How to install FreeIPA on AlmaLinux or Rocky 8


A tutorial on the steps and commands to install FreeIPA on CentOS 8, AlmaLinux or Rocky Linux 8 servers, to obtain a centralized authentication, authorization and account-information service.

FreeIPA stands for Free Identity, Policy, Audit. It is an open-source identity management solution built on an LDAP directory (389 Directory Server) and a Kerberos KDC (MIT Kerberos), with optional components such as an integrated DNS server (BIND with bind-dyndb-ldap) and a certificate authority (Dogtag). It manages a domain of users, hosts, access policies and trust relationships. Does that sound like Microsoft Active Directory? It fills the same role for Linux and UNIX hosts. FreeIPA can also establish a cross-forest trust with an existing Active Directory forest, and it can live in a DNS zone below an Active Directory-managed zone as long as the two domains do not overlap. It is administered through a web interface and a command-line tool set.

Prerequisites:

  • the hostname must be fully qualified and resolvable (forward and reverse lookups should agree). The commands below use demo.example.com as a placeholder; our test machine was demo.how2shout.com
  • At least 1 GB of RAM and 10 GB of free disk space (plan for more of both on a production server with many users)

Steps to install FreeIPA on AlmaLinux or Rocky Linux 8

The commands below can also be used on CentOS 8, Oracle Linux, VzLinux, and other RPM-based operating systems.

1. Define the hostname in AlmaLinux or Rocky

FreeIPA requires a fully qualified domain name: the hostname becomes part of the server's Kerberos service principals and the name on its certificate, so we first set the FQDN we want to use. For example, here we use demo.example.com, which our DNS server resolves to the machine. If you do not have a DNS server, add an entry to the AlmaLinux server's /etc/hosts file so that the FQDN resolves to the system's IP address.

sudo hostnamectl set-hostname demo.example.com

Replace demo.example.com with the hostname you want for your server; it must be lowercase and contain at least one dot.

The hostname must resolve to the IP address that other hosts use to reach the server, not to a loopback address (ipa-server-install refuses a hostname that resolves to 127.0.0.1). If DNS does not already provide that, map the server's address to the FQDN in the hosts file:

echo "192.168.0.110 demo.example.com demo" | sudo tee -a /etc/hosts

Replace 192.168.0.110 with your server's IP address and demo.example.com with your FQDN; the trailing demo is the short alias.

Note: If you only want to test FreeIPA locally, use a name under a reserved test domain such as .test (RFC 2606), for example demo.ipa.test. Avoid .local: it is reserved for multicast DNS (RFC 6762), and the Avahi/mDNS resolvers on client machines will try to answer for it before your IPA DNS does. .home is not reserved at all; the reserved equivalent is home.arpa (RFC 8375).

Once done, confirm that the name resolves to the address you expect and that the host answers:

ping -c 2 demo.example.com

Then reboot so that every service starts with the new hostname:

sudo reboot

2. Run the system update

Before going further, run the system update command once so that all installed packages are current; this also refreshes the repository metadata cache.

sudo dnf update

3. Enable the Identity Management (IdM) module stream

The FreeIPA server and client packages live in the AppStream repository, but they are delivered as the idm module, so we first have to enable its DL1 stream (the stream that carries the FreeIPA server) on AlmaLinux or Rocky Linux. The command below enables the stream and installs its default profile; sudo dnf module enable idm:DL1 does the enabling alone.

sudo dnf install @idm:DL1

4. Install FreeIPA on AlmaLinux or Rocky Linux 8

Once the idm:DL1 stream is enabled, install the FreeIPA server package, which pulls in 389 Directory Server, MIT Kerberos, the Dogtag CA and the Apache-hosted web interface:

sudo dnf install ipa-server

If you also want FreeIPA to run the integrated BIND DNS server, install the DNS packages as well:

sudo dnf install ipa-server-dns bind-dyndb-ldap

5. Configure the FreeIPA server

Everything needed is now installed, so run the setup script. It creates the LDAP directory, the Kerberos realm and KDC, the certificate authority and the web interface, and it must run as root:

sudo ipa-server-install

The command starts a text-mode wizard that asks a series of questions. The first is whether to configure integrated BIND DNS; the default is no, so just press Enter to continue without it. If you want FreeIPA to serve DNS for the domain (it then manages the SRV records that clients use to find the KDC and LDAP server), type yes and press Enter; the installer then also asks about DNS forwarders and reverse zones.

Next the installer detects the server hostname and derives two defaults from it: the domain name (the hostname without its first label, here example.com) and the Kerberos realm (the domain in upper case, here EXAMPLE.COM). Press Enter to accept each of them.

Configure the domain name for the freeIPA server

After that, the installer asks for a Directory Manager password (the LDAP superuser, used only for low-level directory administration and recovery) and an IPA admin password (the account you will use in the web interface and on the command line). Both must be at least 8 characters; choose long, distinct passwords and keep the Directory Manager one in a password safe, because it bypasses all IPA access control. Then it asks whether to configure chrony with an NTP server or pool address; accept the default (no) to keep the existing time configuration, or type yes and supply a source. Kerberos tolerates only a few minutes of clock skew, so make sure the clock is synchronised one way or the other.

When the installer shows a summary of these values and asks whether to continue to configure the system, type yes and press Enter. The setup takes several minutes and ends by printing the list of ports that must be open.

6. Configure the Linux firewall

If your server runs at a cloud provider, use its security groups or firewall to allow the following ports; whichever firewall you use, restrict the source to the networks your clients live on, since Kerberos and LDAP should not be reachable from the whole Internet.

You need to make sure that these network ports are open:

TCP ports:
80, 443: HTTP / HTTPS (web interface, CA certificate and CRL download)
389, 636: LDAP / LDAPS
88, 464: Kerberos (authentication and password changes)

UDP ports:
88, 464: Kerberos
123: NTP (only if the server is to serve time to clients)

If you installed the DNS component, also open port 53 on both TCP and UDP.

Whereas if firewalld is running on the server, the following two commands do the same (drop dns if you did not install the DNS component; newer firewalld releases also ship a combined freeipa-4 service covering the same HTTP, LDAP and Kerberos ports):

sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload
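Steps 1 to 6 above are a single procedure, and the checks that usually bite (a hostname that is not lowercase or not fully qualified, a hostname that resolves to loopback, a too-short Directory Manager password) are only reported part-way through ipa-server-install. The script below is an added example, not code from the original article or from the FreeIPA project: it performs those checks up front and then runs the same steps unattended. demo.example.com, 192.168.0.110 and the environment variables IPA_DS_PASSWORD and IPA_ADMIN_PASSWORD are placeholders this example assumes; export the two passwords from a root-only file before running it with --apply.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-flight checks and an
# unattended wrapper for steps 1-6. demo.example.com and 192.168.0.110 are
# placeholders; IPA_DS_PASSWORD and IPA_ADMIN_PASSWORD are environment
# variables this script assumes you export (from a root-only file) beforehand.
set -eu

# Fully qualified, lowercase DNS labels, no underscores, never localhost.
check_fqdn() {
    name="$1"
    case "$name" in
        localhost|localhost.*) return 1 ;;
        *.*) ;;                                  # at least one dot
        *) return 1 ;;
    esac
    [ "${#name}" -le 253 ] || return 1
    printf '%s\n' "$name" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Dotted quad with every octet in 0-255. Loopback is rejected because
# ipa-server-install refuses a hostname that resolves to 127.0.0.0/8.
check_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.|127.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# FreeIPA defaults: domain = hostname without its first label, realm = DOMAIN in upper case.
derive_domain() { printf '%s\n' "${1#*.}"; }
derive_realm()  { derive_domain "$1" | tr '[:lower:]' '[:upper:]'; }

# ipa-server-install rejects passwords under 8 characters; 12 is this script's own floor.
check_password() { [ "${#1}" -ge 12 ]; }

# Does an /etc/hosts-style file already map ip to fqdn? Comments and aliases are handled.
hosts_has_entry() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Non-secret installer arguments; the two passwords are appended from the
# environment at run time so they never sit in this file or a copied command.
build_install_args() {
    fqdn="$1"; ip="$2"; with_dns="$3"
    printf '%s' "--unattended --hostname=$fqdn --ip-address=$ip" \
        " --domain=$(derive_domain "$fqdn") --realm=$(derive_realm "$fqdn")"
    # --no-forwarders resolves via root hints; use --forwarder=<ip> if your
    # network requires an upstream resolver.
    if [ "$with_dns" = yes ]; then printf ' %s' "--setup-dns --no-forwarders --auto-reverse"; fi
    printf '\n'
}

install_server() {
    fqdn="$1"; ip="$2"; with_dns="$3"
    check_fqdn "$fqdn" || { echo "hostname must be a lowercase FQDN" >&2; return 1; }
    check_ipv4 "$ip"   || { echo "bad IPv4 address: $ip" >&2; return 1; }
    check_password "${IPA_DS_PASSWORD:-}"    || { echo "IPA_DS_PASSWORD too short" >&2; return 1; }
    check_password "${IPA_ADMIN_PASSWORD:-}" || { echo "IPA_ADMIN_PASSWORD too short" >&2; return 1; }

    hostnamectl set-hostname "$fqdn"
    hosts_has_entry /etc/hosts "$ip" "$fqdn" || echo "$ip $fqdn ${fqdn%%.*}" >> /etc/hosts
    # The installer checks resolution itself; fail here with a clearer message instead.
    [ "$(getent hosts "$fqdn" | awk '{ print $1; exit }')" = "$ip" ] ||
        { echo "$fqdn does not resolve to $ip" >&2; return 1; }

    dnf -y module enable idm:DL1
    pkgs=ipa-server
    if [ "$with_dns" = yes ]; then pkgs="ipa-server ipa-server-dns"; fi
    dnf -y install $pkgs
    # Word splitting is intentional: the args were validated above and contain no spaces.
    ipa-server-install $(build_install_args "$fqdn" "$ip" "$with_dns") \
        -p "$IPA_DS_PASSWORD" -a "$IPA_ADMIN_PASSWORD"

    firewall-cmd --permanent --add-service=freeipa-4 --add-service=ntp
    if [ "$with_dns" = yes ]; then firewall-cmd --permanent --add-service=dns; fi
    firewall-cmd --reload
}

# Only define functions unless explicitly applied, so the file can be sourced for its checks.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_server "${2:-demo.example.com}" "${3:-192.168.0.110}" "${4:-no}"
fi
```

Run it as sudo ./ipa-setup.sh --apply demo.example.com 192.168.0.110 yes (the file name is our choice). Unattended mode has one trade-off worth knowing: -p and -a put the passwords on the ipa-server-install command line, where any local user can read them from /proc for the duration of the install. On a freshly built server with a single administrator that is acceptable; on a shared machine, run the interactive wizard from step 5 instead.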

7. Access the FreeIPA GUI web interface

After the script has finished, open a browser and point it to the FQDN you set at the beginning, for example https://demo.example.com. Typing https://your-server-ip also works: the server redirects to the FQDN, which therefore has to resolve on your client machine too. The web server certificate is issued by the new IPA CA, so the browser warns until you import the CA certificate, which is published at http://demo.example.com/ipa/config/ca.crt.

Installation of FreeIPA on AlmaLinux or Rocky Linux 8

8. Log in

The built-in administrative account is admin (not "administrator"); its password is the IPA admin password you defined in step 5 of this article.

FreeIPA login page

FreeIPA command line

Those who do not wish to use the FreeIPA web GUI can use the command line to perform various operations such as creating users, testing SSH connection for users, etc.

To start using the CLI, obtain a Kerberos ticket for the admin account. Run this as your own user: sudo is not needed and would put the ticket into root's credential cache instead of yours.

kinit admin

Enter the IPA admin password you defined during installation. klist then shows the ticket, and every ipa command below authenticates with it instead of asking for a password again.

Once you have a ticket you can start using ipa commands. For the full list of commands and their options, see the man page (or run ipa help commands):

man ipa

For example, to create a user (--password prompts twice for an initial password; FreeIPA treats a password set by an administrator as expired, so the user must change it at first login):

ipa user-add testuser --first=Test --last=User --email=testuser@example.com --password

Once the user has been added, you can authenticate as that user with:

kinit testuser

The first kinit asks for the initial password and then immediately prompts for a new one.

To list user accounts:

ipa user-find

To log in over SSH with the new user, on the IPA server itself or on any host enrolled with ipa-client-install:

ssh testuser@demo.example.com
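The user-creation commands above are fine typed by hand, but when you script account creation you want it to be repeatable and to avoid typing the initial password at all. The following is an added example, not code from the original article or the FreeIPA project: it checks for a valid ticket, creates the user only if it does not already exist, and lets ipa user-add --random generate the initial password, which the user is forced to change at first login. testuser, example.com and the sample output are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: an idempotent user-creation
# routine for the CLI section. testuser and example.com are placeholders, and
# everything under --apply needs a valid admin ticket (kinit admin) first.
set -eu

# Pull the generated password out of `ipa user-add --random` output. That output
# is the only place the password appears; hand it to the user out of band.
random_password_from_output() {
    awk -F': ' '/^[[:space:]]*Random password:/ { print $2; exit }'
}

# Sample output in the shape ipa user-add prints (constructed for this example).
SAMPLE_USER_ADD_OUTPUT='---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: Test
  Last name: User
  Random password: Xk7pQ2vB9mLz'

ensure_user() {
    login="$1"; first="$2"; last="$3"; mail="$4"
    # Fail early if the admin ticket is missing or expired (klist -s is silent).
    klist -s || { echo "no valid Kerberos ticket; run: kinit admin" >&2; return 1; }
    if ipa user-show "$login" >/dev/null 2>&1; then
        echo "$login already exists" >&2
        return 0
    fi
    pw=$(ipa user-add "$login" --first="$first" --last="$last" --email="$mail" --random |
         random_password_from_output)
    # The pipeline's status is awk's, so check the parsed value instead.
    [ -n "$pw" ] || { echo "ipa user-add $login failed" >&2; return 1; }
    echo "created $login; initial password (change forced at first kinit): $pw"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_user testuser Test User testuser@example.com
    ipa user-find testuser
else
    # Without --apply only the parser is exercised, on the constructed sample.
    printf '%s\n' "$SAMPLE_USER_ADD_OUTPUT" | random_password_from_output
fi
```

Because the initial password is random and expires at once, the only secret you handle is a one-time value, and the user's real password is never known to the administrator. For bulk onboarding, keep the printed passwords out of shell history and logs by delivering them through whatever secure channel you already use.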

For more information, see the official FreeIPA documentation.

Uninstall FreeIPA from AlmaLinux or Rocky

If you run into a problem with the identity management system or no longer need it, the command below removes the FreeIPA server from CentOS, AlmaLinux, Rocky or any similar Linux system. It removes the server configuration and the directory data but leaves the packages installed. If the server is part of a replication topology, remove it from the topology first (ipa server-del on another replica) so the remaining servers do not keep trying to replicate with it.

sudo ipa-server-install --uninstall
