How to Install FreeIPA Server with Let's Encrypt on CentOS 7, Red Hat, and Ubuntu

FreeIPA is an open-source identity management system for Linux (it originated on Fedora) that combines existing components: 389 Directory Server for LDAP, MIT Kerberos for authentication, NTP, BIND for DNS, Dogtag as the certificate authority, the Apache web server, and Python. It provides the ipa command-line administration tool and a web-based user interface.

Let’s Encrypt is a non-profit certificate authority that issues free, publicly trusted X.509 certificates for TLS. The certificates are valid for 90 days and can be renewed at any time, which is why renewal is automated in Step 6.

This guide will walk you through the installation of FreeIPA Server with Let’s Encrypt on CentOS 7, Red Hat, and Ubuntu. Here are the steps:

Step 1: Set Up Hosts

First, set the server hostname to its fully qualified domain name (FQDN) and add a matching entry to ‘/etc/hosts’. Note that ‘sudo echo ... >> /etc/hosts’ does not work: the redirection is performed by your unprivileged shell, not by sudo, so the write is denied. Use tee instead:

sudo hostnamectl set-hostname ipa.ldap.vmbs.uk
echo "10.0.208.10 ipa.ldap.vmbs.uk ipa ipa.ldap ldap" | sudo tee -a /etc/hosts

Confirm that ‘hostname -f’ prints ipa.ldap.vmbs.uk and that the name maps to the server's real address (10.0.208.10 here), not to 127.0.0.1 or 127.0.1.1: ipa-server-install refuses a hostname that is not fully qualified, contains upper-case letters, or resolves to a loopback address.
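The checks the installer applies to the hostname can be run up front. The following is an added example written for this page, not code from the FreeIPA project; it takes the hosts file as a parameter so it can be exercised against a constructed file, and the hostname and address are the ones used in this guide:

```shell
#!/bin/sh
# Added example, not from the original guide: a preflight check for the
# hostname requirements that ipa-server-install enforces. The hosts file is
# passed as a parameter so the check can be run against a constructed file.

# check_ipa_hostname FQDN HOSTS_FILE
#   Returns 0 when FQDN is acceptable, 1 otherwise (reason on stderr).
check_ipa_hostname() {
    fqdn=$1
    hosts=$2

    # Must be fully qualified (contain a dot) and must not be localhost.
    case "$fqdn" in
        localhost|localhost.localdomain)
            echo "hostname must not be localhost" >&2
            return 1 ;;
        *.*) ;;
        *)
            echo "hostname '$fqdn' is not fully qualified" >&2
            return 1 ;;
    esac

    # The installer rejects hostnames containing upper-case letters.
    lower=$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')
    if [ "$lower" != "$fqdn" ]; then
        echo "hostname '$fqdn' must be lower-case" >&2
        return 1
    fi

    # The name must map to a non-loopback address in the hosts file:
    # take the address from the first non-comment line that lists it.
    addr=$(awk -v h="$fqdn" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$hosts")
    if [ -z "$addr" ]; then
        echo "no entry for $fqdn in $hosts" >&2
        return 1
    fi
    case "$addr" in
        127.*|::1)
            echo "$fqdn resolves to loopback address $addr" >&2
            return 1 ;;
    esac
    return 0
}

# On the server itself: sh check-hostname.sh "$(hostname -f)" /etc/hosts
if [ $# -eq 2 ]; then
    check_ipa_hostname "$1" "$2" && echo "$1 is acceptable to ipa-server-install"
fi
```

Run it before Step 3; a loopback mapping (the 127.0.1.1 entry some distributions add for the hostname) is the most common reason the installer aborts at its hostname check.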

Step 2: Install FreeIPA Packages

Next, install the FreeIPA server packages, including the integrated DNS components, from the distribution repositories (on Ubuntu the equivalent packages are freeipa-server and freeipa-server-dns):

sudo yum install -y ipa-server bind-dyndb-ldap ipa-server-dns

FreeIPA ships its own SELinux policy and is supported with SELINUX=enforcing on CentOS and Red Hat, so disabling SELinux is not required, and doing so removes a confinement layer from the host that will hold your realm's Kerberos and CA keys. Leave it enforcing. If you need to rule SELinux out while troubleshooting a failed installation, edit the configuration and switch to permissive mode, which logs denials without blocking anything, then switch back once the install succeeds:

sudo vi /etc/selinux/config

In the SELinux configuration file, change SELINUX=enforcing to SELINUX=permissive (not disabled) for the duration of the troubleshooting. Save the file and reboot the server.

Step 3: Configure FreeIPA Server

After the server restarts, run the installer:

sudo ipa-server-install

Follow the prompts. You will be asked for the server hostname (it must match the FQDN from Step 1), the DNS domain and Kerberos realm (ldap.vmbs.uk and LDAP.VMBS.UK in this example), the Directory Manager password and the IPA admin password, and whether to configure integrated DNS. Choose long random passwords: the Directory Manager password grants unrestricted access to the whole directory, including every user's credentials, so store it offline and use it only for maintenance such as the LDAP changes later in this guide. The same values can be supplied as command-line options to run the installer unattended.

Step 4: Verify the Configuration

Once the installation is complete, verify the configuration by running the following commands:

sudo kinit admin
sudo ipa user-find admin

kinit obtains a Kerberos ticket for the admin principal from the new KDC, and ipa user-find then queries the directory through the IPA API using that ticket. If both succeed, the KDC, the directory server and the web API are all working and the admin user exists in the FreeIPA database.

Step 5: Access FreeIPA Web UI

Open a web browser and navigate to the server's FQDN, for example https://ipa.ldap.vmbs.uk. You should see the FreeIPA web UI login page. At this point the HTTP certificate was issued by FreeIPA's own CA, so the browser will warn about an untrusted issuer unless you import the IPA CA certificate (published at https://ipa.ldap.vmbs.uk/ipa/config/ca.crt) into its trust store. Step 6 replaces the certificate with a publicly trusted one from Let’s Encrypt, after which the page should load without certificate errors.

Step 6: Install Let’s Encrypt Certificates

To replace the IPA-issued certificate on the FreeIPA web interface with one from Let’s Encrypt using the community freeipa-letsencrypt scripts, follow these steps. Let’s Encrypt must be able to validate that you control the name: ipa.ldap.vmbs.uk has to exist in public DNS and, if the scripts use the HTTP-01 challenge, the server must be reachable from the internet on port 80. A name that exists only on your internal DNS cannot be validated that way.

  1. Clone the FreeIPA Let’s Encrypt repository and navigate to the directory:

    cd ~
    git clone https://github.com/freeipa/freeipa-letsencrypt.git
    cd freeipa-letsencrypt
    
  2. Update the configuration files:

    • In setup-le.sh, set the WORKDIR variable to the desired directory (e.g., /root/).
    • In renew-le.sh, set the WORKDIR and EMAIL variables accordingly.
  3. Run the setup script to prepare the machine:

    ./setup-le.sh
    

    This installs the Let’s Encrypt client packages, adds the Let’s Encrypt chain certificates to FreeIPA's trusted CA store (so IPA clients and the directory server accept the new chain), and requests a certificate for the FreeIPA web interface.

  4. Run the renew script, and schedule it to run once a day so the certificate is renewed well before its 90-day lifetime ends:

    ./renew-le.sh
    

    Nothing runs this automatically: add it as a daily cron job (or systemd timer) for root. Each run checks whether the certificate is due for renewal and renews it only when it is, so running it every day is cheap.
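A practitioner will also want an independent check that the installed certificate is not creeping towards expiry, since an expired HTTP certificate breaks both the web UI and the ipa command line. The following helper is an added example written for this page, not part of the freeipa-letsencrypt scripts; it reads a PEM certificate file (the path to the certificate the scripts write under WORKDIR is an assumption you fill in) and reports whether it falls inside a renewal window:

```shell
#!/bin/sh
# Added example, not part of the freeipa-letsencrypt scripts: report whether
# a PEM certificate is inside its renewal window, for use from cron or a
# monitoring check alongside renew-le.sh. The certificate path is whatever
# your WORKDIR setup produces (assumed, not known from the guide).

# cert_needs_renewal CERT_PEM [DAYS]
#   Exit status 0: certificate expires within DAYS (default 30), renew now.
#   Exit status 1: still valid beyond the window, nothing to do.
#   Exit status 2: file missing or not a parseable certificate.
cert_needs_renewal() {
    cert=$1
    days=${2:-30}
    seconds=$((days * 86400))

    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        return 2
    fi
    # -checkend exits 0 if the certificate will still be valid SECONDS from
    # now, and 1 if it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_expiry CERT_PEM: print the notAfter date (for log messages).
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Usage from a daily cron job, with CERT and WORKDIR set for your install
# (both are assumed paths):
#   if cert_needs_renewal "$CERT" 30; then "$WORKDIR/renew-le.sh"; fi
if [ $# -ge 1 ]; then
    cert_needs_renewal "$1" "${2:-30}"
    case $? in
        0) echo "renewal due: $1 expires $(cert_expiry "$1")" ;;
        1) echo "still valid: $1 expires $(cert_expiry "$1")" ;;
        *) echo "cannot read certificate $1" >&2 ;;
    esac
fi
```

A 30-day window matches Let’s Encrypt's recommended renewal point for 90-day certificates; a check that still reports "renewal due" the day after the cron job ran is the signal that the ACME validation is failing and needs attention before the certificate actually expires.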

By following these steps, you can install FreeIPA Server with Let’s Encrypt on CentOS 7, Red Hat, and Ubuntu and serve its web interface with a publicly trusted TLS certificate. Keep in mind that the IPA CA remains the issuer for host and service certificates inside the realm; Let’s Encrypt only replaces the certificate presented to browsers. If you encounter any issues, consult the FreeIPA team through their official communication channels.

If the CA installation fails and a stale pki-tomcat instance blocks a re-run of ipa-server-install, try ‘ipa-server-install --uninstall’ first; it removes the CA instance along with the rest of the server configuration. Only if that fails should you remove pki-tomcat manually. Run these commands as root, and only on a server you are about to reinstall anyway: the directories below hold the CA's database and private keys, so there is no recovering the CA afterwards.

  1. Destroy the CA instance:
     pkidestroy -s CA -i pki-tomcat
  2. Remove the log directory:
     rm -rf /var/log/pki/pki-tomcat
  3. Remove the sysconfig file:
     rm -rf /etc/sysconfig/pki-tomcat
  4. Remove the sysconfig directory:
     rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat
  5. Remove the data directory:
     rm -rf /var/lib/pki/pki-tomcat
  6. Remove the configuration directory:
     rm -rf /etc/pki/pki-tomcat

These steps remove the pki-tomcat instance and its associated directories. Proceed with caution and only perform them if necessary.

How to Configure RADIUS Authentication with FreeIPA and ADTrust

RADIUS is a widely used protocol for authenticating network access (VPNs, Wi-Fi, switch logins). A RADIUS server can authenticate users against FreeIPA, but challenge-response methods such as MS-CHAPv2 need each user's NT password hash, which FreeIPA stores in the ipaNTHash attribute and generates only once the Samba-based AD trust components (ipa-adtrust-install) are in place. This guide provides step-by-step instructions for setting that up: installing the trust components, creating a RADIUS service account, and granting it the minimum rights needed to read ipaNTHash.

Installation

  1. Install the ipa-adtrust or Samba package:

    • CentOS/RHEL:
      yum install -y ipa-adtrust
      
    • Ubuntu/Debian:
      apt-get install -y samba
      
  2. Run the installation command:

    • CentOS/RHEL:
      ipa-adtrust-install
      
    • Ubuntu/Debian:
      samba-tool domain join <domain> DC -U <admin_user>
      

    Follow the prompts and provide the requested information. Note that the two commands do different things: ipa-adtrust-install adds the Samba-based trust components to an existing FreeIPA server (and is what enables ipaNTHash generation), whereas samba-tool domain join ... DC joins the host as an additional domain controller of an existing Samba or Active Directory domain. The FreeIPA-specific steps below (ipa service-add, roles and LDIF) apply to the FreeIPA case.

  3. Verify the status of the installed services:

    • CentOS/RHEL:
      ipactl status
      
    • Ubuntu/Debian:
      systemctl status samba
      

    Ensure that the required services, such as Directory Service, krb5kdc, named, httpd, pki-tomcatd, smb, and winbind, are running.

  4. Restart FreeIPA or Samba:

    • CentOS/RHEL:
      ipactl restart
      
    • Ubuntu/Debian:
      systemctl restart samba
      

RADIUS Service Configuration

  1. Add the RADIUS service principal on the FreeIPA server and allow the RADIUS host to manage it:

    ipa service-add 'radius/radius.vmbs.uk'
    ipa service-add-host --hosts=radius.vmbs.uk radius/radius.vmbs.uk
    

    The first command creates the service entry (principal radius/radius.vmbs.uk@LDAP.VMBS.UK). The second lets the host radius.vmbs.uk manage that entry, which is what allows it to fetch the service keytab with ipa-getkeytab; neither command writes a keytab by itself.

  2. Create a privilege and role that grant read access to ipaNTHash:

    ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
    ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
    ipa role-add 'Radius server' --desc="Radius server role"
    ipa role-add-privilege --privileges="Radius services" 'Radius server'
    

    These commands create a privilege holding the 'ipaNTHash service read' permission and a role that carries it. The permission must already exist (check with ipa permission-show 'ipaNTHash service read'); it grants read access to the ipaNTHash attribute of user entries. Two caveats: ipaNTHash is an unsalted NT hash that can be replayed for pass-the-hash style authentication against Samba or a trusted AD domain, so this role should contain nothing but the RADIUS service; and FreeIPA only populates ipaNTHash when a user's password is set after ipa-adtrust-install has run, so existing users must change their password before RADIUS can authenticate them.

  3. Add the RADIUS service principal, the identity that will bind to LDAP below, as a member of the “Radius server” role (adding the host with --hosts would grant the host principal instead, which is not the account the RADIUS server binds with):

    ipa role-add-member --services=radius/radius.vmbs.uk 'Radius server'
    
    

System Account Configuration

  1. Connect to the directory as Directory Manager; the ldapmodify session stays open and reads LDIF from standard input:

    ldapmodify -x -D 'cn=Directory Manager' -W
    

    Enter the Directory Manager password, then paste the following LDIF. It adds the RADIUS service principal to the “adtrust agents” group, whose members FreeIPA's access controls allow to read ipaNTHash. The group is a groupOfNames, so the attribute is member (memberUid is for POSIX groups and would be ignored here), and every DN uses the realm's directory suffix dc=ldap,dc=vmbs,dc=uk:

   dn: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ldap,dc=vmbs,dc=uk
   changetype: modify
   add: member
   member: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk

Service Account Configuration

  1. Give the service entry a password so the RADIUS server can bind to LDAP with it (in the same ldapmodify session, or a new one as Directory Manager). The directory stores the value hashed according to its password storage scheme, but it is still the credential that unlocks every user's NT hash: generate a long random password and keep it only in the RADIUS server's configuration.
    dn: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk
    changetype: modify
    add: objectClass
    objectClass: simpleSecurityObject
    -
    add: userPassword
    userPassword: <enter a password of your choice>
  2. Verify that the service account is a member of the “Radius server” role. Read back from the directory, the role entry should look like this, with the member attribute pointing at the service principal and memberOf showing the privilege and permission it inherits:
    dn: cn=Radius server,cn=roles,cn=accounts,dc=ldap,dc=vmbs,dc=uk
    memberOf: cn=Radius services,cn=privileges,cn=pbac,dc=ldap,dc=vmbs,dc=uk
    memberOf: cn=ipaNTHash service read,cn=permissions,cn=pbac,dc=ldap,dc=vmbs,dc=uk
    description: Radius server role
    cn: Radius server
    objectClass: groupofnames
    objectClass: nestedgroup
    objectClass: top
    member: krbprincipalname=radius/radius.vmbs.uk@LDAP.VMBS.UK,cn=services,cn=accounts,dc=ldap,dc=vmbs,dc=uk
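The most common mistake in the LDAP part of this procedure is a suffix that drifts between entries (dc=vmbs,dc=uk in one DN, dc=ldap,dc=vmbs,dc=uk in the next), which ldapmodify rejects with "no such object". The following is an added example written for this page, not FreeIPA code: it derives the suffix from the Kerberos realm and generates the complete LDIF for both modifications above (the password bind and the adtrust agents membership), so the service DN is written once and reused. The hostname and realm are the ones from this guide; the password argument is whatever you generate.

```shell
#!/bin/sh
# Added example, not from the original guide: derive the directory suffix
# from the Kerberos realm and generate the complete ldapmodify input for the
# RADIUS service account, so every DN in the LDIF carries the same suffix.
# The hostname/realm used in the comments are the guide's example values.

# realm_to_basedn REALM  ->  LDAP.VMBS.UK becomes dc=ldap,dc=vmbs,dc=uk
realm_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# radius_service_dn HOST REALM  ->  DN of the service entry; this is also the
# bind DN to configure in the RADIUS server's LDAP module.
radius_service_dn() {
    printf 'krbprincipalname=radius/%s@%s,cn=services,cn=accounts,%s\n' \
        "$1" "$2" "$(realm_to_basedn "$2")"
}

# radius_ldif HOST REALM PASSWORD  ->  LDIF for ldapmodify that
#   1. adds simpleSecurityObject + userPassword so the service can bind with
#      a password (389 DS stores it hashed with its password storage scheme),
#   2. adds the service to "adtrust agents", a groupOfNames, via member.
radius_ldif() {
    host=$1; realm=$2; password=$3
    base=$(realm_to_basedn "$realm")
    svc=$(radius_service_dn "$host" "$realm")
    cat <<EOF
dn: $svc
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: $password

dn: cn=adtrust agents,cn=sysaccounts,cn=etc,$base
changetype: modify
add: member
member: $svc
EOF
}

# Usage (Directory Manager password prompted by ldapmodify):
#   radius_ldif radius.vmbs.uk LDAP.VMBS.UK "$(openssl rand -base64 32)" \
#     | ldapmodify -x -D 'cn=Directory Manager' -W
if [ $# -eq 3 ]; then
    radius_ldif "$1" "$2" "$3"
fi
```

Piping the output straight into ldapmodify keeps the generated password out of your shell history; the same radius_service_dn value is what goes into the RADIUS server's LDAP configuration as the bind identity.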

These steps give a RADIUS server a dedicated FreeIPA service account that can read ipaNTHash and nothing more. Adjust the hostnames, realm and directory suffix to your environment, and point your RADIUS server's LDAP module at the service DN and password created above.