Installing FreeIPA With Replication
Do you need a single point to add users within your organization for authenticating to multiple backends like your Linux servers? You've probably looked at OpenLDAP and found the same problem a lot of other users have: bad documentation and ridiculously hard to configure. Having done some installations of OpenLDAP in the past, the search was on to find a good alternative and, more importantly, one that is far easier to set up and has a good GUI and CLI for adding users and groups.
About FreeIPA
FreeIPA is a project backed by Red Hat, so it's no surprise that this article is about an installation on this platform. Installing FreeIPA is really fast and easy, but some things you should keep in mind are noted below.
Some notes
This installation is done on a Red Hat Enterprise Linux 6 system; keep in mind that the configuration may differ from earlier versions of the operating system. I will be doing an installation with replication, so if you were looking for that, you're in luck! My example machines will be named ldap1.example.com and ldap2.example.com. Make sure your DNS is working properly, because the FreeIPA installer really does check DNS (or, if you want to be quick and dirty, put the machines in your hosts file).
Installing FreeIPA
Installing FreeIPA is done in a few steps, noted below. I will also be adding the hostnames to the hosts file, just to be certain:
Step 1:
yum -y install ipa-server
Step 2:
Note: For some reason, the installation of memcached failed while installing the ipa-server package, so reinstall it just to be sure:
yum -y install memcached
Step 3:
echo "<ip> ldap1.example.com" >> /etc/hosts
echo "<ip> ldap2.example.com" >> /etc/hosts
Step 4:
Note: For some reason the init script for ipa_memcached (/etc/init.d/memcached) tries to start the wrong memcached during installation. Change the following line:
daemon --pidfile ${pidfile} /usr/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}
to:
daemon --pidfile ${pidfile} /usr/local/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}
Step 5:
On the first machine (ldap1.example.com) we run the following command:
ipa-server-install
You will be asked a few questions afterwards; this is an example of the output:
Server host name [ldap1.example.com]: ldap1.example.com
Please confirm the domain name [example.com]:
Please provide a realm name [EXAMPLE.COM]:
After that you will be asked for the Directory Manager password (used when working with the FreeIPA CLI) and for the password of the IPA admin (used for the web GUI). After those steps the installer shows you the information one more time; if you confirm, the installation will start. Be patient, it can take a while depending on how fast your machine is. You may run into an error while generating the CA certificate server (error: Unable to find preop.pin in /var/lib/pki-ca/conf/CS.cfg. Is your CA already configured?). If you do get this error, try uninstalling the ipa-server (ipa-server-install --uninstall) and restarting the pki-ca service (/etc/init.d/pki-ca stop/start).
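Since the installer is strict about name resolution, here is a small check for the hosts-file entries from step 3 that you can run on both machines before starting ipa-server-install. It is an added example, not part of the original article; it assumes the usual hosts-file layout ("ip name [alias ...]" per line) and flags the two cases the installer refuses: a name that is not fully qualified and a name that maps to a loopback address.

```shell
# Added example, not part of the original article: sanity-check the
# hosts-file entries from step 3 before running ipa-server-install.
# The installer expects a fully qualified host name that does not map
# to a loopback address, so catch those cases up front.

# is_fqdn NAME: 0 if NAME contains a dot and is not a localhost name.
is_fqdn() {
  case "$1" in
    localhost|localhost.localdomain|*.) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# is_loopback IP: 0 if IP is in 127.0.0.0/8 or is ::1.
is_loopback() { case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac; }

# hosts_ip FILE NAME: print every address FILE maps NAME to, one per
# line, skipping comments and matching NAME as a whole name or alias.
hosts_ip() {
  awk -v name="$2" '
    /^[ \t]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
  ' "$1"
}

# check_hosts_entry FILE NAME: 0 if NAME is an FQDN mapped to exactly one
# non-loopback address in FILE; otherwise print the reason and return 1.
check_hosts_entry() {
  file=$1; name=$2
  if ! is_fqdn "$name"; then
    echo "$name: not a fully qualified host name"; return 1
  fi
  ips=$(hosts_ip "$file" "$name")
  count=$(printf '%s\n' "$ips" | grep -c . || true)
  if [ "$count" -eq 0 ]; then
    echo "$name: no entry in $file"; return 1
  elif [ "$count" -gt 1 ]; then
    echo "$name: $count entries in $file, expected exactly one"; return 1
  fi
  if is_loopback "$ips"; then
    echo "$name: maps to loopback address $ips, the installer will refuse it"; return 1
  fi
  echo "$name -> $ips ok"
}
```

Run it as check_hosts_entry /etc/hosts ldap1.example.com (and again for ldap2.example.com) on each machine; it only reads the hosts file, so a live lookup with getent hosts is still worth doing when the names come from DNS.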
Setting up replication
Believe it or not, setting up replication for FreeIPA consists of just three commands:
Step 1:
From the master server (ldap1.example.com) execute the following command:
ipa-replica-prepare ldap2.example.com
Step 2:
Securely copy (scp) the gpg file generated in step 1 to ldap2.example.com:
scp /var/lib/ipa/replica-info-ldap2.example.com.gpg root@ldap2.example.com:/var/lib/ipa/
Step 3:
On ldap2.example.com execute the following command. Note that on ldap2.example.com we don't have to run ipa-server-install; the replication process does that for us.
ipa-replica-install /var/lib/ipa/replica-info-ldap2.example.com.gpg
Enter the Directory Manager password and voilà, replication is set up. That's all there is to it: just start up your IPA (/etc/init.d/ipa start), surf to your GUI and log in (https://ldap1.example.com/ should redirect you to the GUI if this is the only website installed on your server).