×
Community Blog Set Up Centralized Linux Authentication with FreeIPA on Alibaba Cloud

Set Up Centralized Linux Authentication with FreeIPA on Alibaba Cloud

In this tutorial, you will learn how to install and setup FreeIPA authentication on an Alibaba Cloud ECS instance installed with CentOS 7.

By Sajid Qureshi, Alibaba Cloud Community Blog author.

FreeIPA is a free and open-source identity management tool for Linux and Unix environments which provides centralized account management and authentication, similar to Microsoft's Active Directory. FreeIPA is a combination of 389 Directory Server, MIT Kerberos, Apache HTTP Server, NTP, and SSSD, among others.

Prerequisites

  1. You must have an Alibaba Cloud Elastic Compute Service (ECS) instance activated and have verified your valid payment method. If you are a new user, you can get a free account in your Alibaba Cloud account. If you don't know about how to set up your ECS instance, you can refer to this tutorialor quick-start guide. Your ECS instance must have at least 1GB RAM and 1 Core processor.
  2. A domain name registered from Alibaba Cloud. If you have already registered a domain from Alibaba Cloud or any other host, you can update its domain nameserver records.

Procedure

Follow the steps outlined below to learn how to install and setup FreeIPA authentication on an Alibaba Cloud ECS instance installed with CentOS 7.

Updating the system

We recommend you to update the system before installing any new packages on your CentOS server. Run the yum -y update command and all the available packages will be upgraded.

Preparing the Server

You will need to set up a few things to make sure the server is ready to run FreeIPA. Let's start with setting the hostname for your server, You can set it using the following command.

hostname ali.example.org

Next, modify the firewall rules to open required ports for FreeIPA using the following command:

firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

Now reload the firewall rules to apply changes using the firewall-cmd --reload command.

Finally, you will need to verify that the DNS names resolve properly. Install the bind-utils package to get the DNS testing utilities with the yum -y install bind-utils command. After that, run the following command to check the A record, it should return YourServer IPv4 as the result.

dig +short ali.example.org A

Setting Up DNS

FreeIPA makes extensive use of DNS. You will need to set up DNS so your server meets the specific DNS requirements of FreeIPA. You will have to modify the host file using any text editor. Here we are using nano text editor, you can also install it using yum -y install nano as it is more user-friendly.

Also run the nano /etc/hosts command, and look for the line that has your server hostname after 127.0.0.1 just like below:

127.0.0.1 ali.example.com ali.example.com
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Now replace 127.0.0.1 with your server IPv4 address. If you have IPv6 enabled you will need to edit the IPv6 mapping as well, look for the below-given lines in the host file.

::1 ali.example.com ali.example.com
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Now replace ::1 to your server IPv6 address and then save and exit from the editor.

Next run the following command to make this configuration change permanent.

nano /etc/cloud/templates/hosts.redhat.tmpl

Find the following lines in the file.

127.0.0.1 ${fqdn} ${hostname}
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Replace 127.0.0.1 with your server IPv4 address like this:

your_server_ipv4 ${fqdn} ${hostname}
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Similarly, change the ::1 ${fqdn} ${hostname} line to use your IPv6 address.

your_server_ipv6 ${fqdn} ${hostname}
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Finally, save the file and exit from the text editor.

Installing the FreeIPA Server

As we know FreeIPA is used for authentication, it requires a lot of random data for the cryptographic operations that it runs. So, you will need to configure the random number generator because a virtual machine will run out of random data or entropy very quickly. So here we will use a software random number generator called rngd, it works by taking data from the hardware devices attached to the server.

Run the following command to install rngd.

yum -y install rng-tools

Then, run the systemctl start rngd command to enable it, and make this service automatically started at boot using the systemctl enable rngd command. Next, verify this installation using the systemctl status rngd command and you should see active (running) as the result.

All the dependencies required for FreeIPA server is installed and configured now you are ready to install IPA server package.

So install FreeIPA using the yum -y install ipa-server command, and run the ipa-server-install command to run the installation script.

You'll be asked to configure FreeIPA's integrated DNS, we don't need that as of now so type no to proceed further.

Installation script prompt 
Do you want to configure integrated DNS (BIND)? [no]: no

Next, you'll be asked to enter the server's hostname, the domain name, and the Kerberos realm name. Kerberos is an authentication protocol which FreeIPA uses for authentication. We highly recommend you to use your domain name as the Kerberos realm otherwise it may cause you problems.

Note: Do not use your root domain name as IPA domain name.

Installation script 
prompt Server host name [ali.example.org]: ali.example.org 
Please confirm the domain name [example.org]: ali.example.org 
Please provide a realm name [EXAMPLE.ORG]: ALI.EXAMPLE.ORG  

Next, create a password for the LDAP directory used for FreeIPA's LDAP performance. Now create an IPA admin password used for log into FreeIPA as admin. Finally, confirm the configuration by typing Yes and then the installer will run.

Continue to configure the system with these values? [no]: yes

It may take some time so, hold on a bit.

Next, let's verify this installation and check whether FreeIPA server functions are working properly or not. First, verify that the Kerberos realm installed correctly using the kinit admin command.

If nothing goes wrong you'll be asked for the IPA admin password then type the FreeIPA admin password you entered during the installation and hit the ENTER button. After that, verify that the FreeIPA server is working properly using the ipa user-find admin command.

You should see the following output:

  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@ALI.EXAMPLE.COM
  UID: 494800000
  GID: 494800000
  Account disabled: False

Now you should be able to access the web UI at https://ali.example.com, so open up your web browser and visit the URL. You will be asked to log in so, log in as admin user using admin as username and admin password you set earlier. After authentication you will be redirected to the main IPA page which should be like this:

8

Configuring Users

FreeIPA users can be an individual or belong to any group of users and they can be allowed or denied to access the host's machines. Now let's add new users to explore some of FreeIPA's features. To add a new user please follow the instructions.

First, click on Identity tab on the top left corner and then click on Users. You'll see a table of users so now click on + Add button to add a new user. Fill in the general details like first name, last name and other details.

Finally, click on Add button to add the user. A new user will be asked to change his/her password for security reasons. You can add SSH keys by uploading your public SSH keys and allowing you password-less login.

Conclusion

In this tutorial, you learned to install and setup FreeIPA, which is an extremely versatile authentication tool, on an Alibaba Cloud ECS instance installed with CentOS 7. You can configure users and groups of users to access the policies through the FreeIPA user interface. We hope now you have enough knowledge to work with FreeIPA.

0 0 0
Share on

Alibaba Clouder

2,599 posts | 758 followers

You may also like

Comments