I’ve been busy with work lately, but got some time this Sunday to work on the next part of my build – authentication.
The Unraid build itself is coming on well, but I now have 14 separate docker containers doing things for me, all with their own individual authentication methods. If I plan on opening up the server to external access (which I do), then I need something to manage usernames and passwords from a central point.
That something is LDAP.
LDAP stands for Lightweight Directory Access Protocol, and is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
The implementation most people will have heard of is Microsoft's Active Directory, which serves its directory over LDAP (with Kerberos alongside it for authentication). It's what I'm most familiar with, having worked with flavors of AD from 2003 onwards. It's easy to set up and easy to work with, and is, in my view, the best LDAP implementation for a heavily Windows-based environment.
I'm not exactly running a completely Windows environment. My primary machine, and my girlfriend's, run Windows 10. However, I have 14 docker containers (and growing), and some of the things I want to set up need to integrate with whatever LDAP server I'm running, and I'm not sure how well AD would play with those.
Lastly, AD requires Windows Server, which needs a licence and fairly hefty hardware to run.
Plus, it’s fun to learn new things.
So I’ll be using something called FreeIPA (hopefully the punny title makes sense now) on a CentOS 8 install, with 2 vCPUs, 4GB RAM and a 60GB disk.
Read on for how it’s done.
Install and Setup FreeIPA Server on CentOS 8
Prerequisites
Set a static hostname for the system. The hostname must be fully qualified and not localhost or localhost6.
hostnamectl set-hostname freeipa.morsepacific.home
Make the hostname resolvable. If you have a DNS server with entries for your FreeIPA server, all good. Otherwise add an entry to /etc/hosts. The entry must point at the server's real interface address, not 127.0.0.1: ipa-server-install checks this and refuses to continue if the hostname resolves to a loopback address.
I'm using my router for DNS while setting this up, so I'll use the hosts file method. We'll configure a DNS server as part of FreeIPA later.
echo "192.168.4.199 freeipa.morsepacific.home" | sudo tee -a /etc/hosts
Open Firewall Ports
The freeipa-ldap and freeipa-ldaps firewalld services cover HTTP/HTTPS, Kerberos and LDAP/LDAPS; dns is needed because we'll be running the integrated DNS server.
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent
firewall-cmd --reload
Install FreeIPA
FreeIPA packages are provided by the Identity Management (idm) module in the CentOS 8 AppStream repository, so you first need to enable the idm:DL1 stream:
dnf module enable idm:DL1
Next, run system update:
dnf distro-sync
Then install FreeIPA
dnf install ipa-server ipa-server-dns
Setup FreeIPA with integrated DNS server
We'll be setting up FreeIPA with an integrated DNS server, as we currently don't have a machine set up for DNS.
ipa-server-install --setup-dns
At this point we're prompted for the server hostname, the DNS domain, the Kerberos realm, the Directory Manager password, the admin password and the DNS forwarders, and then asked to confirm the summary before anything is changed. The answers will differ depending on your setup and requirements.
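The prerequisites above are easy to get subtly wrong, and a failed ipa-server-install run leaves half-configured services behind. The script below is an added example (not from the original post) that checks the hostname and hosts-file entry the way the installer does, derives the domain and realm from the FQDN, and prints the install command with everything except the passwords pre-answered. The FQDN, address and forwarder are assumptions matching this lab; adjust them for your own network.

```shell
#!/bin/sh
# Pre-flight checks before ipa-server-install, plus the install command with the
# prompts pre-answered. Added example, not from the original post. The FQDN,
# address and forwarder below are assumptions matching the post's lab values.
IPA_FQDN="${IPA_FQDN:-freeipa.morsepacific.home}"
IPA_IP="${IPA_IP:-192.168.4.199}"
IPA_FORWARDER="${IPA_FORWARDER:-192.168.4.1}"   # assumed: the router currently serving DNS

# ipa-server-install rejects a hostname that is not fully qualified or is a localhost name.
check_fqdn() {
    case "$1" in
        ""|localhost|localhost6|localhost.localdomain|localhost6.localdomain6) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# It also refuses a hostname that resolves to loopback: the server must be reachable
# on its real interface address for DNS, Kerberos and LDAP to work.
check_ip_not_loopback() {
    case "$1" in
        ""|127.*|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Look a name up in an /etc/hosts-style file (address, then one or more names,
# optional trailing # comment). Prints the first matching address, nothing if absent.
lookup_hosts() {
    awk -v name="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == name) { print $1; exit } } }
    ' "$1"
}

# The DNS domain is everything after the host label; the Kerberos realm is that domain upper-cased.
derive_domain() { printf '%s\n' "${1#*.}"; }
derive_realm()  { derive_domain "$1" | tr '[:lower:]' '[:upper:]'; }

# Run all checks against a hosts file; the exit status is the verdict, the text is the reason.
preflight() {
    hosts_file="$1"; fqdn="$2"; ip="$3"
    check_fqdn "$fqdn" || { echo "hostname '$fqdn' must be an FQDN and not a localhost name"; return 1; }
    check_ip_not_loopback "$ip" || { echo "address '$ip' is loopback; use the real interface address"; return 1; }
    resolved=$(lookup_hosts "$hosts_file" "$fqdn")
    [ "$resolved" = "$ip" ] || { echo "'$fqdn' resolves to '${resolved:-nothing}' in $hosts_file, expected '$ip'"; return 1; }
    echo "preflight ok: $fqdn -> $ip (domain $(derive_domain "$fqdn"), realm $(derive_realm "$fqdn"))"
}

# The install command with everything except the two passwords pre-answered.
# Deliberately no --unattended / --ds-password / --admin-password: passwords passed as
# arguments end up in shell history and in `ps` output while the installer runs,
# so let it prompt for them interactively, as the post does.
build_install_cmd() {
    printf 'ipa-server-install --hostname=%s --ip-address=%s --domain=%s --realm=%s --setup-dns --forwarder=%s --no-reverse\n' \
        "$1" "$2" "$(derive_domain "$1")" "$(derive_realm "$1")" "$3"
}

# Usage: sh ipa-preflight.sh check   (prints the install command only if the checks pass)
if [ "${1:-}" = "check" ]; then
    preflight /etc/hosts "$IPA_FQDN" "$IPA_IP" && build_install_cmd "$IPA_FQDN" "$IPA_IP" "$IPA_FORWARDER"
fi
```

Run it with `check` before the install; if it complains about the hosts entry, fix /etc/hosts rather than pointing the name at 127.0.0.1. The `--no-reverse` flag skips creating a reverse zone, which is the right call when the router still owns reverse lookups for the LAN.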
Java Strikes Again
At this point, my installation failed due to an error when trying to set up the Certificate Authority. According to this thread, it's a bug with the openjdk version, which pretty much sums up my experiences with Linux; read some documentation that says 'Just do this', follow it to the letter, and then have Java somehow fuck it all up.
Fix crappy Java issues
Install Java as usual (build 272 is what the repo gives you by default)
yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless
Remove just the Java packages, leaving their dependencies in place
rpm -e --nodeps java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless
Download the desired Java version (265)
wget http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-headless-1.8.0.265.b01-0.el8_2.x86_64.rpm
Install the downloaded Java packages (run this in the directory you downloaded the RPM into; rpm checks the package signature against the CentOS GPG key on install, so don't ignore a signature warning). Note that a later dnf update will pull 272 back in unless you pin the package with dnf versionlock.
rpm -ivh java*
Check installed Java version
java -version
openjdk version “1.8.0_265”
OpenJDK Runtime Environment (build 1.8.0_265-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)
Then we can try installing FreeIPA again. This means cleaning up the failed attempt with ipa-server-install --uninstall, then starting again. Thanks Java!
Generate a Kerberos Ticket
In order to use the ipa command-line tools and perform any other administrative tasks, you need a Kerberos ticket (the web UI will also accept a plain username and password login). Obtain one by running
kinit admin
When prompted, enter the administrator password set during the installation setup.
You can list kerberos tickets using the klist command as well.
Access the FreeIPA Web Interface
You can access the web interface by browsing to https://yourconfiguredaddress.home, in my case https://freeipa.morsepacific.home. The site is served with a certificate issued by the new IPA CA, so your browser will warn about it until you import the CA certificate (downloadable from https://freeipa.morsepacific.home/ipa/config/ca.crt) into its trust store.
From here you can configure the rest of your server.