Evaluated version: Fedora 42, 44 / LXC
Requirements:
NTP service configured and running.
1536MB memory / 1536MB swap.
8GB of disk.
Domain "<hostname>.ipa.domain.internal".
Below is the LXC resource configuration.
When used with LXC, the following parameters had to be adjusted:
Set the server date and time.
# timedatectl
# timedatectl set-timezone "America/Sao_Paulo"
# timedatectl set-ntp yes
Note: configure the Chrony service to provide NTP.
Configure the network interface /etc/NetworkManager/system-connections/ens19.nmconnection
....
[ipv4]
address1=192.168.10.151/24,192.168.10.1
dns=192.168.10.1;
method=manual
....
Configure /etc/hostname
# hostnamectl set-hostname hl151.local.domain
Note: it must be lower-case; the FreeIPA setup only accepts a hostname written in lowercase letters.
Configure /etc/hosts
# echo "192.168.10.151 hl151.local.domain hl151" >> /etc/hosts
Reboot the system:
# reboot
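The requirements and host settings above (lowercase FQDN, the /etc/hosts entry, 1536MB of memory, a synchronised NTP clock) as a pre-flight script; this is an added example, not part of the original notes. Its --live mode assumes a Linux host with hostname -f / hostname -I, /proc/meminfo and timedatectl available.

```shell
#!/bin/sh
# Pre-flight checks for the requirements listed above (added example, not part
# of the original notes). Each check takes its input as an argument so it can
# be exercised against sample data; run with --live to read the real system.

# Hostname must be a lowercase FQDN with at least host.domain.tld: uppercase
# letters and single-label domains are rejected by ipa-server-install.
ipa_hostname_ok() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.){2,}[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# /etc/hosts content ($1) must map the server IP ($2) to the FQDN ($3),
# matching the echo into /etc/hosts above. Dots are escaped for grep -E.
hosts_entry_ok() {
    esc_ip=$(printf '%s' "$2" | sed 's/\./\\./g')
    esc_fqdn=$(printf '%s' "$3" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$esc_ip[[:space:]]+$esc_fqdn([[:space:]]|\$)"
}

# MemTotal in /proc/meminfo content ($1) must reach the 1536MB requirement.
mem_ok() {
    kb=$(printf '%s\n' "$1" | awk '/^MemTotal:/ {print $2}')
    [ "${kb:-0}" -ge $((1536 * 1024)) ]
}

# timedatectl output ($1) must report a synchronised clock; Kerberos rejects
# requests when the skew between client and KDC is too large.
ntp_synced() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*System clock synchronized: yes'
}

report() { [ "$2" -eq 0 ] && echo "OK   $1" || echo "FAIL $1"; }

# Live mode (assumes hostname -f / hostname -I, /proc/meminfo and timedatectl).
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f); ip=$(hostname -I | awk '{print $1}')
    ipa_hostname_ok "$fqdn";                          report "hostname is a lowercase FQDN" $?
    hosts_entry_ok "$(cat /etc/hosts)" "$ip" "$fqdn"; report "/etc/hosts maps $ip to $fqdn" $?
    mem_ok "$(cat /proc/meminfo)";                    report "memory >= 1536MB" $?
    ntp_synced "$(timedatectl)";                      report "NTP synchronised" $?
fi
```

Run it as `sh ipa-preflight.sh --live` before starting ipa-server-install; every line should read OK.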
Add packages to the installation
$ sudo dnf install openssh-server vim firewalld <- firewalld optional, since I use the Proxmox firewall
Update the whole OS and its packages:
$ sudo dnf update -y
Install the FreeIPA packages:
$ sudo dnf install freeipa-server -y
Configure the FreeIPA service.
$ sudo ipa-server-install --mkhomedir --no-ntp <- --mkhomedir is optional
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.2
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure SID generation
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]: <Enter>
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com
Server host name [hl251.ipa.domain.internal]: <Enter>
The domain name has been determined based on the host name.
Please confirm the domain name [ipa.domain.internal]: <Enter>
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [IPA.DOMAIN.INTERNAL]: <Enter>
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: <Password>
Password (confirm): <Password>
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: <Password>
Password (confirm): <Password>
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [IPA]: <Enter>
Do you want to configure chrony with NTP server or pool address? [no]: <Enter> <- Selecting "yes" will reconfigure Chrony.
The IPA Master Server will be configured with:
Hostname: hl251.ipa.domain.internal
IP address(es): 10.1.10.251
Domain name: ipa.domain.internal
Realm name: IPA.DOMAIN.INTERNAL
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=IPA.DOMAIN.INTERNAL
Subject base: O=IPA.DOMAIN.INTERNAL
Chaining: self-signed
Continue to configure the system with these values? [no]: <yes>
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/42]: creating directory server instance
Validate installation settings ...
Create file system structures ...
SELinux is disabled, will not relabel ports or files.
Create database backend: dc=local,dc=domain ...
Perform post-installation tasks ...
[2/42]: adding default schema
[3/42]: enabling memberof plugin
[4/42]: enabling winsync plugin
[5/42]: configure password logging
..............
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.12.2
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: hl251.ipa.domain.internal
Realm: IPA.DOMAIN.INTERNAL
DNS Domain: ipa.domain.internal
IPA Server: hl251.ipa.domain.internal
BaseDN: dc=ip,dc=domain,dc=internal
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring local.domain as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.30obul4f.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
$ sudo kinit admin
Password for admin@IPA.DOMAIN.INTERNAL:
$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.DOMAIN.INTERNAL
Valid starting Expires Service principal
05/01/26 11:18:11 05/02/26 10:59:19 krbtgt/IPA.DOMAIN.INTERNAL@IPA.DOMAIN.INTERNAL
$ sudo ipa user-find
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal name: admin@IPA.DOMAIN.INTERNAL
Principal alias: admin@IPA.DOMAIN.INTERNAL, root@IPA.DOMAIN.INTERNAL
UID: 1576800000
GID: 1576800000
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
$ sudo ipa group-find
----------------
4 groups matched
----------------
Group name: admins
Description: Account administrators group
GID: 1576800000
Group name: editors
Description: Limited admins who can edit other users
GID: 1576800002
Group name: ipausers
Description: Default group for all users
Group name: trust admins
Description: Trusts administrators group
----------------------------
Number of entries returned 4
----------------------------
Validate that the service is working.
# systemctl status ipa.service
Follow the service log.
# journalctl -fu ipa.service
If you already have a DNS service in your environment, add an entry for this host so it can be reached by name; if not, you can add it to the local hosts file.
To open the FreeIPA interface in a browser, go to:
https://hl251.ipa.domain.internal
https://hl251.ipa.domain.internal/ipa/ui/
Using the Proxmox firewall settings
Configure the local Fedora firewall rules for the server and its services.
$ sudo systemctl start firewalld.service
$ sudo systemctl enable firewalld.service
$ sudo firewall-cmd --state
$ sudo firewall-cmd --list-all
$ sudo firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,http,https,ldap,ldaps,kerberos,kpasswd,dns,ntp}
$ sudo firewall-cmd --permanent --add-service=ssh
$ sudo firewall-cmd --reload
Port summary:
TCP: 80,443,389,636,88,464,53,22
UDP: 88,464,53,123
Note: for evaluation purposes it is not necessary to enable this.
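A post-configuration check that the firewalld services added above are really open after --reload; this is an added example, not part of the original notes. It parses the output of firewall-cmd --list-all, so it can be tested against sample output, and in --live mode assumes firewall-cmd is run with root privileges.

```shell
#!/bin/sh
# Post-configuration check that the firewalld services added above are active
# (added example, not part of the original notes). fw_missing_services parses
# the output of `firewall-cmd --list-all`, so it can be tested offline; --live
# runs it against the real firewall (needs root, as firewall-cmd does).

# The services added with --add-service above, plus ssh.
IPA_SERVICES="freeipa-ldap freeipa-ldaps http https ldap ldaps kerberos kpasswd dns ntp ssh"

# Print the names from IPA_SERVICES missing from the "services:" line of the
# --list-all output in $1 (space separated); prints an empty line if none.
fw_missing_services() {
    active=$(printf '%s\n' "$1" | awk -F': ' '/^[[:space:]]*services:/ {print $2}')
    missing=""
    for svc in $IPA_SERVICES; do
        case " $active " in
            *" $svc "*) ;;                     # service is open
            *) missing="$missing $svc" ;;      # service still closed
        esac
    done
    printf '%s\n' "${missing# }"
}

if [ "${1:-}" = "--live" ]; then
    missing=$(fw_missing_services "$(firewall-cmd --list-all)")
    if [ -z "$missing" ]; then
        echo "OK   all FreeIPA services are open in the active zone"
    else
        echo "FAIL still closed: $missing"
        echo "     re-run the --add-service line above for these, then firewall-cmd --reload"
    fi
fi
```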