- 1 Description
- 2 Setup
- 3 How to test
- 4 Expected Results
- For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
- Make sure
/etc/hostsis sane and your hostname does not appear in either the IPv4 or IPv6 localhost lines.
- If you have an existing AD server in your network, choose a different name for the IPA server realm name. Clients that use DNS autodiscovery to find the KDC to use may get confused and try to authenticate to the AD KDC. It is recommended that FreeIPA and AD serves different domains, for example ipa.example.org and ad.example.org
How to test
First, install the FreeIPA server package:
# yum install freeipa-server
For a fully-interactive install run:
You can optionally provide all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org -U
We recommend installing FreeIPA with integrated DNS service as it will make client autodiscovery or AD Trust configuration much easier. You will just need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server or that your VMs are configured to use FreeIPA server directly (by configuring your DHCP server or manually updating /etc/resolv.conf).
# yum install bind bind-dyndb-ldap # ipa-server-install --setup-dns
Or with all options on the command-line:
# ipa-server-install -a Secret123 -p Secret123 --domain=ipa.example.org --realm=IPA.EXAMPLE.ORG --hostname srv1.ipa.example.org --setup-dns --forwarder=<forwarder IP> -U
Substitute you existing DNS server's IP for <forwarder IP>, or pass --no-forwarders.
Verify the basics
Ideally each of these installation steps will conclude with no errors and a running set of IPA services.
To briefly test the installation:
# kinit admin # (the password is the admin password, or the password from -a)
Show our own user entry:
# ipa user-show admin
And make sure nss can see us too:
# id admin # getent passwd admin
We install a number of SSL certificates that should be automatically managed by certmonger:
# ipa-getcert list
There should be 2 certificates, all in MONITORING status. The certificates should be in the following NSS databases:
* /etc/httpd/alias * /etc/dirsrv/slapd-PKI-IPA
Now, check the service principals:
# kinit admin # ipa service-find
There should be 2 services: ldap and HTTP for your FreeIPA server. If you installed DNS, there should be a DNS service as well.
Verify these only if you installed with a DNS server.
# dig srv1.ipa.example.org.
Look for a line like this in the output:
srv1.ipa.example.org. 86400 IN A 192.168.0.1
# host srv1.ipa.example.org srv1.ipa.example.org has address 192.168.0.1
# ipa dns-resolve srv1.ipa.example.org --------------------------- Found 'srv1.ipa.example.org.' ---------------------------
# ipa host-show srv1.ipa.example.org Host name: srv1.ipa.example.org Principal name: host/srv1.ipa.example.org@IPA.EXAMPLE.ORG Keytab: True Managed by: srv1.ipa.example.org
Configure the Firewall
New Fedora 19 systems have FirewallD enabled by default, you may want to either open all ports required by FreeIPA server or disable the Firewall for the test and flush iptables rules so that clients do not have issues connecting FreeIPA server:
# systemctl stop firewalld.service # systemctl disable firewalld.service # iptables -F
Add a client
If you have more than two machines, install a client or a replica. If you have installed DNS, edit /etc/resolv.conf and add the FreeIPA server as a nameserver.
# yum install freeipa-client # ipa-client-install
Or with all options on the command-line.
# yum install freeipa-client # ipa-client-install --domain=ipa.example.org --server=srv1.ipa.example.org -p admin -w Secret123 -U
Verify that nss can see us:
# id admin # getent passwd admin
# yum install freeipa-admintools # kinit admin # ipa user-show admin
Remove a client
When you are done with a client, you can uninstall it:
# ipa-client-install --uninstall
The uninstallation should complete with no errors. To verify that uninstallation was successful, install the client again.
FreeIPA provides a way to uninstall the configured services and it does its best to return the system to its previous state. To run the FreeIPA server uninstaller execute:
# ipa-server-install --uninstall -U
Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.
To verify that the server is in a state where it can be re-installed re-run ipa-server-install:
If something failed in the un-installation you would get an error message that the server is already installed/configured.
All the test steps should end with the specified results.