Simplified LDAP Setup using FreeIPA on Unraid & Fedora

  • Published on 23 Sep 2024

Comments • 93

  • @joshjones1289 2 years ago +13

    For those having issues with errors and failed installs, here is what finally worked for me...
    Create VM and go through everything as usual until you get to: ipa-server-install --mkhomedir
    Before running that command, I opened up the web interface on :9090 and ran the software updates for everything. Rebooted to get everything up-to-date.
    Finally ran: ipa-server-install --mkhomedir and it worked...
    5th time's the charm for me.
    Good Luck!
    BTW, I used F35 (the latest) and had over 200 updates within the software before continuing with the install.

    • @Norkz 2 years ago

      I didn't know you posted it on here as well.

    • @joshjones1289 2 years ago +2

      @Norkz I figured that I might as well... some people don't do Reddit.
      Glad it worked out.

    • @IBRACORP 2 years ago +4

      Thanks for the solution! I have pinned this comment for future users to find.

    • @Edwin1650 2 years ago +2

      @joshjones1289 Thanks man! I was breaking my head trying to figure this out... Life saver!

    • @StoneyDeniX 2 years ago

      Actually you don't have to go through all that, opening the web interface etc...
      Just do the following command before: ipa-server-install --mkhomedir
      sudo yum update
      That's all

  • @AwesomeOpenSource 3 years ago +6

    This was an absolutely terrific run through the FreeIPA stuff. I need to get back to FreeIPA and now I'm feeling inspired to make some time.

    • @IBRACORP 3 years ago

      Thank you mate you inspired this one, appreciate the support

  • @tmembrino a year ago

    Thanks much for this! Just set it up using Fedora Server 37 (Feb 2023) and working great! This is fantastic! And what a great add-on to your Authelia setup video. You all rock!

  • @IBRACORP 3 years ago +3

    Cheers for watching today's video! Do you like FreeIPA? Do you think it's a worthy opponent to Active Directory? Let us know in the comments

  • @geyoda64 3 years ago +6

    Fantastic, I've been waiting for this. Thank you very much!

    • @IBRACORP 3 years ago +1

      My pleasure mate thanks for coming back and checking it out!

    • @geyoda64 3 years ago +2

      @IBRACORP Now that I watched it.
      Does this work/integrate with the LDAP interface of Nextcloud/Emby/Jellyfin...? If yes, could you go over an example, as I'm really new to LDAP or AD?

    • @IBRACORP 3 years ago +3

      Yes it does. I use it with Nextcloud, Organizr, Jellyfin and more. I will do a follow up video with configuring those apps

    • @geyoda64 3 years ago +2

      @IBRACORP Amazing. Thanks again for the great tutorials!

  • @JuniorReveron 3 years ago +1

    Yes do one on Active Directory to see the difference between FreeIPA and Windows Server.

  • @chrisumali9841 3 years ago +2

    Thanks for the demo and info. The network map is awesome, have a great day

    • @IBRACORP 3 years ago +1

      Thank you mate same to you!

  • @scooter4196 a year ago

    Thanks for being complete and explaining things clearly. I've been exploring using this over AD for our test lab and this seems to be what I'm looking for. THANK YOU AGAIN!!!!

  • @OldManWrigley 2 years ago

    Can confirm, August 2022 got it working on Fedora 36.
    What a fantastic video

    • @IBRACORP 2 years ago +1

      Thank you!

    • @lifeofrandom1770 a year ago

      I am still stuck on the certificate; a normal cert from Let's Encrypt will not work. I have my own that I purchased but nginx requires a key file which I do not have and never had. How would I either just use a Let's Encrypt cert or find the key file for my cer?

  • @DillonG959 4 months ago +1

    That popup at around 30 mins was because it was looking for Kerberos creds.

  • @mariobraun7568 3 years ago +3

    You are a legend! Thanks so much. Will dive right in after work

    • @IBRACORP 3 years ago +1

      My pleasure thank you for watching mate

    • @IBRACORP 3 years ago +2

      And a big thank you for your donation, really appreciate it.

  • @BerkeleyTowers 3 years ago +1

    Brilliant.... buzzing that it all works........ now I just need to go and find a reason to have it!

    • @IBRACORP 3 years ago

      Good luck with that one Paul, that's what we all try to tell ourselves :)

  • @strongyp 3 years ago +8

    Using an SSH key pair would have been a much better idea than allowing login to root with a password. Other than that, nice video; the basic auth could be something in Nginx Proxy Manager.

    • @IBRACORP 3 years ago +4

      That's a fair point and I was not aware. Thanks for teaching something new and watching

    • @strongyp 3 years ago +12

      @IBRACORP OK, after a lot of digging, I think I finally found a fix for the basicAuth box. It's apparently FreeIPA trying to use single sign-on, and Chrome/Edge apparently do not have a clue about what is going on, so they just pop up a login box.
      Edit the file with sudo nano /etc/httpd/conf.d/ipa-rewrite.conf, dump this at the bottom of the file and restart the httpd service:
      RewriteCond %{HTTP_COOKIE} !ipa_session
      RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
      RewriteRule ^/ipa/session/json$ - [R=401,L]
      RedirectMatch 401 ^/ipa/session/login_kerberos
      sudo /sbin/service httpd restart
      this fixed the problem for me

    • @IBRACORP 3 years ago +4

      Mate you are a legend! That stupid box was driving me crazy. I will try this when I get home later today, thanks for coming back with a solution!

    • @blindside995 3 years ago

      @strongyp Would you mind sharing briefly, if you could, how you fixed it?

    • @filiecs3 2 years ago

      @strongyp Unfortunately, this did not seem to work for me.

  • @NicoDeclerckBelgium 5 months ago

    The biggest problem with most of these videos is losing track of the essentials. Can I use LDAP as a user database separately from Kerberos? That's the main and very first question to be answered, that sadly remains unanswered before we get to the installation and I gave up... 😢. One thing I do appreciate in this video is actually the honesty, and also the mention that FreeIPA is very badly documented.

  • @mrsvard417 a year ago +1

    For anyone having issues with not being able to edit the hosts file with "sudo nano /etc/hosts", you might not have the nano text editor installed, type "yum install nano" and it should fix the problem.

  • @savageaus81 3 years ago +2

    Great video, had it running at one point but then redid it and now I cannot get it to install.
    I keep getting the following.
    The IPA Server Hostname cannot be a CNAME, only A and AAAA names are allowed.
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
    Hostname is set as ipa.myserver.xyz (obviously myserver is replaced with my actual domain).
    Using a fedora 33 server vm on unraid.
    cname set in cloudflare and nginx proxy manager
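
A pre-flight check for the "cannot be a CNAME" installer error quoted in the comment above, added here as an example; it is not part of the comment or the video. It assumes `dig` is installed; the function names are hypothetical, and `ipa.example.test`, `proxy.example.test` and `192.0.2.10` are constructed sample values.

```shell
#!/bin/sh
# Added example: pre-flight DNS check for the name given to ipa-server-install.

# Reads `dig +noall +answer` output on stdin and classifies the records
# owned by the name in $1:
#   cname   - the name itself is a CNAME (the installer error quoted above)
#   address - the name has its own A or AAAA record
#   none    - the answer holds no record for that name
classify_answer() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); sub(/\.$/, "", want); result = "none" }
        {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner != want) next
            if ($4 == "CNAME") { result = "cname"; exit }
            if ($4 == "A" || $4 == "AAAA") result = "address"
        }
        END { print result }
    '
}

# Constructed dig answer: the name is published as a CNAME to a reverse proxy.
sample_cname_answer() {
    printf '%s\n' \
        'ipa.example.test.   300 IN CNAME proxy.example.test.' \
        'proxy.example.test. 300 IN A     192.0.2.10'
}

# Constructed dig answer: the same name published as a plain A record.
sample_a_answer() {
    printf '%s\n' 'ipa.example.test. 300 IN A 192.0.2.10'
}

# Live check: query A and AAAA for the FQDN and print the verdict.
check_host() {
    { dig +noall +answer "$1" A; dig +noall +answer "$1" AAAA; } |
        classify_answer "$1"
}

# Run against a real name only when one is passed on the command line;
# the exit status is non-zero unless the name has its own address record.
if [ "$#" -gt 0 ]; then
    verdict=$(check_host "$1")
    echo "$1: $verdict"
    [ "$verdict" = "address" ]
fi
```

Run it on the VM with the intended server FQDN as the only argument before starting the install; a `cname` verdict matches the installer message above.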

  • @MrMischelito 3 years ago +3

    Really, who wouldn't like a free IPA???
    Cheers!

    • @IBRACORP 3 years ago +1

      Cheers!

  • @kooplah6981 2 years ago +3

    FYI as of writing, both "freeipa-ldap" and "freeipa-ldaps" are deprecated and can both be replaced with "freeipa-4"

  • @p0sitv months ago

    Very informative! Thanks, and great job!

  • @ScofieldMuliru a year ago

    Thank you so much for preparing this tutorial. Really helpful.

  • @filiecs3 3 years ago +1

    What about configuring it so that you can authenticate an application like Authelia or Keycloak using LDAPS instead of just LDAP. I need to authenticate applications that are on different servers at different locations and want to do it securely.

  • @hiteshsaini7184 3 years ago +1

    Hello sir, can you tell us how to set up FreeIPA with HTTPS without an invalid certificate error on a cloud server?

  • @ibrahimsalah1436 3 years ago +1

    Can you please make a video how to certificate authority ? to FreeIPA ?

  • @hawks48 3 years ago +2

    Been a subscriber for a while and love your stuff. Just a small request, can you use a diff resolution for your videos? It's hard to make out all the details with my mobile device... maybe it's just me.

    • @IBRACORP 3 years ago +3

      Thank you Dave much appreciated. You know what you're not the only one to mention it so I'll look into how to make things nice and big in future. Still learning editing!

    • @hawks48 3 years ago +1

      @IBRACORP the content is fantastic and really appreciated!

  • @B3nD0t 3 months ago

    @IBRACORP I'm trying to set up with RADIUS, but can't achieve that. I'd really like to see the Authelia integration with FreeIPA

  • @xruchai 3 years ago +2

    Again a very good video, thank you! I have only, once again a problem... I did everything as you explained and then wanted to include LDAP/LDAPS in my Nextcloud. Unfortunately, no matter what I do, it doesn't work. Either it hangs in an infinite loop while checking or nothing happens.
    Can you maybe make a video about this too (basically embedding in NC and other interesting apps), SSO would also be very awesome?
    You explain it with Authelia but on local/internal level, not from WEB :(.
    Would be really awesome if you could support here :)!
    Oh and thanks for your last answer, it has helped me a lot and solved the problem ;)

    • @IBRACORP 3 years ago +3

      This is a bug with nextcloud we've been waiting for them to fix to do our next video on it :)
      I'm glad you're enjoying the content and thank you for the suggestions!

    • @xruchai 3 years ago

      @IBRACORP That explains a lot xD. Then I'm curious and thank you for the answer ;). I have had Unraid in use at home for a while but am not so deep in the matter of knowledge. Professionally I have to do more with Microsoft... but I should really deal with it more deeply (if there were time) ^^''. So your videos come, among other things, at just the right time :).

  • @baxlash81 2 years ago

    This is a great video, but the font size in the PuTTY terminal is so tiny that one can barely read it. Could you please use a bigger font in the future videos?

    • @IBRACORP 2 years ago

      Yes most definitely. This was an early one for me so some lessons learned. Cheers!

  • @bcfrutuozo 2 years ago

    I did exactly as the video is showing, but when I try to access my domain I get a NET::ERR_CERT_AUTHORITY_INVALID error. Did anyone experience the same?
    ipa**** uses encryption to protect your information. When Microsoft Edge tried to connect to ipa.***** this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be ipa.*****, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Microsoft Edge stopped the connection before any data was exchanged.
    You can't visit ipa.***** right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

  • @Neo198431 a year ago

    How would this work out for an Active Directory solution and file sharing with a few windows clients?

  • @anihilat 3 years ago +1

    Nice video. Keep doing it ! :)

    • @IBRACORP 3 years ago +2

      Cheers mate thanks for watching!

  • @yunusdestanci 2 years ago

    Hello, first of all, thank you very much. I get such an error after installation, how can I solve it? (404 Not Found
    nginx/1.18.0)

  • @stefanlaterra5797 2 years ago

    Anyone else experiencing issues on version 36? Upon installation I don't have the same menu items to add my hostname or adjust network settings.

  • @malvincarroll4171 2 years ago

    I have gone through this video several times now and continuously get stuck on updating the hosts file with nano. I get an error each time that says nano is not installed. Any suggestions?

    • @texanallday 2 years ago

      "dnf up" then "dnf install nano"

  • @MyKhile 3 years ago +4

    Just a note to anyone trying this: Fedora 34 is not compatible with IPA in this guide and will fail; use 33

    • @EderMorales18 3 years ago

      I can't seem to be able to find Fedora 33, do you have a link?

    • @ironwoodoverland 3 years ago

      Yeah I tried to install this multiple times using 34 and then found this comment, pretty frustrating. About to give it a go now with 33.

    • @dylansteil7325 3 years ago

      @ironwoodoverland Been going on 2 days.... I finally found this comment. Here we go.

    • @ironwoodoverland 3 years ago

      @dylansteil7325 Did you ever get this to work? I downloaded 33 but got some error about metadata. The closest I've gotten is getting the same errors as the poster named AJ down below.

    • @dylansteil7325 3 years ago

      @Ironwood Overland I have not yet. Same errors on my end with metadata. I am considering trying Active Directory instead.

  • @stayupthetree 3 years ago +1

    Overall good video, but loses its way around the Authelia integration

  • @alexalex-jy4tv 3 years ago

    Did you try to use nested group with freeipa and have authelia successfully get all groups for a given user?

    • @IBRACORP 3 years ago +1

      not yet! any examples?

  • @Aceriz 3 years ago

    Hey wondering was setting this up. I set up the encryption in fedora as you mentioned. But note that if I were to restart the VM would need to manually punch in the password.. thoughts about this given desire to have VM autostart in array start.

    • @IBRACORP 3 years ago

      Interesting point. I guess that is up to you but in my case I wouldn't want to do that.

    • @Aceriz 3 years ago

      @IBRACORP Ya I was having difficulty with this.. as it doesn't allow for a more seamless autostart of the VM and the dockers... so won't use the encryption for now

  • @propeto13 3 years ago

    hello, have we figured out how to disable the browser prompt?

    • @IBRACORP 3 years ago +1

      Yep! I have pinned the comment for people to see now.

  • @martinlabat8163 3 years ago

    Very nice video! Is it possible to run freeipa on a docker on unraid?

    • @IBRACORP 3 years ago

      It is, but I don't recommend it

  • @A1994SC 2 years ago

    My plans are to use the Raspberry Pi that I run my certificate authority on. I figured that it would make sense to do that

    • @IBRACORP 2 years ago

      Why not?!

    • @IBRACORP 2 years ago

      That's awesome thanks for sharing. Might do this myself actually