adelton

FreeIPA and Ipsilon on a single machine

Jan Pazdziora

2015-08-25


Abstract

FreeIPA is an identity management solution. It can be used to manage information about users, groups, hosts, or services. Ipsilon is an identity proxy solution for single sign-on on the Web via protocols like SAML or OpenID. Ipsilon itself does not store information about users; it needs a separate identity management solution, like FreeIPA, to authenticate against. We will look at installing the FreeIPA and Ipsilon servers on the same machine.

Installing and configuring FreeIPA

The FreeIPA server is typically installed using

ipa# yum install -y freeipa-server

or

ipa# yum install -y ipa-server

depending on the distribution, since the package names on Fedora and on RHEL/CentOS differ.

It then gets configured using

ipa# ipa-server-install [ various options ]

which will set up multiple services, including Apache HTTP server (httpd service) for both WebUI and API access. After configuration finishes, we can access the WebUI at https://ipa.example.test/, which redirects to https://ipa.example.test/ipa/ui/ where the WebUI actually lives.

Installing and configuring Ipsilon

Installation of the Ipsilon server is very similar:

ipa# yum install -y ipsilon [other ipsilon-* packages]

installs the packages and

ipa# ipsilon-server-install [ various options ]

then configures the server.

The ipsilon-server-install command will end with

Installation complete.
Please restart HTTPD to enable the IdP instance.

and if Ipsilon was installed on a separate machine, restarting httpd would work fine. However, if we've installed Ipsilon on the same machine as FreeIPA, the restart will fail with

ipa# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

and checking the status of the service or /var/log/httpd/error_log will reveal

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443

Resolving the conflict

This error occurs because FreeIPA uses mod_nss while Ipsilon uses and configures mod_ssl, and each module comes with its own configuration file that binds the HTTPS port. When we install and configure both on one machine, we end up with a

Listen 443

directive both in /etc/httpd/conf.d/nss.conf (FreeIPA, mod_nss) and in /etc/httpd/conf.d/ssl.conf (Ipsilon, mod_ssl), so the second one to be processed cannot bind port 443.

Since FreeIPA has already created a working TLS configuration with mod_nss, let's just move the mod_ssl configuration aside. Apache only includes files in /etc/httpd/conf.d/ that end in .conf, so renaming the file is enough to take it out of the configuration while keeping it around for reference:

ipa# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig

Now restarting the httpd service passes but accessing Ipsilon at https://ipa.example.test/idp yields

Forbidden

You don't have permission to access /idp on this server.

This is because Ipsilon's /etc/ipsilon/idp/idp.conf (symlinked from /etc/httpd/conf.d/ipsilon-idp.conf) contains an SSLRequireSSL directive, which belongs to mod_ssl. The module is still loaded (with the current Apache HTTP server module packaging style, that happens in /etc/httpd/conf.modules.d/00-ssl.conf), so the directive is accepted, but mod_ssl is no longer configured for any virtual host. From its point of view the connection is not encrypted, because the TLS termination is done by mod_nss, and SSLRequireSSL therefore denies the request.

The second part of the solution is to switch the directive to its mod_nss equivalent by replacing SSLRequireSSL with NSSRequireSSL. Replacing the directive rather than deleting it keeps the requirement that /idp is only reachable over TLS, which matters for a service that handles user credentials and issues SAML assertions. The change can be done either manually or with

ipa# sed -i 's/\<SSL/NSS/' /etc/ipsilon/idp/idp.conf

(the \< anchor is GNU sed's start-of-word boundary, so only directives that begin with SSL are rewritten, and SSLRequireSSL becomes NSSRequireSSL). After restarting httpd.service, we have working FreeIPA on https://ipa.example.test/ and working Ipsilon (presumably configured to use that same FreeIPA) on https://ipa.example.test/idp.
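The two-step fix above, as an added example that is not part of the original post and not code from the FreeIPA or Ipsilon projects. It wraps the procedure in shell functions so it can be dry-run against a scratch copy of the configuration and checked before the live /etc/httpd is touched. The HTTPD_CONF_DIR, IDP_CONF and APPLY_FIX variables are assumptions introduced here for that purpose; the default paths are the real ones from the post.

```shell
#!/bin/sh
# Added example: resolve the mod_nss / mod_ssl port 443 conflict between
# FreeIPA and Ipsilon on one host. Functions only; nothing touches the
# system unless APPLY_FIX=1 is set (assumed variable, not from the post).

HTTPD_CONF_DIR="${HTTPD_CONF_DIR:-/etc/httpd/conf.d}"
IDP_CONF="${IDP_CONF:-/etc/ipsilon/idp/idp.conf}"

# List every included conf.d file carrying an uncommented "Listen 443"
# (optionally with an address prefix). Two or more files means the
# "Address already in use" failure seen in the post.
listen443_files() {
    grep -l -E '^[[:space:]]*Listen[[:space:]]+(\[::\]:|0\.0\.0\.0:)?443([[:space:]]|$)' \
        "$1"/*.conf 2>/dev/null
}

# Number of such files, for a one-step conflict check.
listen443_count() {
    listen443_files "$1" | wc -l | tr -d ' '
}

# Step 1: take mod_ssl's ssl.conf out of the configuration. Apache only
# includes *.conf, so the .orig copy stays on disk but is ignored.
# Returns 1 when there is nothing to move.
disable_mod_ssl_conf() {
    dir="$1"
    [ -f "$dir/ssl.conf" ] || return 1
    mv "$dir/ssl.conf" "$dir/ssl.conf.orig"
}

# Step 2: rewrite SSL* directives to their mod_nss NSS* counterparts.
# Same GNU sed expression as in the post, with the g flag so a line
# holding more than one SSL* directive is converted completely. The
# TLS requirement (SSLRequireSSL -> NSSRequireSSL) is kept, not dropped.
convert_ssl_to_nss() {
    sed -i 's/\<SSL/NSS/g' "$1"
}

# Count SSL* directives still present; expected to be 0 after step 2.
remaining_ssl_directives() {
    grep -c -E '^[[:space:]]*SSL' "$1" || true
}

# Whole procedure, with a syntax check before the service is restarted
# so a bad edit is caught without an outage.
apply_fix() {
    dir="$1"
    idp="$2"
    if [ "$(listen443_count "$dir")" -lt 2 ]; then
        echo "no duplicate Listen 443 under $dir, nothing to do" >&2
        return 0
    fi
    disable_mod_ssl_conf "$dir" || { echo "$dir/ssl.conf not found" >&2; return 1; }
    convert_ssl_to_nss "$idp"
    if command -v httpd >/dev/null 2>&1; then
        httpd -t && systemctl restart httpd.service
    fi
}

if [ "${APPLY_FIX:-0}" = "1" ]; then
    apply_fix "$HTTPD_CONF_DIR" "$IDP_CONF"
fi
```

To rehearse the change, copy /etc/httpd/conf.d and idp.conf to a scratch directory, point HTTPD_CONF_DIR and IDP_CONF at the copies, and confirm that listen443_count drops from 2 to 1 and remaining_ssl_directives reports 0. Note that the sed also rewrites the word SSL inside comments of idp.conf; that is harmless, but it is worth a glance at the diff before applying the change for real.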