The other day I logged into my Pi-Hole to update some DNS entries. I noticed a new version was available and decided to SSH into the device to run this. I tried a bunch of different username/password combinations and was lucky to finally log in. I realised that this was probably the time to implement some sort of centralized authentication on my network.
This post will outline a basic, single FreeIPA server setup. I am running the FreeIPA server on Fedora 33 Server and the client PC is running Fedora 33 Workstation. I will create a new post in future to include additional FreeIPA servers with replication.
The server will be set up with the hostname and IP address in the table below. I have added a DNS entry to this on my Pi-Hole so other FreeIPA servers can find this host later on. It’s also useful as I will be using my host PC to access the FreeIPA web interface.
If you are following this guide in your own setup, make sure that DNS is resolving correctly. This will be the most likely cause of your issue.
Set a static IP address on the server (192.168.1.7 is my Pi-Hole):
Run any updates to the system and reboot:
Set the hostname of the machine to the FQDN of the server:
Update /etc/hosts with the IP address and FQDN (FQDN must be specified first!):
Install the FreeIPA server and FreeIPA DNS packages:
Add the following firewall rules. You can see which ports are opened by viewing /usr/lib/firewalld/services/ldap.xml and /usr/lib/firewalld/services/ldaps.xml.
Run the FreeIPA server installer. Be sure to add the mkhomedir option, as this will create a folder in /home for a user logging in for the first time. If you omit this option, then things may not run properly for logged-in users.
Next you will be prompted for some information. You can specify all this on the command line but I like to answer it interactively. I say yes to install the integrated DNS server. The script detects the hostname and domain name automatically and I will be using IPA.RICOSHARP.COM as the realm name. Enter a password for the admin and Directory Manager accounts when prompted.
Next I will change the DNS of the FreeIPA server to itself:
I also like to change a few default settings such as the default shell and removing the default email domain:
Now create a test user:
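The server-side steps above, collected into one script as an added example (this is not the post's own code). It wraps each step in a function and only runs them when invoked with `run`, so the pure helpers can be checked without touching the system. The hostname ipa1.ipa.ricosharp.com, the server address 192.168.1.10, the gateway 192.168.1.1, the interface name eth0 and the test account name tuser are assumptions; the realm IPA.RICOSHARP.COM and the Pi-Hole address 192.168.1.7 come from the post. The firewalld service names freeipa-ldap, freeipa-ldaps, dns and ntp are the stock definitions shipped with firewalld, which cover the Kerberos, HTTP(S), LDAP(S) and DNS ports the installer needs rather than only 389/636. Passwords are deliberately left to the installer's prompts so they never land in shell history.

```shell
#!/bin/bash
# Added example, not from the post: FreeIPA single-server provisioning as
# functions. Values marked "assumed" are placeholders for this illustration.

IPA_FQDN="ipa1.ipa.ricosharp.com"   # assumed
IPA_IP="192.168.1.10"               # assumed
GATEWAY="192.168.1.1"               # assumed
IFACE="eth0"                        # assumed NetworkManager connection name
PIHOLE_DNS="192.168.1.7"            # from the post
REALM="IPA.RICOSHARP.COM"           # from the post
TEST_USER="tuser"                   # assumed

# Build the /etc/hosts line with the FQDN before the short name; the
# installer takes the first name on the line as the canonical hostname.
hosts_line() {
    ip="$1"; fqdn="$2"
    printf '%s %s %s\n' "$ip" "$fqdn" "${fqdn%%.*}"
}

# ipa-server-install refuses single-label names and localhost.localdomain,
# so reject those before changing the hostname.
is_fqdn() {
    case "$1" in
        localhost.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# The post names DNS as the most likely cause of trouble: confirm forward and
# reverse lookups against the Pi-Hole before installing anything.
check_dns() {
    fwd=$(dig +short A "$IPA_FQDN" @"$PIHOLE_DNS")
    [ "$fwd" = "$IPA_IP" ] || { echo "A record for $IPA_FQDN is '$fwd', want $IPA_IP" >&2; return 1; }
    rev=$(dig +short -x "$IPA_IP" @"$PIHOLE_DNS")
    [ "${rev%.}" = "$IPA_FQDN" ] || { echo "PTR for $IPA_IP is '$rev', want $IPA_FQDN" >&2; return 1; }
}

configure_network() {
    nmcli connection modify "$IFACE" ipv4.method manual \
        ipv4.addresses "$IPA_IP/24" ipv4.gateway "$GATEWAY" ipv4.dns "$PIHOLE_DNS"
    nmcli connection up "$IFACE"
}

set_hostname() {
    is_fqdn "$IPA_FQDN" || { echo "$IPA_FQDN is not fully qualified" >&2; return 1; }
    hostnamectl set-hostname "$IPA_FQDN"
    grep -q "$IPA_FQDN" /etc/hosts || hosts_line "$IPA_IP" "$IPA_FQDN" >> /etc/hosts
}

install_packages() {
    dnf -y upgrade --refresh
    dnf -y install freeipa-server freeipa-server-dns
}

open_firewall() {
    # Stock firewalld service definitions; 'dns' is needed because the
    # integrated DNS server is being installed.
    firewall-cmd --permanent --add-service=freeipa-ldap --add-service=freeipa-ldaps \
        --add-service=dns --add-service=ntp
    firewall-cmd --reload
}

install_server() {
    # Admin and Directory Manager passwords are entered at the prompts.
    ipa-server-install --setup-dns --mkhomedir --realm "$REALM" \
        --hostname "$IPA_FQDN" --ip-address "$IPA_IP" --forwarder "$PIHOLE_DNS"
}

point_dns_to_self() {
    nmcli connection modify "$IFACE" ipv4.dns "$IPA_IP"
    nmcli connection up "$IFACE"
}

apply_defaults() {
    kinit admin
    ipa config-mod --defaultshell=/bin/bash
    ipa config-mod --emaildomain=''     # an empty value clears the attribute
    ipa user-add "$TEST_USER" --first=Test --last=User --password
}

if [ "${1:-}" = "run" ]; then
    check_dns && configure_network && set_hostname && install_packages \
        && open_firewall && install_server && point_dns_to_self && apply_defaults
fi
```

Run it as `sudo bash provision-ipa.sh run` after a reboot following the package upgrade; `check_dns` stops the script before any system change if the Pi-Hole entries are wrong.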
Thankfully all the above can also be done easily in the web interface. In my case it is here:
I’ll set up DHCP later but for now the client PC is running with these static network settings. The DNS server is our FreeIPA server which helps the client discover information when running the client installation.
Now on a client PC, install freeipa-client.
Run the FreeIPA client installer. If your DNS is set up correctly everything will be found and you will only need to enter the admin username/password when prompted. Don’t forget to add the mkhomedir option. I also like to add the enable-dns-updates option so the client’s DNS entries update on the server when an IP address changes.
Now reboot the client PC and try logging in with the test account.