FreeIPA
Introduction
FreeIPA is the integrated security information management solution used at the Hackerspace Gent.
It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).
Access
URL: https://ipa.hackerspace.gent
First time access: You will be prompted for a new password. Don't forget to set your correct email address.
Management
Allow users to modify their own email (or some other fields)
IPA Server > Self Service Permissions > Add
Self-service name: "Users can manage their own email address"
Attributes: mail
Hooking up services to LDAP for authentication
Creating a normal user for an application is highly discouraged. Create dedicated system accounts under cn=sysaccounts which are only allowed to bind and search; they get no Kerberos principal, no POSIX identity and no group memberships.
System accounts are not managed by the IPA web UI or the ipa command, so you will need to connect directly via LDAP as Directory Manager to make the appropriate changes. The explicit passwordExpirationTime below keeps the account's password from expiring, so rotate it yourself and store it only in the application's configuration.
[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D
Example of an application's LDAP configuration (the option names vary per application; %u is the login name the user typed and %g is substituted into the group search). Note that FreeIPA group entries list their members in the member attribute as full user DNs, so whatever the application substitutes for %g must be the user's DN as returned by the user search, not the bare login name:
URL ldap://ipa.hackerspace.gent:389
BindDN "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password "<password for the application>"
BaseDN "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter "(uid=%u)"
BaseDN "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter "(member=%g)"
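The %u and %g placeholders are filled in with data that came from the login form, so the application must escape them per RFC 4515 before the filter reaches the directory; otherwise a login name such as * or admin)(|(uid=* changes the query instead of being matched literally. The following is an added example (not code from the wiki page or from FreeIPA): the base DNs are the ones from the configuration above, the function names and the login-name whitelist are this example's own assumptions, and the membership filter goes one step further than the configuration by checking "is this DN in that group" in a single query.

```python
"""Safe construction of the LDAP search filters used by the configuration above.

Added example; not part of the wiki page or of FreeIPA.  The base DNs are the
ones from the configuration above, everything else is this example's own.
"""
import re

USERS_BASE = "cn=users,cn=accounts,dc=hackerspace,dc=gent"
GROUPS_BASE = "cn=groups,cn=accounts,dc=hackerspace,dc=gent"

# RFC 4515 section 3: characters with a special meaning inside a filter value
# are replaced by a backslash followed by their two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed site policy for login names (defence in depth, applied before escaping).
# Adapt to the naming rules actually used; this is not FreeIPA's own pattern.
_LOGIN_RE = re.compile(r"^[a-z0-9_][a-z0-9_.-]{0,31}$")


def validate_login(login: str) -> bool:
    """Reject anything that does not look like a login name before it is used."""
    return bool(_LOGIN_RE.match(login))


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_user_filter(login: str) -> str:
    """What "(uid=%u)" becomes when %u is substituted verbatim.  Do not do this:
    a login of "*" turns it into "(uid=*)", which matches every user."""
    return f"(uid={login})"


def user_filter(login: str) -> str:
    """"(uid=%u)" with the login name escaped, so a wildcard or a closing
    parenthesis typed into the login form cannot change the query."""
    return f"(uid={escape_filter_value(login)})"


def group_filter(member_dn: str) -> str:
    """"(member=%g)": FreeIPA group entries list members by full DN, so this
    takes the DN the user search returned, not the login name.  The DN is
    still filter-escaped because a DN may itself contain '(' or ')'."""
    return f"(member={escape_filter_value(member_dn)})"


def group_membership_filter(group_cn: str, member_dn: str) -> str:
    """One query against GROUPS_BASE answering "is member_dn in group group_cn?"
    (useful when the application should only admit members of one group)."""
    return (
        f"(&(cn={escape_filter_value(group_cn)})"
        f"(member={escape_filter_value(member_dn)}))"
    )


if __name__ == "__main__":
    # Constructed input: what an attacker might type into the login form.
    for login in ("alice", "*", "admin)(|(uid=*"):
        print(f"{login!r:20} valid={validate_login(login)!s:5} "
              f"naive={naive_user_filter(login)!r:28} safe={user_filter(login)!r}")
```

The same escaping is available from the ldap3 library as ldap3.utils.conv.escape_filter_chars if the application is written in Python; whichever application you connect, check its documentation for what it does with %u before trusting the configuration above.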
STARTTLS
If you want to use STARTTLS for securing the connection between the application and LDAP, configure the application to require STARTTLS (not merely attempt it) and to verify the server certificate against the CA certificate below; without verification the connection is still open to interception.
-----BEGIN CERTIFICATE-----
MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL
RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT
UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G
CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F
vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB
1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q
WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch
bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK
9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t
d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v
Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4
eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW
gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH
AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl
bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl
IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D
iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot
cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0
K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE
/afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn
0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57
2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd
pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh
-----END CERTIFICATE-----
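Before handing this certificate to an application it is worth decoding it to see what you are about to trust, and then making sure the client requires STARTTLS and verifies the server against this CA alone rather than the system store. The following is an added example using only Python's standard library (not code from the wiki page or from FreeIPA): CA_PEM is the certificate above pasted verbatim, the function names are this example's own, and connect_starttls needs network access to the server while everything else runs offline.

```python
"""Inspect the FreeIPA CA certificate and set up a pinned STARTTLS connection.

Added example; not part of the wiki page or of FreeIPA.  CA_PEM is the CA
certificate from the page; the functions are this example's own.
"""
import socket
import ssl
from datetime import datetime, timezone

CA_PEM = """-----BEGIN CERTIFICATE-----
MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL
RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT
UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G
CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F
vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB
1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q
WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch
bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK
9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t
d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v
Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4
eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW
gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH
AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl
bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl
IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D
iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot
cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0
K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE
/afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn
0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57
2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd
pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh
-----END CERTIFICATE-----
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def tls_context(ca_pem: str = CA_PEM) -> ssl.SSLContext:
    """Client context that trusts only the FreeIPA CA, requires a valid chain
    and a matching hostname, and refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cadata=ca_pem)       # nothing from the system store
    return ctx


def ca_info(ca_pem: str = CA_PEM) -> dict:
    """Decode the CA certificate so it can be checked before it is trusted."""
    (cert,) = tls_context(ca_pem).get_ca_certs()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "organization": subject.get("organizationName"),
        "common_name": subject.get("commonName"),
        "self_signed": subject == issuer,
        "serial": cert.get("serialNumber"),
        "expires": expires,
        "expired": expires < datetime.now(tz=timezone.utc),
    }


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName StartTLS } }, BER
    encoded.  All lengths are below 128, so the short length form suffices."""
    ext = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # requestName [0]
    ext_req = b"\x77" + bytes([len(ext)]) + ext                   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req            # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                    # SEQUENCE


def starttls_succeeded(response: bytes) -> bool:
    """True if the ExtendedResponse (tag 0x78) carries resultCode success (0).
    Assumes a one-byte message id and short-form lengths, as sent above."""
    return (len(response) >= 10 and response[0] == 0x30 and response[5] == 0x78
            and response[7:10] == b"\x0a\x01\x00")


def connect_starttls(host: str = "ipa.hackerspace.gent", port: int = 389,
                     timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the plain LDAP port, negotiate StartTLS, and return a socket whose
    peer certificate chains to CA_PEM and matches `host`.  Needs the network."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request())
    if not starttls_succeeded(sock.recv(4096)):
        sock.close()
        raise ConnectionError("server refused StartTLS; do not fall back to plaintext")
    return tls_context().wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for key, value in ca_info().items():
        print(f"{key:13} {value}")
```

For the OpenLDAP command-line tools the equivalent is TLS_CACERT pointing at a file with this certificate in /etc/openldap/ldap.conf and ldapsearch -ZZ (capital ZZ makes a failed STARTTLS fatal instead of silently continuing in the clear); for an application, look for the option that sets the CA file and the one that requires STARTTLS, and set both.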
Prevent annoying BasicAuth popup from appearing on the login page
In browsers other than Firefox, for example Chrome, you may initially be shown a BasicAuth popup that does not accept your credentials; the only way to reach the proper FreeIPA login page is to cancel the popup a few times. This is because by default the first authentication mechanism offered is Kerberos (Negotiate), which Chrome does not handle the way FreeIPA expects. To disable this behaviour, a change needs to be made in the HTTPD configuration of FreeIPA. Two caveats: the BrowserMatch directive below only affects browsers whose User-Agent string contains "Windows", and /etc/httpd/conf.d/ipa.conf is generated by FreeIPA and can be rewritten by ipa-server-upgrade, so re-check the change after an upgrade.
[root@ipa ~]# nano /etc/httpd/conf.d/ipa.conf
...
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  ...
  # Do not attempt to negotiate Kerberos authentication as IE and Chrome do not support the standard
  # showing a confusing Basic Auth popup window by which the user cannot login with.
  BrowserMatch Windows gssapi-no-negotiate
  ...
</Location>
[root@ipa ~]# systemctl restart httpd
Automembership to Groups
By default, all new users created in FreeIPA are automatically part of the ipausers group (this can be changed in IPA Server > Configuration > Default users group).
While this can be fine, it might pose an issue on systems expecting to work with posixgroups in LDAP.
A possible solution is to create a separate dedicated group with the posixgroup option selected and use the automembership functionality to add both pre-existing and new users to said group while still being part of the original ipausers group.
Identity > Automember > User group rules > Add.
Add an Inclusive rule with Attribute uid and value .*
Automember rules are only evaluated when a user is created, so pre-existing users are not added until you run the rebuild task on the server: ipa automember-rebuild --type=group
Backup
FreeIPA has a command to back up all the essentials. It stops all IPA services for the duration of the backup so that the copy is consistent, which means a short outage every time it runs.
[root@ipa ~]# ipa-backup
Preparing backup on ipa.hackerspace.gent
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in HACKERSPACE-GENT to LDIF
Backing up userRoot in HACKERSPACE-GENT to LDIF
Backing up HACKERSPACE-GENT
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11
The ipa-backup command was successful
Currently, the backup is run through a cronjob and copied to a NAS. A full backup contains the directory data, the Kerberos keys and the CA private key, so the NAS share must be protected as strictly as the server itself. Because rsync runs with --delete, the weekly pruning below is mirrored to the NAS at the next sync, so the NAS also only ever holds about a week of backups.
[root@ipa ~]# crontab -l
# Backup FreeIPA every day at 5am and transfer to Nasty
0 5 * * * /usr/sbin/ipa-backup && rsync -a --no-perms --delete /var/lib/ipa/backup/ -e 'ssh -i ~/.ssh/id_rsa -p 22' hsg@nasty.0x20:/volume1/BACKUPS/freeipa/
# Delete backup directories every Sunday at midnight, older than 7 days
# (find -delete cannot remove non-empty directories, hence rm -rf)
0 0 * * 0 find /var/lib/ipa/backup/ -mindepth 1 -maxdepth 1 -type d -ctime +7 -exec rm -rf {} +
Restore
Theoretically speaking, the following command should be able to restore from backup (it has not been exercised here). ipa-restore stops all IPA services and replaces the current data with the backup's contents; it has to be run on the same host the backup was taken from, with the same FreeIPA version, and if any replicas exist they must be re-initialized from the restored server afterwards:
[root@ipa ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11/