Scenario: The customer has a set of Linux servers with local authentication. The goal is to deploy a FreeIPA cluster that authenticates and authorizes users who access those Linux servers. The solution should be Dockerized.
Solution: deploy one master FreeIPA server and two replica FreeIPA servers in Docker containers, then enroll the Linux servers into FreeIPA.
Preparation:
Use Ubuntu 24.04 in the “base server” configuration. Assign an IP address and a DNS name.
Master server deployment (first server in the cluster):
Update the OS and install the necessary packages:
apt update
apt upgrade -y
apt install -y ca-certificates curl wget net-tools
Install Docker:
install -m 0755 -d /etc/apt/keyrings
wget -O /etc/apt/keyrings/docker.asc https://download.docker.com/linux/ubuntu/gpg
chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" > /etc/apt/sources.list.d/docker.list
apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Create the directories (the script below is written into /opt/ipa, so the directory has to exist first), then the shell script used to stop/start the container:
mkdir -p /opt/ipa/data && cd /opt/ipa
cat << 'EOF' > /opt/ipa/restart_idm.sh
#!/bin/sh
docker compose -f /opt/ipa/docker-compose.yml down
docker compose -f /opt/ipa/docker-compose.yml up -d
EOF
chmod +x /opt/ipa/restart_idm.sh
Content of docker-compose.yml:
cat << 'EOF' > /opt/ipa/docker-compose.yml
services:
  freeipa-server:
    image: freeipa/freeipa-server:fedora-rawhide-4.12.1
    container_name: freeipa-server
    hostname: linux-idm1.your-domain.ca
    privileged: true
    restart: always
    volumes:
      - /opt/ipa/data:/data
    ports:
      - "80:80"
      - "443:443"
      - "389:389"
      - "636:636"
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      - "123:123/udp"
    environment:
      - PASSWORD=SuperPassword123
    command: ipa-server-install -U -n your-domain.ca -r YOUR_REALM.YOUR_DOMAIN.CA --no-ntp
    networks:
      - inside
networks:
  inside:
    external: false
    ipam:
      config:
        - subnet: 10.100.10.0/24
EOF
Execute the restart script to launch the container:
/opt/ipa/restart_idm.sh
Watch the installation process:
docker logs -f freeipa-server
Wait for the message “FreeIPA server configured.”
Log in to the web UI: http://linux-idm1.your-domain.ca
Login: admin, password: SuperPassword123
Edit the file /opt/ipa/docker-compose.yml and remove these lines. The admin password is stored in plain text here, and until the container is recreated it is also visible in the output of docker inspect freeipa-server, so do this as soon as the install has finished:
    environment:
      - PASSWORD=SuperPassword123
    command: ipa-server-install -U -n your-domain.ca -r YOUR_REALM.YOUR_DOMAIN.CA --no-ntp
Restart the IDM server with:
/opt/ipa/restart_idm.sh
YAY! After the container restarts (this takes some time), the server is ready for use.
For the replica servers, perform the same steps up to the docker-compose.yml part.
Here is the docker-compose.yml for the replica servers (change the hostname for each replica):
cat << 'EOF' > /opt/ipa/docker-compose.yml
services:
  freeipa-server:
    image: freeipa/freeipa-server:fedora-rawhide-4.12.1
    container_name: freeipa-server
    hostname: linux-idm2.your-domain.ca
    privileged: true
    restart: always
    volumes:
      - /opt/ipa/data:/data
    ports:
      - "80:80"
      - "443:443"
      - "389:389"
      - "636:636"
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      - "123:123/udp"
    command: ipa-replica-install -U --domain=your-domain.ca -r YOUR_REALM.YOUR_DOMAIN.CA --server=linux-idm1.your-domain.ca --no-ntp --admin-password=SuperPassword123
    networks:
      - inside
networks:
  inside:
    external: false
    ipam:
      config:
        - subnet: 10.100.10.0/24
EOF
The rest is the same as for the master server:
Start the container.
Wait for the message “FreeIPA server configured.”
Edit /opt/ipa/docker-compose.yml to remove the “command” line (it carries the admin password in --admin-password).
Restart the container.
After the restart the server is ready for use.
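The "remove the install lines from docker-compose.yml after the first boot" step is done by hand above for the master (environment + command) and for the replicas (command with --admin-password). The script below is an added example, not part of the original write-up: it scrubs those lines from a compose file laid out as shown above and refuses to replace the file if any install-time secret is still present. It assumes a "command:" line running ipa-server-install or ipa-replica-install and an "environment:" list whose only item is "- PASSWORD=...".

```shell
#!/bin/sh
# Added example (not from the original write-up). Automates the post-install
# cleanup of /opt/ipa/docker-compose.yml for both master and replica layouts.
# Assumption: the compose file uses the structure shown above (a "services:"
# block, a "command:" line with ipa-server-install or ipa-replica-install,
# and an "environment:" list carrying "- PASSWORD=...").

# Print a scrubbed copy of the compose file on stdout:
# - drop a "command:" line whose value is an ipa-*-install invocation
# - drop an "environment:" key together with its indented list items
ipa_compose_scrub() {
    awk '
    # indentation of the current line = leading spaces
    { s = $0; sub(/^[ ]*/, "", s); indent = length($0) - length(s) }
    # still inside the environment block: its items are indented deeper
    in_env && indent > env_indent { next }
    { in_env = 0 }
    /^[ ]*command:[ ]*ipa-(server|replica)-install/ { next }
    /^[ ]*environment:[ ]*$/ { env_indent = indent; in_env = 1; next }
    { print }
    ' "$1"
}

# Exit 0 when the file still carries install-time secrets, 1 when clean.
ipa_compose_has_secrets() {
    grep -Eq 'PASSWORD=|--admin-password|ipa-(server|replica)-install' "$1"
}

# Replace the compose file in place, but only if the scrubbed result is
# clean. No backup copy is kept: it would preserve the password on disk.
ipa_compose_scrub_inplace() {
    f="$1"
    ipa_compose_scrub "$f" > "$f.scrubbed" || return 1
    if ipa_compose_has_secrets "$f.scrubbed"; then
        echo "refusing to replace $f: secrets remain after scrub" >&2
        rm -f "$f.scrubbed"
        return 1
    fi
    mv "$f.scrubbed" "$f"
}
```

Run ipa_compose_scrub_inplace /opt/ipa/docker-compose.yml once “FreeIPA server configured.” has appeared, then run /opt/ipa/restart_idm.sh: until the container is recreated, docker inspect freeipa-server still shows the original environment and command.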
Removing a master server from the cluster:
Note: You can only remove a leaf server, one at the end of a replication branch, from the cluster; otherwise replication within the cluster will be broken. You will need the Directory Manager (DM) password.
On any OTHER master server in the cluster execute:
docker exec -it freeipa-server /bin/sh
This gives you a shell inside the Docker container running the IDM server.
Execute the following to remove the server from the cluster:
ipa-replica-manage del <server_to_remove_FQDN>
Enroll a Linux server into IDM.
To enroll a server you need an IDM account with enrollment rights.
The enrollment process requires the enrolling server to have a fully qualified domain name (FQDN).
Check the hostname:
hostname
Update the hostname:
hostnamectl set-hostname your-server-hostname.your-domain.ca
Install the IPA client and enroll the server:
apt install -y freeipa-client
ipa-client-install --domain=your-domain.ca --server=linux-idm1.your-domain.ca --realm=YOUR_REALM.YOUR_DOMAIN.CA --mkhomedir
The --mkhomedir option configures PAM to create a home directory for a new user the first time they log in to the server.