Install FreeIPA Server Centos 7
Install FreeIPA Server Centos 7 – This article covers how to install FreeIPA Server on CentOS 7.
For how to install CentOS 7, see the previous article here.
Install FreeIPA Server Centos 7
```
Hostname:   cipa1.cacan.local
IP Address: 192.168.3.51
Domain:     cacan.local
```
Setting Hosts & Hostname
Set the hosts entry and the hostname with the following commands (the first two lines keep backup copies of /etc/hosts):
```
sudo cp /etc/hosts{,._orig}
sudo cp /etc/hosts{,.`date +%Y%m%d-%H%M%S`}
echo "192.168.3.51 cipa1.cacan.local" | sudo tee -a /etc/hosts
sudo hostnamectl set-hostname cipa1.cacan.local
```
Update Repository
Then enable the EPEL repository and update the system with the following commands:
```
sudo yum -y install epel-release
sudo yum -y update
```
Install FreeIPA Server
After that, install FreeIPA together with the BIND packages needed for integrated DNS:
```
sudo yum install -y ipa-server ipa-server-dns bind bind-dyndb-ldap
```
Configure FreeIPA Server
Next, configure the FreeIPA Server with the following command (integrated DNS is enabled, and zone overlap is allowed because cacan.local is not delegated to this server):
```
sudo ipa-server-install --setup-dns --allow-zone-overlap
```
```
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]:

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [cipa1.cacan.local]:

The domain name has been determined based on the host name.

Please confirm the domain name [cacan.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [CACAN.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Do you want to configure DNS forwarders? [yes]: yes
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder: 8.8.4.4
DNS forwarder 8.8.4.4 added
Enter IP address for a DNS forwarder: <enter>
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name [3.168.192.in-addr.arpa.]: 3.168.192.in-addr.arpa
Using reverse zone 3.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       cipa1.cacan.local
IP address(es): 192.168.3.51
Domain name:    cacan.local
Realm name:     CACAN.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       8.8.8.8, 8.8.4.4
Forward policy:   only
Reverse zone(s):  3.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  ...
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  ...
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
  ...
  [27/28]: adding 'ipa' CA entry
  [28/28]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  ...
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: cipa1.cacan.local
Realm: CACAN.LOCAL
DNS Domain: cacan.local
IPA Server: cipa1.cacan.local
BaseDN: dc=cacan,dc=local

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://cipa1.cacan.local/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://cipa1.cacan.local/ipa/json'
trying https://cipa1.cacan.local/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://cipa1.cacan.local/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://cipa1.cacan.local/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://cipa1.cacan.local/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring cacan.local as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
```
To follow the log of the FreeIPA Server configuration while it runs, use the following command:
```
sudo tail -f /var/log/ipaserver-install.log
```
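A preflight check for the values used above (FQDN, IP address, /etc/hosts entry) that also derives the realm and reverse zone the installer proposed. This is an added example, not part of the original post; the /etc/hosts content is a constructed sample and the checks mirror what ipa-server-install complains about (lower-case FQDN, no single-label domain, non-loopback address, hosts entry matching the server IP).

```python
import ipaddress

# Values from the tutorial; the /etc/hosts text is a constructed sample.
FQDN = "cipa1.cacan.local"
IP = "192.168.3.51"
HOSTS_FILE = """127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.168.3.51 cipa1.cacan.local
"""

def parse_hosts(text):
    """Map each name in /etc/hosts-style text to the first IP it appears with."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping

def realm_for(fqdn):
    """The realm ipa-server-install proposes: the DNS domain in upper case."""
    return fqdn.split(".", 1)[1].upper()

def reverse_zone(cidr):
    """Reverse zone proposed for an IPv4 network, e.g. 192.168.3.0/24 -> 3.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def preflight(fqdn, ip, hosts_text):
    """Return the problems that would make ipa-server-install refuse or misconfigure the host."""
    problems = []
    if fqdn != fqdn.lower():
        problems.append("hostname must be lower case")
    if len(fqdn.split(".")) < 3:
        problems.append("hostname must be host.domain.tld; a single-label domain is rejected")
    if ipaddress.ip_address(ip).is_loopback:
        problems.append("server IP must not be a loopback address")
    resolved = parse_hosts(hosts_text).get(fqdn.lower())
    if resolved is None:
        problems.append("/etc/hosts has no entry for " + fqdn)
    elif resolved != ip:
        problems.append("/etc/hosts maps %s to %s, expected %s" % (fqdn, resolved, ip))
    return problems
```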
Configure Firewall
Next we open the firewall for the ports FreeIPA Server needs, as listed at the end of the installer output:
```
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp
```
To configure the firewall, use the following commands:
```
sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent
sudo firewall-cmd --reload
```
Access FreeIPA Web Interface
Next, open the FreeIPA Web Interface in your favourite browser at https://cipa1.cacan.local/ and log in with the admin account created during installation:
```
Username: admin
Password: ********
```
Kerberos ticket
Once the FreeIPA installation is complete, we authenticate as the administrator user with Kerberos using the following command:
```
sudo kinit admin
```
```
Password for admin@CACAN.LOCAL:
```
Then verify the ticket with the following command:
```
sudo klist
```
```
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CACAN.LOCAL

Valid starting       Expires              Service principal
05/16/2019 01:25:02  05/17/2019 01:24:58  krbtgt/CACAN.LOCAL@CACAN.LOCAL
```
Management User
Add User
Next we create a new user with the following command:
```
sudo ipa user-add rony --first=Rony --last=Chandra --email=rony@cacan.local --shell=/bin/bash --password
```
```
Password:
Enter Password again to verify:
-----------------
Added user "rony"
-----------------
  User login: rony
  First name: Rony
  Last name: Chandra
  Full name: Rony Chandra
  Display name: Rony Chandra
  Initials: RC
  Home directory: /home/rony
  GECOS: Rony Chandra
  Login shell: /bin/bash
  Principal name: rony@CACAN.LOCAL
  Principal alias: rony@CACAN.LOCAL
  User password expiration: 20190315182758Z
  Email address: rony@cacan.local
  UID: 1806600001
  GID: 1806600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
```
Find User
To look up user records, use the following command:
```
sudo ipa user-find
```
```
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@CACAN.LOCAL
  UID: 1806600000
  GID: 1806600000
  Account disabled: False

  User login: rony
  First name: Rony
  Last name: Chandra
  Home directory: /home/rony
  Login shell: /bin/bash
  Principal name: rony@CACAN.LOCAL
  Principal alias: rony@CACAN.LOCAL
  Email address: rony@cacan.local
  UID: 1806600001
  GID: 1806600001
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
```
This completes the installation of FreeIPA on CentOS 7. On another occasion we will cover FreeIPA in more depth.
Hope this is useful.