(Last Updated On: August 12, 2019)

In this guide, we’ll look at how to install FreeIPA Server on CentOS 7. Once you have FreeIPA running, your problems of having to manually manage user accounts and authentication on Linux systems will come to an end. Initially, I used a vanilla OpenLDAP server for identity management, and it is a real pain in the neck to administer.

For those new to FreeIPA, it is an identity management system which aims to provide easily managed Identity, Policy, and Audit for users.

FreeIPA is an Open Source project sponsored by Red Hat. It is upstream for the commercial Red Hat Identity Manager. On the client side, there is a client application used to configure target systems.

For other servers, have a look at:

How to Install FreeIPA Server on Ubuntu 18.04 and Ubuntu 16.04

How to Install and Configure FreeIPA Server on RHEL / CentOS 8

FreeIPA installation minimum requirements

  • Server with 4 GB RAM – I got failed installations with 1 GB and 2 GB RAM
  • CentOS server – can be CentOS 7.x or CentOS 6.x
  • 2 vCPUs
  • Ports 443 and 80 not used by another application
  • FQDN – resolvable over a public or private DNS server
  • 10 GB disk space

Installing FreeIPA Server on CentOS 7

There are a few prerequisites we need to satisfy before installing FreeIPA on our CentOS server.

Step 1: Update system

I’m going to add the EPEL repository and update all packages installed on the system.

sudo yum -y install epel-release
sudo yum -y update
sudo yum -y install bind-utils vim

Once the system is updated, proceed to install FreeIPA server packages.

Step 2: Install FreeIPA Server packages

The packages you install depend on which services you need IPA to provide. If you don’t need the DNS service, just install the ipa-server package:

sudo yum -y install ipa-server

If you want to include the DNS service, also install ipa-server-dns, bind and bind-dyndb-ldap:

sudo yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap

Step 3: Setup IPA Server

Configuring the FreeIPA server is a straightforward process: you only need to answer a few questions and everything will be configured. If you don’t have a DNS server to resolve the server hostname, modify the /etc/hosts file to include the hostname and IP address.

echo "172.16.11.20  ipa.computingforgeeks.com" | sudo tee -a /etc/hosts

Configure server hostname to match above name:

sudo hostnamectl set-hostname ipa.computingforgeeks.com

Then run the ipa-server-install command to configure the IPA server. You need to execute it as the root user:

sudo ipa-server-install

If you want to configure the DNS service as well, include the --setup-dns option:

sudo ipa-server-install --setup-dns

You will be prompted to provide answers to a number of questions:

$ sudo ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.computingforgeeks.com]: 

The domain name has been determined based on the host name.

Please confirm the domain name [computingforgeeks.com]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [COMPUTINGFORGEEKS.COM]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 


The IPA Master Server will be configured with:
Hostname:       ipa.computingforgeeks.com
IP address(es): 192.168.x.x
Domain name:    computingforgeeks.com
Realm name:     COMPUTINGFORGEEKS.COM

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
.....
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
...

Do you want to configure integrated DNS (BIND)? [no]: no -> Answer yes if you want to enable the DNS service (bind)

Server hostname [ipa.computingforgeeks.com]:  <Enter to confirm>

Step 4: Configure Firewalld

If you have a firewall service running (firewalld on CentOS 7.x), you need to open the ports required by the FreeIPA services. The ports to open are:

TCP Ports:
   * 80, 443: HTTP/HTTPS
   * 389, 636: LDAP/LDAPS
   * 88, 464: kerberos

UDP Ports:
   * 88, 464: kerberos
   * 123: ntp

Use the following commands to configure firewalld:

sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload

Step 5: Access FreeIPA Web interface

Having opened the firewall ports and configured the FreeIPA server, you can access its web interface for administration. All IPA tasks can be done from the web interface or with the ipa command-line tool. Access the admin dashboard at https://ipa.computingforgeeks.com/, replacing ipa.computingforgeeks.com with your hostname.

After logging in, you should see an interface like the one below:

To use the ipa command, you first need to get a Kerberos ticket.

# kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:

Check ticket expiry information using klist.

# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@COMPUTINGFORGEEKS.COM

Valid starting       Expires              Service principal
06/01/2018 20:14:49  06/02/2018 20:14:44  krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM

Test by adding a user account and then listing the accounts present:

# ipa user-add jmutai --first=Josphat --last=Mutai --email=jmutai@computingforgeeks.com --shell=/bin/bash --password
Password: 
Enter Password again to verify: 
-------------------
Added user "jmutai"
-------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Full name: Josphat Mutai
  Display name: Josphat Mutai
  Initials: JM
  Home directory: /home/jmutai
  GECOS: Josphat Mutai
  Login shell: /bin/bash
  Principal name: jmutai@COMPUTINGFORGEEKS.COM
  Principal alias: jmutai@COMPUTINGFORGEEKS.COM
  Email address: jmutai@computingforgeeks.com
  UID: 839400001
  GID: 839400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Get User Accounts:

# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@COMPUTINGFORGEEKS.COM
  UID: 839400000
  GID: 839400000
  Account disabled: False

  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Home directory: /home/jmutai
  Login shell: /bin/bash
  Principal name: jmutai@COMPUTINGFORGEEKS.COM
  Principal alias: jmutai@COMPUTINGFORGEEKS.COM
  Email address: jmutai@computingforgeeks.com
  UID: 839400001
  GID: 839400001
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
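As an added example (not from the original guide), here is a small Python script that parses the block-style `ipa user-find` output shown above into records, cross-checks the trailing "Number of entries returned" count so truncated output is caught, and lists the accounts that can actually log in. The sample output is constructed in the same layout as the listing above, extended with a hypothetical disabled service account (svc-backup) so the filter has something to drop.

```python
import re

# Constructed sample in the `ipa user-find` layout shown in this guide, with a
# hypothetical disabled service account added so the filter below drops one.
SAMPLE = """\
---------------
3 users matched
---------------
  User login: admin
  Login shell: /bin/bash
  Account disabled: False

  User login: jmutai
  Login shell: /bin/bash
  Account disabled: False

  User login: svc-backup
  Login shell: /sbin/nologin
  Account disabled: True
----------------------------
Number of entries returned 3
----------------------------
"""

FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")          # indented "Key: value"
TOTAL = re.compile(r"^Number of entries returned (\d+)$")
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_user_find(text):
    """One dict per user block; the reported count must match or we raise."""
    records, cur, expected = [], {}, None
    for line in text.splitlines() + [""]:      # sentinel closes the last block
        if m := FIELD.match(line):
            cur[m.group(1).strip()] = m.group(2).strip()
            continue
        if cur:                                # any non-field line ends a record
            records.append(cur)
            cur = {}
        if t := TOTAL.match(line):
            expected = int(t.group(1))
    if expected is not None and expected != len(records):
        raise ValueError(f"parsed {len(records)} users, server reported {expected}")
    return records


def interactive_accounts(records):
    """Logins that can actually sign in: enabled and with a real shell."""
    return [r["User login"] for r in records
            if r.get("Account disabled") == "False"
            and r.get("Login shell") not in NOLOGIN]
```

On a live server, feed it the real listing instead of the sample, e.g. `parse_user_find(subprocess.run(["ipa", "user-find"], capture_output=True, text=True).stdout)` after `kinit admin`.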

On your first login with the LDAP account, you’ll be asked to change your password (the chdir error at the end only means the home directory has not yet been created on that host):

$ ssh jmutai@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.
ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
Could not chdir to home directory /home/jmutai: No such file or directory

After setting up FreeIPA Server, you would probably want to configure FreeIPA client, for this refer to:

How to Configure FreeIPA Client on Ubuntu 18.04 / Ubuntu 16.04 / CentOS 7.

Also read: How to Reset FreeIPA admin Password as root user

LDAP Usage examples:

How to Configure GitLab FreeIPA Authentication

How To Integrate Harbor Registry With LDAP for user Authentication

How to Configure Jenkins FreeIPA LDAP Authentication