Implementing FreeIPA as a central Identity Management Solution

Step 3. Open Firewall ports

Now that the initial configuration is set up, let's open up the ports on the firewall and then log in.
To do this, run the following commands.

[root@ds01 ~]# for x in 80 443 389 636 88 464 53 ; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done
[root@ds01 ~]# for x in 88 464 53 123 ; do iptables -I INPUT -p udp --dport $x -j ACCEPT ; done
[root@ds01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@ds01 ~]#
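Once the rules are saved, it is worth confirming that every port FreeIPA needs really has an ACCEPT rule in the INPUT chain. The script below is an added example, not part of the original post: it reads `iptables -S INPUT` output on stdin and lists any of the TCP/UDP ports from the two loops above that have no matching rule; `SAMPLE_RULES` is a constructed sample in which the UDP 123 (NTP) rule was left out.

```shell
#!/bin/sh
# Added example: verify FreeIPA firewall rules from `iptables -S INPUT` output.

# The ports FreeIPA expects, one "proto port" pair per line
# (same list as the two iptables loops in Step 3).
ipa_required_ports() {
    for p in 80 443 389 636 88 464 53; do echo "tcp $p"; done
    for p in 88 464 53 123; do echo "udp $p"; done
}

# Read `iptables -S INPUT` style rules on stdin and print every required
# proto/port pair that has no ACCEPT rule. Prints nothing when all are present.
missing_ipa_ports() {
    rules=$(cat)
    ipa_required_ports | while read -r proto port; do
        # "( |$)" keeps --dport 80 from matching --dport 8080
        if ! printf '%s\n' "$rules" | \
             grep -Eq -e "^-A INPUT .*-p $proto .*--dport $port( |$).*-j ACCEPT"; then
            echo "$proto/$port"
        fi
    done
}

# Constructed sample of `iptables -S INPUT` after the loops, with UDP 123 missing.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 464 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# On a live server replace the sample with: iptables -S INPUT | missing_ipa_ports
printf '%s\n' "$SAMPLE_RULES" | missing_ipa_ports
```

Any line printed names a port that still needs a rule; with the NTP rule added, the check prints nothing.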


Phase 2. Connecting Red Hat / Fedora based client systems to FreeIPA for central authentication.

Next, let's add a “Member” system to the FreeIPA domain. Adding a server or a workstation is essentially the same process; in this example, I’ll add a client system.

What’s the difference, I hear you say? Basically, I will have a GUI on my client, whereas on my servers I do not. FreeIPA has a rather elegant WebUI as well as CLI options. I’ll show you both a little later.

For now, go grab another machine to install RHEL onto; this time, install the GUI and a browser as well. If you are performing a new installation, just select the “Desktop” system type.


Step 1. Install required packages
Once your client is installed and updated, install the following packages.

[root@workstation01 ~]# yum install -y ipa-client oddjob-mkhomedir


Step 2. Join domain
As this is a workstation, I want my users’ home directories to be created automatically on first login, and I want the host’s DNS record in IPA to be updated automatically, as I am using DHCP for my workstations.
Run the following command to join it to the domain. You will notice I have used the IPA admin user to join the domain.

[root@workstation01 ~]# ipa-client-install --mkhomedir --enable-dns-updates
Discovery was successful!
Hostname: workstation01.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ds01.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
DNS server record set to: workstation01.example.com -> 10.0.1.91
SSSD enabled
NTP enabled
Client configuration complete.
[root@workstation01 ~]#

2 comments on “Implementing FreeIPA as a central Identity Management Solution”

  1. Kevin McNally May 6, 2015 19:31

    Cool. Great work.
