Freeipa Server Installation

in #sysops7 years ago (edited)

Freeipa Server Installation



Freeipa

For more information on Red Hat's FreeIPA, visit freeipa.org


Description:


FreeIPA is an integrated security information management solution combining
Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System).
It consists of a web interface and command-line administration tools, and
provides centralized authentication, authorization and account information by storing
data about user, groups, hosts and other objects necessary to manage computers on the network.


Pre-Requisites:


1.    OS:

COMPATABILITY NOTICE:

These instructions are only compatible with CentOS 7     and RHEL 7  


2.    Set host file entry:
Set host file entry so that the ipa server can resolve itself. This should be the first entry.

Set the host file in /etc/hosts

1.2.3.4     ipa.yourcompany.com ipa


3.    Install Epel:

yum install -y epel-release


4.    Install and configure bind:

yum install bind bind-utils


Configure Bind:


1.    Set up the bind configuration:
Edit the /etc/named.conf file to create the bind configuration

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl "trusted" {
        1.2.3.4;         # ns1 - can be set to localhost
        1.2.3.5;         # ns2 - set to secondary DNS server
        1.0.0.0/24;      # Your Company Subnet
};

options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

    listen-on port 53 { 127.0.0.1; 1.2.3.4; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-transfer  { 1.2.3.5; };           # Allow tranfers to secondary dns server.
        allow-query     { trusted; };           # Allow queries from the trusted list above.

    forward first;
        // forward non authoritative queries to google's dns nameservers.
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

         // - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         // - If you are building a RECURSIVE (caching) DNS server, you need to enable
         //   recursion.
         // - If your recursive DNS server has a public IP address, you MUST enable access
         // control to limit queries to your legitimate users. Failing to do so will
         // cause your server to become part of large scale DNS amplification
         // attacks. Implementing BCP38 within your network would greatly
         // reduce such attack surface

  recursion no;

  dnssec-enable yes;
  dnssec-validation yes;

  etc.... (Defaults)
};

// At the end of the file add:
include "/etc/named/named.conf.local";


2.    Set the zone files that will be loaded:
We are creating/loading a primary zone, and reverse lookup zone.

Edit /etc/named/named.conf.local to set the local dns zones

zone "yourcompany.com" {
    type master;
    file "/etc/named/zones/db.yourcompany.com"; # zone file path
    };

zone "3.2.1.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.1.2.3";  # 1.2.3.0/24 subnet
    };


3.    Create the zone files directory:

mkdir /etc/named/zones; chmod -R 775 /etc/named


4.    Setup the primary zone file:
Edit the main zone file /etc/named/zones/db.yourcompany.com

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.yourcompany.com. admin.yourcompany.com. (
                2               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL

; name servers - NS records
        IN      NS      ns1.yourcompany.com.
        IN      NS      ns2.yourcompany.com.

; name servers - A records
ns1.yourcompany.com.            IN      A       1.2.3.4
ns2.yourcompany.com.            IN      A       1.2.3.5

; 1.2.3.0/24 - A records
ipa             IN      A       1.2.3.4
svripa1         IN      A       1.2.3.4
svripa2         IN      A       1.2.3.5


5.    Set up the Reverse Zone File:
Edit the reverse zone file /etc/named/zones/db.1.2.3

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.yourcompany.com. admin.yourcompany.com. (
                3               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL

; name servers
      IN      NS      ns1.yourcompany.com.
      IN      NS      ns2.yourcompany.com.

; PTR Records
4      IN      PTR     ns1.yourcompany.com.         ; 1.2.3.4
4      IN      PTR     ipa.yourcompany.com.         ; 1.2.3.4
4      IN      PTR     svripa1.yourcompany.com.     ; 1.2.3.4
5      IN      PTR     ns2.yourcompany.com.         ; 1.2.3.5
5      IN      PTR     svripa2.yourcompany.com.     ; 1.2.3.5


6.    Check the zone files:
Run a check on the main bind configurations, and look for errors.

named-checkconf /etc/named.conf
named-checkconf /etc/named/named.conf.local


NOTICE:

If no errors are found, the check will simply return back to the prompt.

named-checkzone yourcompany.com /etc/named/zones/db.yourcompany.com


/etc/named/zones/db.clusterfrak.com:1: no TTL specified; using SOA MINTTL instead
zone clusterfrak.com/IN: loaded serial 3
OK


named-checkzone 3.2.1.in-addr.arpa /etc/named/zones/db.1.2.3


/etc/named/zones/db.10.79.0:1: no TTL specified; using SOA MINTTL instead
zone 0.79.10.in-addr.arpa/IN: loaded serial 3
OK


7.    Set permissions on the named conf/db files:

chown -R named:named /etc/named
chown -R named:named /var/named
chmod 644 /etc/named/zones/db.*


8.    Set SE Linux Policies:

restorecon -rv /var/named
restorecon -rv /etc/named


9.    Start and enable bind:

systemctl start named.service
systemctl enable named.service
systemctl status named.service


Configure the IPA server:


1.    Configure DNS:
Configure the IPA server to use itself as the primary DNS
edit /etc/sysconfig/network-scripts/ifcfg-enoxxxxx and add the following:

DNS1=1.2.3.4


2.    Restart network, and check /etc/resolv.conf:

systemctl restart network.service


Check the /etc/resolv.conf file to ensure that the settings look correct.

