FreeIPA Server Setup on CentOS 7

on Feb. 12, 2015, 11:37 a.m.

The second part of my homelab redo was to set up a FreeIPA server.

The first thing to check is that your FQDN is in the hosts file and maps to the server's real interface address rather than to loopback: ipa-server-install refuses to proceed when the hostname resolves to 127.0.0.1.

vi /etc/hosts


127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.5 ipa.example.com ipa
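As an added pre-flight check that is not part of the original post, here is a small shell script that parses a hosts file and flags the two FQDN mistakes that break an IPA install: the FQDN parked on the loopback line, and the short name missing as an alias. The hostnames, addresses and both sample files are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post: check that the hosts file maps
# the IPA server's FQDN to a real interface address. ipa-server-install refuses to
# run when the hostname resolves to loopback. Hostnames, addresses and the two
# sample files below are constructed for illustration.

# check_hosts_fqdn FILE FQDN
# Prints the address FILE maps FQDN to ("missing" if none). Exit status is 0
# only when that address is a non-loopback one.
check_hosts_fqdn() {
    addr=$(awk -v want="$2" '
        { sub(/#.*/, "") }                     # drop comments, whole-line or trailing
        NF < 2 { next }                        # blank line, or an address with no names
        { for (i = 2; i <= NF; i++)
              if ($i == want) { print $1; exit } }
    ' "$1")
    if [ -z "$addr" ]; then
        echo missing
        return 1
    fi
    echo "$addr"
    case $addr in
        127.*|::1) return 1 ;;                 # loopback: the IPA installer rejects this
    esac
    return 0
}

# check_hosts_alias FILE FQDN SHORT
# Exit status 0 when SHORT sits on the same line as FQDN, so short-name lookups
# resolve to the same address.
check_hosts_alias() {
    awk -v fqdn="$2" -v short="$3" '
        { sub(/#.*/, "") }
        {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
            if (f && s) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample 1: the layout the post ends up with.
GOOD_HOSTS=$(mktemp)
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.5 ipa.example.com ipa
EOF

# Constructed sample 2: the classic mistake, the FQDN added to the loopback line.
BAD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1   localhost ipa.example.com ipa   # added by a provisioning template
::1         localhost
EOF

for f in "$GOOD_HOSTS" "$BAD_HOSTS"; do
    if addr=$(check_hosts_fqdn "$f" ipa.example.com); then
        echo "$f: ipa.example.com -> $addr (ok)"
    else
        echo "$f: ipa.example.com -> $addr (loopback or absent, fix before ipa-server-install)"
    fi
done
```

Run it against /etc/hosts with your own FQDN before installing; a "missing" or 127.x result is what produces the installer's hostname error.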

Install the necessary packages (bind-dyndb-ldap is the BIND plugin that lets IPA keep its DNS zones in LDAP; it is only needed because of --setup-dns below)
yum -y install ipa-server bind-dyndb-ldap

Issue this command to start the configuration of IPA. It prompts for the realm and for the Directory Manager and admin passwords; --setup-dns additionally configures the integrated BIND server.
ipa-server-install --setup-dns

Add the necessary rules to firewalld
firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload

Set home directories to be created automatically at first login. pam_mkhomedir is shipped by the pam package and is not a package of its own, and oddjob-mkhomedir is the better choice on CentOS 7 because the directory is created by a privileged D-Bus helper instead of inside the login process. authconfig regenerates /etc/pam.d/system-auth-ac (system-auth is a symlink to it) every time it runs, so a session line appended by hand is lost on the next --update; --enablemkhomedir alone adds the pam_oddjob_mkhomedir session line. The directories it creates use umask 0077; a hand-written line with umask=0022 would have made every new home directory world-readable.
yum -y install ipa-client oddjob-mkhomedir
authconfig --enablemkhomedir --update

Set a password on the sudo lookup account that clients will bind as. FreeIPA creates the uid=sudo system account during installation, so this only (re)sets its password: ldappasswd prompts for the Directory Manager password (-W) and then for the new one (-S). -ZZ forces STARTTLS and fails rather than falling back to cleartext, so the new password does not cross the network in the clear.
ldappasswd -x -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com

Tell nsswitch to look at LDAP for sudoers. Check first whether /etc/nsswitch.conf already has a sudoers line (ipa-client-install may have added "sudoers: files sss"); if it does, edit that line instead of appending a second one.
echo "sudoers: files ldap" >> /etc/nsswitch.conf

If the client is Ubuntu and you would rather let SSSD serve the sudo rules, add sudo to the services line in /etc/sssd/sssd.conf. In that setup nsswitch.conf gets "sudoers: files sss" instead of ldap, and the sudo-ldap.conf below is not used.
services = nss, pam, ssh, sudo

Add the bind account info. bindpw is left blank here: put the password you set with ldappasswd after it. ssl start_tls together with tls_checkpeer yes and the IPA CA certificate is what stops another host on the network from impersonating the server and collecting that password. Because the file holds the password, it must be readable by root only.


cat << EOF > /etc/sudo-ldap.conf
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
EOF

Set the NIS domain name. sudo's LDAP backend matches sudoHost entries against netgroups, and netgroup triples carry the NIS domain, so it has to equal the IPA domain or host-based rules silently never apply. On CentOS 7 /etc/rc.d/rc.local is not executable by default, so make it executable (chmod +x) or this line never runs at boot.


cat << EOF >> /etc/rc.d/rc.local
nisdomainname example.com
EOF

Enable and start the necessary services (oddjobd creates the home directories, sssd handles the IPA lookups and authentication)
systemctl enable oddjobd
systemctl start oddjobd
systemctl enable sssd
systemctl start sssd