FreeIPA
Draft version. Content is hallucinated. Do not use!

Getting Started with FreeIPA

This guide will help you deploy your first FreeIPA server and enroll client systems. Within minutes, you'll have a functional identity management infrastructure.

Prerequisites

Before installing FreeIPA, ensure you have:

  • Operating System - RHEL, CentOS, Fedora, or compatible Linux distribution
  • Hostname - Fully qualified domain name (FQDN) configured
  • DNS - Properly configured DNS or plan to use FreeIPA's integrated DNS
  • Network - Static IP address for the server
  • Firewall - Required ports opened (see below)
  • Resources - Minimum 2GB RAM, 10GB disk space

Required Firewall Ports

Open these ports on your FreeIPA server:

  • HTTP/HTTPS: 80, 443
  • LDAP/LDAPS: 389, 636
  • Kerberos: 88 (TCP/UDP), 464 (TCP/UDP)
  • DNS: 53 (TCP/UDP) - if using integrated DNS
  • NTP: 123 (UDP)
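The prerequisites and port list above are easy to get subtly wrong (a hostname that is not a real FQDN, reverse DNS that disagrees with forward DNS, an unsynchronized clock), and each one surfaces later as an obscure installer or Kerberos error. The script below is an added example, not part of this guide or of the FreeIPA project: it validates the hostname syntax, checks that forward and reverse lookups agree and that the clock is NTP-synchronized, and prints (rather than runs) the firewall commands for the ports listed above. The file name freeipa-preflight.sh is hypothetical, firewalld is an assumption (translate for nftables or ufw), and the host and domain names are the ones this guide uses.

```shell
#!/bin/sh
# freeipa-preflight.sh (added example): checks the prerequisites above before
# running ipa-server-install. Usage:  sh freeipa-preflight.sh check
# Called with no argument it only defines the functions.

# Ports from the list above as port/proto pairs; DNS only with --setup-dns.
freeipa_ports() {
    printf '%s\n' 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 123/udp
    [ "${1:-}" = "--with-dns" ] && printf '%s\n' 53/tcp 53/udp
    return 0
}

# firewalld commands for those ports, printed rather than executed so they can
# be reviewed first (firewalld is an assumption; translate for nftables or ufw).
firewall_commands() {
    freeipa_ports "$@" | while IFS= read -r p; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# True when NAME is a lowercase FQDN: at least one dot, labels of 1-63
# characters from [a-z0-9-] that neither start nor end with "-", <= 253 total.
is_fqdn() {
    name=$1
    case $name in
        *.*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    [ ${#name} -le 253 ] || return 1
    old_ifs=$IFS; IFS=.
    for label in $name; do
        [ ${#label} -le 63 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Kerberos realm the installer will propose: the DNS domain, upper-cased.
realm_for() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# Live checks on this machine: FQDN syntax, forward and reverse DNS agree, NTP sync.
check() {
    host=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$host" || { echo "FAIL: hostname '$host' is not a lowercase FQDN"; return 1; }
    addr=$(getent ahosts "$host" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || { echo "FAIL: $host does not resolve"; return 1; }
    rev=$(getent hosts "$addr" | awk '{ print $2; exit }')
    [ "$rev" = "$host" ] || echo "WARN: reverse lookup of $addr gives '${rev:-nothing}', expected $host"
    if command -v timedatectl >/dev/null 2>&1; then
        [ "$(timedatectl show -p NTPSynchronized --value)" = "yes" ] ||
            echo "WARN: clock not NTP-synchronized (Kerberos rejects skew over 300 s)"
    fi
    echo "OK: $host ($addr), realm $(realm_for "$host")"
    echo "Firewall commands for the port list:"
    firewall_commands --with-dns
}

case ${1:-} in check) check ;; esac
```

Run it as sh freeipa-preflight.sh check on the machine that will become the server. Recent firewalld versions also ship a freeipa-4 service definition, so --add-service=freeipa-4 (plus dns when using --setup-dns) is an alternative to opening the ports individually; printing the commands keeps the change reviewable either way.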

Server Installation

Step 1: Install Packages

For RHEL/CentOS/Fedora:

# Install FreeIPA server package
sudo dnf install ipa-server ipa-server-dns

# For Debian/Ubuntu:
sudo apt install freeipa-server freeipa-server-dns

Step 2: Configure Hostname

Ensure your server has a proper FQDN:

# Set hostname
sudo hostnamectl set-hostname ipa.example.com

# Verify
hostname -f
# Should output: ipa.example.com

Step 3: Run the Installer

Launch the interactive FreeIPA installer:

sudo ipa-server-install --setup-dns

The installer will prompt for:

  • DNS forwarders - IP addresses of upstream DNS servers (e.g., 8.8.8.8)
  • Server hostname - Verify it's correct
  • Domain name - DNS domain (e.g., example.com)
  • Kerberos realm - Usually uppercase domain (e.g., EXAMPLE.COM)
  • Directory Manager password - Admin password for LDAP
  • IPA admin password - Password for the 'admin' user

Step 4: Wait for Installation

The installer will:

  • Configure directory server (389 DS)
  • Set up Kerberos KDC
  • Configure Apache HTTP server
  • Install certificate authority (Dogtag)
  • Set up DNS server (if --setup-dns used)
  • Configure firewall rules

Installation typically takes 5-15 minutes.

Verify Installation

After installation completes, verify everything works:

# Get Kerberos ticket
kinit admin
# Enter the IPA admin password

# Query the directory with the ticket (confirms the API and your credentials work)
ipa user-find admin

# Verify services
ipactl status

Access the Web UI

Open a web browser and navigate to:

https://ipa.example.com

Login with:

  • Username: admin
  • Password: [IPA admin password you set]

Client Enrollment

Now enroll client systems to use FreeIPA for authentication.

Step 1: Install Client Package

# On client system
sudo dnf install ipa-client

# For Debian/Ubuntu
sudo apt install freeipa-client

Step 2: Enroll Client

sudo ipa-client-install \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --server=ipa.example.com \
  --principal=admin \
  --password=YourAdminPassword \
  --mkhomedir

The --mkhomedir option automatically creates home directories for FreeIPA users on first login.
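The enrollment command above passes the IPA admin password on the command line, where it lands in shell history and is visible to other processes while the installer runs, and it hands the domain's most powerful credential to every machine being enrolled. FreeIPA supports a one-time host password for exactly this case: an admin registers the host with ipa host-add --random, and the client joins with that single-use password and no admin credential at all. The script below is an added example, not part of this guide or of the FreeIPA project, showing both halves of that flow; the file name enroll-client.sh is hypothetical, the sample host-add output is constructed for the self-check, and the domain, realm and server names are the ones this guide uses.

```shell
#!/bin/sh
# enroll-client.sh (added example): enroll a client with a host one-time password
# instead of the admin password. Names are the guide's.
#   on the server, with an admin ticket:  sh enroll-client.sh otp client.example.com
#   on the client, as root:               sh enroll-client.sh join client.example.com 'OTP'
DOMAIN=example.com
REALM=EXAMPLE.COM
SERVER=ipa.example.com

# Constructed sample of `ipa host-add --random` output, used for the self-check.
SAMPLE_HOST_ADD_OUTPUT='--------------------------------------------------
Added host "client.example.com"
--------------------------------------------------
  Host name: client.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: client.example.com'

# Pull the one-time password out of host-add output (reads stdin).
extract_otp() {
    awk '/Random password:/ { sub(/^.*Random password: */, ""); print; exit }'
}

# Server side: create the host entry and print its OTP. The name must already
# resolve in DNS (add --force to host-add to skip that check).
make_otp() {
    [ -n "${1:-}" ] || { echo "usage: otp CLIENT_FQDN" >&2; return 2; }
    ipa host-add "$1" --random | extract_otp
}

# Client side: join with the OTP. The client never sees an admin credential,
# and the OTP is consumed by the first successful join.
join() {
    [ -n "${2:-}" ] || { echo "usage: join CLIENT_FQDN OTP" >&2; return 2; }
    ipa-client-install --unattended \
        --hostname="$1" --domain="$DOMAIN" --realm="$REALM" --server="$SERVER" \
        --password="$2" --mkhomedir
}

case ${1:-} in
    otp)  make_otp "${2:-}" ;;
    join) join "${2:-}" "${3:-}" ;;
esac
```

The OTP still appears once on the client's command line, but it is bound to one host and dies with the first join; if even that is unwanted, ipa-client-install's -W flag prompts for the password instead of taking it as an argument. The same pattern is what provisioning tools use to enroll machines without ever distributing the admin password.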

Step 3: Test Client Authentication

# Create a test user (on server or client)
ipa user-add testuser --first=Test --last=User \
  --password

# SSH to client as the FreeIPA user
ssh testuser@client.example.com

Basic Administration

User Management

# Create user
ipa user-add jsmith --first=John --last=Smith \
  --email=jsmith@example.com

# Set password
ipa passwd jsmith

# Find users
ipa user-find

# Delete user
ipa user-del jsmith

Group Management

# Create group
ipa group-add developers --desc="Development Team"

# Add members
ipa group-add-member developers --users=jsmith,testuser

# Show group
ipa group-show developers

Host-Based Access Control

# Disable default allow_all rule
ipa hbacrule-disable allow_all

# Create specific rule
ipa hbacrule-add developers_ssh \
  --desc="Allow developers SSH access"

# Add users and hosts
ipa hbacrule-add-user developers_ssh --groups=developers
ipa hbacrule-add-host developers_ssh --hosts=dev-server.example.com
ipa hbacrule-add-service developers_ssh --hbacsvcs=sshd
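HBAC rules are enforced by SSSD on every enrolled client, so the moment allow_all is disabled, no user can log in (SSH, console, sudo via PAM) anywhere unless another enabled rule grants it; running the commands in the order shown above leaves a window in which the whole fleet is locked out, and a typo in the new rule extends that window indefinitely. The script below is an added example, not part of this guide or of the FreeIPA project: it builds the scoped rule first, uses ipa hbactest with --rules to confirm that the new rule on its own grants a probe user, and only then disables allow_all. The file name hbac-lockdown.sh is hypothetical, DRY_RUN is a convention of this script, and the group, host and user names are the ones this guide uses.

```shell
#!/bin/sh
# hbac-lockdown.sh (added example): replace allow_all with a scoped rule in an
# order that cannot lock everyone out. Names are the guide's; needs a ticket from
# `kinit admin`. DRY_RUN=1 prints the ipa commands instead of running them.
#   sh hbac-lockdown.sh developers dev-server.example.com jsmith

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 0 when hbactest says the named rule, evaluated on its own (--rules), grants
# USER on HOST for SERVICE. Dry-run only prints the call and reports "granted".
rule_grants() {   # RULE USER HOST SERVICE
    if [ "${DRY_RUN:-0}" = 1 ]; then
        run ipa hbactest --rules="$1" --user="$2" --host="$3" --service="$4"
        return 0
    fi
    ipa hbactest --rules="$1" --user="$2" --host="$3" --service="$4" |
        grep -q 'Access granted: True'
}

lockdown() {   # GROUP HOST PROBE_USER
    group=$1; host=$2; probe=$3; rule="${group}_ssh"
    # 1. build the replacement rule while allow_all is still active
    run ipa hbacrule-add "$rule" --desc="Allow $group SSH access"
    run ipa hbacrule-add-user "$rule" --groups="$group"
    run ipa hbacrule-add-host "$rule" --hosts="$host"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
    # 2. gate: a group member must be granted by the new rule alone ...
    if rule_grants "$rule" "$probe" "$host" sshd; then
        # 3. ... and only then is the catch-all retired
        run ipa hbacrule-disable allow_all
    else
        echo "not disabling allow_all: $rule does not grant $probe on $host (is $probe in $group?)" >&2
        return 1
    fi
}

if [ $# -eq 3 ]; then
    lockdown "$@"
elif [ $# -ne 0 ]; then
    echo "usage: $0 GROUP HOST_FQDN PROBE_USER" >&2; exit 2
fi
```

Run it once with DRY_RUN=1 to read the exact command sequence, then for real. Keep ipa hbactest in your toolbox afterwards: every later rule change can be checked the same way (for any user, host and service) before it affects logins.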

Next Steps

Now that you have FreeIPA running:

  1. Explore Features - Review our features documentation
  2. Set Up Replication - Deploy additional servers for high availability
  3. Configure Policies - Define password policies, sudo rules, SELinux mappings
  4. Enable Certificates - Set up automated certificate management
  5. Integrate Services - Connect applications to FreeIPA

Troubleshooting

Installation Failed

# Check logs
sudo journalctl -xe

# Verify DNS resolution
dig ipa.example.com
dig _ldap._tcp.example.com SRV

# Check services
sudo ipactl status

Client Enrollment Failed

# Verify connectivity
ping ipa.example.com
nc -zv ipa.example.com 389

# Check DNS
dig _ldap._tcp.example.com SRV

# Try enrollment with debug
sudo ipa-client-install --debug

Authentication Issues

# Check time synchronization
timedatectl status

# Verify Kerberos
kinit admin
klist

# Test LDAP
ldapsearch -x -H ldap://ipa.example.com -b "dc=example,dc=com"
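The three troubleshooting lists above boil down to the same questions asked from the client: does DNS point at a server, are that server's ports reachable, and is the clock close enough for Kerberos. The script below is an added example, not part of this guide or of the FreeIPA project, that asks them in one pass: it discovers the servers from the _ldap._tcp SRV record, probes the Kerberos, LDAP, HTTPS and kpasswd ports, and compares the local clock with the Date header of the server's web front end (the KDC's default clockskew tolerance is 300 s). The file name client-diagnose.sh is hypothetical, dig, nc, curl and GNU date are assumed to be installed, the sample SRV answer is constructed for the self-check, and the domain and server names are the ones this guide uses.

```shell
#!/bin/sh
# client-diagnose.sh (added example): the first things to check on a client when
# enrollment or logins fail. Run:  sh client-diagnose.sh example.com
# Assumes dig, nc, curl and GNU date; names are the guide's.

# Constructed sample of `dig +short _ldap._tcp.example.com SRV` output.
SAMPLE_SRV_ANSWER='0 100 389 ipa.example.com.
0 100 389 ipa2.example.com.'

# Server hostnames from SRV answers on stdin ("prio weight port target.").
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Kerberos rejects requests whose timestamp is off by more than the KDC's
# clockskew (300 s by default): 0 when |LOCAL - REMOTE| <= TOLERANCE.
skew_ok() {   # LOCAL_EPOCH REMOTE_EPOCH [TOLERANCE]
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

diagnose() {
    domain=$1
    targets=$(dig +short "_ldap._tcp.$domain" SRV | srv_targets)
    [ -n "$targets" ] || { echo "FAIL: no _ldap._tcp.$domain SRV record; fix DNS or pass --server"; return 1; }
    for srv in $targets; do
        echo "server from SRV: $srv"
        for port in 88 389 443 464; do
            if nc -z -w 3 "$srv" "$port" 2>/dev/null; then
                echo "  ok   tcp/$port"
            else
                echo "  FAIL tcp/$port (firewall or wrong server?)"
            fi
        done
        # clock check: HTTP Date header from the IPA web server against local time
        # (-k because an unenrolled client does not trust the IPA CA yet; only a HEAD request is sent)
        remote=$(curl -skI "https://$srv/" | awk -F': ' 'tolower($1) == "date" { print $2 }' | tr -d '\r')
        if [ -n "$remote" ] && remote_epoch=$(date -d "$remote" +%s 2>/dev/null) &&
           skew_ok "$(date +%s)" "$remote_epoch"; then
            echo "  ok   clock within 300 s of $srv"
        else
            echo "  FAIL clock skew over 300 s or no Date header; check NTP (timedatectl status)"
        fi
    done
}

if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

A FAIL on the SRV lookup means the client is using a resolver that does not know the IPA domain, which is why ipa-client-install needs --server and --domain when DNS discovery is not available; a clock FAIL explains "Clock skew too great" from kinit even when every port is open.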

Resources

Need Help?

Join the FreeIPA community for support and discussions.

  • Mailing List: freeipa-users@lists.fedorahosted.org
  • IRC: #freeipa on irc.libera.chat
  • Matrix: #freeipa:fedoraproject.org