How To Install FreeIPA on Fedora 42

FreeIPA provides a comprehensive identity management solution for Linux environments, combining user authentication, authorization, and account information into a centralized system. By integrating key technologies like LDAP, Kerberos, DNS, and certificate management, FreeIPA creates a robust identity management framework that simplifies administration while enhancing security. This guide walks you through installing and configuring FreeIPA on Fedora 42, covering everything from basic setup to advanced configurations.

Understanding FreeIPA

FreeIPA (Free Identity, Policy, and Audit) serves as an integrated security information management solution for Linux/Unix environments. It functions similarly to Active Directory in Windows environments, providing centralized identity management capabilities.

The core components of FreeIPA include:

  • 389 Directory Server (LDAP) for storing user information and policies
  • MIT Kerberos for secure authentication and single sign-on
  • Integrated DNS server for name resolution and service discovery
  • Certificate Authority for managing digital certificates
  • Web UI for easy administration

These integrated components provide significant benefits for organizations:

  • Centralized user and group management across multiple systems
  • Enhanced security through consistent policy enforcement
  • Simplified compliance and auditing capabilities
  • Reduced administrative overhead for IT teams
  • Seamless single sign-on experience for users

FreeIPA is particularly valuable for organizations with multiple Linux systems where manual user management becomes impractical.

Hardware and System Requirements

Before proceeding with installation, ensure your system meets these requirements:

  • CPU: Minimum 2 cores (4+ recommended for production)
  • RAM: At least 2GB (4GB+ recommended for production)
  • Disk Space: Minimum 12GB free space
  • Network: Static IP address and proper DNS configuration
  • Operating System: Fedora 42 with latest updates

For network configuration, these elements are essential:

  • Fully Qualified Domain Name (FQDN) properly configured
  • Forward and reverse DNS records for the FreeIPA server
  • Proper time synchronization (critical for Kerberos)

While these requirements are sufficient for testing or small deployments, consider increasing resources for production environments with many users or hosts.

Prerequisites and Preparation

Proper preparation is crucial for a successful FreeIPA installation. Follow these steps carefully:

Update Your System

First, ensure your Fedora system is fully updated:

sudo dnf check-update
sudo dnf upgrade -y

Configure Hostname and DNS

Set a fully qualified domain name for your server:

sudo hostnamectl set-hostname ipa.example.com

Edit the hosts file to include your server’s FQDN:

sudo nano /etc/hosts

Add an entry like:

192.168.1.100   ipa.example.com   ipa

Verify the hostname is correctly set:

hostname -f

Set Up Time Synchronization

Proper time synchronization is critical for Kerberos authentication:

sudo dnf install -y chrony
sudo systemctl enable --now chronyd

Verify time synchronization:

chronyc tracking

The time offset should be minimal (under 5 seconds) for Kerberos to function properly.
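
The three preparation steps above (FQDN, /etc/hosts entry, clock offset) are the ones that most often break a FreeIPA install, so it is worth checking them together before running the installer. The following script is an added example, not part of this tutorial; it takes the text of `hostname -f`, /etc/hosts and `chronyc tracking` as inputs so it can be run against the constructed samples embedded below, and the 5-second limit is the one this tutorial uses.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a FreeIPA server host: FQDN sanity, /etc/hosts
# consistency and chrony clock offset. Added example, not from the tutorial.
# The sample inputs at the bottom are constructed; on a real host pass the
# output of `hostname -f`, /etc/hosts and `chronyc tracking` instead.

# 0 when NAME is fully qualified (contains a dot, is not a localhost name and
# does not end in a dot), else 1.
is_fqdn() {
  case "$1" in
    localhost|localhost.*|*.localdomain|*.) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when HOSTS_TEXT has a non-comment line mapping IP to FQDN, else 1.
# Usage: hosts_maps_fqdn "$hosts_text" 192.168.1.100 ipa.example.com
hosts_maps_fqdn() {
  printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
    /^[[:space:]]*#/ || NF == 0 { next }
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print the absolute clock offset in seconds from `chronyc tracking` output
# (the "System time" line reads e.g. "0.000123456 seconds fast of NTP time").
chrony_offset_seconds() {
  printf '%s\n' "$1" | awk -F': ' '
    /^System time/ { off = $2 + 0; if (off < 0) off = -off; printf "%.6f\n", off; exit }'
}

# 0 when the offset is below MAX seconds, 1 when it is larger or missing.
chrony_offset_ok() {
  off=$(chrony_offset_seconds "$1")
  [ -n "$off" ] || return 1
  awk -v off="$off" -v max="$2" 'BEGIN { exit (off + 0 < max + 0) ? 0 : 1 }'
}

# Print a human-readable report for one host.
preflight_report() {
  host=$1; ip=$2; hosts=$3; tracking=$4
  if is_fqdn "$host"; then echo "hostname ok: $host"; else echo "hostname is NOT an FQDN: $host"; fi
  if hosts_maps_fqdn "$hosts" "$ip" "$host"; then echo "/etc/hosts ok"; else echo "/etc/hosts lacks: $ip $host"; fi
  if chrony_offset_ok "$tracking" 5; then
    echo "clock ok (offset $(chrony_offset_seconds "$tracking") s)"
  else
    echo "clock offset too large (or chrony not tracking) for Kerberos"
  fi
}

# Constructed sample inputs for a stand-alone run.
SAMPLE_HOSTS='# constructed /etc/hosts
127.0.0.1   localhost
192.168.1.100   ipa.example.com   ipa'
SAMPLE_TRACKING='Reference ID    : C0A80101 (ntp.example.com)
Stratum         : 3
System time     : 0.000123456 seconds fast of NTP time
Last offset     : -0.000001234 seconds
Leap status     : Normal'

preflight_report ipa.example.com 192.168.1.100 "$SAMPLE_HOSTS" "$SAMPLE_TRACKING"
```

On the server itself, call it as `preflight_report "$(hostname -f)" 192.168.1.100 "$(cat /etc/hosts)" "$(chronyc tracking)"` with your own IP address; any line reporting a problem should be fixed before `ipa-server-install` is run.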

Installing FreeIPA Server Packages

Now that your system is prepared, install the necessary FreeIPA packages:

Basic Installation

For a standard installation with integrated DNS (recommended):

sudo dnf install -y freeipa-server freeipa-server-dns

For installation without DNS management:

sudo dnf install -y freeipa-server

The installation will download and install numerous dependencies, including:

  • 389-ds-base (Directory Server)
  • krb5-server (Kerberos)
  • httpd (Apache web server)
  • pki-ca (Certificate Authority)
  • bind (DNS server, if selected)

Verify that the packages installed correctly:

rpm -qa | grep ipa-server

Configuring the FreeIPA Server

With packages installed, it’s time to configure the FreeIPA server:

Basic Server Configuration

For an interactive installation:

sudo ipa-server-install

For more control, supply the settings as options. The installer still prompts for anything not given, for example DNS forwarders when --setup-dns is used (answer that with --forwarder=IP or --no-forwarders):

sudo ipa-server-install \
  --realm EXAMPLE.COM \
  --domain example.com \
  --ds-password SecurePassword1 \
  --admin-password SecurePassword2 \
  --hostname ipa.example.com \
  --setup-dns \
  --auto-reverse

Key parameters include:

  • --realm: Kerberos realm (typically the DNS domain in uppercase)
  • --domain: Your DNS domain
  • --ds-password: Directory Manager password
  • --admin-password: Admin account password
  • --setup-dns: Configure the integrated DNS server
  • --auto-reverse: Create reverse DNS zones automatically

The installation process will:

  1. Configure the Directory Server
  2. Set up Kerberos
  3. Install the Certificate Authority
  4. Configure the web interface
  5. Set up DNS (if selected)
  6. Start all required services

This process typically takes 5-10 minutes to complete.

Verifying Installation Success

After installation completes, verify that services are running:

sudo ipactl status

All services should show as “RUNNING”. Test authentication:

kinit admin

If successful, you can view your ticket with:

klist

DNS Configuration and Management

If you installed FreeIPA with integrated DNS, proper configuration is essential:

Managing DNS Zones

View existing zones:

ipa dnszone-find

Add a new DNS zone:

ipa dnszone-add newzone.example.com

Adding DNS Records

Add various record types:

# A record
ipa dnsrecord-add example.com www --a-rec=192.168.1.10

# CNAME record
ipa dnsrecord-add example.com mail --cname-rec=mailserver.example.com.

# MX record
ipa dnsrecord-add example.com @ --mx-rec="10 mail.example.com."

Testing DNS Configuration

Verify that DNS resolution works correctly:

dig @localhost example.com
dig @localhost -x 192.168.1.100
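
Two details in the record commands above are easy to get wrong: the CNAME and MX targets end with a trailing dot (without it the name is interpreted relative to the zone), and the `dig -x` check queries a PTR name built from the reversed address. The helpers below make both explicit. They are an added example, not part of this tutorial; the /24 assumption in `reverse_zone_24` is a constructed simplification (the installer derives the reverse zone from the interface netmask).

```bash
#!/usr/bin/env bash
# Helpers for the DNS record and reverse-lookup steps. Added example, not part
# of the tutorial; all inputs are constructed.

# Print NAME as an absolute DNS name ending in a dot. A name already ending in
# '.' is returned unchanged; '@' means the zone apex; any other name is
# qualified with ZONE, which is how a relative CNAME/MX target is resolved.
absolute_name() {
  case "$1" in
    *.) printf '%s\n' "$1" ;;
    @)  printf '%s.\n' "${2%.}" ;;
    *)  printf '%s.%s.\n' "$1" "${2%.}" ;;
  esac
}

# Print the PTR owner name that `dig -x` queries for a dotted-quad IPv4
# address (192.168.1.100 -> 100.1.168.192.in-addr.arpa.).
ptr_name() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Print the reverse zone holding that PTR, assuming a /24 network
# (constructed assumption; ipa-server-install uses the real netmask).
reverse_zone_24() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# 0 when an MX value has the form "<priority> <absolute-name.>", else 1.
mx_value_ok() {
  printf '%s\n' "$1" | awk '
    NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /\.$/ { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Stand-alone demonstration with the tutorial's own names.
echo "absolute CNAME target : $(absolute_name mailserver.example.com. example.com)"
echo "relative target 'mailserver' becomes: $(absolute_name mailserver example.com)"
echo "PTR name for 192.168.1.100: $(ptr_name 192.168.1.100)"
echo "reverse zone (/24)        : $(reverse_zone_24 192.168.1.100)"
if mx_value_ok "10 mail.example.com."; then echo "MX value ok"; else echo "MX value malformed"; fi
```

The PTR name printed for 192.168.1.100 is exactly what `dig @localhost -x 192.168.1.100` asks the server for, so if the reverse lookup fails you can check with `ipa dnsrecord-find` whether that name exists in the reverse zone.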

Proper DNS configuration is crucial for Kerberos authentication and service discovery in your FreeIPA environment.

Firewall and Security Configuration

Secure your FreeIPA server by properly configuring the firewall:

Opening Required Ports

Configure firewalld to allow FreeIPA services:

sudo firewall-cmd --permanent --add-service=freeipa-ldap
sudo firewall-cmd --permanent --add-service=freeipa-ldaps
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=kerberos
sudo firewall-cmd --permanent --add-service=kpasswd
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload

Alternatively, open individual ports:

# TCP ports
sudo firewall-cmd --permanent --add-port={80,443,389,636,88,464,53}/tcp
# UDP ports
sudo firewall-cmd --permanent --add-port={88,464,53,123}/udp
sudo firewall-cmd --reload
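
Whichever of the two forms you used, it helps to confirm afterwards that every FreeIPA port is actually open, since a host configured by service names and one configured by raw ports look different in `firewall-cmd --list-all`. The script below is an added example, not part of this tutorial: it reads a `--list-all` listing (a constructed sample is embedded) and reports each required port that is covered neither by its firewalld service nor by an explicit port entry. The port-to-service table is taken from the two command lists above; firewalld's freeipa-ldap service in fact bundles several of these ports, but the table deliberately credits each port to a single service.

```bash
#!/usr/bin/env bash
# Verify that a `firewall-cmd --list-all` listing opens every FreeIPA port,
# by service name or by explicit port. Added example, not from the tutorial;
# the sample listing is constructed.

# Port -> firewalld service, one pair per line, from the two lists above.
# (freeipa-ldap really covers more than 389/tcp; this table is deliberately
# one-service-per-port so each missing port is reported once.)
PORT_SERVICE_TABLE='80/tcp http
443/tcp https
389/tcp freeipa-ldap
636/tcp freeipa-ldaps
88/tcp kerberos
88/udp kerberos
464/tcp kpasswd
464/udp kpasswd
53/tcp dns
53/udp dns
123/udp ntp'

# Print the value of one "key:" line of a --list-all listing (services, ports).
listing_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print every required port that is open neither via its service nor via an
# explicit port entry; print nothing when the zone is complete.
uncovered_ports() {
  services=" $(listing_field "$1" services) "
  ports=" $(listing_field "$1" ports) "
  printf '%s\n' "$PORT_SERVICE_TABLE" | while read -r port service; do
    case "$services" in *" $service "*) continue ;; esac
    case "$ports" in *" $port "*) continue ;; esac
    printf '%s\n' "$port"
  done
}

# Constructed sample: services opened as in the first command list, except
# freeipa-ldaps, and ntp opened as a raw port instead of a service.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client dns freeipa-ldap http https kerberos kpasswd ssh
  ports: 123/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

missing=$(uncovered_ports "$SAMPLE_LISTING")
if [ -n "$missing" ]; then
  printf 'not open: %s\n' "$missing"
else
  echo "all FreeIPA ports are open"
fi
```

On the server, run `uncovered_ports "$(sudo firewall-cmd --list-all)"`; an empty result means every port from the lists above is reachable through the active zone.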

SELinux Configuration

FreeIPA is designed to work with SELinux enabled. Typically, no manual SELinux configuration is needed, but you can check for issues:

sudo ausearch -m avc -ts recent

Password Policies

Implement strong password policies:

ipa pwpolicy-mod global_policy --maxlife=90 --minlength=8 --minclasses=3

This example sets passwords to expire after 90 days, requires at least 8 characters, and mandates characters from at least three of the four classes (uppercase, lowercase, digits, special characters).

Post-Installation Verification

After installation, verify that all components are functioning correctly:

Service Status Check

Verify all services are running:

sudo ipactl status

Web Interface Access

Access the web interface by navigating to:

https://ipa.example.com

Log in with the admin username and password configured during installation.

Testing Authentication

Test Kerberos authentication:

kinit admin
klist

If successful, you’ll see a valid Kerberos ticket for the admin user.

FreeIPA Client Configuration

To enable centralized authentication, enroll client machines in your FreeIPA domain:

Installing Client Packages

On client systems:

sudo dnf install -y freeipa-client

Client Enrollment

Enroll the client in the FreeIPA domain:

sudo ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM

For unattended installation:

sudo ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=admin --password=AdminPassword --unattended

Testing Client Authentication

After enrollment, test authentication:

kinit admin
id admin

This should show the admin user’s UID, GID, and group memberships from FreeIPA.

User and Group Management

Manage users and groups through command-line or web interface:

Creating Users

Add a new user:

ipa user-add username --first=First --last=Last --email=user@example.com --password

A password set by an administrator expires immediately, so the user is forced to change it at first login. To set an explicit expiration time instead, pass a timestamp (sample value shown):

ipa user-add username --first=First --last=Last --password --password-expiration=20251231235959Z

Managing Groups

Create and populate groups:

ipa group-add developers --desc="Development team"
ipa group-add-member developers --users=username1,username2

Password Policies

Create group-specific password policies. Each group policy needs a priority, which decides which policy applies to a user who is in several groups (a lower number wins):

ipa pwpolicy-add developers --maxlife=60 --minlength=10 --minclasses=4 --priority=10
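
The --minlength and --minclasses values used in the global policy above and in this group policy are enforced by the Directory Server when a password is set, and the rejection message is terse. The check below is an added example, not part of this tutorial and not FreeIPA's own enforcement code: it evaluates a candidate password against a given length and class count using the four classes this tutorial names (uppercase, lowercase, digits, special characters), so you can see why a password would be refused before a user hits the error.

```bash
#!/usr/bin/env bash
# Client-side emulation of the --minlength / --minclasses checks, using the
# four classes the tutorial names. Added example, not FreeIPA's own code; the
# passwords below are constructed samples.

# Print how many of the four character classes PASSWORD contains (0-4).
count_classes() {
  n=0
  printf '%s' "$1" | grep -q '[[:upper:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[[:lower:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[[:digit:]]' && n=$((n + 1))
  printf '%s' "$1" | grep -q '[^[:alnum:]]' && n=$((n + 1))
  echo "$n"
}

# 0 when PASSWORD satisfies MINLENGTH and MINCLASSES, else 1.
# Prints the reason so the caller can see which rule failed.
meets_policy() {
  pw=$1; minlen=$2; mincls=$3
  len=${#pw}
  classes=$(count_classes "$pw")
  if [ "$len" -lt "$minlen" ]; then
    echo "too short: $len < $minlen"; return 1
  fi
  if [ "$classes" -lt "$mincls" ]; then
    echo "too few character classes: $classes < $mincls"; return 1
  fi
  echo "ok ($len chars, $classes classes)"
}

# Stand-alone demonstration against both policies defined above:
# the global policy (8 chars, 3 classes) and the developers policy
# (10 chars, 4 classes).
for candidate in 'password' 'Passw0rd' 'Passw0rd!' 'Long-Passw0rd!'; do
  printf '%-16s global: %s\n' "$candidate" "$(meets_policy "$candidate" 8 3)"
  printf '%-16s developers: %s\n' "$candidate" "$(meets_policy "$candidate" 10 4)"
done
```

Note that `ipa pwpolicy-show developers` will still be the authority on what is enforced: this emulation only covers length and class count, not history or lockout settings.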

Advanced Configuration

Enhance your FreeIPA deployment with advanced features:

Setting Up Replicas

For high availability, create replicas:

# On the new replica server
sudo dnf install -y freeipa-server
sudo ipa-replica-install --principal admin --admin-password AdminPassword

Active Directory Integration

Establish trust with Active Directory:

sudo ipa-adtrust-install
ipa trust-add --type=ad ad.example.com --admin Administrator --password

SSH Key Management

Manage SSH keys centrally:

ipa user-mod username --sshpubkey="ssh-rsa AAAAB3Nz... user@host"

Automount Configuration

Configure automount for home directories:

sudo ipa-client-automount

Troubleshooting Common Issues

When encountering problems, check these common areas:

DNS Issues

If client enrollment fails with DNS errors:

# Verify DNS resolution
dig ipa.example.com
dig -x 192.168.1.100

# Check for SRV records
dig _ldap._tcp.example.com SRV

Authentication Problems

For authentication failures:

# Check time synchronization
chronyc tracking

# Debug Kerberos authentication
KRB5_TRACE=/dev/stdout kinit username

# Check SSSD logs
sudo tail -f /var/log/sssd/*.log

Service Failures

If services fail to start:

# Check service status
sudo ipactl status

# Check service logs
sudo journalctl -u dirsrv@EXAMPLE-COM.service
sudo journalctl -u krb5kdc
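
Both the verification step earlier (every line of `ipactl status` should read RUNNING) and this troubleshooting step (find the right journald unit for whatever is not running) can be automated from the same status output. The script below is an added example, not part of this tutorial: it parses a constructed `ipactl status` listing, names the services that are not RUNNING, and prints the matching `journalctl -u` command. The dirsrv and krb5kdc unit names follow the commands above and the pki-tomcatd instance name is FreeIPA's default; for any other service the unit is assumed to be `<name>.service`.

```bash
#!/usr/bin/env bash
# Turn `ipactl status` output into a list of services needing attention and
# the journalctl command for each. Added example, not from the tutorial; the
# status text below is constructed.

# Print "<service> <state>" for every "<service> Service: <STATE>" line.
ipactl_states() {
  printf '%s\n' "$1" | awk -F': ' '
    $1 ~ / Service$/ { sub(/ Service$/, "", $1); print $1, $2 }'
}

# Print the names of services whose state is anything other than RUNNING.
ipactl_not_running() {
  ipactl_states "$1" | awk '$2 != "RUNNING" { print $1 }'
}

# Print the systemd unit for a service named by ipactl, given the realm.
# dirsrv@<REALM-with-dashes> and krb5kdc follow the journalctl commands above;
# pki-tomcatd@pki-tomcat is the FreeIPA default CA instance; anything else is
# assumed (not verified here) to be "<name>.service".
unit_for() {
  case "$1" in
    Directory)   printf 'dirsrv@%s.service\n' "$(printf '%s' "$2" | tr '.' '-')" ;;
    krb5kdc)     echo krb5kdc.service ;;
    pki-tomcatd) echo pki-tomcatd@pki-tomcat.service ;;
    *)           printf '%s.service\n' "$1" ;;
  esac
}

# Print one journalctl command per service that is not RUNNING.
failed_service_commands() {
  ipactl_not_running "$1" | while read -r name; do
    printf 'sudo journalctl -u %s\n' "$(unit_for "$name" "$2")"
  done
}

# Constructed sample with the CA stopped.
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

failed=$(ipactl_not_running "$SAMPLE_STATUS")
if [ -z "$failed" ]; then
  echo "all FreeIPA services RUNNING"
else
  echo "not running: $failed"
  echo "check logs with:"
  failed_service_commands "$SAMPLE_STATUS" EXAMPLE.COM
fi
```

On a live server, `failed_service_commands "$(sudo ipactl status)" EXAMPLE.COM` with your own realm prints the exact commands to run next; an empty `ipactl_not_running` result is the state the verification sections above expect.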

Key Log Locations

Important log files for troubleshooting:

  • Installation log: /var/log/ipaserver-install.log
  • Directory Server: /var/log/dirsrv/slapd-EXAMPLE-COM/
  • Kerberos: /var/log/krb5kdc.log
  • Web UI: /var/log/httpd/error_log
  • Client installation: /var/log/ipaclient-install.log

Congratulations! You have successfully installed FreeIPA. Thanks for using this tutorial for installing FreeIPA on your Fedora 42 Linux system. For additional information, we recommend you check the official FreeIPA website.

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.