Introduction

I've been playing around with FreeIPA and Keycloak for a project. They're super neat, so I wanted some better notes on them.

Essentially, FreeIPA is a service that provides account and system management and authentication. It provides a handful of ways to authenticate, such as LDAP, Kerberos, and RADIUS, as well as a TON of other features, such as role management (who can run what with sudo on which boxes). Keycloak provides SAML2 and OIDC so that you can log in once, and any of the systems that support either protocol then know who you are without asking you to sign in again. This is known as Single Sign-On (SSO).

Preload the Learning

I was trying to do all of this without understanding what any of it meant. Been there, done that, wouldn't recommend it. Do yourself a favor and spin up on some of this technology first. Here are some resources I found helpful.

https://youtu.be/BFkFRnayIYY

https://youtu.be/bSAX_Nxr4Tk

https://youtu.be/XJYy6Aq-PJ8

FreeIPA

It makes sense to get FreeIPA set up first and worry about Keycloak afterwards, because Keycloak depends on FreeIPA.

I tried a handful of OS's, but landed on Fedora for the following reasons:

Installation

Start off by downloading and installing Fedora as usual. Right now, the current version is 34. Since there's no need for a desktop, I recommend the Server installation. When you get to the Installation Summary, make sure to only set a username and password for your User and leave Root disabled. The fewer accounts that can log in interactively, the better. You can set the Time & Date here if you wish. Leave the Software Selection screen at Fedora Server Edition and do not add any additional packages at this time. If you're having issues getting Begin Installation clickable, make sure your user account is set as an administrator.
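Once the install finishes, it is worth confirming that the box actually matches the two account decisions above (root disabled, your one user an administrator) before building FreeIPA on top of it. The following check is an added example and not part of the original post: it parses the output of `passwd -S` and `id -nG`, and the sample lines at the bottom are constructed to look like that output on a Fedora Server install. On Fedora the installer's "administrator" checkbox works by adding the user to the `wheel` group, and Fedora's `passwd -S` reports a locked account as `LK` (shadow-utils on other distributions prints `L`), so the check accepts both.

```shell
# Post-install check for the account setup described above: root stays locked and
# the one interactive user is an administrator (member of wheel). Added example,
# not from the original post. The functions parse `passwd -S <user>` and
# `id -nG <user>` output; the samples below are constructed.

# `passwd -S` prints: <user> <status> <last-change> <min> <max> <warn> <inactive> ...
# Fedora's passwd reports LK for a locked account, shadow-utils reports L.
root_is_locked() {
  set -- $1
  [ "$2" = "LK" ] || [ "$2" = "L" ]
}

# `id -nG` prints the user's group names separated by spaces.
user_in_wheel() {
  for g in $1; do
    if [ "$g" = "wheel" ]; then
      return 0
    fi
  done
  return 1
}

# Combine both checks; returns 0 only when the host matches the notes above.
check_install() {
  rc=0
  if root_is_locked "$1"; then
    echo "ok: root account is locked"
  else
    echo "WARN: root account has a usable password"
    rc=1
  fi
  if user_in_wheel "$2"; then
    echo "ok: user is in wheel and can use sudo"
  else
    echo "WARN: user is not an administrator (not in wheel)"
    rc=1
  fi
  return $rc
}

# Constructed sample output for a host installed as described above.
SAMPLE_ROOT_STATUS="root LK 2021-06-01 0 99999 7 -1 (Password locked.)"
SAMPLE_USER_GROUPS="ipaadmin wheel"

# On a real host, replace the samples with live output:
#   check_install "$(sudo passwd -S root)" "$(id -nG "$USER")"
check_install "$SAMPLE_ROOT_STATUS" "$SAMPLE_USER_GROUPS"
```

Run it as a normal user; only the `passwd -S root` call needs `sudo`, which is exactly what the wheel membership gives you. A non-zero exit means one of the two settings drifted from what the installer was asked for.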

This video playlist does a great job of walking you through FreeIPA installation on Fedora:

https://www.youtube.com/watch?v=lH7I-omZ4PA&list=RDCMUCwFpzG5MK5Shg_ncAhrgr9g&index=2

I'll be writing out the instructions for quicker reference. The main difference between my setup and his is that I'm doing a server OS, while his is Desktop.