path: root/articles/freeipa-server.html
Diffstat (limited to 'articles/freeipa-server.html')
-rw-r--r--articles/freeipa-server.html176
1 files changed, 176 insertions, 0 deletions
diff --git a/articles/freeipa-server.html b/articles/freeipa-server.html
new file mode 100644
index 0000000..80825d0
--- /dev/null
+++ b/articles/freeipa-server.html
@@ -0,0 +1,176 @@
1<!DOCTYPE html>
2<html lang=en>
3 <head>
4 <title></title>
5 <meta charset="utf-8"/>
6 <link rel="shortcut icon" href="favicon.ico"/>
7 <link rel='stylesheet' href='../style.css'/>
8 <meta name="viewport" content="width=device-width, initial-scale=1">
9 </head>
10<body>
11 <header><h1>FreeIPA Server Setup</h1></header>
12 <main>
13 <p>FreeIPA is a centralized idenity management solution developed
14 by Redhat. It is in my opinion the most functional libre alternative
15 to Microsoft's Active Directory. Like AD, FreeIPA integrates all of
16 the pieces needed to setup a domain including LDAP, Kerberos,
17 a Certificate Authority, and much more.</p>
18
19 <p>I will be using Fedora 35 in this tutorial. As of Debian 11, the
20 FreeIPA server is still not in the Debian repos. You will need either
21 a Fedora or a RHEL machine. A CentOS fork may work also but I have not
22 tested that.</p>
23
24 <h2>FreeIPA in an Enterprise</h2>
25
26 <p>For readers exploring the use of FreeIPA in a business
27 environment, note that FreeIPA documentation explicitly states that
28 it is not a replacement for Active Directory. I have not personally
29 tried to join a Windows computer to a FreeIPA domain, and so I can't
30 speak to how well that would work. FreeIPA would also not be able to push
31 out policy to Windows machines as is done with Group Policy. FreeIPA
32 is though able to create inter-domain trusts with an existing AD
33 infrastructure.</p>
34
35 <h2>The Case for FreeIPA at Home</h2>
36 <p>Using a full Kerberos and LDAP identity management server may
37 seem like overkill at home. And if you only have a single computer
38 then it probably is. But scaling up even slightly, to perhaps a small
39 family each with their own computer, will make having FreeIPA
40 advantageous (<em>your family is all using Linux, right?</em>). This
41 will be especially apparent if you are hosting your own services.
42 If you are for instance hosting a Jellyfin media server that everyone
43 in your family accesses, you won't want them to juggle separate
44 passwords for Jellyfin when you could just have them use the same
45 password they do on the computer. This single/same sign-on capability is
46 one of the most practically useful aspects of FreeIPA.</p>
47
48 <h2>Install Packages</h2>
49 <p>We start as usual by installing the required packages.</p>
50
51 <pre><code>dnf install freeipa-server freeipa-dns</code></pre>
52
53 <h2>Set Hostname</h2>
54 <p>The server will need to have a fully qualified hostname
55 before setting up IPA. You will need both a hostname for the server
56 itself and the domain name you will want for the FreeIPA domain. I
57 will be using <em>ipaserver.myhome.local</em>, where
58 <em>ipaserver</em> is the hostname and <em>myhome.local</em> is the
59 domain name.</p>
60
61 <pre><code>hostnamectl set-hostname <em>ipaserver.home.local</em></code></pre>
62
63 <p>We'll also need to add a hosts file entry to
64 <strong>/etc/hosts</strong>. Open that file in an editor and add a new
65 line with the IP of the server, the fully qualified name, and the
66 hostname.</p>
67
68 <pre><code>192.168.1.10 ipaserver.myhome.local ipaserver</code></pre>
69
70
71 <p>Make sure to reboot the server before continuing to complete
72 the hostname change.</p>
73
74 <h2>Firewall Configuration</h2>
75 <p>We'll need to allow several ports for FreeIPA to function properly.
76 Fedora 35 uses firewalld by default but I am going to disable that
77 in favor of UFW here.</p>
78
79 <pre><code><em>#Install UFW</em>
80dnf install ufw
81<em># Stop and disable firewalld</em>
82systemctl disable --now firewalld
83<em># Configure UFW</em>
84ufw enable
85ufw allow ssh
86ufw allow dns
87ufw allow 88 comment kerberos
88ufw allow 389 comment ldap
89ufw allow 443 comment webui
90ufw allow 636 comment ldaps
91ufw default deny incoming
92ufw reload</code></pre>
93
94 <h2>Configure FreeIPA</h2>
95 <p>Now we can run the FreeIPA setup script. This is an interactive but mostly
96 automatic process that will configure all of the IPA components. The
97 <strong>--mkhomedir</strong> flag will configure the server to create home
98 directories for IPA users on their first login and would otherwise have to be
99 done manually.</p>
100
101 <pre><code>ipa-server-install --mkhomedir</code></pre>
102
103 <p>That command will bring you into the install script. You will be prompted
104 several times before the bulk of the configuration happens. Default values
105 are show in brackets after the prompt. Let's run through those prompts.<br><br>
106 <strong>Do you want to configure integrated DNS (BIND)?</strong>:
107 <em>yes</em><br><br>
108 <strong>Sever host name</strong>: the default value should be showing
109 <em>ipaserver.myhome.local</em> which is what we want. Simply hit enter to acecpt
110 the default.<br><br>
111 <strong>Please confirm the domain name</strong>: The default here should be
112 correct <em>myhome.local</em> so hit enter to accept that.<br><br>
113 <strong>Please provide a realm name</strong>: This should just be the domain
114 name in all uppercase. If the default looks correct just hit enter.<br><br>
115 <strong>Directory Manager password</strong>: This is the password for an
116 administrator account used by system services. You will not need this for daily
117 use so I recommend setting it to a long randomly generated string. I have found
118 myself that using an extremely long password here will cause the installation to
119 fail. A password under 40 characters should be safe.<br><br>
120 <strong>IPA admin password</strong>: This is the password for your initial admin
121 user. Make this a strong password as this user has full admin rights for the
122 entire domain.<br><br>
123 <strong>Do you want to configure DNS forwarders</strong>: This allows you to
124 configure the IPA server to forward DNS requests to another DNS server for
125 zones it is not authoratitve for. The DNS server is configured by default as
126 a recursive DNS server so answering no does not prevent internet access. If you
127 have another DNS server that should be used instead then answer yes and provide
128 the IP address when prompted.<br><br>
129
130 <strong>Do you want to configure chrony with NTP server or pool address?</strong>
131 : Here you can configure a custom NTP server or pool for the NTP daemon chrony.
132 If you already have an NTP server on your network answer yes and provide its IP.
133 If you want to leave the deafult chrony configuration then answer no. Time
134 synchronization is very important in Kerberos so you should consider how you
135 want to achieve that on your network. If you do not have an NTP server you may
136 want to configure the IPA server as one later.<br><br>
137
138 <strong>Continue to configure the system with these values?</strong>: This is a
139 final confirmation before the script takes over and configures the IPA
140 components. Review the information printed and enter yes if it all looks correct.
141 </p>
142
143 <p>The install script will now run through configuration. This process usually
144 takes several minutes. When finished you should get a message saying
145 <strong>The ipa-server-install command was successful</strong>.</p>
146
147 <p>To finish, run this command to receive a Kerberos TGT. Provide the
148 password for the admin user when prompted.</p>
149
150 <pre><code>kinit admin</code></pre>
151
152 <h2>Accessing the Web Interface</h2>
153
154 <p>You are now able to manage FreeIPA through the web interface. You can
155 browse either to the IP or the hostname if your DNS is configured correctly.
156 You should see a screen similar to this.</p>
157
158 <img alt="FreeIPA Login Screen" src=../images/freeipa-webui.png>
159
160 <p>Login with the username admin and the password you set during the
161 insallation. You are now ready to begin configuring your IPA domain.</p>
162 </main>
163<p>
164<hr>
165Consider <a href=../donate.html>donating</a> if this article was useful.
166<a class=qr href=../images/bitcoin.png>[BTC]</a>
167</p>
168 </main>
169 <footer>
170 <a href=../kb.html>Knowledge Base</a>
171 <br>
172 <a href=../index.html>www.chudnick.com</a>
173 </footer>
174</body>
175</html>
176
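Review bot: the hostname set on line 61 of the new file (`hostnamectl set-hostname ipaserver.home.local`) does not match the FQDN used everywhere else in the article (`ipaserver.myhome.local` in the prose on lines 57-59, the /etc/hosts entry on line 68, and the expected installer default on line 109); with this mismatch the installer's "Server host name" default will not be the value the text tells the reader to accept, and the Kerberos principals and HTTP certificate will be issued for the wrong name, so line 61 should read `ipaserver.myhome.local`. Two follow-up points on the same procedure: the `.local` suffix chosen for the domain collides with mDNS on many Linux desktops and the FreeIPA documentation advises against it, so either pick a different suffix or add a sentence noting the caveat; and the UFW allow list on lines 85-90 omits 464 (kpasswd, TCP and UDP) and 80 (HTTP, used by the CA for CRL/OCSP and by the web UI redirect), which will surface as failed password changes and certificate checks on clients. Markup: the page closes `<main>` twice (lines 162 and 168) and puts `<hr>` inside a `<p>` (lines 163-167), which is invalid HTML; drop the first `</main>` and the wrapping `<p>`, and fill in the empty `<title>` on line 4. Spelling: "idenity" (13), "Sever host name" (108), "acecpt" (109), "authoratitve" (125), "deafult" (133), "insallation" (161), and "are show in brackets" should be "are shown in brackets" (105).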