The following guide outlines the deployment of FreeIPA Identity management solution. The solution provides centralized identity management for Linux and LDAP clients. The solution also includes authentication and authorization controls. FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools. For deployment CentOS v7.9 servers have been used with FreeIPA v4.6.8. The FreeIPA servers are deployed in High Availability Multi Master topology.
Installation and Configuring of FreeIPA Servers
Install the freeipa server package from the standard CentOS 7 repos. Configure the FreeIPA server with integrated Kerberos, LDAP, DNS and CS (Certificate System). Use the sub-domain name idm.domain.com and the Kerberos realm IDM.DOMAIN.COM. Neither the domain nor the realm should exist beforehand, otherwise there will be conflicts during installation and provisioning. Create a separate local Linux account on all FreeIPA servers; it will not be part of the IDM domain and will be used for local server management.
$ sudo yum install freeipa-server ipa-server-dns
$ sudo ipa-server-install
The server install command will ask for the “Directory Manager” and admin passwords. Create these passwords and store them safely.
Verify all ipa services are up and running after the installation is complete:
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Configure Secondary FreeIPA Servers
Install the freeipa server package on the secondary servers and join them to the domain as clients of the primary server.
$ sudo yum install freeipa-server ipa-server-dns
$ sudo ipa-client-install --hostname=`hostname -f` \
    --mkhomedir --domain=idm.domain.com
On the primary ipa-server add the secondary servers to the ipaservers host group:
$ ipa hostgroup-add-member ipaservers --hosts bravo.idm.domain.com
$ ipa hostgroup-add-member ipaservers --hosts charlie.idm.domain.com
On the secondary ipa-server run the replica installation command to set it up as a replica with DNS and CA services:
$ sudo ipa-replica-install --setup-dns --forwarder 8.8.8.8 --setup-ca
On the tertiary ipa-server run the replica installation command to set it up as a replica with DNS (without a CA):
$ sudo ipa-replica-install --setup-dns --forwarder 8.8.8.8
Create binddn for LDAP Clients
A bind DN is the LDAP entry whose credentials a client authenticates (binds) with; the permissions granted to that entry determine what the client is allowed to do. For LDAP clients which do not have the FreeIPA client installed, we will create and use a binddn account (ldapadmin). The account will be used to sync users and groups with the LDAP server. On one of the IPA servers create a ldapadmin-binddn.update file with a strong password:
dn: uid=adminuser,cn=sysaccounts,cn=etc,dc=idm,dc=domain,dc=com
default:objectclass:account
default:objectclass:simplesecurityobject
default:uid:adminuser
only:userPassword:xxxxxxxxxxxxxxxxx
only:passwordExpirationTime:20380119031407Z
only:nsIdleTimeout:0
Import this file into the FreeIPA server as root:
$ sudo ipa-ldap-updater ldapadmin-binddn.update
Verify that the new account is present:
$ ldapsearch -x uid=adminuser
Create DNS Delegation for the IPA Domain
Create the DNS delegation for the sub-domain idm.domain.com and add the glue records in the authoritative zone for domain.com:
alpha.idm.domain.com.   IN A  172.16.16.2   ; glue record
bravo.idm.domain.com.   IN A  172.16.17.2   ; glue record
charlie.idm.domain.com. IN A  172.16.18.2   ; glue record
$ORIGIN idm.domain.com.
$TTL 1D
@ IN NS alpha.idm.domain.com.
@ IN NS bravo.idm.domain.com.
@ IN NS charlie.idm.domain.com.
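A delegation whose NS targets live inside the delegated zone only works if the parent zone also carries a glue A record for each of them; a missing glue record is the most common reason clients cannot locate the IPA servers. The following check is an added example, not part of the original guide: it parses a BIND-style zone fragment like the one above and reports every in-zone name server that has no glue record. The sample zone text is constructed from the records shown in the guide; the default parent origin (domain.com.) is an assumption.

```python
"""Check a DNS delegation fragment for missing glue records (added example)."""
import re
import sys

# Constructed sample: the delegation and glue records from the guide above.
SAMPLE_ZONE = """\
alpha.idm.domain.com.   IN A  172.16.16.2   ; glue record
bravo.idm.domain.com.   IN A  172.16.17.2   ; glue record
charlie.idm.domain.com. IN A  172.16.18.2   ; glue record
$ORIGIN idm.domain.com.
$TTL 1D
@ IN NS alpha.idm.domain.com.
@ IN NS bravo.idm.domain.com.
@ IN NS charlie.idm.domain.com.
"""

TTL_RE = re.compile(r"\d+[smhdw]?", re.I)   # optional per-record TTL such as 1D


def parse_zone(text, origin="domain.com."):
    """Return (owner, type, rdata) tuples with owners fully qualified.

    Handles $ORIGIN, $TTL, '@' owners, relative owner names, optional class
    and TTL fields, and ';' comments. `origin` is the assumed parent zone.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = tokens[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        # Skip the class and any TTL to reach the record type and its data.
        rest = [t for t in tokens[1:]
                if t.upper() != "IN" and not TTL_RE.fullmatch(t)]
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype in ("NS", "CNAME"):
            rdata = rdata.lower()
        records.append((owner.lower(), rtype, rdata))
    return records


def missing_glue(records, subzone):
    """Sorted in-zone NS targets of `subzone` that lack an A glue record."""
    subzone = subzone.lower().rstrip(".") + "."
    ns_targets = {rdata for owner, rtype, rdata in records
                  if owner == subzone and rtype == "NS"}
    glued = {owner for owner, rtype, _ in records if rtype == "A"}
    return sorted(t for t in ns_targets
                  if (t == subzone or t.endswith("." + subzone)) and t not in glued)


if __name__ == "__main__":
    # Usage: check_glue.py <zone-fragment-file> <delegated-subzone>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    sub = sys.argv[2] if len(sys.argv) > 2 else "idm.domain.com"
    gaps = missing_glue(parse_zone(text), sub)
    print("missing glue for:", gaps if gaps else "none")
```

Run it against the parent zone file before reloading the zone; an empty result means every in-zone name server in the delegation can be reached by resolvers. Name servers outside the delegated zone do not need glue and are deliberately not reported.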
Configure backups for Disaster recovery
FreeIPA supports backing up data and configuration for disaster recovery. There are two types of backup: a full backup, which stops the FreeIPA services while it runs, and a data-only backup, which can be done online without stopping the FreeIPA services. Configure full backups on a monthly basis and data-only backups daily or weekly as required, using crontab. Backups are performed with the built-in ipa-backup utility and are stored in the /var/lib/ipa/backup directory by default.
# /etc/crontab file
........
# Create full backup of IPA at the start of every month
9 3 1 * * root /usr/sbin/ipa-backup
# Create data backup of IPA every week
9 4 * * 0 root /usr/sbin/ipa-backup --data
The backups can be restored with the ipa-restore command, giving the full path of the backup directory:
$ sudo ipa-restore /var/lib/ipa/backup/ipa-full-2021-10-13-14-22-34
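A backup schedule is only useful if someone notices when it silently stops working. The script below is an added example, not part of the original guide or of FreeIPA: it lists the backup directory, recognises the ipa-full-<timestamp> and ipa-data-<timestamp> names that ipa-backup produces, picks the newest backup of each kind (the full one being the argument ipa-restore expects) and flags any kind whose newest copy is older than the cron schedule above allows. The age limits (32 days for full, 8 days for data, one day of slack over the schedule) and the sample directory names are assumptions constructed for illustration.

```python
"""Verify that FreeIPA backups are fresh and find the restore candidate (added example)."""
import os
import re
from datetime import datetime, timedelta

BACKUP_DIR = "/var/lib/ipa/backup"
# Assumed limits: one day of slack over the monthly full / weekly data schedule.
MAX_AGE = {"full": timedelta(days=32), "data": timedelta(days=8)}
NAME_RE = re.compile(r"^ipa-(full|data)-(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})$")


def parse_backup_name(name):
    """Return (kind, timestamp) for an ipa-backup directory name, else None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d-%H-%M-%S")


def latest_backups(names):
    """Map backup kind -> (name, timestamp) of the newest backup of that kind."""
    latest = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue                      # ignore unrelated files in the directory
        kind, ts = parsed
        if kind not in latest or ts > latest[kind][1]:
            latest[kind] = (name, ts)
    return latest


def stale_backups(names, now, max_age=MAX_AGE):
    """Sorted kinds whose newest backup is missing or older than max_age[kind]."""
    latest = latest_backups(names)
    return sorted(kind for kind, limit in max_age.items()
                  if kind not in latest or now - latest[kind][1] > limit)


def restore_candidate(names, backup_dir=BACKUP_DIR):
    """Full path of the newest full backup (what ipa-restore takes), or None."""
    latest = latest_backups(names)
    if "full" not in latest:
        return None
    return os.path.join(backup_dir, latest["full"][0])


if __name__ == "__main__":
    names = os.listdir(BACKUP_DIR)
    print("newest full backup:", restore_candidate(names))
    stale = stale_backups(names, datetime.now())
    print("stale backup kinds:", stale if stale else "none")
```

Run it from a monitoring cron entry that alerts on a non-empty stale list; a restore drill with the printed candidate directory on a scratch replica is the only real proof that the backups are usable.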
Fix Login Popup on Windows Clients
Log in to the FreeIPA servers, edit /etc/httpd/conf.d/ipa-rewrite.conf. Add to the end of this file:
# /etc/httpd/conf.d/ipa-rewrite.conf
........
........
# The following disables the annoying kerberos popup for Chrome
RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
RedirectMatch 401 ^/ipa/session/login_kerberos
Restart the httpd service:
$ sudo systemctl restart httpd
FreeIPA Server Logs
To verify FreeIPA server operations and identify errors, the log files for the different application components are:
- /var/log/httpd/error_log (FreeIPA API call logs and Apache errors)
- /var/log/krb5kdc.log (FreeIPA KDC utilization)
- /var/log/dirsrv/slapd-$REALM/access (Directory Server utilization)
- /var/log/dirsrv/slapd-$REALM/errors (Directory Server errors)
- /var/log/pki/pki-tomcat/ca/transactions (FreeIPA PKI transactions/logs)
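The KDC log is the first place to look for password-guessing against domain accounts: each failed pre-authentication is written as a PREAUTH_FAILED line carrying the client address and principal. The script below is an added example, not part of the original guide or of FreeIPA: it parses the AS_REQ/TGS_REQ lines the MIT KDC writes to /var/log/krb5kdc.log and groups PREAUTH_FAILED events by source address, flagging any source at or above a threshold, and listing the principals it tried (many failures across several principals is the usual shape of a password spray). The log lines are constructed for illustration and the threshold of 5 is an assumption; IPv6 client addresses are not matched by the pattern.

```python
"""Group KDC pre-authentication failures by source address (added example)."""
import re
import sys

# Constructed sample lines in the /var/log/krb5kdc.log format.
SAMPLE_LOG = """\
Oct 13 14:22:34 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: NEEDED_PREAUTH: jdoe@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Additional pre-authentication required
Oct 13 14:22:35 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: PREAUTH_FAILED: jdoe@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:22:36 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: PREAUTH_FAILED: jdoe@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:22:37 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: PREAUTH_FAILED: jdoe@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:22:38 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: PREAUTH_FAILED: bsmith@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:22:39 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.5: PREAUTH_FAILED: bsmith@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:23:00 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.7: PREAUTH_FAILED: jdoe@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM, Preauthentication failed
Oct 13 14:23:01 alpha.idm.domain.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 172.16.20.9: ISSUE: authtime 1634134981, etypes {rep=18 tkt=18 ses=18}, asmith@IDM.DOMAIN.COM for krbtgt/IDM.DOMAIN.COM@IDM.DOMAIN.COM
"""

# Request type, IPv4 client address and status code of a KDC request line.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*? "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
# The client principal is the 'user@REALM' that precedes ' for <service>'.
CLIENT_RE = re.compile(r"(\S+@\S+) for ")


def parse_kdc_line(line):
    """Return {'req','ip','status','client'} for a request line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                 # startup messages, IPv6 clients, etc.
    client = CLIENT_RE.search(m.group("rest"))
    return {"req": m.group("req"), "ip": m.group("ip"),
            "status": m.group("status"),
            "client": client.group(1) if client else None}


def summarize_failures(lines, threshold=5):
    """Sources with >= threshold PREAUTH_FAILED events.

    Returns {ip: {"failures": count, "principals": sorted principal list}}.
    """
    per_ip = {}
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev["status"] != "PREAUTH_FAILED":
            continue
        entry = per_ip.setdefault(ev["ip"], {"failures": 0, "principals": set()})
        entry["failures"] += 1
        if ev["client"]:
            entry["principals"].add(ev["client"])
    return {ip: {"failures": e["failures"], "principals": sorted(e["principals"])}
            for ip, e in per_ip.items() if e["failures"] >= threshold}


if __name__ == "__main__":
    # Usage: kdc_failures.py [/var/log/krb5kdc.log]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    for ip, info in summarize_failures(lines).items():
        print(f"{ip}: {info['failures']} failures, "
              f"{len(info['principals'])} principals: {', '.join(info['principals'])}")
```

On the sample data only 172.16.20.5 crosses the threshold; the single failure from 172.16.20.7 is ordinary user error. In production, feed the output to the monitoring system and tune the threshold against the FreeIPA password lockout policy so that the alert fires before, not after, accounts start locking.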
Securing the Servers with Firewall
The servers require a fixed set of firewall rules; for this the iptables service is enabled and configured instead of firewalld.
$ sudo yum install iptables-services
$ sudo systemctl mask firewalld
$ sudo systemctl stop firewalld
$ sudo systemctl enable iptables
$ sudo systemctl start iptables
$ sudo systemctl enable ip6tables
$ sudo systemctl start ip6tables
Configure the firewall rules in the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. The SSH, Kerberos, LDAP and HTTP ports need to be restricted to trusted source networks; incoming DNS and NTP are allowed from anywhere. The FreeIPA application requires the following ports to be accessible:
• TCP Ports:
◦ 53: DNS
◦ 80, 443: HTTP/HTTPS
◦ 389, 636: LDAP/LDAPS
◦ 88, 464: kerberos
• UDP Ports:
◦ 53: DNS
◦ 88, 464: kerberos
◦ 123: ntp
## /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# IPA Ports - HTTP/LDAP/KERBEROS
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport -s 172.16.0.0/16 --dports 80,443,389,636,88,464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport -s 172.16.0.0/16 --dports 88,464 -j ACCEPT
# DNS
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# NTP
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
# SSH
-A INPUT -p tcp -m state --state NEW -m tcp -s 172.16.20.0/29 --dport 22 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
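A hand-maintained rule file drifts: a port gets opened for troubleshooting and the source restriction is never put back, or a required port is dropped and replication quietly breaks. The audit below is an added example, not part of the original guide or of FreeIPA: it parses an iptables-save style file such as /etc/sysconfig/iptables, collects every INPUT ACCEPT rule that names TCP/UDP ports, and reports both required IPA ports that no rule accepts and restricted ports (SSH and the IPA application ports) that a rule accepts from every source. The embedded rule set is the one from the guide; the required and restricted port lists are derived from the port table above and the source restrictions in that rule set, and IPv6 (ip6tables) files would need the same check run separately.

```python
"""Audit an iptables rule file against the FreeIPA port requirements (added example)."""
import ipaddress
import sys

# The rule set from the guide, embedded so the example runs stand-alone.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport -s 172.16.0.0/16 --dports 80,443,389,636,88,464 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport -s 172.16.0.0/16 --dports 88,464 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -s 172.16.20.0/29 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Ports FreeIPA needs reachable (from the port table in the guide).
REQUIRED = {("tcp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
            ("tcp", 88), ("tcp", 464), ("udp", 53), ("udp", 88), ("udp", 464),
            ("udp", 123)}
# Ports that must never be accepted from every source: SSH and the IPA
# application ports, which the guide limits to 172.16.0.0/16.
RESTRICTED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
              ("tcp", 88), ("tcp", 464), ("udp", 88), ("udp", 464)}


def expand_ports(spec):
    """'80,443' -> [80, 443]; '6000:6002' -> [6000, 6001, 6002]."""
    ports = []
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_accept_rules(text):
    """Return (proto, port, source_network) for each INPUT ACCEPT rule with ports."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != "INPUT":
            continue
        proto, ports, source, target = None, [], "0.0.0.0/0", None
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-p":
                proto = tokens[i + 1]
            elif tok in ("--dport", "--dports"):
                ports = expand_ports(tokens[i + 1])
            elif tok == "-s":
                source = tokens[i + 1]
            elif tok == "-j":
                target = tokens[i + 1]
            i += 2 if tok in ("-p", "--dport", "--dports", "-s", "-j") else 1
        if target == "ACCEPT" and proto in ("tcp", "udp"):
            net = ipaddress.ip_network(source, strict=False)
            rules.extend((proto, port, net) for port in ports)
    return rules


def audit(text):
    """{'missing': required ports never accepted, 'world_open': restricted ports open to all}."""
    rules = parse_accept_rules(text)
    accepted = {(proto, port) for proto, port, _ in rules}
    world_open = {(proto, port) for proto, port, net in rules
                  if net.prefixlen == 0 and (proto, port) in RESTRICTED}
    return {"missing": sorted(REQUIRED - accepted), "world_open": sorted(world_open)}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit(open(path).read() if path else SAMPLE_RULES)
    print("required ports with no ACCEPT rule:", result["missing"] or "none")
    print("restricted ports open to every source:", result["world_open"] or "none")
```

Run it as `iptables-save | python3 audit.py /dev/stdin` to check the live rule set rather than the file, so that rules added at runtime with iptables but never saved are caught too.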
Installation and Configuring of FreeIPA Clients
The FreeIPA client can be installed on Ubuntu and CentOS servers to join them to the Kerberos/LDAP domain and apply authentication and policy control on the Linux servers.
Install FreeIPA client on CentOS servers
$ sudo yum install ipa-client
Install FreeIPA client on Ubuntu servers
$ sudo apt install freeipa-client
Make sure that the IPA client servers have a valid hostname (servername.domain.com) and a valid DNS entry, and that they are synced with NTP.
Configure the client to join the Kerberos/LDAP realm. The following command automatically discovers the IPA servers and enables home directory creation for users when they first log on to the server:
$ sudo ipa-client-install --hostname=`hostname -f` \
    --mkhomedir --domain=idm.domain.com
References
https://www.freeipa.org/page/Documentation
https://www.freeipa.org/page/V4/Replica_Setup
https://www.freeipa.org/page/Creating_a_binddn_for_Foreman
https://support.canonical.com/ua/s/article/Add-new-LDAP-Domain-to-a-Foundations-Cloud-Build
http://jdshewey.blogspot.com/2017/08/fixing-annoying-popup-in-freeipa.html