{"id":4403,"date":"2019-10-14T20:34:42","date_gmt":"2019-10-14T17:34:42","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4403"},"modified":"2024-05-04T10:11:12","modified_gmt":"2024-05-04T07:11:12","slug":"install-and-setup-freeipa-server-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-freeipa-server-on-centos-8\/","title":{"rendered":"Install and Setup FreeIPA Server on CentOS 8"},"content":{"rendered":"\n<p>Welcome to our today&#8217;s guide on how to install and Setup FreeIPA server on CentOS 8. <a aria-label=\"FreeIPA (opens in a new tab)\" href=\"https:\/\/www.freeipa.org\/page\/About\" target=\"_blank\" rel=\"noreferrer noopener\">FreeIPA<\/a> is an integrated Identity and Authentication solution for Linux\/UNIX networked environments.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-free-ipa-server-on-cent-os-8\">Installing FreeIPA Server on CentOS 8<\/a><ul><li><a href=\"#prerequisites\">Prerequisites<\/a><\/li><li><a href=\"#install-free-ipa-on-cent-os-8\">Install FreeIPA on CentOS 8<\/a><\/li><li><a href=\"#setup-free-ipa-with-integrated-dns-server\">Setup FreeIPA with integrated DNS server<\/a><\/li><li><a href=\"#open-required-free-ipa-ports-on-firewall\">Open Required FreeIPA ports on Firewall<\/a><\/li><li><a href=\"#generate-kerberos-ticket\">Generate kerberos ticket<\/a><\/li><li><a href=\"#accessing-free-ipa-web-interface\">Accessing FreeIPA Web interface<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-free-ipa-server-on-cent-os-8\">Installing FreeIPA Server on CentOS 8<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisites\">Prerequisites<\/h3>\n\n\n\n<p>Set static hostname for your system. 
Note that the hostname must be fully qualified and must not be&nbsp;<code>localhost<\/code>&nbsp;or&nbsp;<code>localhost6<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hostnamectl set-hostname freeipa.kifarunix-demo.com<\/pre>\n\n\n\n<p>Make the hostname resolvable. If you have a DNS server that already resolves the FreeIPA server hostname, that is fine. Otherwise, configure your <code><strong>\/etc\/hosts<\/strong><\/code> file accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"192.168.56.123 freeipa.kifarunix-demo.com\" | sudo tee -a \/etc\/hosts<\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"install-free-ipa-on-cent-os-8\">Install FreeIPA on CentOS 8<\/h3>\n\n\n\n<p>FreeIPA packages are provided by the Identity Management (<code>idm<\/code>) module in the CentOS 8 AppStream repository. Therefore, you need to enable the&nbsp;<code>idm:DL1<\/code>&nbsp;stream by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf module enable idm:DL1<\/code><\/pre>\n\n\n\n<p>Next, run a system update;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf distro-sync<\/code><\/pre>\n\n\n\n<p>Then install the FreeIPA server packages, including the integrated DNS component;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install ipa-server ipa-server-dns<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"setup-free-ipa-with-integrated-dns-server\">Setup FreeIPA with integrated DNS server<\/h3>\n\n\n\n<p>To set up the FreeIPA server with integrated DNS, simply execute the setup command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipa-server-install --setup-dns<\/pre>\n\n\n\n<p>The setup script will configure the following components;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code> ...\n  * Configure a stand-alone CA (dogtag) for certificate management\n  * Configure the NTP client (chronyd)\n  * Create and configure an instance of Directory Server\n  * Create and configure a Kerberos Key Distribution Center (KDC)\n  * Configure Apache (httpd)\n  * Configure DNS (bind)\n  * Configure the KDC to enable PKINIT\n<\/code><\/pre>\n\n\n\n<p>Once the setup script runs, you are prompted for a number of options. Provide the necessary input accordingly; the values used in this guide are shown below.<\/p>\n\n\n\n
