open the required FreeIPA ports on the firewall?
FreeIPA uses a number of ports to communicate with its services, and these must be opened on the firewall to allow external connections. You can open all the required ports using the firewalld service names by running the commands below:
$ firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
$ firewall-cmd --reload