Adding client hosts to a FreeIPA Server for Identity Management

Our look at FreeIPA as an identity management server continues with this instalment. Today we add other systems to the FreeIPA platform so they can use the server we built. (Yesterday’s post, Creating an Identity Management Server with Free-IPA, covered building that server.)

Let’s get started. We cover a text-based enrolment for headless servers, and then the GUI route offered by a fresh CentOS desktop install.

1. Install on A Text Based Console

1. Install the FreeIPA client software

CentOS, along with Red Hat Enterprise Linux and Fedora, ships the FreeIPA client in its standard repositories, so nothing extra needs enabling. On CentOS and RHEL the package is actually named ipa-client; the Fedora name used below resolves to it as well, so either works.

yum install freeipa-client

2. Configure the connection to the FreeIPA server

Now we need to configure our new local system to use the FreeIPA server for authentication, and to alter the various local services to convert them to use the central server(s).

There is a simple script that we need to run that captures the information and makes the changes.

ipa-client-install

This prompts for the details configured on the FreeIPA server. If the client’s resolver already uses the IPA DNS (or the domain publishes the _ldap._tcp and _kerberos._udp SRV records), the installer discovers the server, Kerberos realm, DNS domain and LDAP base DN itself and only asks you to confirm them. If discovery fails it asks for the IPA domain and server name, then retrieves the rest from the server.

We’re then asked for a user with permission to enrol hosts. This is the Kerberos principal, not the LDAP entry, so the answer is admin and its password rather than the uid=admin... LDAP entry. Any user holding the Host Enrollment privilege will do; admin is simply the account that exists out of the box. On a larger estate it is worth avoiding typing admin credentials on every new client at all: a one-time enrolment password set on a pre-created host entry does the same job.

ipa-client-install then reconfigures the local subsystems to use FreeIPA: it obtains a host keytab into /etc/krb5.keytab, writes /etc/krb5.conf and /etc/ipa/default.conf, configures SSSD for identity and authentication, points NTP at the IPA server, runs authconfig (on CentOS 7) so PAM and NSS go through SSSD, and adjusts sshd and ssh to fetch authorised keys and known hosts from SSSD. What it does not do by default is create home directories for users at first login, so the plain command suits servers that run key services and see only administrators, rather than general user access. If you want all your users to log in and work on a machine (such as a file server), use the option in the next section.

3. Adjusting the behaviour of the FreeIPA client

If users will log on to a system they have never used before, you’ll probably want to change the command from section 2 to:

ipa-client-install --mkhomedir

This creates a home directory for each new user at first login (it enables pam_oddjob_mkhomedir). The alternative is to hold home directories on a central file server and mount them on every host. If you do neither, the user still logs in but lands in / with a “Could not chdir to home directory” warning from sshd.

Note: if the FreeIPA packages were selected at install time there is nothing to worry about. If ipa-client-install fails after a yum upgrade, reboot and try again; https://bugzilla.redhat.com/show_bug.cgi?id=1504688 refers.

4. Check that it works

Open a new SSH connection to the server and log in with a user created on the FreeIPA server.

You should be logged in and, if the user has never logged in before, prompted to change the password (FreeIPA marks passwords set by an administrator as expired). If the client was enrolled with --mkhomedir you should be in a home directory belonging to the user. Running id and klist should show the user’s IPA groups and a Kerberos ticket for the realm.
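Steps 1 to 4 above as one scripted run, added here as an example for this post (it is not code from the FreeIPA project). The server name ipa.example.com, domain example.com, realm EXAMPLE.COM and client name client1.example.com are assumptions to replace with your own. It swaps the interactive admin prompt for a one-time enrolment password minted with ipa host-add --random on a pre-created host entry, so the admin password is never typed on the client, and it finishes with a check that the resulting client configuration and host keytab agree with each other.

```shell
#!/usr/bin/env bash
# Enrol a CentOS/RHEL host in FreeIPA with a one-time password, then sanity-check it.
# Added example for this post, not code from the FreeIPA project. The server, domain,
# realm and client names are assumptions; replace them with your own.
set -eu

IPA_SERVER="ipa.example.com"   # assumed FreeIPA server FQDN
IPA_DOMAIN="example.com"       # assumed DNS domain
IPA_REALM="EXAMPLE.COM"        # Kerberos realm; FreeIPA's convention is the domain upper-cased
CLIENT_FQDN="${CLIENT_FQDN:-client1.example.com}"   # assumed client name; must be an FQDN

# Step A, run wherever you hold an admin ticket (normally the IPA server): pre-create the
# host entry and let the server mint a random one-time enrolment password. Only that OTP
# goes to the client, so the admin password is never typed or logged there.
# Add --force to host-add if the client has no DNS A record yet.
issue_otp() {
    local fqdn="$1"
    kinit admin
    ipa host-add "$fqdn" --random | awk -F': ' '/Random password/ { print $2 }'
}

# Step B, run on the client: the unattended equivalent of the prompts in sections 2 and 3.
# --mkhomedir turns on pam_oddjob_mkhomedir so first-time users get a home directory
# instead of landing in /.
enrol_client() {
    local otp="$1"
    ipa-client-install --unattended \
        --server "$IPA_SERVER" --domain "$IPA_DOMAIN" --realm "$IPA_REALM" \
        --hostname "$CLIENT_FQDN" --password "$otp" --mkhomedir
}

# Step C: check that enrolment produced a consistent client. Takes the text of
# /etc/ipa/default.conf and of `klist -kt /etc/krb5.keytab` as arguments so it can also
# be run over captured output. Returns 0 when realm, domain, server and host keytab
# agree, 1 otherwise.
check_enrolment() {
    local conf="$1" keytab_list="$2" fqdn="$3"
    local realm domain server
    realm=$(printf '%s\n' "$conf" | sed -n 's/^realm *= *//p')
    domain=$(printf '%s\n' "$conf" | sed -n 's/^domain *= *//p')
    server=$(printf '%s\n' "$conf" | sed -n 's/^server *= *//p')
    # The realm must be the upper-cased domain, otherwise SSSD's domain-to-realm mapping is off.
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ] || return 1
    # The configured server should live inside the IPA domain.
    case "$server" in *."$domain") ;; *) return 1 ;; esac
    # The keytab must hold this host's principal in that realm; without it the client
    # cannot authenticate to the server and user logins will fail.
    printf '%s\n' "$keytab_list" | grep -qF "host/$fqdn@$realm" || return 1
}

# Run the whole procedure only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "enrol" ]; then
    otp=$(issue_otp "$CLIENT_FQDN")
    enrol_client "$otp"
    if check_enrolment "$(cat /etc/ipa/default.conf)" "$(klist -kt /etc/krb5.keytab)" "$CLIENT_FQDN"; then
        echo "enrolment of $CLIENT_FQDN verified"
    else
        echo "enrolment check failed; inspect /var/log/ipaclient-install.log" >&2
        exit 1
    fi
fi
```

Run it as ./enrol.sh enrol on the client once issue_otp has been executed where an admin ticket is available (in practice you copy the OTP across rather than running both halves on one host). Passing --principal admin --password on the command line instead would work, but leaves the admin password in shell history and in ps output for the duration of the install, which is why the OTP route is preferred here.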

2. For a new GUI-based client install

Proceed through the CentOS install and, when it completes and asks you to create a user, click the Setup for Enterprise Login button at the bottom of the screen instead. Enter the realm (EXAMPLE.COM) and an existing user’s name and password. A further dialog then asks for credentials to attach the computer to the FreeIPA platform; this is where the admin user and password go.

That’s it. You’ll be logged in with the user, and able to use the machine, with all the rights and privileges that entails.


John Dixon

John Dixon is the Principal Consultant of thirteen-ten nanometre networks Ltd, based in Wiltshire, United Kingdom. He has a wide range of experience, (including, but not limited to) operating, designing and optimizing systems and networks for customers from global to domestic in scale. He has worked with many international brands to implement both data centres and wide-area networks across a range of industries. He is currently supporting a major SD-WAN vendor on the implementation of an environment supporting a major global fast-food chain.
