Installing FreeIPA With Replication

Do you need a single point to add users within your organization for authenticating to multiple backends like your Linux servers? You've probably looked at OpenLDAP and found the same problem a lot of other users have: bad documentation and ridiculously hard to configure. Having done some installations of OpenLDAP in the past, the search was on to find a good alternative and more importantly, one that is far easier to do and has a good gui and CLI for adding users and groups.

 

About FreeIPA

FreeIPA is a project backed by RedHat, so it's no suprise that this article is about an installation on this platform. Installing FreeIPA is really fast and easy, but some things that you should have in mind are noted below.

 

Some notes

This installation is done on a RedHat Enterprise Linux 6 system, keep in mind that configurations may differ to earlier versions of your operating system. I will be doing an installation with replication, so if you were looking for that, you're in luck! My example machines will be named ldap1.example.com and ldap2.example.com, make sure your DNS is working properly, because the FreeIPA installer really checks the DNS (or if you want to be quick and dirty, put the machines in your hosts file).

 

Installing FreeIPA

Installing FreeIPA is done in a few steps, noted below. I will be adding the hostnames in the hosts file, just to be certain:

 

Step 1:

yum -y install ipa-server

 

Step 2:

Note: For some reason, the installation of memcached failed while installing the ipa-server package, so reinstall it just to be sure. 
yum -y install memcached

 

Step 3:

echo "<ip> ldap1.example.com" >> /etc/hosts
echo "<ip> ldap2.example.com" >> /etc/hosts

 

Step 4:

Note: For some reason the init script for ipa_memcached (/etc/init.d/memcached) tries to start the wrong memcached during installation, change the following line:

daemon --pidfile ${pidfile} /usr/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}

to:

daemon --pidfile ${pidfile} /usr/local/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}

 

Step 5:

On the first machine (ldap1.example.com) we hit the following command: 

ipa-server-install

You will be asked a few questions afterwards, this is an example output:

Server host name [ldap1.example.com]: ldap1.example.com
Please confirm the domain name [example.com]: 
Please provide a realm name [EXAMPLE.COM]:

After that you will get a question for the Directory Manager password (which is used when using the FreeIPA CLI), and for the password for the IPA admin (which is for the web-gui). After those steps the installer will have you look at the information one more time, if you confirm the installation will start. Be patient, it can take a while depending on how fast your machine is. You may run into an error while generating the CA certificate server (error: Unable to find preop.pin in /var/lib/pki-ca/conf/CS.cfg. Is your CA already configured?). If you do get this error try uninstalling the ipa-server (ipa-server-install --uninstall) and restart the pki-ca service (/etc/init.d/pki-ca stop/start).

 

Setting up replication

Believe it or not, setting up replication for FreeIPA just consists of three commands:

 

Step 1:

From the master server (ldap1.example.com) execute the following command:

ipa-replica-prepare ldap2.example.com

 

Step 2:

Secure Copy the gpg key generated in step 1 to ldap2.example.com

scp /var/lib/ipa/replica-info-ldap2.example.com.gpg [email protected]:/var/lib/ipa/

 

Step 3:

On ldap2.example.com execute the following command, note that on ldap2.example.com we don't have to execute a ipa-server-install, the replication process does that for us.

ipa-replica-install /var/lib/ipa/replica-info-ldap2.example.com.gpg

Enter the Directory Manager password and voila, replication is setup. That's all there is to it, just start up your IPA (/etc/init.d/ipa start) and surf to your gui and login (https://ldap1.example.com/ should redirect you to the gui if this is the only website installed on your server).

Want more howto's and interesting interviews? Check out http://livebyt.es and signup, discuss and meet others!

Share this page:

Suggested articles

10 Comment(s)

Add comment

Comments

By: sles
Reply  

>FreeIPA is a project backed by RedHat, so it's no suprise that this article is about an installation on this platform.

 

 

well, there are other distributions , you know.

so is it possible on, let's say ubuntu?

 

thank you!

By:
Reply  

hi sles,

 A quick Google search didn't get me anything useful you could use, you could search the apt-repositories on your machine for IPA. 

By: Anonymous
Reply  

Spent the last 45 minutes reading about IPA and looking for an Ubuntu Server solution. It does not exist. Debian doesn't have a port, though a few people are working on it. It appears that will fail due to all the different languages involved in IPA. It is not a 1-language tool. Most of the dependency issues appear to be in java code. So - don't hold your breath. If you really want IPA as a solution, running a CentOS server and buggy Ubuntu clients appears to be the only answer for now. For a small network with minimal security concerns, plain NIS is probably the easiest solution. Sadly, NIS+/NISplus doesn't seem a viable option on Linux. Or just use carefully managed /etc/group, passwd files .... since most computer-to-computer connections will be over ssh (hopefully using ssh-keys), maintaining passwds on each isn't too important. It is just about having the uid/gid numbers match.

By: Rob Scope
Reply  

Maybe this link can help:

https://wiki.ubuntu.com/Server/IdentityManagement

 Kind regards

Rob

By: Jubal
Reply  

Calling OpenLDAP badly documented explains easily the other ridiculous claim in the article, i.e. that it's hard to configure. Perhaps the esteemed author should actually try to read the documentation OpenLDAP comes with?

By:
Reply  

Good point, the thing I'm mentioning is, have you ever tried to install OpenLDAP on say CentOS 6/RHEL 6? It's ridiculous when you look at the amount of config files and how they are layed out, and I have searched a lot until I found this site http://www.computerglitch.net/bin/texts/CentOS6_LDAP.php, which explains the process (but again, not documented by the project itself). 

By: m15k
Reply  

Let's try not to get too bent out of shape over a subjective assertion.  If OpenLDAP has buttered your bread and been your go to software stack, there is no reason to change.  But, what if you are someone, who has had difficulty in installing and configuring.  Perhaps not even wanting to try IPA as you figure it is more of the same.  The OPs post does a good job at saying hey this can do what you want, and it is different enough from OpenLDAP that if you had trouble with it, maybe try FreeIPA.  

By:
Reply  


I got this error while trying to install IPA on a openvz guest.
Turns out the install script checks for broadcast address matches. 

 In the article below, instead of jumping to the line number it states, just do a search for "cannot use IP network address" as the line numbers have changed.

 https://www.redhat.com/archives/freeipa-users/2012-February/msg00064.html

 Marl

By: Deepak Dimri
Reply  

I am trying to configure replication between two FreeIPA centos 7 servers. As per the document i need same FreeIPA version running on both the machines, i have v 4.2.0 on both, and run ipa-replica-prepare on the master and then simply run ipa-replica-install on the replica server along with replica file. But i am unable to get pass the below error message:

[[email protected] ipa]# ipa-replica-install /var/lib/ipa/replica-info-replica.ipa.com.gpg ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is already configured on this system. Please uninstall it first before configuring the replica, using 'ipa-client-install --uninstall'.

when i try 'ipa-client-install --uninstall' then i am getting bellow message:

ipa-client-install --uninstall IPA client is configured as a part of IPA server on this system. Refer to ipa-server-install for uninstallation.

What should i be doing to get around these annoying errors? has any one got freeIPA replication working on centos? the documentation has pretty simple steps but certainly it does not work for me.

Thanks, Deepak

By: gene
Reply  

so how are the clients configured to see the replica?  what file and what variable is set to see the replica?