FreeIPA and Ipsilon on a single machine
FreeIPA is an identity management solution. It can be used to manage information about users, groups, hosts, or services. Ipsilon is an identity proxy solution for single sign-on on the Web via protocols like SAML or OpenID. Ipsilon itself does not store information about users; it needs to use a separate identity management solution, like FreeIPA. We will look at installing the FreeIPA and Ipsilon servers on the same machine.
Installing and configuring FreeIPA
The FreeIPA server is typically installed using
ipa# yum install -y freeipa-server
or
ipa# yum install -y ipa-server
(the package names on Fedora and RHEL/CentOS are different).
It then gets configured using
ipa# ipa-server-install [ various options ]
which will set up multiple services, including the Apache HTTP server (httpd service) for both WebUI and API access.
After configuration finishes, we can access the WebUI at https://ipa.example.test/, which redirects to https://ipa.example.test/ipa/ui/ where the WebUI actually
Installing and configuring Ipsilon
Installation of the Ipsilon server is very similar:
ipa# yum install -y ipsilon [other ipsilon-* packages]
installs the packages and
ipa# ipsilon-server-install [ various options ]
then configures the server.
The ipsilon-server-install command will end with
Installation complete. Please restart HTTPD to enable the IdP instance.
and if Ipsilon was installed on a separate machine, restarting httpd would work fine. However, if we've installed Ipsilon on the same machine as FreeIPA, restart will
ipa# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
and checking the status of the service or the error_log will reveal
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Resolving the conflict
The reason for this error stems from the fact that FreeIPA uses and configures mod_nss while Ipsilon uses and configures mod_ssl. When we install and configure both on one machine, we will get both /etc/httpd/conf.d/nss.conf for FreeIPA and /etc/httpd/conf.d/ssl.conf for Ipsilon.
Since FreeIPA already created a valid SSL configuration with mod_nss, let's just move the
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig
Now restarting the httpd service passes but accessing Ipsilon at https://ipa.example.test/idp yields
You don't have permission to access /idp on this server.
It's because in Ipsilon's configuration (/etc/httpd/conf.d/ipsilon-idp.conf), use of mod_ssl is required by
That module is still loaded (with the current Apache HTTP server module packaging style, loading the module happens in /etc/httpd/conf.modules.d/00-ssl.conf) but is not
The second part of the solution is to use the configuration by replacing the NSSRequireSSL, either manually or with
ipa# sed -i 's/\<SSL/NSS/' /etc/ipsilon/idp/idp.conf
httpd.service, we have a working FreeIPA on https://ipa.example.test/ and a working Ipsilon (presumably configured to use that same FreeIPA) on https://ipa.example.test/idp.