Setup FreeIPA Server on Azure/AWS/GCP

Setup and install FreeIPA on a RHEL 9.3 server on Azure, AWS or GCP.  FreeIPA on Red Hat Enterprise Linux (RHEL) is an integrated security information management solution combining Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). It consists of a web interface and command-line administration tools.  Deploy directly from any of the cloud marketplaces using the links below.

Cloud FreeIPA

FreeIPA on Azure


Deploy FreeIPA on RHEL 9.3 on Azure

FreeIPA on AWS

Coming soon…

FreeIPA on GCP

Coming soon…

Getting Started with FreeIPA on RHEL

Once your FreeIPA server has been deployed, the following links explain how to connect to a Linux VM:


Once connected and logged in, the following section explains how to start using FreeIPA.

Setting Up FreeIPA on Red Hat Linux Enterprise

1) Configure Local DNS

The first step is to set the hostname of your server to your FQDN.  Run the following command, replacing the placeholder with your domain name.  In my example I use our own DNS name.

					sudo hostnamectl set-hostname your-hostname

Note: Make sure your FQDN (Fully Qualified Domain Name) is pointing to the private IP address of your FreeIPA server before starting.  This is the most important step: make sure your DNS resolution is working before you begin.

					sudo hostnamectl set-hostname cloudinfrastructureservices.co.uk

To confirm the hostname has updated, run the following command:

					hostname

Next, we need to update the local hosts file with your FQDN, for example:

					server-public-ip   fqdn.yourdomain.com

					sudo vim /etc/hosts

Here is how my hosts file looks:

10.1.0.4 cloudinfrastructureservices.co.uk
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

To edit the hosts file in vim, press Shift+I to enter insert mode; to save and exit, press Esc and type :wq!
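Before moving on, it is worth checking the result of step 1 rather than trusting it. The following is an added example, not part of the original guide: it parses an /etc/hosts-style file and confirms that the FQDN maps to a private (RFC 1918) IPv4 address, as the note above requires. The sample hosts content is constructed here; on the real server you would point it at /etc/hosts and the output of hostname -f.

```shell
#!/bin/sh
# Added example (not from the guide): preflight check for the hosts/FQDN step.
# Verifies that the FQDN set with hostnamectl resolves, via a hosts-style
# file, to a private IPv4 address before ipa-server-install is run.

# Return 0 if $1 is an IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0 ;;
  esac
  return 1
}

# Print the address the hosts-style file $1 maps to name $2 (first match);
# trailing comments are dropped and aliases after the address also match.
hosts_lookup() {
  awk -v name="$2" '
    { sub(/#.*/, "") }
    NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
  ' "$1"
}

# preflight_hosts <hosts-file> <fqdn>: 0 when the FQDN is lowercase, contains
# a dot, has an entry in the file, and that entry is a private IP; else 1.
preflight_hosts() {
  file=$1; fqdn=$2
  lower=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
  [ "$fqdn" = "$lower" ] || { echo "hostname must be lowercase: $fqdn" >&2; return 1; }
  case "$fqdn" in
    *.*) ;;
    *) echo "hostname is not fully qualified: $fqdn" >&2; return 1 ;;
  esac
  addr=$(hosts_lookup "$file" "$fqdn")
  [ -n "$addr" ] || { echo "no hosts entry for $fqdn" >&2; return 1; }
  is_rfc1918 "$addr" || { echo "$fqdn maps to $addr, not a private IP" >&2; return 1; }
  echo "$fqdn -> $addr OK"
}

# Constructed sample mirroring the hosts file shown in the guide, plus one
# deliberately wrong entry (203.0.113.10 is a documentation address).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
10.1.0.4 cloudinfrastructureservices.co.uk   # FreeIPA server, private IP
203.0.113.10 public.example.com
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
EOF
```

On the server itself, run preflight_hosts /etc/hosts "$(hostname -f)" and fix the hosts file or hostname until it prints OK.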

2) Configure SELinux

We now need to configure SELinux so you can access the FreeIPA server via your browser.  Set SELinux to 'permissive' mode by running the following commands:

					sudo setenforce 0
					sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

Run the following command to confirm the changes have been applied:

					sestatus

Then reboot the server.

					sudo reboot

3) Setup FreeIPA Server

Once you’ve rebooted and logged back in, the next step is to run the FreeIPA installation script that will configure FreeIPA as per your requirements.  Run the following command:

					sudo ipa-server-install

You will be prompted with a series of questions. The first asks whether you want to configure integrated DNS (BIND); type no.

The next screen asks you to confirm your server hostname and domain.  Since we set the hostname at the beginning, press Enter to accept it, then type in your domain name.

Next, provide a realm name.  Type a name or, as in my example, keep the default name provided and press Enter.

Next is to provide a Directory Manager Password, and then specify the password for the IPA server administrator.

The next screen asks what NetBIOS name you would like, so enter a name.  It then asks whether to configure Chrony with an NTP server. This is entirely up to you; in our case, we chose not to configure Chrony.

Shortly after, details of the IPA Master will be displayed. To continue configuring the system, type 'Yes'.

The installation will then start to configure your FreeIPA server and perform the following tasks:


  • Configure a stand-alone CA (dogtag) for certificate management
  • Create and configure a Kerberos Key Distribution Center (KDC)
  • Create and configure an instance of Directory Server
  • Configure Apache (httpd)
  • Configure the KDC to enable PKINIT


Once the installation has finished you will see the following output, which lists the network ports you need to open and confirms the installation was successful.

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful


Check FreeIPA Services Status

If you run the following command it will confirm all the FreeIPA services are running:

					sudo ipactl status

And you should see the following output:


Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Access FreeIPA Admin Portal

Let’s verify that the admin user can obtain a Kerberos ticket using the kinit command; use the same admin password that we supplied during the FreeIPA installation.

					kinit admin

When prompted, enter the admin password you set during the installation.  Then run:

					klist

And you should see output displaying the valid starting and expiry dates of the ticket.

Valid starting       Expires              Service principal
04/24/2024 11:01:59  04/25/2024 10:36:46  krbtgt/WPCLOUDSSO.COM@WPCLOUDSSO.COM
[azuretest@ipa ~]$

Now you can access the FreeIPA Web console using the URL with /ipa/ui. So my example would be:

					https://cloudinfrastructureservices.co.uk/ipa/ui

You will receive a certificate warning because we created a self-signed cert, so you can ignore this and proceed to access the portal.

You’ll then be presented with a login box. Here you enter admin@yourdomain.com

Then login to the Red Hat Identity Management Portal with same user.

Then you will be logged into the FreeIPA portal.

That’s it, you’re now ready to start using FreeIPA.  Refer to the official documentation on using FreeIPA.

FreeIPA Documentation / Support

Documentation on using FreeIPA can be found on: https://www.freeipa.org/page/Documentation.html


Troubleshooting on: https://www.freeipa.org/page/Troubleshooting.html

FreeIPA Firewall Ports

By default the following ports are open with this image.

FreeIPA needs the following firewall ports open:

Ports      Service       Protocol
80, 443    HTTP/HTTPS    TCP
389, 636   LDAP/LDAPS    TCP
88, 464    Kerberos      TCP/UDP
53         DNS           TCP/UDP
123        NTP           UDP

The following command allows the above ports:

					sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}
					sudo firewall-cmd --reload
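To confirm the rules actually took effect (for example on a server where the command above was only partly applied), the following added example, not part of the original guide, compares what firewalld currently allows against the port table above and prints whatever is still missing. The firewall output used here is a constructed sample so the check runs offline; port 53 is only required when integrated DNS was configured in ipa-server-install, which this guide declines.

```shell
#!/bin/sh
# Added example (not from the guide): report FreeIPA ports that firewalld
# does not yet allow, given the output of 'firewall-cmd --list-ports'.

# Ports from the table above, in firewall-cmd port/protocol form. Port 53 is
# only needed when integrated DNS was configured during ipa-server-install.
FREEIPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"
FREEIPA_DNS_PORTS="53/tcp 53/udp"

# missing_ports "<allowed list>" <with_dns: yes|no>
# $1 is the space-separated list that firewall-cmd --list-ports prints.
# Prints each required port that is absent, one per line; returns 1 if any
# are missing and 0 when the firewall already allows everything required.
missing_ports() {
  allowed=" $1 "
  required=$FREEIPA_PORTS
  [ "$2" = "yes" ] && required="$required $FREEIPA_DNS_PORTS"
  rc=0
  for p in $required; do
    case "$allowed" in
      *" $p "*) ;;
      *) echo "$p"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: a rule set that was applied without 123/udp.
SAMPLE_ALLOWED="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp"
```

On the server, run missing_ports "$(sudo firewall-cmd --list-ports)" no (or yes if you configured integrated DNS) and pass any lines it prints to firewall-cmd --permanent --add-port.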

If you are using any of the cloud security groups and need to change / add ports refer to the following guides:


To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

Disclaimer: FreeIPA is a registered trademark of Red Hat, Inc. and is licensed under the GNU General Public License v3. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.
Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.
