Building an identity server with FreeIPA and a Raspberry PI 4

Radu Zaharia
8 min read · Feb 28, 2022


This article is part of a that deals with centralized in a home network. We saw how to to manage identities and then we saw how to add to OpenLDAP. OpenLDAP is a very lightweight solution to identity management and is easily handled by a Raspberry PI 4 or 3. But the way we configured it, it does not support encrypted communication nor device identity. It’s just a simple user database for login. That makes it excellent for a home network with limited resources and authentication needs, but it also leaves us with the question: ok, what if I want more? What if I want an easier configuration, device management and more?

What is FreeIPA?


FreeIPA is the answer to an easily configurable directory services powerhouse that you can host on your Raspberry PI 4. Don’t try it on a Raspberry PI 3 though, it will struggle. FreeIPA automates everything you did by hand with OpenLDAP: user configuration, sudo configuration, automount setup, plus more: device enrollment, encrypted communication and secure authentication. It has a great web user interface from which you can set up everything: no need to get dirty with configuration files. Client setup is automated as well: just install the client package and run a command. Everything is faster and easier because FreeIPA is meant for the enterprise environment, where you don’t really want to manage a fleet of devices by working with config files.

On the other hand, all this power and added complexity comes with a big resource cost. When I was using OpenLDAP on my Raspberry PI 4, my RAM usage was about 0.7 GB. For FreeIPA it was around 1.2 GB. Also, FreeIPA generates a lot more network traffic due to encryption and other challenges that are put in place for device communications. But yes, the web interface is great and much easier to use and the configuration works a lot better than manually handling config files. So you have a choice: lightweight, subpar configuration that you beat into submission or a fully automated setup with a nice interface but which costs more network resources. I had both and if I had to choose again, I would pick FreeIPA. I’m just not a config file person.

Installing FreeIPA on the Fedora Server

We will install FreeIPA on Fedora Server 35. FreeIPA was built by Red Hat and is available on Ubuntu Server too, but this time we will use Fedora:

#sudo dnf install freeipa-server

FreeIPA also has a DNS package which will turn your Raspberry PI into a DNS server for your network. It’s a very cool trick which I tried once but had issues with the network configuration afterward. I’m not saying not to use it but for me, it really messed up my time synchronization and I had issues with login after that. The package is called freeipa-server-dns if you want to try. You need to install it along freeipa-server.

Before starting the FreeIPA configuration though, we need to establish the device name. The same step is repeated on every device in the network:

#sudo hostnamectl hostname ipa.your-domain.com
#sudo nano /etc/hosts
(add 127.0.0.1 ipa.your-domain.com at the bottom)

Instead of ipa you can call it anything. It’s the Raspberry PI’s name in the network. After that, we can start the FreeIPA Server configuration:

#sudo ipa-server-install --no-ui-redirect --mkhomedir

The first option here specifies that when you access your Raspberry PI URL in the browser, it should not automatically redirect to the FreeIPA administration UI. This is because you may have other services running on your Raspberry PI like Cockpit, and if you enter your Raspberry PI address in the browser you want Cockpit accessible too. To access FreeIPA, you will have to enter something like this: https://your-pi-address/ipa/ui. The second parameter instructs the FreeIPA server to create users’ home directories when they first log in.

When you run the above command, you will be asked a few essential questions:

  • Do you want to configure integrated DNS: no
  • Server host name: ipa.your-domain.com (instead of ipa, you can call it whatever you want, master, raspberry-pi, anything)
  • Please confirm the domain name: your-domain.com
  • Please provide a realm name: YOUR-DOMAIN.COM
  • Directory manager password: this is the lowest level access for the directory server. To compare it with OpenLDAP, it’s the password you configured in the root.ldif file
  • IPA admin password: the administrator’s account password, used for logging in to the FreeIPA management interface and other directory administration tasks
  • Do you want to configure DNS forwarders: no
  • Continue to configure the system with these values: yes

That’s it. FreeIPA will take some time to install and after that will suggest opening some firewall ports to allow the directory services communications through. You can do that with if you have it installed. You can also check that everything is ok by running the ipactl status command.

From other devices in the home network you should now be able to access the FreeIPA admin interface at the Raspberry PI’s IP address: https://your-pi-address/ipa/ui. There is a note I have to make: the server host name you configured earlier is the name of your Raspberry PI device in the new domain you are creating. Each device you add to the domain will have a name ending with the domain, like my-desktop.domain.com or work-laptop.domain.com. The device name in a domain is very important. It’s like a user name but for the device. Get used to it and get used to adding your domain name after it every time.

When you log in to your FreeIPA administration UI, you will have a single user available: the admin user, with the password you configured for it at the installation step. After you log in, you will be presented with a nice UI from which you can begin the configuration of your whole domain. We will talk about the configuration in the next article, but if you feel brave enough you should already be able to add and configure users, sudoers and automounts. We will talk about all of that next time, but now:

Installing FreeIPA on the clients


We start the same way, by installing FreeIPA and some needed components:

#sudo dnf install nfs-common autofs freeipa-client

Next we configure the device’s name in the network:

#sudo hostnamectl hostname my-pc.your-domain.com
#sudo nano /etc/hosts
(add 127.0.0.1 my-pc.your-domain.com and 192.168.0.11 ipa.your-domain.com using the Raspberry PI IP address)

And next we start the FreeIPA client configuration:

#sudo ipa-client-install --mkhomedir

You will again have to answer a set of questions:

  • Proceed with fixed values and no DNS discovery: yes
  • The client hostname will be detected, you should check if it’s ok
  • Same for domain name
  • Continue to configure the system with these values: yes
  • User authorized to enroll computers: admin
  • Password for admin: the admin password you configured earlier on the server

After the configuration you should reboot the client and log in normally, or if you already configured a user in the domain, you can log in using domain users. The client setup is done. Also, at this time I should remind the obvious: you cannot set up FreeIPA on your phone. You will be able to add all your devices in the domain but there is nothing you can do about the phones. Take it as you will, I am just stating that you cannot gain full domain control in your home because of this issue that lies with Android and iOS rather than with FreeIPA.
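The naming steps above are the same on the server and on every client, and they are the step the troubleshooting section below says is hardest to recover from. As an added example (this is not the article's code), the following shell script checks that a host name is a usable lowercase FQDN before you hand it to hostnamectl, derives the domain and realm that ipa-server-install and ipa-client-install ask for, prints the /etc/hosts lines from both sections, and prints the unattended forms of the two install commands that answer the same questions with flags. ipa.your-domain.com, my-pc.your-domain.com and 192.168.0.11 are the article's placeholders; the environment variable names IPA_DM_PASSWORD and IPA_ADMIN_PASSWORD are my own choice.

```shell
#!/bin/sh
# Added example, not code from the article: derive the host, domain and realm
# FreeIPA asks for from one fully qualified host name, check the name before
# touching hostnamectl or /etc/hosts, and print the unattended equivalents of
# the interactive ipa-server-install / ipa-client-install runs.
# ipa.your-domain.com, my-pc.your-domain.com and 192.168.0.11 are the
# article's placeholders; IPA_DM_PASSWORD / IPA_ADMIN_PASSWORD are names
# chosen here (assumption), exported by you before running the printed command.
set -eu

# A usable FQDN: lowercase labels of letters, digits and hyphens, at least two
# labels, no label starting or ending with a hyphen, no underscores.
ipa_check_fqdn() {
  printf '%s\n' "$1" | grep -Eq \
    '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
    || { echo "error: '$1' is not a valid lowercase FQDN (host.domain.tld)" >&2; return 1; }
}

ipa_host()   { ipa_check_fqdn "$1" && printf '%s\n' "${1%%.*}"; }  # before the first dot
ipa_domain() { ipa_check_fqdn "$1" && printf '%s\n' "${1#*.}"; }   # after the first dot
ipa_realm() {                                                      # domain in upper case
  d=$(ipa_domain "$1") || return 1
  printf '%s\n' "$d" | tr '[:lower:]' '[:upper:]'
}

# The /etc/hosts lines the article adds by hand. $2 is the address the
# machine's own name maps to (the article uses 127.0.0.1); on a client, $3/$4
# add the server's name and LAN address so it resolves without DNS.
ipa_hosts_lines() {
  ipa_check_fqdn "$1" || return 1
  printf '%s %s %s\n' "$2" "$1" "${1%%.*}"
  if [ $# -ge 4 ]; then
    ipa_check_fqdn "$3" || return 1
    printf '%s %s %s\n' "$4" "$3" "${3%%.*}"
  fi
}

# Unattended form of the article's ipa-server-install run. The passwords are
# left as variable references so they are never written into this script.
ipa_server_install_cmd() {
  ipa_check_fqdn "$1" || return 1
  printf 'ipa-server-install --unattended --hostname=%s --domain=%s --realm=%s' \
    "$1" "$(ipa_domain "$1")" "$(ipa_realm "$1")"
  printf ' --ds-password="$IPA_DM_PASSWORD" --admin-password="$IPA_ADMIN_PASSWORD"'
  printf ' --no-ui-redirect --mkhomedir\n'
}

# ipa-client-install for a client enrolling against the server. -W prompts for
# the admin password instead of taking it on the command line, where any local
# user could read it from the process list; the confirmation prompt is kept.
ipa_client_install_cmd() {
  ipa_check_fqdn "$1" || return 1
  ipa_check_fqdn "$2" || return 1
  printf 'ipa-client-install --hostname=%s --domain=%s --realm=%s --server=%s' \
    "$1" "$(ipa_domain "$1")" "$(ipa_realm "$1")" "$2"
  printf ' --principal=admin -W --mkhomedir\n'
}

main() {
  mode=$1; shift
  case "$mode" in
    server) ipa_hosts_lines "${1:-}" "${2:-}"; ipa_server_install_cmd "${1:-}" ;;
    client) ipa_hosts_lines "${1:-}" 127.0.0.1 "${2:-}" "${3:-}"
            ipa_client_install_cmd "${1:-}" "${2:-}" ;;
    *) echo "usage: $0 server FQDN OWN_IP | client FQDN SERVER_FQDN SERVER_IP" >&2; return 2 ;;
  esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

The script prints the hosts lines and the install command rather than running them, so you can review them and paste them in yourself; `sh names.sh client my-pc.your-domain.com ipa.your-domain.com 192.168.0.11` reproduces the client section with the article's placeholders. Rejecting a name without a dot or with underscores or capitals up front avoids the half-enrolled state the next section is about.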

FreeIPA troubleshooting


There are many ways a FreeIPA setup can go wrong, but the most common one is messing up the device names. Please be careful to set your device name with hostnamectl and /etc/hosts before configuring FreeIPA. If you mess this step up, it’s quite hard to recover. It usually involves a full FreeIPA client reconfiguration like this:

#sudo ipa-client-install --uninstall
#sudo update-ca-trust -f

If you reinstall the server, the clients won’t be able to access the FreeIPA admin interface because the browser’s certificates will remember the old and now inactive setup. To refresh this, you need to run:

#sudo update-ca-trust -f

And then remove the existing certificates in the browser. In Firefox I was not able to remove all traces of certificates and I had to remove the whole certificate database. You can find it by going to about:profiles in the Firefox address bar, then default, select open location and from there remove cert9.db.

At other points, I couldn’t log in using my domain credentials and I found that the host keytab on the clients was outdated and I had to refresh it like so:

#sudo ipa-getkeytab --keytab=/etc/krb5.keytab --server ipa.your-domain.com -p host/my-pc.your-domain.com@YOUR-DOMAIN.COM
#sudo systemctl restart sssd

At another point I managed to enroll a client with the server’s name, if you can imagine. I had to re-enroll the client using the proper name. The server seemed to work fine after that (using ipa-client-uninstall and then ipa-client-install again) so I did not have to reinstall the server too.
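The two failures just described (a stale host keytab, and a client enrolled under the server's name instead of its own) both show up in what the client's keytab holds versus what the machine is actually called. As an added diagnostic (not from the article), the script below lists the principals in /etc/krb5.keytab from klist -k output, checks them against hostname -f, checks that the name is in /etc/hosts, and tells you which of the article's recovery steps applies. The klist output embedded in it is constructed for the example; the host names and the realm YOUR-DOMAIN.COM are the article's placeholders.

```shell
#!/bin/sh
# Added example, not from the article: decide between the article's two
# recoveries (ipa-getkeytab refresh vs. uninstall + re-enroll) by comparing
# the host principals in /etc/krb5.keytab with the machine's own name.
# Host names and the realm are the article's placeholders; the sample klist
# output below is constructed.
set -eu

# Distinct principal names from `klist -k` output, which prints a header, a
# dashed rule, then one "KVNO Principal" line per key (several per principal).
keytab_principals() {
  printf '%s\n' "$1" | awk 'NF >= 2 && $1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# 0 if the keytab holds host/<fqdn>@<REALM>, 1 otherwise.
keytab_has_host_principal() {
  keytab_principals "$1" | grep -qxF "host/$2@$3"
}

# 0 if the (uncommented) /etc/hosts content in $2 maps an address to $1.
hosts_file_has_fqdn() {
  printf '%s\n' "$2" | awk -v f="$1" \
    '$0 !~ /^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
     END { exit !found }'
}

# Exit 0: keytab matches this host (stale key at worst, refresh it).
# Exit 1: no host principal at all (client never enrolled).
# Exit 2: keytab belongs to another name (enrolled under the wrong name).
diagnose_keytab() {
  klist_out=$1; fqdn=$2; realm=$3
  hosts=$(keytab_principals "$klist_out" | grep '^host/' || true)
  if [ -z "$hosts" ]; then
    echo "no host principal in keytab: client is not enrolled, run ipa-client-install"
    return 1
  fi
  if keytab_has_host_principal "$klist_out" "$fqdn" "$realm"; then
    echo "keytab matches host/$fqdn@$realm; if login still fails the key is stale: refresh with ipa-getkeytab and restart sssd"
    return 0
  fi
  echo "keytab holds '$hosts' but this machine is '$fqdn': enrolled under the wrong name, run ipa-client-install --uninstall and enroll again"
  return 2
}

# Constructed samples in the layout `klist -k /etc/krb5.keytab` prints.
SAMPLE_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------
   3 host/my-pc.your-domain.com@YOUR-DOMAIN.COM
   3 host/my-pc.your-domain.com@YOUR-DOMAIN.COM'
# The article's mistake: a client enrolled with the server's name.
SAMPLE_WRONG_NAME='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------
   2 host/ipa.your-domain.com@YOUR-DOMAIN.COM
   2 host/ipa.your-domain.com@YOUR-DOMAIN.COM'

# Live run on this machine; reading /etc/krb5.keytab needs root.
run_live() {
  fqdn=$(hostname -f)
  realm=$(printf '%s\n' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
  hosts_file_has_fqdn "$fqdn" "$(cat /etc/hosts)" \
    || echo "warning: $fqdn is not listed in /etc/hosts"
  diagnose_keytab "$(klist -k /etc/krb5.keytab 2>/dev/null || true)" "$fqdn" "$realm"
}

if [ "${1:-}" = "--live" ]; then
  run_live
else
  diagnose_keytab "$SAMPLE_OK" my-pc.your-domain.com YOUR-DOMAIN.COM
  diagnose_keytab "$SAMPLE_WRONG_NAME" my-pc.your-domain.com YOUR-DOMAIN.COM || echo "exit status $?"
fi
```

Without arguments the script runs against the two constructed samples; with --live (as root) it inspects the real keytab. Exit status 2 is the case a keytab refresh cannot fix, because the client holds a key for a different host name, which is why the article's answer to it is the uninstall and re-enroll. For the refresh case, ipa-getkeytab acts with the caller's current Kerberos credentials, so obtain a ticket as admin (kinit admin) before running the article's ipa-getkeytab command.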

Overall the configuration complexity is lower, but the system complexity is higher, so there will be times when you need to troubleshoot. Usually this comes down to uninstalling the client and installing it again. You will certainly feel the Kerberos machinery being used and pushed around, and it may even get in the way of your regular network operations. But again, it is easy to set up and if you don’t mess anything up during configuration, your domain will run better and it will be easier to add devices, users, groups and rights to it.

Next time we will talk about configuring FreeIPA using the provided user interface. I decided to split that part to cut on the article length and also because the configuration is easy enough if you feel brave. That’s it for now! See you next time!