# Generated by NetworkManager
search yourcompany.com
nameserver 1.2.3.4
nameserver 1.2.3.5


3.    Set SELinux Value to allow zone writes:

edit the etc/sysconfig/named

ENABLE_ZONE_WRITE=yes


4.    Check SELinux Values:

setsebool named_write_master_zones 1
getsebool named_write_master_zones


named_write_master_zones --> on


5.    Check Resolution:

ping svripa1.yourcompany.com


PING svripa1.yourcompany.com (1.2.3.4) 56(84) bytes of data.
64 bytes from ipa.yourcompany.com (1.2.3.4): icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from ipa.yourcompany.com (1.2.3.4): icmp_seq=2 ttl=64 time=0.049 ms


nslookup svripa1


Server:     1.2.3.4
Address:    1.2.3.4#53

Name:   svripa1.yourcompany.com
Address: 1.2.3.4


Install IPA:


1.    Install IPA and IPA Utils:

 yum -y install ipa-server ipa-server-dns


2.    Setup IPA DNS:

ipa-server-install --setup-dns


The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.yourcompany.com]:

Warning: skipping DNS resolution of host ipa.clusterfrak.com
The domain name has been determined based on the host name.

Please confirm the domain name [yourcompany.com]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [YOURCOMPANY.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Existing BIND configuration detected, overwrite? [no]: yes
Do you want to configure DNS forwarders? [yes]: yes
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.8.8
DNS forwarder 8.8.8.8 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.4.4
DNS forwarder 8.8.4.4 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name [3.2.1.in-addr.arpa.]:
Using reverse zone(s) 3.2.1.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       ipa.yourcompany.com
IP address(es): 1.2.3.4
Domain name:    yourcompany.com
Realm name:     YOURCOMPANY.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    8.8.8.8, 8.8.4.4
Reverse zone(s):  3.2.1.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin
  etc.....

  Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password


Verify Kerberos Tickets:


kinit admin
Password for admin@YOURCOMPANY.COM:


klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CLUSTERFRAK.COM

Valid starting       Expires              Service principal
01/25/2016 21:57:28  01/26/2016 21:57:22  krbtgt/CLUSTERFRAK.COM@CLUSTERFRAK.COM


Change Default Shell:


ipa config-mod --defaultshell=/bin/bash


  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: clusterfrak.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=CLUSTERFRAK.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC


Enable services through firewall:


firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=ldap
firewall-cmd --zone=public --permanent --add-service=ldaps
firewall-cmd --zone=public --permanent --add-service=kerberos
firewall-cmd --zone=public --permanent --add-service=dns

firewall-cmd --zone=public --permanent --add-port=53/udp
firewall-cmd --zone=public --permanent --add-port=88/udp
firewall-cmd --zone=public --permanent --add-port=464/udp
firewall-cmd --zone=public --permanent --add-port=123/udp

firewall-cmd --reload


Check the firewall rules:


firewall-cmd --zone=public --list-services


dhcpv6-client dns http https kerberos ldap ldaps ssh


firewall-cmd --zone=public --list-ports


464/udp 123/udp 53/udp 88/udp


Post Requisites:


None


References:


clusterfrak.com

Digital Ocean Bind 9 Guide

Unixmen.com

Sort:  

Thanks for bringing this to my attention. The company I work for has been debating over which solution to integrate to gain centralized authentication for our infrastructure (mostly linux servers and web applications).

I have worked in quite a few enterprise environments of which we have had freeipa as our centralized auth system for linux boxes. It can be integrated into active directory, or be stand alone, it can have replicatants in other datacenters, or regions, it has a pretty sleek UI, and does user SSH Key management, integrated DHCP/DNS, and can function as an internal CA using dogtag technology.. Its a great solution, highly recommended !! I will be posting an article shortly on how to set up clients to join the freeipa domain. I have it written already, it should be up within the hour.

Thanks for the reply. I will look for that client article.

I posted it yesterday, take a look through my published blogs and you will find it :)

Interesting thoughts