So you would like to migrate your user account management and centralized authentication from raw OpenLDAP to a FreeIPA server running on Ubuntu 18.04? Well, we have you covered: in this article, we are going to learn how to install and configure FreeIPA server on Ubuntu 18.04.
If you have a CentOS 7.x server, you may also be interested in looking at our article on installing FreeIPA server on a CentOS server.
Before you can install FreeIPA server, ensure that the following minimum requirements are met:
- The hostname is fully qualified, e.g. ipa.computingforgeeks.com in my case.
- The hostname must be resolvable. If you don't have a DNS server, you can define your hostname in the hosts file.
- At least 2-4GB of RAM, 10GB disk space, 2 vCPUs
If you need a low resource utilization LDAP server, check:
Preparing FreeIPA Server
Well, before we proceed with the installation and configuration of our FreeIPA server on Ubuntu 18.04, let us do a little bit of in-house preparation.
Check your hostname to ensure that it is in FQDN format:
$ hostname -f
ipa
This doesn’t look good. Let us make it fully qualified.
sudo hostnamectl set-hostname ipa.example.com
Confirm the change:
# hostname
ipa.example.com
Define your FQDN in the hosts file to make it resolvable:
echo "192.168.58.121 ipa.example.com ipa" | sudo tee -a /etc/hosts
Update the package repository:
sudo apt update -y
FreeIPA server performs a lot of cryptographic operations while running, so your VM must have enough entropy to ensure that these operations don't stall. To keep the entropy pool topped up, install and configure rng-tools.
sudo apt install rng-tools
Once the installation is done, edit the file /etc/default/rng-tools and set the input source for random data to /dev/urandom by adding the line HRNGDEVICE=/dev/urandom, as shown:
$ sudo vim /etc/default/rng-tools
.....
# This is a POSIX shell fragment

# Set to the input source for random data, leave undefined
# for the initscript to attempt auto-detection. Set to /dev/null
# for the viapadlock and tpm drivers.
#HRNGDEVICE=/dev/hwrng
#HRNGDEVICE=/dev/null
HRNGDEVICE=/dev/urandom
.....
Enable and start the rng-tools:
sudo systemctl enable rng-tools
sudo systemctl start rng-tools
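Before moving on to the installer, the prerequisites above (FQDN hostname, hosts-file resolution, rng-tools fed from /dev/urandom, a healthy entropy pool) can be checked in one go. The following POSIX shell script is an added example, not code from the original article; it assumes the server IP is passed as the first argument, that the hosts file and rng-tools defaults live at their Ubuntu paths unless a path is given, and that a 1000-bit entropy floor is a reasonable threshold on the Ubuntu 18.04 kernel.

```shell
#!/bin/sh
# Preflight checks for the prerequisites listed above (added example, not from the
# original article). Each check returns 0 on pass and 1 on fail so it can be
# scripted ahead of the installer. File paths are parameters so the same
# functions can be run against a constructed hosts or defaults file.

# A hostname is fully qualified when it consists of two or more valid DNS labels.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# The FQDN ($1) must map to the server IP ($2) in the hosts file ($3, default
# /etc/hosts); comment lines are skipped and every alias after the IP is checked.
hosts_resolves() {
    awk -v fqdn="$1" -v ip="$2" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "${3:-/etc/hosts}"
}

# rng-tools must have an active (uncommented) HRNGDEVICE=/dev/urandom line in
# its defaults file ($1, default /etc/default/rng-tools).
rng_source_ok() {
    grep -Eq '^[[:space:]]*HRNGDEVICE=/dev/urandom[[:space:]]*$' "${1:-/etc/default/rng-tools}"
}

# The kernel entropy pool ($1, default /proc/sys/kernel/random/entropy_avail)
# must hold at least $2 bits; the 1000-bit default is an assumed threshold.
entropy_ok() {
    [ "$(cat "${1:-/proc/sys/kernel/random/entropy_avail}")" -ge "${2:-1000}" ]
}

# Run all checks on the live host for server IP $1; returns the failure count.
preflight() {
    ip=$1; fails=0; fqdn=$(hostname -f)
    is_fqdn "$fqdn"              && echo "ok   hostname is an FQDN: $fqdn" || { echo "FAIL hostname is not an FQDN: $fqdn"; fails=$((fails + 1)); }
    hosts_resolves "$fqdn" "$ip" && echo "ok   $fqdn maps to $ip in /etc/hosts" || { echo "FAIL $fqdn does not map to $ip in /etc/hosts"; fails=$((fails + 1)); }
    rng_source_ok                && echo "ok   rng-tools reads /dev/urandom" || { echo "FAIL HRNGDEVICE is not /dev/urandom"; fails=$((fails + 1)); }
    entropy_ok                   && echo "ok   entropy pool is sufficient" || { echo "FAIL entropy pool is low"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh preflight.sh 192.168.58.121  (the IP you put in /etc/hosts)
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

A non-zero exit status from preflight means at least one prerequisite is still missing, so it can gate an automated build before the installer runs.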
Now that our server is prerequisite compliant, let us get to work.
Install FreeIPA Server packages
Run the following command to install the FreeIPA server package:
sudo apt -y install freeipa-server
Midway through the installation, you will be prompted to enter the Kerberos realm, the hostnames of the Kerberos servers and the hostname of the administrative server for the Kerberos realm.
Enter EXAMPLE.COM, ipa.example.com, ipa.example.com respectively.
You will also encounter errors relating to Kerberos and tomcat; you can safely ignore them.
After the installation is complete, run the FreeIPA server installation command. This will prompt you for a number of configuration options and then install FreeIPA:
sudo ipa-server-install
The first prompt is about FreeIPA's integrated DNS; since we do not need this service in this setup, we won't configure it.
To accept the default options shown in square brackets, just press the Enter key.
...
Do you want to configure integrated DNS (BIND)? [no]: Enter

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.computingforgeeks.com]: Enter

The domain name has been determined based on the host name.

Please confirm the domain name [computingforgeeks.com]: Enter

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [COMPUTINGFORGEEKS.COM]: Enter
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long

Directory Manager password: <secure password>
Password (confirm): <secure password>

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: <secure password>
Password (confirm): <secure password>

The IPA Master Server will be configured with:
Hostname:       ipa.example.com
IP address(es): 192.168.58.121
Domain name:    computingforgeeks.com
Realm name:     COMPUTINGFORGEEKS.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.COM
Subject base: O=EXAMPLE.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes
...output cut...
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.
Now that the FreeIPA server setup is complete, open the ports required for various FreeIPA server services through the firewall.
If ufw is not running, you can enable it and then allow incoming connections to the ports listed above.
sudo ufw enable
Allow the TCP ports:
for i in 80 443 389 636 88 464; do sudo ufw allow proto tcp from any to any port $i; done
Allow the UDP ports:
for i in 88 464 123; do sudo ufw allow proto udp from any to any port $i; done
Reload ufw to save the changes.
sudo ufw reload
Now that the ports have been opened through the firewall, let us verify our FreeIPA server by obtaining a Kerberos ticket for the admin user.
For normal administrative activity, an administrative account named admin was created during setup. When prompted for the password, use the one you specified for the admin user during the configuration step.
# kinit admin
Password for [email protected]:
Check Kerberos tickets:
If that is successful, check whether the user admin exists on the FreeIPA server:
# ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 1506000000
  GID: 1506000000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
All seems well. You can now perform any IPA task from the web dashboard as well as from the command line. To log in to the web dashboard, use the address
The web login username is admin and the password is the one supplied during the configuration step for the admin user.
Then you should get to the FreeIPA management interface.
The next guide you may want to go through is How to Configure FreeIPA Client on Ubuntu 18.04 / Ubuntu 16.04 / CentOS 7.
If you need LDAP Authentication on your GitLab Server, read: