Overview
FreeIPA is an identity management and single sign-on solution for Linux / Unix networks. It's somewhat comparable to Active Directory in the Windows world.
How it Works
Under the hood, FreeIPA really just wraps a Kerberos KDC/TGS server with an LDAP backend and a nice web interface.
Access to hosts on the network is controlled via Host-Based Access Control (HBAC) rules, which say which users are allowed access (via ssh) to which hosts.
Restarting All IPA Services
You can use the command below to restart all FreeIPA services.
sudo ipactl restart
There's also a systemd daemon for the main ipa service.
sudo systemctl restart ipa
Resetting The Admin Password
I've had to do this once when restoring from a backup after changing the admin pass and losing the old one. So I might have to do it again some day.
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
At the Enter LDAP Password: prompt, use the Directory Manager password (aka the LDAP admin).
Let's Encrypt SSL Configuration
Basic Overview
My FreeIPA server uses Let's Encrypt certificates.
Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
To get the CA certs loaded for LE see the section below.
Adding Let's Encrypt CA Authorities
I'm using Let's Encrypt for the certs for the FreeIPA server. Because of how TLS certificate chains work, FreeIPA will not accept the LE certs unless it also trusts the CA certs that issued them. This is how you can add a CA cert for LE in Fedora/FreeIPA.
Where it started: I found the basic commands in a GitHub writeup and modified them.
My commands to add the R3 CA authority:
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
Found the latest ca cert file here: https://letsencrypt.org/certificates/
Then I was able to use ipa-server-certinstall to install the cert.
ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Update: it needs even more cert authorities.
Made / borrowed this script to get them all.
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.
[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23
# -e: abort if any download fails, so update-ca-certificates never runs with an empty .crt file.
set -ex
dest=/usr/local/share/ca-certificates/extra
mkdir -p "$dest"
# ISRG roots (X1, X2) plus the RSA (R*) and ECDSA (E*) intermediates LE issues from.
for url in \
    https://letsencrypt.org/certs/isrgrootx1.pem \
    https://letsencrypt.org/certs/isrg-root-x2.pem \
    https://letsencrypt.org/certs/lets-encrypt-r3.pem \
    https://letsencrypt.org/certs/lets-encrypt-e1.pem \
    https://letsencrypt.org/certs/lets-encrypt-r4.pem \
    https://letsencrypt.org/certs/lets-encrypt-e2.pem \
    https://letsencrypt.org/certs/2024/e5.pem \
    https://letsencrypt.org/certs/2024/e6.pem \
    https://letsencrypt.org/certs/2024/r10.pem \
    https://letsencrypt.org/certs/2024/r11.pem; do
    # Save each PEM under its own name with a .crt extension, which update-ca-certificates expects.
    wget -O "$dest/$(basename "$url" .pem).crt" "$url"
done
update-ca-certificates
Renewing an expired cert
If the cert for the FreeIPA server expires you can still use the ipa-server-certinstall tool to renew it, like you normally would. However, there's a catch: you have to prepend your command with the faketime util and set the date to a time before the current certificate expired.
EXPIRED! Not After: Mon, 25 Nov 2024 02:26:25 GMT
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
Then just run sudo ipactl restart to restart the FreeIPA services.
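As an added example (not part of the original notes), a small Python helper that turns the certificate's Not After line (either the form shown above or the notAfter= output of openssl x509 -noout -enddate) into a faketime value just before expiry and builds the matching ipa-server-certinstall command. The paths are the ones used in the notes; the sample dates and the one-hour margin are constructed assumptions.

```python
import shlex
import ssl
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample input: the expiry line quoted in the notes and the
# equivalent 'openssl x509 -noout -enddate' output for the same certificate.
SAMPLE_NOT_AFTER = "EXPIRED! Not After: Mon, 25 Nov 2024 02:26:25 GMT"
SAMPLE_OPENSSL_ENDDATE = "notAfter=Nov 25 02:26:25 2024 GMT"
FULLCHAIN = "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem"
PRIVKEY = "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"


def parse_not_after(line: str) -> datetime:
    """Expiry as an aware UTC datetime, from 'Not After: <RFC 2822 date>'
    or from openssl's 'notAfter=Mon DD HH:MM:SS YYYY GMT' form."""
    if "notAfter=" in line:
        secs = ssl.cert_time_to_seconds(line.split("notAfter=", 1)[1].strip())
        return datetime.fromtimestamp(secs, tz=timezone.utc)
    dt = parsedate_to_datetime(line.split("Not After:", 1)[-1].strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def faketime_for(not_after: datetime, now: datetime,
                 margin: timedelta = timedelta(hours=1)) -> Optional[str]:
    """Timestamp for faketime(1), or None while the cert is still valid.
    It sits a little before expiry so ipa-server-certinstall, run under
    faketime, still sees the old certificate as valid."""
    if now < not_after:
        return None
    return (not_after - margin).strftime("%Y-%m-%d %H:%M:%S")


def certinstall_command(fake: Optional[str], fullchain: str = FULLCHAIN,
                        privkey: str = PRIVKEY) -> str:
    """ipa-server-certinstall command line, prefixed with faketime when needed."""
    argv = ["ipa-server-certinstall", "-w", "-d", fullchain, privkey]
    if fake is not None:
        argv = ["faketime", fake] + argv
    return shlex.join(argv)


if __name__ == "__main__":
    expiry = parse_not_after(SAMPLE_NOT_AFTER)
    print(certinstall_command(faketime_for(expiry, datetime.now(timezone.utc))))
```

Run it on the host before renewing; when the cert is not yet expired it prints the plain command without faketime.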