How to Install FreeIPA Identity Management System on Rocky Linux 9
FreeIPA is an open-source identity management solution for Linux/Unix operating systems. It's an upstream project from the RedHat Identity Management System, which provides authentication and authorization solutions for Linux/Unix systems.
FreeIPA is built on top of multiple components, including the Directory Server, DNS, Kerberos, PKI, Certmonger, NTP Server, web administration UI, etc. It provides a centralized source of user credentials and access control. FreeIPA allows administrators to manage identity in a centralized environment easily and provides user monitoring, authentication, and access control.
In this tutorial, you will install and set up FreeIPA on Rocky Linux 9 server. You will install FreeIPA server packages and set up FreeIPA deployment. Then you will also set up a FreeIPA user. In the end, you will also learn how to install and set up the FreeIPA client on the Rocky Linux host and add it to the FreeIPA server.
Prerequisites
To complete this tutorial, you must have the following requirements in place:
- Two or more Rocky Linux 9 servers - In this tutorial, you use two Rocky Linux hosts for the FreeIPA server and the FreeIPA client.
- A non-root user with sudo/root administrator privileges.
- SELinux is running in permissive mode.
For this demo, we will use two Rocky Linux 9 servers with the following detail:
Hostname   IP Address     Used as
--------   ------------   --------------
ipa        192.168.5.25   FreeIPA Server
client     192.168.5.80   FreeIPA Client
When these requirements are ready, you can now start the FreeIPA installation.
Setup FQDN and Timezone
For this tutorial, you will first set up FQDN (Fully Qualified Domain Name) and default timezone on your FreeIPA server.
Enter the following 'hostnamectl' command to set up fqdn on your system. In this example, the FreeIPA server should have fqdn 'ipa.hwdomain.lan'.
sudo hostnamectl set-hostname ipa.hwdomain.lan
Now open the '/etc/hosts' file using the following nano editor command.
sudo nano /etc/hosts
Add the following line to the file and be sure to replace the IP address, fqdn, and hostname with your FreeIPA server's details.
# ip - fqdn - hostname
192.168.5.25 ipa.hwdomain.lan ipa
Save and close the file when finished.
Next, enter the following command to verify the fqdn of your system. Then, ensure that the fqdn is resolved to your internal IP address.
sudo hostname -f
sudo ping -c3 ipa.hwdomain.lan
When successful, you should see that your fqdn resolves to the internal IP address of your server. In this example, the fqdn 'ipa.hwdomain.lan' resolves to the IP address '192.168.5.25'.
Now enter the following 'timedatectl' command to set up the default timezone for your server. In this example, the time for the FreeIPA server will be 'Europe/Stockholm'.
sudo timedatectl set-timezone Europe/Stockholm
Now enter the following commands to point the '/etc/localtime' file of your server at the proper timezone. The timezone files are stored in the '/usr/share/zoneinfo/' directory, so you must create a symlink from the proper timezone file to '/etc/localtime'.
sudo unlink /etc/localtime
sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
With the fqdn and timezone configured, you will next set up the firewalld and open some ports that the FreeIPA server will use.
Setup Firewalld
On RHEL-based distributions, the default firewall software installed is firewalld, and it automatically starts and runs. In this section, you will add FreeIPA service with some additional services such as NTP and DNS to the firewalld.
Enter the following 'firewall-cmd' command to add the FreeIPA, DNS, and NTP to the firewalld. Then, reload the firewalld to apply the changes. An output 'success' confirms that the operation is successful.
sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,http,https,kerberos} --permanent
sudo firewall-cmd --reload
Next, run the following command to verify the firewalld status and list of enabled services and ports.
sudo firewall-cmd --list-all
You should receive an output like this - the FreeIPA, NTP, and DNS services are now listed as enabled in the firewalld zone.
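As an added check that is not part of the original tutorial, the following shell script parses the output of 'firewall-cmd --list-all' and reports any service from the list above that is still missing from the active zone. The firewalld output used here is a constructed sample so the script runs without firewalld installed; on a real server, pass the output of 'sudo firewall-cmd --list-all' instead.

```sh
#!/bin/sh
# Added example (not from the original tutorial): verify that every service the
# FreeIPA server needs is enabled in the active firewalld zone and list any that
# are missing. The service list is the one used with --add-service above.

REQUIRED_SERVICES="freeipa-ldap freeipa-ldaps dns ntp http https kerberos"

# enabled_services TEXT -> prints the service names found on the 'services:' line
enabled_services() {
    printf '%s\n' "$1" | awk '$1 == "services:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# missing_services TEXT -> prints required services absent from TEXT, one per line;
# returns 1 if any are missing, 0 otherwise
missing_services() {
    enabled=" $(enabled_services "$1") "
    rc=0
    for svc in $REQUIRED_SERVICES; do
        case $enabled in
            *" $svc "*) ;;
            *) echo "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of 'firewall-cmd --list-all' output: kerberos and ntp were never added.
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: no'

if missing=$(missing_services "$SAMPLE"); then
    echo "all FreeIPA services are enabled"
else
    echo "missing services (add with: sudo firewall-cmd --permanent --add-service=<name>):"
    echo "$missing"
fi
```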
Now that you've configured fqdn, timezone, and firewalld, you can start the FreeIPA server installation via the DNF package manager.
Installing and Configuring FreeIPA Server
On the latest Rocky Linux 9, the FreeIPA server is available by default in the 'appstream' repository, so you don't need to add any third-party repository to install the FreeIPA server package.
In this section, you will install the FreeIPA server, then set up an interactive FreeIPA deployment via the command line 'ipa-server-install', which is provided by the FreeIPA package.
Enter the following 'dnf install' command to install the FreeIPA server, FreeIPA DNS, and FreeIPA client packages. When prompted, input y to confirm and press ENTER to proceed.
sudo dnf install freeipa-server freeipa-server-dns freeipa-client
Once FreeIPA is installed, enter the following 'ipa-server-install' command to start the interactive deployment of your FreeIPA server. In this example, you will use the parameter '--setup-dns', which will also install the DNS server on your FreeIPA server.
sudo ipa-server-install --setup-dns
In the following output, you should see the list of tasks that you will be doing to set up and configure the FreeIPA server.
First, 'ipa-server-install' will verify the fqdn of your system and ensure that your server fqdn is pointed to the proper IP address (via DNS or /etc/hosts). In this example, the fqdn 'ipa.hwdomain.lan' is configured via the /etc/hosts file, so you're ready to go.
For the default domain name and realm name, both will follow the fqdn of the host. So, the fqdn 'ipa.hwdomain.lan' will give you the default domain name 'hwdomain.lan' with the realm name 'HWDOMAIN.LAN'.
Press ENTER to use the default value for the hostname (fqdn), domain name, and realm name.
Now input a new password for the Directory Manager and the IPA admin user. Be sure to use more than 8 characters and a strong password.
Next, you will be asked to set up the default DNS forwarders for your FreeIPA server and set up the reverse DNS (rDNS) of your FreeIPA server IP address. Press ENTER to confirm the default configuration for both settings.
Leave it as default for the NetBIOS domain name configuration and press ENTER. For the NTP settings, input no.
Now review the basic settings of your FreeIPA server, then input 'yes' to confirm and press ENTER to proceed to the installation.
When FreeIPA server installation is successful, you should receive an output such as 'Setup complete - The ipa-server-install command was successful'. You will also see the instruction for the next steps, which is setting up a firewall to open some ports and how to get a Kerberos ticket for an administrator.
With this, you have now finished the basic configuration of the FreeIPA server via 'ipa-server-install'. In the next step, you will authenticate against Kerberos and obtain an admin ticket that allows you to set up FreeIPA from your terminal.
Kerberos Admin Authentication and FreeIPA Web UI Dashboard
After configuring the FreeIPA server via 'ipa-server-install', you will now verify FreeIPA installation by obtaining an admin ticket from Kerberos and logging in to the FreeIPA web administration dashboard.
Enter the following 'kinit' command to authenticate against the Kerberos server via the 'admin' user. When asked for the password, input your IPA admin password.
kinit admin
Now verify the authentication and list of obtained Kerberos tickets by entering the following 'klist' command.
klist
If Kerberos authentication is successful, you should receive an output showing the cached ticket for the default principal 'admin@HWDOMAIN.LAN', as in the following screenshot.
Next, you will verify the FreeIPA server by visiting the administration dashboard from your local machine. Before you start, open the '/etc/hosts' file on your local computer via the following nano editor command.
sudo nano /etc/hosts
Add the following line to the file and be sure to change the domain name and IP address to your FreeIPA server details.
# ip - domain
192.168.5.25 ipa.hwdomain.lan ipa
Save and close the file when finished.
Next, open your web browser and visit the FreeIPA server domain name (i.e: https://ipa.hwdomain.lan/). You should see the FreeIPA login page.
Input the default user admin and your FreeIPA password, then click 'Log in'.
If successful, you should get the FreeIPA web administration dashboard like the following screenshot.
With this in mind, you have now successfully installed and configured the FreeIPA server on Rocky Linux 9. In the next step, you will learn how to manage the FreeIPA server by adding a new user and group via terminal, then add a new Linux host machine using the FreeIPA client package.
Setup First FreeIPA User and Group
In this section, you will learn how to use the 'ipa' command for managing users and groups. You will use the 'ipa' command with different parameters for creating a user, listing users, creating a group, listing groups, and adding a FreeIPA user to a specific group. Lastly, you will verify the list of users and groups via the FreeIPA administration dashboard.
Enter the following 'ipa config-mod' command to modify the default shell for FreeIPA users to '/bin/bash'. When executed, this command will also print out other default user settings for FreeIPA.
ipa config-mod --defaultshell=/bin/bash
Below is a similar output that will be printed out to your terminal.
Next, enter the following 'ipa user-add' command to add a new FreeIPA user. In this example, you will create a new user 'rocky'. When prompted for a password, input and verify a new password for your user.
ipa user-add rocky --first=Rocky --last=Linux --password
Now verify the details of user 'rocky' by entering the 'ipa user-find' command below. When you see the detailed information about user 'rocky', this means that you've successfully created a FreeIPA user.
ipa user-find rocky
You can also use the 'ipa user-show' command to show details of FreeIPA users.
ipa user-show --raw rocky
Next, enter the following 'ipa group-add' command to create a new group called 'development'. Then, verify the group 'development' by entering the 'ipa group-find' command to ensure that the group is created.
ipa group-add --desc='Development Team' development
ipa group-find development
An output '1 group matched' confirms that the group 'development' is added and available on the FreeIPA server.
Now enter the following 'ipa group-add-member' command to add the FreeIPA user 'rocky' to the group 'development'.
ipa group-add-member --user=rocky development
An output 'Number of members added 1' confirms that the user 'rocky' is added to the group 'development'.
Now go back to the FreeIPA administration dashboard, click on the 'Identity' menu, and click on the 'Users' tab. You should now see the new FreeIPA user 'rocky' created and available on the FreeIPA server.
Lastly, click on the 'Groups' tab to verify the list of groups on FreeIPA. The new group 'development' is available on the FreeIPA server. Click on the group 'development' to get detailed information, and you should see the user 'rocky' added and available in the 'development' group.
At this point, you have now created a FreeIPA user and group from the terminal via the 'ipa' command management tool. Also, you've verified that your user and group are added via the FreeIPA web administration dashboard. In the next step, you will learn how to add a Linux host/machine to the FreeIPA server.
Adding Hosts to FreeIPA Server: Rocky Linux
FreeIPA provides the easiest way for adding a new host to the FreeIPA server, which can be done via the FreeIPA client package that provides the 'ipa-client-install' utility. In this section, you will add a Rocky Linux 9 machine to the FreeIPA server 'ipa.hwdomain.lan'.
Below are the steps you must do to add a new host to the FreeIPA server:
- Add host DNS records from FreeIPA Server
- Set up /etc/hosts file and /etc/resolv.conf file
- Installing FreeIPA client and adding host via 'ipa-client-install'
Now let's start adding the Rocky Linux host to the FreeIPA server.
Add DNS Records
First, you must add the DNS record of your client machine to the FreeIPA server. And this can be done via the 'ipa dnsrecord-add' command that you can execute from the FreeIPA server.
Enter the following 'ipa dnsrecord-add' command to add a new DNS record for the host machine 'client' with the IP address '192.168.5.80'. With this, the client machine will have the domain name 'client.hwdomain.lan'.
In this example, you will define the A record for the host called 'client' with IP address '192.168.5.80'. The domain 'hwdomain.lan' follows the default domain name of your FreeIPA server.
ipa dnsrecord-add hwdomain.lan client --a-rec 192.168.5.80
Now verify the DNS record 'client' by entering the 'ipa dnsrecord-find' command below. You should see the 'client' machine with the A record resolved to the IP address '192.168.5.80'.
ipa dnsrecord-find hwdomain.lan client
Lastly, enter the following 'dig' command to verify the DNS domain name of the client machine 'client.hwdomain.lan'.
dig client.hwdomain.lan
If successful, you should receive an output like this - the client machine domain name 'client.hwdomain.lan' is pointed to the client IP address '192.168.5.80'.
With this, you're now ready to set up the 'client' machine and add it to the FreeIPA server.
Setup FQDN, /etc/hosts, and resolver
Now connect to the 'client' machine to set up the basic system settings before installing FreeIPA client packages.
In this section, you will set up the '/etc/hosts' file and define the FreeIPA server domain name and IP address. Then, you will modify the '/etc/resolv.conf' file to set up the default DNS resolver of the 'client' machine using the DNS resolver of the FreeIPA server. This will ensure that your client machine can access the FreeIPA server via the domain name.
Enter the following nano editor command to open the '/etc/hosts' file.
sudo nano /etc/hosts
Add the following lines to the file and be sure to change the IP address and the domain name with your FreeIPA server.
# ip - fqdn/domain - hostname
192.168.5.25 ipa.hwdomain.lan ipa
Save and exit the file when finished.
Next, open the file '/etc/resolv.conf' using the following nano editor command.
sudo nano /etc/resolv.conf
Add the following line at the top of the file and be sure to change the IP address to your FreeIPA server IP address.
# list resolver
nameserver 192.168.5.25
Save and close the file when finished.
Lastly, enter the following 'ping' command to verify the FreeIPA server domain name and the client machine domain name.
ping -c3 ipa.hwdomain.lan
ping -c3 client.hwdomain.lan
You should receive an output like this - the FreeIPA server domain name 'ipa.hwdomain.lan' is pointed to the IP address '192.168.5.25' as defined in the '/etc/hosts' file.
And the client machine domain name 'client.hwdomain.lan' is pointed to the correct IP address '192.168.5.80', which is configured via the FreeIPA DNS server and confirms that your DNS resolver settings are correct.
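As an added pre-enrollment check that is not part of the original tutorial, the shell script below verifies what the ping test above shows and one pitfall the tutorial does not cover: the server fqdn maps to the expected IP in '/etc/hosts', the client's own name is not mapped to a loopback address (ipa-client-install needs a routable address for the host), and the first nameserver in '/etc/resolv.conf' is the FreeIPA server. The hosts and resolv.conf files are constructed copies; pass /etc/hosts and /etc/resolv.conf to check a real client.

```sh
#!/bin/sh
# Added example (not from the original tutorial): resolver sanity check for a
# client before running ipa-client-install.

# hosts_lookup FILE NAME -> prints the IP that NAME maps to (first match); skips comments
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# first_nameserver FILE -> prints the address of the first 'nameserver' entry
first_nameserver() {
    awk '/^[[:space:]]*nameserver[[:space:]]+/ { print $2; exit }' "$1"
}

# check_resolver HOSTS RESOLV SERVER_FQDN SERVER_IP CLIENT_FQDN
# Returns 0 when all checks pass; prints the reason and returns 1 otherwise.
check_resolver() {
    hosts=$1; resolv=$2; server=$3; server_ip=$4; client=$5
    got=$(hosts_lookup "$hosts" "$server")
    if [ "$got" != "$server_ip" ]; then
        echo "FAIL: $server maps to '${got:-nothing}' in $hosts, expected $server_ip"; return 1
    fi
    cip=$(hosts_lookup "$hosts" "$client")
    case $cip in
        127.*|::1) echo "FAIL: $client maps to loopback ($cip); use its real address"; return 1 ;;
    esac
    ns=$(first_nameserver "$resolv")
    if [ "$ns" != "$server_ip" ]; then
        echo "FAIL: first nameserver is '${ns:-none}', expected FreeIPA server $server_ip"; return 1
    fi
    echo "OK: $server -> $server_ip, first nameserver $ns"
}

# Constructed sample files mirroring the tutorial's values (not the real system files).
tmp=$(mktemp -d)
cat > "$tmp/hosts" <<'EOF'
127.0.0.1   localhost
# ip - fqdn/domain - hostname
192.168.5.25 ipa.hwdomain.lan ipa
EOF
cat > "$tmp/resolv.conf" <<'EOF'
search hwdomain.lan
nameserver 192.168.5.25
EOF
check_resolver "$tmp/hosts" "$tmp/resolv.conf" ipa.hwdomain.lan 192.168.5.25 client.hwdomain.lan
```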
With this, you're ready to install the FreeIPA client package and add your client machine to the FreeIPA server.
Installing and Configuring Client
First, enter the following 'dnf install' command for installing the FreeIPA client package and the additional package 'oddjob-mkhomedir'. When prompted, input y to confirm and press ENTER to proceed.
sudo dnf install freeipa-client oddjob-mkhomedir
When the installation is finished, enter the following 'ipa-client-install' command to add your client machine to the FreeIPA server. Be sure to change the parameter '--server=ipa.hwdomain.lan' with your FreeIPA server, and also the '--domain hwdomain.lan' and '--realm HWDOMAIN.LAN' parameters.
ipa-client-install --hostname=`hostname -f` \
--mkhomedir \
--server=ipa.hwdomain.lan \
--domain hwdomain.lan \
--realm HWDOMAIN.LAN
Input 'yes' to proceed with the fixed values of the FreeIPA server details, and for the NTP server settings, input 'no'.
Now review the client configurations, then input 'yes' to confirm.
You will now be prompted for user authentication to the Kerberos server. This is needed because the Kerberos ticket must be cached when adding a new host to the FreeIPA server.
Input the default user 'admin' and input your password. When successful, you should receive an output like this - The process should now begin.
When the process is finished, you should receive an output such as 'Client configuration complete - The ipa-client-install command was successful'.
With this in mind, you have now added a Rocky Linux client machine to the FreeIPA server via the 'ipa-client-install' utility provided by the FreeIPA client package. You can now also log in to the client machine using the FreeIPA user you've added.
Logging into Client via FreeIPA User
In this section, you will verify the installation of the FreeIPA server and client by connecting to the client machine via the FreeIPA user. You will connect to the host machine 'client.hwdomain.lan' with the FreeIPA user 'rocky' via SSH.
Go back to your FreeIPA server and run the 'ssh' command below to connect to 'client.hwdomain.lan' with the FreeIPA user 'rocky'. Input 'yes' to accept the SSH fingerprint of the host machine.
ssh rocky@client.hwdomain.lan
When asked for the password, input the password for the FreeIPA user 'rocky'. When the password is correct, you will be asked to change the current password to a new one.
Input the current password, then input the new password for the user 'rocky' and repeat the password. When successful, you should be logged in to the 'client.hwdomain.lan' machine via the 'rocky' FreeIPA user. Also, the home directory for the FreeIPA user is automatically created during the login process.
Enter the following command to verify the current status of your connection. You should see the user that you're using is 'rocky', which is part of the 'development' group. Also, you can see the fqdn of the client machine is 'client.hwdomain.lan'.
id
whoami
hostname -f
Lastly, via the web administration dashboard, you will verify the list of hosts/machines available on the FreeIPA server.
Back to the FreeIPA administration dashboard and click the 'Identity' menu, then select the 'Hosts' tab. You should see the 'client.hwdomain.lan' added and available on the FreeIPA server.
Now click on the link 'client.hwdomain.lan' to get detailed information about the host. You should see the host machine details as in the following screenshot.
With this in mind, you have now successfully installed the FreeIPA server on Rocky Linux 9 and also added client host Rocky Linux via the FreeIPA client.
Conclusion
In this tutorial, you have learned how to install and deploy the FreeIPA server on a Rocky Linux 9 server. You have configured the FreeIPA server on Rocky Linux with DNS enabled via Bind and with firewalld configured.
In addition to that, you have also learned the basic usage of the 'ipa' command for creating and managing FreeIPA users and groups, and also learned how to obtain Kerberos ticket via the kinit command and login to the FreeIPA web administration via the admin user and password.
Lastly, you have added the client machine to the FreeIPA server via the FreeIPA client package. You've learned step-by-step how to do it, and also verified your settings by logging into the client machine via FreeIPA user.
With this, you can now add more hosts, users, and groups to your FreeIPA server. You can also integrate FreeIPA into your production environment. For detailed information, visit the official FreeIPA documentation.