FreeIPA - Identity Management System

Introduction to FreeIPA

FreeIPA is used for authentication at Freeside. It provides an all-in-one system that implements an LDAP directory along with Kerberos, DNS and a certificate authority (CA). It is advised to familiarise yourself with LDAP and Kerberos before using FreeIPA.

Here is a basic introduction to LDAP and an ELI5 for Kerberos.

The FreeIPA documentation can also be very useful.

URL for FreeIPA: ipa.freeside.co.uk (150.237.94.146)

Installing a FreeIPA server

Instead of including information which will go out of date on the Wiki I shall link to a guide on http://server-world.info. Their guides are straight to the point and regularly updated for new distro releases.
Fedora 27 : FreeIPA : Server World - This is the guide I followed to set up FreeIPA

Installing a FreeIPA Client

First make sure the client has a fully qualified domain name (FQDN), for example fs-importantserver-01.freeside.co.uk rather than a bare localhost entry, in its /etc/hosts file. A corresponding forward (and reverse) entry should also be made on the DNS server hosted on ipa.freeside.co.uk, and in that server's /etc/hosts file. Kerberos and Kerberised NFS both look hosts up by name, so a short or mismatched name will cause failures later.

You should also check that the client uses 150.237.94.146 as its DNS server. Without this the client cannot resolve the IPA server and the Kerberos KDC records published in DNS, and you will have problems connecting to Kerberos down the line.
Setting the DNS server requires you to run the following series of commands:
# nmcli con mod <connection> ipv4.dns "150.237.94.146"
# nmcli con down <connection>
# nmcli con up <connection>
<connection> is the connection name shown by running # nmcli con show.

Installing a client is as simple as running the command:

ipa-client-install --server=ipa.freeside.co.uk --domain=freeside.co.uk --fixed-primary --hostname=fs-desktop-04.freeside.co.uk

You’ll now be asked a series of questions. Here are the answers you should use:

Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 
Enter a NTP source pool address, or press Enter to skip: europe.pool.ntp.org
Client hostname: fs-desktop-04.freeside.co.uk
Realm: FREESIDE.CO.UK
DNS Domain: freeside.co.uk
IPA Server: ipa.freeside.co.uk
BaseDN: dc=freeside,dc=co,dc=uk
NTP pool: europe.pool.ntp.org

Continue to configure the system with these values? [no]: yes

After this, you’ll be asked for a username and password. This should be the username and password of an admin on the FreeIPA server; the credentials are used once to enrol the host and retrieve its keytab and are not stored on the client.

Next, set up home directory automounting:

sudo ipa-client-automount --location=default --server=ipa.freeside.co.uk

We don’t use server autodiscovery, so you must specify --server explicitly here. On other networks where FreeIPA server autodiscovery (DNS SRV records) is set up, you don’t need to specify the server at all, provided the client’s DNS is correctly configured.
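The whole client procedure above, from the hostname and DNS checks through to enrolment and automount, as an added example script. It is not part of the original page or of the FreeIPA project: the server name, address, domain and NTP pool are the page's values; the admin principal name "admin" is an assumption (any FreeIPA admin account works); the pre-flight checks only read the system, and nothing is changed unless the script is run with the argument "enroll".

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks before
# ipa-client-install on a Freeside client, then the enrolment itself.
set -u

IPA_SERVER="ipa.freeside.co.uk"
IPA_SERVER_IP="150.237.94.146"
IPA_DOMAIN="freeside.co.uk"
NTP_POOL="europe.pool.ntp.org"
ADMIN_PRINCIPAL="admin"   # assumption: any IPA admin account will do

# The Kerberos realm is the DNS domain in upper case: FREESIDE.CO.UK
derive_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The base DN has one dc= component per DNS label: dc=freeside,dc=co,dc=uk
derive_basedn() {
    printf '%s' "$1" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# A host name qualifies only if it carries a label in front of the IPA
# domain; "localhost", a short name or the bare domain make enrolment and
# Kerberised NFS fail.
is_fqdn_in_domain() {   # is_fqdn_in_domain HOSTNAME DOMAIN
    case "$1" in
        *".$2") [ "${1%.$2}" != "" ] && [ "${1%.$2}" != "localhost" ] ;;
        *) return 1 ;;
    esac
}

# Is the IPA server listed as a nameserver in /etc/resolv.conf?
resolver_ok() {
    awk -v ip="$IPA_SERVER_IP" \
        '$1 == "nameserver" && $2 == ip { found = 1 } END { exit !found }' \
        /etc/resolv.conf
}

preflight() {
    fqdn=$(hostname -f 2>/dev/null || hostname)
    if ! is_fqdn_in_domain "$fqdn" "$IPA_DOMAIN"; then
        echo "hostname '$fqdn' is not an FQDN under $IPA_DOMAIN; fix /etc/hosts first" >&2
        return 1
    fi
    if ! resolver_ok; then
        echo "/etc/resolv.conf does not list $IPA_SERVER_IP; set it with nmcli first" >&2
        return 1
    fi
    if ! getent hosts "$IPA_SERVER" >/dev/null; then
        echo "cannot resolve $IPA_SERVER" >&2
        return 1
    fi
    echo "host $fqdn, realm $(derive_realm "$IPA_DOMAIN"), base DN $(derive_basedn "$IPA_DOMAIN")"
}

# Enrol with the same values the interactive prompts on the page use.
# The admin password is prompted for on the terminal: passing it with
# --password would expose it in the process list and shell history.
enroll() {
    preflight || return 1
    ipa-client-install \
        --server="$IPA_SERVER" --domain="$IPA_DOMAIN" --fixed-primary \
        --hostname="$(hostname -f)" --ntp-pool="$NTP_POOL" \
        --principal="$ADMIN_PRINCIPAL" || return 1
    # Separate step: home directory automounting (the page's second command).
    ipa-client-automount --location=default --server="$IPA_SERVER"
}

if [ "${1:-}" = "enroll" ]; then
    enroll
fi
```

Run it as root with no arguments to see the pre-flight result, and with "enroll" to join the domain. If the connection also receives nameservers from DHCP, set ipv4.ignore-auto-dns yes on it with the same nmcli con mod, otherwise the resolver check above may pass or fail depending on which server was listed first.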

Configuring a service to use LDAP authentication:

The LDAP base should be cn=users,cn=accounts,dc=freeside,dc=co,dc=uk
dc=freeside,dc=co,dc=uk on its own would work, but the application may then find users in the compat tree (cn=compat,dc=freeside,dc=co,dc=uk), which only presents a simplified view of each account and would result in the application not being able to retrieve user information such as email addresses.

The bind DN is uid=system,cn=sysaccounts,cn=etc,dc=freeside,dc=co,dc=uk
This is a system account which does not have write privileges. DO NOT USE A BIND DN WITH WRITE PERMISSION: the application stores the bind password, so a compromised application would otherwise be able to modify the directory.
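An added example, not from the original page, for checking these settings before putting them into an application: it looks a user up with ldapsearch under the accounts tree and confirms that the bind account is refused write access. The base DN, bind DN and server name are the page's values; ldaps on the default port 636 and the mail attribute are assumptions. It also shows the RFC 4515 escaping an application must apply when it builds the search filter from a login name, since otherwise a user can submit "*" or ")(uid=*" and change the query.

```shell
#!/bin/sh
# Added example (not from the original page): verify the LDAP settings
# above with the OpenLDAP client tools and build user filters safely.

LDAP_URI="ldaps://ipa.freeside.co.uk"            # assumption: ldaps, port 636
USER_BASE="cn=users,cn=accounts,dc=freeside,dc=co,dc=uk"
BIND_DN="uid=system,cn=sysaccounts,cn=etc,dc=freeside,dc=co,dc=uk"

# Escape a value for use inside a search filter (RFC 4515): backslash,
# star and parentheses become \5c, \2a, \28 and \29. Backslash goes first
# so the escapes introduced here are not escaped again.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter that matches exactly one IPA user by login name.
ipa_user_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_escape_filter "$1")"
}

# Look the user up under the accounts tree. The mail attribute is present
# here; the same search under the compat tree would return no mail.
# -W prompts for the system account's password on the terminal.
ipa_lookup_user() {   # ipa_lookup_user LOGIN
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$USER_BASE" "$(ipa_user_filter "$1")" uid mail
}

# The bind account must be read-only: a modify attempt on its own entry
# must be refused (ldapmodify exits with the LDAP result code, 50 for
# insufficient access). A zero exit here means the account can write.
bind_is_readonly() {
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: write test\n' "$BIND_DN" \
        | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W >/dev/null 2>&1
    [ $? -ne 0 ]
}

if [ "${1:-}" = "check" ]; then
    ipa_lookup_user "${2:-admin}" && bind_is_readonly && echo "bind account is read-only"
fi
```

Run it as "./ldapcheck.sh check <login>" from a host that trusts the IPA CA certificate; use the same ldaps URI in the application, so the bind password is never sent in clear.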

TODO:

  • Guide how to use the FreeIPA interface
  • Screenshots

Troubleshooting Q&A

Home directories are not mounting correctly

You may have one of two problems.

Firstly, you may have forgotten to set up automounting. This is a separate step from ipa-client-install. See the ipa-client-automount command above.

Secondly, you may have run into SELinux. Try this:

sudo setsebool -P use_nfs_home_dirs true

…and reboot. The -P flag makes the change persistent; without it the boolean reverts to off at the next reboot, which is exactly when you would notice.

Home directories are mounting correctly, but I’m getting a permission denied / stale file handle error

This is a seriously nasty one. Several things here will help:

  • Ensure that the desktops and the storage server are all up-to-date and running the same release of Fedora
  • Ensure that the FreeIPA server is fully patched
  • Make sure that the file /etc/gssproxy/99-nfs-client.conf is as follows:
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

Don’t forget to reboot too.
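A check script for both home-directory problems above, added here as an example and not part of the original page: it verifies the SELinux boolean, the autofs and gssproxy services, the host keytab, and parses the gssproxy nfs-client section to compare it with the settings listed. Paths and unit names are the Fedora defaults; nothing here changes the system.

```shell
#!/bin/sh
# Added example (not from the original page): diagnose NFS home directory
# problems on an enrolled FreeIPA client. Run as root.

GSSPROXY_CONF="/etc/gssproxy/99-nfs-client.conf"

# Print the value(s) of KEY inside the [service/nfs-client] section of a
# gssproxy file, one per line (cred_store appears several times).
gssproxy_get() {   # gssproxy_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[service\/nfs-client\][ \t]*$/); next }
        insect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v }
        }
    ' "$1"
}

# Compare the section against the settings the page lists.
gssproxy_conf_ok() {   # gssproxy_conf_ok FILE
    [ "$(gssproxy_get "$1" mechs)" = "krb5" ] &&
    [ "$(gssproxy_get "$1" cred_usage)" = "initiate" ] &&
    [ "$(gssproxy_get "$1" allow_any_uid)" = "yes" ] &&
    [ "$(gssproxy_get "$1" trusted)" = "yes" ] &&
    [ "$(gssproxy_get "$1" euid)" = "0" ] &&
    gssproxy_get "$1" cred_store | grep -qx 'keytab:/etc/krb5.keytab' &&
    gssproxy_get "$1" cred_store | grep -qx 'client_keytab:/var/lib/gssproxy/clients/%U.keytab'
}

check_homedirs() {
    rc=0
    # getsebool prints "use_nfs_home_dirs --> on"
    if [ "$(getsebool use_nfs_home_dirs 2>/dev/null | awk '{print $3}')" != "on" ]; then
        echo "SELinux: use_nfs_home_dirs is off; run: setsebool -P use_nfs_home_dirs true"
        rc=1
    fi
    if ! systemctl is-active --quiet autofs; then
        echo "autofs is not running; run ipa-client-automount --location=default --server=ipa.freeside.co.uk"
        rc=1
    fi
    if ! systemctl is-active --quiet gssproxy; then
        echo "gssproxy is not running; Kerberised NFS mounts will fail"
        rc=1
    fi
    if ! gssproxy_conf_ok "$GSSPROXY_CONF"; then
        echo "$GSSPROXY_CONF does not match the expected [service/nfs-client] section"
        rc=1
    fi
    # The host keytab is what gssproxy uses to authenticate the mount itself.
    if ! klist -k /etc/krb5.keytab 2>/dev/null | grep -q 'host/'; then
        echo "/etc/krb5.keytab has no host/ principal; re-run ipa-client-install"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "all home directory checks passed"
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    check_homedirs
fi
```

Run "./homedircheck.sh check" after the reboot; a stale file handle that persists when every check passes usually points at the storage server side (release mismatch or its own keytab), which this script cannot see.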