{"id":1447,"date":"2018-11-18T18:56:12","date_gmt":"2018-11-18T15:56:12","guid":{"rendered":"http:\/\/kifarunix.com\/?p=1447"},"modified":"2024-05-04T10:45:24","modified_gmt":"2024-05-04T07:45:24","slug":"how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7\/","title":{"rendered":"How to Install FreeIPA Server on Fedora 29\/Fedora 28\/CentOS 7"},"content":{"rendered":"\n<p>Hello there. Today we are going to learn how to install a FreeIPA server on Fedora 29\/Fedora 28\/CentOS 7 or any other RHEL derivative. According to their <a href=\"https:\/\/www.freeipa.org\/About.html\" target=\"_blank\" rel=\"noreferrer noopener\">About page<\/a>,<em> FreeIPA is an open source integrated Identity and authentication management solution for Linux\/UNIX environments. It provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other relevant information necessary for managing the security aspects of a network of computers. It is built atop a number of open source solutions such as 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). 
FreeIPA can be managed via a web interface or the command line<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#how-to-install-free-ipa-server-on-fedora-cent-os\">How to Install FreeIPA Server on Fedora\/CentOS<\/a><ul><li><a href=\"#prerequisites\">Prerequisites<\/a><\/li><li><a href=\"#install-free-ipa-on-fedora-cent-os\">Install FreeIPA on Fedora\/CentOS<\/a><\/li><li><a href=\"#setup-free-ipa-server-on-fedora-cent-os\">Setup FreeIPA Server on Fedora\/CentOS<\/a><\/li><li><a href=\"#open-free-ipa-services-ports-on-firewall\">Open FreeIPA Services Ports on Firewall<\/a><\/li><li><a href=\"#check-status-of-free-ipa-services\">Check Status of FreeIPA Services<\/a><\/li><li><a href=\"#obtain-kerberos-ticket-for-ipa-adminstration\">Obtain Kerberos Ticket for IPA Administration<\/a><\/li><li><a href=\"#using-ipa-command-line-tools\">Using IPA Command Line tools<\/a><\/li><li><a href=\"#access-free-ipa-web-interface\">Access FreeIPA Web Interface<\/a><\/li><li><a href=\"#adding-users-to-free-ipa-server\">Adding Users to FreeIPA Server<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-install-free-ipa-server-on-fedora-cent-os\">How to Install FreeIPA Server on Fedora\/CentOS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h3>\n\n\n\n<p>For a smooth FreeIPA installation, ensure that the following prerequisites are met.<\/p>\n\n\n\n<p>Set a static IP address on your server. First check the current address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip add<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host noprefixroute \n       valid_lft forever preferred_lft forever\n2: enp1s0: 
<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 52:54:00:08:8c:21 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.122.110\/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0\n       valid_lft 3447sec preferred_lft 3447sec\n    inet6 fe80::2a79:62fd:eb27:1e0a\/64 scope link noprefixroute \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<p>So my address is 192.168.122.110 (currently assigned dynamically, as the output shows), and I set it statically using the nmcli command;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>nmcli con add \\\n\ttype ethernet \\\n\tifname enp1s0 \\\n\tcon-name enp1s0 \\\n\tipv4.addresses 192.168.122.110\/24 \\\n\tipv4.gateway 192.168.122.1 \\\n\tipv4.dns 8.8.8.8 \\\n\tipv4.method manual \\\n\tconnection.autoconnect yes\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>nmcli con up enp1s0<\/code><\/pre>\n\n\n\n<p>Set a fully qualified hostname;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hostnamectl set-hostname freeipa.kifarunix.com<\/pre>\n\n\n\n<p>Your hostname must be resolvable. 
