FreeIPA Identity Management Installation

FreeIPA is an integrated identity management solution that combines LDAP, Kerberos, DNS, and certificate management into a single platform, providing enterprise-grade centralized authentication and authorization for Linux environments. This guide covers installing the FreeIPA server, enrolling client machines, managing users and groups, configuring host-based access control (HBAC), and managing SSL certificates.

Prerequisites

  • CentOS/Rocky Linux 9 (recommended) or Ubuntu 22.04
  • Static IP address on the server
  • Fully qualified domain name (FQDN), e.g., ipa.example.com
  • Minimum 2 CPU cores, 4GB RAM, 10GB disk
  • Forward and reverse DNS entries for the server
  • Ports open: 80, 443 (HTTP/HTTPS), 389, 636 (LDAP/LDAPS), 88 and 464 (Kerberos and kpasswd, TCP and UDP), 53 (DNS, TCP and UDP)

Note: FreeIPA requires a dedicated hostname — do not install on a server running other web services on port 80/443.

Installing the FreeIPA Server

CentOS/Rocky Linux 9

# Set hostname and update hosts file
sudo hostnamectl set-hostname ipa.example.com
echo "192.168.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts

# Update system
sudo dnf update -y

# Install FreeIPA server
sudo dnf install -y ipa-server ipa-server-dns

# Optional: install AD trust support
sudo dnf install -y ipa-server-trust-ad

Ubuntu 22.04

sudo hostnamectl set-hostname ipa.example.com
echo "192.168.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts

sudo apt-get update
sudo apt-get install -y freeipa-server freeipa-server-dns

Initial Server Configuration

# Run the installer (interactive or unattended)
sudo ipa-server-install \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --ds-password="Directory_Manager_Password" \
  --admin-password="Admin_Password" \
  --hostname=ipa.example.com \
  --ip-address=192.168.1.10 \
  --setup-dns \
  --forwarder=8.8.8.8 \
  --auto-reverse \
  --unattended

# The installer takes 10-20 minutes and configures:
# - 389 Directory Server (LDAP)
# - MIT Kerberos KDC and kadmin
# - Apache HTTP Server (web UI and JSON-RPC API)
# - Dogtag Certificate System (the integrated CA that signs host and service certificates)
# - Time synchronization (chrony)

After installation:

# Get a Kerberos ticket for the admin user
kinit admin
# Enter Admin_Password

# Verify the ticket
klist

# Access the web UI
# https://ipa.example.com/ipa/ui/

Enrolling Client Machines

On each client server:

CentOS/Rocky Linux

sudo dnf install -y ipa-client

sudo ipa-client-install \
  --server=ipa.example.com \
  --domain=example.com \
  --principal=admin \
  --password="Admin_Password" \
  --mkhomedir \
  --unattended

Ubuntu/Debian

sudo apt-get install -y freeipa-client

sudo ipa-client-install \
  --server=ipa.example.com \
  --domain=example.com \
  --principal=admin \
  --password="Admin_Password" \
  --mkhomedir \
  --unattended

Verify Enrollment

# On the client — test user resolution
id admin
getent passwd admin

# Test Kerberos authentication as a regular user
# (jsmith is created in the User and Group Management section below)
kinit jsmith
klist

User and Group Management

CLI User Management

# First, get an admin ticket
kinit admin

# Add a user
ipa user-add jsmith \
  --first=John \
  --last=Smith \
  --email=jsmith@example.com \
  --shell=/bin/bash \
  --homedir=/home/jsmith

# Set initial password
ipa passwd jsmith

# Show user details
ipa user-show jsmith

# List all users
ipa user-find

# Disable a user
ipa user-disable jsmith

# Enable a user
ipa user-enable jsmith

# Delete a user
ipa user-del jsmith

Group Management

# Create a user group
ipa group-add sysadmins --desc "System Administrators"

# Add users to a group
ipa group-add-member sysadmins --users=jsmith,anotheruser

# Remove a user from a group
ipa group-remove-member sysadmins --users=jsmith

# List group members
ipa group-show sysadmins

# Nested groups (group of groups): create the parent group first, then nest sysadmins in it
ipa group-add infrastructure --desc "Infrastructure team"
ipa group-add-member infrastructure --groups=sysadmins

Host-Based Access Control

HBAC rules control which users can log into which hosts:

# List existing HBAC rules (default allows all access)
ipa hbacrule-find

# Disable the default "allow_all" rule (for security)
ipa hbacrule-disable allow_all

# Create a rule allowing sysadmins to access all servers.
# Only the host category is "all"; the user side is restricted to the
# sysadmins group. Do not set --usercat=all here: that would grant every
# user access, and the ipa CLI refuses to add explicit users or groups to
# a rule whose user category is already "all".
ipa hbacrule-add allow-sysadmins-all \
  --desc "Allow sysadmins to log into all hosts" \
  --hostcat=all

ipa hbacrule-add-user allow-sysadmins-all --groups=sysadmins

# Create a rule for specific hosts
# (assumes a "developers" user group already exists: ipa group-add developers)
ipa hbacrule-add allow-developers-webservers \
  --desc "Developers can access web servers"

ipa hbacrule-add-user allow-developers-webservers --groups=developers

# Add specific hosts to the rule
ipa hbacrule-add-host allow-developers-webservers \
  --hosts=web01.example.com,web02.example.com

# Or add a host group
ipa hostgroup-add webservers
ipa hostgroup-add-member webservers --hosts=web01.example.com,web02.example.com
ipa hbacrule-add-host allow-developers-webservers --hostgroups=webservers

# Test HBAC rules
ipa hbactest \
  --user=jsmith \
  --host=web01.example.com \
  --service=sshd
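The rules above are safe only as long as no enabled rule ends up with both its user and host category set to "all" (the shape of the default allow_all rule). The script below is an added example, not part of the original guide: it parses the human-readable layout of `ipa hbacrule-find` and reports enabled rules with that open shape. The SAMPLE text is constructed to mimic that layout; in practice you would pass `"$(ipa hbacrule-find)"` instead. Rule names containing spaces are not handled.

```shell
#!/bin/sh
# hbac_audit.sh: report enabled HBAC rules whose user AND host category are "all".
# Such a rule grants every user access to every enrolled host for the rule's
# services, which is what disabling allow_all was meant to remove.

# Constructed sample in the layout printed by `ipa hbacrule-find` (not real output).
SAMPLE='-------------------
3 HBAC rules matched
-------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: allow-sysadmins-all
  Host category: all
  Description: Allow sysadmins to log into all hosts
  Enabled: TRUE
  User Groups: sysadmins

  Rule name: allow-developers-webservers
  Description: Developers can access web servers
  Enabled: TRUE
  User Groups: developers
  Host Groups: webservers
----------------------------
Number of entries returned 3
----------------------------'

# Print, one per line, the names of enabled rules with user and host category "all".
# Argument 1: the text of `ipa hbacrule-find` output.
find_open_rules() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (name != "" && enabled && ucat && hcat) print name
      name = ""; ucat = 0; hcat = 0; enabled = 0
    }
    /^  Rule name: /        { flush(); name = $3 }        # new rule starts; report the previous one
    /^  User category: all/ { ucat = 1 }
    /^  Host category: all/ { hcat = 1 }
    /^  Enabled: /          { if (tolower($2) == "true") enabled = 1 }
    END                     { flush() }'                  # report the last rule
}

# Usage: find_open_rules "$(ipa hbacrule-find)"
find_open_rules "$SAMPLE"
```

Run it after every HBAC change alongside `ipa hbactest`, which checks one user/host/service combination, whereas this script scans the whole rule set for the open pattern.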

Sudo Rules

Centrally managed sudo rules via FreeIPA:

# Create sudo commands (each command must exist before it can be added to a group)
ipa sudocmd-add /bin/systemctl --desc "Systemctl command"
ipa sudocmd-add /usr/bin/journalctl --desc "Journalctl command"

# Create a sudo command group
ipa sudocmdgroup-add service-management --desc "Service management commands"
ipa sudocmdgroup-add-member service-management --sudocmds=/bin/systemctl,/usr/bin/journalctl

# Create a sudo rule
ipa sudorule-add allow-service-management \
  --desc "Allow sysadmins to manage services"

# Add users/groups to the rule
ipa sudorule-add-user allow-service-management --groups=sysadmins

# Add allowed commands
ipa sudorule-add-allow-command allow-service-management \
  --sudocmdgroups=service-management

# Apply to specific hosts
ipa sudorule-add-host allow-service-management --hostgroups=webservers

# Show the resulting rule; on an enrolled client, `sudo -l` lists what applies to the current user
ipa sudorule-show allow-service-management

Certificate Management

FreeIPA includes its own CA:

# Register the service principal (run with an admin ticket; the host named in the
# principal is automatically allowed to manage it)
ipa service-add HTTP/web01.example.com

# Request the certificate on web01 itself: certmonger authenticates to the IPA CA
# with the host's keytab and keeps the certificate renewed
ipa-getcert request \
  -f /etc/pki/tls/certs/web01.crt \
  -k /etc/pki/tls/private/web01.key \
  -K HTTP/web01.example.com \
  -N "CN=web01.example.com,O=EXAMPLE.COM"

# List certificate requests
ipa-getcert list

# Show CA certificates
ipa ca-show ipa

# Trust the FreeIPA CA on clients
ipa-certupdate  # Run on clients to update CA trust

Troubleshooting

Kerberos authentication fails

# Check time sync (Kerberos requires < 5 min skew)
timedatectl

# Sync time
sudo chronyc -a makestep

# Get a fresh ticket
kdestroy
kinit admin

Client enrollment fails

# Verify DNS resolution of IPA server
host ipa.example.com

# Check IPA server is reachable (an HTTP 401 from the JSON endpoint still proves
# the API is up; it requires a Kerberos or session login)
ping ipa.example.com
curl -k https://ipa.example.com/ipa/json

# Check firewall on IPA server
firewall-cmd --list-all

Users can't log in despite HBAC rule

# Test HBAC from the client
sssctl user-checks -s sshd jsmith

# Check SSSD logs
sudo journalctl -u sssd -f

# Ensure HBAC rule includes the correct service (sshd, sudo, etc.)
ipa hbactest --user=jsmith --host=client.example.com --service=sshd

IPA services won't start

# Check IPA service status
sudo ipactl status

# Restart all IPA services
sudo ipactl restart

# Check individual service logs
sudo journalctl -u krb5kdc
sudo journalctl -u dirsrv@EXAMPLE-COM

Conclusion

FreeIPA delivers a comprehensive identity management platform that consolidates LDAP authentication, Kerberos SSO, DNS, and certificate management into a single solution. Its host-based access control and centralized sudo management provide granular authorization without managing individual server configurations, making it an excellent choice for organizations running multiple Linux servers.