Building An Enterprise on SUSE/openSUSE - EP 02 - FreeIPA Server

This is the second article in a series on designing an enterprise ecosystem on SUSE/openSUSE. This article will only reference openSUSE, but the information is broadly applicable to the comparable SUSE Linux Enterprise systems.
Understanding the Tool
FreeIPA Server is the upstream open-source project that most of the industry knows as Red Hat Identity Management, and it provides the central source of identity, permissions, and security certificates for this design of an enterprise domain. Most of you will be familiar with Microsoft's Active Directory Domain Controller services; FreeIPA performs functionally the same services in a Linux context. The services break down into the following roles:
- Directory Server
- Kerberos
- DNS
- Certificate Authority
- NTP
Microsoft's Active Directory Domain Controller services integrate a few other standard features that FreeIPA does not, but which are available through other services in a Linux ecosystem. Examples of these services are:
- Group Policy Objects (GPO)
- Print Server Management
- File Storage
GPO services are pre-configured settings options set up for the benefit of Windows system administrators; they are fantastic and a primary feature that has kept enterprises on Windows over the last 20 years. However, GPO is extremely simple to replicate functionally in the Linux ecosystem through the use of Salt for state management and configuration. This Salt configuration is best managed through a service called Uyuni/SUSE Manager.
Print server management is configurable through central CUPS print servers, managed through Salt with Uyuni/SUSE Manager. This is not always ideal in higher-security environments, but FreeIPA does support segmentation tools that can give more fine-grained control of the environment when necessary.
File storage is important for those leaving Windows Server, because Microsoft has made storage setups easy and simple to use. But today the storage options on Linux are far superior, and you have a wide variety of tools available such as TrueNAS, or even just shared storage mounts configured in YaST on openSUSE. These mounts can then be handed out as mount points through FreeIPA user settings.
The Tools In The Tools
Knowing the names of the tools is like knowing the colors of the rainbow: you might be able to see them, but the real knowledge is knowing how refraction works. I won't give you a full lecture on each tool, but you do need to know what each tool is for when troubleshooting and configuring.
1 - Directory Server
LDAP, LDAP, and LDAP. Everything will pretty much always come back to using LDAP (Lightweight Directory Access Protocol) to interact with a database that stores identity information. There are a handful of directory databases that can sit behind the LDAP protocol, but functionally consider them like Postgres vs MariaDB vs SQL Server: they all speak SQL, and until you're doing something specific and large it doesn't matter enough to care about. In the case of FreeIPA the specific tool is 389 Directory Server; more information on this project can be found at www.port389.org.
2 - Kerberos
Kerberos is the tool for mutual authentication. When your user logs in, it obtains a cryptographic ticket from the Kerberos server, and this ticket lets other tools joined to FreeIPA sign the user in without needing to authenticate against LDAP again. Functionally, a beginner needs to know that this service provides mutual authentication, encryption of the authentication exchange, and authentication tickets that can be used with multiple services without needing a password every time. FreeIPA utilizes the MIT implementation of Kerberos; further information on it can be found at web.mit.edu/kerberos.
3 - DNS
Domain Name System. This service converts human-readable domain names into IP addresses. FreeIPA has a special implementation of DNS that tries to solve several replication and management issues with enterprise DNS; it is excellent, but it is ultimately also based on the BIND DNS server project. The website for the project was down at the time of writing, so it's not linked here.
4 - Certificate Authority
An enterprise's certificate authority is vital to a well-managed SSL/TLS layer in the enterprise. The certificate authority is a single authority that issues a public certificate that you can tell all of your computers to trust; this allows you to sign SSL certificates that your computers consider just as valid as those from the public "known secure" certificate authorities your browser already stores.
The service utilizes Dogtag; documentation can be found at dogtagpki.org.
5 - NTP
I don't recommend this service personally, as I think the correct place for NTP is either the router or a dedicated Raspberry Pi running Time Pi. However, FreeIPA does utilize a time server running chrony; documentation can be found at chrony-project.org.
Lets Get Cooking
If you don't know how to set up openSUSE MicroOS with FDE and Cockpit, then you should read Article 1 here. However, this guide will work on any system that supports Podman. For the purposes of this guide we will suppose that our company is called "domain" and our website is "domain.local"; we will be using the subdomain "net" for our intranet network of company tools. Therefore our FreeIPA server will serve as the authority controller for the domain "net.domain.local", and as the first server in this domain we will call it "aaa". This leads to the following:
- Domain - net.domain.local
- Domain Authority Server (FreeIPA) - aaa.net.domain.local
- Kerberos Domain - NET.DOMAIN.LOCAL
- Make and configure your user for this project. I always start with podman-runner
useradd podman-runner
passwd -l podman-runner
loginctl enable-linger podman-runner
- Create the volume for the pod. As a best practice, name it the same as your server; this way, when you store backups together, you can always identify which volumes belong to which server. NEVER EVER NAME THIS VOLUME "freeipa" or "ipa"; always give it a name that identifies where it goes so you can't get them confused as you grow.
sudo -u podman-runner podman volume create aaa.net.domain.local
- Create the podman pod. Note that this pod must be named with the FreeIPA server's FQDN, as the pod name becomes the pod's localhost address and domain name, which the FreeIPA setup script needs. Additionally, leave the port numbers high, as we will set up the forwarding later to manage port access through the firewall.
sudo -u podman-runner podman pod create \
--name aaa.net.domain.local \
--restart=always \
-p 8080:80 \
-p 8443:443 \
-p 8389:389 \
-p 8636:636 \
-p 8888:88 \
-p 8464:464 \
-p 8888:88/udp \
-p 8464:464/udp \
-p 8123:123/udp \
-p 5353:53/tcp \
-p 5353:53/udp \
-v /etc/localtime:/etc/localtime:ro \
-v /sys/fs/cgroup:/sys/fs/cgroup \
-v aaa.net.domain.local:/data:Z
- Create the podman container. Ensure you set a version tag for the flavor of FreeIPA server you want; at the time of writing, the up-to-date version I chose is "docker.io/freeipa/freeipa-server:almalinux-9-4.12.2".
sudo -u podman-runner podman run -it \
--name aaa \
--pod aaa.net.domain.local \
--restart=always \
docker.io/freeipa/freeipa-server:almalinux-9-4.12.2
Now let's set the configuration for the FreeIPA server. Because the container is run with -it, an interactive terminal opens in which you can answer the setup script's prompts and complete the following options.
- "Do you want to configure integrated DNS (BIND)? [no]:"
- Enter "yes" so the DNS server is set up.
- "Server host name [aaa.net.domain.local]:"
- This is the domain name of your server. It should be correct; hit Enter to proceed.
- "The domain name has been determined based on the host name. Please confirm the domain name [net.domain.local]:"
- This should be correct; hit Enter to proceed.
- "Please provide a realm name [NET.DOMAIN.LOCAL]:"
- This should be set correctly from the FQDN of the pod. Hit Enter to proceed.
- "Directory Manager password:"
- Enter a really good password. Make it long and make it strong.
- "IPA admin password:"
- Remember what I said about passwords. Your last one sucked, so make a new, better one.
- "Do you want to configure DNS forwarders? [yes]:"
- This will set up BIND DNS services so devices joined to the domain can update and manage their DNS records.
- "Do you want to configure these servers as DNS forwarders? [yes]:"
- This will pull the default DNS servers from your host machine; make sure they are correct before entering yes. If they are wrong, enter no, update the DNS servers, and then enter yes when ready to proceed.
- "Enter an IP address for a DNS forwarder, or press Enter to skip."
- Press Enter to keep the configuration listed above from /etc/resolv.conf.
- "Do you want to search for missing reverse zones? [yes]:"
- This always seems to fail, but it doesn't hurt. It's unlikely the reverse zones exist, but if they do, you want them found now.
- "Do you want to create reverse zone for IP ##.##.##.## [yes]:"
- Press Enter to create the reverse zone for the server.
- "Please specify the reverse zone name [0.0.##.in-addr.arpa.]:"
- If everything up to here has been correct, then you can safely press Enter to proceed.
- "NetBIOS domain name [NET]:"
- Press Enter to use NET; this is the correct default.
- "Do you want to configure chrony with NTP server or pool address? [no]:"
- Press Enter to proceed unless you have an NTP server pool or address you are ready to configure.
- "Continue to configure the system with these values? [no]:"
- The screen will display your configuration options; ensure they are correct and then enter "yes".
- The service will now set itself up. This typically takes a few minutes; when it completes, close the terminal session to close the exec session.
Server Configurations
Now the software is installed in the pod, but we have to configure it to be stable. To do this we will do three things:
- Set SELinux policies
setsebool -P virt_qemu_ga_read_nonsecurity_files 1
ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
semodule -X 300 -i my-qemuga.pp
- Set firewall forwarding settings with firewall-cmd to forward traffic and allow it through the firewall:
sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
sudo firewall-cmd --zone=public --permanent --add-port=443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=389/tcp
sudo firewall-cmd --zone=public --permanent --add-port=636/tcp
sudo firewall-cmd --zone=public --permanent --add-port=88/tcp
sudo firewall-cmd --zone=public --permanent --add-port=464/tcp
sudo firewall-cmd --zone=public --permanent --add-port=53/tcp
sudo firewall-cmd --zone=public --permanent --add-port=53/udp
sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8389/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8636/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8888/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8464/tcp
sudo firewall-cmd --zone=public --permanent --add-port=88/udp
sudo firewall-cmd --zone=public --permanent --add-port=464/udp
sudo firewall-cmd --zone=public --permanent --add-port=123/udp
sudo firewall-cmd --zone=public --permanent --add-port=8888/udp
sudo firewall-cmd --zone=public --permanent --add-port=8464/udp
sudo firewall-cmd --zone=public --permanent --add-port=8123/udp
sudo firewall-cmd --zone=public --permanent --add-port=5353/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5353/udp
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=389:proto=tcp:toport=8389 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=636:proto=tcp:toport=8636 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=88:proto=tcp:toport=8888 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=464:proto=tcp:toport=8464 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=88:proto=udp:toport=8888 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=464:proto=udp:toport=8464 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=123:proto=udp:toport=8123 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=53:proto=tcp:toport=5353 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toport=5353 --permanent
sudo firewall-cmd --reload
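The same eleven port mappings appear three times on this page: as the pod's -p flags, as the open ports, and as the forward rules, and every copy has to agree or a service silently ends up unreachable. The following is an added example, not code from the article or the FreeIPA project, that keeps one table and prints the other two forms from it; PORT_MAP and the function names are my own. It reproduces the page's choice of opening the high host ports in the public zone as well, which makes the pod directly reachable on 8080 and friends in addition to the standard ports.

```shell
#!/bin/sh
# Added example, not from the article: one port table that generates both the
# "-p" flags for "podman pod create" and the firewall-cmd lines, so the
# hand-typed copies of the list cannot drift apart. Host ports are the high
# ports the article maps each service to.

# Columns: <service port> <protocol> <host port>
PORT_MAP='80 tcp 8080
443 tcp 8443
389 tcp 8389
636 tcp 8636
88 tcp 8888
464 tcp 8464
88 udp 8888
464 udp 8464
123 udp 8123
53 tcp 5353
53 udp 5353'

# Fail if a host port/protocol pair appears twice: a copy-paste slip that
# would make two services compete for the same published port.
check_port_map() {
    dupes=$(printf '%s\n' "$PORT_MAP" | awk '{ print $3 "/" $2 }' | sort | uniq -d)
    [ -z "$dupes" ]
}

# Print the publish flags for "podman pod create" (host:container/proto).
pod_port_flags() {
    printf '%s\n' "$PORT_MAP" | while read -r svc proto host; do
        printf '%s %s:%s/%s\n' -p "$host" "$svc" "$proto"
    done
}

# Print the firewall-cmd lines the article applies by hand: open the standard
# service port, open the high host port, and forward standard -> high.
# Nothing is executed here; review the output, then pipe it into sh to apply.
firewall_rules() {
    zone="${1:-public}"
    printf '%s\n' "$PORT_MAP" | while read -r svc proto host; do
        printf 'firewall-cmd --zone=%s --permanent --add-port=%s/%s\n' "$zone" "$svc" "$proto"
        printf 'firewall-cmd --zone=%s --permanent --add-port=%s/%s\n' "$zone" "$host" "$proto"
        printf 'firewall-cmd --zone=%s --permanent --add-forward-port=port=%s:proto=%s:toport=%s\n' \
            "$zone" "$svc" "$proto" "$host"
    done
    echo 'firewall-cmd --reload'
}

# Stand-alone usage: validate the table, then show what would be applied.
check_port_map || { echo 'duplicate host port in PORT_MAP' >&2; exit 1; }
pod_port_flags
firewall_rules public
```

Running the script prints the flags and rules without touching the host; `firewall_rules public | sudo sh` applies them once you have read them. If you decide the pod should only be reachable on the standard ports, delete the second printf in firewall_rules so the 8xxx host ports are not opened in the zone.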
- Set up service restarting with systemd. Please note the method used here is deprecated, but podman has failed to create a replacement that doesn't suck, so we will continue to ignore the deprecation warnings.
a. Create the file location
sudo -u podman-runner mkdir -p /home/podman-runner/.config/systemd/user
b. Create the system service file
sudo -u podman-runner podman generate systemd --name aaa --new | sudo -u podman-runner tee /home/podman-runner/.config/systemd/user/container-aaa.service
c. Reload systemctl and enable the service
export XDG_RUNTIME_DIR=/run/user/$(id -u podman-runner)
sudo -u podman-runner XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR systemctl --user daemon-reexec
sudo -u podman-runner XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR systemctl --user daemon-reload
sudo -u podman-runner XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR systemctl --user enable container-aaa.service
- Now we need to activate the web UI. This can be done by performing the initial Kerberos authentication as follows:
sudo -u podman-runner podman exec -it aaa /bin/bash
[root@aaa /]# kinit admin
Password for admin@NET.DOMAIN.LOCAL:
- Now we need to configure the server to respond to all DNS queries. By default the server will only respond to queries for the domain; if you add the line 'allow-recursion { any; };' to the file /etc/named/ipa-options-ext.conf, it will tell the server to answer all incoming DNS queries and forward the ones it does not know.
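Note the scope of that line: 'any' means every client that can reach port 53 may recurse through this server, and in this setup 53/tcp and 53/udp are forwarded from the public zone, so if the host has a public-facing interface you have built an open resolver. The usual mitigation is to list your own networks instead of 'any'; the server still answers authoritatively for net.domain.local for everyone. The following is an added example, not code from the article or from FreeIPA, that writes the restricted form and checks the file before you restart named. The function names are mine, and the CIDR ranges passed in are placeholders for your real internal subnets.

```shell
#!/bin/sh
# Added example, not from the article: write ipa-options-ext.conf with
# recursion limited to your own networks instead of "any". The CIDR ranges
# are placeholders; pass your real internal subnets as arguments.

# The article's line. Anyone who can reach port 53 (forwarded from the public
# zone in this setup) may use this server as a recursive resolver.
OPEN_RECURSION='allow-recursion { any; };'

# Write the restricted form: localhost plus the given networks may recurse;
# everyone else still gets authoritative answers for net.domain.local.
# Usage: write_options_ext /etc/named/ipa-options-ext.conf 10.0.0.0/8 192.168.0.0/16
write_options_ext() {
    target="$1"; shift
    list='localhost;'
    for net in "$@"; do
        list="$list $net;"
    done
    cat > "$target" <<EOF
// Recursion (and with it the cache) only for our own networks.
// BIND defaults allow-query-cache to the same list.
allow-recursion { $list };
EOF
}

# Sanity check before restarting named: the file must not re-open recursion
# to everyone and must still carry an allow-recursion statement.
verify_options_ext() {
    if grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any' "$1"; then
        return 1
    fi
    grep -q 'allow-recursion {' "$1"
}
```

Run it inside the container (podman exec -it aaa /bin/bash), pointing it at /etc/named/ipa-options-ext.conf, then validate the whole configuration with `named-checkconf /etc/named.conf` and restart the services with `ipactl restart`. Because ipa-options-ext.conf is included inside BIND's options block, only option statements belong there; that is why the networks are listed inline rather than in a separate acl statement.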
- Now you can go to aaa.net.domain.local and sign into the web UI to configure sudo, DNS, users, and hosts. We will cover these basics in a later article.
Come Back For More
I'd like to say this is a simple process, but unfortunately installing enterprise software safely and reasonably securely is an uphill battle. But if you've read this to the end, we're all here pulling for ya. So if your boss doesn't find you useful, they're right. Keep coming back so we can fix it.
EOF.