Set up and install FreeIPA on a RHEL 9.3 server on Azure, AWS or GCP. FreeIPA on Red Hat Enterprise Linux (RHEL) is an integrated security information management solution combining Linux, 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). It consists of a web interface and command-line administration tools. Deploy directly from any of the cloud marketplaces. Links below.
Cloud FreeIPA
FreeIPA on Azure
Deploy FreeIPA on RHEL 9 on Azure
FreeIPA on AWS
Coming soon…
FreeIPA on GCP
Coming soon…
Getting Started with FreeIPA on RHEL
Once your FreeIPA server has been deployed, the following links explain how to connect to a Linux VM:
Once connected and logged in, the following section explains how to start using FreeIPA.
Setting Up FreeIPA on Red Hat Enterprise Linux
1) Configure Local DNS
The first step is to set the hostname of your server to match your FQDN. Run the following command, replacing your-hostname with your own domain name. In my example I will use our own DNS name.
sudo hostnamectl set-hostname your-hostname
Note: Make sure your FQDN (Fully Qualified Domain Name) points to the private IP address of your FreeIPA server before starting. This is the most important step: make sure DNS resolution is working before you continue.
To edit the hosts file in vi, press Shift+I to enter insert mode; to save and exit, press Esc and type :wq!
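The hostname and hosts-file step above, as an added example script that is not part of the original post. The FQDN ipa.example.com and private IP 10.0.0.10 are placeholders; the resolution check fails loudly if the name resolves to anything other than the private address.

```shell
#!/bin/bash
# Added example (not from the original post). Placeholders, adjust to your deployment:
FQDN="${FQDN:-ipa.example.com}"        # assumed FQDN of the FreeIPA server
PRIVATE_IP="${PRIVATE_IP:-10.0.0.10}"  # assumed private IP of the VM
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Print the address a hosts-format file maps a name to (empty if no entry).
# Comment lines are skipped so a commented-out stale entry is not mistaken for a live one.
hosts_lookup() {  # $1 = hosts file, $2 = name
  awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# Append "ip fqdn shortname" only when the FQDN is not already mapped (idempotent).
ensure_hosts_entry() {  # $1 = hosts file, $2 = ip, $3 = fqdn
  if [ -z "$(hosts_lookup "$1" "$3")" ]; then
    printf '%s\t%s %s\n' "$2" "$3" "${3%%.*}" >> "$1"
  fi
}

# Succeed only when the resolver (hosts file first, then DNS) returns exactly the
# expected private IP. A public or stale address here breaks the installer and clients.
check_resolution() {  # $1 = name, $2 = expected ip
  local got
  got=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
  [ "$got" = "$2" ]
}

# Run as root with --apply to change the system; without it the file only defines functions.
if [ "${1:-}" = "--apply" ]; then
  hostnamectl set-hostname "$FQDN"
  ensure_hosts_entry "$HOSTS_FILE" "$PRIVATE_IP" "$FQDN"
  if check_resolution "$FQDN" "$PRIVATE_IP"; then
    echo "$FQDN resolves to $PRIVATE_IP, safe to continue"
  else
    echo "$FQDN does not resolve to $PRIVATE_IP; fix DNS or $HOSTS_FILE before installing" >&2
    exit 1
  fi
fi
```

Run it as `sudo bash setup-hostname.sh --apply`; the script name is a suggestion, not something the post defines.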
2) Configure SELinux
We now need to configure SELinux so you can access the FreeIPA server via your browser. Set SELinux to 'permissive' mode by running the following commands:
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
Run the following command to confirm the changes have been applied:
sestatus
Then reboot the server.
sudo reboot
3) Setup FreeIPA Server
Once you’ve rebooted and logged back in, the next step is to run the FreeIPA installation script that will configure FreeIPA as per your requirements. Run the following command:
sudo ipa-server-install
A series of questions will be prompted. The first asks whether 'you want to configure integrated DNS (BIND)?'. Type no.
On the next screen it will ask you to confirm your server hostname and domain. Since we set this at the beginning, press Enter and then type in your domain name.
Next, provide a realm name. Type a name or, as in my example, leave the default name provided and press Enter.
Next, provide a Directory Manager password, and then specify the password for the IPA server administrator.
The next screen will ask what NetBIOS name you would like, so enter a name. Then it will ask whether or not to configure Chrony with an NTP server. This is entirely up to you; in our case we chose not to configure Chrony.
Shortly after, the details of the IPA master will be displayed. To continue configuring the system, type 'Yes'.
The installation will then start to configure your FreeIPA server and perform the following tasks:
Configure a stand-alone CA (dogtag) for certificate management
Create and configure a Kerberos Key Distribution Center (KDC)
Create and configure an instance of Directory Server
Configure Apache (httpd)
Configure the KDC to enable PKINIT
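The same answers given above (no integrated DNS, default realm, no Chrony), expressed as command-line options so the install is repeatable. This is an added example, not from the original post; ipa.example.com is a placeholder and the domain, realm and NetBIOS name are derived from it.

```shell
#!/bin/bash
# Added example (not from the original post): the scripted equivalent of the answers above.
set -eu
HOSTNAME_FQDN="${HOSTNAME_FQDN:-ipa.example.com}"   # placeholder, set to your FQDN

derive_domain()  { printf '%s\n' "${1#*.}"; }                          # ipa.example.com -> example.com
derive_realm()   { derive_domain "$1" | tr '[:lower:]' '[:upper:]'; }  # -> EXAMPLE.COM (the installer's default)
derive_netbios() {                                                     # -> EXAMPLE (max 15 chars)
  derive_domain "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# One option per line. No --setup-dns because we answered "no" to BIND; --no-ntp because we skipped
# Chrony. Passwords are deliberately absent: without -U/--unattended the installer prompts for the
# Directory Manager and admin passwords, so they never land in `ps` output or shell history.
ipa_install_args() {  # $1 = fqdn
  printf '%s\n' \
    "--hostname=$1" \
    "--domain=$(derive_domain "$1")" \
    "--realm=$(derive_realm "$1")" \
    "--netbios-name=$(derive_netbios "$1")" \
    --no-ntp
}

# Refuse to run the installer if step 1 (hostname) was not applied on this machine.
hostname_matches() {  # $1 = fqdn
  [ "$(hostname -f 2>/dev/null || hostname)" = "$1" ]
}

if [ "${1:-}" = "--run" ]; then
  hostname_matches "$HOSTNAME_FQDN" || { echo "hostname is not $HOSTNAME_FQDN; fix step 1 first" >&2; exit 1; }
  # shellcheck disable=SC2046  (the option list contains no whitespace)
  sudo ipa-server-install $(ipa_install_args "$HOSTNAME_FQDN")
fi
```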
Once the installation has finished you will see the following output, which lists the ports and services you need to open and confirms the installation was successful.
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
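The port list printed above is what the host firewall and the cloud security group must allow. The added example below (not from the original post) turns that exact list into firewall-cmd options and checks that something is actually listening on each TCP port; it assumes firewalld, the RHEL 9 default, and `ss` from iproute.

```shell
#!/bin/bash
# Added example (not from the original post). The port lists are exactly those printed by the
# installer above; the commands assume firewalld (RHEL 9 default) and `ss` from iproute.
FREEIPA_TCP_PORTS="80 443 389 636 88 464"
FREEIPA_UDP_PORTS="88 464 123"

# Emit one --add-port=PORT/PROTO option per line for firewall-cmd.
firewall_port_args() {
  for p in $FREEIPA_TCP_PORTS; do printf -- '--add-port=%s/tcp\n' "$p"; done
  for p in $FREEIPA_UDP_PORTS; do printf -- '--add-port=%s/udp\n' "$p"; done
}

# Read `ss -Hltn` output on stdin and print each expected TCP port that has no listener.
# Column 4 is the local address:port; the last ":"-separated field handles
# 0.0.0.0:PORT, [::]:PORT and *:PORT alike, and -x keeps 8080 from matching 80.
missing_tcp_listeners() {
  local listening
  listening=$(awk '{ n = split($4, a, ":"); print a[n] }')
  for p in $FREEIPA_TCP_PORTS; do
    printf '%s\n' "$listening" | grep -qx "$p" || printf '%s\n' "$p"
  done
}

if [ "${1:-}" = "--apply" ]; then
  # Host firewall only: the cloud network security group must allow the same ports.
  # shellcheck disable=SC2046  (the option list contains no whitespace)
  sudo firewall-cmd --permanent $(firewall_port_args) && sudo firewall-cmd --reload
  missing=$(ss -Hltn | missing_tcp_listeners)
  if [ -n "$missing" ]; then
    echo "no listener on expected FreeIPA TCP port(s): $missing" >&2
    echo "run 'sudo ipactl status' to see which FreeIPA service is down" >&2
    exit 1
  fi
  echo "all expected FreeIPA TCP ports have a listener"
fi
```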
Check FreeIPA Services Status
If you run the following command it will confirm all the FreeIPA services are running:
Let's verify that the admin user can obtain a Kerberos ticket with the kinit command, using the same admin password we supplied during the FreeIPA installation.
kinit admin
When prompted, enter the admin password you set during the installation. Then run:
klist
You should see output displaying the valid starting and expiry dates:
Valid starting Expires Service principal
04/24/2024 11:01:59 04/25/2024 10:36:46 krbtgt/WPCLOUDSSO.COM@WPCLOUDSSO.COM
[azuretest@ipa ~]$
Now you can access the FreeIPA web console using your server URL with /ipa/ui appended. In my example this would be:
https://cloudinfrastructureservices.co.uk/ipa/ui
You will receive a certificate warning because the installer created a self-signed certificate, so you can ignore this and proceed to the portal.
You'll then be presented with a login box. Here you enter admin@yourdomain.com
Then log in to the Red Hat Identity Management portal with the same user.
You will then be logged into the FreeIPA portal.
That’s it, you’re now ready to start using FreeIPA. Refer to the official documentation on using FreeIPA.
Disclaimer: FreeIPA is a registered trademark of Red Hat, Inc. and is licensed under the GNU General Public License v3. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.
Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud.