FreeIPA
Draft version. Content is hallucinated. Do not use!

Installing FreeIPA Server

Step-by-step guide to installing and configuring your first FreeIPA server on RHEL/CentOS/Fedora.

Level: beginner | Time: 45 minutes

Prerequisites

  • RHEL 8+, CentOS Stream 8+, or Fedora 35+ server
  • At least 2GB RAM and 10GB disk space
  • Fully qualified domain name (FQDN) configured
  • Root or sudo access

Overview

This tutorial will guide you through the installation and initial configuration of a FreeIPA server. By the end of this tutorial, you’ll have a fully functional identity management system ready for use.

Prerequisites Check

Before starting, ensure your system meets these requirements:

  1. Operating System: RHEL 8+, CentOS Stream 8+, or Fedora 35+
  2. Hostname: Properly configured FQDN (e.g., ipa.example.com)
  3. Network: Static IP address with DNS resolution
  4. Resources: Minimum 2GB RAM, 10GB disk space

Verify your hostname:

hostname -f
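
The checks in this section can be scripted. The following preflight is an added example, not part of the original tutorial or of FreeIPA; the function names, the 1800 MB RAM floor, and the choice of /var for the disk check are assumptions. The port list is the one used under Troubleshooting.

```sh
#!/bin/sh
# Added example: preflight for this tutorial's prerequisites. Thresholds are assumptions
# based on the page (2 GB RAM, 10 GB disk); /var is assumed to hold the server's data.

# Lower-case name with at least two dot-separated labels, not a localhost alias.
is_fqdn() {
  case "$1" in localhost|localhost.*|*.localdomain) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# True when the address the server name resolves to is a loopback address.
is_loopback() {
  case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# Reads `ss -tuln` output on stdin and prints which of the page's ports are bound.
# Compares the whole port field, so 8080 is not mistaken for 80.
busy_ports() {
  awk '{ n = split($5, a, ":"); p = a[n] }
       p ~ /^(80|443|389|636|88|464)$/ && !seen[p]++ { out = out (out ? " " : "") p }
       END { print out }'
}

# Runs every check against the local host; prints FAIL lines, exits 1 if any failed.
preflight() (
  rc=0
  fqdn=$(hostname -f 2>/dev/null)
  is_fqdn "$fqdn" || { echo "FAIL: hostname '$fqdn' is not a lower-case FQDN"; rc=1; }
  ip=$(getent hosts "$fqdn" | awk 'NR == 1 { print $1 }')
  if [ -z "$ip" ]; then echo "FAIL: $fqdn does not resolve"; rc=1
  elif is_loopback "$ip"; then echo "FAIL: $fqdn resolves to loopback ($ip)"; rc=1
  fi
  mem_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
  # MemTotal excludes kernel-reserved memory, so a 2 GB host reports slightly less.
  [ "${mem_mb:-0}" -ge 1800 ] || { echo "FAIL: ${mem_mb} MB RAM, need about 2 GB"; rc=1; }
  disk_gb=$(df -Pk /var | awk 'NR == 2 { print int($4 / 1048576) }')
  [ "${disk_gb:-0}" -ge 10 ] || { echo "FAIL: ${disk_gb} GB free on /var, need 10"; rc=1; }
  used=$(ss -tuln 2>/dev/null | busy_ports)
  [ -z "$used" ] || { echo "FAIL: ports already bound: $used"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: prerequisites met"
  exit "$rc"
)

# Run the checks only when asked, e.g.  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it before Step 1; a name that resolves to 127.0.0.1 through /etc/hosts is reported by the loopback check.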

Step 1: Prepare the System

Update your system packages:

sudo dnf update -y

Set the correct hostname if needed:

sudo hostnamectl set-hostname ipa.example.com

Step 2: Install FreeIPA Packages

Install the FreeIPA server packages:

sudo dnf install -y freeipa-server freeipa-server-dns

This will install:

  • FreeIPA server core components
  • Integrated DNS server (optional but recommended)
  • Required dependencies (389 Directory Server, MIT Kerberos, etc.)

Step 3: Run the Installation

Run the FreeIPA installation wizard:

sudo ipa-server-install

You’ll be prompted for several configuration options:

  1. Configure integrated DNS: Yes (recommended)
  2. Server hostname: (should auto-detect your FQDN)
  3. Domain name: example.com
  4. Kerberos realm: EXAMPLE.COM (uppercase by convention)
  5. Directory Manager password: Choose a strong password
  6. IPA admin password: Choose a strong password
  7. DNS forwarders: Add your network’s DNS servers

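Example non-interactive installation. The passwords shown are placeholders; values passed as command-line arguments are saved in shell history and are visible in the process list while the installer runs: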

sudo ipa-server-install \
  --realm EXAMPLE.COM \
  --domain example.com \
  --ds-password StrongDMPassword123 \
  --admin-password StrongAdminPassword123 \
  --hostname ipa.example.com \
  --setup-dns \
  --forwarder 8.8.8.8 \
  --forwarder 8.8.4.4 \
  --unattended

Step 4: Configure Firewall

Open the required ports:

sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns} --permanent
sudo firewall-cmd --reload

Step 5: Verify Installation

Check that all services are running:

sudo ipactl status

You should see services like:

  • Directory Server
  • Certificate Authority
  • DNS Server
  • HTTP Server
  • Kerberos KDC

Test the admin authentication:

kinit admin
klist

Step 6: Access the Web UI

Open your browser and navigate to:

https://ipa.example.com

Log in with:

  • Username: admin
  • Password: (the admin password you set during installation)

Next Steps

Now that you have FreeIPA installed, you can:

  1. Add users and groups: Start managing identities
  2. Enroll client systems: Join Linux/Unix systems to the domain
  3. Configure DNS: Add DNS records and zones
  4. Set up certificates: Issue and manage SSL/TLS certificates
  5. Create policies: Define access control and authentication policies

Troubleshooting

DNS Resolution Issues

If you encounter DNS problems, verify that the server name and the Kerberos SRV record resolve:

dig ipa.example.com
dig -t SRV _kerberos._tcp.example.com

Service Startup Failures

Check service logs:

sudo journalctl -u ipa
sudo tail -f /var/log/ipaserver-install.log

Port Conflicts

Ensure required ports are not in use:

sudo ss -tulpn | grep -E ':(80|443|389|636|88|464)[[:space:]]'

Conclusion

Congratulations! You’ve successfully installed FreeIPA. Your identity management infrastructure is now ready to centralize authentication and authorization across your environment.