FreeIPA 4.1.2 and CentOS

Tuesday, 2 December 2014 | Jim Perrin | Uncategorized | 3 Comments

The FreeIPA community is looking for your help and feedback!

The FreeIPA development team is excited to share with you a new version of the FreeIPA server, 4.1.2, running in a container on top of CentOS. It is the first time a FreeIPA upstream release is available in the CentOS Docker index. It is a preview of the features that will eventually make their way into the main CentOS distribution. This version of FreeIPA showcases multiple new major features as well as improvements to existing components beyond what is currently available in CentOS 7.0.


In order to use this docker container, please run
docker pull centos/freeipa

Then follow the guide/documentation available at https://registry.hub.docker.com/u/centos/freeipa/


These features include:

- Backup and Restore
Ability to back up server data and restore an instance in the case of a disaster
http://www.freeipa.org/page/V3/Backup_and_Restore

- CA Certificate Management Utility
A tool to change IPA chaining or rotate the CA certificate on an already installed server
http://www.freeipa.org/page/V4/CA_certificate_renewal

- ID Views
Ability to store POSIX data and SSH keys in IPA for users belonging to a trusted Active Directory domain. Alternative POSIX data and SSH keys can also be stored for regular IPA users, making it possible to serve different POSIX data to different clients (requires SSSD 1.12.3 or later). This is useful in migration scenarios where the consolidation of multiple identity stores (local files, NIS domains, legacy LDAP servers, ...) with duplicated identities and inconsistent POSIX attributes needs to be retained for some clients.
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust

Note: The solution requires the latest SSSD bits available in the Copr repo: https://copr.fedoraproject.org/coprs/mkosek/freeipa/

- DNSSEC
With this version we are introducing for the first time the ability to manage DNSSEC signatures on DNS data. This feature will be available in the community version only and will not be included in CentOS 7.1.
http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support

There are also significant improvements in the UI, permissions, keytab management, automatic membership and SUDO rules handling.
More information can be found here:
http://www.freeipa.org/page/V4/Automember_rebuild_membership
http://www.freeipa.org/page/V4/Forward_zones
http://www.freeipa.org/page/V4/Keytab_Retrieval
http://www.freeipa.org/page/V4/Keytab_Retrieval_Management
http://www.freeipa.org/page/V4/PatternFly_Adoption

The biggest and most interesting feature of FreeIPA 4.1.2 is support for two-factor authentication using HOTP/TOTP-compatible software tokens like FreeOTP (an open source alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as the second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here:
http://www.freeipa.org/page/V4/OTP
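The HOTP/TOTP scheme behind those tokens, shown as an added example that is not part of the original post or of FreeIPA's own code; the key is the RFC 4226 test secret (a constructed sample), and `verify_totp` is a hypothetical server-side check illustrating the usual clock-drift window and constant-time comparison.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) code generation, the algorithm used by
the software and hardware tokens FreeIPA 4.1.2 accepts as a second factor.
Added illustration, not FreeIPA code."""
import hmac
import hashlib
import struct
import time

# Constructed sample key: the 20-byte ASCII secret from the RFC 4226 test vectors.
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Return the HOTP value for `counter` (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from Unix time (RFC 6238)."""
    return hotp(key, now // step, digits, algo)


def verify_totp(key: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """Hypothetical verifier: accept the code for the current 30 s step or up to
    `window` steps either side (clock drift), comparing in constant time so a
    guessing client learns nothing from response timing."""
    for drift in range(-window, window + 1):
        expected = totp(key, now + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(TEST_KEY, c)}")
    print("TOTP now:", totp(TEST_KEY, int(time.time())))
```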

If you want to see this feature in CentOS 7.1 proper we need your help!
Please give it a try and provide feedback. We really, really need it!

Please use freeipa-users@redhat.com if you have any questions.
If you notice any issues or want to file an RFE you can do it here:
https://fedorahosted.org/freeipa/ (requires a Fedora account).
You can also find us on irc.freenode.net on #freeipa.

3 thoughts on "FreeIPA 4.1.2 and CentOS"

  1. Ted says:

    Following your instructions:

    # docker pull centos/freeipa
    Pulling repository centos/freeipa
    Status: Downloaded newer image for centos/freeipa:latest
    # docker build -t freeipa-server .
    2014/11/25 07:20:48 no Dockerfile found in .

    Fail... any idea where I could find complete instructions?

  2. Joshua Lee says:

Running freeipa in a container is a great idea, but there's a big chance that the container cannot start after being stopped.


    freeipa_1 | FreeIPA server is already configured, starting the services.
    freeipa_1 | Starting [ntpd.service]
    freeipa_1 | Starting [certmonger.service]
    freeipa_1 | Starting [ipa-dnskeysyncd.service]
    freeipa_1 | Starting [ipa.service]
    freeipa_1 | Existing service file detected!
    freeipa_1 | Assuming stale, cleaning and proceeding
    freeipa_1 | zone localhost.localdomain/IN: loaded serial 0
    freeipa_1 | zone localhost/IN: loaded serial 0
    freeipa_1 | zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
    freeipa_1 | zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    freeipa_1 | zone 0.in-addr.arpa/IN: loaded serial 0
    freeipa_1 | ipa: INFO: The ipactl command was successful
    freeipa_1 | Starting Directory Service
    freeipa_1 | Starting krb5kdc Service
    freeipa_1 | Starting kadmin Service
    freeipa_1 | Starting named Service
    freeipa_1 | Starting ipa_memcached Service
    freeipa_1 | Starting httpd Service
    freeipa_1 | Starting pki-tomcatd Service
    freeipa_1 | Starting ipa-otpd Service
    freeipa_1 | Starting ipa-dnskeysyncd Service
    freeipa_1 | Starting [rhel-domainname.service]
    freeipa_1 | domainname: you must be root to change the domain name
    freeipa_1 | Starting [sssd.service]
    freeipa_1 | could not find enclosing zone
    docker_freeipa_1 exited with code 1

  3. Akbar Khan says:

I tried on CentOS 7, through yum, and it's working.

    Server :
    curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo

    yum install freeipa-server bind bind-dyndb-ldap perl

    ipa-server-install --setup-dns --no-forwarders

    Client :

    curl -o /etc/yum.repos.d/mkosek-freeipa-epel-7.repo https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo

    yum install freeipa-client

    ipa-client-install --enable-dns-updates --mkhomedir
