How to Install and Configure FreeIPA Server on CentOS/RHEL 7
FreeIPA is a free and open source identity management solution sponsored by Red Hat. It provides centralized authentication and management for Linux servers, much like Microsoft Active Directory or a standalone LDAP directory: user accounts on Linux systems can be managed from one place, which makes identity management easier for the Linux administrator. FreeIPA also provides services such as DNS and PKI.
FreeIPA is based on the following open source projects:
- 389 Directory Server (LDAP)
- MIT Kerberos
- SSSD
- Dogtag (Certificate System)
- NTP & DNS
Step 1: Prerequisites
Installing FreeIPA on a Linux system is simple, but before starting the installation we need to prepare the server.
Set the Hostname:
First set the fully qualified domain name (FQDN) of the server as its hostname.
# hostnamectl set-hostname srv.techoism.net
OR
# vim /etc/hostname
srv.techoism.net
Add Host Entry:
Add a host entry on the server so that the system hostname resolves.
# echo "192.168.1.8 srv.techoism.net srv" >> /etc/hosts
Step 2: Install FreeIPA
The FreeIPA packages are available in the default repository. Run the command below to install FreeIPA and its dependencies:
# yum install ipa-server ipa-server-dns -y
Step 3: Configure IPA Server
Once the packages have been installed, run the following command to set up FreeIPA on the server:
# ipa-server-install
It will prompt for several settings, such as whether to configure DNS, the host name, the domain name and the realm name.
Configuring the FreeIPA server takes some time; once it has been set up successfully, you will see output similar to the one below.
Note: Sometimes you will get the errors below while installing FreeIPA on a CentOS 7 server.
[error] CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
This is a well-known issue; to resolve it, restart the dbus service.
For CentOS/RHEL 6
# service dbus restart
For CentOS/RHEL 7
# systemctl restart dbus
Then uninstall FreeIPA with the command below and run the installation again.
# ipa-server-install --uninstall
Step 4: User’s Home Directory
Run the command below so that a user's home directory is created automatically at first login.
# authconfig --enablemkhomedir --update
Step 5: Configure Firewalld
If a firewall service is running on the server, you need to open the ports required by the FreeIPA services.
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: Kerberos
UDP Ports:
* 88, 464: Kerberos
* 123: NTP
# firewall-cmd --permanent --add-service=ntp
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --permanent --add-service=ldap
# firewall-cmd --permanent --add-service=ldaps
# firewall-cmd --permanent --add-service=kerberos
# firewall-cmd --permanent --add-service=kpasswd
# firewall-cmd --reload
Step 6: Verify FreeIPA
Use the command below to check whether all FreeIPA services are running:
# ipactl status
Step 7: Verify Admin Ticket
Verify that the Kerberos realm was installed correctly by obtaining a Kerberos ticket for the admin user.
# kinit admin
# klist
Step 8: Access FreeIPA
Now you can access the FreeIPA web UI at the URL below:
https://Hostname/ipa/ui
OR
https://Server-IP/ipa/ui
You have now successfully accessed FreeIPA.
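As an added example (not code from the original article), a small POSIX shell script that checks the Step 1 prerequisites offline and parses the Step 6 and Step 7 verification output; the realm TECHOISM.NET and the sample hosts and ipactl data are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight and verification
# checks for Steps 1, 6 and 7 above. Functions take input as arguments or on
# stdin, so they run offline against the constructed samples at the bottom; on
# a live server pass the real hostname, /etc/hosts, ipactl and klist output.

# Step 1: the hostname must be a fully qualified, lowercase DNS name
# (at least one dot; labels of letters, digits and hyphens only).
is_fqdn() {
    printf '%s\n' "$1" |
        LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Step 1: the hosts file must map the FQDN to the server's real address.
# Loopback (127.x / ::1) is rejected because ipa-server-install refuses a
# hostname that resolves to loopback.
hosts_entry_ok() {   # $1 = hosts file, $2 = expected IP, $3 = FQDN
    ip=$(awk -v h="$3" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1")
    [ -n "$ip" ] || return 1
    case "$ip" in 127.*|::1) return 1 ;; esac
    [ "$ip" = "$2" ]
}

# Step 6: every "<name> Service:" line of `ipactl status` must say RUNNING,
# and there must be at least one such line.
all_services_running() {   # reads `ipactl status` output on stdin
    out=$(grep ' Service: ' || true)
    [ -n "$out" ] || return 1
    ! printf '%s\n' "$out" | grep -qv ': RUNNING$'
}

# Step 7: `klist` must list the admin principal of the realm. The realm
# TECHOISM.NET (from the article's domain) is an assumption.
admin_ticket_ok() {   # $1 = realm, reads `klist` output on stdin
    grep -qxF "Default principal: admin@$1"
}

# Constructed sample data standing in for the live server.
SAMPLE_HOSTS='127.0.0.1 localhost
192.168.1.8 srv.techoism.net srv'
SAMPLE_IPACTL='Directory Service: RUNNING
krb5kdc Service: RUNNING
httpd Service: STOPPED'

tmp=$(mktemp); printf '%s\n' "$SAMPLE_HOSTS" > "$tmp"
is_fqdn srv.techoism.net && echo "hostname: ok"
hosts_entry_ok "$tmp" 192.168.1.8 srv.techoism.net && echo "hosts entry: ok"
printf '%s\n' "$SAMPLE_IPACTL" | all_services_running || echo "ipactl: not all services RUNNING"
rm -f "$tmp"
```

On a real server, replace the samples with `hostname -f`, `/etc/hosts`, and the live `ipactl status` and `klist` output piped into the functions.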
Reference: https://www.freeipa.org/page/Main_Page
Enjoy it!