How to Install FreeIPA Server on RHEL 9 Step-by-Step

by

In this guide, we will demonstrate how to install FreeIPA server on RHEL 9 step-by-step.

Sponsored by RedHat, FreeIPA, – Identity Policy Authentication – is a free and opensource identity and Authentication management solution designed specifically for Linux/Unix environments. FreeIPA is to Linux what Active Directory is to Windows.

FreeIPA provides a centralized solution for authentication and authorization of user accounts in a Linux environment.  It is the Upstream to RedHat’s IdM (Identity Manager) and is built on top of the following opensource components:

  • NTP Server – Network Time Protocol Server
  • Apache HTTP Server – A web server that allows you to access and manage FreeIPA from the Web browser.
  • 389 Directory Server – This is an implementation of LDAP and is the main data store that provides a full multi-master LDAPv3 directory infrastructure.
  • Dogtag PKI Certificate Authority – It provides CA certificate management functions.
  • MIT Kerberos KDC – This provides a Kerberos database and service for Single-Sign-on authentication.
  • ISC Bind DNS server – It manages Domain Names
  • Python Management framework

Prerequisites

To get started, here are some of the prerequisites that you need to pay attention to:

  • A fresh installation of RHEL 9 Server
  • Minimum 4GB RAM
  • Minimum 2 vCPUs
  • Minimum 10GB hard disk space.
  • Red Hat Subscription or locally configured yum repository.
  • An FQDN (Fully Qualified Domain Name ) pointing to your server’s Public IP address. For this guide, we are using a registered domain called linuxtechwhiz.info pointing to the server’s public IP 74.207.228.169.
  • Ports 443 and 80 should not be in use by any other application

Step 1) Configure hostname and update /etc/hosts file

To start off, you need to configure the hostname of your server to correspond to the FQDN. To change the hostname, use the following syntax:

$ sudo hostnamectl set-hostname your-hostname

In our case, the command will be:

$ sudo hostnamectl set-hostname linuxtechwhiz.info

To confirm the hostname change, run the command:

$ hostname

Next, access the /etc/hosts file.

$ sudo vim /etc/hosts

Add an entry for your FQDN as shown

server-public-ip       fqdn.example.com

In our case, this will be:

74.207.228.169         linuxtechwhiz.info

Save the changes and exit.

Next, confirm that the registered domain which is also configured as the hostname resolves to the public IP of the server. You can do this by pinging the domain name.

$ ping -c 4 linuxtechwhiz.info

Ping-FQDN-Linux

Step 2) Configure SELinux

Next, you need to configure SELinux so as to access the FreeIPA server from a browser. Here, we will set the SELinux to ‘permissive’ mode.

To do so, run the following commands:

$ sudo setenforce 0
$ sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

To confirm the change in the SELinux status, run the command:

$ sestatus

Set-SELinux-Permissive-Mode-Sed-Command

Then reboot the system for the changes to come into effect.

$ sudo reboot

Step 3) Install FreeIPA Server on RHEL 9

To install the FreeIPA server on your system run the command

$ sudo dnf install freeipa-server -y

This installs a host of FreeIPA packages and a host of other additional packages.

DNF-Install-FreeIPA-RHEL9

If you wish to install the FreeIPA DNS Server, go ahead and install the DNS packages as shown.

$ sudo dnf install ipa-server-dns bind-dyndb-ldap -y

DNS-FreeIPA-Package-RHEL9

Step 4) Setup FreeIPA Server

Setting up of the FreeIPA Server is simplified using a simple script that automates the configuration of several components of the FreeIPA server.

To begin the server setup run the following script,

$ sudo ipa-server-install

The script walks you through a series of prompts. The first prompt will require you to set up integrated BIND DNS. By default, pressing ENTER chooses the default selection. In this guide, we will skip using the BIND DNS option.

Next, configure the server hostname and the domain name.

Ipa-Server-Install-Command-RHEL9

Then, provide the realm name, and Directory Manager Password, and then specify the password for the IPA server administrator.

IPA-Server-Install-Directory-Manager-Password

Next, provide the NetBIOS name. You can choose whether or not to configure Chrony with NTP Server. This is entirely up to you, and in our case, we have chosen not to configure Chrony.

Shortly after, details of the IPA Master will be displayed. To continue configuring the system, type ‘Yes

Type-Yes-IPA-Master-Configure-RHEL9

Thereafter, the script will continue to perform the following tasks.

  • Configure a stand-alone CA (dogtag) for certificate management
  • Create and configure a Kerberos Key Distribution Center (KDC)
  • Create and configure an instance of Directory Server
  • Configure Apache (httpd)
  • Configure the KDC to enable PKINIT

At the end of the configuration of the IPA server, you will get the following output indicating the ports or services that you need to open and that the configuration and setup of the server were successful.

IPA-Server-Configuration-after-Installation-RHEL9

Step 5) Configure Firewalld for FreeIPA

At this juncture, the FreeIPA Server has successfully been installed. However, you need to allow a few crucial services on the firewall. These are services that are currently being used by the server.

Therefore, run the following command:

$ sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
$ sudo firewall-cmd --reload

Step 6) Accessing the FreeIPA Server

Finally, you can access the WebUI by browsing your FQDN on a browser as follows.

https://linuxtechwhiz.info

Initially, you will encounter a warning on your browser. This happens because a self-signed certificate was generated for your server during the setup of FreeIPA and is not recognized by a Certificate Authority.

To bypass this hurdle, click ‘Advanced’.

Access-FreeIPA-WebPage-RHEL9

Then click ‘Proceed to domain name’.

Proceed-with-domain-freeipa-webpage

On your browser, authenticate with the admin username and password that you generated in Step 4.

This gives you access to the dashboard as shown.

FreeIPA-Dashboard-RHEL9

Using FreeIPA on Command-line

FreeIPA installation provides a command-line client that allows you to interact with the server. Before you start using the CLI, first, you need to generate a Kerberos ticket.

To generate a Kerberos ticket, run the command:

$ sudo kinit admin

Sudo-kinit-admin-rhel9

You can check the ticket’s expiry information as shown.

$ sudo klist

sudo-kinit-check-expiry-rhel9

Additionally, you can set the admin user’s default shell to /bin/bash as shown.

$ sudo ipa config-mod --defaultshell=/bin/bash

Set-DefaultShell-Bash-FreeIPA-RHEL9

Also, you can enable the creation of the admin user’s home directory on login.

$ sudo authconfig --enablemkhomedir --update

Enable-Home-directory-Admin-User-FreeIPA

Now you can try logging in as an admin user using SSH

SSH-Admin-FreeIPA

You can also create a new user account using the following command. The command creates a new user called linuxtechi with Test and User as the first name and last name respectively.

$ sudo ipa user-add linuxtechi \
  --first=Test --last=User \
  [email protected] --password

Create-User-IPA-Command-RHEL9

To list all the users created in the FreeIPA server run the command

$ sudo ipa user-find

From the output, you can see that two users have been created – the admin user created during the setup process and linuxtechi which we have just created.

List-Users-in-FreeIPA-RHEL9

Uninstall FreeIPA Server

If you no longer need the FreeIPA server, you can uninstall it as shown.

$ sudo ipa-server-install --uninstall

Conclusion

In this guide, we demonstrated how to Install and Setup FreeIPA Server on RHEL 9. I hope you have found it informative, so do post you queries and feedback in below comments section.

1 thought on “How to Install FreeIPA Server on RHEL 9 Step-by-Step”

Leave a Comment