How to install FreeIPA Server and integrate with Freeradius on AlmaLinux 9 and Rocky Linux 9

Introduction

FreeIPA (Free Identity, Policy, Audit) is a free and open-source identity management tool built on an LDAP directory and Kerberos. It manages the identification, authentication and authorization of users and hosts in a Linux network. Like Microsoft Active Directory, FreeIPA can manage a domain with users, hosts, policies and trust relationships, and it can establish a trust relationship with an AD forest.

The FreeIPA server can also be configured with optional components such as a DNS server, a certificate authority, NetBIOS and more. It is the upstream project of RHEL Identity Management (IdM) and offers the same functionality, apart from some visual differences in its UI.

In this post, we will cover the installation of the FreeIPA server on AlmaLinux / Rocky Linux 9 and the configuration of two-factor authentication (2FA) for users using FreeOTP. Finally, we will briefly discuss the steps required to integrate the FreeIPA server with a RADIUS-based system like Freeradius using LDAP (FreeIPA + Freeradius).

Features of FreeIPA Server

Identity Management

The main feature of the FreeIPA server is identity management, which facilitates the administration of user accounts, passwords and group membership using its web UI or CLI. Moreover, end users can self-manage their accounts with limited permissions.

Kerberos Authentication:

Kerberos is an authentication protocol that verifies the authenticity of users and hosts. The FreeIPA server is integrated with Kerberos authentication and offers single sign-on (SSO): users authenticate once and get access to multiple services without logging in again.

Certificate Management:

The FreeIPA server includes tools to manage certificates and Public Key Infrastructure (PKI) for hosts and services. This is useful for encrypting messages and validating identities.

Policy Management:

Policy management allows administrators to create and enforce policies related to access control lists (ACLs) and permissions. This feature greatly helps to secure resources and user access.

Directory Service:

The directory service is built on top of the LDAP (Lightweight Directory Access Protocol) protocol. It offers a central repository for storing identity data, searching directory entries and applying ACLs and policies to users. The directory service also integrates tightly with Kerberos.

Integration with Other Systems:

The FreeIPA server can be integrated with external identity providers. For example, you can integrate FreeIPA with Windows Active Directory (AD) to manage users and domain controllers.

Prerequisites

To install the FreeIPA server on AlmaLinux 9 or Rocky Linux 9, ensure you meet the following requirements.

  • A running local or cloud instance of AlmaLinux 9 or Rocky Linux 9.
  • SSH access to the server with sudo privileges.
  • A server with at least 2 CPUs and 4 GB of RAM.

Install FreeIPA Server on Rocky Linux 9 / AlmaLinux 9

In the first step, assign a hostname to the FreeIPA server; it should be a fully qualified domain name (FQDN).

Update the installed packages and set the hostname of the server.

$ sudo dnf update
$ sudo hostnamectl set-hostname ipa.kubelynx.xyz

Edit the host file to add the server IP address and hostname.

$ sudo vi /etc/hosts
172.26.14.152 ipa.kubelynx.xyz

Verify the FQDN of the server.

$ hostname -f
ipa.kubelynx.xyz

Set the timezone of the FreeIPA server.

$ sudo timedatectl set-timezone Asia/Kolkata

Next, install the FreeIPA packages on the server. The additional freeipa-server-dns and freeipa-client packages are not mandatory, but they are needed if you opt for the FreeIPA DNS server and for client authentication on the FreeIPA server itself.

$ sudo dnf -y install freeipa-server freeipa-server-dns freeipa-client

Once the packages are installed, the next step is to run the installer to set up the FreeIPA server. The installer can be invoked in two ways: interactive and non-interactive.

In the non-interactive way, provide all the options on the ipa-server-install command line to install it unattended.

$ sudo ipa-server-install --realm KUBELYNX.XYZ \
 --ds-password DS_PassWord \
 --admin-password ADM_PassWord \
 --unattended

These four options, --realm, --ds-password, --admin-password and --unattended, are the minimum set of options the ipa-server-install command needs for a non-interactive installation.

Nonetheless, we will go ahead and execute the ipa-server-install command interactively.

Run the ipa-server-install command with one or two options such as --domain or --realm; the installer will ask you to confirm the remaining values during the setup of the IPA server.

$ sudo ipa-server-install --domain kubelynx.xyz --realm KUBELYNX.XYZ --setup-dns
 The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.11.0
This includes:
 * Configure a stand-alone CA (dogtag) for certificate management
 * Configure the NTP client (chronyd)
 * Create and configure an instance of Directory Server
 * Create and configure a Kerberos Key Distribution Center (KDC)
 * Configure Apache (httpd)
 * Configure DNS (bind)
 * Configure SID generation
 * Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com
Server host name [ipa.kubelynx.xyz]: ipa.kubelynx.xyz   ← FQDN of FreeIPA Server

Next, provide the directory manager and IPA admin password.

Directory Manager password: 
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: 
Password (confirm):

Configure DNS forwarders, reverse zone and a NetBIOS domain name.

Checking DNS domain kubelynx.xyz., please wait ...
Do you want to configure DNS forwarders? [yes]: yes  ← Type 'yes' for DNS forwarders
Following DNS servers are configured in /etc/resolv.conf: 172.26.0.2  ← DNS server list fetched from /etc/resolv.conf
Do you want to configure these servers as DNS forwarders? [yes]: yes  ← Type yes to use the above DNS server as forwarders.
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 8.8.4.4 ← Optional DNS server 1
DNS forwarder 8.8.4.4 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 1.1.1.1 ← Optional DNS server 2
DNS forwarder 1.1.1.1 added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip: 
DNS forwarders: 172.26.0.2, 8.8.4.4, 1.1.1.1 ← Configured DNS server
Checking DNS forwarders, please wait ...
DNS server 172.26.0.2 does not support DNSSEC: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
DNS server 172.26.0.2: answer to query '. SOA' is missing DNSSEC signatures (no RRSIG data)
Please fix forwarder configuration to enable DNSSEC support.
WARNING: DNSSEC validation will be disabled
Do you want to search for missing reverse zones? [yes]: yes ← Automatic detection of reverse zone.
Reverse record for IP address 172.26.14.152 already exists
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [KUBELYNX]: KUBELYNX ← NetBIOS domain name.

Optionally, you can also configure the FreeIPA server with a pool of NTP servers.

Do you want to configure chrony with NTP server or pool address? [no]: yes ← Type yes for NTP server
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.in.pool.ntp.org,1.in.pool.ntp.org,2.in.pool.ntp.org,3.in.pool.ntp.org ← Pool of NTP server.
Enter a NTP source pool address, or press Enter to skip:
The IPA Master Server will be configured with:
Hostname:       ipa.kubelynx.xyz
IP address(es): 172.26.14.152
Domain name:    kubelynx.xyz
Realm name:     KUBELYNX.XYZ
The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=KUBELYNX.XYZ
Subject base: O=KUBELYNX.XYZ
Chaining:     self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.26.0.2, 8.8.4.4, 1.1.1.1
Forward policy:   only
Reverse zone(s):  No reverse zone
NTP server:    0.in.pool.ntp.org
NTP server:    1.in.pool.ntp.org
NTP server:    2.in.pool.ntp.org
NTP server:    3.in.pool.ntp.org
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

A successful FreeIPA server installation prints a comprehensive list of the TCP/UDP ports to open, the client hostname, the realm, the DNS domain, the URL of the IPA server and the LDAP BaseDN.

...
...
Client hostname: ipa.kubelynx.xyz
Realm: KUBELYNX.XYZ
DNS Domain: kubelynx.xyz
IPA Server: ipa.kubelynx.xyz
BaseDN: dc=kubelynx,dc=xyz
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/lightsail_instance_ca.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring kubelynx.xyz as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp
    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.
...
...

At this stage, the installation of the FreeIPA server is complete. Use the netstat command to list the listening ports of the FreeIPA server. For example, to verify the ports opened by the FreeIPA LDAP server (the 389 Directory Server process, ns-slapd), execute the following command.

$ sudo netstat -pltn | grep ns-slapd

Another important service to check is the FreeIPA DNS server, which runs as the BIND (named) service on port 53.

Before accessing the FreeIPA web interface, check whether firewalld is active on the server; if it is, open the required services on firewalld.

$ sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent --zone=public
$ sudo firewall-cmd --reload
success

Make sure to update the SELinux mode to permissive and reboot the server.

$ sudo vi /etc/selinux/config
...
...
SELINUX=permissive
...
...
$ sudo reboot

Access FreeIPA Web UI

The FreeIPA Web UI is a web-based application designed for easier administration of the FreeIPA server and matches the functionality of the IPA command-line utility (CLI). It has two operating modes: self-service and administration.

The self-service mode enables users to handle their accounts independently, including updating their information, viewing their details, and changing their passwords.

The administration mode is designed for members of the admins group (and other users granted administrative permissions) to administer the full FreeIPA server.

Access the web interface of your FreeIPA server at http://FQDN_FreeIPA_Server


FreeIPA server login page


Log in with the IPA admin user and the password you configured previously.


FreeIPA server home page

Manage FreeIPA server with CLI

The primary purpose of the IPA CLI tool is to manage the FreeIPA server by running various administrative tasks with the available options. Most of these tasks are carried out remotely via XML-RPC against the FreeIPA server named in the configuration file.

Before using the FreeIPA CLI, you must first obtain a Kerberos ticket with the following command.

$ kinit admin
Password for admin@KUBELYNX.XYZ: 

Check the Kerberos ticket expiration time.

$ klist
Ticket cache: KCM:1000
Default principal: admin@KUBELYNX.XYZ
Valid starting       Expires              Service principal
07/28/2024 20:28:56  07/29/2024 20:04:09  HTTP/ipa.kubelynx.xyz@KUBELYNX.XYZ
07/28/2024 20:28:52  07/29/2024 20:04:09  krbtgt/KUBELYNX.XYZ@KUBELYNX.XYZ

Once you have a Kerberos ticket, you can start using the FreeIPA CLI. Begin by listing all the users registered on the FreeIPA server.

$ ipa user-find
--------------
1 user matched
--------------
 User login: admin
 Last name: Administrator
 Home directory: /home/admin
 Login shell: /bin/bash
 Principal alias: admin@KUBELYNX.XYZ, root@KUBELYNX.XYZ
 UID: 661400000
 GID: 661400000
 Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

Add a new user account in the FreeIPA server with the following command.

$ ipa user-add alfred --first=Alfred --last=Gomez --email=alfred@googlemail.com --password
Password: 
Enter Password again to verify: 
-------------------
Added user "alfred"
-------------------
 User login: alfred
 First name: Alfred
 Last name: Gomez
 Full name: Alfred Gomez
 Display name: Alfred Gomez
 Initials: AG
 Home directory: /home/alfred
 GECOS: Alfred Gomez
 Login shell: /bin/sh
 Principal name: alfred@KUBELYNX.XYZ
 Principal alias: alfred@KUBELYNX.XYZ
 User password expiration: 20240728150920Z
 Email address: alfred@googlemail.com
 UID: 661400003
 GID: 661400003
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

List the users again to verify that the new user has indeed been added.

$ ipa user-find
---------------
2 users matched
---------------
...
...

To delete a user with ipa, use the following command.

$ ipa user-del alfred
---------------------
Deleted user "alfred"
---------------------

Use the help command to invoke the built-in documentation system of the FreeIPA server.

$ ipa help

2FA authentication with FreeIPA and FreeOTP

Two-factor authentication (2FA) enhances the security of the authentication process by adding one-time passwords (OTP). The FreeIPA server can enable 2FA for its users.

To add or update a user's authentication scheme to 2FA, use the option --user-auth-type=otp with the IPA CLI.

$ ipa user-mod alfred --user-auth-type=otp
----------------------
Modified user "alfred"
----------------------
 User login: alfred
 First name: Alfred
 Last name: Gomez
 Home directory: /home/alfred
 Login shell: /bin/sh
 Principal name: alfred@KUBELYNX.XYZ
 Principal alias: alfred@KUBELYNX.XYZ
 Email address: alfred@googlemail.com
 UID: 661400004
 GID: 661400004
 User authentication types: otp
 Account disabled: False
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

You can do the same operation in the FreeIPA web UI by selecting the user and ticking the 2FA scheme.


2FA authentication in FreeIPA server


In the next step, add the OTP token by choosing the option under the 'Actions' menu on the user's page.


FreeIPA server add OTP token


Choose the OTP type as time-based (TOTP) and provide a description for the token. Adjust the other OTP options as required.


FreeIPA add OTP options.


In this step, scan the QR code with FreeOTP on your mobile device. Download and install FreeOTP on your mobile if you have not done so yet.


Scan QR code in FreeIPA server


After scanning the above QR code, the token generator will be available on your mobile device.


FreeIPA Token Generator


To enable two-factor authentication (2FA) for users on a FreeIPA server, follow the steps in the section above. However, you also need to adjust the authentication settings of your client applications to use 2FA. This includes applications such as OpenVPN, SSH, web or email services, and any other application that supports 2FA.

Integrate FreeIPA with Freeradius using LDAP (FreeIPA + Freeradius)

Configuring the FreeIPA server with Freeradius (FreeIPA + Freeradius) is optional, but if you want to integrate your FreeIPA server with a RADIUS-based authentication system such as Freeradius, follow the steps in this section. Freeradius is a popular multi-protocol policy server that supports RADIUS, DHCPv4, DHCPv6, DNS and more to authenticate and authorize users in a network.

The Freeradius server authenticates RADIUS-compatible systems such as VPNs, firewalls, routers, 802.1X (Wi-Fi), dial-up, PPPoE, VoIP and many others using the software token provided by the IPA server. When a user logs in to a RADIUS-compatible system, a RADIUS request is sent to the Freeradius server, which queries the LDAP server to check that the user exists and that the credentials are correct.

To demonstrate the integration of the FreeIPA server with the Freeradius server using LDAP, we will create a test user and a group on the FreeIPA server as admin.

Add a RADIUS group (for example vpn_group or wifi_group); here we use radius_group.

$ ipa group-add radius_group
--------------------------
Added group "radius_group"
--------------------------
 Group name: radius_group
 GID: 1742200003

Add a user.

$ ipa user-add --first=Radius --last=User radius_user1 --password
Password: 
Enter Password again to verify: 
-------------------------
Added user "radius_user1"
-------------------------
 User login: radius_user1
 First name: Radius
 Last name: User
 Full name: Radius User
 Display name: Radius User
 Initials: RU
 Home directory: /home/radius_user1
 GECOS: Radius User
 Login shell: /bin/sh
 Principal name: radius_user1@KUBELYNX.XYZ
 Principal alias: radius_user1@KUBELYNX.XYZ
 User password expiration: 20240731074218Z
 Email address: radius_user1@kubelynx.xyz
 UID: 1742200005
 GID: 1742200005
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

Add the user to the group radius_group that we created previously.

$ ipa group-add-member radius_group --users=radius_user1
 Group name: radius_group
 GID: 1742200003
 Member users: radius_user1
-------------------------
Number of members added 1
-------------------------

Search for the user in the LDAP database; ldapsearch prompts for the Directory Manager password.

$ ldapsearch -D "cn=Directory Manager" -x uid=radius_user1 -W
Enter LDAP Password:

Users are required to reset their password on their first login to the FreeIPA server. Go to the FreeIPA server's URL and sign in as radius_user1 to update the password by entering the old password and the new one. An OTP is not required at this point.


Update password for FreeIPA user


Once the password is updated successfully, add an OTP token for the user. The following command prints the OTP token in the terminal, allowing you to copy it to your mobile device or forward it to the end user.

$ ipa otptoken-add --owner=radius_user1 --type=totp
------------------
Added OTP token ""
------------------
 Unique ID: 7c2f5669-b65c-4570-9260-e5a7c353efb4
 Type: TOTP
 Owner: radius_user1
 Key: 4Sm06Ct2FStk0V4TBTyafgjtwfamJtHrkDemu5Myptw2mMo=
 Algorithm: sha1
 Digits: 6
 Clock offset: 0
 Clock interval: 30
 URI: otpauth://totp/radius_user1@KUBELYNX.XYZ:7c2f5669-b65c-4570-9260-e5a7c353efb4?issuer=radius_user1%40KUBELYNX.XYZ&secret=4EU3J2BLOYKSWZGRLYJQKPE2PYEO3QPWUYTND24QG6TLXEZSU3ODNGGK&digits=6&algorithm=SHA1&period=30
 ...
 ...

Enable two-factor authentication for the user.

$ ipa user-mod radius_user1 --user-auth-type=otp

At this stage, the configuration of the test user and group in the FreeIPA server is complete.

Next, create a bind user in the LDAP database. The Freeradius server will use this bind user to log in and search the directory tree with the LDAP bind() operation.

$ vi bind-user.ldif
dn: uid=bind-user,dc=kubelynx,dc=xyz
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: bind-user
userPassword: password

Create the bind user. ldapmodify prompts for the Directory Manager password (-W) rather than taking it on the command line, where it would end up in the shell history and process list.

$ ldapmodify -h ipa.kubelynx.xyz -p 389 -x -D "cn=Directory Manager" -W -f bind-user.ldif
Enter LDAP Password:
adding new entry "uid=bind-user,dc=kubelynx,dc=xyz"

Install Freeradius

Install the Freeradius packages with the following command.

$ sudo dnf install freeradius freeradius-utils freeradius-ldap freeradius-krb5

Create certificates for the RADIUS server.

$ cd /etc/raddb/certs
$ ./bootstrap

To configure the RADIUS server to authenticate the software tokens provided by the FreeIPA server, the RADIUS server must accept requests from RADIUS clients, including the FreeIPA server. For that, append the following stanza to the RADIUS client configuration file.

$ vi /etc/raddb/clients.conf
client localnet {
        ipaddr = 172.26.14.135/20
        proto = *
        secret = yoursecret
        nas_type = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

Next, edit two files, /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel: remove the line -ldap and add the following lines in its place.

...
...
ldap
if ((ok || updated) && User-Password) {
        update {
                control:Auth-Type := ldap
        }
}
...
...

Freeradius enable ldap module


Also, uncomment the following lines in both files.

...
...
Auth-Type LDAP {
        ldap
}
...
...

Freeradius enable LDAP authentication type


Enable the LDAP module for the Freeradius server.

$ ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

Next, edit the file /etc/raddb/mods-enabled/ldap, where all LDAP-related configuration is stored. Adjust the configuration parameters in this file according to your FreeIPA environment.

...
...
ldap {
        server = 'ipa.kubelynx.xyz'                    ← IPA server address
        identity = 'uid=bind-user,dc=kubelynx,dc=xyz'  ← The DN of the bind user created above.
        password = password                            ← The password of the bind user.
        base_dn = 'dc=kubelynx,dc=xyz'                 ← The base DN to use for all searches.
        …
        …
        user {
                #  Where to start searching in the tree for users
                base_dn = "cn=users,cn=accounts,${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"  ← User filter (uid).
                …
                …
        }
        group {
                base_dn = "cn=radius_group,cn=groups,cn=accounts,${..base_dn}"  ← Base DN for the group search.
                filter = "(objectClass=groupOfNames)"  ← Object class filter for groups.
                name_attribute = cn
                membership_filter = "(|(member=%{control:${..user_dn}})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                …
                …
        }
...
...

Save the file and run the RADIUS server in debug mode to test the configuration.

$ radiusd -X

Open another terminal and authenticate the user (radius_user1) against the RADIUS server. The password is the user's password immediately followed by the current OTP code (password+OTP).

$ radtest radius_user1 newpassword380066 ipa.kubelynx.xyz 1812 yoursecret
Sent Access-Request Id 1 from 0.0.0.0:55078 to 172.26.14.135:1812 length 98
    User-Name = "radius_user1"
    User-Password = "newpassword380066"
    NAS-IP-Address = 172.26.14.135
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "newpassword380066"
Received Access-Accept Id 1 from 172.26.14.135:1812 to 172.26.14.135:55078 length 20

If you receive an Access-Accept response, the integration between FreeIPA and Freeradius is working. An Access-Reject response will print the errors in the debug console so you can investigate the cause.
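To check a token before handing it to a user, and to see how the password+OTP value sent by radtest above is formed, the following Python script (an added example, not part of the original post or of FreeIPA) parses the otpauth URI printed by ipa otptoken-add, computes the TOTP code per RFC 6238 and builds the RADIUS password. The URI, the base64 Key line and the token id in it are constructed sample values; the secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample values in the shape of `ipa otptoken-add` output.
# The secret is the RFC 6238 test key "12345678901234567890", shown the
# two ways FreeIPA prints it: base64 in the "Key:" line, base32 in the URI.
SAMPLE_KEY_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
SAMPLE_URI = (
    "otpauth://totp/radius_user1@KUBELYNX.XYZ:constructed-token-id"
    "?issuer=radius_user1%40KUBELYNX.XYZ"
    "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=6&algorithm=SHA1&period=30"
)

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri):
    """Return the token parameters carried in an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper()
    # Some generators omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in DIGESTS:
        raise ValueError("unsupported algorithm %s" % algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": algorithm,
    }


def totp(secret, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = int(timestamp) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def key_matches_uri(key_b64, uri):
    """Check that the base64 Key line and the base32 URI secret are the same bytes."""
    return base64.b64decode(key_b64) == parse_otpauth_uri(uri)["secret"]


def radius_password(static_password, uri, timestamp=None):
    """Build the User-Password value FreeIPA expects for an OTP user: password+OTP."""
    token = parse_otpauth_uri(uri)
    if timestamp is None:
        timestamp = time.time()
    code = totp(token["secret"], timestamp, token["digits"], token["period"], token["algorithm"])
    return static_password + code


if __name__ == "__main__":
    token = parse_otpauth_uri(SAMPLE_URI)
    print("token for", token["label"])
    print("Key/URI secret consistent:", key_matches_uri(SAMPLE_KEY_B64, SAMPLE_URI))
    # RFC 6238 vector: T=59 with this key gives 94287082 (8 digits), i.e. 287082 (6 digits)
    print("TOTP at T=59:", totp(token["secret"], 59))
    print("User-Password now (constructed password):", radius_password("newpassword", SAMPLE_URI))
```

Run it against the real URI from your own otptoken-add output to confirm the code on the phone matches before the user tries radtest.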

Enable the radiusd systemd service and start it.

$ sudo systemctl enable radiusd.service
$ sudo systemctl start radiusd.service
$ sudo systemctl status radiusd.service

Optionally, you can set group rules (not part of the LDAP module configuration) in the users file, /etc/raddb/users on AlmaLinux/Rocky Linux.

DEFAULT LDAP-Group == "radius_group"

DEFAULT Auth-Type := Reject
        Reply-Message = "Sorry, you're not part of radius group."

With this, any user who is not a member of radius_group is rejected with the configured reply message. Restart the RADIUS server and run radtest with such a user to see the result.

Conclusion

In this article, we explored the process of installing and configuring a FreeIPA server on AlmaLinux 9 and Rocky Linux 9, covering several key elements. Additionally, the article showed how to connect a FreeIPA server to Freeradius using the LDAP module.

FreeIPA is a robust tool for handling identity and authentication across Linux environments. Even though setting up and managing a FreeIPA server can be complex, it remains a compelling choice for organizations looking to strengthen the security and control of user access. One more caveat: because it holds the credentials and policies for the whole domain, a FreeIPA server should be one of the most closely guarded servers in any network.
