<!DOCTYPE html>
<html lang=en>
<head>
<title>FreeIPA Server Setup</title>
<meta charset="utf-8"/>
<link rel="shortcut icon" href="favicon.ico"/>
<link rel='stylesheet' href='../style.css'/>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<header><h1>FreeIPA Server Setup</h1></header>
<main>
<p>FreeIPA is a centralized identity management solution developed
by Red Hat. It is in my opinion the most functional libre alternative
to Microsoft's Active Directory. Like AD, FreeIPA integrates all of
the pieces needed to set up a domain, including LDAP, Kerberos,
a Certificate Authority, and much more.</p>
<p>I will be using Fedora 35 in this tutorial. As of Debian 11, the
FreeIPA server is still not in the Debian repos. You will need either
a Fedora or a RHEL machine. A CentOS fork may work also but I have not
tested that.</p>
<h2>FreeIPA in an Enterprise</h2>
<p>For readers exploring the use of FreeIPA in a business
environment, note that the FreeIPA documentation explicitly states that
it is not a replacement for Active Directory. I have not personally
tried to join a Windows computer to a FreeIPA domain, and so I can't
speak to how well that would work. FreeIPA would also not be able to push
out policy to Windows machines as is done with Group Policy. FreeIPA
is, however, able to create inter-domain trusts with an existing AD
infrastructure.</p>
<h2>The Case for FreeIPA at Home</h2>
<p>Using a full Kerberos and LDAP identity management server may
seem like overkill at home. And if you only have a single computer
then it probably is. But scaling up even slightly, to perhaps a small
family each with their own computer, will make having FreeIPA
advantageous (<em>your family is all using Linux, right?</em>). This
will be especially apparent if you are hosting your own services.
If you are for instance hosting a Jellyfin media server that everyone
in your family accesses, you won't want them to juggle separate
passwords for Jellyfin when you could just have them use the same
password they do on the computer. This single/same sign-on capability is
one of the most practically useful aspects of FreeIPA.</p>
<h2>Install Packages</h2>
<p>We start as usual by installing the required packages.</p>
<pre><code>dnf install freeipa-server freeipa-dns</code></pre>
<h2>Set Hostname</h2>
<p>The server will need to have a fully qualified hostname
before setting up IPA. You will need both a hostname for the server
itself and the domain name you will want for the FreeIPA domain. I
will be using <em>ipaserver.myhome.local</em>, where
<em>ipaserver</em> is the hostname and <em>myhome.local</em> is the
domain name.</p>
<pre><code>hostnamectl set-hostname <em>ipaserver.myhome.local</em></code></pre>
<p>We'll also need to add a hosts file entry to
<strong>/etc/hosts</strong>. Open that file in an editor and add a new
line with the IP of the server, the fully qualified name, and the
hostname.</p>
<pre><code>192.168.1.10 ipaserver.myhome.local ipaserver</code></pre>
<p>Make sure to reboot the server before continuing to complete
the hostname change.</p>
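<p>Before rebooting, it is worth checking that the hosts entry and the hostname agree, since Kerberos and the integrated DNS both depend on the server's FQDN resolving consistently. The script below is an added example and not part of the original page: it checks an /etc/hosts-style file for the expected <em>IP FQDN shortname</em> line (values assumed from this page: 192.168.1.10 and ipaserver.myhome.local) and flags the kind of mismatch that makes name lookups fail.</p>

```shell
#!/bin/sh
# Added pre-flight check for the hostname step (not from the original page).
# Kerberos and the integrated DNS depend on the server's FQDN resolving
# consistently, so verify the /etc/hosts entry before ipa-server-install runs.
# Values are the page's: 192.168.1.10 and ipaserver.myhome.local.

# check_hosts_entry FILE IP FQDN
# Returns 0 when FILE has a line "IP FQDN SHORTNAME" and FQDN is fully
# qualified (host plus at least two domain labels); otherwise prints the
# reason on stderr and returns 1.
check_hosts_entry() {
    file="$1"; ip="$2"; fqdn="$3"
    short="${fqdn%%.*}"
    domain="${fqdn#*.}"
    # "ipaserver" or "ipaserver.local" alone cannot yield a usable realm
    if [ "$short" = "$fqdn" ] || [ "${domain#*.}" = "$domain" ]; then
        echo "not fully qualified: $fqdn (want host.domain.tld)" >&2
        return 1
    fi
    # Escape dots so they match literally, then look for the exact line
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if ! grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${fqdn_re}[[:space:]]+${short}([[:space:]]|\$)" "$file"; then
        echo "missing entry '$ip $fqdn $short' in $file" >&2
        return 1
    fi
    # The same names bound to a second address would make lookups ambiguous
    if grep -Ev '^[[:space:]]*#' "$file" | grep -Ev "^[[:space:]]*${ip_re}[[:space:]]" \
            | grep -Eq "[[:space:]](${fqdn_re}|${short})([[:space:]]|\$)"; then
        echo "$short or $fqdn also mapped to another address in $file" >&2
        return 1
    fi
    return 0
}

# check_live_hostname FQDN: the name set with hostnamectl must match too
# (only meaningful on the server itself, after the reboot)
check_live_hostname() {
    [ "$(hostname -f 2>/dev/null)" = "$1" ]
}

# Demo against a constructed hosts file; the 127.0.0.1 line is the usual default
sample=$(mktemp)
printf '127.0.0.1 localhost\n192.168.1.10 ipaserver.myhome.local ipaserver\n' > "$sample"
if check_hosts_entry "$sample" 192.168.1.10 ipaserver.myhome.local; then
    echo "hosts entry OK"
fi
# This one fails on purpose: home.local is not the domain we set
check_hosts_entry "$sample" 192.168.1.10 ipaserver.home.local || echo "(expected failure)"
rm -f "$sample"
```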
<h2>Firewall Configuration</h2>
<p>We'll need to allow several ports for FreeIPA to function properly.
Fedora 35 uses firewalld by default but I am going to disable that
in favor of UFW here.</p>
<pre><code><em># Install UFW</em>
dnf install ufw
<em># Stop and disable firewalld</em>
systemctl disable --now firewalld
<em># Configure UFW. Add the allow rules before enabling it so an SSH session</em>
<em># to the server is not cut off by the default deny policy.</em>
ufw default deny incoming
ufw allow ssh
ufw allow dns
ufw allow 88 comment kerberos
ufw allow 389 comment ldap
ufw allow 443 comment webui
ufw allow 636 comment ldaps
<em># Also used by FreeIPA: plain HTTP (CA certificate and CRL downloads, and the</em>
<em># redirect to the web UI) and Kerberos password changes (kpasswd)</em>
ufw allow 80 comment http
ufw allow 464 comment kpasswd
ufw enable</code></pre>
<h2>Configure FreeIPA</h2>
<p>Now we can run the FreeIPA setup script. This is an interactive but mostly
automatic process that will configure all of the IPA components. The
<strong>--mkhomedir</strong> flag configures the server to create home
directories for IPA users on their first login, which would otherwise have to be
done manually.</p>
<pre><code>ipa-server-install --mkhomedir</code></pre>
<p>That command will bring you into the install script. You will be prompted
several times before the bulk of the configuration happens. Default values
are shown in brackets after the prompt. Let's run through those prompts.<br><br>
<strong>Do you want to configure integrated DNS (BIND)?</strong>:
<em>yes</em><br><br>
<strong>Server host name</strong>: the default value should show
<em>ipaserver.myhome.local</em>, which is what we want. Simply hit enter to accept
the default.<br><br>
<strong>Please confirm the domain name</strong>: The default here should be
correct <em>myhome.local</em> so hit enter to accept that.<br><br>
<strong>Please provide a realm name</strong>: This should just be the domain
name in all uppercase. If the default looks correct just hit enter.<br><br>
<strong>Directory Manager password</strong>: This is the password for an
administrator account used by system services. You will not need this for daily
use, so I recommend setting it to a long randomly generated string. I have myself
found that using an extremely long password here will cause the installation to
fail. A password under 40 characters should be safe.<br><br>
<strong>IPA admin password</strong>: This is the password for your initial admin
user. Make this a strong password as this user has full admin rights for the
entire domain.<br><br>
<strong>Do you want to configure DNS forwarders</strong>: This allows you to
configure the IPA server to forward DNS requests to another DNS server for
zones it is not authoritative for. The DNS server is configured by default as
a recursive DNS server, so answering no does not prevent internet access. If you
have another DNS server that should be used instead then answer yes and provide
the IP address when prompted.<br><br>
<strong>Do you want to configure chrony with NTP server or pool address?</strong>
: Here you can configure a custom NTP server or pool for the NTP daemon chrony.
If you already have an NTP server on your network answer yes and provide its IP.
If you want to leave the default chrony configuration then answer no. Time
synchronization is very important in Kerberos, so you should consider how you
want to achieve that on your network. If you do not have an NTP server you may
want to configure the IPA server as one later.<br><br>
<strong>Continue to configure the system with these values?</strong>: This is a
final confirmation before the script takes over and configures the IPA
components. Review the information printed and enter yes if it all looks correct.
</p>
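<p>The same answers can be given non-interactively, which is handy when the server has to be rebuilt. The script below is an added example and not part of the original page or of the FreeIPA project: it maps the prompts above onto ipa-server-install's long options, assumes the two passwords are supplied in the environment variables IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD (names chosen here), and does a dry run through a stand-in command so nothing is installed until you remove the stand-in.</p>

```shell
#!/bin/sh
# Added example (not from the original page): the answers to the interactive
# prompts, given as an unattended ipa-server-install run. Option names are
# ipa-server-install's own long options; values are the page's
# (ipaserver.myhome.local, MYHOME.LOCAL). Passwords are read from
# IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD (names chosen here) so they are not
# typed on the command line and do not end up in shell history.

# show_args: stand-in for the installer during a dry run, prints one arg per line
show_args() { printf '%s\n' "$@"; }

# ipa_server_install FQDN DOMAIN [FORWARDER_IP] [NTP_SERVER_IP]
# Validates the naming choices, builds the argument list and runs
# $IPA_INSTALL_CMD (default: ipa-server-install) with it.
ipa_server_install() {
    fqdn="$1"; domain="$2"; forwarder="$3"; ntp="$4"
    # Realm is the domain in upper case, which is also the prompt's default
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    # The server's name must lie inside the IPA domain
    case "$fqdn" in
        *."$domain") ;;
        *) echo "host $fqdn is not in domain $domain" >&2; return 1 ;;
    esac
    # The page found very long Directory Manager passwords break the install
    if [ -z "$IPA_DM_PASSWORD" ] || [ "${#IPA_DM_PASSWORD}" -ge 40 ]; then
        echo "IPA_DM_PASSWORD must be set and shorter than 40 characters" >&2
        return 1
    fi
    [ -n "$IPA_ADMIN_PASSWORD" ] || { echo "IPA_ADMIN_PASSWORD must be set" >&2; return 1; }
    set -- --unattended --mkhomedir --setup-dns \
        "--hostname=$fqdn" "--domain=$domain" "--realm=$realm" \
        "--ds-password=$IPA_DM_PASSWORD" "--admin-password=$IPA_ADMIN_PASSWORD"
    # No forwarder means BIND resolves recursively on its own, as the page notes
    if [ -n "$forwarder" ]; then set -- "$@" "--forwarder=$forwarder"; else set -- "$@" --no-forwarders; fi
    # Point chrony at an existing NTP server if there is one, otherwise keep its defaults
    if [ -n "$ntp" ]; then set -- "$@" "--ntp-server=$ntp"; fi
    "${IPA_INSTALL_CMD:-ipa-server-install}" "$@"
}

# Dry run with constructed placeholder passwords. On the real server export the
# real secrets, leave IPA_INSTALL_CMD unset and run this as root.
IPA_DM_PASSWORD='constructed-dm-secret'
IPA_ADMIN_PASSWORD='constructed-admin-secret'
IPA_INSTALL_CMD=show_args
ipa_server_install ipaserver.myhome.local myhome.local
```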
<p>The install script will now run through configuration. This process usually
takes several minutes. When finished you should get a message saying
<strong>The ipa-server-install command was successful</strong>.</p>
<p>To finish, run this command to receive a Kerberos TGT. Provide the
password for the admin user when prompted.</p>
<pre><code>kinit admin</code></pre>
<h2>Accessing the Web Interface</h2>
<p>You are now able to manage FreeIPA through the web interface. You can
browse either to the IP or the hostname if your DNS is configured correctly.
You should see a screen similar to this.</p>
<img alt="FreeIPA Login Screen" src=../images/freeipa-webui.png>
<p>Log in with the username admin and the password you set during the
installation. You are now ready to begin configuring your IPA domain.</p>
<hr>
<p>
Consider <a href=../donate.html>donating</a> if this article was useful.
<a class=qr href=../images/bitcoin.png>[BTC]</a>
</p>
</main>
<footer>
<a href=../kb.html>Knowledge Base</a>
<br>
<a href=../index.html>www.chudnick.com</a>
</footer>
</body>
</html>