Freeipa Server Installation

For more information on Red Hat's FreeIPA, visit


FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools, and provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage computers on the network.


1.    OS:

These instructions are only compatible with CentOS 7     and RHEL 7  

2.    Set host file entry:
Set host file entry so that the ipa server can resolve itself. This should be the first entry.

Set the host file in /etc/hosts ipa

3.    Install Epel:

yum install -y epel-release

4.    Install and configure bind:

yum install bind bind-utils

Configure Bind:

1.    Set up the bind configuration:
Edit the /etc/named.conf file to create the bind configuration

// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.

acl "trusted" {;         # ns1 - can be set to localhost;         # ns2 - set to secondary DNS server;      # Your Company Subnet

options {
        // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
        listen-on-v6 {any;};

    listen-on port 53 {;; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-transfer  {; };           # Allow tranfers to secondary dns server.
        allow-query     { trusted; };           # Allow queries from the trusted list above.

    forward first;
        // forward non authoritative queries to google's dns nameservers.
        forwarders {

         // - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         // - If you are building a RECURSIVE (caching) DNS server, you need to enable
         //   recursion.
         // - If your recursive DNS server has a public IP address, you MUST enable access
         // control to limit queries to your legitimate users. Failing to do so will
         // cause your server to become part of large scale DNS amplification
         // attacks. Implementing BCP38 within your network would greatly
         // reduce such attack surface

  recursion no;

  dnssec-enable yes;
  dnssec-validation yes;

  etc.... (Defaults)

// At the end of the file add:
include "/etc/named/named.conf.local";

2.    Set the zone files that will be loaded:
We are creating/loading a primary zone, and reverse lookup zone.

Edit /etc/named/named.conf.local to set the local dns zones

zone "" {
    type master;
    file "/etc/named/zones/"; # zone file path

zone "" {
    type master;
    file "/etc/named/zones/db.1.2.3";  # subnet

3.    Create the zone files directory:

mkdir /etc/named/zones; chmod -R 775 /etc/named

4.    Setup the primary zone file:
Edit the main zone file /etc/named/zones/

; BIND data file for local loopback interface
$TTL    604800
@       IN      SOA (
                2               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL

; name servers - NS records
        IN      NS
        IN      NS

; name servers - A records            IN      A            IN      A

; - A records
ipa             IN      A
svripa1         IN      A
svripa2         IN      A

5.    Set up the Reverse Zone File:
Edit the reverse zone file /etc/named/zones/db.1.2.3

; BIND data file for local loopback interface
$TTL    604800
@       IN      SOA (
                3               ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL

; name servers
      IN      NS
      IN      NS

; PTR Records
4      IN      PTR         ;
4      IN      PTR         ;
4      IN      PTR     ;
5      IN      PTR         ;
5      IN      PTR     ;

6.    Check the zone files:
Run a check on the main bind configurations, and look for errors.

named-checkconf /etc/named.conf
named-checkconf /etc/named/named.conf.local

If no errors are found, the check will simply return back to the prompt.

named-checkzone /etc/named/zones/
/etc/named/zones/ no TTL specified; using SOA MINTTL instead
zone loaded serial 3

named-checkzone /etc/named/zones/db.1.2.3
/etc/named/zones/db.10.79.0:1: no TTL specified; using SOA MINTTL instead
zone loaded serial 3

7.    Set permissions on the named conf/db files:

chown -R named:named /etc/named
chown -R named:named /var/named
chmod 644 /etc/named/zones/db.*

8.    Set SE Linux Policies:

restorecon -rv /var/named
restorecon -rv /etc/named

9.    Start and enable bind:

systemctl start named.service
systemctl enable named.service
systemctl status named.service

Configure the IPA server:

1.    Configure DNS:
Configure the IPA server to use itself as the primary DNS
edit /etc/sysconfig/network-scripts/ifcfg-enoxxxxx and add the following:


2.    Restart network, and check /etc/resolv.conf:

systemctl restart network.service

Check the /etc/resolv.conf file to ensure that the settings look correct.

# Generated by NetworkManager

3.    Set SELinux Value to allow zone writes:
edit the etc/sysconfig/named


4.    Check SELinux Values:

setsebool named_write_master_zones 1
getsebool named_write_master_zones
named_write_master_zones --> on

5.    Check Resolution:

PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from ( icmp_seq=2 ttl=64 time=0.049 ms

nslookup svripa1


Install IPA:

1.    Install IPA and IPA Utils:

 yum -y install ipa-server ipa-server-dns

2.    Setup IPA DNS:

ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

Server host name []:

Warning: skipping DNS resolution of host
The domain name has been determined based on the host name.

Please confirm the domain name []:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [YOURCOMPANY.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Existing BIND configuration detected, overwrite? [no]: yes
Do you want to configure DNS forwarders? [yes]: yes
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarder added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarder added. You may add another.
Enter an IP address for a DNS forwarder, or press Enter to skip:
Checking DNS forwarders, please wait ...
Do you want to configure the reverse zone? [yes]: yes
Please specify the reverse zone name []:
Using reverse zone(s)

The IPA Master Server will be configured with:
IP address(es):
Domain name:
Realm name:     YOURCOMPANY.COM

BIND DNS server will be configured to serve IPA domain with:
Reverse zone(s):

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: adding default schema
  [4/42]: enabling memberof plugin
  [5/42]: enabling winsync plugin
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: enabling ldapi
  [9/42]: configuring uniqueness plugin
  [10/42]: configuring uuid plugin

  Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Verify Kerberos Tickets:

kinit admin
Password for admin@YOURCOMPANY.COM:

Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CLUSTERFRAK.COM

Valid starting       Expires              Service principal
01/25/2016 21:57:28  01/26/2016 21:57:22  krbtgt/CLUSTERFRAK.COM@CLUSTERFRAK.COM

Change Default Shell:

ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain:
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=CLUSTERFRAK.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

Enable services through firewall:

firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=ldap
firewall-cmd --zone=public --permanent --add-service=ldaps
firewall-cmd --zone=public --permanent --add-service=kerberos
firewall-cmd --zone=public --permanent --add-service=dns

firewall-cmd --zone=public --permanent --add-port=53/udp
firewall-cmd --zone=public --permanent --add-port=88/udp
firewall-cmd --zone=public --permanent --add-port=464/udp
firewall-cmd --zone=public --permanent --add-port=123/udp

firewall-cmd --reload

Check the firewall rules:

firewall-cmd --zone=public --list-services
dhcpv6-client dns http https kerberos ldap ldaps ssh

firewall-cmd --zone=public --list-ports
464/udp 123/udp 53/udp 88/udp

Post Requisites:



Digital Ocean Bind 9 Guide