
FreeIPA is a popular open-source identity management solution that centralizes user, host, and service authentication for Linux environments. It combines LDAP, Kerberos, DNS, and certificate management into a single platform, making it easier to manage large Linux deployments securely.
In this article, we’ll cover how to install FreeIPA on a Linux server, perform initial configuration, and start using it for basic user management.
Prerequisites
- A clean Linux server (CentOS Stream, RHEL, Fedora, or similar)
- Root or sudo access
- A fully qualified domain name (FQDN) for your server (e.g., ipa.example.com) that resolves, forward and reverse, to the server's real IP address; the installer refuses a hostname that resolves only to a loopback address
- Proper DNS setup (recommended but can be configured during installation)
- Time synchronization (chrony or ntp); Kerberos rejects tickets when clocks differ by more than a few minutes
- Firewall rules for the services FreeIPA exposes: HTTP/HTTPS (80, 443), LDAP/LDAPS (389, 636), Kerberos (88 and 464, TCP and UDP) and, with integrated DNS, port 53 TCP and UDP. The installer prints the full list at the end of the run.
1. Update the system
Start by updating your system to ensure all packages are current.
# dnf update -y
2. Install FreeIPA Server Packages
Install the FreeIPA server and its dependencies:
# dnf install -y ipa-server ipa-server-dns
- ipa-server-dns is optional but recommended if you want FreeIPA to manage DNS for your domain.
3. Configure FreeIPA server
Run the FreeIPA installation script to configure the server. It takes its defaults from the machine's hostname, which must already be the FQDN you chose (e.g., ipa.example.com); confirm it with hostname -f before you start.
# ipa-server-install
You will be prompted for:
- Realm name: Usually uppercase of your domain, e.g., EXAMPLE.COM
- Directory Manager password: password of the 389 Directory Server superuser (cn=Directory Manager), used only for low-level directory maintenance; keep it separate from the admin password
- IPA admin password: password of the FreeIPA admin user, which you will use for day-to-day administration
- DNS configuration: Enable if you want FreeIPA to manage DNS
Sample configuration flow:
Realm name: EXAMPLE.COM
DNS domain name: example.com
Server host name: ipa.example.com
Directory Manager password: [choose a strong password]
IPA admin password: [choose a strong password]
Do you want to configure integrated DNS (BIND)? [yes/no]: yes
The installer will set up Kerberos, LDAP, the CA, DNS (if chosen), and the Web UI.
4. Start and Enable FreeIPA Services
The installer usually starts services automatically, but you can verify with:
# systemctl status ipa
Enable the service to start on boot:
# systemctl enable ipa
5. Access FreeIPA Web Interface
Open your browser and navigate to:
https://ipa.example.com/ipa/ui/
Log in using the admin username and the password you set during installation.
6. Add Users and Groups
You can manage users and groups either via the Web UI or the CLI.
Using the CLI:
The ipa commands need a Kerberos ticket for an administrative user, so run kinit admin first; a Web UI session does not carry over to the shell.
Add a new user:
# ipa user-add johndoe --first=John --last=Doe --email=johndoe@example.com
Set an initial password for the new user (a password set by an administrator expires immediately, so the user must choose a new one at first login):
# ipa passwd johndoe
Add a new group:
# ipa group-add developers --desc="Development Team"
Add the user to the group:
# ipa group-add-member developers --users=johndoe
7. Join Client Machines to the FreeIPA Domain
On a client machine, install the client packages:
# dnf install -y ipa-client
Run the client setup (--mkhomedir creates the user's home directory on first login):
# ipa-client-install --mkhomedir
The client locates the server through the _ldap._tcp and _kerberos._udp SRV records of its DNS domain; if FreeIPA does not manage your DNS, pass --server and --domain explicitly. Follow the prompts to join the client to the FreeIPA domain: enrollment asks for the admin credentials (or a one-time password) and configures SSSD, Kerberos and PAM on the client.
8. Test Authentication
Try logging in to the client machine with the FreeIPA user you created (replace the hostname with your client's FQDN):
# ssh johndoe@client.example.com
You should be able to authenticate with the FreeIPA password; on first login you are prompted to replace the administrator-set password. Running id johndoe on the client confirms that SSSD resolves the user and its groups from FreeIPA.
Conclusion
You now have a basic FreeIPA server up and running, managing users and authentication across your Linux network. FreeIPA simplifies identity management by providing a centralized, secure, and integrated solution. From here, you can explore advanced features like role-based access control, host-based access control, and certificate management.
Here's a practical example of how FreeIPA can be used in a real-world Linux environment.
Scenario: Centralized Authentication in a DevOps Environment
Tech Problem
Let's say you are managing a growing team of DevOps engineers and developers across multiple Linux servers (e.g., for CI/CD, staging, and production). Manually creating and maintaining user accounts, SSH keys, and sudo permissions on each server is:
- Time-consuming
- Error-prone
- A security risk (inconsistent policies, orphaned accounts)
Solution: Use FreeIPA to Centralize Identity & Access Management
By deploying FreeIPA, you can:
- Create user accounts once and manage them centrally
- Enforce SSO across servers using Kerberos
- Automatically apply sudo rules, group permissions, and access control policies
- Easily revoke access for offboarded employees
- Use host-based access control (HBAC) to control who can log in to what
Solution Walkthrough
1. Set up FreeIPA server
- Installed on: ipa.internal.example.com
- Domain: internal.example.com
- Realm: INTERNAL.EXAMPLE.COM
2. Add User Accounts
Let's add two users: alice (developer) and bob (DevOps).
# ipa user-add alice --first=Alice --last=Smith --email=alice@internal.example.com
# ipa user-add bob --first=Bob --last=Jones --email=bob@internal.example.com
# ipa passwd alice
# ipa passwd bob
3. Create the Necessary Groups
Create functional groups for managing permissions.
# ipa group-add developers --desc="Developers Team"
# ipa group-add devops --desc="DevOps Team"
# ipa group-add-member developers --users=alice
# ipa group-add-member devops --users=bob
4. Configure Sudo Rules
Let's allow DevOps team members to run any command with sudo on all servers. A sudo rule needs a command part and a host part; the "all" categories cover every command and every enrolled host, so no host group is required (there is no host group named "all"). Commands run as root unless a RunAs user is set on the rule.
# ipa sudorule-add devops-sudo --cmdcat=all --hostcat=all
# ipa sudorule-add-user devops-sudo --groups=devops
5. Control Access with HBAC Rules
Let’s say:
- Developers can access dev and staging servers
- DevOps can access all servers
Create host groups:
# ipa hostgroup-add dev-servers --desc="Development Servers"
# ipa hostgroup-add staging-servers --desc="Staging Servers"
Add hosts to the groups:
# ipa hostgroup-add-member dev-servers --hosts=dev1.internal.example.com
# ipa hostgroup-add-member staging-servers --hosts=staging1.internal.example.com
HBAC rule for developers, limited to the sshd PAM service:
# ipa hbacrule-add allow-developers
# ipa hbacrule-add-user allow-developers --groups=developers
# ipa hbacrule-add-host allow-developers --hostgroups=dev-servers
# ipa hbacrule-add-host allow-developers --hostgroups=staging-servers
# ipa hbacrule-add-service allow-developers --hbacsvcs=sshd
HBAC rule for DevOps (every enrolled host, expressed with the host category rather than a host group named "all", which does not exist):
# ipa hbacrule-add allow-devops --hostcat=all
# ipa hbacrule-add-user allow-devops --groups=devops
# ipa hbacrule-add-service allow-devops --hbacsvcs=sshd
6. Join Client Servers to FreeIPA
On each Linux server (e.g., dev1, staging1, prod1), run:
# ipa-client-install --mkhomedir --server=ipa.internal.example.com --domain=internal.example.com
Now alice can log in to dev1 and staging1 but not prod1, and bob can log in to all servers and use sudo. This holds only once the built-in allow_all HBAC rule has been disabled (ipa hbacrule-disable allow_all): it is enabled by default and matches every user, host and service, so until then every enrolled host accepts every IPA user and the rules above add nothing. Check a decision against the live server with ipa hbactest --user=alice --host=prod1.internal.example.com --service=sshd before relying on it.
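The following is an added example, not FreeIPA or SSSD code, that models offline the decision an enrolled client makes for the sudo rule in step 4 and the HBAC rules in step 5: access is granted when any enabled rule matches the user (directly, via a group, or usercat=all), the host (directly, via a host group, or hostcat=all) and the PAM service or command (or its "all" category). The users, groups and hostnames are the ones constructed for this walkthrough; nested groups, RunAs settings and sudo options are not modelled. Running it side by side with the built-in allow_all rule enabled and disabled shows why that rule has to go.

```python
"""Offline evaluator for FreeIPA-style HBAC and sudo rules (toy model)."""
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"  # value of --usercat/--hostcat/--servicecat/--cmdcat meaning "match everything"

# Directory contents as constructed for the scenario (not a real export).
GROUP_MEMBERS = {"developers": {"alice"}, "devops": {"bob"}}
HOSTGROUP_MEMBERS = {
    "dev-servers": {"dev1.internal.example.com"},
    "staging-servers": {"staging1.internal.example.com"},
}
HOSTS = ["dev1.internal.example.com", "staging1.internal.example.com",
         "prod1.internal.example.com"]


@dataclass
class Rule:
    name: str
    enabled: bool = True
    usercat: Optional[str] = None
    hostcat: Optional[str] = None
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)

    def matches_user(self, user: str) -> bool:
        return (self.usercat == ALL or user in self.users
                or any(user in GROUP_MEMBERS.get(g, set()) for g in self.groups))

    def matches_host(self, host: str) -> bool:
        return (self.hostcat == ALL or host in self.hosts
                or any(host in HOSTGROUP_MEMBERS.get(hg, set()) for hg in self.hostgroups))


@dataclass
class HbacRule(Rule):
    servicecat: Optional[str] = None
    services: set = field(default_factory=set)  # PAM service names, e.g. "sshd"

    def matches_service(self, service: str) -> bool:
        return self.servicecat == ALL or service in self.services


@dataclass
class SudoRule(Rule):
    cmdcat: Optional[str] = None
    commands: set = field(default_factory=set)

    def matches_command(self, command: str) -> bool:
        return self.cmdcat == ALL or command in self.commands


def hbac_allowed(rules, user, host, service, disabled_users=frozenset()):
    """Login decision: a disabled account is refused before any rule is consulted;
    otherwise the first enabled rule matching user, host and service grants access."""
    if user in disabled_users:
        return False
    return any(r.enabled and r.matches_user(user) and r.matches_host(host)
               and r.matches_service(service) for r in rules)


def sudo_allowed(rules, user, host, command):
    return any(r.enabled and r.matches_user(user) and r.matches_host(host)
               and r.matches_command(command) for r in rules)


def scenario_hbac_rules(allow_all_enabled: bool):
    """The two rules from the walkthrough plus FreeIPA's built-in allow_all rule."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 usercat=ALL, hostcat=ALL, servicecat=ALL),
        HbacRule("allow-developers", groups={"developers"},
                 hostgroups={"dev-servers", "staging-servers"}, services={"sshd"}),
        HbacRule("allow-devops", groups={"devops"}, hostcat=ALL, services={"sshd"}),
    ]


SUDO_RULES = [SudoRule("devops-sudo", groups={"devops"}, hostcat=ALL, cmdcat=ALL)]


def ssh_access_matrix(allow_all_enabled: bool, disabled_users=frozenset()):
    """Who may ssh where; keys are (user, host), values True/False."""
    rules = scenario_hbac_rules(allow_all_enabled)
    return {(u, h): hbac_allowed(rules, u, h, "sshd", disabled_users)
            for u in ("alice", "bob") for h in HOSTS}


if __name__ == "__main__":
    for state in (True, False):
        print(f"allow_all enabled={state}")
        for (u, h), ok in ssh_access_matrix(state).items():
            print(f"  {u:5} -> {h:32} {'ALLOW' if ok else 'DENY'}")
    print("bob sudo on prod1:", sudo_allowed(SUDO_RULES, "bob", HOSTS[2], "/usr/bin/systemctl"))
```

With allow_all enabled the matrix is all ALLOW, including alice on prod1; only after it is disabled does the developers rule actually restrict anything. Against a real server the same question is answered by ipa hbactest, which evaluates the live rule set for a given user, host and service.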
7. What Happens When Alice Leaves the Company?
Just disable the user in FreeIPA:
# ipa user-disable alice
New logins are refused on every enrolled server at once, with nothing to change on the individual machines. Two things disabling does not undo: Kerberos tickets already issued to her stay valid until they expire (one day by default), and SSH sessions that are already open are not terminated, so for an urgent offboarding also kill her active sessions on the hosts. Keep the account disabled rather than deleted for as long as you may need to attribute her past activity.
Benefits in This Example
| Feature | Outcome |
|---|---|
| Centralized user management | No need to manually create accounts on every server |
| Group-based sudo | DevOps has privileged access, others don’t |
| Access control | Developers only access dev/staging, not prod |
| Kerberos SSO | Secure, passwordless SSH with ticketing |
| Auditing | The server's KDC and directory logs record every ticket issued and every directory change; login events are still written on each client, so ship those to a central log store |
| Quick offboarding | Instant account disablement from a single location |
Summary
FreeIPA is not just a replacement for LDAP — it's a full-blown identity and access management solution tailored for Linux systems. In this practical example, it brings enterprise-grade access control, authentication, and user management to a DevOps workflow with minimal friction.