So I’ve been dorking around with 389-ds a LOT at work lately and it’s a bitch to set up, especially when it comes to the certs. As a hackathon project I decided to set up FreeIPA, which is the free version of Red Hat Identity Manager, as a more comprehensive and easy-to-manage solution. I have this set up at home as well in my personal lab.
Some prerequisites first: make sure you have DNS and REVERSE LOOKUPS for all servers and clients, and if you’re running iptables or a firewall on your hosts, make sure you have the following ports open, TCP/UDP: 888/444 for Kerberos and 389/636 for LDAP.
Here are the specifics for our setup:
- Domain: example.com
- Realm: EXAMPLE.COM
- Server1: freeipa01.example.com
- Server2(replica): freeipa02.example.com
- Client: client01.example.com
FreeIPA Server Setup
This setup is stupid easy: you just have to yum install ipa-server, then set it up with ipa-server-install. Note that you can just run ipa-server-install without any flags and it will ask you for the realm, domain, etc. It will automatically set up your certificates, Kerberos, etc.
# yum -y install ipa-server
# ipa-server-install --domain=example.com --realm=EXAMPLE.COM
Next let’s see if IPA is working correctly by requesting a ticket for the admin user
There shouldn’t be any output; let’s validate that the ticket was issued:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 16:09:06  02/13/14 16:09:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/12/14 16:49:46  02/13/14 16:09:03  firstname.lastname@example.org
On the master(Server1):
Copy the gpg file that was just created at /var/lib/ipa to Server2(the replica) and run the following command on Server2:
I’ll specify that I find it rather important to specify the --mkhomedir flag. If you don’t then setting it up later can be a bitch.
# ipa-client-install --domain=example.com --server=freeipa01.example.com --realm=EXAMPLE.COM -p admin --password=<password> --mkhomedir --hostname=client01.example.com
Enable WebUI access from anywhere
By default the WebUI is only accessible from authenticated IPA clients. This means that non-IPA clients cannot access the WebUI to manage FreeIPA. While the extra security is nice, in a dev or lab setting it might be overkill. Here’s the workaround I found so you can access the WebUI from any computer. The workaround works by enabling Kerberos authentication through the web browser itself. Note that you have to do this on all FreeIPA servers.
On the server(s) open the ipa.conf file used by the Apache web service.
In the <Location "/ipa"> location definition, change the KrbMethodK5Passwd attribute from off to on.
Restart the httpd service:
# service httpd restart
One small issue I found is that the default admin user doesn’t seem to work if you try to access it from a non-IPA client. I had to create another user (webadmin), give it admin privileges, and log in to a machine as that user before I could access the WebUI from non-IPA clients.
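Because the change has to be repeated on every FreeIPA server, it is worth checking what each copy of ipa.conf actually sets for KrbMethodK5Passwd inside the /ipa location, so a server that was missed (or one that should have stayed at the default) stands out. The following is an added example, not code from the original post or from the FreeIPA project; the function names and the sample config text are constructed for illustration.

```python
import sys

# Constructed sample config (not copied from a real ipa.conf). The commented
# line and the "/other" block are there to show why a plain grep is not enough.
SAMPLE_DEFAULT = """
<Location "/other">
  KrbMethodK5Passwd on
</Location>
<Location "/ipa">
  AuthType Kerberos
  KrbMethodNegotiate on
  # KrbMethodK5Passwd on
  KrbMethodK5Passwd off
</Location>
"""
# The same file after the change described in the post.
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace("KrbMethodK5Passwd off", "KrbMethodK5Passwd on")


def k5passwd_setting(conf_text, location="/ipa"):
    """Return 'on'/'off' as set inside <Location location>, or None if unset."""
    inside, value = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        lower = line.lower()
        if lower.startswith("<location ") and line.endswith(">"):
            path = line[len("<location "):-1].strip().strip('"')
            inside = (path == location)
        elif lower.startswith("</location"):
            inside = False
        elif inside:
            parts = line.split()
            # Directive names are case-insensitive; a later line overrides an earlier one.
            if len(parts) == 2 and parts[0].lower() == "krbmethodk5passwd":
                value = parts[1].lower()
    return value


def drift(configs, expected, location="/ipa"):
    """Return {server: found} for every server whose value differs from expected."""
    found = {name: k5passwd_setting(text, location) for name, text in configs.items()}
    return {name: val for name, val in found.items() if val != expected}


if __name__ == "__main__":
    # Usage: script.py on|off ipa.conf [ipa.conf ...]  (one copy per server)
    configs = {path: open(path).read() for path in sys.argv[2:]}
    print(drift(configs, sys.argv[1]) if configs else k5passwd_setting(SAMPLE_DEFAULT))
```

An empty result from `drift` means every server matches the expected value; a value of `None` for a server means the directive is absent from its /ipa block.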