Categories
Security Technology

Authentication for Free, as in Beer (FreeIPA)

I’ve been busy with work lately, but got some time this Sunday to work on the next part of my build – authentication.

The Unraid build itself is coming on well, but I now have 14 separate docker containers doing things for me, all with their own individual authentication methods. If I plan on opening up the server to external access (which I do), then I need something to manage usernames and passwords from a central point.

That something is LDAP.

LDAP stands for Lightweight Directory Access Protocol, and is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

The most common implementation of LDAP that people will probably have heard of is Microsoft’s Active Directory, itself an implementation of LDAP. It’s what I’m most familiar with, having worked with flavors of AD from 2003 onwards. It’s easy to setup and easy to work with, and is – in my view – the best implementation of LDAP for a heavily Windows-based environment.

I’m not exactly running a completely Windows environment. My primary machine, and that of my girlfriend, is running Windows 10. However, I have 14 docker containers (and growing), and some implementations I want to do that require some integration with whatever LDAP server you’re running, and I’m not sure how well AD would play with those.

Lastly, AD requires you to be running Windows Server, which requires a license, and also some fairly decent system requirements.

Plus, it’s fun to learn new things.

So I’ll be using something called FreeIPA (hopefully the punny title makes sense now) on a CentOS 8 install, with 2 vCPUs, 4GB RAM and a 60GB disk.

Read on for how it’s done.

Install and Setup FreeIPA Server on CentOS 8

Prerequisites

Set a static hostname for the system. The hostname must be fully qualified and not localhost or localhost6.

hostnamectl set-hostname freeipa.morsepacific.home

Make the hostname resolvable. If you have a DNS server with your FreeIPA server entries, all good. Otherwise configure your /etc/hosts file accordingly.
I’m using my router for DNS when setting this up, so I’ll use the hosts file method. We’ll configure a DNS server as part of FreeIPA later.

echo "192.168.4.199 freeipa.morsepacific.home" | sudo tee -a /etc/hosts

Open Firewall Ports

firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent

firewall-cmd --reload

Install FreeIPA

FreeIPA packages are provided by the Identity Management system module of CentOS 8 AppStream repos. Therefore, you need to enable the idm:DL1 stream by running the command:

dnf module enable idm:DL1

Next, run system update:

dnf distro-sync

Then install FreeIPA

dnf install ipa-server ipa-server-dns

Setup FreeIPA with integrated DNS server

We’ll be setting up FreeIPA with an integrated DNS server, as we currently don’t have a machine setup for DNS.

ipa-server-install --setup-dns

At this point, we’re prompted for a number of options, which will differ depending on your setup and requirements.

Java Strikes Again

At this point, my installation failed due to an error when trying to setup the Certificate Authority. According to this thread, it’s bug with the openjdk version, which pretty much sums up my experiences with Linux; read some documentation that says ‘Just do this’, follow it to the letter, and then have Java somehow fuck it all up.

Fix crappy Java issues

Install Java as usual (version 272 will get installed by default)

yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless

Remove Java only (leaving the dependencies)

rpm -e --nodeps java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless

Download the desired Java version (265)

wget http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/java-1.8.0-openjdk-headless-1.8.0.265.b01-0.el8_2.x86_64.rpm

Install the downloaded Java packages

rpm -ivh java*

Check installed Java version

java -version

openjdk version “1.8.0_265”
OpenJDK Runtime Environment (build 1.8.0_265-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode
)

Then we can try installing FreeIPA again. This means uninstalling it using ipa-server-install –uninstall, then starting again. Thanks Java!

Generate a Kerberos Ticket

In order to use the IPA tools/commands, use the web user interface and perform any other administrative tasks, you need to obtain a kerberos ticket by running

kinit admin

When prompted, enter the administrator password set during the installation setup.

You can list kerberos tickets using the klist command as well.

Access the FreeIPA Web Interface

You can access the web interface by browsing to https://yourconfiguredaddress.home, in my case https://freeipa.morsepacific.home.

From here you can configure the rest of your server.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s