How to install FreeIPA on CentOS 7

FreeIPA® is an open-source security information management solution that has both a web interface and command-line administration tools. FreeIPA has many components including Kerberos, NTP, DNS, and Dogtag (a certificate system) in order to provide security on your CentOS 7 server. The full FreeIPA package essentially provides Linux systems with the abilities for centralized authentication, authorization and account information by storing data about user, groups, hosts and all the other objects that are needed to manage security for networks. With its multitude of administration options, FreeIPA is extremely easy to configure for your needs and simple to manage.

To get the FreeIPA suite of tools working for you, this tutorial will teach you how you can setup and configure a basic FreeIPA installation for your CentOS 7 system.

Getting Started

The completion of this tutorial requires the following:
• 1 Server (Cloud Server or Dedicated Server) running CentOS 7.
• All commands should be run as the root user

Tutorial

It is always good practice to ensure that your server is up to date before installing new packages. As the root user, update your CentOS 7 server using yum with the -y flag to avoid prompts for yes as shown:

yum update -y

Before we install FreeIPA, we have to take some basic steps to configure our machine to be ready. Install the package dependencies required for our setup with the following commands if they are not already installed:

yum install bind-dyndb-ldap ipa-server-dns sssd-client sssd-common sssd-common-pac sssd-ldap sssd-proxy python-sssdconfig authconfig authconfig-gtk

We also need to make sure that our server hostname can resolve to a valid IP address in order to be able to install and access FreeIPA. For the purposes of this tutorial, we will use 10.10.0.35 as our IP address for our server and ipa.tutorial.com as our url. Execute the following commands, replacing with your own IP and url:

echo 10.10.0.35 ipa.globo.tech ipa7 >> /etc/hosts
echo ipa.globo.tech > /etc/hostname

Now we are ready to install the actual FreeIPA server. Use yum again to install the necessary package. Don’t forget that all commands must be done as the root user:

yum install ipa-server -y

Configuring FreeIPA

The setup process for FreeIPA can take a long time to complete depending on the server specifications. Begin the setup process with the following command:

ipa-server-install --setup-dns

This setup process executes the following steps: configures a stand-alone CA (dogtag) for certificate management, configures the Network Time Daemon (ntpd), creates and configures an instance of Directory Server, creates and configures a Kerberos Key Distribution Center (KDC), configures Apache (httpd), and configures DNS (bind). During the setup, you will be prompted with several questions regarding the server installation. Make sure to define the server hostname and domain name for DNS.

It is also at this point that you will setup the password for the IPA admin and directory manager during the installation. These passwords must be eight characters long. You will also be asked questions about the Kerberos realm. Usually, this will be the same as the domain name and are given in upper case letters. More about Kerberos is explained when obtaining its ticket in the next step.

When the process finally completes (which may be up to 30 minutes), it will provide some information about ports that must be opened which will be done in the following step, but first we must obtain a Kerberos ticket. The Kerberos server is a basic component of FreeIPA and provides authentication services for FreeIPA and all of its components. The Kerberos ticket is essentially a temporary pass-book to authenticate with Kerberos and allows us to use the IPA tools with the user interface. Obtain the admin ticket:

kinit admin

You can see your tickets at any time with the below command, which will also show expiry dates:

klist

Now to complete the installation, allow firewall access to the specified ports as follows:

TCP Ports:
• 80 – 443: HTTP/HTTPS
• 389 – 636: LDPA/LDAPS
• 88 – 464: Kerberos
• 53: Bind
UDP Ports:
• 88 – 464: Kerberos
• 53: Bind
• 123: ntp

Finish firewall configuration and reload with the following. These commands are used to allow FreeIPA services in the case the the security daemon Firewalld is running on your system. If it is not running, you can skip this step.

firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload

After allowing traffic for the above ports, next use authconfig to make sure that home directories are created using:

authconfig --enablemkhomedir --update

To enable SSSD, short for System Security Services Daemon, to run on boot as well as start it, use the following commands:

chkconfig sssd on
service sssd start

As a last step, reboot your server.

Testing the Setup

You can verify that everything is working as it should by trying to access your interface after completing the above steps. You can access the interface using the login admin and password that you set during the installation. Don’t forget to replace the tutorial IP address with your own:

https://10.10.0.35

Here after log in, have a look around!

Conclusion

Completion of this guide means that you are now able to install FreeIPA on your system, configure it to run, and start benefitting from its security features. More detailed information about FreeIPA can be found online to further customize this security suite solution, but if you found this tutorial about the basics helpful, why not share it with your friends? Everyone can benefit from enhanced security.