Installing Red Hat Identity Management (IPA) without DNS on RHEL9 #
Red Hat Identity Management (IdM) provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers. This guide covers installing IdM/IPA server without the integrated DNS service on RHEL9.
This guide demonstrates setting up a high-availability IPA deployment with two servers:
- Primary IPA server: ipa01.example.com (192.168.1.100)
- Replica IPA server: ipa02.example.com (192.168.1.101)
All commands and configurations in this guide are examples. Replace them with your actual values.
For the entirety of the guide we’ll be running every single command as root.
All the commands are intended only for RPM-based systems that use dnf/yum, such as Red Hat Enterprise Linux, Fedora and CentOS.
Repository Configuration #
First, ensure that the required repositories are enabled using subscription-manager:
# Enable the required repositories
subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
Installation #
Installing IPA Server #
Install the IPA server package:
# Install IPA server package
dnf install ipa-server
Firewall Configuration #
Configure the firewall to allow IPA services:
# Open required ports for IPA services
# (53/tcp and 53/udp are only used by the integrated DNS service, which this guide does not install)
firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
# Make changes permanent
firewall-cmd --runtime-to-permanent
# Reload firewall rules
firewall-cmd --reload
IPA Server Installation #
Run the IPA server installation without DNS:
# Run IPA server installation
ipa-server-install
# Follow the interactive prompts:
# - Do you want to configure integrated DNS (BIND)? [no]: no
# - Server host name: [your-fqdn]: (accept default or specify)
# - Please confirm the domain name: [your-domain]: (accept default or specify)
# - Please provide a realm name: [YOUR-DOMAIN]: (accept default or specify)
# - Directory Manager password: (enter secure password)
# - IPA admin password: (enter secure password)
# - NetBIOS domain name: (accept default or specify)
# - Do you want to configure chrony with NTP server? [no]: yes (recommended)
# - Continue to configure the system with these values? [no]: yes
Post-Installation Configuration #
Verify Installation #
After installation completes, verify the IPA server is running:
# Check IPA services status
systemctl status ipa
# Check individual services (the dirsrv instance name is the realm with dots replaced by hyphens, e.g. dirsrv@EXAMPLE-COM.service)
systemctl status dirsrv@YOUR-REALM.service
systemctl status krb5kdc.service
systemctl status kadmin.service
systemctl status httpd.service
Initialize Kerberos #
Authenticate with the IPA admin user:
# Initialize Kerberos ticket for admin user
kinit admin
# Verify ticket
klist
DNS System Records #
Since we’re not using integrated DNS, check what DNS records need to be created:
# Check required DNS records (dry run)
ipa dns-update-system-records --dry-run
Important: The output from this command shows the DNS records that need to be manually created in your external DNS server for proper IPA functionality.
DNS Configuration #
Create the following DNS records in your external DNS server based on the output from the dry-run command:
Required DNS Records #
# Example DNS records (replace with your actual values)
# A records
ipa01.example.com. IN A 192.168.1.100
ipa02.example.com. IN A 192.168.1.101
# SRV records for Kerberos
_kerberos._tcp.example.com. IN SRV 0 100 88 ipa01.example.com.
_kerberos._udp.example.com. IN SRV 0 100 88 ipa01.example.com.
_kerberos._tcp.example.com. IN SRV 0 100 88 ipa02.example.com.
_kerberos._udp.example.com. IN SRV 0 100 88 ipa02.example.com.
_kerberos-master._tcp.example.com. IN SRV 0 100 88 ipa01.example.com.
_kerberos-master._udp.example.com. IN SRV 0 100 88 ipa01.example.com.
_kpasswd._tcp.example.com. IN SRV 0 100 464 ipa01.example.com.
_kpasswd._udp.example.com. IN SRV 0 100 464 ipa01.example.com.
_kpasswd._tcp.example.com. IN SRV 0 100 464 ipa02.example.com.
_kpasswd._udp.example.com. IN SRV 0 100 464 ipa02.example.com.
# SRV records for LDAP
_ldap._tcp.example.com. IN SRV 0 100 389 ipa01.example.com.
_ldaps._tcp.example.com. IN SRV 0 100 636 ipa01.example.com.
_ldap._tcp.example.com. IN SRV 0 100 389 ipa02.example.com.
_ldaps._tcp.example.com. IN SRV 0 100 636 ipa02.example.com.
# TXT record for Kerberos realm
_kerberos.example.com. IN TXT "EXAMPLE.COM"
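A check worth running before moving on: the following script, an added example that is not part of the guide or of IPA, queries the external DNS with dig (package bind-utils) for every record listed above and reports any that are missing. It assumes the guide's example domain, realm and server names; override them through the DOMAIN, REALM, SERVERS and MASTER environment variables.

```shell
#!/bin/sh
# check-ipa-dns.sh: confirm the external DNS server publishes the A, SRV and
# TXT records IPA relies on when it has no integrated DNS. Added example, not
# part of the guide or IPA; needs only dig (bind-utils). Names are the guide's.
DOMAIN="${DOMAIN:-example.com}"
REALM="${REALM:-EXAMPLE.COM}"
SERVERS="${SERVERS:-ipa01.example.com ipa02.example.com}"
MASTER="${MASTER:-ipa01.example.com}"   # target of the _kerberos-master records

# check_a HOST: 0 if HOST has at least one A record
check_a() {
    dig +short A "$1" | grep -qE '^[0-9]+(\.[0-9]+){3}$' ||
        { echo "MISSING  $1 A"; return 1; }
}

# check_srv NAME PORT HOST...: 0 if every HOST is an SRV target of NAME on PORT
check_srv() {
    name=$1 port=$2; shift 2
    answer=$(dig +short SRV "$name")   # one "prio weight port target." per line
    rc=0
    for host in "$@"; do
        printf '%s\n' "$answer" | awk -v p="$port" -v h="$host." \
            'tolower($4) == tolower(h) && $3 == p { ok = 1 } END { exit !ok }' ||
            { echo "MISSING  $name SRV -> $host:$port"; rc=1; }
    done
    return $rc
}

# check_txt NAME VALUE: 0 if NAME has a TXT record exactly equal to VALUE
check_txt() {
    dig +short TXT "$1" | grep -qxF -- "\"$2\"" ||
        { echo "MISSING  $1 TXT \"$2\""; return 1; }
}

# main: run every check from the guide's record list; status 1 if any record is absent
main() {
    status=0
    for h in $SERVERS; do check_a "$h" || status=1; done
    for svc in _kerberos._tcp:88 _kerberos._udp:88 _kpasswd._tcp:464 \
               _kpasswd._udp:464 _ldap._tcp:389 _ldaps._tcp:636; do
        check_srv "${svc%:*}.$DOMAIN" "${svc#*:}" $SERVERS || status=1
    done
    check_srv "_kerberos-master._tcp.$DOMAIN" 88 "$MASTER" || status=1
    check_srv "_kerberos-master._udp.$DOMAIN" 88 "$MASTER" || status=1
    check_txt "_kerberos.$DOMAIN" "$REALM" || status=1
    [ "$status" -eq 0 ] && echo "all IPA DNS records found for $DOMAIN"
    return "$status"
}
case "$0" in */check-ipa-dns.sh) main "$@" ;; esac
```

Save it as check-ipa-dns.sh and run it from a host that uses the external resolver; a non-zero exit status means at least one record is absent.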
Testing the Installation #
Test IPA functionality from the command line or through the web UI:
# List IPA users
ipa user-find
# List IPA groups
ipa group-find
# Show IPA configuration
ipa config-show
# Check server status
ipa server-show your-ipa-server.example.com
Setting Up IPA Replica Server #
For high availability and load distribution, configure a second IPA server as a replica. This ensures that if the primary server fails, authentication services remain available.
Replica Server Preparation #
On the second server (ipa02.example.com), perform the initial setup:
# Enable the required repositories
subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
# Install IPA server package
dnf install ipa-server
# Configure firewall (same as primary server)
firewall-cmd --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
Installing IPA Replica #
On the replica server, install IPA as a replica of the primary server:
# Install IPA replica (run on ipa02.example.com)
# Without integrated DNS the replica locates the primary through the SRV records created above, so make sure they resolve from ipa02 first;
# add --setup-ca if the replica should also carry a CA, which is recommended for redundancy
ipa-replica-install
Verify Replica Installation #
After installation, verify the replica is working correctly:
# Initialize Kerberos ticket for admin user
kinit admin
# Check IPA services status on replica
systemctl status ipa
# Verify network connectivity to the primary server
ipa-replica-conncheck --master=ipa01.example.com
# Check topology
ipa topologysegment-find domain
# List all IPA servers
ipa server-find
Client Configuration #
To configure Linux clients to use the IPA domain:
# On client systems
dnf install ipa-client
# Join client to IPA domain (the servers are discovered through the SRV records created above)
ipa-client-install --mkhomedir
Conclusion #
You now have a high-availability Red Hat Identity Management deployment with two servers providing centralized authentication and authorization services. The primary server (ipa01) handles initial setup and administration, while the replica server (ipa02) provides redundancy and load distribution.