Install FreeIPA Server on Oracle Linux

Introduction

FreeIPA is an open-source identity and authentication management system for Linux networked environments. The server includes the 389 Directory Server as the central data store, providing full multi-master LDAPv3 functionality.

Beyond the scope of this tutorial, FreeIPA also provides MIT Kerberos for single sign-on authentication, the Dogtag Certificate Authority, and optional Domain Name management through an ISC BIND server.

This tutorial shows how to install FreeIPA and configure the included LDAP directory.

Objectives

In this tutorial, you will learn how to:

  • Install FreeIPA Server
  • Disable anonymous binds
  • Add Users and Groups

Prerequisites

  • Minimum of a single Oracle Linux system

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Access to the Internet
    • An FQDN (Fully Qualified Domain Name) pointing to your server's IP address

For more information on requirements for FreeIPA, see the upstream Quick Start Guide.

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git
  3. Change into the working directory.

    cd linux-virt-labs/ol
  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml
  5. Update the Oracle Linux instance configuration.

    cat << EOF | tee instances.yml > /dev/null
    compute_instances:
      1:
        instance_name: "freeipa"
        type: "server"
    EOF
  6. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e "@instances.yml"

    The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Confirm the Server DNS Configuration

The FreeIPA server requires a working DNS setup. Clients enrolled using the ipa command-line tool look up the server by the xmlrpc_url and domain parameters defined in the file /etc/ipa/default.conf.

  1. Open a terminal and connect via SSH to the freeipa instance.

    ssh oracle@<ip_address_of_instance>
  2. Verify the server's hostname.

    sudo hostname

    The output should not return localhost or localhost6.

Confirm the Fully Qualified Domain Name (FQDN).

FreeIPA has a limitation of 64 characters for the FQDN that it validates during installation. If the FQDN exceeds 64 characters, use sudo hostnamectl set-hostname NAME, where NAME is the FQDN, to shorten it.

  1. Verify the FQDN.

    hostname -f
  2. Get the length of the FQDN.

    echo -n $(hostname -f) | wc -m

    The -n flag omits the trailing newline, so wc -m reports the length of the name itself rather than one character more.

Confirm Name Resolution.

  1. Get the IP address of the server.

    ip -4 -o addr show ens3 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'

    Where ens3 is the name of the network interface on the system.

  2. Verify the forward DNS configuration.

    host $(hostname -f)

    Another way to verify the forward DNS configuration is to use dig +short $(hostname -f) A. Both host and dig are part of the bind-utils package, which provides different utilities to query DNS name servers.

  3. Verify the reverse DNS configuration (PTR records).

    host $(hostname -i)

    An alternative is to use dig +short -x $(hostname -i).
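
The three checks above (usable host name, forward lookup, reverse lookup) can be scripted so they run before ipa-server-install does. The script below is an added example, not part of the Oracle tutorial: the pure functions fqdn_valid and dns_consistent take their input as arguments so they can be exercised on constructed values, and run_checks wires them to hostname and dig on a live host. The 64-character limit, the localhost exclusion and the use of dig from bind-utils come from the tutorial; the function names and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): pre-install DNS sanity checks
# for a FreeIPA server host. Run with "--live" on the server to check it.

# fqdn_valid NAME -> 0 when NAME is usable as the FreeIPA server name:
# not a localhost alias, contains at least one dot, and at most 64
# characters (the limit ipa-server-install enforces).
fqdn_valid() {
    name=$1
    case "$name" in
        ''|localhost|localhost6|localhost.localdomain) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    # ${#name} counts the characters without a trailing newline, which
    # "echo | wc -m" would otherwise include.
    [ "${#name}" -le 64 ]
}

# dns_consistent FQDN IP FORWARD REVERSE -> 0 when the forward lookup of FQDN
# returned IP and the reverse lookup of IP returned FQDN (a trailing dot on
# the PTR answer, as dig prints it, is tolerated).
dns_consistent() {
    fqdn=$1; ip=$2; forward=$3; reverse=${4%.}
    [ "$forward" = "$ip" ] && [ "$reverse" = "$fqdn" ]
}

# run_checks: live version using the same tools as the tutorial.
run_checks() {
    fqdn=$(hostname -f)
    ip=$(hostname -i | awk '{print $1}')
    fqdn_valid "$fqdn" || { echo "FQDN '$fqdn' is not usable for FreeIPA"; return 1; }
    forward=$(dig +short "$fqdn" A | head -n 1)
    reverse=$(dig +short -x "$ip" | head -n 1)
    dns_consistent "$fqdn" "$ip" "$forward" "$reverse" || {
        echo "forward/reverse mismatch: $fqdn -> $forward, $ip -> $reverse"
        return 1
    }
    echo "DNS checks passed for $fqdn ($ip)"
}

if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

A mismatch between the A record and the PTR record is the usual reason the installer's own DNS check fails, so fixing it before running ipa-server-install saves a failed run and a cleanup with ipa-server-install --uninstall.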

Open the Required Firewall Ports

FreeIPA requires several ports to be open and available to communicate with its services.

Service       Ports     Protocol
HTTP/HTTPS    80,443    TCP
LDAP/LDAPS    389,636   TCP
Kerberos      88,464    TCP and UDP
DNS           53        TCP and UDP
NTP           123       UDP

Oracle Linux provides the freeipa-4 service to open these required ports. For details, see /usr/lib/firewalld/services/freeipa-4.xml. The freeipa-4 service replaces the deprecated freeipa-ldap and freeipa-ldaps services.

  1. Add the firewalld service.

    sudo firewall-cmd --permanent --add-service=freeipa-4
  2. Reload the firewalld service so the changes take effect.

    sudo firewall-cmd --reload

Install the Required Packages

  1. Enable the FreeIPA module stream and profile.

    Oracle Linux 8:

    sudo dnf module enable -y idm:DL1

    Oracle Linux 9:

    There is nothing to do on Oracle Linux 9 as the FreeIPA packages are part of the AppStream repository.

  2. Install the packages for a FreeIPA server without the integrated DNS services.

    sudo dnf install -y ipa-server

    Note: We do not use the integrated DNS services as part of this tutorial. If needed, add the package ipa-server-dns to the installation list.

Install and Configure the FreeIPA Server

  1. Run the install utility.

    sudo ipa-server-install

    The script starts by providing the installation log file location and a summary of what the FreeIPA server includes.

    Example Output:

    [oracle@freeipa ~]$ sudo ipa-server-install
       
    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.
    Version 4.9.8
       
    This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the NTP client (chronyd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)
      * Configure SID generation
      * Configure the KDC to enable PKINIT
    ...

    The script then uses several prompts to set up the server's configuration. The terminal shows the default response to the prompt within the brackets, and pressing Enter accepts the default response.

  2. Accept the default response of no to configure the integrated DNS service.

    Do you want to configure integrated DNS (BIND)? [no]:
  3. Accept the default host, domain, and realm names.

    These are the values verified at the beginning of this lab. The recommended configuration is that the realm name matches the primary DNS domain name with all uppercase letters.

    Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    <hostname>.<domainname>
    Example: master.example.com.
    
    
    Server host name [freeipa.lv.vcn.oraclevcn.com]: 
    
    The domain name has been determined based on the host name.
    
    Please confirm the domain name [lv.vcn.oraclevcn.com]: 
    
    The kerberos protocol requires a Realm name to be defined.
    This is typically the domain name converted to uppercase.
    
    Please provide a realm name [LV.VCN.ORACLEVCN.COM]:
  4. Enter and confirm the passwords for the Directory Server superuser and the FreeIPA admin user.

    The Directory Server superuser maps to cn=Directory Manager within the directory.

    Certain directory server operations require an administrative user.
    This user is referred to as the Directory Manager and has full access
    to the Directory for system management tasks and will be added to the
    instance of directory server created for IPA.
    The password must be at least 8 characters long.
    
    Directory Manager password: 
    Password (confirm): 
    
    The IPA server requires an administrative user, named 'admin'.
    This user is a regular system account used for IPA server administration.
    
    IPA admin password: 
    Password (confirm): 
  5. Accept the defaults for setting the NETBIOS domain name and no to configure chrony.

    NetBIOS domain name [LV]: 
    
    Do you want to configure chrony with NTP server or pool address? [no]:
  6. The script presents a summary of the server configuration.

  7. Enter yes to accept the server configuration.

    Continue to configure the system with these values? [no]: yes
  8. The script proceeds to configure the server.

    This operation may take several minutes to complete.

    ...
    Client configuration complete.
    The ipa-client-install command was successful
    
    Please add records in this file to your DNS system: /tmp/ipa.system.records.mv9i0ec2.db
    ==============================================================================
    Setup complete
    
    Next steps:
    	1. You must make sure these network ports are open:
    		TCP Ports:
    		  * 80, 443: HTTP/HTTPS
    		  * 389, 636: LDAP/LDAPS
    		  * 88, 464: kerberos
    		UDP Ports:
    		  * 88, 464: kerberos
    		  * 123: ntp
    
    	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    	   and the web user interface.
    
    Be sure to back up the CA certificates stored in /root/cacert.p12
    These files are required to create replicas. The password for these
    files is the Directory Manager password
    The ipa-server-install command was successful

    Upon completion, the script provides:

    • A summary.
    • A list of records to add to the DNS system.
    • Recommendation to backup the generated CA certificates.

    The required network ports are already open using the freeipa-4 firewalld service.

Test the FreeIPA Server

The FreeIPA installation includes a command-line client and a WebUI for interacting with the server. Using the WebUI is outside the scope of this tutorial.

Access the Command-Line Interface (CLI)

  1. Authenticate the admin user against the Kerberos realm.

    kinit admin

    When prompted, enter the password for the admin user created during the installation and configuration steps. The kinit command then generates a Kerberos ticket.

  2. List the ticket's information

    klist

    Example Output:

    [oracle@freeipa ~]$ sudo klist
    Ticket cache: KCM:0
    Default principal: admin@LV.VCN.ORACLEVCN.COM
    
    Valid starting       Expires              Service principal
    09/28/2022 14:05:46  09/29/2022 13:05:53  krbtgt/LV.VCN.ORACLEVCN.COM@LV.VCN.ORACLEVCN.COM
  3. Get a list of all the existing users on the FreeIPA server.

    ipa user-find

    The results return the admin user, which is the only user that currently exists.

    Example Output:

    [oracle@freeipa ~]$ sudo ipa user-find
    --------------
    1 user matched
    --------------
      User login: admin
      Last name: Administrator
      Home directory: /home/admin
      Login shell: /bin/bash
      Principal alias: admin@LV.VCN.ORACLEVCN.COM, root@LV.VCN.ORACLEVCN.COM
      UID: 872200000
      GID: 872200000
      Account disabled: False
    ----------------------------
    Number of entries returned 1
    ----------------------------

Security Settings and Hardening

Here are a few ways to use the FreeIPA server securely.

Disable Anonymous Binds

The FreeIPA LDAP server enables anonymous binds as a default, thus exposing specific configuration settings and directory values.

The nsslapd-allow-anonymous-access attribute controls this behavior. Acceptable values include:

  • on: allows all anonymous binds (default)
  • rootdse: allows anonymous binds only for root DSE information
  • off: disallows any anonymous binds

The recommendation is to use rootdse rather than off when disallowing anonymous binds, because off also blocks external clients from checking the server configuration. Non-domain clients, such as LDAP and web clients, connect anonymously and read the root DSE entry to get connection details.

  1. Check if anonymous binds are enabled.

    ldapsearch -x -h $(hostname -f) -b dc=lv,dc=vcn,dc=oraclevcn,dc=com
    • -x sets simple or anonymous authentication.
    • -h sets the LDAP server host.
    • -b sets the base dn for search.

    The key settings for the FreeIPA server, including the base dn, are stored in the /etc/ipa/default.conf file.

    Example Output:

    ...
    # Default SMB Group, groups, accounts, lv.vcn.oraclevcn.com
    dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=lv,dc=vcn,dc=oraclevc
     n,dc=com
    cn: Default SMB Group
    description: Fallback group for primary group RID, do not add users to this gr
     oup
    objectClass: top
    objectClass: ipaobject
    objectClass: posixgroup
    objectClass: ipantgroupattrs
    ipaUniqueID: 0c9cf178-4324-11ed-bf0b-02001704fe22
    gidNumber: 921600001
    ipaNTSecurityIdentifier: S-1-5-21-2697967063-3375457457-2974965896-1001
      
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 110
    # numEntries: 109

    The search results return the entire tree for the LDAP directory.

  2. Modify the configuration and disable anonymous binds.

    The ldapmodify command either accepts an LDIF file with the changes to make or reads operations from the standard input.

    1. Create the LDIF file.

      cat << 'EOF' | tee ~/disable_anon_bind.ldif > /dev/null
      dn: cn=config
      changetype: modify
      replace: nsslapd-allow-anonymous-access
      nsslapd-allow-anonymous-access: rootdse
      EOF

      Changing multiple attributes is possible by separating them with a dash - character on a line by itself. Each additional change starts with the attribute change type and gives the required attributes.

    2. Apply the LDIF changes.

      ldapmodify -x -D "cn=Directory Manager" -W -H ldap:// -ZZ -f ~/disable_anon_bind.ldif
      • -x sets simple or anonymous authentication.
      • -D sets the bind dn.
      • -W prompts for the LDAP admin password.
      • -H uses the LDAP Uniform Resource Identifier (URI) to connect rather than the LDAP server host.
      • -ZZ starts a TLS request and forces a successful response.

      Note: The -ZZ is required due to the use of self-signed certificates.

      Example Output:

      [oracle@freeipa ~]$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap:// -ZZ -f ~/disable_anon_bind.ldif
      Enter LDAP Password: 
      modifying entry "cn=config"
    3. Restart the FreeIPA server.

      sudo systemctl restart ipa.service
  3. Verify the modification by anonymously querying the directory.

    ldapsearch -x -h $(hostname -f) -b dc=lv,dc=vcn,dc=oraclevcn,dc=com

    Notice the response Anonymous access is not allowed.

    Example Output:

    [oracle@freeipa ~]$ ldapsearch -x -h freeipa.lv.vcn.oraclevcn.com -b dc=lv,dc=vcn,dc=oraclevcn,dc=com
    # extended LDIF
    #
    # LDAPv3
    # base <dc=lv,dc=vcn,dc=oraclevcn,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
      
    # search result
    search: 2
    result: 48 Inappropriate authentication
    text: Anonymous access is not allowed.
      
    # numResponses: 1
  4. Verify querying the directory works using authentication.

    ldapsearch -D uid=admin,cn=users,cn=accounts,dc=lv,dc=vcn,dc=oraclevcn,dc=com -W -H ldap://

    Example Output:

    ...
    # freeipa.lv.vcn.oraclevcn.com + 389, subordinate-ids, dna, ipa, etc, 
     lv.vcn.oraclevcn.com
    dn: dnaHostname=freeipa.lv.vcn.oraclevcn.com+dnaPortNum=389,cn=subord
     inate-ids,cn=dna,cn=ipa,cn=etc,dc=lv,dc=vcn,dc=oraclevcn,dc=com
    objectClass: dnaSharedConfig
    objectClass: top
    dnaHostname: freeipa.lv.vcn.oraclevcn.com
    dnaPortNum: 389
    dnaSecurePortNum: 636
    dnaRemainingValues: 32766
      
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 475
    # numEntries: 474
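
The procedure above (write the LDIF, apply it with ldapmodify over STARTTLS, restart, then confirm with an anonymous search) can be wrapped in a script that also checks the one thing rootdse is meant to preserve: an anonymous base search of the root DSE must still succeed. The script below is an added example, not part of the Oracle tutorial. The helpers make_ldif and anon_state are pure and are exercised on constructed ldapsearch output modelled on the tutorial's; apply_and_verify runs the real tools on the server. The attribute name, its three values, result code 48 and the ldapmodify options come from the tutorial; reading basedn from /etc/ipa/default.conf and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): set
# nsslapd-allow-anonymous-access and verify the effect.

# make_ldif VALUE -> prints the cn=config modify LDIF, or fails on a value
# other than the three 389-ds accepts.
make_ldif() {
    case "$1" in
        on|rootdse|off) ;;
        *) echo "invalid value '$1' (expected on, rootdse or off)" >&2; return 1 ;;
    esac
    printf '%s\n' 'dn: cn=config' 'changetype: modify' \
        'replace: nsslapd-allow-anonymous-access' \
        "nsslapd-allow-anonymous-access: $1"
}

# anon_state LDAPSEARCH_OUTPUT -> prints "allowed", "blocked" or "unknown",
# judged from the result line of an anonymous (-x) subtree search.
# Result 48 (inappropriateAuthentication) is what the directory returns once
# anonymous access is off or limited to the root DSE.
anon_state() {
    if printf '%s\n' "$1" | grep -q '^result: 48 '; then
        echo blocked
    elif printf '%s\n' "$1" | grep -q '^result: 0 '; then
        echo allowed
    else
        echo unknown
    fi
}

# Constructed samples modelled on the tutorial's output, not captured output.
SAMPLE_BLOCKED='# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.

# numResponses: 1'

SAMPLE_ALLOWED='# search result
search: 2
result: 0 Success

# numResponses: 110
# numEntries: 109'

# Live procedure for the FreeIPA server (prompts for the Directory Manager
# password). VALUE defaults to rootdse as the tutorial recommends.
apply_and_verify() {
    value=${1:-rootdse}
    host=$(hostname -f)
    basedn=$(sed -n 's/^basedn *= *//p' /etc/ipa/default.conf)
    make_ldif "$value" > "$HOME/disable_anon_bind.ldif" || return 1
    ldapmodify -x -D "cn=Directory Manager" -W -H "ldap://$host" -ZZ \
        -f "$HOME/disable_anon_bind.ldif" || return 1
    sudo systemctl restart ipa.service
    out=$(ldapsearch -x -H "ldap://$host" -b "$basedn" 2>&1)
    echo "anonymous subtree search: $(anon_state "$out")"
    # With rootdse, an anonymous base search of the root DSE must still work,
    # because non-domain clients discover the naming contexts this way.
    if ldapsearch -x -H "ldap://$host" -s base -b '' namingContexts >/dev/null 2>&1; then
        echo "root DSE still readable anonymously"
    else
        echo "root DSE not readable anonymously (expected only with value off)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    apply_and_verify "${2:-rootdse}"
fi
```

Running the script with --live off instead of --live rootdse makes the final root DSE check fail, which is exactly the client-discovery breakage the tutorial warns about when choosing off.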

Verify TLS is Enabled

Starting with Oracle Linux 8, FreeIPA uses the system-wide crypto policy. See the crypto-policies(7) man page for more details.

  1. List the current system-wide crypto policy.

    cat /etc/crypto-policies/config
  2. List the crypto policy details.

    cat /usr/share/crypto-policies/$(cat /etc/crypto-policies/config)/nss.txt

    Example Output:

    [oracle@freeipa ~]$ cat /usr/share/crypto-policies/$(cat /etc/crypto-policies/config)/nss.txt
    library=
    name=Policy
    NSS=flags=policyOnly,moduleDB
    config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

    Notice the DEFAULT policy uses a minimum of TLS 1.2.
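
Reading the policy file tells you what the system is configured to allow; what the directory server actually negotiates on port 636 is worth confirming separately. The script below is an added example, not part of the Oracle tutorial: nss_tls_min extracts tls-version-min from the config= line and is exercised on a constructed sample shortened from the tutorial's output, and check_live reads the real policy and then asks openssl s_client what the LDAPS listener negotiates. The policy file paths come from the tutorial; the function names and the openssl step are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): check the minimum TLS version
# of the active crypto policy and of the live LDAPS listener.

# nss_tls_min NSS_TXT -> prints the tls-version-min value (e.g. tls1.2).
# The separator before the key is required so that the dtls-version-min
# entry, which also contains "tls-version-min=", is not matched.
nss_tls_min() {
    printf '%s\n' "$1" | sed -n 's/.*[ :]tls-version-min=\([^:"]*\).*/\1/p' | head -n 1
}

# tls_min_ok VERSION -> 0 when the minimum is TLS 1.2 or newer.
tls_min_ok() {
    case "$1" in
        tls1.2|tls1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, shortened from the DEFAULT policy shown in the tutorial.
SAMPLE_NSS='library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:aes256-gcm:tls-version-min=tls1.2:dtls-version-min=dtls1.2:RSA-MIN=2048"'

# Live checks on the FreeIPA server.
check_live() {
    policy=$(cat /etc/crypto-policies/config)
    cfg=$(cat "/usr/share/crypto-policies/$policy/nss.txt")
    min=$(nss_tls_min "$cfg")
    tls_min_ok "$min" || { echo "policy $policy allows $min; expected tls1.2 or newer"; return 1; }
    echo "policy $policy: minimum TLS version $min"
    # Show the protocol the directory server actually negotiates on 636.
    printf '' | openssl s_client -connect "$(hostname -f):636" 2>/dev/null \
        | grep -E '^New,|Protocol *:'
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

If the policy is later switched to LEGACY for an old client, the first check reports tls1.0 and fails, which is the signal to scope the exception to that client rather than lower the server-wide minimum.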

Check the FreeIPA Server Status

The FreeIPA server includes the ipactl utility to view the status of configured services. The same utility can also start, stop, and restart the entire FreeIPA server. If you need to start, stop, or restart individual components, use systemctl COMMAND name.service.

  1. Show the status of all the services.

    sudo ipactl status

    Example Output:

    [oracle@freeipa ~]$ sudo ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful

    Use sudo ipactl --help to see additional command options.

Create Users and Groups

With the basic FreeIPA server install and configuration complete, the next step is handling identity management, which consists of creating users and groups. Before doing this, obtain a Kerberos ticket.

  1. Obtain a ticket for the user admin.

    kinit admin
  2. List the existing tickets.

    klist

    Kerberos tickets are valid for 24 hours by default. Because these commands already ran in the step titled "Access the Command-Line Interface (CLI)", the listing displays the original ticket rather than a new one.

  3. Add a new user group.

    FreeIPA defines a user group as a set of users with standard password policies, privileges, and other characteristics.

    A user group can include:

    • users
    • other user groups
    • external users which exist outside of FreeIPA

    ipa group-add foo

    Example Output:

    [oracle@freeipa ~]$ ipa group-add foo
    -----------------
    Added group "foo"
    -----------------
      Group name: foo
      GID: 1326400003

    The FreeIPA server supports three group types:

    • POSIX (default)
    • Non-POSIX
    • External

    The group foo is a POSIX user group. To specify a different group type, use one of these options:

    • --nonposix to create a non-POSIX group
    • --external to create an external group
  4. Get a list of all the existing user groups.

    ipa group-find

    Example Output:

    [oracle@freeipa ~]$ ipa group-find
    ----------------
    5 groups matched
    ----------------
      Group name: admins
      Description: Account administrators group
      GID: 1326400000
       
      Group name: editors
      Description: Limited admins who can edit other users
      GID: 1326400002
       
      Group name: foo
      GID: 1326400003
       
      Group name: ipausers
      Description: Default group for all users
      
      Group name: trust admins
      Description: Trusts administrators group
    ----------------------------
    Number of entries returned 5
    ----------------------------

    The FreeIPA server creates the following user groups during installation.

    • admins
    • ipausers
    • trust admins

    Warning: Do not delete the admins group, as it contains the default admin user. The FreeIPA server requires the admins group to operate correctly.

  5. Add a new user account.

    ipa user-add

    The command runs an interactive script prompting for the minimal set of data FreeIPA needs to create a user account.

    Example Output:

    [oracle@freeipa ~]$ ipa user-add
    First name: Oracle
    Last name: User
    User login [ouser]: oracle
    -------------------
    Added user "oracle"
    -------------------
      User login: oracle
      First name: Oracle
      Last name: User
      Full name: Oracle User
      Display name: Oracle User
      Initials: OU
      Home directory: /home/oracle
      GECOS: Oracle User
      Login shell: /bin/sh
      Principal name: oracle@LV.VCN.ORACLEVCN.COM
      Principal alias: oracle@LV.VCN.ORACLEVCN.COM
      Email address: oracle@lv.vcn.oraclevcn.com
      UID: 1326400004
      GID: 1326400004
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

    Alternatively, running the command with several options allows for creating a user account in a non-interactive mode. To get a list of available options, run ipa user-add --help.

  6. Add the new user to the new user group.

    ipa group-add-member foo --users=oracle

    Example Output:

    [oracle@freeipa ~]$ ipa group-add-member foo --users=oracle
      Group name: foo
      GID: 1326400003
      Member users: oracle
    -------------------------
    Number of members added 1
    -------------------------

The ipa command has more functionality than what is shown. For additional commands, run ipa help commands for a comprehensive list.

Next Steps

That concludes this lab, which introduces the basics of installing and using the FreeIPA server. Explore further using the links below or reading through the product manual pages, as FreeIPA has many additional features beyond what's covered here.