If you don&#8217;t have a DNS server, you can use the <code><span class=\"highlight\">\/etc\/hosts<\/span><\/code> file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"192.168.122.110 freeipa.kifarunix.com freeipa\"  >> \/etc\/hosts<\/pre>\n\n\n\n<p>Ensure that both forward and reverse DNS resolution work. Note that dig queries the DNS server directly and ignores \/etc\/hosts, so if you rely on \/etc\/hosts alone, verify resolution with a tool that uses the system resolver, such as getent.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig freeipa.kifarunix.com +short<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>192.168.122.110<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dig -x 192.168.122.110 +short<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>freeipa.kifarunix.com.\nfreeipa.<\/code><\/pre>\n\n\n\n<p>Ensure that your package repository is up to date;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf update<\/pre>\n\n\n\n<p>Check if your server needs a reboot. The needs-restarting tool is provided by dnf-utils;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install dnf-utils<\/code><\/pre>\n\n\n\n<p>Then;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>needs-restarting -r<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>No core libraries or services have been updated since boot-up.\nReboot should not be necessary.\n<\/code><\/pre>\n\n\n\n<p>If a reboot is required, reboot before continuing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-free-ipa-on-fedora-cent-os\">Install FreeIPA on Fedora\/CentOS<\/h3>\n\n\n\n<p>Once the above requirements are met, install the FreeIPA packages as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf -y install freeipa-server<\/pre>\n\n\n\n<p>In this guide, we are going to set up a basic FreeIPA server without integrated DNS. 
If you would like to include DNS integration, install these additional packages;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dnf install -y bind-dyndb-ldap freeipa-server-dns<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setup-free-ipa-server-on-fedora-cent-os\">Setup FreeIPA Server on Fedora\/CentOS<\/h3>\n\n\n\n<p>Once the installation is done, run the command below to launch the basic FreeIPA setup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipa-server-install<\/pre>\n\n\n\n<p>To perform the FreeIPA setup with DNS integration, run the command below instead;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipa-server-install --setup-dns<\/pre>\n\n\n\n<p>In this guide, we are going to perform the basic FreeIPA setup without DNS integration.<\/p>\n\n\n\n<p>When you launch the setup command, the first prompt asks whether to set up integrated DNS.<\/p>\n\n\n\n<p>If you want to accept the default settings shown in brackets, press the Enter key.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa-server-install<\/code><\/pre>\n\n\n\n<p>Since we are not configuring DNS integration in this guide, answer <strong>no<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>The log file for this installation can be found in \/var\/log\/ipaserver-install.log\n==============================================================================\nThis program will set up the IPA Server.\nVersion 4.11.1\n\nThis includes:\n  * Configure a stand-alone CA (dogtag) for certificate management\n  * Configure the NTP client (chronyd)\n  * Create and configure an instance of Directory Server\n  * Create and configure a Kerberos Key Distribution Center (KDC)\n  * Configure Apache (httpd)\n  * Configure SID generation\n  * Configure the KDC to enable PKINIT\n\nTo accept the default shown in brackets, press the Enter key.\n\nDo you want to configure integrated DNS (BIND)? 
[no]: no\n<\/code><\/pre>\n\n\n\n<p>Next, you are required to set the server FQDN and the domain as well as the Kerberos realm. Kerberos is the authentication protocol FreeIPA uses, and the realm is the name of the Kerberos authentication domain, conventionally the DNS domain name in uppercase. You can press <strong>ENTER<\/strong> to accept the defaults.<\/p>\n\n\n\n<p>The server hostname and domain should already be auto-detected. If that is the case, just press <strong>ENTER<\/strong> to proceed.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Enter the fully qualified domain name of the computer\non which you're setting up server software. Using the form\n<hostname>.<domainname>\nExample: master.example.com\n\n\nServer host name [freeipa.kifarunix.com]: ENTER\n\nThe domain name has been determined based on the host name.\n\nPlease confirm the domain name [kifarunix.com]: ENTER\n\nThe kerberos protocol requires a Realm name to be defined.\nThis is typically the domain name converted to uppercase.\n\nPlease provide a realm name [KIFARUNIX.COM]: ENTER\n<\/code><\/pre>\n\n\n\n<p>Next, set the Directory Manager (LDAP) password. This account has full access to the directory, so choose a strong password and keep it distinct from the IPA admin password.