Are you looking for an easy guide on how to install FreeIPA server on Linux ?
The step-by-step guide on this page will show how to install FreeIPA server on RHEL 8 , Rocky Linux 8 and AlmaLinux 8.
FreeIPA is a free and open source centralized identity and access management tool for Linux-based systems, it is the upstream project for Red Hat identity manager. Using FreeIPA, we can easily manage centralized authentication along with account management, policy (host-based access control) and audit.
FreeIPA is based on the following Open Source projects,
- LDAP Server – based on the 389 project
- KDC – based on MIT Kerberos implementation
- PKI based on Dogtag project
- Samba libraries for Active Directory integration
- DNS Server based on BIND and the Bind-DynDB-LDAP plugin
- NTP
Prerequisites
- Pre Installed RHEL 8 or Rocky Linux 8 or AlmaLinux 8
- Sudo User with admin rights
- RAM = 2 GB
- CPU =2 vCPU
- Disk = 12 GB free space on /
- Internet connectivity
Lab Details for FreeIPA
- IP Address = 192.168.1.102
- Hostanme = ipa.linuxtechi.lan
- OS: RHEL 8 or Rocky Linux 8 or AlmaLinux 8
Without further ado, let’s deep dive into FreeIPA installation steps,
1) Set Hostname and Install Updates
Open the terminal of your server and set the hostname using hostnamectl command,
$ sudo hostnamectl set-hostname "ipa.linuxtechi.lan" $ exec bash
Install updates using yum/dnf command and then reboot it
$ sudo dnf update -y $ sudo reboot
2) Update the hosts file & Set SELinux as Permissive
Run the below tee command to update /etc/hosts file, replace the ip address and hostname as per your setup.
$ echo -e "192.168.1.102\tipa.linuxtechi.lan\t ipa" | sudo tee -a /etc/hosts
Set the selinux as permissive, run following commands,
$ sudo setenforce 0 $ sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config ]$ getenforce Permissive $
3) Install FreeIPA and its Components
FreeIPA packages and its dependencies are available in the Appstream package repositories. As we are planning to install integrated DNS of FreeIPA, so we will also install “ipa-server-dns & bind-dyndb-ldap”
Run the below command to install FreeIPA and its dependencies
$ sudo dnf -y install @idm:DL1 $ sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
4) Start FreeIPA Installation
Once FreeIPA package and it’s dependencies are installed successfully then use the below command to start the freeipa installation setup,
It will prompt couple of things like to configure Integrated DNS, Host name, Domain Name and Realm Name.
$ sudo ipa-server-install
Output of above command would be something like below
After pressing yes in above window, it will take some time to configure your FreeIPA server and once it has been setup successfully then we will get output something like below,
Above output confirms that FreeIPA has been installed successfully.
5) Allow FreeIPA ports in Firewall
In case OS firewall is running on your server then run beneath firewall-cmd commands to allow FreeIPA ports,
$ sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
$ sudo firewall-cmd --reload
6) Access FreeIPA admin portal
Execute the below ipactl command to check whether all services of FreeIPA are running or not
[sysops@ipa ~]$ ipactl status You must be root to run ipactl. [sysops@ipa ~]$ sudo ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful [sysops@ipa ~]$
Let’s verify whether admin user will get token via Kerberos using the kinit command, use the same password of admin user that we supplied during FreeIPA installation.
$ kinit admin $ klist
Output of above commands,
Perfect, output above confirms that admin gets the token. Now, try to access FreeIPA Web Console, type following url on web browser,
https://ipa.linuxtechi.lan/ipa/ui
or
https://<Server-IPAddress>/ipa/ui
Use the user name as admin and the password that we specify during the installation.
For FreeIPA web console, self-signed ssl certificates are used that’s why we got this window, so click on “Accept the Risk and Continue”
After entering the credentials, click on ‘Log in‘
This confirms that we have successfully setup FreeIPA on RHEL 8/Rocky Linux 8 / AlmaLinux8.
That’s all from this, I hope you have found it informative. Kindly do post your queries and feedback in below comments section.
Read Also : How to Install FreeIPA Client on RHEL | Rocky Linux | AlmaLinux
Thanks for correct steps
Not able to access the web UI, FreeIPA is installed successfully. error “DNS_PROBE_FINISHED_NXDOMAIN”
Hello Gauray. Do you solve it .I found the same problem
Do you have DNS setup? If not add in the /etc/hosts file like- 10.103.x.x ipa.linuxtechi.lan
Thanks for this,it really helped me a lot.
Is there a way this can be installed on a system with no internet connection. All i have is a Basic Server with a GUI. Can this be done and if so how?
Thanks
Dave,
Ultimately the answer is “no”. The free-ipa package has a LOT of dependencies (~250) that you would need to download and make available to your target system.
For me, the solution was to create a CentOS repository on a machine connected to the Internet, move it to my closed network, and install my Identity Manager from this repository.
I also have a requirement to install CentOS Identity Manager clients from the repository, so the solution works for me.
Create a local yum repos! Copy all the packages or mount iso staright and point your local repos to that mount point. It will be achievable. As admin mention ipa does need packages/dependencies so local repos would be perfect solution if you don’t have internet connection!
This is good article, Thank you so much for writing step by step article
Can we setup FreeIPA on CentOS 8.2 also?
showing this error
ipa.ipapython.install.cli.install_tool(Server): ERROR Integrated DNS requires ‘ipa-server-dns’ package
can i use ipa on centos 7 as a website hosting server for my own websites? i ask because it doesn’t really mention anything about being a hosting server and i have been 3 years trying to turn my home desktop into a private website server for my wife and i.
Dear Support Team,
I am unable to start httpd service of freeipa .how to resolved it.
i am getting below error, please advise, where do i need to check this DNS entry ?
Checking DNS domain byuprod.cxos.tech., please wait …
DNS zone byuprod.cxos.tech. already exists in DNS and is handled by server(s): [‘ns-1536.awsdns-00.co.uk.’, ‘ns-512.awsdns-00.net.’, ‘ns-0.awsdns-00.com.’, ‘ns-1024.awsdns-00.org.’]
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information