HomeLab Tutorials – Part 2 – Standing up a Domain Controller with IDM

Introduction:

In our last episode, we learned how to configure a static DNS provider for our homelab network. Having a static DNS provider is my baseline requirement for a functioning homelab environment. The other big hurdle is coherent credentialing and file access. RedHat IDM (IDentity Manager) is a implementation of directory management which provides a native and centralized solution for domain asset management in Linux. A close equivalent is Active Directly from Microsoft. Now I am aware, you can use Microsoft Active Directory to control Linux endpoints. I built out a solution which provides automated access to MS AD for enterprise Debian endpoints at my company. It works well. But, its not a seamless process and requires layers of secondary configurations to configure. IDM was purpose built for Linux centric enterprises. Seeing as my goal in life is to spend all my time working with Linux enterprise solutions, I am going with IDM over MS AD.

Assumptions:

  1. RHEL 8.3 Server with default configuration (CentOS 8 will not work at time of writing).
  2. 4 GB of Ram allocated to the server.
  3. 2 Dedicated Cores allocated to the server.
  4. 50 GB of storage space allocated to the server.
  5. SSH enabled on the server.

Step 1 – Configuring Networking

As with our last tutorial, we have some networking requirements to meet before we can proceed with the IDM installation. I am lazy and don’t want to write out every explicit step that I performed to set up the network (Because I already did it last time). For a complete run list for our network configuration, refer to this wiki on setting up DNS. Below are the commands I ran for this particular server configuration:

$ hostnamectl set-hostname idm.brooksnet.lan
$ nmcli connection modify ens18 ipv4.addresses 10.240.245.245/16
$ nmcli connection modify ens18 ipv4.gateway 10.240.240.1
$ nmcli connection modify ens18 ipv4.dns 8.8.8.8,1.1.1.1
$ nmcli connection modify ens18 ipv4.dns-search .brooksnet.lan
$ nmcli connection modify ens18 ipv4.method manual
$ nmcli connection up ens18

The only real difference between this runlist and the DNS tutorial is the inclusion of the ipv4.dns-search command. This command qualifies any dns request to first check for devices on .brooksnet.lan before checking external networks. Functionally, this lets me run the command “ping dns” instead of “ping dns.brooksnet.lan”. Like all good tech overlords, I don’t enjoy doing any extra work than necessary.

Now that the base network is configured, we will configure our firewall rules. These rules are going to be a bit more complex than the rules we applied for DNS. DNS only needs one port opened for communication. IDM needs 11 ports opened across both TCP and UDP protocols. Below are the firewallcmd commands I ran to configure my firewall for IDM:

systemctl enable --now firewalld
firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}
firewall-cmd --reload

Running the add-service command creates a “rule” in firewalld which allows multiple ports to be either allowed or denied at the same time. Controlling port access through services is another way to improve efficiency. Otherwise, we would have to enable or disable those 11 ports one by one, and I have no interest in doing that.

Step 2 – Installing IDM

To begin the installation, we will enable a new module in the yum package manager:

$ yum module enable idm:DL1

What we just did is tell our package manager to whitelist the installation of a long list of software packages for a distinct purpose, and with distinct package versioning. To see the full list of packages contained in the idm:DL1 module, run the following command:

$ yum module info idm

For more in depth information on yum modules refer to this documentation from RedHat. Now that we have enabled the idm:DL1 module, we are ready to install some packages!

$ yum distro-sync
$ yum module install idm:DL1/dns

The first command tells the yum package manager to check for any updates to existing packages since enabling the IDM module. Then, the second command tells the yum package manager to install all of the packages associated with the IDM module. You will note, I informed the module installation to install a specific version of IDM, such that it is configured as a IDM server (DL1 stream) and provides domain name services (dns package installation). by installing the dns package, I am preparing to allow IDM to manage dns on my homelab domain.

Step 3 – Configuring IDM

Once all of the IDM packages have been installed, the IDM service is primed for configuration on the server. To begin this process, run the following command:

$ ipa-server-install

Immediately, the installation tool will prompt you to decide whether or not to include integrated DNS. This prompt defaults to no, so we will manually type in “yes” and press enter.

