FreeIPA

LDAP and DNS for your LAN

Proxmox VM creation

Configure a sensible CentOS 7 VM with 4 GB RAM, 2 CPU cores and a 10 GB SSD disk. Attach its Ethernet adapter to the vmbr1 bridge (the LAN side of the firewall) and set the VM to boot from a CentOS 7 installer ISO.

CentOS Installer

Only keyboard, language, disk selection etc. need to be set to sensible defaults.

The network configuration (IPv4) should be something like:

IP: 10.0.5.20
Subnet: 255.255.255.0
Gateway: 10.0.5.1
Search Domain: lan.example.com (your domain with perhaps a short lan subdomain)

Set the hostname to freeipa.lan.example.com

Run the installer and set the root password - no user is needed.

Update all packages to newest version:

yum update -y

And install the packages needed:

yum install ipa-server ipa-server-dns -y

Make sure the hostname is resolvable in DNS (ours isn't) or define it in /etc/hosts so the file looks something like:

127.0.0.1      localhost localhost.localdomain localhost4 localhost4.localdomain4
::1            localhost localhost.localdomain localhost6 localhost6.localdomain6

10.0.5.20      freeipa.lan.example.com freeipa

Note that the FQDN needs to come before the short hostname on that line.

Now we are ready to install FreeIPA. The installer takes most of the options as arguments and will only ask you to press Enter to confirm during its initial phase.

ipa-server-install -q -r LAN.EXAMPLE.COM -n lan.example.com --allow-zone-overlap -p domain_manager_password -a admin_password --setup-dns --forwarder 8.8.8.8

The realm needs to be uppercase. I am using Google's DNS, but any DNS you like will do. The Directory Manager (-p) and admin (-a) password options can be omitted and entered interactively during the install if you want.
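
Before running the installer, the hostname, /etc/hosts and realm requirements above can be checked with a small script. This is an added example, not part of FreeIPA or the original notes; it takes the hosts file path, server IP, FQDN, realm and domain as parameters and assumes the /etc/hosts layout shown above.

```shell
#!/bin/sh
# Added pre-flight check for the install above (example code, not part of FreeIPA).
# It validates what the installer enforces: a fully qualified hostname that is not
# mapped to a loopback address, an /etc/hosts line for the server IP that lists
# the FQDN before the short name, and a realm that is the domain in upper case.
# Every input is a parameter, so the checks can run against a copy of the file.

# check_fqdn NAME: at least two labels and not the placeholder localhost name.
check_fqdn() {
    case $1 in
        localhost.localdomain) echo "hostname is localhost.localdomain" >&2; return 1 ;;
        *.*) return 0 ;;
        *) echo "'$1' is not fully qualified" >&2; return 1 ;;
    esac
}

# check_hosts_entry HOSTS_FILE IP FQDN: the first name on the IP's line must be FQDN.
check_hosts_entry() {
    first=$(awk -v ip="$2" '$1 !~ /^#/ && $1 == ip { print $2; exit }' "$1")
    [ -n "$first" ] || { echo "no entry for $2 in $1" >&2; return 1; }
    [ "$first" = "$3" ] || { echo "first name for $2 is '$first', expected '$3'" >&2; return 1; }
}

# check_not_loopback HOSTS_FILE FQDN: FQDN must not appear on a 127.x or ::1 line,
# because the installer refuses a hostname that resolves to loopback.
check_not_loopback() {
    n=$(awk -v name="$2" '($1 ~ /^127\./ || $1 == "::1") { for (i = 2; i <= NF; i++) if ($i == name) c++ }
                          END { print c + 0 }' "$1")
    [ "$n" -eq 0 ] || { echo "$2 is mapped to a loopback address in $1" >&2; return 1; }
}

# check_realm REALM DOMAIN: the realm must be DOMAIN in upper case.
check_realm() {
    [ "$1" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm '$1' is not the upper-case form of '$2'" >&2; return 1; }
}

# preflight HOSTS_FILE IP FQDN REALM DOMAIN: run every check and report all failures.
preflight() {
    rc=0
    check_fqdn "$3" || rc=1
    check_hosts_entry "$1" "$2" "$3" || rc=1
    check_not_loopback "$1" "$3" || rc=1
    check_realm "$4" "$5" || rc=1
    return $rc
}

# Live invocation with the values used on this page:
# preflight /etc/hosts 10.0.5.20 freeipa.lan.example.com LAN.EXAMPLE.COM lan.example.com
```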

Grab a drink while you wait.

Open the needed firewall ports:

firewall-cmd --permanent --add-service freeipa-ldap
firewall-cmd --permanent --add-service dns
firewall-cmd --reload

Set FreeIPA server as default on Sophos UTM

To ensure that machines on the LAN use the FreeIPA DNS (and can resolve internal names), open the Sophos UTM web interface and go to Network Services -> DNS -> Forwarders. Add our new DNS server as a forwarder: set a name and its IP, and in the Advanced section set the interface to internal.

Remove the original DNS Forwarder so that only FreeIPA remains.

Create sudo rule for administrator user

Create a sudo rule and a group whose members get full sudo rights on every client machine they log on to.

Log in to the FreeIPA machine via ssh and authenticate as an admin:

kinit admin

Then create a sudo rule that we can attach to user groups later:

ipa sudorule-add --hostcat=all --cmdcat=all All-sudo

Now log on to the FreeIPA user interface and add a group via Identity -> Groups -> +Add -> [groupname] -> Add and Edit -> Sudo Rules -> Check "All-sudo" -> [arrow right] -> Add.

Any user added to this group will now have sudo rights on all joined machines.

Note that it is possible to give much more limited/granular sudo access, and any sort of production-like setup should avoid blanket sudo rights.
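
To find blanket rules like All-sudo again later (for example before a lab setup drifts toward production use), the text output of ipa sudorule-find can be scanned for enabled rules that grant every command on every host. This is an added example, not part of FreeIPA or the original notes; it assumes the labels "Rule name:", "Enabled:", "Host category:" and "Command category:" as printed by ipa sudorule-find --all, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added audit helper (example code, not part of FreeIPA): list enabled sudo rules
# whose host category and command category are both "all", i.e. blanket rules
# like All-sudo above. It parses the text output of `ipa sudorule-find --all`;
# the field labels are assumed to match what that command prints.

# blanket_rules: read ipa sudorule-find output on stdin, print matching rule names.
blanket_rules() {
    awk '
        function flush() {
            if (name != "" && enabled && hostall && cmdall) print name
            name = ""; enabled = hostall = cmdall = 0
        }
        # Each rule starts at "Rule name:"; flush the previous rule first.
        /^ *Rule name:/             { flush(); name = $0; sub(/^ *Rule name: */, "", name); next }
        /^ *Enabled: *TRUE/         { enabled = 1 }
        /^ *Host category: *all/    { hostall = 1 }
        /^ *Command category: *all/ { cmdall = 1 }
        END { flush() }'
}

# Constructed sample of ipa sudorule-find output: a blanket rule, a rule limited
# to one command on a listed host, and a disabled blanket rule.
SAMPLE_FIND_OUTPUT='  Rule name: All-sudo
  Enabled: TRUE
  Host category: all
  Command category: all

  Rule name: restart-web
  Enabled: TRUE
  Hosts: web01.lan.example.com
  Sudo Allow Commands: /usr/bin/systemctl restart httpd

  Rule name: old-all
  Enabled: FALSE
  Host category: all
  Command category: all'

# demo_blanket_rules: run the scan over the constructed sample (works offline).
demo_blanket_rules() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | blanket_rules
}

# audit_blanket_sudo: query the live server (needs a ticket, e.g. after kinit admin)
# and return non-zero when any blanket rule exists, so it can gate an ops check.
audit_blanket_sudo() {
    found=$(ipa sudorule-find --all | blanket_rules)
    [ -z "$found" ] || { printf 'blanket sudo rules:\n%s\n' "$found" >&2; return 1; }
}
```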

If you want a familiar bash shell when using IPA users to ssh to your machines, set the "Login Shell" setting to /bin/bash instead of /bin/sh on the user profile in FreeIPA. You may need to run sss_cache -E on the client machines and log out to flush the previous setting.

Optional Guacamole schema change

If you want to use the Guacamole remote desktop server with FreeIPA user and connection management, you need to extend the schema so that groups can carry Guacamole-specific attributes. Save the following as /etc/dirsrv/slapd-LAN-EXAMPLE-COM/schema/89guac.ldif (note that the realm name appears with dashes in the path):

################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.38971.1.1.1
  NAME 'guacConfigProtocol'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.38971.1.1.2
  NAME 'guacConfigParameter'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#
################################################################################
#
objectClasses: (
  1.3.6.1.4.1.38971.1.2.1
  NAME 'guacConfigGroup'
  DESC 'Guacamole configuration group'
  SUP groupOfNames
  MUST guacConfigProtocol
  MAY guacConfigParameter )

Restart the directory server to load the new schema:

restart-dirsrv

To allow users to read the new attributes, an ACI (access control instruction) needs to be added. First log on to FreeIPA - https://freeipa.lan.example.com - and create a POSIX group called guacamoleusers via Identity -> Groups -> +Add.

On the FreeIPA server, save the following as aci.ldif, adjusting the dn in both places to match your domain:

dn: dc=lan,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="guacConfigProtocol || guacConfigParameter")(version 3.0; acl "Guacamole permit read"; allow(read, search, compare) groupdn = "ldap:///cn=guacamoleusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com";)

Import the ACI rules on the FreeIPA server - use the Directory Manager password when prompted:

ldapadd -x -D "cn=Directory Manager" -W -f aci.ldif

CentOS 8

On CentOS 8 the FreeIPA packages are delivered as the idm module stream, so the install step becomes:

yum -y install @idm:DL1
yum -y install freeipa-server freeipa-server-dns