
Set Up Centralized Linux Authentication with FreeIPA on Alibaba Cloud

In this tutorial, you will learn how to install and set up FreeIPA authentication on an Alibaba Cloud ECS instance running CentOS 7.

By Sajid Qureshi, Alibaba Cloud Community Blog author.

FreeIPA is a free and open-source identity management tool for Linux and Unix environments which provides centralized account management and authentication, similar to Microsoft's Active Directory. FreeIPA is a combination of 389 Directory Server, MIT Kerberos, Apache HTTP Server, NTP, and SSSD, among others.

Prerequisites

  1. You must have an Alibaba Cloud Elastic Compute Service (ECS) instance activated and a valid payment method verified. If you are a new user, you can get a free account with Alibaba Cloud. If you don't know how to set up your ECS instance, refer to this tutorial or the quick-start guide. Your ECS instance must have at least 1 GB of RAM and 1 CPU core.
  2. A domain name registered with Alibaba Cloud. If you have already registered a domain with Alibaba Cloud or any other registrar, you can update its nameserver records.

Procedure

Follow the steps outlined below to install and set up FreeIPA authentication on an Alibaba Cloud ECS instance running CentOS 7.

Updating the system

We recommend updating the system before installing any new packages on your CentOS server. Run the yum -y update command to upgrade all available packages.

Preparing the Server

You will need to set up a few things to make sure the server is ready to run FreeIPA. Start by setting the hostname for your server with the following command:

hostname ali.example.org

Next, modify the firewall rules to open required ports for FreeIPA using the following command:

firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

Now reload the firewall rules to apply changes using the firewall-cmd --reload command.

Finally, verify that DNS names resolve properly. Install the bind-utils package to get the DNS testing utilities with the yum -y install bind-utils command. Then run the following command to check the A record; it should return your server's IPv4 address.

dig +short ali.example.org A

Setting Up DNS

FreeIPA makes extensive use of DNS, so your server must meet its specific DNS requirements. You will have to modify the hosts file with a text editor. Here we use the nano text editor, which is more user-friendly than the defaults; you can install it with yum -y install nano.

Run the nano /etc/hosts command and look for the line that has your server hostname after 127.0.0.1, like this:

127.0.0.1 ali.example.com ali.example.com
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Now replace 127.0.0.1 with your server's IPv4 address. If you have IPv6 enabled, you will need to edit the IPv6 mapping as well; look for the following lines in the hosts file.

::1 ali.example.com ali.example.com
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Now replace ::1 with your server's IPv6 address, then save and exit the editor.
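To make the hosts-file edit above repeatable and to check the result the way the installer will (the FQDN must resolve to a real address, not loopback), here is an added shell example; it is not code from the article, and ali.example.org, 203.0.113.10 and 2001:db8::10 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the article: re-point the loopback /etc/hosts lines
# for the FreeIPA server at its real addresses and verify the result.
# ali.example.org, 203.0.113.10 and 2001:db8::10 are constructed sample values.
set -eu

# FreeIPA needs a fully qualified hostname: two or more labels, not localhost.
is_fqdn() {
  case "$1" in localhost|localhost.*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqi '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# Read a hosts file on stdin; rewrite the 127.0.0.1 and ::1 lines that name
# FQDN to IPV4/IPV6 (the ::1 line is dropped when IPV6 is empty).
rewrite_hosts() {
  awk -v fqdn="$1" -v ip4="$2" -v ip6="${3-}" '
    $2 == fqdn && ($1 == "127.0.0.1" || $1 == "::1") {
      short = fqdn; sub(/\..*/, "", short)           # short hostname from FQDN
      if ($1 == "127.0.0.1") printf "%s %s %s\n", ip4, fqdn, short
      else if (ip6 != "")    printf "%s %s %s\n", ip6, fqdn, short
      next
    }
    { print }'
}

# Read a hosts file on stdin; succeed only if FQDN maps to a non-loopback
# address and no loopback line still claims it (that is what trips the installer).
hosts_ok() {
  awk -v fqdn="$1" '
    /^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == fqdn) {
        if ($1 == "127.0.0.1" || $1 == "::1") bad = 1; else found = 1 } }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed stand-in for the cloud-init generated /etc/hosts.
sample_hosts() {
  cat <<'EOF'
127.0.0.1 ali.example.org ali
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
::1 ali.example.org ali
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
EOF
}
# Stand-alone run: print the rewritten file and the verdict.
is_fqdn ali.example.org || { echo "ali.example.org is not an FQDN" >&2; exit 1; }
sample_hosts | rewrite_hosts ali.example.org 203.0.113.10 2001:db8::10
sample_hosts | rewrite_hosts ali.example.org 203.0.113.10 2001:db8::10 | hosts_ok ali.example.org && echo "hosts: OK"
```

On a real server you would feed /etc/hosts to rewrite_hosts and write the output back, then run hosts_ok on the file before starting ipa-server-install.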

Because cloud-init regenerates /etc/hosts from a template at boot, you also need to edit that template to make this change permanent. Open it with the following command.

nano /etc/cloud/templates/hosts.redhat.tmpl

Find the following lines in the file.

127.0.0.1 ${fqdn} ${hostname}
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Replace 127.0.0.1 with your server IPv4 address like this:

your_server_ipv4 ${fqdn} ${hostname}
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4

Similarly, change the ::1 ${fqdn} ${hostname} line to use your IPv6 address.

your_server_ipv6 ${fqdn} ${hostname}
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

Finally, save the file and exit from the text editor.

Installing the FreeIPA Server

Because FreeIPA performs many cryptographic operations, it needs a large amount of random data. A virtual machine runs out of entropy very quickly, so you will need to configure a random number generator daemon. Here we use rngd, which feeds the kernel's entropy pool from the hardware random number sources attached to the server.

Run the following command to install rngd.

yum -y install rng-tools

Then run the systemctl start rngd command to start it, and make the service start automatically at boot with the systemctl enable rngd command. Next, verify the installation with the systemctl status rngd command; you should see active (running) in the output.

All the dependencies required by the FreeIPA server are now installed and configured, so you are ready to install the IPA server package.

Install FreeIPA using the yum -y install ipa-server command, then run the ipa-server-install command to start the installation script.

You will be asked whether to configure FreeIPA's integrated DNS. We don't need it for now, so type no to proceed.

Do you want to configure integrated DNS (BIND)? [no]: no

Next, you will be asked for the server's hostname, the domain name, and the Kerberos realm name. Kerberos is the authentication protocol FreeIPA uses. We highly recommend using your domain name as the Kerberos realm; choosing a different name may cause problems later.

Note: Do not use your root domain name as the IPA domain name.

Server host name [ali.example.org]: ali.example.org
Please confirm the domain name [example.org]: ali.example.org
Please provide a realm name [EXAMPLE.ORG]: ALI.EXAMPLE.ORG

Next, create a password for the Directory Manager, the administrative account of the LDAP directory that FreeIPA uses. Then create the IPA admin password, which you will use to log in to FreeIPA as admin. Finally, confirm the configuration by typing yes, and the installer will run.

Continue to configure the system with these values? [no]: yes

This may take some time.

Next, verify the installation and check that the FreeIPA server functions are working properly. First, verify that the Kerberos realm was installed correctly using the kinit admin command.

If nothing went wrong, you will be asked for the IPA admin password; type the FreeIPA admin password you entered during the installation and press ENTER. After that, verify that the FreeIPA server is working properly using the ipa user-find admin command.

You should see the following output:

  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@ALI.EXAMPLE.COM
  UID: 494800000
  GID: 494800000
  Account disabled: False

Now you should be able to access the web UI at https://ali.example.com, so open your web browser and visit the URL. You will be asked to log in; use admin as the username and the admin password you set earlier. After authentication you will be redirected to the main IPA page.

Configuring Users

A FreeIPA user can be an individual account or a member of user groups, and users can be allowed or denied access to host machines. Now let's add a new user to explore some of FreeIPA's features. To add a new user, follow these instructions.

First, click the Identity tab in the top left corner and then click Users. You will see a table of users; click the + Add button to add a new user. Fill in the general details such as first name, last name, and so on.

Finally, click the Add button to add the user. A new user will be asked to change his or her password at first login for security reasons. You can also upload the user's public SSH key to allow password-less login.

Conclusion

In this tutorial, you learned how to install and set up FreeIPA, an extremely versatile authentication tool, on an Alibaba Cloud ECS instance running CentOS 7. You can configure users, user groups and their access policies through the FreeIPA user interface. We hope you now have enough knowledge to work with FreeIPA.