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Certain directory server operations require an administrative user.\nThis user is referred to as the Directory Manager and has full access\nto the Directory for system management tasks and will be added to the\ninstance of directory server created for IPA.\nThe password must be at least 8 characters long.\n\nDirectory Manager password: password\nPassword (confirm): password\n<\/code><\/pre>\n\n\n\n<p>Set the IPA administrator password.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>The IPA server requires an administrative user, named 'admin'.\nThis user is a regular system account used for IPA server administration.\n\nIPA admin password: password2\nPassword (confirm): password2\n<\/code><\/pre>\n\n\n\n<p>Accept the defaults for the NetBIOS name and NTP server.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Trust is configured but no NetBIOS domain name found, setting it now.\nEnter the NetBIOS name for the IPA domain.\nOnly up to 15 uppercase 
ASCII letters, digits and dashes are allowed.\nExample: EXAMPLE.\n\n\nNetBIOS domain name [KIFARUNIX]: \n\nDo you want to configure chrony with NTP server or pool address? [no]:\n<\/code><\/pre>\n\n\n\n<p>Next, you are asked to confirm the configuration values you have provided.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>The IPA Master Server will be configured with:\nHostname:       freeipa.kifarunix.com\nIP address(es): 192.168.122.110\nDomain name:    kifarunix.com\nRealm name:     KIFARUNIX.COM\n\nThe CA will be configured with:\nSubject DN:   CN=Certificate Authority,O=KIFARUNIX.COM\nSubject base: O=KIFARUNIX.COM\nChaining:     self-signed\n\nContinue to configure the system with these values? [no]: yes\n<\/code><\/pre>\n\n\n\n<p>If you are satisfied with the values you have provided, accept and proceed.<\/p>\n\n\n\n<p>The configuration takes several minutes to complete, depending on the speed of your server. If all is well, you should see output similar to the following.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nClient configuration complete.\nThe ipa-client-install command was successful\n\nPlease add records in this file to your DNS system: \/tmp\/ipa.system.records.d6sgeix0.db\n==============================================================================\nSetup complete\n\nNext steps:\n\t1. You must make sure these network ports are open:\n\t\tTCP Ports:\n\t\t  * 80, 443: HTTP\/HTTPS\n\t\t  * 389, 636: LDAP\/LDAPS\n\t\t  * 88, 464: kerberos\n\t\tUDP Ports:\n\t\t  * 88, 464: kerberos\n\t\t  * 123: ntp\n\nBe sure to back up the CA certificates stored in \/root\/cacert.p12\nThese files are required to create replicas. 
The password for these\nfiles is the Directory Manager password\nThe ipa-server-install command was successful\n<\/code><\/pre>\n\n\n\n<p>Two items in that output deserve attention. Because integrated DNS was not configured, the installer writes the DNS records the server needs (here to \/tmp\/ipa.system.records.d6sgeix0.db); add them to your external DNS. The CA backup in \/root\/cacert.p12 is needed to create replicas and is unlocked by the Directory Manager password, so store it securely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"open-free-ipa-services-ports-on-firewall\">Open FreeIPA Services Ports on Firewall<\/h3>\n\n\n\n<p>Next, you need to open the FreeIPA service ports through the firewall if it is running.<\/p>\n\n\n\n<p>First, check the state of the firewall;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>firewall-cmd --state<\/code><\/pre>\n\n\n\n<p>If it is running, the output should be <strong>running<\/strong>. Proceed to open the ports.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for i in 80 443 389 636 88 464; do firewall-cmd --add-port=$i\/tcp --permanent; done<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">for i in 88 464 123; do firewall-cmd --add-port=$i\/udp --permanent; done<\/pre>\n\n\n\n<p>You can use the service names instead. The dns service is only needed if you configured integrated DNS on this server;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent<\/code><\/pre>\n\n\n\n<p>Then reload the firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">firewall-cmd --reload<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"check-status-of-free-ipa-services\">Check Status of FreeIPA Services<\/h3>\n\n\n\n<p>To confirm that all the FreeIPA services are running, execute the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipactl status<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Directory Service: RUNNING\nkrb5kdc Service: RUNNING\nkadmin Service: RUNNING\nhttpd Service: RUNNING\nipa-custodia Service: RUNNING\npki-tomcatd Service: RUNNING\nipa-otpd Service: RUNNING\nipa: INFO: The ipactl command was successful\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"obtain-kerberos-ticket-for-ipa-adminstration\">Obtain Kerberos Ticket for IPA Administration<\/h3>\n\n\n\n<p>Now that the installation is done, you need to authenticate to 
