The FreeIPA community is looking for your help and feedback!
The FreeIPA development team is excited to share with you a new version of the FreeIPA server, 4.1.2, running in a container on top of CentOS. It is the first time a FreeIPA upstream release is available in the CentOS Docker index. It is a preview of the features that will eventually make their way into the main CentOS distribution. This version of FreeIPA showcases multiple new major features as well as improvements to existing components above what is currently available in CentOS 7.0.
In order to use this docker container, please run
docker pull centos/freeipa
Then follow the guide/documentation available at https://registry.hub.docker.com/u/centos/freeipa/
These features include:
- Backup and Restore
Ability to back up server data and restore an instance in the case of disaster
http://www.freeipa.org/page/V3/Backup_and_Restore
- CA Certificate Management Utility
A tool to change IPA chaining or rotate the CA certificate on an already installed server
http://www.freeipa.org/page/V4/CA_certificate_renewal
- ID Views
Ability to store POSIX data and SSH keys in IPA for users belonging to a trusted Active Directory domain. Alternative POSIX data and SSH keys can also be stored for regular IPA users, making it possible to serve different POSIX data to different clients (requires SSSD 1.12.3 or later). This is useful in migration scenarios where consolidation of multiple identity stores (local files, NIS domains, legacy LDAP servers, ...) with duplicated identities and inconsistent POSIX attributes needs to be retained for some clients.
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
Note: The solution requires the latest SSSD bits available in the Copr repo. https://copr.fedoraproject.org/coprs/mkosek/freeipa/
- DNSSEC
With this version we are introducing for the first time the ability to manage DNSSEC signatures on DNS data. This feature will be available in the community version only and will not be included in CentOS 7.1.
http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support
There are also significant improvements in UI, permissions, keytab management, automatic membership and SUDO rules handling.
More information can be found here:
http://www.freeipa.org/page/V4/Automember_rebuild_membership
http://www.freeipa.org/page/V4/Forward_zones
http://www.freeipa.org/page/V4/Keytab_Retrieval
http://www.freeipa.org/page/V4/Keytab_Retrieval_Management
http://www.freeipa.org/page/V4/PatternFly_Adoption
The biggest and the most interesting feature of FreeIPA 4.1.2 is support for two-factor authentication using HOTP/TOTP-compatible software tokens like FreeOTP (an open source alternative compatible with Google Authenticator) and hardware tokens like YubiKeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here.
http://www.freeipa.org/page/V4/OTP
If you want to see this feature in CentOS 7.1 proper we need your help!
Please give it a try and provide feedback. We really, really need it!
Please use freeipa-users@redhat.com if you have any questions.
If you notice any issues or want to file an RFE you can do it here:
https://fedorahosted.org/freeipa/ (requires a Fedora account).
You can also find us on irc.freenode.net on #freeipa.
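The following is an added worked example of the HOTP/TOTP second factor the announcement describes, written for this page; it is not FreeIPA's own code (FreeIPA implements this in its ipa-otpd daemon) but the same RFC 4226 / RFC 6238 arithmetic an OTP-aware server performs, plus the replay check that makes a time-based code safe to accept only once. Assumptions not taken from the post: 6-digit codes, a 30-second step, SHA-1, and the convention that the user types the password immediately followed by the OTP in the single password field. The seed is the RFC 6238 reference seed, used as constructed input.

```python
"""HOTP/TOTP verification as an OTP-aware authentication server performs it
(RFC 4226 / RFC 6238).  Added example for this page: NOT FreeIPA's code,
only the same algorithm.  Assumes 6-digit SHA-1 codes with a 30 s step and
the password+OTP-in-one-field convention (assumptions, see lead-in)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference seed, ASCII "12345678901234567890" (constructed input)
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    (offset from the low nibble of the last byte, 31-bit value), then reduce
    modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, now=None, step=30, digits=6, algo="sha1",
                window=1, last_counter=None):
    """Check a submitted code against the current step and `window` steps on
    either side (clock drift), comparing each candidate in constant time.
    Returns the matching counter so the caller can persist it: candidates
    <= last_counter are skipped, so a captured code cannot be replayed
    inside the window.  Returns None on failure."""
    now = time.time() if now is None else now
    base = int(now) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            return counter
    return None


def split_password_and_otp(submitted: str, digits: int = 6):
    """Split 'password+OTP' typed into one field into its two factors.
    Returns None when the tail is not a `digits`-long numeric code."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def secret_from_base32(b32: str) -> bytes:
    """Decode a token seed the way provisioning apps show it: base32, often
    unpadded, grouped with spaces or lower-cased."""
    clean = b32.replace(" ", "").strip().upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def authenticate(stored_password: str, secret: bytes, submitted: str,
                 now: float, last_counter=None):
    """Both factors at once: the password must match and the OTP must be an
    unused code inside the window.  Returns the counter to store on success,
    None on failure.  (A real server verifies the password against its own
    store; a plain constant-time comparison stands in for that here.)"""
    parts = split_password_and_otp(submitted)
    if parts is None:
        return None
    password, code = parts
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return None
    return verify_totp(secret, code, now=now, last_counter=last_counter)


if __name__ == "__main__":
    # RFC 6238 Appendix B: the SHA-1 reference code at T=59 is 94287082
    print(totp(RFC_SEED, 59, digits=8))                                     # 94287082
    print(authenticate("Secret123", RFC_SEED, "Secret123287082", now=59))   # 1
```

The returned counter is the important design point: a server that only answers yes/no to `verify_totp` will accept the same code twice within the drift window, so the last accepted counter has to be stored per token and passed back in as `last_counter`.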
Following your instructions:
# docker pull centos/freeipa
Pulling repository centos/freeipa
Status: Downloaded newer image for centos/freeipa:latest
# docker build -t freeipa-server .
2014/11/25 07:20:48 no Dockerfile found in .
Fail... any idea where I could find complete instructions?
Running FreeIPA in a container is a great idea, but there's a big chance that the container cannot start after being stopped.
freeipa_1 | FreeIPA server is already configured, starting the services.
freeipa_1 | Starting [ntpd.service]
freeipa_1 | Starting [certmonger.service]
freeipa_1 | Starting [ipa-dnskeysyncd.service]
freeipa_1 | Starting [ipa.service]
freeipa_1 | Existing service file detected!
freeipa_1 | Assuming stale, cleaning and proceeding
freeipa_1 | zone localhost.localdomain/IN: loaded serial 0
freeipa_1 | zone localhost/IN: loaded serial 0
freeipa_1 | zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
freeipa_1 | zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
freeipa_1 | zone 0.in-addr.arpa/IN: loaded serial 0
freeipa_1 | ipa: INFO: The ipactl command was successful
freeipa_1 | Starting Directory Service
freeipa_1 | Starting krb5kdc Service
freeipa_1 | Starting kadmin Service
freeipa_1 | Starting named Service
freeipa_1 | Starting ipa_memcached Service
freeipa_1 | Starting httpd Service
freeipa_1 | Starting pki-tomcatd Service
freeipa_1 | Starting ipa-otpd Service
freeipa_1 | Starting ipa-dnskeysyncd Service
freeipa_1 | Starting [rhel-domainname.service]
freeipa_1 | domainname: you must be root to change the domain name
freeipa_1 | Starting [sssd.service]
freeipa_1 | could not find enclosing zone
docker_freeipa_1 exited with code 1
I tried on CentOS 7, through yum, and it's working.
Server:
curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
yum install freeipa-server bind bind-dyndb-ldap perl
ipa-server-install --setup-dns --no-forwarders
Client:
curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
yum install freeipa-client
ipa-client-install --enable-dns-updates --mkhomedir
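An added example for the server steps above (not part of the post or of FreeIPA): a pre-flight check run before `ipa-server-install`, covering two preconditions the installer itself enforces, that the host has a fully qualified hostname and that this name does not resolve to a loopback address (usually a stray /etc/hosts entry), and assembling the same `--setup-dns --no-forwarders` invocation with the domain and realm made explicit instead of left to interactive prompts. The realm derivation (domain upper-cased) is the installer's default. Hostnames and addresses in the code are constructed; the resolver is injectable so the checks can be exercised offline.

```python
"""Pre-flight checks and argv assembly for ipa-server-install.
Added example for this page, not FreeIPA code.  Mirrors the installer's
FQDN and not-loopback preconditions; hostnames below are constructed."""
import re
import socket
import subprocess

# one DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """At least two valid labels and at most 253 characters overall."""
    name = hostname.rstrip(".")
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels))


def domain_of(hostname: str) -> str:
    """Everything after the first label: ipa.example.test -> example.test."""
    return hostname.rstrip(".").split(".", 1)[1]


def default_realm(domain: str) -> str:
    """The installer's default Kerberos realm is the domain upper-cased."""
    return domain.upper()


def resolves_to_loopback(hostname, resolver=socket.gethostbyname):
    """True if the name resolves to 127.x or ::1, False if it resolves
    elsewhere, None if it does not resolve at all.  `resolver` is
    injectable (e.g. a dict lookup) for offline testing."""
    try:
        addr = resolver(hostname)
    except OSError:
        return None
    return addr.startswith("127.") or addr == "::1"


def preflight(hostname, resolver=socket.gethostbyname):
    """Return a list of problems; an empty list means it is safe to proceed."""
    problems = []
    if not is_fqdn(hostname):
        problems.append(f"hostname {hostname!r} is not a fully qualified domain name")
        return problems
    loop = resolves_to_loopback(hostname, resolver)
    if loop is None:
        problems.append(f"{hostname} does not resolve; add an A record or /etc/hosts entry first")
    elif loop:
        problems.append(f"{hostname} resolves to a loopback address; it needs a routable IP")
    return problems


def install_command(hostname, setup_dns=True, forwarders=()):
    """Build the ipa-server-install argv the post runs, with --hostname,
    --domain and --realm given explicitly.  With setup_dns and no
    forwarders this is the post's --setup-dns --no-forwarders."""
    domain = domain_of(hostname)
    cmd = ["ipa-server-install", "--hostname", hostname,
           "--domain", domain, "--realm", default_realm(domain)]
    if setup_dns:
        cmd.append("--setup-dns")
        if forwarders:
            for fwd in forwarders:
                cmd += ["--forwarder", fwd]
        else:
            cmd.append("--no-forwarders")
    return cmd


if __name__ == "__main__":
    host = socket.getfqdn()
    issues = preflight(host)
    if issues:
        raise SystemExit("\n".join(issues))
    # the Directory Manager and admin passwords are still prompted for interactively
    subprocess.run(install_command(host), check=True)
```

Run it on the freshly built CentOS 7 host after the `yum install` step; if it exits with a message, fix the hostname or DNS before installing, since the installer refuses to proceed on exactly these conditions.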