
FreeIPA - Identity Management

From John's Wiki
Revision as of 22:09, 28 November 2024 by Admin (talk | contribs)

Overview


FreeIPA is an identity management and single sign-on solution for Linux / Unix networks. It's roughly comparable to Active Directory in the Windows world.

How it Works

Under the hood, FreeIPA really just wraps up a Kerberos KDC/TGS server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network is controlled via Host-Based Access Control (HBAC) rules, which say which users are allowed access (via ssh) to which hosts.

Restarting All IPA Services

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd unit (ipa.service) for the main ipa service.

sudo systemctl restart ipa

Resetting The Admin Password

I've had to do this once when restoring from a backup after changing the admin pass and losing the old one. So I might have to do it again some day.

root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password: 
Re-enter new password: 
Enter LDAP Password: 

At the Enter LDAP Password: prompt, enter the Directory Manager password (aka the LDAP admin password), not the admin user's password.

Source

Let's Encrypt SSL Configuration

Basic Overview

My FreeIPA server uses Let's Encrypt certificates.

Here are the upstream instructions for setting up a third-party cert for the LDAP server and the HTTPS web interface:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

Adding Let's Encrypt CA Authorities

I'm using Let's Encrypt for the certs for the FreeIPA server. Because FreeIPA validates the full certificate chain, it will not accept the LE certs unless the issuing CA certs are in its trust store too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on this github writeup link and modified them.

My commands to add the R3 CA certificate:

wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the ipa-server-certinstall tool to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

Update: Needs even more cert authorities.

Made / borrowed this script to get them all.

#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
    mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /usr/local/share/ca-certificates/extra/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/extra/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /usr/local/share/ca-certificates/extra/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /usr/local/share/ca-certificates/extra/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /usr/local/share/ca-certificates/extra/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /usr/local/share/ca-certificates/extra/r11.crt https://letsencrypt.org/certs/2024/r11.pem

update-ca-certificates

Original Source

Modified Version on my Github

Renewing an expired cert

If the cert for the FreeIPA server expires you can still use the ipa-server-certinstall tool to renew it, like you normally would. However, there's a catch: you have to prefix the command with the faketime util and set the date to a time before the current certificate's Not After date, so that FreeIPA still considers it valid while the new one is installed.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password: 

Enter private key unlock password: 

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

Then just run sudo ipactl restart to restart the FreeIPA services.
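Before running ipa-server-certinstall it's worth checking the two things this page trips over: whether the fullchain validates against the CA certs you installed, and how close to expiry the current cert is (so you know whether the faketime trick is needed). The script below is an added example, not from the wiki or the FreeIPA project; it assumes openssl is installed and builds a throwaway CA and leaf cert locally, so no real certificates or hostnames are involved (freeipa.example.test is a constructed name).

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a FreeIPA HTTP/LDAP certificate.
# Assumes openssl; every certificate used here is constructed below.
set -eu

# chain_ok FULLCHAIN CAFILE: succeeds only if the leaf (first cert in
# FULLCHAIN) validates up to a CA in CAFILE. This is the check that fails
# when the Let's Encrypt CA certs have not been added to the trust store.
chain_ok() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# still_valid CERT [SECONDS]: succeeds if CERT stays valid for at least
# SECONDS more (default 0). Failure with 0 means the cert is already
# expired and ipa-server-certinstall will need the faketime prefix.
still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# make_test_chain DIR: constructed one-day test CA + leaf, plus an
# unrelated CA to stand in for a trust store that lacks the issuer.
make_test_chain() {
    local d="$1"
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=freeipa.example.test" -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    # Same layout as Let's Encrypt's fullchain.pem: leaf first, issuer after.
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

demo() {
    local d; d="$(mktemp -d)"
    make_test_chain "$d"
    chain_ok "$d/fullchain.pem" "$d/ca.pem"    && echo "chain OK against issuing CA"
    chain_ok "$d/fullchain.pem" "$d/other.pem" || echo "chain FAILS: issuing CA not trusted"
    still_valid "$d/leaf.pem"                  && echo "cert not expired: no faketime needed"
    still_valid "$d/leaf.pem" $((7 * 86400))   || echo "cert expires within 7 days: renew now"
    rm -rf "$d"
}

demo
```

On a real server, point chain_ok at /etc/letsencrypt/live/<host>/fullchain.pem and at the CA bundle update-ca-certificates produced, and still_valid at the installed cert.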