Tuesday, September 4, 2018

How to install and configure FreeIPA on Red Hat Linux

https://linuxconfig.org/how-to-install-and-configure-freeipa-on-red-hat-linux

Objective

Our objective is to install and configure a standalone FreeIPA server on Red Hat Enterprise Linux.

Operating System and Software Versions

  • Operating System: Red Hat Enterprise Linux 7.5
  • Software: FreeIPA 4.5.4-10

Requirements

Privileged access to the target server, available software repository.

Difficulty

MEDIUM

Conventions

  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given linux commands to be executed as a regular non-privileged user

Introduction

FreeIPA is mainly a directory service, where you can store information about your users, and their rights regarding login, become root, or just run a specific command as root on your systems that are joined your FreeIPA domain, and many more. Although this is the main feature of the service, there are optional components that can be very useful, like DNS and PKI - this makes FreeIPA an essential infrastructural part of a Linux-based system. It has a nice web-based GUI, and powerful command line interface.

In this tutorial we will see how to install and configure a standalone FreeIPA server on a Red Hat Enterprise Linux 7.5. Note however, that in a production system you are advised to create at least one more replica to provide high availability. We'll be hosting the service on a virtual machine with 2 CPU cores and 2 GB of RAM - on a large system you might want to add some more resources. Our lab machine runs RHEL 7.5, base install. Let's get started.

To install and configure a FreeIPA server is pretty easy - the gotcha is in the planning. You should think about what parts of the software stack you want to use, and what is the environment you want to run these services. As FreeIPA can handle DNS, if you are building a system from scratch, it might be useful give a whole DNS domain to FreeIPA, where all client machines will be calling the FreeIPA servers for DNS. This domain can be a subdomain of your infrastructure, you can even set a subdomain only for the FreeIPA servers - but think this trough carefully, as you can not change the domain later. Don't use an existing domain, FreeIPA needs to think it is the master of the given domain (the installer will check if the domain can be resolved, and if it has a SOA record other then itself).

PKI is another question: if you already have a CA (Certificate Authority) in your system, you might want to setup FreeIPA as a subordinate CA. With the help of Certmonger, FreeIPA have the ability to automatically renew client certificates (like a web server's SSL certificate), which can come in handy - but if the system has no Internet-facing service, you may not need the PKI service of FreeIPA at all. It all depends on the use case.

In this tutorial the planning is already done. We want to build a new testing lab, so we'll install and configure all features of FreeIPA, including DNS and PKI with a self-signed CA certificate. FreeIPA can generate this for us, no need to create one with tools like openssl.


Requirements

What should be set up first is a reliable NTP source for the server (FreeIPA will act as an NTP server too, but needs a source naturally), and an entry in the server's /etc/hosts file pointing to itself:

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.122.147 rhel7.ipa.linuxconfig.org rhel7
And the hostname provided in the hosts file MUST be the FQDN of the machine.

# hostname
rhel7.ipa.linuxconfig.org
This is an important step, don't miss it. The same hostname needed in the network file:

# grep HOSTNAME /etc/sysconfig/network
HOSTNAME=rhel7.ipa.linuxconfig.org

Installing packages

The software needed is included in the Red Hat Enterprise Linux server ISO image or subscription channel, no additional repositories needed. In this demo there is a local repository set which have the contents of the ISO image. The software stack is bundled together, so a single yum command will do:

# yum install ipa-server ipa-server-dns
On a base install, yum will provide a long list of dependencies, including Apache Tomcat, Apache Httpd, 389-ds (the LDAP server), and so on. After yum finishes, open the ports needed on the firewall:

# firewall-cmd --add-service=freeipa-ldap
success
# firewall-cmd --add-service=freeipa-ldap --permanent
success


Setup

Now let's setup our new FreeIPA server. This will take time, but you only needed for the first part, when the installer asks for parameters. Most parameters can be passed as arguments to the installer, but we’ll not give any, this way we can benefit from the previous settings.
# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

## we'll use the integrated DNS server
Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.

## pressing 'enter' means we accept the default in the bracelets
## this is the reason we set up the proper FDQN for the host
Server host name [rhel7.ipa.linuxconfig.org]:       

Warning: skipping DNS resolution of host rhel7.ipa.linuxconfig.org
The domain name has been determined based on the host name.

## now we don't have to type/paste domain name
## and the installer don’t need to try setting the host’s name
Please confirm the domain name [ipa.linuxconfig.org]:      
           
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

## the Kerberos realm is mapped from the domain name
Please provide a realm name [IPA.LINUXCONFIG.ORG]:      
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

## Directory Manager user is for the low-level operations, like creating replicas
Directory Manager password: 
## use a very strong password in a production environment!      
Password (confirm):          

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

## admin is the "root" of the FreeIPA system – but not the LDAP directory
IPA admin password:          
Password (confirm): 

Checking DNS domain ipa.linuxconfig.org., please wait ...
## we could setup forwarders, but this can be set later as well
Do you want to configure DNS forwarders? [yes]: no     
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: no

The IPA Master Server will be configured with:
Hostname:       rhel7.ipa.linuxconfig.org
IP address(es): 192.168.122.147
Domain name:    ipa.linuxconfig.org
Realm name:     IPA.LINUXCONFIG.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       No forwarders
Forward policy:   only
Reverse zone(s):  No reverse zone

Continue to configure the system with these values? [no]: yes

## at this point the installer will work on its own,
## and complete the process in a few minutes. The perfect time for coffee.
The following operations may take some minutes to complete.    
Please wait until the prompt is returned.      

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd ...
The output of the installer is rather long, you can see as all components configured, restarted, and verified. At the end of the output, there some steps needed for full functionality, but not for the installation process itself.
... The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
As the installer points out, be sure to backup the CA cert, and open additional needed ports on the firewall.

Now let's enable home directory creation on login:
# authconfig --enablemkhomedir –-update


Verification

We can start testing if we have a working service stack. Let's test if we can get a Kerberos ticket for the admin user (with the password given to the admin user during install):
# kinit admin
Password for admin@IPA.LINUXCONFIG.ORG
 : 
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@IPA.LINUXCONFIG.ORG

Valid starting       Expires              Service principal
2018-06-24 21.44.30  2018-06-25 21.44.28  krbtgt/IPA.LINUXCONFIG.ORG@IPA.LINUXCONFIG.ORG
The host machine is enrolled into our new domain, and the default rules grant ssh access to the above-created admin user to all enrolled host. Let's test if these rules work as expected by opening ssh connection to localhost:
# ssh admin@localhost
Password: 
Creating home directory for admin.
Last login: Sun Jun 24 21:41:57 2018 from localhost
$ pwd
/home/admin
$ exit
Let's check the status of the whole software stack:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
And - with the Kerberos ticket acquired earlier - ask for information about the admin user using the CLI tool:

# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@IPA.LINUXCONFIG.ORG
  UID: 630200000
  GID: 630200000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------


And finally, login to the web-based management page using the admin user's credentials (the machine running the browser must be able to resolve the name of the FreeIPA server). Use HTTPS, the server will redirect if plain HTTP is used. As we installed a self-signed root certificate, the browser will warn us about it.

FreeIPA login page
Login page of the FreeIPA WUI
The default page after login shows the list of our users, where now only the admin user appears.

FreeIPA user list
The default page after login is the userlist in FreeIPA WUI


With this we completed our goal, we have a running FreeIPA server ready to be populated with users, hosts, certificates, and various rules.

No comments:

Post a Comment