FreeIPA

From HSG Wiki
Revision as of 13:43, 8 August 2021 by Carroarmato0 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Introduction

FreeIPA is the integrated security information management solution used at the Hackerspace Gent.

It uses a combination of 389 Directory Server (LDAPv3), MIT Kerberos, NTP (optional), DNS (optional), and DogTag (Certificate System).

Access

URL: https://ipa.hackerspace.gent

First time access: You will be prompted for a new password. Don't forget to set your correct email address.


Management

Allow users to modify their own email (or some other fields)

IPA Server > Self Service Permissions > Add

Self-service name: "Users can manage their own email address"
Attributes: mail

Hooking up services to LDAP for authentication

Creating a normal user is highly discouraged. Create dedicated system accounts which are only allowed to bind.

You will need to connected directly via LDAP to make the appropriate changes.

[root@ipa ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: <application account name>
userPassword: <password for the application>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
<blank line>
^D

Example of configuration:

URL             ldap://ipa.hackerspace.gent:389
BindDN          "uid=<application account name>,cn=sysaccounts,cn=etc,dc=hackerspace,dc=gent"
Password        "<password for the application>"

BaseDN          "cn=users,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(uid=%u)"

BaseDN          "cn=groups,cn=accounts,dc=hackerspace,dc=gent"
SearchFilter    "(member=%g)"

STARTTLS

If you want to use STARTTLS for securing the connection between the application and LDAP, you can use the CA Certificate:

-----BEGIN CERTIFICATE-----
MIIEmjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQsFADA7MRkwFwYDVQQKDBBIQUNL
RVJTUEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcN
MjEwNzE5MjEzMDQwWhcNNDEwNzE5MjEzMDQwWjA7MRkwFwYDVQQKDBBIQUNLRVJT
UEFDRS5HRU5UMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0G
CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC3D0sY2uxKfvyNm1kwQwMOUuI+qu4F
vzMrb3Pu48PPUg7pEF9rvpiyv55OzPEl9rVIOyxHMq+1DroN1cREpY7ttiuGU0UB
1WP40KElU1drfLKlpNhtDB70TtsvQ9JkR4QBZLHdSEKwRaL0UL11yuiqXTplLw+q
WR2O0vJPg8dwatpJWIqoPqLx/IsCLcNlbDJ0NBFbFhD1Txr9r/ZATQX94duxfpch
bM3cWl90nBtvYnBGzo5ZOBeQD5RVLhZyW9Iu64MovkG3lEpbAOdjGeQbUOiyFwKK
9LOv1kmMDhAFVtKPOAJfCVNPlR0mo7hOMqrsaqbwnF3mQ7MwXjyvvCKdrCHKvu6t
d90Aqbm2nN/dSfw9gh7eEEVgnZzX9QI+g8/g43NXU9XfAXUvvL3QN16P3d+CEw6v
Dte+6YE4s36Bb5l+1jwQD3fDT4YuafjKJSTpqRjIZWAKXdOgLFfDWWYbT2XHCxa4
eJA8aACNywD82sYIFze1MvT7yVV5ct2a5LMCAwEAAaOBqDCBpTAfBgNVHSMEGDAW
gBSaZr01cho5oLUbMv4Od+NnDxiA+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
/wQEAwIBxjAdBgNVHQ4EFgQUmma9NXIaOaC1GzL+DnfjZw8YgPgwQgYIKwYBBQUH
AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vaXBhLWNhLmhhY2tlcnNwYWNlLmdl
bnQvY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEADrVAhnOXKQk6Ukxh+LqhduPl
IF/jQl/6FHHo3ViGAsqWIQ32CczM6hep0uy4Qgxr8Vkl2DaCOxCXUYLhDVJD7a5D
iuKclvoaR0km1uJAtLgABztysTNySDNnnfYpZgTul6jnwnrIrKOv7OsDYlLeFbot
cQLI8KZn0m2dR6Sbk6gz/npp+xe4u9ETGqALPst3zNzX5iO+4Xj0nOYDQS6II3h0
K4d0FtCTqsQV+TcaWDSA4Lfb+tPc2qscBeD9PcZOcLTLoeeo7v5WZqXgtJ83mpOE
/afRpxYGYltSufkF6uK2M0LuI7wIw/BxJzjfEykYcHDwJgRpIaRXmhotUtEPD/Vn
0chhOrhoYMxDAyXQ7emUmxwoYcUGYnKoKjhrndg1wTQeY7ECBv8G+y/oBLjVGu57
2I9e1M0Go1N1AAEzfSkEtLtVDDLvJecNQwnYRRHvoUY7eaZkbQiZVEwiF6293AEd
pMhkQ5KqmnBlTxVnj/2dxhqRsuc/9B4j1mMoufJh
-----END CERTIFICATE-----

Prevent annoying BasicAuth popup to appear on login page

In browsers outside of Firefox, for example, in Chrome, you may initially get to see a BasicAuth which doesn't seem to work for logging in. The only way to log in would be to cancel the popup a few times until presented with the proper expected login page of FreeIPA. This is because by default the first authentication mechanism is Kerberos which Chrome does not really recognize. To disable this behavior, a change needs to be made in the HTTPD configuration of FreeIPA.

[root@ipa ~]# nano /etc/httpd/conf.d/ipa.conf
...
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  ...
  # Do not attempt to negotiate Kerberos authentication as IE and Chrome do not support the standard
  # showing a confusing Basic Auth popup window by which the user cannot login with.
  BrowserMatch Windows gssapi-no-negotiate
  ...
</Location>

[root@ipa ~]# systemctl restart httpd

Automembership to Groups

By default, all new users created in FreeIPA are automatically part of the ipausers group (this can be changed in IPA Server > Configuration > Default users group.

While this can be fine, it might pose an issue on systems expecting to work with posixgroups in LDAP.

A possible solution is to create a separate dedicated group with the posixgroup option selected and use the automembership functionality to add both pre-existing and new users to said group while still being part of the original ipausers group.

Identity > Automember > User group rules > Add.

Add an Inclusive rule with Attribute uid and value .*

Backup

FreeIPA has a command to backup all the essentials. This will stop all IPA services to have a consitent backup.

[root@ipa ~]# ipa-backup 
Preparing backup on ipa.hackerspace.gent
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in HACKERSPACE-GENT to LDIF
Backing up userRoot in HACKERSPACE-GENT to LDIF
Backing up HACKERSPACE-GENT
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11
The ipa-backup command was successful

Currently, the backup is run through a cronjob and backed up to a NAS.

[root@ipa ~]# crontab -l
# Backup FreeIPA every day at 5am and transfer to Nasty
0 5 * * * /usr/sbin/ipa-backup && rsync -a --no-perms --delete /var/lib/ipa/backup/ -e 'ssh -i ~/.ssh/id_rsa -p 22' hsg@nasty.0x20:/volume1/BACKUPS/freeipa/
# Delete backups every Saturday at midnight, older than 7 days
0 0 * * 0 find /var/lib/ipa/backup/* -type d -ctime +7 -delete

Restore

Theoretically speaking, the following command should be able to restore from backup:

[root@ipa ~]# ipa-restore /var/lib/ipa/backup/ipa-full-2021-08-08-15-37-11/