DEV Community

Dhirva Makadiya
Dhirva Makadiya

Posted on

Set up FreeIPA Server & Client.

In this guide, we'll set up a FreeIPA server and client on AWS EC2 instances using CentOS 9, restrict particular users to allow/deny SSH to a particular client, and also restrict the particular user to allow/deny only particular sudo commands inside the client.

What is FreeIPA?

FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers.

Advantages of FreeIPA

  • Convenient User and Group Management: FreeIPA provides an interface for creating, editing, and deleting users and groups. This simplifies the tasks of administrators to manage user access.
  • Centralized Management: Administrators can centrally manage and monitor users and devices on the network, which increases security and facilitates administration.
  • Free and Open-Source
  • Enhanced Security: The platform provides mechanisms for two-factor authentication, centralized management of certificates and keys, and role-based access control.

Setup FreeIPA Server and Client

1. Provision EC2 Instances

  • Launch two EC2 instances: Server: FreeIPA Server Client: FreeIPA Client
  • Attach Elastic IP (EIP) to each instance for static public IP.

2. Initial Setup on FreeIPA Server



yum update -y
dnf install nano
dnf install firewalld
systemctl enable firewalld
systemctl start firewalld


Enter fullscreen mode Exit fullscreen mode

3. Configure DNS Records

  • Log in to GoDaddy and navigate to your domain management.
  • Add DNS records for FreeIPA domains:

ipa.letsgoanywhere.info pointing to FreeIPA Server's public IP
free.ipa.letsgoanywhere.info pointing to FreeIPA Server's public IP
client.ipa.letsgoanywhere.info pointing to FreeIPA Client's public IP
Image description

4. Configure FreeIPA Server
Connect to the server through SSH



echo "<server_private_ip> free.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts
echo "free.ipa.letsgoanywhere.info" | sudo tee /etc/hostname
sudo reboot

# After reboot:
sudo yum install ipa-server ipa-server-dns -y
sudo firewall-cmd --permanent --add-service={dns,ntp,http,https,ldap,ldaps,kerberos,kpasswd}
sudo firewall-cmd --reload
sudo ipa-server-install --setup-dns


Enter fullscreen mode Exit fullscreen mode

NOTE: Remember the following values while setting up FreeIPA server dns
Hostname : free.ipa.letsgoanywhere.info
Domainname: ipa.letsgoanywhere.info
IP : <Private ip of IPA server>
Continue to configure system with these values: yes

  • To obtain a ticket-granting, run the following command:
    kinit admin

  • Access FreeIPA web UI using the FreeIPA Server's public IP. Log in as admin with the admin password.
    Image description

  • Add a new user and explore user management features. By default only one admin user is present.
    Image description

5. Configure FreeIPA Client
Connect to the client through SSH



sudo yum update -y
sudo dnf install nano

# Update hostname and hosts file
sudo hostnamectl set-hostname client.ipa.letsgoanywhere.info
echo "<private-ip-of-client> client.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts
echo "<private-ip-of-server> free.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts

# Install and configure FreeIPA client
sudo yum install ipa-client -y
sudo ipa-client-install --hostname=client.ipa.letsgoanywhere.info --mkhomedir --server=free.ipa.letsgoanywhere.info --domain=ipa.letsgoanywhere.info --realm=IPA.LETSGOANYWHERE.INFO



Enter fullscreen mode Exit fullscreen mode

NOTE: Remember the following values while setting up the FreeIPA client
Proceed with fixed values and no DNS discovery: yes (Check all client and server hostnames and domain names)
Continue to configure the system with these values: yes
User authorized to enroll computers: Username: admin and Password: <which we had set up for IPA admin server setup>

  • After the server and client are connected it will show two hosts in FreeIPA server. Initially, before the client setup, there was only one host present. Image description

6. Testing

  • Test connectivity from the FreeIPA Server to the FreeIPA Client. To connect to FreeIPA client first we need to connect to FreeIPA server and inside it we will SSH with client's IP. ```

ssh @

Example: ssh abc@54.175.68.226

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5fs3jt5zlnc58l618ej0.png)

## **Restrict/Allow particular user to connect(SSH) to any particular client**

1. Create a user which you want to restrict to SSH to particular client
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6ichvnlc6al16qz0epcf.png)
2. Go to Policy > HBAC rule and disable the current rules
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g36w9k6abd1ewmd80x4t.png)
3. Add new HBAC rule where we allow only demo user to SSH to client and no other user is allowed to SSH to that particular client.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2nhambs41y9wiyutxltj.png)
4. Test: If we SSH using the demo user we can connect to a client but if we SSH using user2 it shows permission denied as we have allowed only demo user to connect to client.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qaucfdq1qj69f00vwjnv.png) 

## **Restrict/Allow particular user to execute commands inside client**

1. Go to Policy > Sudo > Sudo commands. Add commands which you want to allow demo user to execute using sudo.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6n0co9gt0ntffxekglrk.png)
2. Create sudo command group and add the sudo commands inside this group
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/eadu7n0xmn82omua5x9n.png)
3. Create a sudo rule where we will allow the demo user to execute the `sudo touch demo.txt` command only. All other sudo commands will be denied by default.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xniiqb8zhrg8qsrlwmha.png)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/66zrwpgt84ccc3l9d58n.png)

4. Test: Using demo user if we run `sudo touch demo.txt`, it is allowed. But if we run `sudo touch demo.pdf`, it shows permission denied.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5uxcdcryzmd0r65a5wlr.png)

## **Conclusion**

> By following these steps, you'll have a fully functional FreeIPA server and client setup integrated with a custom domain. 
Most importantly we have restricted users to allow/deny to execute sudo commands and to ssh to particular clients using FreeIPA server. This configuration enables secure identity management and user authentication using FreeIPA.

Enter fullscreen mode Exit fullscreen mode

Top comments (0)