How to Install the FreeIPA Server on Rocky Linux 9
FreeIPA is an open-source user identity management solution that greatly simplifies user authentication, as well as the creation and enforcement of policies and identity stores. This platform makes it easier for admins to work with identity management at scale.
The feature list for FreeIPA includes:
- Support for large groups of Linux machines.
- Built-in support for 389 Directory Server, MIT Kerberos, NTP, DNS, the Dogtag certificate system, SSSD, Active Directory integration, and more.
- Replication for redundancy.
- Built on top of well-known open-source protocols.
- Extensible management interfaces (including CLI, Web UI, XML-RPC and JSON-RPC APIs) as well as a Python SDK.
With FreeIPA you can enjoy centralized authentication management, fine-grained access control, One Time Password (OTP) support, and integrated Public Key Infrastructure (PKI) support.
If this sounds like something your business could use, keep reading to find out how to install this helpful service.
What you'll need
To get FreeIPA up and running, you'll need an instance of Rocky Linux 9, a user with sudo privileges, 4GB of RAM, 2 vCPUs, 10GB of storage, and an FQDN that is configured such that network traffic to the domain can be routed to the hosting server.
With those things at the ready, let's get to work.
Set your hostname and time-zone
Before you start the installation, you must first set the hostname for your machine. Fortunately, Rocky Linux has a built-in tool for this. Log into your machine and (if you use a desktop environment) open a terminal window.
At the terminal, set your hostname like so:
sudo hostnamectl set-hostname FQDN
Where FQDN is your actual fully qualified domain name.
Next, you'll want to map your server IP address and hostname in /etc/hosts. Open that file for editing with:
sudo nano /etc/hosts
At the bottom of that file, you'll add an entry in the following layout:
192.168.1.100 ipa.example.com ipa
Of course, you'll replace 192.168.1.100 with your server's IP address and ipa.example.com with your actual FQDN.
Save and close the file.
If you haven't already set your timezone, you can do that with the following command:
sudo timedatectl set-timezone TIMEZONE
Where TIMEZONE is your actual time zone in the proper format (such as America/Kentucky/Louisville).
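A quick pre-flight check for the hostname and /etc/hosts steps above, added here as an example rather than taken from the article: ipa-server-install refuses a short hostname or one that resolves to a loopback address, so the script confirms the name is a proper FQDN and that the hosts file maps it to a real address. The function names are this example's own, and the demo runs against a constructed hosts file rather than the real /etc/hosts.

```shell
#!/bin/sh
# Pre-flight check for the hostname and /etc/hosts steps (added example).

# valid_fqdn NAME: succeed only for a lowercase FQDN with at least two labels,
# each alphanumeric/hyphen and not starting or ending with a hyphen.
# localhost-style names are rejected because ipa-server-install refuses them.
valid_fqdn() {
    case "$1" in
        localhost|localhost.*|*.localdomain) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# hosts_ip_for FQDN FILE: print the address FILE (in /etc/hosts layout) maps
# FQDN to; fail if the name is absent or maps to a loopback address.
hosts_ip_for() {
    ip=$(awk -v host="$1" '
        { sub(/#.*/, "") }                       # drop trailing comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == host) { print $1; exit } }
    ' "$2")
    [ -n "$ip" ] || return 1
    case "$ip" in
        127.*|::1) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# preflight FQDN [FILE]: run both checks and report the result.
preflight() {
    host=$1; file=${2:-/etc/hosts}
    if ! valid_fqdn "$host"; then
        echo "FAIL: '$host' is not a lowercase fully qualified domain name" >&2
        return 1
    fi
    if ! ip=$(hosts_ip_for "$host" "$file"); then
        echo "FAIL: $file does not map $host to a non-loopback address" >&2
        return 1
    fi
    echo "OK: $host -> $ip"
}

# Demo against a constructed hosts file, not the real /etc/hosts.
demo=$(mktemp)
printf '127.0.0.1 localhost\n192.168.1.100 ipa.example.com ipa\n' > "$demo"
preflight ipa.example.com "$demo"
rm -f "$demo"
```

Run it as `preflight "$(hostname -f)"` on the server to check the live /etc/hosts before starting ipa-server-install.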
Configure the firewall
Next, we must open the firewall for the required ports with the following two commands:
sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,http,https,kerberos} --permanent
sudo firewall-cmd --reload
Install FreeIPA
It's now time to install FreeIPA, which can be done with the command:
sudo dnf install freeipa-server freeipa-server-dns freeipa-client -y
When the above command completes, you can then begin the interactive portion of the installation with the command:
sudo ipa-server-install --setup-dns
Make sure to answer the questions (or accept the defaults) and then, when prompted, create passwords for the Directory Manager and the IPA admin.
You'll have to answer a few more questions and then finally OK the installation to continue. When this completes, you'll see:
The ipa-server-install command was successful.
When the prompt returns, issue the following command to authenticate against the Kerberos server:
kinit admin
You'll be prompted to type the admin password you created during the installation. When this completes, you can then open a web browser and point it to https://DOMAIN (where DOMAIN is your FQDN). Log in with admin as the username and the admin password you created during the installation. You'll then find yourself on the FreeIPA dashboard, where you can start managing identities.
Using the ipa command
You can also work with the ipa command to add users. Say you want to add the user Olivia Nightingale. This can be done with the command:
ipa user-add olivia --first=Olivia --last=Nightingale --password
You'll be prompted to type and verify a password. You can verify the addition by searching for the user with the command:
ipa user-find olivia
The output should include the details for the user.
You can add groups with the ipa command like so:
ipa group-add --desc='Editorial Department' editorial
Once added, you can verify it by searching for the group like so:
ipa group-find editorial
Add the newly created user to the new group with the command:
ipa group-add-member --user=olivia editorial
And that's the gist of installing and using FreeIPA on Rocky Linux 9. This tool will quickly become invaluable to your business. With this tool you can add more hosts, users, and groups to make identity management even easier.
Setting up the FreeIPA client
With the server taken care of, you then want to install and configure the client, so you can connect to the server. Install the required software with:
sudo yum install freeipa-client -y
When that completes, start the installation process with the command:
sudo ipa-client-install --mkhomedir
You will be asked to provide the following:
- Domain name of the FreeIPA server
- IPA server name
- Client Hostname
- User authorized to enroll computers
- Password for the user authorized to enroll computers
Once this is taken care of, change to the user you created with the ipa user-add command from above like so:
su - USERNAME
Where USERNAME is the name of the user.
You can then open a session to ensure all is well by issuing the command:
ssh -k USERNAME@DOMAIN
Where USERNAME is the username you created with ipa user-add and DOMAIN is the domain of your FreeIPA server. If you can successfully log in, all is working as expected.