
How To Install FreeIPA on CentOS 7


In this tutorial, we will show you how to install FreeIPA on a CentOS 7 server. For those of you who didn’t know, FreeIPA is an open-source identity management system for Linux/Unix environments that provides centralized account management and authentication, like Microsoft Active Directory or LDAP.

FreeIPA has many components, including Kerberos, NTP, DNS, and Dogtag (a certificate system) in order to provide security on your CentOS 7 server. The full FreeIPA package essentially provides Linux systems with the ability for centralized authentication, authorization, and account information by storing data about users, groups, hosts, and all the other objects that are needed to manage security for networks.

This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account; if not, you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the FreeIPA open-source identity management system on a CentOS 7 server.

Prerequisites

  • A server running CentOS 7.
  • It’s recommended that you use a fresh OS install to prevent any potential issues.
  • SSH access to the server (or just open Terminal if you’re on a desktop).
  • A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.

Install FreeIPA on CentOS 7

Step 1. First, let’s start by ensuring your system is up-to-date.

yum clean all
yum -y update

Step 2. Installing FreeIPA.

The first thing that we are going to do is to prepare the CentOS 7 server to run FreeIPA. In order to do this, we are going to set the hostname of the system and map it to the host IP address in /etc/hosts. In our case, the host IP is 192.168.1.2/24:

hostnamectl set-hostname ipa.idroot.local
echo "192.168.1.2 ipa.idroot.local ipa" >> /etc/hosts

Next, install the package dependencies required for our setup with the following command if they are not already installed:

yum install bind-dyndb-ldap ipa-server-dns sssd-client sssd-common sssd-common-pac sssd-ldap sssd-proxy python-sssdconfig authconfig authconfig-gtk

Then, install FreeIPA using the following command:

yum install ipa-server -y

Step 3. Configuring FreeIPA.

The setup process for FreeIPA can take a long time to complete depending on the server specifications. Begin the setup process with the following command:

ipa-server-install --setup-dns

Here is what the configuration dialog looks like when you run the previous command:

[root@idroot.us ~]# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.idroot.local]: [ENTER]

Warning: skipping DNS resolution of host ipa.idroot.local
The domain name has been determined based on the host name.

Please confirm the domain name [idroot.local]:[ENTER]
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [IDROOT.LOCAL]: [ENTER]
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: [ENTER PASSWORD]
Password (confirm): [ENTER PASSWORD]

 . . . . .

After the FreeIPA installation, authenticate to the Kerberos realm to ensure that the administrator is configured correctly:

kinit admin

Next, we are going to use authconfig to ensure that user home directories are created, and enable sssd:

authconfig --enablemkhomedir --update
systemctl enable sssd

Step 4. Configure firewall for FreeIPA.

If the firewalld daemon is running on your system, use these commands to allow the FreeIPA services through the firewall:

firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
firewall-cmd --reload

Step 5. Accessing FreeIPA.

FreeIPA will be available on HTTP port 80 by default. Open your favorite browser and navigate to https://ipa.idroot.local/ and complete the required steps to finish the installation.
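The installer in Step 3 relies on the host settings from Step 2: the server name must be fully qualified and must come first on a non-loopback /etc/hosts line. The pre-flight check below is an added example, not part of the original tutorial; check_ipa_host is a hypothetical helper name and the sample hosts file is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for the Step 2 hostname and /etc/hosts entry.
# check_ipa_host is a hypothetical helper, not a FreeIPA command.

# check_ipa_host FQDN [HOSTS_FILE]
# Prints "ok <ip>" and returns 0 when FQDN is fully qualified and is the
# canonical (first) name on a non-loopback hosts line. Otherwise prints the
# reason (not-fqdn, missing, loopback <ip>, not-canonical <ip>) and returns 1.
check_ipa_host() {
    fqdn=$1
    hosts=${2:-/etc/hosts}
    case $fqdn in
        *.*) ;;
        *) echo "not-fqdn"; return 1 ;;
    esac
    # Strip comments, then report on the first line that names the FQDN.
    result=$(sed 's/#.*//' "$hosts" | awk -v h="$fqdn" '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != tolower(h)) continue
                if ($1 ~ /^127\./ || $1 == "::1") { print "loopback", $1; exit }
                if (i != 2) { print "not-canonical", $1; exit }
                print "ok", $1; exit
            }
        }')
    [ -n "$result" ] || result="missing"
    echo "$result"
    case $result in ok*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: the hosts line added in Step 2.
sample=$(mktemp)
printf '127.0.0.1 localhost\n192.168.1.2 ipa.idroot.local ipa\n' > "$sample"
check_ipa_host ipa.idroot.local "$sample"        # name the installer offers
check_ipa_host ipa.idroot.us "$sample" || true   # a name with no hosts entry
rm -f "$sample"
```

On the real server, run `check_ipa_host "$(hostname -f)"` before starting ipa-server-install.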

Congratulations! You have successfully installed FreeIPA. Thanks for using this tutorial for installing FreeIPA open-source identity management on CentOS 7 systems. For additional help or useful information, we recommend you check the official FreeIPA website.


r00t