Next, it will prompt for a server hostname. At this prompt, it is important to confirm that the hostname is a fully qualified domain name (not just the hostname, but also the .domain.type text block). In our case, the fully qualified domain name (FQDN) was set during step one of this tutorial, so simply press enter.

After confirming the hostname, the IDM configuration wizard will prompt for confirmation of the domain name. In my case, the domain name is brooksnet.lan. IDM will attempt to resolve the domain name from the FQDN of the server. If the prompt lists the domain name correctly, simply press enter.

Likewise, IDM will request the realm name, and it will default to the uppercase version of the domain name found in the previous step. Simply press enter again.

Next, IPA needs to set a default directory manager password. This password is used to authenticate access for making changes to the domain user, groups, and computers joined to IDM. I recommend generating a random and complex password, then store that password somewhere safe. Also, don’t use a percent sign in the password. My autogen password contained a percent sign. PKI-Tomcat CA creation failed repeatedly and ruined the installation until I figured this out.

Once the Directory manager password is set, the wizard will prompt for an administrative user account to be generated. This is to dissuade users from logging in as root. Root is dangerous and should be avoided.

Don’t be too worried about the error shown above. My network is not configured for IPV6 and so IDM is confused what to do with that IP address. It will default to IPV4. when prompted to configure DNS forwarders, press enter. This process is an automated configuration which achieves the same goal as what we manually performed in the previous DNS configuration tutorial.

Next, IDM will prompt for the DNS forwarders you would like to use. We already configured external DNS in step one, so continue on by pressing Enter at the prompts.

After configuring the DNS fowarders, IDM will ask about creating reverse DNS zones, which again is covered in the DNS configuration tutorial.

I personally want my domain synced externally to a time service. The questions about NTP servers are just that. I recommend visiting www.ntppool.org for more information on configuring NTP time. I am not an expert on NTP within the context of IDM, so do not take my instructions as law.

I’m not confident if I can simply put domain names in those prompts instead of IP addresses, but using IP Addresses has worked in the past and so that is what I am doing here. If I am wrong, please do let me know in the comments and I will correct my instructions!

I went back and retested it, and yes, you can use domain names instead of IP Addresses without issue. This is better, because IP Addresses can change, but as long as the ntp provider is active, the FQDN will resolve to the correct IP Address (which is a large part of this exercise).

Once the NTP service is configured, you will be prompted to approve the complete configuration for IDM installation. This prompt defaults to “no”, so make sure you type in “yes” at the prompt if everything looks correct! The installation will now commence and will take time. With the resources I allotted to my IDM instance, it takes about 10 minutes to stand up the service.

If the installation was successful, you should see the output below:

Finally, we will run one last command, which will initialize access to the service.

If you have configured IDM as your DNS provider on your router, you should now be able to reach it through your web browser.

Step 3 – Joining client devices to IDM

We will be assuming that all of our client devices are Debian based for now. This is NOT a reasonable assumption long term, but for the moment should not cause any issues. Before we configure IDM on a client using automation, we need to understand how the process works. This is done manually. Once we have the process lined out, we can create scripts to do this for us. To that end, below is the process I used to join my chef infra server to the domain.

The first thing we need to do is install the IDM client on our client device:

$ apt install freeipa-client | yes

The yes command will accept all defaults presented by the auto-configuration which runs when freeipa-client is installed. After the installation completes, we will begin the IDM client joining process:

$ ipa-client-install --mkhomedir --enable-dns-updates

The above command will start off a script which joins the computer to the IDM domain controller. If DNS is configured to point at the domain controller, then the configuration script will automatically find the domain controller and auto-configure itself to be joined.

Make sure to confirm “yes” at the prompt, otherwise the installation will quit. The installation script will now attempt to use the Domain Controller’s publicly available NTP configuration to sync time with the Domain Controller. Once that is successful, it will prompt for the domain joining username and password, which we set in the last episode of this series.

Simply plug in the domain joining username and password and then watch the client device join successfully!

And here we are! On our next episode, we will learn how to auto-configure IDM and Chef to run on new clients when they first initialize.

Leave a Comment