# FreeIPA

[FreeIPA](https://www.freeipa.org/page/Main_Page) is an open source identity management solution. It's a good modern day solution for centralized account management. For this one we'll be installing the server on a Fedora machine.

By looking at the installation [requirements](https://www.freeipa.org/page/Quick_Start_Guide#Preparing_a_Platform) we learn that we need a bit more RAM than usual. I suggest a machine with:

* 4GB RAM
* min 2 CPU
* 10GB disk

## Server installation

Do a Fedora installation as you have done before. Your base installation should look like the screenshot below.

![base](./assets/fedora_01.png)

When looking through the software selection list we can already install freeipa from the start. Tick it, or install it later through `dnf`, your call. Notice the `Network Servers` package and how it *still* includes `nis`?

![software selection](./assets/fedora_02.png)

Fedora takes a bit more time to install but once it's done, log in and install your tools of choice. Your Debian skills will go a long way here.

```bash
[waldek@fedora ~]$ sudo dnf install htop tmux vim
[sudo] password for waldek:
Last metadata expiration check: 0:00:04 ago on Tue 28 Sep 2021 21:12:01 CEST.
Dependencies resolved.
=================================================================================
 Package              Architecture   Version                 Repository     Size
=================================================================================
Installing:
 htop                 x86_64         3.0.5-4.fc34            fedora        154 k
 tmux                 x86_64         3.1c-2.fc34             fedora        397 k
 vim-enhanced         x86_64         2:8.2.3404-1.fc34       updates       1.8 M
Installing dependencies:
 gpm-libs             x86_64         1.20.7-26.fc34          fedora         20 k
 libsodium            x86_64         1.0.18-7.fc34           fedora        165 k
 vim-common           x86_64         2:8.2.3404-1.fc34       updates       6.7 M
 vim-filesystem       noarch         2:8.2.3404-1.fc34       updates        22 k

Transaction Summary
=================================================================================
Install  7 Packages

Total download size: 9.3 M
Installed size: 36 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): gpm-libs-1.20.7-26.fc34.x86_64.rpm             38 kB/s |  20 kB     00:00
(2/7): htop-3.0.5-4.fc34.x86_64.rpm                  270 kB/s | 154 kB     00:00
(3/7): libsodium-1.0.18-7.fc34.x86_64.rpm            262 kB/s | 165 kB     00:00
(4/7): tmux-3.1c-2.fc34.x86_64.rpm                   996 kB/s | 397 kB     00:00
(5/7): vim-filesystem-8.2.3404-1.fc34.noarch.rpm     139 kB/s |  22 kB     00:00
(6/7): vim-enhanced-8.2.3404-1.fc34.x86_64.rpm       943 kB/s | 1.8 MB     00:02
(7/7): vim-common-8.2.3404-1.fc34.x86_64.rpm         2.2 MB/s | 6.7 MB     00:02
---------------------------------------------------------------------------------
Total                                                2.0 MB/s | 9.3 MB     00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                         1/1
  Installing       : vim-filesystem-2:8.2.3404-1.fc34.noarch                 1/7
  Installing       : vim-common-2:8.2.3404-1.fc34.x86_64                     2/7
  Installing       : libsodium-1.0.18-7.fc34.x86_64                          3/7
  Installing       : gpm-libs-1.20.7-26.fc34.x86_64                          4/7
  Installing       : vim-enhanced-2:8.2.3404-1.fc34.x86_64                   5/7
  Installing       : tmux-3.1c-2.fc34.x86_64                                 6/7
  Running scriptlet: tmux-3.1c-2.fc34.x86_64                                 6/7
  Installing       : htop-3.0.5-4.fc34.x86_64                                7/7
  Running scriptlet: htop-3.0.5-4.fc34.x86_64                                7/7
  Verifying        : gpm-libs-1.20.7-26.fc34.x86_64                          1/7
  Verifying        : htop-3.0.5-4.fc34.x86_64                                2/7
  Verifying        : libsodium-1.0.18-7.fc34.x86_64                          3/7
  Verifying        : tmux-3.1c-2.fc34.x86_64                                 4/7
  Verifying        : vim-common-2:8.2.3404-1.fc34.x86_64                     5/7
  Verifying        : vim-enhanced-2:8.2.3404-1.fc34.x86_64                   6/7
  Verifying        : vim-filesystem-2:8.2.3404-1.fc34.noarch                 7/7

Installed:
  gpm-libs-1.20.7-26.fc34.x86_64            htop-3.0.5-4.fc34.x86_64
  libsodium-1.0.18-7.fc34.x86_64            tmux-3.1c-2.fc34.x86_64
  vim-common-2:8.2.3404-1.fc34.x86_64       vim-enhanced-2:8.2.3404-1.fc34.x86_64
  vim-filesystem-2:8.2.3404-1.fc34.noarch

Complete!
[waldek@fedora ~]$
```

Once this is done we need to set a `hostname` and a FQDN. Most LDAP servers are *very* picky about domains and FQDNs and FreeIPA is no different: the host name must be lower-case and fully qualified, and the domain part (everything after the host's own label) must itself contain a dot, because single-label domains are rejected. `ipa.lan` fails, `ipa.corp.lan` works. The name must also resolve to the machine's routable address, not to a loopback entry. Here the static hostname stays the short name and `/etc/hosts` supplies the FQDN, which is why the `192.168.0.69` line comes first. I advise a reboot once you have set this before continuing the configuration, and a check that `hostname -f` prints `ipa.corp.lan`.

```bash
[waldek@ipa ~]$ cat /etc/hostname
ipa
[waldek@ipa ~]$ cat /etc/hosts
192.168.0.69 ipa.corp.lan ipa
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[waldek@ipa ~]$
```

We can configure the server with a tool called `ipa-server-install` that comes installed with the FreeIPA package. It will run you through some questions but the default values are good for the most part. I'll be adding some arguments to speed things up.
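Before running the installer it pays to check the name rules above by hand, because `ipa-server-install` only tells you about them one at a time. The script below is an added example, not part of these notes or of FreeIPA: `validate_fqdn` applies the string rules (lower-case, fully qualified, no single-label domain, sane labels) and derives the domain and realm the installer will propose; `check_resolution` then asks `getent` what the name resolves to on this machine and rejects loopback addresses, the classic Debian pitfall where the installer places the FQDN on `127.0.1.1` in `/etc/hosts`. The names in the comments are the ones from this page.

```bash
#!/bin/sh
# Added example, not from the original notes or the FreeIPA project:
# pre-flight checks for the name an IPA server will be installed under.
# Usage: sh ipa-preflight.sh ipa.corp.lan
export LC_ALL=C    # byte-wise [A-Z] / [a-z] ranges regardless of locale

# validate_fqdn NAME -> 0 if NAME is usable as an IPA server hostname.
validate_fqdn() {
    fqdn=${1%.}                        # tolerate one trailing dot
    case $fqdn in
        *[A-Z]*)        echo "reject: '$fqdn' must be lower-case"; return 1 ;;
        ''|.*|*..*|*.)  echo "reject: empty label in '$fqdn'"; return 1 ;;
        *.*)            ;;             # at least host.domain, keep going
        *)              echo "reject: '$fqdn' is not fully qualified"; return 1 ;;
    esac
    # each label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
    for label in $(printf '%s' "$fqdn" | tr '.' ' '); do
        case $label in
            -*|*-)        echo "reject: label '$label' starts or ends with '-'"; return 1 ;;
            *[!a-z0-9-]*) echo "reject: label '$label' has characters outside [a-z0-9-]"; return 1 ;;
        esac
        [ "${#label}" -le 63 ] || { echo "reject: label '$label' is longer than 63 chars"; return 1; }
    done
    # ipa-server-install derives the domain from the host name and refuses
    # a single-label domain: ipa.lan -> domain "lan" -> rejected
    domain=${fqdn#*.}
    case $domain in
        *.*) ;;
        *)   echo "reject: domain '$domain' has a single label; use something like corp.$domain"; return 1 ;;
    esac
    echo "ok: host=${fqdn%%.*} domain=$domain realm=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')"
}

# is_loopback ADDR -> 0 if ADDR is a loopback address (127.0.0.0/8 or ::1).
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_resolution NAME -> 0 if NAME resolves here to a non-loopback address.
# Reads /etc/hosts and DNS the same way the installer does (via NSS).
check_resolution() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "reject: '$1' does not resolve; add it to /etc/hosts or DNS"; return 1
    fi
    if is_loopback "$addr"; then
        echo "reject: '$1' resolves to loopback $addr; point it at the routable address"; return 1
    fi
    echo "ok: $1 -> $addr"
}

if [ -n "${1:-}" ]; then
    validate_fqdn "$1" && check_resolution "$1"
fi
```

With the `/etc/hosts` shown above, `sh ipa-preflight.sh ipa.corp.lan` prints the host, domain and realm the installer will propose and `ok: ipa.corp.lan -> 192.168.0.69`; run the same check on a client before `ipa-client-install`, since the `127.0.1.1` line Debian writes is what makes enrollment register the wrong address.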
The `--mkhomedir -a -p` arguments I'm adding do the following. In practice you should set proper passwords, and preferably not pass them on the command line at all: anything typed there ends up in your shell history and is visible in `ps` output while the installer runs. Leave `-a` and `-p` out and the installer prompts for both.

```bash
  --mkhomedir           create home directories for users on their first login
  -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        Directory Manager password
  -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        admin user kerberos password
```

There we go!

```bash
[waldek@ipa ~]$ sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.corp.lan]:

The domain name has been determined based on the host name.

Please confirm the domain name [corp.lan]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [CORP.LAN]:
Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:
Hostname:       ipa.corp.lan
IP address(es): 192.168.0.69
Domain name:    corp.lan
Realm name:     CORP.LAN

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=CORP.LAN
Subject base: O=CORP.LAN
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  [2/28]: stopping certificate server instance to update CS.cfg
  [3/28]: backing up CS.cfg
  [4/28]: Add ipa-pki-wait-running
  [5/28]: secure AJP connector
  [6/28]: reindex attributes
  [7/28]: exporting Dogtag certificate store pin
  [8/28]: disabling nonces
  [9/28]: set up CRL publishing
  [10/28]: enable PKIX certificate path discovery and validation
  [11/28]: authorizing RA to modify profiles
  [12/28]: authorizing RA to manage lightweight CAs
  [13/28]: Ensure lightweight CAs container exists
  [14/28]: starting certificate server instance
  [15/28]: configure certmonger for renewals
  [16/28]: requesting RA certificate from CA
  [17/28]: publishing the CA certificate
  [18/28]: adding RA agent as a trusted user
  [19/28]: configure certificate renewals
  [20/28]: Configure HTTP to proxy connections
  [21/28]: updating IPA configuration
  [22/28]: enabling CA instance
  [23/28]: importing IPA certificate profiles
  [24/28]: migrating certificate profiles to LDAP
  [25/28]: adding default CA ACL
  [26/28]: adding 'ipa' CA entry
  [27/28]: configuring certmonger renewal for lightweight CAs
  [28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.9.6

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.o8dlznpf.db
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[waldek@ipa ~]$
```

Take the last hint seriously: `/root/cacert.p12` holds the CA's private key, protected only by the Directory Manager password. It is the root of trust for every certificate and PKINIT credential in the realm, so back it up somewhere offline and keep it out of any VM image you pass around.

Fedora comes with a firewall installed by default so let's open up the ports the installer listed and make the change permanent. The `freeipa-ldap` and `freeipa-ldaps` firewalld services bundle the LDAP, Kerberos and HTTP ports (`firewall-cmd --info-service=freeipa-ldap` shows exactly what they contain). Note that `--permanent` only edits the saved configuration: run `sudo firewall-cmd --reload` afterwards, or repeat the command without `--permanent`, so the running firewall picks it up, and confirm with `firewall-cmd --list-services`.

```bash
[waldek@ipa ~]$ sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=http --add-service=https --permanent
success
[waldek@ipa ~]$
```

### Adding users

#### Command line

We can add users from the command line with the `ipa` tool. In order to *use* the tool we need to authenticate with Kerberos first.
```bash
[waldek@ipa ~]$ kinit admin
Password for admin@CORP.LAN:
[waldek@ipa ~]$
```

Next we can **add** a user and **set** the password. The `ipa` commands only work from a session that holds that ticket; `klist` tells you whether the one you're in does.

```bash
[waldek@ipa ~]$ ipa user-add
First name: david
Last name: guy
User login [dguy]: david
------------------
Added user "david"
------------------
  User login: david
  First name: david
  Last name: guy
  Full name: david guy
  Display name: david guy
  Initials: dg
  Home directory: /home/david
  GECOS: david guy
  Login shell: /bin/sh
  Principal name: david@CORP.LAN
  Principal alias: david@CORP.LAN
  Email address: david@corp.lan
  UID: 1715200004
  GID: 1715200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[waldek@ipa ~]$ ipa passwd david
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "david@CORP.LAN"
-------------------------------------
[waldek@ipa ~]$
```

Note the `Password: False` and `Kerberos keys available: False` lines: a freshly added user cannot authenticate until a password has been set. A password set by an administrator this way is marked expired on purpose, so the user is forced to choose their own at first login.

#### Web GUI

Because `corp.lan` is not served by the DNS on our LAN, the server's name won't resolve from your workstation out of the box; add the FreeIPA server to the `/etc/hosts` file of the machine you browse from. Next open a browser and navigate to the hostname of your server (use the name rather than the IP address, since the certificate was issued for `ipa.corp.lan`). The web server presents a certificate from the freshly created, self-signed IPA CA, so the browser will warn; import `/etc/ipa/ca.crt` from the server (also served at `http://ipa.corp.lan/ipa/config/ca.crt`) instead of clicking through the warning. There you log in with the admin credentials you set during the installation. You'll see a dashboard similar to the one below.

![dashboard](./assets/fedora_03.png)

## Client installation

### Debian

We'll need a classic headless Debian server to install the client software on. No real hardware requirements here but keep in mind the **domain** you set your FreeIPA server to! This machine will need to be in the same domain. Once up and running, install your preferred tools and look for the `freeipa-client` package to install. It seems to be missing! We can [find](https://packages.debian.org/buster/freeipa-client) it on the Debian website though. There is a package available for Buster *and* for *Sid* but not for Bullseye.
The problem is that it was not ready in time for the release so it got excluded, not that it's incompatible. Remember apt pinning? We can use it to include packages from different branches of Debian. Let's add the sources and set up the pinning. With stable pinned above unstable (700 over 600), apt keeps every package that bullseye ships and only reaches into sid for what bullseye lacks; `apt-cache policy freeipa-client` shows which candidate wins, and since the `sid` line is now a permanent source, look at what `apt upgrade` proposes before accepting it.

```bash
waldek@ipaclient1:~$ cat /etc/apt/sources.list
#

# deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main

#deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main

deb http://deb.debian.org/debian/ bullseye main
deb-src http://deb.debian.org/debian/ bullseye main

deb http://deb.debian.org/debian/ sid main
deb-src http://deb.debian.org/debian/ sid main

deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main

# bullseye-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bullseye-updates main
deb-src http://deb.debian.org/debian/ bullseye-updates main

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
waldek@ipaclient1:~$ cat /etc/apt/preferences.d/pinning
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=unstable
Pin-Priority: 600
waldek@ipaclient1:~$ sudo apt install freeipa-client
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
freeipa-client is already the newest version (4.8.10-2+b1).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
waldek@ipaclient1:~$
```

We need to add the IP address of our server to our hosts file so our client can contact it.
```bash
waldek@ipaclient1:~$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       ipaclient1.corp.lan     ipaclient1
192.168.0.69    ipa.corp.lan            ipa

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
waldek@ipaclient1:~$
```

Just as with the server, the client comes with a configuration tool as well. Because we skipped FreeIPA's integrated DNS, there are no SRV records the client could discover the server with, so we pass `--server` and `--domain` explicitly; that is also why the tool warns that failover discovery cannot work. Here we also add the `--mkhomedir` argument so each user who logs in gets his or her own home directory on the local computer.

Two things to know before you run it outside a lab. The tool asks for a user authorized to enroll computers, `admin` here; instead of typing the admin password on every client, pre-create the host on the server with `ipa host-add ipaclient1.corp.lan --random`, which prints a one-time password, and enroll with `ipa-client-install --password=<that password>`. And the CA certificate is fetched from the server during enrollment and trusted as-is; copy `/etc/ipa/ca.crt` from the server beforehand and pass it with `--ca-cert-file` so the client never trusts whatever happens to answer on the network.

```bash
waldek@ipaclient1:~$ sudo ipa-client-install --server ipa.corp.lan --domain corp.lan --mkhomedir
This program will set up FreeIPA client.
Version 4.8.10

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: ipaclient1.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CORP.LAN:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=CORP.LAN
    Issuer:      CN=Certificate Authority,O=CORP.LAN
    Valid From:  2021-09-28 19:30:06
    Valid Until: 2041-09-28 19:30:06

Enrolled in IPA realm CORP.LAN
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CORP.LAN
Systemwide CA database updated.
Hostname (ipaclient1.corp.lan) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient1.corp.lan: 192.168.0.145.
Incorrect reverse record(s):
192.168.0.145 is pointing to ipaclient1.lan. instead of ipaclient1.corp.lan.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
waldek@ipaclient1:~$
```

The DNS complaints are expected: without integrated DNS there is nowhere to register the client's A and SSHFP records, and name resolution keeps working through `/etc/hosts`. Once this is done we can use the accounts we added to the server, either via the command line or the web interface, to authenticate with on the local machine. Here `alice` was added the same way as `david` above. The first login asks for a new password because the one the administrator set is expired on purpose, and the `$` prompt reflects the default login shell of `/bin/sh` (change it per user with `ipa user-mod alice --shell=/bin/bash`, or for all new users with `ipa config-mod --defaultshell=/bin/bash`). The home directory is created on the spot thanks to `--mkhomedir`.

```bash
waldek@ipaclient1:~$ su alice
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
$ id
uid=1715200001(alice) gid=1715200001(alice) groups=1715200001(alice)
$ cd
$ pwd
/home/alice
$
```

### Fedora

TODO in class
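### Restricting logins with HBAC

The installer step `creating default HBAC rule allow_all` is why `alice` could log in to `ipaclient1` without any further setup: by default every IPA user may use every PAM service on every enrolled host. Host-based access control (HBAC) rules are where you narrow that down, and the safe order matters, because the moment `allow_all` goes off anyone not covered by a rule is refused. The script below is an added example, not part of these notes or of the FreeIPA project: it creates a rule that only lets members of a `sysadmins` user group SSH into hosts in a `linux-servers` host group (both names, and the rule name `sysadmins_ssh`, are made up here), keeps `admin` and the IPA server itself inside that rule, checks the new rule server-side with `ipa hbactest`, and only then disables `allow_all`. Run it on the server after `kinit admin`; with `IPA_BIN=echo` it prints the `ipa` commands instead of running them.

```bash
#!/bin/sh
# Added example, not from the original notes or the FreeIPA project:
# replace the installer's allow_all HBAC rule with a scoped one.
#   HBAC_APPLY=1 sh hbac.sh                 # apply on the server after kinit admin
#   HBAC_APPLY=1 IPA_BIN=echo sh hbac.sh    # dry run: print the ipa commands
# Group "sysadmins", host group "linux-servers" and rule "sysadmins_ssh"
# are made-up names for this example.

ipa_run() { "${IPA_BIN:-ipa}" "$@"; }

# Objects the rule refers to. *-add fails if the object already exists and
# *-add-member fails if the member is already there; both are fine here.
ensure_groups() {
    group=$1; hostgroup=$2; server=$3
    ipa_run group-add "$group" --desc="may log in to $hostgroup" || true
    ipa_run hostgroup-add "$hostgroup" --desc="hosts open to $group" || true
    # admin and the IPA server stay inside the rule so you cannot lock
    # yourself out of the server once allow_all is gone
    ipa_run group-add-member "$group" --users=admin || true
    ipa_run hostgroup-add-member "$hostgroup" --hosts="$server" || true
}

# The scoped rule: who (user group), where (host group), which PAM service.
add_ssh_rule() {
    rule=$1; group=$2; hostgroup=$3
    ipa_run hbacrule-add "$rule" --desc="sshd for $group on $hostgroup" &&
    ipa_run hbacrule-add-user "$rule" --groups="$group" &&
    ipa_run hbacrule-add-host "$rule" --hostgroups="$hostgroup" &&
    ipa_run hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Safe order: create the new rule, simulate only that rule with hbactest
# (allow_all is still on, so testing all enabled rules would prove nothing),
# and switch allow_all off only if admin would still get in.
build_ssh_policy() {
    group=$1; hostgroup=$2; server=$3
    rule="${group}_ssh"
    ensure_groups "$group" "$hostgroup" "$server"
    add_ssh_rule "$rule" "$group" "$hostgroup" || return 1
    ipa_run hbactest --user=admin --host="$server" --service=sshd --rules="$rule" || return 1
    ipa_run hbacrule-disable allow_all
}

if [ -n "${HBAC_APPLY:-}" ]; then
    build_ssh_policy sysadmins linux-servers "$(hostname -f)"
fi
```

Keep the session you ran this from open and test an SSH login from a second terminal before closing it. Clients cache HBAC decisions in SSSD, so `sss_cache -E` on a client forces a refresh, and `ipa hbacrule-find` lists the rules in force. HBAC only governs PAM logins; `sudo` rights are separate `ipa sudorule-*` objects.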