<pre class=\"scroll-box\"><code>...\nTo accept the default shown in brackets, press the Enter key.\n\nEnter the fully qualified domain name of the computer\non which you're setting up server software. Using the form\n.\nExample: master.example.com.\n\n\nServer host name [freeipa.kifarunix-demo.com]: ENTER\n\nWarning: skipping DNS resolution of host freeipa.kifarunix-demo.com\nThe domain name has been determined based on the host name.\n\nPlease confirm the domain name [kifarunix-demo.com]: ENTER\n\nThe kerberos protocol requires a Realm name to be defined.\nThis is typically the domain name converted to uppercase.\n\nPlease provide a realm name [KIFARUNIX-DEMO.COM]: ENTER\nCertain directory server operations require an administrative user.\nThis user is referred to as the Directory Manager and has full access\nto the Directory for system management tasks and will be added to the\ninstance of directory server created for IPA.\nThe password must be at least 8 characters long.\n\nDirectory Manager password: SET YOUR PASSWORD\nPassword (confirm): SET YOUR PASSWORD\n\nThe IPA server requires an administrative user, named 'admin'.\nThis user is a regular system account used for IPA server administration.\n\nIPA admin password: SET YOUR PASSWORD\nPassword (confirm): SET YOUR PASSWORD\n\nChecking DNS domain kifarunix-demo.com., please wait ...\nDo you want to configure DNS forwarders? [yes]: ENTER\nFollowing DNS servers are configured in \/etc\/resolv.conf: 8.8.8.8\nDo you want to configure these servers as DNS forwarders? [yes]: ENTER\nAll DNS servers from \/etc\/resolv.conf were added. You can enter additional addresses now:\nEnter an IP address for a DNS forwarder, or press Enter to skip: \nChecking DNS forwarders, please wait ...\nDo you want to search for missing reverse zones? [yes]: ENTER\nChecking DNS domain 56.168.192.in-addr.arpa., please wait ...\nDo you want to create reverse zone for IP 192.168.56.123 [yes]: ENTER\nPlease specify the reverse zone name [56.168.192.in-addr.arpa.]: ENTER\nChecking DNS domain 56.168.192.in-addr.arpa., please wait ...\nUsing reverse zone(s) 56.168.192.in-addr.arpa.\n\nThe IPA Master Server will be configured with:\nHostname:       freeipa.kifarunix-demo.com\nIP address(es): 192.168.56.123\nDomain name:    kifarunix-demo.com\nRealm name:     KIFARUNIX-DEMO.COM\n\nThe CA will be configured with:\nSubject DN:   CN=Certificate Authority,O=KIFARUNIX-DEMO.COM\nSubject base: O=KIFARUNIX-DEMO.COM\nChaining:     self-signed\n\nBIND DNS server will be configured to serve IPA domain with:\nForwarders:       8.8.8.8\nForward policy:   only\nReverse zone(s):  56.168.192.in-addr.arpa.\n...\n<\/code><\/pre>\n\n\n\n
<p>After confirming the values above, proceed with the setup.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\nContinue to configure the system with these values? [no]: <strong>yes<\/strong>\n...<\/code><\/pre>\n\n\n\n<p>The setup then proceeds and takes a few minutes to complete. Once done, you are presented with a setup summary listing the network ports that must be open and reminding you to back up the CA certificates.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n==============================================================================\nSetup complete\n\nNext steps:\n 1. You must make sure these network ports are open:\n TCP Ports:\n   * 80, 443: HTTP\/HTTPS\n   * 389, 636: LDAP\/LDAPS\n   * 88, 464: kerberos\n   * 53: bind\n UDP Ports:\n   * 88, 464: kerberos\n   * 53: bind\n   * 123: ntp\n\n 2. You can now obtain a kerberos ticket using the command: 'kinit admin'\n    This ticket will allow you to use the IPA tools (e.g., ipa user-add)\n    and the web user interface.\n\nBe sure to back up the CA certificates stored in \/root\/cacert.p12\nThese files are required to create replicas. The password for these files is the Directory Manager password\nThe ipa-server-install command was successful\n<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"open-required-free-ipa-ports-on-firewall\">Open Required FreeIPA ports on Firewall<\/h3>\n\n\n\n<p>FreeIPA services listen on a number of ports (listed in the setup summary above), which must be opened on the firewall to allow external connections. Rather than opening each port individually, you can add the corresponding firewalld service definitions by running the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>firewall-cmd --reload<\/code><\/pre>\n\n\n\n<p>The <code>freeipa-ldap<\/code> and <code>freeipa-ldaps<\/code> service definitions cover the HTTP\/HTTPS, LDAP\/LDAPS and Kerberos ports from the summary, while <code>dns<\/code> and <code>ntp<\/code> cover port 53 and UDP port 123.<\/p>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"generate-kerberos-ticket\">Generate kerberos ticket<\/h3>\n\n\n\n<p>In order to use the IPA tools\/commands or the web user interface, or to perform any other administrative task, you need to obtain a <a href=\"https:\/\/www.freeipa.org\/page\/Kerberos\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"kerberos ticket (opens in a new tab)\">kerberos ticket<\/a> by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>kinit admin<\/code><\/pre>\n\n\n\n<p>When prompted, enter the IPA admin password set during the installation.