Install FreeIPA Server on Oracle Linux

Introduction

FreeIPA is an open-source identity and authentication management system for Linux networked environments. The server includes the 389 Directory Server as the central data store, providing full multi-master LDAPv3 functionality.

Beyond the scope of this tutorial, FreeIPA also provides MIT Kerberos for Single-Sign-on authentication, the Dogtag Certificate Authority, and optional Domain Name management through an ISC Bind server.

This tutorial shows how to install FreeIPA and configure the included LDAP directory.

Objectives

What Do You Need?

For more information on requirements for FreeIPA, see the upstream Quick Start Guide.

Setup the Lab Environment

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

  1. Open a terminal and connect via ssh to the freeipa-server instance if not already connected.

    ssh oracle@<ip_address_of_instance>
    

Confirm the Server HostName

The FreeIPA server requires a working DNS configuration. Clients enrolled using the ipa command-line tool look up the server by the xmlrpc_url and domain parameters defined in the file /etc/ipa/default.conf.

  1. Verify the server’s host name.

    sudo hostname
    

    The output should not return localhost or localhost6.

Confirm the Fully Qualified Domain Name (FQDN).

FreeIPA has a limitation of 64 characters for the FQDN that it validates during installation. If the FQDN exceeds 64 characters, use sudo hostnamectl set-hostname NAME, where NAME is the FQDN, to shorten it.

  1. Verify the FQDN and its length.

    hostname -f
    
    echo $(hostname -f) | wc -m
    

    Note: The FQDN consists of freeipa.<RND_SUBNET>.linuxvirt.oraclevcn.com, where <RND_SUBNET> is a 4 character random string prefixed by the letter o.

Confirm Name Resolution.

  1. Get the IP address of the server.

    sudo ip addr show
    

    Example Output:

    [oracle@freeipa ~]$ sudo ip addr show
    ...
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:00:17:02:b3:9e brd ff:ff:ff:ff:ff:ff
        altname enp0s3
        inet 10.0.0.150/24 brd 10.0.0.255 scope global dynamic noprefixroute ens3
           valid_lft 85923sec preferred_lft 85923sec
        inet6 fe80::200:17ff:fe02:b39e/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    

    The IPv4 address displays on the line starting with inet.

  2. Verify the forward DNS configuration.

    host $(hostname -f)
    

    Example Output:

    [oracle@freeipa ~]$ host $(hostname -f)
    freeipa.o6fb5.linuxvirt.oraclevcn.com has address 10.0.0.150
    

    Another way to verify the forward DNS configuration is to use dig +short $(hostname -f) A. Both host and dig are part of the bind-utils package, which provides different utilities to query DNS name servers.

  3. Verify the reverse DNS configuration (PTR records).

    host $(hostname -i)
    

    Example Output:

    [oracle@freeipa ~]$ host $(hostname -i)
    150.0.0.10.in-addr.arpa domain name pointer freeipa.o6fb5.linuxvirt.oraclevcn.com.
    

    An alternative is to use dig +short -x $(hostname -i).
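The hostname, FQDN-length, and forward/reverse DNS checks above, combined into one pre-install script. This is an added example, not part of the tutorial; it assumes dig from bind-utils is installed and that the first address printed by hostname -i is the one the A record should carry.

```shell
#!/bin/bash
# Pre-install check for the hostname, FQDN length and DNS requirements above.
# The check functions take their inputs as arguments so they can be exercised
# without network access; "--live" runs them against this host with the same
# tools the tutorial uses (hostname, dig).

# Return 0 unless the short hostname is empty, localhost or localhost6.
hostname_ok() {
    case "$1" in
        ""|localhost|localhost6) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the FQDN is qualified (contains a dot) and fits FreeIPA's
# 64-character limit. ${#fqdn} counts characters only; the tutorial's
# "echo $(hostname -f) | wc -m" also counts the trailing newline, so it
# reports one more than this function sees.
fqdn_ok() {
    local fqdn="$1"
    [ "${#fqdn}" -le 64 ] || return 1
    case "$fqdn" in
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when forward and reverse DNS agree: the A record for the FQDN must
# be the host's address, and the PTR for that address must name the FQDN.
# PTR answers end in a dot and DNS names are case-insensitive, so both sides
# are normalised before comparison.
dns_consistent() {
    local fqdn="$1" a_record="$2" ip="$3" ptr_name="$4"
    fqdn=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    ptr_name=$(printf '%s' "${ptr_name%.}" | tr 'A-Z' 'a-z')
    [ -n "$a_record" ] && [ "$a_record" = "$ip" ] || return 1
    [ -n "$ptr_name" ] && [ "$ptr_name" = "$fqdn" ] || return 1
    return 0
}

# Live mode: gather the values the same way the tutorial does and report.
run_live() {
    local short fqdn ip a ptr
    short=$(hostname)
    fqdn=$(hostname -f)
    ip=$(hostname -i | awk '{print $1}')
    a=$(dig +short "$fqdn" A | head -n1)
    ptr=$(dig +short -x "$ip" | head -n1)
    hostname_ok "$short" || { echo "FAIL: hostname is '$short'"; return 1; }
    fqdn_ok "$fqdn" || { echo "FAIL: FQDN '$fqdn' is unqualified or longer than 64 characters"; return 1; }
    dns_consistent "$fqdn" "$a" "$ip" "$ptr" || { echo "FAIL: forward/reverse DNS mismatch ($fqdn -> $a, $ip -> $ptr)"; return 1; }
    echo "OK: $fqdn resolves to $ip and back"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as ./preflight.sh --live on the server; without the flag it only defines the functions.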

Open the Required Firewall Ports

FreeIPA requires several ports to be open and available to communicate with its services.

Service       Ports      Protocol
HTTP/HTTPS    80, 443    TCP
LDAP/LDAPS    389, 636   TCP
Kerberos      88, 464    TCP and UDP
DNS           53         TCP and UDP
NTP           123        UDP

Oracle Linux provides the freeipa-4 service to open these required ports. For details, see /usr/lib/firewalld/services/freeipa-4.xml. The freeipa-4 service replaces the deprecated freeipa-ldap and freeipa-ldaps services.

  1. Add the firewalld service.

    sudo firewall-cmd --permanent --add-service=freeipa-4
    
    sudo firewall-cmd --reload
    

Install the Required Packages

  1. (Optional) Enable the FreeIPA module stream and profile.

    Note: This step is only required on Oracle Linux 8, because the FreeIPA packages are part of AppStream in Oracle Linux 9.

    sudo dnf module enable idm:DL1
    
  2. Install the packages for a FreeIPA server without the integrated DNS services.

    sudo dnf install -y ipa-server
    

    Note: The integrated DNS services are not used as part of this tutorial. If needed, add the package ipa-server-dns to the installation list.

Install and Configure the FreeIPA Server

  1. Run the install utility.

    sudo ipa-server-install
    

    The script starts by providing the installation log file location and a summary of what the FreeIPA server includes.

    Example Output:

    [oracle@freeipa ~]$ sudo ipa-server-install
       
    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.
    Version 4.9.8
       
    This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the NTP client (chronyd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)
      * Configure SID generation
      * Configure the KDC to enable PKINIT
    ...
    

    The script then uses several prompts to set up the server’s configuration. The terminal shows the default response to the prompt within the brackets, and pressing Enter accepts the default response.

  2. Accept the default response of no to configure the integrated DNS service.

    Do you want to configure integrated DNS (BIND)? [no]:
    
  3. Accept the default host name, domain name, and realm name.

    These are the values verified at the beginning of this lab. It is recommended the realm name match the primary DNS domain name, with all uppercase letters.

    Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    <hostname>.<domainname>
    Example: master.example.com.
    
    
    Server host name [freeipa.o6fb5.linuxvirt.oraclevcn.com]: 
    
    The domain name has been determined based on the host name.
    
    Please confirm the domain name [o6fb5.linuxvirt.oraclevcn.com]: 
    
    The kerberos protocol requires a Realm name to be defined.
    This is typically the domain name converted to uppercase.
    
    Please provide a realm name [O6FB5.linuxvirt.ORACLEVCN.COM]:
    
  4. Enter and confirm the passwords for the Directory Server superuser and the FreeIPA admin user.

    The Directory Server superuser maps to cn=Directory Manager within the directory.

    Certain directory server operations require an administrative user.
    This user is referred to as the Directory Manager and has full access
    to the Directory for system management tasks and will be added to the
    instance of directory server created for IPA.
    The password must be at least 8 characters long.
    
    Directory Manager password: 
    Password (confirm): 
    
    The IPA server requires an administrative user, named 'admin'.
    This user is a regular system account used for IPA server administration.
    
    IPA admin password: 
    Password (confirm): 
    
  5. Accept the defaults for NETBIOS domain name and configuring chrony.

    NetBIOS domain name [O6FB5]: 
    
    Do you want to configure chrony with NTP server or pool address? [no]:
    
  6. The script presents a summary of the server configuration.

  7. Enter yes to accept the server configuration.

    Continue to configure the system with these values? [no]: yes
    
  8. The script proceeds to configure the server.

    This operation may take several minutes to complete.

    ...
    Client configuration complete.
    The ipa-client-install command was successful
    
    Please add records in this file to your DNS system: /tmp/ipa.system.records.mv9i0ec2.db
    ==============================================================================
    Setup complete
    
    Next steps:
    	1. You must make sure these network ports are open:
    		TCP Ports:
    		  * 80, 443: HTTP/HTTPS
    		  * 389, 636: LDAP/LDAPS
    		  * 88, 464: kerberos
    		UDP Ports:
    		  * 88, 464: kerberos
    		  * 123: ntp
    
    	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    	   and the web user interface.
    
    Be sure to back up the CA certificates stored in /root/cacert.p12
    These files are required to create replicas. The password for these
    files is the Directory Manager password
    The ipa-server-install command was successful
    

    Upon completion, the script provides:

    • A summary.
    • A list of records to add to the DNS system.
    • A recommendation to back up the generated CA certificates.

    The required network ports are already open using the freeipa-4 firewalld service.

Test the FreeIPA Server

The FreeIPA installation includes a command-line client and a WebUI for interacting with the server. Using the WebUI is outside the scope of this tutorial.

Access the Command-Line Interface (CLI)

  1. Authenticate the admin user against the Kerberos realm.

    kinit admin
    

    When prompted, enter the password for the admin user created during the installation and configuration steps. The kinit command then generates a Kerberos ticket.

  2. List the ticket’s information

    klist
    

    Example Output:

    [oracle@freeipa ~]$ sudo klist
    Ticket cache: KCM:0
    Default principal: admin@O6FB5.LINUXVIRT.ORACLEVCN.COM
    
    Valid starting       Expires              Service principal
    09/28/2022 14:05:46  09/29/2022 13:05:53  krbtgt/O6FB5.LINUXVIRT.ORACLEVCN.COM@O6FB5.LINUXVIRT.ORACLEVCN.COM
    
  3. Get a list of all the existing users on the FreeIPA server.

    ipa user-find
    

    The results return the admin user, which is the only user that currently exists.

    Example Output:

    [oracle@freeipa ~]$ sudo ipa user-find
    --------------
    1 user matched
    --------------
      User login: admin
      Last name: Administrator
      Home directory: /home/admin
      Login shell: /bin/bash
      Principal alias: admin@O6FB5.LINUXVIRT.ORACLEVCN.COM, root@O6FB5.LINUXVIRT.ORACLEVCN.COM
      UID: 872200000
      GID: 872200000
      Account disabled: False
    ----------------------------
    Number of entries returned 1
    ----------------------------
    

Security Settings and Hardening

Here are a few ways to use the FreeIPA server securely.

Disable Anonymous Binds

The FreeIPA LDAP server enables anonymous binds as a default, thus exposing specific configuration settings and directory values.

The nsslapd-allow-anonymous-access attribute controls this behavior. Acceptable values include:

The recommendation is to use rootdse rather than off when disallowing anonymous binds, because off also blocks external clients from checking the server configuration. Non-domain clients such as LDAP and web clients connect anonymously and read the root DSE entry to get connection details.

  1. Check if anonymous binds are enabled.

    ldapsearch -x -h $(hostname -f) -b dc=$RND_SUBNET,dc=linuxvirt,dc=oraclevcn,dc=com
    
    • -x sets simple or anonymous authentication.
    • -h sets the LDAP server host.
    • -b sets the base dn for search.

    The key settings, including the base dn for the FreeIPA server are stored in the /etc/ipa/default.conf file.

    The $RND_SUBNET is an environment variable set in the free lab environment that represents the 4 character randomized string in the FQDN.

    Example Output:

    ...
    # Default SMB Group, groups, accounts, o6fb5.linuxvirt.oraclevcn.com
    dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=o6fb5,dc=linuxvirt,dc=oraclevc
     n,dc=com
    cn: Default SMB Group
    description: Fallback group for primary group RID, do not add users to this gr
     oup
    objectClass: top
    objectClass: ipaobject
    objectClass: posixgroup
    objectClass: ipantgroupattrs
    ipaUniqueID: 0c9cf178-4324-11ed-bf0b-02001704fe22
    gidNumber: 921600001
    ipaNTSecurityIdentifier: S-1-5-21-2697967063-3375457457-2974965896-1001
      
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 110
    # numEntries: 109
    

    The search results return the entire tree for the LDAP directory.

  2. Modify the configuration and disable anonymous binds.

    The ldapmodify command either accepts an LDIF file with the changes to make or reads operations from the standard input.

    1. Create the LDIF file.

      cat << 'EOF' | tee ~/disable_anon_bind.ldif > /dev/null
      dn: cn=config
      changetype: modify
      replace: nsslapd-allow-anonymous-access
      nsslapd-allow-anonymous-access: rootdse
      EOF
      

      To change multiple attributes in one LDIF entry, separate the changes with a line containing only a dash (-). Each additional change starts with its change type and the attribute it applies to.

    2. Apply the LDIF changes.

      ldapmodify -x -D "cn=Directory Manager" -W -H ldap:// -ZZ -f ~/disable_anon_bind.ldif
      
      • -x sets simple or anonymous authentication.
      • -D sets the bind dn.
      • -W prompts for the LDAP admin password.
      • -H uses the LDAP Uniform Resource Identifier (URI) to connect rather than the LDAP server host.
      • -ZZ starts a TLS request and forces a successful response.

      Note: The -ZZ is required due to the use of self-signed certificates.

      Example Output:

      [oracle@freeipa ~]$ ldapmodify -x -D "cn=Directory Manager" -W -H ldap:// -ZZ -f ~/disable_anon_bind.ldif
      Enter LDAP Password: 
      modifying entry "cn=config"
      
    3. Restart the FreeIPA server.

      sudo systemctl restart ipa.service
      
  3. Verify the modification by anonymously querying the directory.

    ldapsearch -x -h $(hostname -f) -b dc=$RND_SUBNET,dc=linuxvirt,dc=oraclevcn,dc=com
    

    Notice the response Anonymous access is not allowed.

    Example Output:

    [oracle@freeipa ~]$ ldapsearch -x -h freeipa.o6fb5.linuxvirt.oraclevcn.com -b dc=o6fb5,dc=linuxvirt,dc=oraclevcn,dc=com
    # extended LDIF
    #
    # LDAPv3
    # base <dc=o6fb5,dc=linuxvirt,dc=oraclevcn,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
      
    # search result
    search: 2
    result: 48 Inappropriate authentication
    text: Anonymous access is not allowed.
      
    # numResponses: 1
    
  4. Verify querying the directory works using authentication.

    ldapsearch -x -D uid=admin,cn=users,cn=accounts,dc=$RND_SUBNET,dc=linuxvirt,dc=oraclevcn,dc=com -W -H ldap:// -ZZ
    

    The -x option selects a simple bind so that the -D bind dn and the -W password prompt are used; without it, ldapsearch defaults to SASL and ignores the bind dn. As with ldapmodify above, -ZZ forces StartTLS before the password is sent.
    

    Example Output:

    ...
    # freeipa.o6fb5.linuxvirt.oraclevcn.com + 389, subordinate-ids, dna, ipa, etc, 
     o6fb5.linuxvirt.oraclevcn.com
    dn: dnaHostname=freeipa.o6fb5.linuxvirt.oraclevcn.com+dnaPortNum=389,cn=subord
     inate-ids,cn=dna,cn=ipa,cn=etc,dc=o6fb5,dc=linuxvirt,dc=oraclevcn,dc=com
    objectClass: dnaSharedConfig
    objectClass: top
    dnaHostname: freeipa.o6fb5.linuxvirt.oraclevcn.com
    dnaPortNum: 389
    dnaSecurePortNum: 636
    dnaRemainingValues: 32766
      
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 475
    # numEntries: 474
    

Verify TLS is Enabled

Starting with Oracle Linux 8, FreeIPA uses the system-wide crypto policy. See the crypto-policies(7) man page for more details.

  1. List the current system-wide crypto policy.

    cat /etc/crypto-policies/config
    
  2. List the crypto policy details.

    cat /usr/share/crypto-policies/$(cat /etc/crypto-policies/config)/nss.txt
    

    Example Output:

    [oracle@freeipa ~]$ cat /usr/share/crypto-policies/$(cat /etc/crypto-policies/config)/nss.txt
    library=
    name=Policy
    NSS=flags=policyOnly,moduleDB
    config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
    

    Notice the DEFAULT policy uses a minimum of TLS 1.2.
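The two verifications from “Disable Anonymous Binds” and “Verify TLS is Enabled” can be scripted. The following is an added example, not part of the tutorial: it parses the output of the anonymous ldapsearch and the crypto-policy nss.txt, assumes the basedn key in /etc/ipa/default.conf and the nss.txt config line format shown above, and uses constructed sample inputs rather than captured output.

```shell
#!/bin/bash
# Post-hardening verifier for two checks in this tutorial: whether the
# directory still answers anonymous searches, and whether the active crypto
# policy enforces TLS 1.2 or newer. Parsers read stdin so the same functions
# work on live command output or on the constructed samples below.

# Classify anonymous "ldapsearch -x" output. 389 DS returns
# "result: 48 Inappropriate authentication" once anonymous access is
# restricted; "result: 0" with entries means the tree is readable anonymously.
# Prints blocked, allowed, empty or unknown.
anon_bind_state() {
    local out code entries
    out=$(cat)
    code=$(printf '%s\n' "$out" | sed -n 's/^result: \([0-9]*\).*/\1/p' | head -n1)
    entries=$(printf '%s\n' "$out" | sed -n 's/^# numEntries: \([0-9]*\).*/\1/p' | head -n1)
    case "$code" in
        48) echo blocked ;;
        0)  if [ "${entries:-0}" -gt 0 ]; then echo allowed; else echo empty; fi ;;
        *)  echo unknown ;;
    esac
}

# Print the tls-version-min value from a crypto-policy nss.txt (e.g. tls1.2).
# The separator class keeps "dtls-version-min" from matching.
policy_min_tls() {
    sed -n 's/.*[": ]tls-version-min=\(tls[0-9.]*\).*/\1/p' | head -n1
}

# Return 0 when the minimum is TLS 1.2 or 1.3, 1 otherwise (including unset).
tls_min_ok() {
    case "$1" in
        tls1.2|tls1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not captured from a real server).
SAMPLE_BLOCKED='# search result
search: 2
result: 48 Inappropriate authentication
text: Anonymous access is not allowed.

# numResponses: 1'

SAMPLE_ALLOWED='dn: dc=example,dc=test
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 110
# numEntries: 109'

SAMPLE_POLICY_OK='config="disallow=ALL allow=aes256-gcm:RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:RSA-MIN=2048"'
SAMPLE_POLICY_WEAK='config="disallow=ALL allow=aes128-cbc:RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:RSA-MIN=1024"'

# Live mode: run against this server (assumes ipa-server is installed and the
# base DN is in /etc/ipa/default.conf, as the tutorial states).
run_live() {
    local base policy
    base=$(sed -n 's/^basedn *= *//p' /etc/ipa/default.conf)
    printf 'anonymous bind: %s\n' "$(ldapsearch -x -H ldap:// -b "$base" 2>&1 | anon_bind_state)"
    policy=$(cat /etc/crypto-policies/config)
    printf 'minimum TLS: %s\n' "$(policy_min_tls < "/usr/share/crypto-policies/$policy/nss.txt")"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

After the anonymous-bind change and restart above, the live run should print "anonymous bind: blocked" and "minimum TLS: tls1.2" for the DEFAULT policy.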

Check the FreeIPA Server Status

The FreeIPA server includes the ipactl utility to view the status of configured services. The same utility can also start, stop, and restart the entire FreeIPA server. If you need to start, stop, or restart individual components, use systemctl COMMAND name.service.

  1. Show the status of all the services.

    sudo ipactl status
    

    Example Output:

    [oracle@freeipa ~]$ sudo ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful
    

    Use sudo ipactl --help to see additional command options.

Create Users and Groups

With the FreeIPA server basic install and configuration complete, the next step is identity management, which consists of creating users and groups. Before doing this, obtain a Kerberos ticket.

  1. Obtain a ticket for the user admin.

    kinit admin
    
  2. List the existing tickets.

    klist
    

    Kerberos tickets are valid for 24 hours by default. Because these commands already ran in the step titled “Access the Command-Line Interface (CLI)”, the listing shows the original ticket rather than creating a new one.

  3. Add a new user group.

    FreeIPA defines a user group as a set of users with standard password policies, privileges, and other characteristics.

    A user group can include:

    • users
    • other user groups
    • external users which exist outside of FreeIPA

    ipa group-add foo
    

    Example Output:

    [oracle@freeipa ~]$ ipa group-add foo
    -----------------
    Added group "foo"
    -----------------
      Group name: foo
      GID: 1326400003
    

    The FreeIPA server supports three group types:

    The group foo is a POSIX user group. To specify a different group type, use one of these options:

  4. List the existing user groups.

    ipa group-find
    

    Example Output:

    [oracle@freeipa ~]$ ipa group-find
    ----------------
    5 groups matched
    ----------------
      Group name: admins
      Description: Account administrators group
      GID: 1326400000
       
      Group name: editors
      Description: Limited admins who can edit other users
      GID: 1326400002
       
      Group name: foo
      GID: 1326400003
       
      Group name: ipausers
      Description: Default group for all users
      
      Group name: trust admins
      Description: Trusts administrators group
    ----------------------------
    Number of entries returned 5
    ----------------------------
    

    The FreeIPA server creates the following user groups during installation.

    Warning: Do not delete the admins group as it contains the default admin user. The FreeIPA server requires the admins group to operate correctly.

  5. Add a new user account.

    ipa user-add
    

    The command runs an interactive script prompting for the minimal set of data FreeIPA needs to create a user account.

    Example Output:

    [oracle@freeipa ~]$ ipa user-add
    First name: Oracle
    Last name: User
    User login [ouser]: oracle
    -------------------
    Added user "oracle"
    -------------------
      User login: oracle
      First name: Oracle
      Last name: User
      Full name: Oracle User
      Display name: Oracle User
      Initials: OU
      Home directory: /home/oracle
      GECOS: Oracle User
      Login shell: /bin/sh
      Principal name: oracle@OD1F5.LINUXVIRT.ORACLEVCN.COM
      Principal alias: oracle@OD1F5.LINUXVIRT.ORACLEVCN.COM
      Email address: oracle@od1f5.linuxvirt.oraclevcn.com
      UID: 1326400004
      GID: 1326400004
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False
    

    Alternatively, running the command with several options allows for creating a user account in a non-interactive mode. To get a list of available options, run ipa user-add --help.

  6. Add the new user to the new user group.

    ipa group-add-member foo --users=oracle
    

    Example Output:

    [oracle@freeipa ~]$ ipa group-add-member foo --users=oracle
      Group name: foo
      GID: 1326400003
      Member users: oracle
    -------------------------
    Number of members added 1
    -------------------------
    

The ipa command has more functionality than what is shown. For additional commands, run ipa help commands for a comprehensive list.

Summary

That concludes this lab, which introduces the basics of installing and using the FreeIPA server. Explore further using the links below or reading through the product manual pages, as FreeIPA has many additional features beyond what’s covered here.

For More Information

See other related resources:

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.