Installing FreeIPA With Replication

Do you need a single place to add users within your organization for authenticating to multiple backends, such as your Linux servers? You have probably looked at OpenLDAP and run into the same problem many other users have: poor documentation and a configuration that is ridiculously hard to get right. Having done some OpenLDAP installations in the past, I went looking for a good alternative, and more importantly one that is far easier to set up and has a good GUI and CLI for adding users and groups.


About FreeIPA

FreeIPA is a project backed by Red Hat, so it is no surprise that this article covers an installation on that platform. Installing FreeIPA is fast and easy, but there are some things you should keep in mind, noted below.


Some notes

This installation is done on a Red Hat Enterprise Linux 6 system; keep in mind that the configuration may differ on earlier versions of your operating system. I will be doing an installation with replication, so if that is what you were looking for, you're in luck! My example machines are named ldap1.example.com and ldap2.example.com. Make sure your DNS is working properly, because the FreeIPA installer really does check DNS (or, if you want to be quick and dirty, put the machines in your hosts file).


Installing FreeIPA

Installing FreeIPA is done in a few steps, noted below. I will also add the hostnames to the hosts file, just to be certain:


Step 1:

yum -y install ipa-server


Step 2:

Note: for some reason the installation of memcached failed while installing the ipa-server package, so reinstall it just to be sure:
yum -y install memcached


Step 3:

echo "<ip> ldap1.example.com" >> /etc/hosts
echo "<ip> ldap2.example.com" >> /etc/hosts


Step 4:

Note: for some reason the init script for ipa_memcached (/etc/init.d/memcached) tries to start the wrong memcached binary during installation. Change the following line:

daemon --pidfile ${pidfile} /usr/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}

to:

daemon --pidfile ${pidfile} /usr/local/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}


Step 5:

On the first machine (ldap1.example.com) we run the following command:

ipa-server-install

You will then be asked a few questions; this is example output:

Server host name [ldap1.example.com]: ldap1.example.com
Please confirm the domain name [example.com]: 
Please provide a realm name [EXAMPLE.COM]: 

After that you will be asked for the Directory Manager password (used with the FreeIPA CLI) and for the IPA admin password (used for the web GUI). The installer then shows you the collected information one more time; once you confirm, the installation starts. Be patient, as it can take a while depending on how fast your machine is. You may run into an error while generating the CA certificate server (error: Unable to find preop.pin in /var/lib/pki-ca/conf/CS.cfg. Is your CA already configured?). If you get this error, try uninstalling the IPA server (ipa-server-install --uninstall) and restarting the pki-ca service (/etc/init.d/pki-ca stop, then /etc/init.d/pki-ca start).
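Because the installer checks name resolution so strictly (and many people fall back to the hosts file), here is an added pre-flight script, not part of the original post, that validates both hosts the way the installer will: each name must be fully qualified, resolve to an address, and that address must map back to the same canonical name. It only reads a hosts-style file (the HOSTS_FILE variable, defaulting to /etc/hosts, is this script's own convention), so run it before ipa-server-install and again on the replica before ipa-replica-install.

```shell
#!/bin/sh
# Constructed pre-flight check (not from the original post) for the name
# resolution that ipa-server-install and ipa-replica-install rely on.
# HOSTS_FILE defaults to /etc/hosts; tests point it at a constructed file.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# is_fqdn NAME: 0 if NAME has the form host.domain.tld (the installer refuses
# short hostnames), 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# forward_lookup NAME: prints the first address mapped to NAME in HOSTS_FILE
# (comments and alias columns are honoured); exits 1 if NAME is absent.
forward_lookup() {
    awk -v n="$1" '{ sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' \
        "$HOSTS_FILE" | grep .
}

# reverse_lookup IP: prints the canonical (first) name listed for IP; exits 1 if absent.
reverse_lookup() {
    awk -v ip="$1" '{ sub(/#.*/, "") } NF >= 2 && $1 == ip { print $2; exit }' \
        "$HOSTS_FILE" | grep .
}

# check_host NAME: 0 only if NAME is an FQDN, resolves, and its address maps
# back to NAME as the canonical name (a forward/reverse mismatch is the usual
# reason the installer complains about DNS).
check_host() {
    name="$1"
    is_fqdn "$name" || { echo "not an FQDN: $name" >&2; return 1; }
    ip=$(forward_lookup "$name") || { echo "no address for $name" >&2; return 1; }
    back=$(reverse_lookup "$ip") || { echo "no reverse entry for $ip" >&2; return 1; }
    [ "$back" = "$name" ] || { echo "$ip maps back to $back, not $name" >&2; return 1; }
}

# check_pair MASTER REPLICA: both hosts pass check_host and have distinct addresses.
check_pair() {
    check_host "$1" && check_host "$2" || return 1
    [ "$(forward_lookup "$1")" != "$(forward_lookup "$2")" ] ||
        { echo "$1 and $2 share one address" >&2; return 1; }
}

# When run as a script: ./ipa-preflight.sh ldap1.example.com ldap2.example.com
if [ "$#" -eq 2 ]; then check_pair "$1" "$2" && echo "pre-flight OK"; fi
```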


Setting up replication

Believe it or not, setting up replication for FreeIPA just consists of three commands:


Step 1:

From the master server (ldap1.example.com) execute the following command:

ipa-replica-prepare ldap2.example.com


Step 2:

Securely copy (scp) the GPG-encrypted replica information file generated in step 1 to ldap2.example.com:

scp /var/lib/ipa/replica-info-ldap2.example.com.gpg root@ldap2.example.com:/var/lib/ipa/


Step 3:

On ldap2.example.com execute the following command. Note that on ldap2.example.com we do not have to run an ipa-server-install; the replica installation does that for us.

ipa-replica-install /var/lib/ipa/replica-info-ldap2.example.com.gpg

Enter the Directory Manager password and voilà, replication is set up. That's all there is to it: start up your IPA services (/etc/init.d/ipa start), browse to the GUI and log in (https://ldap1.example.com/ should redirect you to the GUI if this is the only website installed on your server).
