305.1 FreeIPA Installation and Maintenance (weight: 2)

Tech Tutorial: 305.1 FreeIPA Installation and Maintenance #

Introduction #

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization, and account information by storing data about user, groups, hosts, and other objects necessary to manage the security aspects of a network of computers. In this tutorial, we will cover the setup and management of a FreeIPA domain, including replication and client integration.

Key Knowledge Areas: #

  • Installation of FreeIPA server
  • Configuration of FreeIPA server
  • Managing FreeIPA services
  • Setting up replication
  • Joining clients to the domain

Utilities: #

  • ipa-server-install
  • ipa-replica-install
  • ipa-client-install
  • ipa
  • ipa-replica-manage
  • ipa-csreplica-manage

Step-by-Step Guide #

1. Installation of FreeIPA Server #

To begin with, you need a CentOS or RHEL-based system. Make sure your system is updated and has a proper hostname.

sudo yum update -y
sudo hostnamectl set-hostname ipa.example.com

Install the FreeIPA server package:

sudo yum install ipa-server -y

Now, install the FreeIPA server with an integrated DNS. This step requires some interactive configuration such as specifying the domain name and setting up an administrative password.

sudo ipa-server-install --setup-dns --forwarder=8.8.8.8 --no-forwarders

During the installation, you will be prompted for various settings like domain, realm, DNS forwarder, and the Directory Manager’s password.

2. Managing FreeIPA Services #

After installation, you can manage FreeIPA services using the ipa command-line utility. Start by checking the status of all services:

ipa service-status

You can start, stop, or restart services using this utility:

ipa service-restart
ipa service-stop
ipa service-start

3. Setting Up Replication #

Setting up replication involves installing a replica of your primary FreeIPA server on another server. First, install the necessary packages on the replica server:

sudo yum install ipa-server -y

Run the replica installation command:

sudo ipa-replica-install --principal admin --admin-password <AdminPassword>

You will need to provide the principal and admin password used in the primary server during the setup.

4. Joining Clients to the Domain #

To join a client to the FreeIPA domain, install the FreeIPA client package:

sudo yum install ipa-client -y

Now, join the client to the domain:

sudo ipa-client-install --principal admin --password <AdminPassword> --mkhomedir

This command requires an administrative principal and password. It also creates home directories for users upon their first login.

Detailed Code Examples #

Let’s go through more detailed usage of the ipa command.

Adding a User:

ipa user-add jdoe --first=John --last=Doe --password

Adding a Host:

ipa host-add host1.example.com

Modifying a User:

ipa user-mod jdoe --shell=/bin/bash

Finding a User:

ipa user-find jdoe

Deleting a User:

ipa user-del jdoe

Conclusion #

In this tutorial, we have gone through the installation and basic management of a FreeIPA server, including how to set up replication and join clients to the domain. FreeIPA is a powerful tool for managing identities and policies in a networked environment, providing a centralized platform that simplifies user and host management. By following this guide, you should be able to establish a robust identity management system using FreeIPA.