Install & Configure FreeIPA IDM server/client on Linux VM

FreeIPA (Free Identity, Policy, Audit) is a free and open-source tool for managing identities. It is the base for Red Hat Identity Manager. FreeIPA makes it easy to handle centralized authentication, user accounts, policies (such as who can access what), and auditing. It also provides DNS and PKI services. This tool brings everything together in one place, reducing the need for different tools on different machines and making management simpler.

Key Points:

  • Centralized Management: Handles user accounts, authentication, policies, and auditing all in one place.
  • Linux Integration: Works well with Linux features and can unify many Linux machines.
  • Active Directory Integration: Can connect with Windows' Active Directory, even though it doesn't directly support Windows clients.
  • SSL Certificates: Can issue SSL certificates to secure communications.

FreeIPA uses existing Linux tools and protocols, which are trusted and reliable. It can run on any Linux system and helps create a controlled Linux domain.

Terms & Definitions

Kerberos

  • krb5kdc: The Kerberos Authentication service and Key Distribution Center (KDC) daemon. It handles authentication requests and ticket distribution in a Kerberos environment.
  • kadmin: The Kerberos database administration program. It is used to manage the Kerberos database, including adding, deleting, and modifying principals.

LDAP Directory Server

  • dirsrv: The internal LDAP (Lightweight Directory Access Protocol) directory server instance in FreeIPA. It stores all Identity Management (IdM) information, such as Kerberos data, user accounts, host entries, services, policies, DNS, and more.

Certificate Authority

  • pki-tomcatd: The Command-Line Interface for accessing Certificate System services. It manages the issuance and lifecycle of SSL certificates within FreeIPA.

Domain Name System (DNS)

  • named: FreeIPA uses DNS for dynamic service discovery. The FreeIPA client installation utility can use DNS information to automatically configure the client machine. Once enrolled in the FreeIPA domain, the client uses DNS to locate IPA servers and services within the domain.

Network Time Protocol (NTP)

  • ntpd: IPA uses NTP to synchronize clocks over a network via the ntpd service. An authoritative central server provides the correct time, and clients synchronize their clocks to this server. During server installation, the IPA server is configured as the NTP server for the IdM domain.

Apache HTTP Server

  • httpd: The Apache HTTP web server provides the IdM Web UI and manages communication between the Certificate Authority and other FreeIPA IdM services.

One-Time Password (OTP) Authentication

  • ipa-otpd: One-time passwords (OTP) are generated by an authentication token for only one session, as part of two-factor authentication.

Custodia

  • ipa-custodia: A Secrets Services provider that stores and shares access to secret material such as passwords, keys, tokens, and certificates.

OpenDNSSEC

  • ipa-dnskeysyncd: A DNS manager that automates the process of keeping track of DNS security extensions (DNSSEC) keys and the signing of zones.

Minimum Hardware Requirements:

RAM = 2 GB, CPU = 2 vCPU, Disk = 12 GB free space on /

FreeIPA Server Installation :

Step 1: Set hostname and install the latest updates on VM

Disabling SELinux and adding an entry to /etc/hosts that maps the server IP to its hostname is useful. Additionally, make sure the hostname is set properly.

[root@rameshidm1 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@rameshidm1 ~]# hostnamectl set-hostname rameshidm1.uaedubaireg.local
[root@rameshidm1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.18.64.209   rameshidm1.uaedubaireg.local
[root@rameshidm1 ~]# hostname -f
rameshidm1.freeipacentos.local
[root@rameshidm1 ~]#         

Install updates using yum/dnf command and then reboot it.

[root@rameshidm1 ~]# yum update -y
[root@rameshidm1 ~]# reboot        
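The transcript above shows how easily Step 1 goes wrong: hostname -f returned rameshidm1.freeipacentos.local while /etc/hosts maps the address to rameshidm1.uaedubaireg.local. The following pre-flight check is an added example, not part of the original article or of FreeIPA itself; the function name check_ipa_hostname and its arguments are my own, and it can be run against /etc/hosts before ipa-server-install.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original article: confirms the
# Step 1 prerequisites before ipa-server-install is run. Function and
# argument names are my own; FreeIPA ships no such script.

# check_ipa_hostname FQDN HOSTS_FILE
# Succeeds (returns 0) when FQDN is a lowercase, fully qualified name and
# HOSTS_FILE maps a non-loopback address to it; otherwise prints why and
# returns 1.
check_ipa_hostname() {
    fqdn=$1
    hosts=$2

    # Kerberos principals and DNS names are expected in lowercase.
    if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')" ]; then
        echo "FAIL: hostname must be lowercase: $fqdn"; return 1
    fi
    case $fqdn in
        *.*.*) ;;   # host.domain.tld or longer
        *) echo "FAIL: hostname is not fully qualified: $fqdn"; return 1 ;;
    esac

    # First non-comment line whose name columns contain the FQDN.
    ip=$(awk -v h="$fqdn" '$1 !~ /^#/ { for (i = 2; i <= NF; i++)
            if ($i == h) { print $1; exit } }' "$hosts")
    if [ -z "$ip" ]; then
        echo "FAIL: no entry for $fqdn in $hosts"; return 1
    fi
    case $ip in
        127.*|::1) echo "FAIL: $fqdn maps to loopback $ip; use the VM's address"; return 1 ;;
    esac
    echo "OK: $fqdn -> $ip"
    return 0
}

# On the server itself, compare the kernel's idea of the FQDN with /etc/hosts:
#   check_ipa_hostname "$(hostname -f)" /etc/hosts
```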

Step 2 : Install FreeIPA Packages

After configuring the hostname and FQDN of the server, the next step is to install the FreeIPA packages from the official CentOS repository. To do this, run the following yum command as the root user:

[root@rameshidm1 ~]# sudo yum install ipa-server bind-dyndb-ldap ipa-server-dns         

Step 3 : Setup FreeIPA Server

In this step, we will set up the FreeIPA server and DNS. FreeIPA offers an interactive command-line interface that simplifies the administration of the FreeIPA configuration.

Run the following command to configure the FreeIPA server:

[root@rameshidm1 ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [rameshidm1.uaedubaireg.local]: rameshidm1.uaedubaireg.local

Warning: skipping DNS resolution of host rameshidm1.uaedubaireg.local
The domain name has been determined based on the host name.

Please confirm the domain name [uaedubaireg.local]: uaedubaireg.local

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [UAEDUBAIREG.LOCAL]: UAEDUBAIREG.LOCAL
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain freeipacentos.local., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 100.125.0.34, 100.125.0.35
Do you want to configure these servers as DNS forwarders? [yes]: yes
All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
DNS server 100.125.0.34: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
DNS server 100.125.0.35: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 172.18.64.209 [yes]:
Please specify the reverse zone name [64.18.172.in-addr.arpa.]:
Using reverse zone(s) 64.18.172.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       rameshidm1.uaedubaireg.local
IP address(es): 172.18.64.209
Domain name:    uaedubaireg.local
Realm name:     UAEDUBAIREG.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       100.125.0.34, 100.125.0.35
Forward policy:   only
Reverse zone(s):  64.18.172.in-addr.arpa.

Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  etc.....

  Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password        

Step 4 : Verify Admin

At this stage, we have already set up FreeIPA on the server. Now, let's verify our configuration.

To verify the Kerberos admin password, use the kinit command:

1. Open a terminal.

2. Run the following command to authenticate as the FreeIPA admin user:

  kinit admin        

3. Enter the admin password when prompted.

If the password is correct, there will be no output, indicating that the authentication was successful.

To further verify, you can check the Kerberos ticket using:

klist        

This command will display the Kerberos tickets currently held by the user, confirming that the authentication was successful.

4. After that, verify the admin user is available on the FreeIPA database using the following command.

[root@rameshidm1 ~]# kinit admin
Password for [email protected]:
[root@rameshidm1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/28/2024 19:48:07  07/29/2024 19:48:04  krbtgt/[email protected]
[root@rameshidm1 ~]# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 1069600000
  GID: 1069600000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@rameshidm1 ~]#        

Step 5 : Use the following commands to configure firewalld:

[root@rameshidm1 ~]# systemctl restart firewalld
[root@rameshidm1 ~]# sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
success
[root@rameshidm1 ~]# sudo firewall-cmd --reload
success
[root@rameshidm1 ~]#        

Next, we're going to verify the FreeIPA admin web-UI.

Open the web browser, type your FreeIPA domain name on the address bar. Mine is:

https://rameshidm1.uaedubaireg.local/

And you will get the FreeIPA web-UI login page.

Step 6 : Add New User


Step 7 : Test Login

We will test connecting to the FreeIPA server via SSH from the local computer using the user account created in Step 6, which in this example is ramesh.ramineni.

From your local system, run the ssh command below.

ssh ramesh.ramineni@<IP Address of Local VM>

Now, enter your password. After completing this, you will see a notification indicating that your password has expired. Type your current password to set a new one.

Once you've done this, you will be in your home directory and successfully logged in to the server using the FreeIPA user account we just created.

[root@rameshidm1 ~]# ssh [email protected]
Password:
Creating home directory for ramesh.ramineni.
Last login: Mon Jul 29 01:11:32 2024 from rameshidm1.uaedubaireg.local
[ramesh.ramineni@rameshidm1 ~]# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
devtmpfs       devtmpfs  3.8G     0  3.8G   0% /dev
tmpfs          tmpfs     3.9G  4.0K  3.9G   1% /dev/shm
tmpfs          tmpfs     3.9G  8.7M  3.9G   1% /run
tmpfs          tmpfs     3.9G     0  3.9G   0% /sys/fs/cgroup
/dev/vda1      xfs        40G  2.9G   38G   8% /
tmpfs          tmpfs     783M     0  783M   0% /run/user/0
tmpfs          tmpfs     783M     0  783M   0% /run/user/1507200001
[ramesh.ramineni@rameshidm1 ~] exit
logout
Connection to 172.18.64.45 closed.
[root@rameshidm1 ~]#        

Step 8 : Work on DNS

FreeIPA can manage DNS records automatically during setup for internal services like LDAP and Kerberos. Additionally, it can be configured to act as a DNS server.

Step 9 : Issuing SSL certificates with IdM

FreeIPA allows you to manage and issue SSL certificates as part of its capabilities. It integrates with the Dogtag Certificate System to handle certificate management tasks, including:

  • Issuing Certificates: Generate and issue SSL/TLS certificates for servers and applications.
  • Certificate Management: Manage certificate lifecycle, including renewal and revocation.
  • Public Key Infrastructure (PKI): Provides a centralized PKI for secure communications within the network.

This feature helps ensure secure communication and authentication across services managed by FreeIPA.

Finally, the FreeIPA installation and configuration on CentOS 7 server has been completed successfully.

FreeIPA client install:

  • Install the ipa-client package at client side

yum install ipa-client

  • Enroll the client into the IdM domain (the --enable-dns-updates option lets the client keep its own DNS records up to date):

ipa-client-install --enable-dns-updates

  • Command to list the enrolled hosts and show information about them (run with an admin Kerberos ticket):

ipa host-find

Once the installation is done on the client side, we can see the host enrollment in IdM as below.

FreeIPA LDAP Authentication

We can use FreeIPA to authenticate to different services or applications. Here I am going to give an example of Zabbix. Once it is successful, we can access this application with IdM credentials.


Fix to login popup issue

When accessing the FreeIPA Web UI in Chrome, a sign-in pop-up appears. To stop the pop-up form from appearing, add the lines below at the end of the config file and restart the httpd service.

Issue in web UI

# vi /etc/httpd/conf.d/ipa-rewrite.conf

# The following disables the annoying kerberos popup for chrome
RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
RedirectMatch 401 ^/ipa/session/login_kerberos

# systemctl restart httpd.service

Backup & Restore

Backup Procedure :

There are two types of backups:

Full-server backup: creates a backup copy of all the IPA server files as well as the LDAP data, which makes it a standalone backup. IdM affects hundreds of files; the files that the backup process copies are a mix of whole directories and specific files, such as configuration files or log files, and relate directly to IdM or to the various services that IdM depends on. Because the full-server backup is a raw file backup, it is performed offline: the script that performs the full-server backup stops all IPA services to ensure a safe course of the backup process.

[root@ramesh ipa]# ipa-backup
Preparing backup on rameshidm1.uaedubaireg.local
Stopping IPA services
Backing up ipaca in FREEIPA-LOCAL to LDIF
Backing up userRoot in FREEIPA-LOCAL to LDIF
Backing up FREEIPA-LOCAL
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2022-08-05-09-58-09
The ipa-backup command was successful
[root@ramesh ipa]#        

Data-only Backup: The data-only backup only creates a backup copy of LDAP data and the changelog. The process backs up the IPA-REALM instance and can also back up multiple back ends or only a single back end; the back ends include the IPA back end and the CA Dogtag back end. This type of backup also backs up a record of the LDAP content stored in LDIF (LDAP Data Interchange Format). The data-only backup can be performed both online and offline.

By default, IdM stores the created backups in the /var/lib/ipa/backup/ directory. The naming conventions for the subdirectories containing the backups are:

  • ipa-full-YEAR-MM-DD-HH-MM-SS in the GMT time zone for the full-server backup
  • ipa-data-YEAR-MM-DD-HH-MM-SS in the GMT time zone for the data-only backup

[root@ramesh ~]# ipa-backup --data
Preparing backup on rameshidm1.uaedubaireg.local
Stopping Directory Server
Backing up ipaca in FREEIPA-LOCAL to LDIF
Backing up userRoot in FREEIPA-LOCAL to LDIF
Backing up FREEIPA-LOCAL
Starting Directory Server
Backed up to /var/lib/ipa/backup/ipa-data-2022-08-05-10-38-38
The ipa-backup command was successful
[root@ramesh ~]#        
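A backup that silently stops running is as bad as none, so the step after scheduling ipa-backup is checking that a recent one exists. The script below is an added example, not from the article or from FreeIPA; the function names are my own, it relies on the ipa-full-/ipa-data-YEAR-MM-DD-HH-MM-SS naming described above (timestamps in GMT), and it assumes GNU date for the -d option.

```shell
#!/bin/sh
# Added example, not from the article: a freshness check for ipa-backup
# output, suitable for a cron job or monitoring probe. Function names are
# mine; directory names follow the ipa-full-/ipa-data-YEAR-MM-DD-HH-MM-SS
# convention with the timestamp in GMT. Assumes GNU date.

# newest_ipa_backup DIR [full|data]
# Prints the newest backup directory of the given kind (default: full).
newest_ipa_backup() {
    kind=${2:-full}
    # The timestamp is zero-padded, so plain sort order is chronological.
    ls -d "$1"/ipa-"$kind"-[0-9][0-9][0-9][0-9]-* 2>/dev/null | sort | tail -n 1
}

# backup_age_seconds BACKUP_DIR [NOW_EPOCH]
# Age of a backup in seconds, computed from its name rather than its mtime,
# so a copied or restored directory does not look fresher than it is.
backup_age_seconds() {
    now=${2:-$(date -u +%s)}
    stamp=${1##*/}          # ipa-full-2022-08-05-09-58-09
    stamp=${stamp#ipa-*-}   # 2022-08-05-09-58-09
    old_ifs=$IFS; IFS=-; set -- $stamp; IFS=$old_ifs
    taken=$(date -u -d "$1-$2-$3 $4:$5:$6" +%s)
    echo $((now - taken))
}

# check_backup_freshness DIR MAX_AGE_SECONDS [NOW_EPOCH]
# Returns 0 if the newest full backup is at most MAX_AGE_SECONDS old.
check_backup_freshness() {
    latest=$(newest_ipa_backup "$1" full)
    if [ -z "$latest" ]; then
        echo "FAIL: no full backup under $1"; return 1
    fi
    age=$(backup_age_seconds "$latest" "$3")
    if [ "$age" -gt "$2" ]; then
        echo "FAIL: $latest is ${age}s old (limit $2)"; return 1
    fi
    echo "OK: $latest is ${age}s old"
    return 0
}

# Typical use: alert if no full backup was taken in the last 26 hours.
#   check_backup_freshness /var/lib/ipa/backup $((26 * 3600))
```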

Restore Procedure :

Both full-server and data-only backups are restored using the ipa-restore utility, which must always be run as root. Pass the backup path to the command:

[root@ramesh ipa]# ipa-restore /path/to/backup
[root@ramesh ipa]#        
ASHOK S

University of Illinois

7 months

I followed the documentation and installed the tool. It's working well and is really useful for managing multiple tasks like Networking, SSL, Hosts Enrollment, User & Group administration, DNS etc. Thanks!

Vijay Atluri

Senior Devops

7 months

I used 2018 IAM enterprises for one of my clients, and it's a useful tool to integrate with AD and then different tools.

Anil Gogineni

DevOps / Cloud Engineer | AWS | Docker | Ansible | Jenkins | CI/CD | Kubernetes | Python | Terraform | Git | Linux | Django | API

7 months

Thanks for sharing Ramesh Ramineni

Kasturi Adusumalli

Cloud Support Engineer

7 months

We have been using it since 2022. This tool is excellent & powerful for managing Access, DNS, Services, SSL etc. The explanation about IDM in your article is perfect. Thank you Ramesh Ramineni
