Part 1: Install/Setup FreeIPA on CentOS 7

DynamicDNS with pfSense and Cloudflare

Setup Cloudflare

This guide is going to assume you already have the domain setup on CloudFlare.

  1. Log in to Cloudflare
  2. Select your username in the top right and select “My Settings”
  3. Scroll down to the “API Key” section and select “View API Key” for “Global API Key”
  4. Copy the API key; you will need it in the next section.

Setup DynamicDNS for Cloudflare on pfSense

  1. Log in to pfSense
  2. Select “Services” then “Dynamic DNS” and then select “Add”
  3. Select “Cloudflare” from “Service Type” drop down menu
  4. Select “WAN” for “Interface to monitor”
  5. Enter “<domain>” into hostname
  6. Enter Cloudflare username into username
  7. Enter the Cloudflare API key from above into password
  8. Select “Save” then “Save and Force Update”

Install/Setup FreeIPA on CentOS 7 64-bit

  1. hostnamectl set-hostname <domain> --static
  2. reboot
  3. yum update -y && yum upgrade -y
  4. yum install epel-release -y && yum update -y
  5. yum install vim net-tools htop -y
  6. yum install ipa-server ipa-server-dns -y
  7. vim /etc/hosts
    1. Add “<IP addr of freeipa> <hostname> <hostname>.<domain>”
    2. save, exit
  8. ipa-server-install --setup-dns
    1. Enter “<hostname>.<domain>” for hostname
    2. Enter “<domain>” for domain
    3. Enter “<DOMAIN>” for realm
      1. The realm is the domain name written entirely in upper case
    4. Enter a password for directory manager password
    5. Enter a password for FreeIPA admin
    6. Enter “<IP addr of FreeIPA>” for IP address for the associated hostname, press enter
    7. Enter “yes” to set up DNS forwarders.
    8. Enter DNS servers you want to request from
      1. Google DNS: 8.8.8.8, 8.8.4.4
      2. OpenDNS: 208.67.222.222, 208.67.220.220
      3. Use GRC DNS Benchmark to pick the best DNS server for you.
    9. Enter “yes” to reconfigure reverse zone
    10. Accept default for reverse zone name
    11. Enter “yes” to configure system with these values
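To make the answers above reproducible, here is an added Python pre-flight script (not from the original post or from the FreeIPA project) that validates them the way the installer's prompts do and assembles the equivalent non-interactive ipa-server-install command line; the hostname, domain and addresses it uses are constructed examples, and the two passwords are deliberately left for the installer to prompt for.

```python
import ipaddress
import re
import shlex

# Added example, not part of the original guide: validate the answers from the
# ipa-server-install walkthrough and build the equivalent command line.
# One label per DNS component, 63 chars max, at least two components.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def realm_for(domain: str) -> str:
    """The Kerberos realm FreeIPA expects is the DNS domain in upper case (step 8.3)."""
    if not FQDN_RE.match(domain.lower()):
        raise ValueError(f"not a valid DNS domain: {domain!r}")
    return domain.upper()


def hosts_line(ip: str, hostname: str, domain: str) -> str:
    """/etc/hosts entry for step 7. The first name after the address is the
    canonical one that `hostname -f` returns, so the FQDN goes first."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return f"{ip} {hostname}.{domain} {hostname}"


def build_install_cmd(hostname: str, domain: str, ip: str, forwarders) -> list:
    """Argument vector for ipa-server-install mirroring steps 8.1 to 8.11.
    --ds-password/--admin-password are omitted on purpose so the installer
    prompts for them instead of leaving them in shell history and `ps` output."""
    fqdn = f"{hostname}.{domain}".lower()
    if not FQDN_RE.match(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"{ip} cannot be the server's address")
    cmd = [
        "ipa-server-install", "--setup-dns",
        f"--hostname={fqdn}", f"--domain={domain.lower()}", f"--realm={realm_for(domain)}",
        f"--ip-address={addr}", "--auto-reverse",  # steps 8.9/8.10: create the reverse zone
    ]
    if forwarders:  # step 8.8: one --forwarder per upstream resolver
        cmd += [f"--forwarder={ipaddress.ip_address(f)}" for f in forwarders]
    else:
        cmd.append("--no-forwarders")
    return cmd


if __name__ == "__main__":
    # Constructed values; substitute your own hostname, domain and address.
    print(hosts_line("10.0.0.30", "ipa", "example.com"))
    cmd = build_install_cmd("ipa", "example.com", "10.0.0.30", ["8.8.8.8", "8.8.4.4"])
    print(" ".join(shlex.quote(a) for a in cmd))
```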

Install/Setup Postfix to forward e-mails

  1. yum remove -y sendmail
  2. yum install -y postfix
  3. yum install -y mailx
  4. sed -i 's/inet_interfaces = localhost/inet_interfaces = all/g' /etc/postfix/main.cf
  5. echo "virtual_alias_domains = <domain>" >> /etc/postfix/main.cf
  6. echo "virtual_alias_maps = hash:/etc/postfix/virtual" >> /etc/postfix/main.cf
  7. echo "@<domain> <e-mail to forward to>" >> /etc/postfix/virtual
  8. postmap /etc/postfix/virtual
  9. systemctl enable postfix
  10. systemctl restart postfix

Install/Setup FirewallD

  1. yum install firewalld -y
  2. systemctl enable firewalld
  3. systemctl start firewalld
  4. firewall-cmd --set-default-zone=internal
  5. firewall-cmd --permanent --add-service=ssh
  6. firewall-cmd --permanent --add-service=dns
  7. firewall-cmd --permanent --add-service=smtp
  8. firewall-cmd --permanent --add-service=ntp
  9. firewall-cmd --permanent --add-service=http
  10. firewall-cmd --permanent --add-service=https
  11. firewall-cmd --permanent --add-service=ldap
  12. firewall-cmd --permanent --add-service=ldaps
  13. firewall-cmd --permanent --add-service=kerberos
  14. firewall-cmd --permanent --add-service=kpasswd
  15. firewall-cmd --reload

Add first user

  1. Browse to “https://<hostname>.<domain>”
  2. Select “Identity” then “Users” and then select “Add”
    1. Enter username
    2. Enter first name
    3. Enter last name
    4. Select “admins” from dropdown menu for GID
    5. Enter password
    6. Select “add”
  3. Select the newly created user account.
    1. This page allows you to configure:
      1. OTP (Google two-factor authentication)
      2. the user's default shell
      3. uploading a public SSH key
      4. adding a user certificate
      5. adding the user to groups

Setup Google 2FA on FreeIPA accounts

  1. Select “Identity” then “Users”
  2. Select the user you wish to enable 2FA on
  3. Under “User authentication types” check “Two factor authentication (password + OTP)”
  4. Select “Save” at the top.
  5. Select “Authentication” then “OTP Tokens” and then “Add”.
  6. From the drop-down menu select the user for the OTP token.
  7. Select “add”
  8. The next page should pop up a QR code.
  9. Logout of the FreeIPA Web GUI
  10. Log in with username “testuser” and password “<password><OTP code>” (the account password immediately followed by the current six-digit code)
    1. Example
      1. Username: testuser
      2. Password: password
      3. OTP: 784598
    2. Login
      1. Username: testuser
      2. Password: password784598
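To show what the concatenated login string in step 10 actually contains, here is an added Python example (not code from the original post or from FreeIPA) that generates the 6-digit TOTP code FreeIPA's default token type uses, builds the password+OTP string, and verifies it the way a server would; the secret and password are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Added example, not from the original post. FreeIPA's default token type is
# TOTP (RFC 6238): HMAC-SHA1, 6 digits, 30-second step. The guide's login
# string is just the account password with the current code appended.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def combined_credential(password: str, secret: bytes, at: int) -> str:
    """What the user types into the password field (step 10): password + OTP."""
    return password + totp(secret, at)

def split_credential(combined: str, digits: int = 6):
    """Server-side view: the trailing digits are the OTP, everything before is
    the password. Returns (password, otp), or None if the tail is not numeric."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def verify(combined: str, password: str, secret: bytes, at: int, window: int = 1) -> bool:
    """Check both parts in constant time; accept the code for the current step and
    `window` steps either side to tolerate clock drift between phone and server."""
    parts = split_credential(combined)
    if parts is None:
        return False
    pw, otp = parts
    if not hmac.compare_digest(pw.encode(), password.encode()):
        return False
    return any(hmac.compare_digest(otp, totp(secret, at + k * 30))
               for k in range(-window, window + 1))

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed; a real secret comes from the token QR code
    print(combined_credential("password", demo_secret, int(time.time())))
```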

Install/Setup FreeIPA Client on CentOS 7 client

  1. yum -y install ipa-client
  2. nmcli c modify eno16777736 ipv4.dns 10.0.0.30
  3. nmcli c down eno16777736; nmcli c up eno16777736
  4. ipa-client-install
  5. Enter “yes” to continue with values
  6. Enter username that can add user to the domain
    1. Default user: admin
  7. authconfig --enablemkhomedir --update
    1. Configure mkhomedir if you need it (users' home directories are created at initial login)
  8. exit
  9. Log in as a domain user

Resources/Sources

  • https://community.jisc.ac.uk/library/janet-services-documentation/how-block-or-sinkhole-domains-bind
  • https://www.unixmen.com/configure-freeipa-server-centos-7/
  • https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos
  • https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=3

2 thoughts on “Part 1: Install/Setup FreeIPA on CentOS 7”

  1. Andrey says:

    Hey! Great post.
    Can I use OTP only for (for example) ssh connection for one server and disable OTP for FreeIPA web interface?

    • spartan2194 says:

      To be honest I don’t know, I haven’t tried. However, I would assume OTPs are assigned to accounts, so it’s based on accounts.
