How to Install and Configure FreeIPA on CentOS 7 Server

FreeIPA is a free and open source identity management system; it is the upstream project for Red Hat Identity Management (IdM). With FreeIPA we can centrally manage authentication along with account management, policy (host-based access control, sudo rules) and audit. FreeIPA also provides DNS and PKI services.

FreeIPA is built on the following open source projects:

  • 389 Directory Server (LDAP)
  • MIT Kerberos
  • SSSD
  • Dogtag (Certificate System)
  • BIND (DNS) and ntpd (NTP)


In this article we will demonstrate how to install and configure FreeIPA on a CentOS 7 server. Following are the details of my test lab server (CentOS 7):

  • IP Address = 192.168.0.102
  • Hostname = ipa.linuxtechi.lan
  • RAM = 2 GB
  • CPU = 2 vCPU
  • Disk = 12 GB free space on /
  • Internet connection

Step:1 Set static Hostname and apply updates

Set the static host name of your server using the hostnamectl command:

[root@ipa ~]# hostnamectl set-hostname "ipa.linuxtechi.lan"
[root@ipa ~]# exec bash
[root@ipa ~]#

Update the server with yum update and then reboot it:

[root@ipa ~]# yum update -y; reboot

Step:2 Update the hosts file (/etc/hosts)

Run the echo command below to add the server to /etc/hosts; replace the IP address and hostname as per your setup. The last field is the short host name alias (ipa here), which must match the first label of the FQDN.

[root@ipa ~]# echo -e "192.168.0.102\tipa.linuxtechi.lan\tipa" >> /etc/hosts
[root@ipa ~]#

Step:3 Install FreeIPA packages using yum command

FreeIPA packages and their dependencies are available in the default CentOS 7 repositories. Since we plan to use FreeIPA's integrated DNS, we also install the “ipa-server-dns” package.

Run the command below to install FreeIPA and its dependencies:

[root@ipa ~]# yum install ipa-server ipa-server-dns -y

Step:4 Start the FreeIPA installation using “ipa-server-install”

Once the packages are installed successfully, run the command below to start the FreeIPA installation.

It prompts for a few things: whether to configure integrated DNS, the host name, the domain name and the realm name (by default the domain in upper case), and the Directory Manager and IPA admin passwords. When integrated DNS is selected it also asks for DNS forwarders and reverse zones.

[root@ipa ~]# ipa-server-install

The output of the above command looks like this:

(Screenshot: FreeIPA-Server-Install-part1)

(Screenshot: FreeIPA-Server-Install-part2)

After confirming with yes at the prompt above, it takes some time to configure the FreeIPA server. Once it has been set up successfully we get output like the following:

(Screenshot: FreeIPA-Server-Install-part3)

The above output confirms that the installation completed successfully. It also lists the TCP and UDP ports the server needs; keep that list for the firewall step below.

Run the command below so that a user's home directory is created automatically on first login:

[root@ipa ~]# authconfig --enablemkhomedir --update
[root@ipa ~]#

Note: In case you get the errors below while installing FreeIPA on a CentOS 7 server,

.............
[error] CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
.................

This seems to be a known issue on CentOS 7. To resolve it, restart the dbus service (service dbus restart), remove the half-configured server with “ipa-server-install --uninstall” and then run the installation again.
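Steps 1 to 4 above depend on a few values being consistent with each other: the host name must not be localhost and must carry a domain of at least two labels (FreeIPA refuses single-label domains), the address written to /etc/hosts must be a real, non-loopback IPv4 address that clients can reach, and the realm defaults to the domain in upper case. The POSIX shell helpers below are an added example written for this article, not code from the FreeIPA project; they check those values for the lab host above and print the /etc/hosts line and a matching ipa-server-install command. The forwarder 8.8.8.8 in the demo call is an assumption. Passwords are deliberately left out of the generated command so the installer prompts for them instead of exposing them in the process list and shell history.

```shell
#!/bin/sh
# Pre-flight helpers for a FreeIPA server install (added example, not part of
# the original article or of FreeIPA itself). Nothing here installs anything.

# Domain is everything after the first label of the FQDN.
ipa_domain_from_fqdn() {
    printf '%s\n' "${1#*.}"
}

# FreeIPA's default realm is the domain in upper case.
ipa_realm_from_fqdn() {
    ipa_domain_from_fqdn "$1" | tr '[:lower:]' '[:upper:]'
}

# Reject what ipa-server-install itself refuses: localhost, names that are
# not fully qualified, empty labels, and single-label domains (host.tld).
ipa_check_fqdn() {
    case "$1" in
        localhost|localhost.localdomain) return 1 ;;
        .*|*.|*..*) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address that is not loopback: the address
# goes into /etc/hosts and DNS, so clients must be able to reach it.
ipa_check_ip() {
    case "$1" in
        127.*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# The /etc/hosts line from Step 2: address, FQDN, short alias.
ipa_hosts_line() {
    printf '%s\t%s\t%s\n' "$1" "$2" "${2%%.*}"
}

# Fail early with a reason instead of letting ipa-server-install abort
# half way through and leaving a server that must be uninstalled.
ipa_preflight() {
    ipa_check_fqdn "$2" || { echo "bad hostname: $2 (need host.domain.tld, not localhost)" >&2; return 1; }
    ipa_check_ip "$1" || { echo "bad address: $1 (need a non-loopback IPv4 address)" >&2; return 1; }
    return 0
}

# Print the install command for Step 4 with integrated DNS. The Directory
# Manager and admin passwords are omitted on purpose: -p/-a on the command
# line would show them in `ps` and the shell history, so let it prompt.
ipa_install_cmd() {
    domain=$(ipa_domain_from_fqdn "$2")
    realm=$(ipa_realm_from_fqdn "$2")
    printf 'ipa-server-install --hostname=%s --ip-address=%s --domain=%s --realm=%s --setup-dns --forwarder=%s --mkhomedir\n' \
        "$2" "$1" "$domain" "$realm" "$3"
}

# Demo with the article's lab values (constructed input; 8.8.8.8 is an
# assumed forwarder).
if ipa_preflight 192.168.0.102 ipa.linuxtechi.lan; then
    ipa_hosts_line 192.168.0.102 ipa.linuxtechi.lan
    ipa_install_cmd 192.168.0.102 ipa.linuxtechi.lan 8.8.8.8
fi
```

Run the file as-is to see the two lines it produces for the lab host; redirecting the output of ipa_hosts_line with >> /etc/hosts reproduces Step 2, and the printed command replaces the interactive answers in Step 4 while still prompting for both passwords.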

Step:5 Allow FreeIPA ports in OS Firewall

If the OS firewall (firewalld) is running on your CentOS 7 server, run the firewall-cmd commands below to open the FreeIPA ports. Note that the freeipa-ldap service only covers HTTP/HTTPS, LDAP (389/tcp) and Kerberos (88 and 464, tcp and udp). Since we configured integrated DNS, also add the dns service the same way; add freeipa-ldaps if clients need LDAPS (636/tcp) and ntp if they should sync time from this server. The port list printed at the end of ipa-server-install is the authoritative one.

[root@ipa ~]# firewall-cmd --add-service=freeipa-ldap
success
[root@ipa ~]# firewall-cmd --add-service=freeipa-ldap --permanent
success
[root@ipa ~]# firewall-cmd --reload
success
[root@ipa ~]#

Step:6 Verification & Access FreeIPA admin portal

Use the command below to check whether all FreeIPA services are running:

[root@ipa ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipa ~]#

Let's verify that the admin user can obtain a Kerberos ticket-granting ticket (TGT) with the kinit command, using the admin password we supplied during the FreeIPA installation:

[root@ipa ~]# kinit admin
Password for admin@LINUXTECHI.LAN:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@LINUXTECHI.LAN
Valid starting       Expires              Service principal
11/26/2018 07:39:00  11/27/2018 07:38:55  krbtgt/LINUXTECHI.LAN@LINUXTECHI.LAN
[root@ipa ~]#

Access the FreeIPA admin portal using the URL:

https://ipa.linuxtechi.lan/ipa/ui

The name must resolve on the machine running the browser; since linuxtechi.lan is served by the IPA server's own DNS, point the client at the IPA server as its DNS server or add the host to its hosts file, otherwise the browser reports NXDOMAIN. The web server certificate is issued by the FreeIPA CA, so the browser warns about it until you import the CA certificate (available at https://ipa.linuxtechi.lan/ipa/config/ca.crt).

Use the user name admin and the password that we specified during the installation.

(Screenshot: FreeIPA-Login-Page-CentOS7)

Click on Login

(Screenshot: FreeIPA-Admin-Portal-Dashboard-CentOS7)

This confirms that we have successfully set up FreeIPA on a CentOS 7 server. That concludes the article; please do share your feedback and comments.

Read more: How to Configure FreeIPA Client on Ubuntu 18.04 / CentOS 7 for Centralized Authentication

8 Responses

  1. yunus says:

    Thanks for the correct steps

  2. Gaurav says:

    Not able to access the web UI; FreeIPA is installed successfully. Error: “DNS_PROBE_FINISHED_NXDOMAIN”

  3. Dave says:

    Thanks for this, it really helped me a lot.

    Is there a way this can be installed on a system with no internet connection? All I have is a Basic Server with a GUI. Can this be done and if so, how?

    Thanks

    • John says:

      Dave,

      Ultimately the answer is “no”. The free-ipa package has a LOT of dependencies (~250) that you would need to download and make available to your target system.
      For me, the solution was to create a CentOS repository on a machine connected to the Internet, move it to my closed network, and install my Identity Manager from this repository.
      I also have a requirement to install CentOS Identity Manager clients from the repository, so the solution works for me.

    • Aamir says:

      Create a local yum repo! Copy all the packages or mount the ISO straight and point your local repo to that mount point. It will be achievable. As the admin mentioned, ipa does need packages/dependencies, so a local repo would be the perfect solution if you don't have an internet connection!

  4. Ajad Kumar Gautam says:

    This is a good article, thank you so much for writing a step-by-step article
