FreeIPA
FreeIPA is a collection of tools and a web GUI for managing an identity domain comparable to an Active Directory (AD). As a Docker image it bundles an LDAP directory for central storage of users, hosts and keys, a BIND DNS server that resolves hostnames to IP addresses, and a Kerberos KDC that provides single sign-on (SSO) for those users.
This chapter describes how to install FreeIPA in a rootless Docker environment, how to use Let's Encrypt certificates for SSL/TLS, and how to set up central user management with it.
Prerequisite
You will need a Docker host that is reachable from the Internet under its fully qualified domain name (FQDN), as described before. The ports listed below must be reachable from the clients.
Docker Compose
FreeIPA does not use an external database; all needed information is stored in the Docker data volume.
First, create a directory in the Docker Compose directory you chose before in http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls
Then create your docker-compose.yml like this:
# Replace every [PLACEHOLDER] (brackets included) with your own value.
services:
  freeipa:
    image: freeipa/freeipa-server:almalinux-9
    restart: unless-stopped
    hostname: [FQDN_HOSTNAME]
    # For DNS setup:
    # read_only: true
    environment:
      IPA_SERVER_HOSTNAME: [FQDN_HOSTNAME]
      TZ: "Europe/Berlin"
      # Initial Directory Manager / admin password
      PASSWORD: 'NEWPASSWORD'
      # DEBUG_NO_EXIT: 1
    tty: true
    stdin_open: true
    cgroup: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ipa_data:/data
      - ipa_journal:/var/log/journal
      # Mounting the rootless Docker socket gives this container control over your Docker daemon
      - /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
      # Caddy's certificate volume, read-only, used in the Encryption section below
      - caddy_data:/etc/letsencrypt:ro
    tmpfs:
      - /run
      - /tmp
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      # Disables the default seccomp syscall filter for this container
      - "seccomp:unconfined"
    command:
      - -U
      - --domain=clients.[FQDN_HOSTNAME]
      # Must match the last part of the domain name, must be upper case and routed to the domain
      - --realm=[DOMAINPART_OF_HOSTNAME]
      - --http-pin=[NEWHTTPDPIN]
      - --dirsrv-pin=[NEWDIRSRVPIN]
      - --setup-dns
      # - --no-host-dns
      # NTP - not needed: this is the server whose time is taken from /etc/localtime, see volumes.
      # The host also runs a chrony daemon to sync time.
      - --no-ntp
      # - --ntp-server=172.0.0.11
      - --auto-forwarders
      # - --forwarder=192.168.178.1
      # Avoids "Error: Unable to determine the amount of available RAM"
      - --skip-mem-check
    ports:
      # HTTP(S): proxied by Caddy
      # - "8082:80"
      # - "8443:443"
      # LDAP (needed)
      - "389:389"
      # LDAPS (needed)
      - "636:636"
      # Kerberos (needed)
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      # DNS (needed)
      - "53:53"
      - "53:53/udp"
      # NTP - not needed, chronyd of the host is used
      # - "123:123/udp"
      # Unknown:
      # - "7389:7389"
      # - "9443:9443"
      # - "9444:9444"
      # - "9445:9445"
volumes:
  ipa_data:
  ipa_journal:
  caddy_data:
The caddy_data volume contains the certificates used for encryption.
Caddyfile
Caddy will be used as the reverse proxy, so in your Caddyfile (see https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-caddy#caddy_configuration) use this:
# FreeIPA
# serverpc-freeipa-1 is the container name Docker Compose assigned to the freeipa service
http://[FQDN_HOSTNAME]:80 {
    reverse_proxy serverpc-freeipa-1:80
}
https://[FQDN_HOSTNAME]:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy https://serverpc-freeipa-1:443 {
        transport http {
            tls
            # FreeIPA presents its own certificate on the backend; Caddy does not verify it
            tls_insecure_skip_verify
        }
    }
}
Encryption
The first thing you should do is secure the (LDAP) ports with the Let's Encrypt certificate that Caddy uses. Without those matching certificates in place, Kerberos will later refuse the self-signed certificates that FreeIPA creates during install.
Your docker-compose.yml should have mounted the certificates from Caddy (the caddy_data volume) at /etc/letsencrypt. To use the certificates, you need to split the file named *.crt into its included parts.
The parts will be:
1. the certificate for your FQDN
2. the certificate of the issuer
For setting up the trust store, we need the certificate of the issuer in its own file and then import it into the keystore of the FreeIPA web server and LDAP server.
To do this, open a root shell inside your running FreeIPA container and run the following:
[root@ipa test]# DOMAIN="[FQDN_HOSTNAME]"
[root@ipa test]# cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}
[root@ipa test]# csplit -f cert- ${DOMAIN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
[root@ipa test]# ipa-cacert-manage -p '[ipapassword]' -t C,, install cert-02
[root@ipa test]# ipa-certupdate
[root@ipa test]# ipa-server-certinstall -d -w /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}/${DOMAIN}.crt /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${DOMAIN}/${DOMAIN}.key --pin='' -p '[ipapassword]'
[root@ipa test]# ipactl restart
The ipa-cacert-manage call installs the Let's Encrypt intermediate certificate (the csplit prefix is cert-, so the parts are cert-00, cert-01 and cert-02).
You can check that it is the right one with
openssl x509 -in cert-02 -text -noout
and verify that the subject looks like
Subject: C = US, O = Let's Encrypt, CN = E6
If the subject contains your FQDN, it is the wrong certificate: that part (cert-01) is your own server certificate, not the issuer.
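The csplit step above numbers its output files starting with the part before the first match, which is why the issuer ends up in the second certificate file. The script below is an added illustration and not part of the original page: it reproduces that numbering with awk on a constructed two-certificate bundle (the certificate bodies are placeholder text, not real certificates) and refuses to name an issuer file when the bundle does not contain exactly the leaf plus issuer you expect.

```shell
#!/bin/sh
# Added example, not from the original page. Splits a PEM bundle into one file
# per certificate, numbered like
#   csplit -f cert- BUNDLE '/-----BEGIN CERTIFICATE-----/' '{*}'
# produces them:
#   cert-00  everything before the first BEGIN line (empty for a clean bundle)
#   cert-01  first certificate  = the server certificate for your FQDN
#   cert-02  second certificate = the issuer (Let's Encrypt intermediate),
#            the file to pass to `ipa-cacert-manage install`.
set -eu

# split_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX00, PREFIX01, ... and prints the number of certificates found.
split_bundle() {
    bundle=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir"
    : > "$outdir/${prefix}00"   # csplit also creates the (possibly empty) leading part
    awk -v dir="$outdir" -v pre="$prefix" '
        BEGIN { n = 0; out = sprintf("%s/%s%02d", dir, pre, n) }
        /-----BEGIN CERTIFICATE-----/ { close(out); n++; out = sprintf("%s/%s%02d", dir, pre, n) }
        { print > out }
        END { print n }
    ' "$bundle"
}

# issuer_part OUTDIR PREFIX COUNT -> path of the last certificate file, i.e. the
# issuer in a leaf+intermediate bundle. Fails unless at least two certificates
# were found, because otherwise "cert-02" is not the intermediate you expect.
issuer_part() {
    outdir=$1; prefix=$2; count=$3
    if [ "$count" -lt 2 ]; then
        echo "expected leaf + issuer, found $count certificate(s)" >&2
        return 1
    fi
    printf '%s/%s%02d\n' "$outdir" "$prefix" "$count"
}

# Constructed sample bundle: the bodies are placeholders, not real certificates.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/example.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-FOR-FQDN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-CERTIFICATE
-----END CERTIFICATE-----
EOF

COUNT=$(split_bundle "$DEMO_DIR/example.crt" "$DEMO_DIR/parts" cert-)
echo "certificates in bundle: $COUNT"
echo "issuer file: $(issuer_part "$DEMO_DIR/parts" cert- "$COUNT")"
# Inside the container the next step is the one from this page:
#   ipa-cacert-manage -p '[ipapassword]' -t C,, install cert-02
```

Run it on the real bundle by pointing split_bundle at ${DOMAIN}.crt instead of the constructed file; the count check is the part worth keeping, since a bundle with a different number of certificates means cert-02 is not the intermediate.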
Once ipa-server-certinstall has run successfully, your server should use those certificates for Kerberos, LDAP and the web service.
Test that your certificates for LDAP and web match:
openssl s_client -connect [FQDN_HOSTNAME]:636 -showcerts </dev/null
should show the same certificate as:
openssl s_client -connect [FQDN_HOSTNAME]:443 -showcerts </dev/null
If not, use openssl to check that the certificates in the locations above are from Let's Encrypt. Mind that "openssl x509" will only read the first certificate in a file. You can use "openssl storeutl" to check everything in the file, e.g.:
openssl storeutl -text -noout -certs ca.crt
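To compare what the two ports actually serve, the check below (an added example, not from the original page) extracts the first certificate from each captured "openssl s_client -showcerts" transcript, which is the server's own certificate, lists the subjects of the presented chain, and reports whether LDAPS and HTTPS present the same certificate. The transcripts embedded here are constructed stand-ins with placeholder certificate bodies so the script runs offline; the commented openssl lines show how to capture real ones from your FQDN.

```shell
#!/bin/sh
# Added example, not from the original page: verify that port 636 (LDAPS) and
# port 443 (HTTPS) present the same server certificate.
# Capture real transcripts with:
#   openssl s_client -connect "[FQDN_HOSTNAME]:636" -showcerts </dev/null >ldaps.txt 2>/dev/null
#   openssl s_client -connect "[FQDN_HOSTNAME]:443" -showcerts </dev/null >https.txt 2>/dev/null
set -eu

# chain_subjects TRANSCRIPT -> the " N s:" subject lines of the presented chain,
# so you can see at a glance whether it is Let's Encrypt or FreeIPA's own CA.
chain_subjects() {
    grep -E '^ *[0-9]+ s:' "$1"
}

# first_cert TRANSCRIPT -> the first PEM block; s_client prints the server
# certificate first and the rest of the chain after it.
first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ && inblock { exit }
    ' "$1"
}

# same_leaf TRANSCRIPT_A TRANSCRIPT_B -> prints "match" (exit 0) or "MISMATCH"
# (exit 1). Refuses to compare if either transcript contains no certificate
# (exit 2), since two empty results would otherwise look like a match.
same_leaf() {
    leaf_a=$(first_cert "$1")
    leaf_b=$(first_cert "$2")
    if [ -z "$leaf_a" ] || [ -z "$leaf_b" ]; then
        echo "no certificate found in transcript" >&2
        return 2
    fi
    if [ "$leaf_a" = "$leaf_b" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# Constructed sample transcripts (placeholder bodies, not real certificates).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ldaps.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ipa.example.test
   i:C = US, O = Let's Encrypt, CN = E6
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LETSENCRYPT-LEAF
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = E6
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LETSENCRYPT-INTERMEDIATE
-----END CERTIFICATE-----
EOF
cp "$SAMPLE_DIR/ldaps.txt" "$SAMPLE_DIR/https.txt"   # same certificate on both ports
# What a still-unconverted FreeIPA port looks like: its self-signed CA, not Let's Encrypt.
cat > "$SAMPLE_DIR/https-selfsigned.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:O = CLIENTS.EXAMPLE.TEST, CN = ipa.example.test
   i:O = CLIENTS.EXAMPLE.TEST, CN = Certificate Authority
-----BEGIN CERTIFICATE-----
PLACEHOLDER-FREEIPA-SELFSIGNED-LEAF
-----END CERTIFICATE-----
EOF

echo "LDAPS chain:"; chain_subjects "$SAMPLE_DIR/ldaps.txt"
echo "HTTPS chain:"; chain_subjects "$SAMPLE_DIR/https.txt"
same_leaf "$SAMPLE_DIR/ldaps.txt" "$SAMPLE_DIR/https.txt"
```

Against live transcripts, a MISMATCH together with an "i:" line naming your realm's "Certificate Authority" on one port means ipa-server-certinstall did not take effect for that service, so re-check the certificate files and the ipactl restart.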
LDAP - Central AD
Coming soon…