Installing and using IPA server on CentOS8

FreeIPA server on CentOS8

Discover how to easily set up and manage a secure and centralized authentication system using a FreeIPA server on CentOS 8.

Introduction

Identity Management or IdM is an essential component in any organization’s IT infrastructure. It is the process of identifying, authenticating, and authorizing users and their access to resources within a network. In the Linux world, FreeIPA (Identity, Policy, and Audit) is the most popular and comprehensive open-source solution for Identity Management. FreeIPA is a centralized authentication server that provides various security features, including Kerberos, LDAP, DNS, and Certificate Authority.

In this article, we will provide a step-by-step guide on how to install and use the IPA Server on CentOS 8, which is a Red Hat Enterprise Linux-based operating system.

Prerequisites

Before installing the IPA server, you need to meet the following prerequisites:

  • A server running CentOS 8 or Red Hat Enterprise Linux 8.

  • A fully qualified domain name (FQDN) that points to the server’s IP address.

  • A static IP address for the server.

  • Root access or sudo privileges to the server.

Step-by-Step Installation Guide for IPA Server

Update the system packages and install the necessary dependencies:

				
					$ sudo dnf update -y
$ sudo dnf install ipa-server bind-dyndb-ldap -y
				
			

FreeIPA Server on CentOS8: The ipa-server-install Process

After installing the necessary dependencies, run the ipa-server-install command to install the IPA server.

				
					$ sudo ipa-server-install
				
			

During the installation process, the IPA server will prompt you to configure the following parameters:

  • Domain name: Enter the domain name you want to use for your IPA server.

  • Realm name: Enter the realm name that corresponds to your domain name.

  • Directory Manager password: Set a password for the Directory Manager account.

  • Kerberos KDC master password: Set a password for the Kerberos KDC master account.

  • Administrative user password: Set a password for the IPA administrative user.

Running the IPA server

After the installation process is complete, start the IPA server using the following command:

				
					$ sudo systemctl start ipa-server
				
			

To check the status of the IPA server, use the following command:

				
					$ sudo systemctl status ipa-server
				
			

Configure the IPA server

Once the packages are installed, you can start configuring the IPA server. Run the following command to start the installation wizard:

				
					$ sudo ipa-server-install
				
			

The installation wizard will guide you through the configuration process. Here are the prompts you need to answer:

  1. Do you want to configure integrated DNS (BIND)? [no]: yes

  2. Please confirm the domain name [example.com]: (enter your domain name)

  3. Please provide a realm name [EXAMPLE.COM]: (enter your realm name)

  4. Directory Manager password: (enter a strong password)

  5. IPA admin password: (enter a strong password)

  6. Do you want to configure DNS forwarders? [yes]: yes

  7. Enter an IP address for a DNS forwarder, or leave blank to skip: (enter your DNS forwarder IP address)

  8. Do you want to search for missing reverse zones? [yes]: yes

  9. Do you want to create reverse zone for IP range ‘192.168.1.0/24’? [yes]: yes

  10. Please specify the reverse zone name [1.168.192.in-addr.arpa.]: (enter your reverse zone name)

Once you have answered all the prompts, the installation will begin. The process may take a few minutes to complete.
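The wizard answers above map one-to-one onto command-line options of ipa-server-install, which is how the install is usually scripted. The script below is an added example, not part of the original article: it checks that the host name is a fully qualified name inside the IPA domain (the installer refuses single-label names), derives the realm from the domain, and builds the unattended install command from the same answers the wizard asks for. The host name ipa.example.com, the domain example.com and the forwarder 192.0.2.53 are constructed placeholders; passwords are read from the DS_PASSWORD and ADMIN_PASSWORD environment variables, and the install only runs when RUN_IPA_INSTALL=1 is set so the functions can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks and an
# unattended ipa-server-install built from the wizard's answers.

# Return 0 when $1 is a fully qualified host name inside domain $2.
check_fqdn() {
    local host="$1" domain="$2"
    case "$host" in
        *.*) ;;                                   # has at least one dot
        *) echo "not an FQDN: $host" >&2; return 1 ;;
    esac
    case "$host" in
        *".$domain") return 0 ;;
        *) echo "$host is not inside domain $domain" >&2; return 1 ;;
    esac
}

# The Kerberos realm is conventionally the domain name in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Print the non-secret ipa-server-install options for host $1, domain $2 and
# DNS forwarder $3. --setup-dns/--forwarder/--auto-reverse answer the DNS,
# forwarder and reverse-zone prompts of the interactive wizard.
server_install_args() {
    local host="$1" domain="$2" forwarder="$3" realm
    realm=$(realm_for_domain "$domain")
    printf '%s\n' "--unattended --hostname=$host --domain=$domain --realm=$realm --setup-dns --forwarder=$forwarder --auto-reverse"
}

# Run the install on this machine. Passwords come from the environment so they
# are not typed into shell history; they are still visible briefly in 'ps'.
main() {
    set -eu
    : "${IPA_DOMAIN:?set IPA_DOMAIN}" "${IPA_FORWARDER:?set IPA_FORWARDER}"
    : "${DS_PASSWORD:?set DS_PASSWORD}" "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
    host=$(hostname -f)
    check_fqdn "$host" "$IPA_DOMAIN"
    # Word splitting is intended: the argument string contains no spaces.
    sudo ipa-server-install $(server_install_args "$host" "$IPA_DOMAIN" "$IPA_FORWARDER") \
        --ds-password="$DS_PASSWORD" --admin-password="$ADMIN_PASSWORD"
    # Every IPA service (Directory, KDC, HTTP, CA, named, ...) should report RUNNING.
    sudo ipactl status
}

if [ "${RUN_IPA_INSTALL:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_IPA_INSTALL=1 IPA_DOMAIN=example.com IPA_FORWARDER=192.0.2.53 DS_PASSWORD=... ADMIN_PASSWORD=... sh install-ipa.sh`. If the passwords must never appear in a process listing, leave the two password options out and let ipa-server-install prompt for them interactively, as the wizard in the article does.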

Step-by-Step Installation Guide for Replica Server

To install a replica server, you first need to install the IPA server as shown in the previous section. On a new CentOS 8 server that will be the replica, install the necessary dependencies:

				
					$ sudo dnf update -y
$ sudo dnf -y install ipa-server ipa-server-dns
				
			

FreeIPA Server on CentOS8: The ipa-replica-install Process

After installing the dependencies, run the following command to install the replica server:

				
					$ sudo ipa-replica-install --setup-ca --setup-dns
				
			

Configure the Replica Server

During the installation process, the replica server will prompt you to enter the IPA server’s hostname and Directory Manager (admin) password. It will also generate an OTP (One-Time Password) that you need to enter on the primary IPA server to establish a secure connection.

Once the installation is complete, verify that the replica server is working correctly by running the following command:

				
					$ sudo ipa-replica-conncheck
				
			

This command will check the replication status between the primary and replica servers. Configure the firewall on the replica server to allow the necessary ports for the IPA server to function correctly. You can use the following command to open the required ports:

				
					$ sudo firewall-cmd --permanent --add-service={http,https,dns,freeipa-ldap,freeipa-ldaps,kerberos,kpasswd,ntp}
$ sudo firewall-cmd --reload

				
			

Finally, run the following command to check the replication status:

				
					$ sudo ipa-replica-manage list

				
			

Step-by-Step Installation Guide for IPA Client

Enroll a machine as a client

To enroll a machine as an IPA client, follow these steps:

Install the IPA client package by running the following command:

				
					$ sudo dnf install ipa-client

				
			

Configure the IPA client

Once the packages are installed, you can start configuring the IPA client. Run the following command to start the installation wizard:

				
					$ sudo dnf install ipa-client

				
			

The installation wizard will guide you through the configuration process. Here are the prompts you need to answer:

  1. Do you want to configure DNS forwarders? [yes]: yes

  2. Enter an IP address for a DNS forwarder, or leave blank to skip: (enter your DNS forwarder IP address)

  3. Please provide the domain name of your IPA server: (enter your domain name)

  4. Please provide the IPA server name: (enter your IPA server name)

  5. Please provide the realm name: (enter your realm name)

  6. Enter the password for the admin user: (enter the IPA admin password)

Once you have answered all the prompts, the installation will begin. The process may take a few minutes to complete.

Check the status of the IPA client

To check the status of the IPA client, run the following command:

				
					$ sudo systemctl status ipa.service

				
			

If the client is running, you should see a message that says “Active: active (running)”.

Verify the IPA client installation

To verify that the IPA client is installed and running correctly, run the following command:

				
					$ sudo kinit admin

				
			

If the command returns a message that says “Password for admin@<realm-name>:”, then the installation was successful.

Enrolling a machine

To enroll a machine into the IPA server, run the following command:

				
					$ sudo ipa-client-automount --mkhomedir

				
			

This command will enroll the machine into the IPA server and create home directories for users.

Verify machine enrollment

To verify that the machine is enrolled in the IPA server, run the following command:

				
					$ sudo klist

				
			

If the command returns a list of tickets, the machine is enrolled in the IPA server.
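Reading klist by eye works once; for a fleet you want the same check as a script. The functions below are an added example, not part of the original article: they read the realm and server from /etc/ipa/default.conf, which ipa-client-install writes on every enrolled client, and parse klist output for an unexpired ticket-granting ticket (service principal krbtgt/REALM@REALM) in that realm. A ticket for some other service, or an expired one, is not proof that the machine can still authenticate. The configuration file content and the two klist transcripts embedded below are constructed samples using the realm EXAMPLE.COM and the server ipa.example.com.

```shell
#!/bin/sh
# Added example (not from the original article): scripted checks that a client
# is enrolled and holds a usable Kerberos TGT.

# Print the value of one "key = value" line of an ini-style IPA config read from stdin.
ipa_conf_value() {
    awk -F' *= *' -v key="$1" '$1 == key { print $2; exit }'
}

# Exit 0 when klist output on stdin contains an unexpired TGT for realm $1.
# MIT klist prints ">>>Expired<<<" in place of the expiry time of expired tickets.
has_valid_tgt() {
    awk -v realm="$1" '
        index($0, "krbtgt/" realm "@" realm) && $0 !~ />>>Expired<<</ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check on an enrolled client: realm from the config, TGT from klist.
verify_enrollment() {
    local realm server
    realm=$(ipa_conf_value realm </etc/ipa/default.conf)
    server=$(ipa_conf_value server </etc/ipa/default.conf)
    if [ -z "$realm" ]; then
        echo "no realm in /etc/ipa/default.conf: client is not enrolled" >&2
        return 1
    fi
    if klist 2>/dev/null | has_valid_tgt "$realm"; then
        echo "enrolled in $realm via $server with a valid TGT"
    else
        echo "enrolled in $realm via $server but no valid TGT; run kinit" >&2
        return 1
    fi
}

# Constructed sample of the config ipa-client-install writes.
SAMPLE_CONF='[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipa.example.com'

# Constructed klist output with a valid TGT.
SAMPLE_KLIST='Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2024 10:00:00  04/02/2024 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed klist output whose TGT has expired.
SAMPLE_KLIST_EXPIRED='Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2024 10:00:00  >>>Expired<<<        krbtgt/EXAMPLE.COM@EXAMPLE.COM'
```

On a real client, source the file and call `verify_enrollment`; its exit status makes it usable from a configuration-management check or a monitoring probe, and the awk helpers can be fed `klist` output captured from any host.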

Basic usage examples

Once the IPA server is up and running, you can use it to manage user accounts, groups, and access policies. Here are some basic usage examples:

  • Create a new user:
    $ sudo ipa user-add <username>

  • Create a new group:
    $ sudo ipa group-add <groupname>

  • Add a user to a group:
    $ sudo ipa group-add-member <groupname> --users=<username>

  • Create a new sudo rule:
    $ sudo ipa sudorule-add <sudorule-name> --cmdcat=all --hostcat=all --runasusercat=all

  • Add a user to a sudo rule:
    $ sudo ipa sudorule-add-user <sudorule-name> --users=<username>
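The commands above are fine typed once; provisioning is usually scripted and re-run, and the `ipa` CLI exits non-zero when an object or a membership already exists. The script below is an added example, not part of the original article: it wraps the same `ipa` commands so they can be run repeatedly, and instead of a rule with `--cmdcat=all --hostcat=all`, which lets its members run any command on every enrolled host, it builds a sudo rule scoped to one host group and one command, the shape you want for a production rule. The login alice, group ops, host group webservers, command /usr/bin/systemctl and rule name web-restart are constructed placeholders; the "already a member" message is the text `ipa` prints when a member is added twice.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent provisioning of
# users, groups and a least-privilege sudo rule with the ipa CLI. Needs a valid
# admin ticket (kinit admin) before it runs.

# Create an object only if 'ipa <type>-show' says it does not exist yet.
# $1 = object type (user, group, hostgroup, sudocmd, sudorule), $2 = name,
# remaining arguments = options for '<type>-add'.
ensure() {
    local type="$1" name="$2"
    shift 2
    ipa "$type-show" "$name" >/dev/null 2>&1 || ipa "$type-add" "$name" "$@"
}

# The *-add-member / sudorule-add-* commands exit non-zero when the member was
# already present; treat only that case as success and surface anything else.
add_member() {
    local out
    if out=$(ipa "$@" 2>&1); then
        return 0
    fi
    case "$out" in
        *"already a member"*) return 0 ;;
    esac
    printf '%s\n' "$out" >&2
    return 1
}

# $1 login, $2 first name, $3 last name (user-add requires both names).
provision_user() {
    ensure user "$1" --first="$2" --last="$3"
}

# $1 group name, $2 description.
provision_group() {
    ensure group "$1" --desc="$2"
}

# $1 group, $2 user.
add_user_to_group() {
    add_member group-add-member "$1" --users="$2"
}

# Sudo rule $1 letting members of group $2 run command $4 on host group $3.
# Hosts and commands are named explicitly rather than via --hostcat/--cmdcat=all.
provision_sudo_rule() {
    local rule="$1" group="$2" hostgroup="$3" cmd="$4"
    ensure hostgroup "$hostgroup" --desc="Hosts covered by $rule"
    ensure sudocmd "$cmd" --desc="Command allowed by $rule"
    ensure sudorule "$rule" --desc="$group may run $cmd on $hostgroup"
    add_member sudorule-add-user "$rule" --groups="$group"
    add_member sudorule-add-host "$rule" --hostgroups="$hostgroup"
    add_member sudorule-add-allow-command "$rule" --sudocmds="$cmd"
}

# Worked run with the constructed placeholder names; guarded so the functions
# can be sourced without touching a server.
if [ "${RUN_IPA_PROVISION:-0}" = 1 ]; then
    set -e
    provision_user alice Alice Example
    provision_group ops "Operations team"
    add_user_to_group ops alice
    provision_sudo_rule web-restart ops webservers /usr/bin/systemctl
fi
```

Run it with `RUN_IPA_PROVISION=1 sh provision.sh` after `kinit admin`; a second run makes no changes and exits 0. Hosts join the rule by being added to the webservers host group (`ipa hostgroup-add-member webservers --hosts=<fqdn>`), so the rule never needs editing as the fleet grows.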

Conclusion

The IPA server is a powerful open-source solution for centralized identity management in Linux environments. It offers several features, such as user authentication, policy enforcement, certificate management, and more. In this article, we’ve walked you through the step-by-step guide on how to install and use the IPA server on CentOS 8.

We hope this guide has been helpful and informative. With this information, Linux professionals can easily manage user accounts and access policies in their organizations.