the FreeIPA server. During installation two administrative accounts were created: the Directory Manager and the IPA admin user.<\/p>\n\n\n\n<p>To authenticate to the FreeIPA server as admin, and thus be able to use the IPA command line tools as well as the web interface, obtain a Kerberos ticket by running the command below;<\/p>\n\n\n\n<p>Use the password of the IPA admin user.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kinit admin<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Password for admin@KIFARUNIX.COM: &lt;<strong>IPA admin user password<\/strong>&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"using-ipa-command-line-tools\">Using IPA Command Line tools<\/h3>\n\n\n\n<p>Once you have obtained a Kerberos ticket, you can use the IPA command line tools. For example, to look up the admin user, run the command <code class=\"systemitem\">ipa user-find admin<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa user-find admin<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>--------------\n1 user matched\n--------------\n  User login: admin\n  Last name: Administrator\n  Home directory: \/home\/admin\n  Login shell: \/bin\/bash\n  Principal alias: admin@KIFARUNIX.COM, root@KIFARUNIX.COM\n  UID: 1152000000\n  GID: 1152000000\n  Account disabled: False\n----------------------------\nNumber of entries returned 1\n----------------------------\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"access-free-ipa-web-interface\">Access FreeIPA Web Interface<\/h3>\n\n\n\n<p>To log in to your FreeIPA server via the browser, enter the server FQDN in the browser address bar.<\/p>\n\n\n\n<p>If you get an SSL exception prompt, accept it and proceed to log in. The warning appears because the web server certificate is issued by the self-signed IPA CA created during setup; importing that CA certificate into your browser's trust store removes the warning permanently.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1615\" height=\"842\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-web-login-page.png?v=1714806063\" alt=\"\" class=\"wp-image-22391\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-web-login-page.png?v=1714806063 1615w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-web-login-page-768x400.png?v=1714806063 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-web-login-page-1536x801.png?v=1714806063 1536w\" sizes=\"(max-width: 1615px) 100vw, 1615px\" \/><\/figure>\n\n\n\n<p>Authenticate using the IPA admin user credentials.<\/p>\n\n\n\n<p>When you successfully authenticate, you should see FreeIPA&#8217;s Identity Users page as shown in the screenshot below;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1622\" height=\"557\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-users-dashboard-page.png?v=1714806079\" alt=\"\" class=\"wp-image-22392\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-users-dashboard-page.png?v=1714806079 1622w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-users-dashboard-page-768x264.png?v=1714806079 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/freeipa-users-dashboard-page-1536x527.png?v=1714806079 1536w\" sizes=\"(max-width: 1622px) 100vw, 1622px\" \/><\/figure>\n\n\n\n<p>You have successfully set up your basic FreeIPA server. In our next article, we will learn how to add and configure FreeIPA users. Stay connected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"adding-users-to-free-ipa-server\">Adding Users to FreeIPA Server<\/h3>\n\n\n\n<p>Follow the link below to add FreeIPA server users.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/add-freeipa-user-accounts-via-cli-or-web-interface\/\" target=\"_blank\" rel=\"noreferrer noopener\">Add FreeIPA User Accounts via CLI or Web Interface<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello there. 
Today we are going to learn how to install FreeIPA server on Fedora 29\/Fedora 28\/CentOS 7 or any other RHEL derivative. According to<\/p>\n","protected":false},"author":1,"featured_media":22391,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1152,246],"tags":[284,242,247,248],"class_list":["post-1447","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-freeipa","category-identity-management","tag-centos","tag-fedora","tag-freeipa","tag-ldap","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1447"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=1447"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1447\/revisions"}],"predecessor-version":[{"id":22404,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/1447\/revisions\/22404"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/22391"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=1447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=1447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=1447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}