FreeIPA Server/Client setup on CentOS 6.5

So I’ve been dorking around with 389-ds a LOT at work lately and it’s a bitch to setup, especially when it comes to the certs.  As a hackathon project I decided to setup FreeIPA, which is the Free version of Redhat Identity Manager as a more comprehensive and easy to manage solution.  I have this setup at home as well in my personal lab.  Some pre-requisites first… make sure you have DNS and REVERSE LOOKUPS for all servers and clients and if you’re running iptables or a firewall on your hosts then make sure you have the following ports open, TCP/UDP: 888/444 for kerberos and 389/636 for ldap.

Here are the following specifics for our setup:

  • Domain:                   
  • Realm:                               EXAMPLE.COM
  • Server1:                   
  • Server2(replica):       
  • Client:                      

FreeIPA Server Setup

This setup is stupid easy, you just have yum install the ipa-server, then set it up with ipa-server-install.  Note you can just call run #ipa-server-install without any flags and it will ask you realm, domain, etc.  It will automatically setup your certificates, kerberos, etc… etc…

# yum -y install ipa-server
# ipa-server-install --realm=EXAMPLE.COM

Next let’s see if IPA is working correctly by requesting a ticket for the admin user

#kinit admin

There shouldn’t be any output, let’s validate that the ticket was issued

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 16:09:06  02/13/14 16:09:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/12/14 16:49:46  02/13/14 16:09:03  host/

Replication Setup

On the master(Server1):


Copy the gpg file that was just created at /var/lib/ipa to Server2(the replica) and run the following command on Server2:

#ipa-replica-install /var/lib/ipa/

Client Setup

I’ll specify that I find it rather important to specify the –mkhomedir flag. If you don’t then setting it up later can be a bitch.

#ipa-client-install --realm=EXAMPLE.COM -p admin  --password=<password> --mkhomedir

Enable WebUI access from anywhere

By default the WebUI is only accessible from authenticated IPA clients. This means that non-ipa clients can not access the WebUI to manage FreeIPA. While the extra security is nice, in a dev or lab setting it might be overkill. Here’s the workaround I found so you can access the webui from any computer. How the workaround actually works is that enables kerberos authentication through the web browser itself. Note that you have to do this on all freeipa servers.

On the server(s) open the ipa.conf file used by the Apache web service.

#vim /etc/httpd/conf.d/ipa.conf

In the <Location “/ipa”> location definition, change the KrbMethodK5Passwd attribute from off to on.

KrbMethodK5Passwd on

Restart the httpd service:

# service httpd restart

One small issue I found is the default admin user doesn’t seem to work if you try to access from a non-ipa client. I had to create another user(webadmin) give it admin privileges and log in to a machine as that user before I could access the WebUI from non-ipa clients.


Leave a Reply

Your email address will not be published. Required fields are marked *