<\/p>\n\n\n\n<p>You can list your current kerberos tickets using the <code><strong>klist<\/strong><\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>klist<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Ticket cache: KCM:0\nDefault principal: admin@KIFARUNIX-DEMO.COM\n\nValid starting       Expires              Service principal\n10\/14\/2019 13:06:09  10\/15\/2019 13:06:06  krbtgt\/KIFARUNIX-DEMO.COM@KIFARUNIX-DEMO.COM\n<\/code><\/pre>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"accessing-free-ipa-web-interface\">Accessing FreeIPA Web interface<\/h3>\n\n\n\n<p>The FreeIPA server is now installed and set up on CentOS 8. Further configuration can be done from the web interface, which you can access in a browser at <strong><code>https:\/\/freeipa.kifarunix-demo.com<\/code><\/strong>.<\/p>\n\n\n\n<p>The browser will warn about the certificate because the IPA CA is self-signed; accept the warning (or import the IPA CA certificate into the browser trust store) and proceed to the FreeIPA server login page. Log in with the username <strong><code>admin<\/code><\/strong> and the IPA admin password set during the installation.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/freeipa-login-centos8.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1276\" height=\"466\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/freeipa-login-centos8.png\" alt=\"Install and Setup FreeIPA Server on CentOS 8\" class=\"wp-image-4405\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/freeipa-login-centos8.png?v=1571073855 1276w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/freeipa-login-centos8-768x280.png?v=1571073855 768w\" sizes=\"(max-width: 1276px) 100vw, 1276px\" \/><\/a><\/figure>\n\n\n\n<p>The default CentOS 8 FreeIPA server dashboard looks like this;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/default-ipa-dashboard.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1365\" height=\"405\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/default-ipa-dashboard.png\" alt=\"\" class=\"wp-image-4404\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/default-ipa-dashboard.png?v=1571073825 1365w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/default-ipa-dashboard-768x228.png?v=1571073825 768w\" sizes=\"(max-width: 1365px) 100vw, 1365px\" \/><\/a><\/figure>\n\n\n\n
<p>You can now perform the FreeIPA administrative tasks from the web interface.<\/p>\n\n\n\n<p>You can also run administrative tasks from the command line using the <strong><code>ipa<\/code><\/strong> command.<\/p>\n\n\n\n<p>For example, to list the FreeIPA users on the server, simply run the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipa user-find<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>--------------\n1 user matched\n--------------\n  User login: admin\n  Last name: Administrator\n  Home directory: \/home\/admin\n  Login shell: \/bin\/bash\n  Principal alias: admin@KIFARUNIX-DEMO.COM\n  UID: 1938400000\n  GID: 1938400000\n  Account disabled: False\n----------------------------\nNumber of entries returned 1\n----------------------------\n<\/code><\/pre>\n\n\n\n<p>Great. That is all on our guide on how to install and set up the FreeIPA server on CentOS 8. Stay connected for more guides on FreeIPA.<\/p>\n\n\n\n
<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">How to Install FreeIPA Server on Fedora 29\/Fedora 28\/CentOS 7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-fedora-29\/\" target=\"_blank\">Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\" target=\"_blank\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian-10-9\/\" target=\"_blank\" rel=\"noreferrer noopener\"
aria-label=\" (opens in a new tab)\">Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our today&#8217;s guide on how to install and Setup FreeIPA server on CentOS 8. FreeIPA is an integrated Identity and Authentication solution for<\/p>\n","protected":false},"author":1,"featured_media":22391,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1152],"tags":[1142,247,1151],"class_list":["post-4403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-freeipa","tag-centos-8","tag-freeipa","tag-ipa","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4403"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4403"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4403\/revisions"}],"predecessor-version":[{"id":22397,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4403\/revisions\/22397"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/22391"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4403"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}