Installation of FreeIPA server on CentOS 9 with LDAP/Kerberos authentication

What is FreeIPA?

FreeIPA is an open-source identity management solution that provides centralized authentication, authorization, and account information for Linux and Unix systems. It is built on top of several open-source technologies, including Kerberos, LDAP, and DNS. In this article, I will walk you through the process of installing and configuring the FreeIPA server on CentOS 9 and adding clients to it.

Prerequisites

Before we get started with the installation, make sure that you have the following:

  • Up to date CentOS 9 system
  • At least 2GB of RAM and 20GB of storage (you can get by with less, but it is better to have it)
  • Root privileges or sudo access

Systems used in this lab:

Server Name                 IP             Role
centos9.lab.local           192.168.1.90   FreeIPA Server
centos8-client.lab.local    192.168.1.82   FreeIPA Client

Step 1: Update the System

The first step is to update the system to the latest packages. Open a terminal and run the following command:

$ dnf update -y

Step 2: Install FreeIPA Server

The next step is to install the FreeIPA server. Run the following command in the terminal:

$ dnf -y install freeipa-server freeipa-server-dns freeipa-client

Step 3: Configure Firewall

By default, the firewall on CentOS 9 blocks all incoming connections. You need to open the necessary ports for the FreeIPA server to function properly. Run the following commands to open the required ports:

$ firewall-cmd --permanent --add-service={dns,freeipa-ldap,freeipa-ldaps,freeipa-replication}
$ firewall-cmd --reload

Step 4: Configure FreeIPA Server

Now that the FreeIPA server is installed, we need to configure it. Run the following command to start the configuration process:

$ ipa-server-install --setup-dns

If you have less memory than the minimum requirement and still want to install FreeIPA Server, use the --skip-mem-check flag to proceed with the installation.

Follow the prompts and enter the necessary information, such as the domain name, realm name and administrative password. In my example it looks like this:

The installation will take some time to complete; it consists of several main steps with sub-steps.

Once the configuration is done, the FreeIPA server will start automatically, and the installer prints the details of how to reach it, as follows:

Let’s connect to https://centos9.lab.local and see if we can login.

Of course the web site is available. I provided the credentials used during the installation and voilà – we are s

Step 5: Create test user

Once everything is in place, we need to test and validate that Kerberos authentication works from the client side. For this I will create a test user on the FreeIPA server, just to use it for a test login at the end. To create a user we first need a Kerberos ticket; otherwise user creation will be denied because the FreeIPA server cannot authenticate us. To obtain a Kerberos ticket, run the following commands:

$ kinit admin
$ klist

These commands authenticate you as the FreeIPA administrator and list the resulting ticket.

And to create a user:

$ ipa user-add testuser --first=Test --last=User --password

You will be prompted to provide the full user name and password. Please do so. Now we are done with the server configuration.

Step 6: Install FreeIPA Client

The last step is to install the FreeIPA client on your client systems. Run the following command to install the FreeIPA client on CentOS 9:

$ dnf install -y ipa-client

Once the installation is complete, you need to configure the client to connect to the FreeIPA server. Run the following command and follow the prompts to configure the client:

$ ipa-client-install

Enter the necessary information, such as the FreeIPA server hostname and the administrative password (used earlier during the server installation). Once the configuration is complete, you can obtain the Kerberos ticket required for authentication by running the following command:

Once the installation is complete, you will certainly see it reported.

Instead of answering the prompts, you can supply all of the values with the appropriate flags:

$ ipa-client-install --hostname=centos8-2.lab.local --mkhomedir --server=centos9.lab.local --domain lab.local --realm LAB.LOCAL

Step 7: Test the Setup

To test the FreeIPA server setup, log in to the centos8-2 machine with the newly created user account “testuser” by running this command:

$ ssh testuser@lab.local@centos8-1.lab.local

Or via PuTTY, as I did below. On first login you will be prompted to change the initial password; please do so. After that you will be authenticated and logged into the system.
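To check the pieces set up in Step 3 (firewall services) and Step 5 (the admin Kerberos ticket) without clicking through the web UI, here is a small bash check script. It is an added example, not part of the original post or of FreeIPA itself; the realm LAB.LOCAL and the klist sample are constructed to match this lab, and the --live mode assumes firewall-cmd and klist are available on the server.

```shell
#!/usr/bin/env bash
# Added example: post-install sanity checks for the FreeIPA server above.
# The functions take command output as arguments so they can be exercised on
# captured text; pass --live to feed them real firewall-cmd / klist output.

# Services opened in Step 3 (the freeipa-trust service is not needed here).
REQUIRED_SERVICES="dns freeipa-ldap freeipa-ldaps freeipa-replication"

# Print the required firewalld services missing from a
# "firewall-cmd --list-services" line; exit status 1 if any are missing.
missing_firewall_services() {
    local enabled=" $1 " missing="" svc
    for svc in $REQUIRED_SERVICES; do
        case "$enabled" in
            *" $svc "*) ;;                     # service is already open
            *) missing="$missing $svc" ;;
        esac
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Succeed only if klist output is for the expected principal (e.g.
# admin@LAB.LOCAL) and holds a TGT (krbtgt/REALM@REALM) for that realm.
klist_has_tgt() {
    local output="$1" principal="$2" realm="${2#*@}"
    printf '%s\n' "$output" | grep -q "^Default principal: $principal\$" || return 1
    printf '%s\n' "$output" | grep -q "krbtgt/$realm@$realm" || return 1
}

# Constructed klist output, shaped like the result of "kinit admin; klist".
KLIST_SAMPLE='Ticket cache: KCM:0
Default principal: admin@LAB.LOCAL

Valid starting       Expires              Service principal
05/01/2023 10:00:00  05/02/2023 10:00:00  krbtgt/LAB.LOCAL@LAB.LOCAL'

if [ "${1:-}" = "--live" ]; then
    if missing=$(missing_firewall_services "$(firewall-cmd --list-services)"); then
        echo "firewall: all FreeIPA services are open"
    else
        echo "firewall: missing services: $missing"
    fi
    if klist_has_tgt "$(klist 2>/dev/null)" "admin@LAB.LOCAL"; then
        echo "kerberos: admin TGT present"
    else
        echo "kerberos: no admin TGT, run 'kinit admin' first"
    fi
fi
```

Run it as root on centos9.lab.local with --live; without the flag it only defines the functions and the sample, which is handy for sourcing from other scripts.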

Conclusion

In this article, I have covered the installation and configuration of the FreeIPA server on CentOS 9, as well as adding clients to the FreeIPA domain on CentOS 8. FreeIPA provides a powerful solution for managing identity and authentication in a Linux-based network, and it offers administrators various features, for example authenticating LDAP users or protecting NFSv4 with Kerberos. You can manage users, groups, and access policies through the FreeIPA web interface or command-line tools. By centralizing authentication and authorization, you can simplify user management, improve security, and ensure compliance with regulatory requirements. With a little bit of effort, you can have a robust and reliable identity management system up and running in no time.