FreeIPA is an integrated security information management solution that combines Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). It consists of a web interface and command-line administration tools. Officially launched in 2008, the project describes itself as an installation tool and identity and service management environment based on Red Hat's 389 Directory Server project, and it integrates several pre-existing projects such as OpenLDAP for directory services, MIT Kerberos 5 for authentication and sessions, and Apache HTTP Server and Apache Tomcat for the management interface and web service.

An identity and authentication solution

The FreeIPA project holds that identity (machines, users, virtual machines, groups, authentication credentials), policy (host-based access control) and audit information (this component is deferred) must be open, interoperable and manageable. To improve these approaches, we are constantly looking at projects that carry out this type of task in order to integrate and deepen solutions.

Because of its vital importance and the way it is interrelated, FreeIPA holds that identity, policy and audit information must be open, interoperable and manageable. The aim is to make identity, policy and (someday) auditing easy to manage centrally for the Linux and Unix world.

Installing freeIPA on CentOS 7

In order to achieve an optimal installation of freeIPA, one of the first things we need to do is to define the hostname of the computer. We write in a terminal:

             sudo -i

After entering the password, we will be root user:

             hostnamectl set-hostname ipa.osradar.com

1.- hostname

Now, adding the host entry:

             echo "192.168.250.7 ipa.osradar.com ipa" >> /etc/hosts
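To make the hostname and hosts-file steps above repeatable, here is an added shell example (not part of the original post) that validates the address and the FQDN and appends the hosts entry only if it is not already there; the function names and the hosts-file path parameter are my own, so the functions can be exercised against a scratch copy instead of /etc/hosts.

```shell
# is_fqdn NAME: succeed if NAME is a fully qualified hostname with lower-case
# labels and at least two labels (the form ipa.osradar.com has above);
# "localhost" and bare short names are rejected.
is_fqdn() {
  case $1 in
    localhost|localhost.localdomain|*.localdomain) return 1 ;;
  esac
  printf '%s\n' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# is_ipv4 ADDR: succeed for a dotted-quad address that is not loopback,
# since clients must be able to reach the IPA server at this address.
is_ipv4() {
  local octet
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s\n' "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  [ "${1%%.*}" != 127 ]
}

# ipa_hosts_line IP FQDN: print the "IP FQDN SHORTNAME" line the post appends
# to /etc/hosts, after validating both arguments.
ipa_hosts_line() {
  is_ipv4 "$1" && is_fqdn "$2" || return 1
  printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# add_hosts_entry HOSTS_FILE IP FQDN: append the entry only when FQDN is not
# already mapped in HOSTS_FILE, so re-running the step never leaves duplicate
# lines (a plain ">>" appends unconditionally). Usage on the real server:
#   add_hosts_entry /etc/hosts 192.168.250.7 ipa.osradar.com
add_hosts_entry() {
  local line
  line=$(ipa_hosts_line "$2" "$3") || return 1
  # awk exits 0 when some non-comment line already names the FQDN
  if awk -v h="$3" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                    END { exit !found }' "$1" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$line" >> "$1"
}
```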

Then we proceed to install the necessary packages. These include ipa-server, which is the main package, and bind-dyndb-ldap for handling DNS.

             yum install ipa-server bind-dyndb-ldap ipa-server-dns

2.- Installing necessary packages

The terminal resolves the dependencies, shows us a summary and installs the packages.

3.- Installing

After the process is done, we must run the installation script with the --setup-dns parameter so that it also configures DNS.

4.- Running the script

As we previously configured the hostname, the first two questions are simply to press ENTER. You will then be asked to define a password.

5.- Running the installation script

Then, we’ll set an IPA administrator password:

6.- IPA Password

Then the script presents a summary of the configuration and asks whether we want to proceed, so we answer yes.

7.- Configure system
8.- Starting installation

In the following images we can see how the installation process continues.

9.- Installing freeIPA
10.- Continuing the installation

The installation is a bit long, so we will continue to see lines and lines of configurations.

11.- Continuing with the installation
12.- More and more configurations

And finally, it tells us that the installation has been successful.

13.- Successful installation

Basic settings after installation

At the end of the installation, the same script tells us that we must open certain ports for the services to work properly. That is the next step:

             firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}

14.- Opening ports

Next we must refresh the firewall configuration:

             firewall-cmd --reload

Now we need to obtain a Kerberos ticket. The ticket is essentially a temporary pass that authenticates us with Kerberos and lets us use the IPA tools and the user interface:

              kinit admin

And with this command we can see our ticket:

klist

To ensure that user home directories are created correctly, we use authconfig:

             authconfig --enablemkhomedir --update

15.- Using authconfig

To enable System Security Services Daemon (sssd), we run:

            chkconfig sssd on

and:

             service sssd start

After that, reboot the server.

16.- Enabling sssd

Finally, we can access the administration panel from our browser:

              http://IP_SERVER

The centralization of processes is important for companies to be able to manage information effectively and correctly. FreeIPA provides an open, free and flexible solution to managing security policy processes.
