This version (2024/09/09 09:27) was approved by Daniel. The previously approved version (2024/09/07 11:15) is available.

FreeIPA

FreeIPA is a collection of tools and a web GUI for managing an AD (Active Directory). As a Docker image it provides LDAP for central storage of users, hosts and keys; the bind DNS resolves hostnames to IP addresses, and Kerberos provides SSO tied to the users.

This chapter describes how to install FreeIPA in a rootless Docker environment, how to use Let's Encrypt certificates for SSL/TLS, and how to set up central user management with it.

You will need a Docker host that is reachable from the Internet via its fully qualified domain name (FQDN), as described before. The ports given below must be reachable from the clients.

FreeIPA does not use a separate database; all required information is stored in the Docker data volume.

First, create a directory inside the Docker Compose directory you chose before in http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls

Then create your docker-compose.yml like this:

services:
  freeipa:
    image: freeipa/freeipa-server:almalinux-9
    restart: unless-stopped
    hostname: [FQDN_HOSTNAME]
# For DNS setup:
#    read_only: true
    environment:
      IPA_SERVER_HOSTNAME: [FQDN_HOSTNAME]
      TZ: "Europe/Berlin"
      PASSWORD: 'NEWPASSWORD'
#      DEBUG_NO_EXIT: 1
    tty: true
    stdin_open: true
    cgroup: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ipa_data:/data
      - ipa_journal:/var/log/journal
      - /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
# Caddy's Let's Encrypt certificates, read-only; used below to replace the self-signed certificates
      - caddy_data:/etc/letsencrypt:ro
    tmpfs:
      - /run
      - /tmp
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    command:
      - -U
      - --domain=clients.[FQDN_HOSTNAME]
# Must match the last part of the domain name, must be upper case and must be routed to the domain
      - --realm=[DOMAINPART_OF_HOSTNAME]
      - --http-pin=[NEWHTTPDPIN]
      - --dirsrv-pin=[NEWDIRSRVPIN]
      - --setup-dns
#      - --no-host-dns
# NTP: not needed, the container takes its time from /etc/localtime (see volumes);
# this host also runs a chrony daemon to sync time
      - --no-ntp
#      - --ntp-server=172.0.0.11
      - --auto-forwarders
#      - --forwarder=192.168.178.1
# Avoids the install error "Unable to determine the amount of available RAM"
      - --skip-mem-check
    ports:
# HTTP(S): proxied by Caddy
#      - "8082:80"
#      - "8443:443"
# LDAP (needed)
      - "389:389"
# LDAPS (needed)
      - "636:636"
# Kerberos (needed)
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
# DNS (needed)
      - "53:53"
      - "53:53/udp"
# NTP: not needed, chronyd of the host is used
#      - "123:123/udp"
# Unknown:
#      - "7389:7389"
#      - "9443:9443"
#      - "9444:9444"
#      - "9445:9445"
volumes:
  ipa_data:
  ipa_journal:
  caddy_data:

The caddy_data volume contains the certificates used for encryption.

Caddy will be used as the reverse proxy, so put this in your Caddyfile (see https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-caddy#caddy_configuration):

# FreeIPA
http://[FQDN_HOSTNAME]:80 {
        reverse_proxy serverpc-freeipa-1:80
}
https://[FQDN_HOSTNAME]:443 {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy https://serverpc-freeipa-1:443 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
}

The first thing you should do is secure the (LDAP) ports with the Let's Encrypt certificate that Caddy uses. Without matching certificates in place, Kerberos will later not accept the self-signed certificates that FreeIPA creates during the install.

The Compose file above mounts Caddy's certificates at /etc/letsencrypt. To use them, you need to split the file named *.crt into the parts it contains.

The parts are: 1. the certificate for your FQDN, 2. the certificate of the issuer.

To set up the truststore, we need the issuer's certificate in a file of its own and then import it into the keystores of the FreeIPA web server and LDAP server.

To do this, open a root shell in the running FreeIPA container and run the following:

[root@ipa test]# DOMAIN="[FQDN_HOSTNAME]"
[root@ipa test]# cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}
# Split the chain file: cert-01 is the server certificate, cert-02 the issuer (intermediate)
[root@ipa test]# csplit -f cert- ${DOMAIN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
# Add the intermediate certificate to the IPA trust store
[root@ipa test]# ipa-cacert-manage -p '[ipapassword]' -t C,, install cert-02
[root@ipa test]# ipa-certupdate
# Install certificate and key for the web server (-w) and the directory server (-d)
[root@ipa test]# ipa-server-certinstall -d -w ${DOMAIN}.crt ${DOMAIN}.key --pin='' -p '[ipapassword]'
[root@ipa test]# ipactl restart

The ipa-cacert-manage call installs the Let's Encrypt intermediate certificate.

You can check that it is the right one by running openssl x509 -in cert-02 -text -noout and checking that the subject looks like

Subject: C = US, O = Let's Encrypt, CN = E6

If the subject contains your FQDN, it is the wrong certificate (the server certificate instead of the issuer's).

Once ipa-server-certinstall has run successfully, your server should use these certificates for Kerberos, LDAP and the web service.

Test that the certificates for LDAP and web match: the output of

openssl s_client -connect [FQDN_HOSTNAME]:636 -showcerts </dev/null

should be the same as:

openssl s_client -connect [FQDN_HOSTNAME]:443 -showcerts </dev/null

If not, use openssl to check that the certificates and locations above really come from Let's Encrypt. Note that "openssl x509" only reads the first certificate in a file. You can use "openssl storeutl" to check everything in the file, e.g.:

openssl storeutl -text -noout -certs ca.crt
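As an added example (not part of the wiki page, and not FreeIPA's or Caddy's own tooling), the following POSIX shell helpers automate the two checks of this section: pem_nth extracts the N-th certificate of a chain file with awk (the same split the csplit command above does, so you can confirm which piece is the issuer), and check_same_leaf compares the fingerprints of the certificates served on ports 636 and 443. The script name ipa-certcheck.sh and the availability of openssl and awk inside the container are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes openssl and awk are available.

# Count the certificates in a PEM bundle read from stdin
pem_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only the N-th certificate (1-based) of a PEM bundle read from stdin.
# In the chain file Caddy writes for Let's Encrypt, 1 is the server
# certificate and 2 is the issuer (intermediate), the one to import.
pem_nth() {
  awk -v want="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == want { print }
    /-----END CERTIFICATE-----/ && n == want { exit }'
}

# SHA-256 fingerprint of the first certificate on stdin (needs openssl)
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate a TLS endpoint presents; $1 host, $2 port
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | pem_fingerprint
}

# Succeeds only if LDAPS (636) and HTTPS (443) present the same certificate,
# which is what the manual "openssl s_client ... -showcerts" comparison checks
check_same_leaf() {
  ldaps=$(served_fingerprint "$1" 636)
  https=$(served_fingerprint "$1" 443)
  [ -n "$ldaps" ] && [ "$ldaps" = "$https" ]
}

# Usage: sh ipa-certcheck.sh [FQDN_HOSTNAME]   (ipa-certcheck.sh is an assumed name)
if [ "$#" -eq 1 ]; then
  if check_same_leaf "$1"; then
    echo "OK: LDAPS and HTTPS serve the same certificate"
  else
    echo "MISMATCH: LDAPS and HTTPS certificates differ (or a port is unreachable)"
    exit 1
  fi
fi
```

Run `pem_nth 2 < [FQDN_HOSTNAME].crt | openssl x509 -noout -subject` to confirm the issuer subject before importing it with ipa-cacert-manage.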

Coming soon…

  • content/serverbasics/docker-freeipa.txt
  • Last modified: 2024/09/08 19:42
  • by Daniel