Installing FreeIPA server on supported platforms is a matter of couple minutes, especially when following Quick Start Guide. However, for people eager to just try the looks and feel of the most recent FreeIPA or just to test their web application with LDAP or Kerberos authentication it may just not be fast enough. For these users, we have prepared a free public instance of FreeIPA server!
The FreeIPA server is running on a Red Hat's OpenStack instance, on the latest stable Fedora. The server controls a DNS domain named demo1.freeipa.org and the correspondiong Kerberos realm DEMO1.FREEIPA.ORG. the server itself is named
The FreeIPA demo server is just a sandbox and is wiped clean every day at 05:00 UTC. In case you had a testing FreeIPA client enrolled, the easiest recovery is to uninstall your client (ipa-client-install --uninstall and install it again). In case you are interested in a more persistent testing environment, try downloading a FreeIPA server on a personal virtual machine.
The FreeIPA domain is configured with the following users (the password is Secret123 for all of them):
- admin: The FreeIPA main administrator account, has all the privileges
- helpdesk: A regular user with the helpdesk role allowing it to modify other users or change their group membership
- employee: A regular user with no special privileges
- manager: A regular user, set as manager of the employee user
To allow testing group-based authentication we created additional groups in addition to the default FreeIPA ones:
- employees: contains users employee and manager
- managers: contains user manager
Besides core FreeIPA services (Directory Server, Kerberos, PKI), the server is also configured with a DNS service and a publicly accessible domain demo1.freeipa.org to allow both testing the DNS management interface and DNS dynamic updates.
To test the Web UI, simply go to the hostname link above, log in and click around! To test integration with a personal system, follow a few easy steps:
1. Install required packages
# yum install freeipa-client
2. Configure FreeIPA client
Given that the server owns a publicly accessible DNS domain, client can autodiscover all required information by itself if it knows the right domain:
# ipa-client-install --domain demo1.freeipa.org -p admin -w Secret123 Discovery was successful! Hostname: mytestclient.demo1.freeipa.org Realm: DEMO1.FREEIPA.ORG DNS Domain: demo1.freeipa.org IPA Server: ipa.demo1.freeipa.org BaseDN: dc=demo1,dc=freeipa,dc=org Continue to configure the system with these values? [no]: y Synchronizing time with KDC... Successfully retrieved CA cert Subject: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG Issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG Valid From: Tue Apr 22 06:42:34 2014 UTC Valid Until: Sat Apr 22 06:42:34 2034 UTC Enrolled in IPA realm DEMO1.FREEIPA.ORG Created /etc/ipa/default.conf New SSSD config will be created Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm DEMO1.FREEIPA.ORG trying https://ipa.demo1.freeipa.org/ipa/xml Forwarding 'ping' to server 'https://ipa.demo1.freeipa.org/ipa/xml' Forwarding 'env' to server 'https://ipa.demo1.freeipa.org/ipa/xml' Hostname (mytestclient.demo1.freeipa.org) not found in DNS DNS server record set to: mytestclient.demo1.freeipa.org -> 22.214.171.124 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Forwarding 'host_mod' to server 'https://ipa.demo1.freeipa.org/ipa/xml' SSSD enabled Configured /etc/openldap/ldap.conf NTP enabled Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Client configuration complete.
Client is now enrolled in FreeIPA realm and can "see" all it's users:
$ getent passwd employee employee:*:1120000003:1120000003:Test Employee:/home/employee:/bin/sh $ getent group employees employees:*:1120000005:employee,manager
3. Try to log in as FreeIPA user
$ host mytestclient.demo1.freeipa.org mytestclient.demo1.freeipa.org has address 126.96.36.199 $ ssh firstname.lastname@example.org email@example.com's password: -sh-4.2$ klist Ticket cache: KEYRING:persistent:1658800007:krb_ccache_keVNyW5 Default principal: employee@DEMO1.FREEIPA.ORG Valid starting Expires Service principal 06/04/2014 04:33:25 06/05/2014 04:33:25 krbtgt/DEMO1.FREEIPA.ORG@DEMO1.FREEIPA.ORG
4. Try other features
FreeIPA team also recommends testing advanced integration of your web application with identity management system like FreeIPA and thus having web application with central user management, Kerberos and authorization, either group based or HBAC based.
In case the demo instance is out of order or you would like to ask for an enhancement, please contact the FreeIPA team.
We would also like to invite you test our Docker FreeIPA server images, they should be easy to set up and run on your host without a need to configure all the virtual machine machinery.