FreeIPA is Red Hat’s integrated identity management solution that bundles LDAP (389 Directory Server), Kerberos, DNS, NTP, and a certificate authority into a single coherent platform. It is the upstream project for Red Hat Identity Management (IdM) and is fully supported on RHEL 8. FreeIPA dramatically simplifies managing users, groups, hosts, and policies across a Linux environment compared to building those services individually. This tutorial walks through installing the FreeIPA server with integrated DNS, opening the necessary firewall ports, adding users and groups from the CLI, enrolling a client machine, and accessing the web UI.

Prerequisites

  • RHEL 8 server with at least 2 GB RAM and 10 GB disk
  • A static IP and a fully qualified hostname (e.g. ipa.example.com) — set with hostnamectl set-hostname ipa.example.com
  • Forward and reverse DNS resolution working for the server’s hostname before installation
  • Root or sudo access
  • No pre-existing conflicting Kerberos or LDAP services on the server

Step 1 — Install FreeIPA Server Packages

The freeipa-server package pulls in all required dependencies. Include freeipa-server-dns to enable the integrated BIND DNS server.

# Install FreeIPA server and the DNS extension
dnf install -y freeipa-server freeipa-server-dns

# Optional: install the trust AD module for Active Directory integration
dnf install -y freeipa-server-trust-ad

# Verify the installed version
rpm -q freeipa-server

# Confirm the system hostname is correctly set
hostname --fqdn

Step 2 — Open Required Firewall Ports

FreeIPA requires multiple services to be reachable. Add them all before running the installer so the installer’s own connectivity checks pass.

# Add FreeIPA services to the permanent firewall configuration
firewall-cmd --permanent --add-service=freeipa-ldap
firewall-cmd --permanent --add-service=freeipa-ldaps
firewall-cmd --permanent --add-service=dns
firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-port=749/tcp

# Reload to activate changes
firewall-cmd --reload

# Confirm all services are listed
firewall-cmd --list-services

Step 3 — Run the FreeIPA Server Installer

The ipa-server-install command is interactive. It will prompt for the realm name (e.g. EXAMPLE.COM), Directory Server password, admin password, and DNS forwarder details. The entire installation takes several minutes.

# Run the interactive installer with integrated DNS
ipa-server-install --setup-dns

# Key prompts and example answers:
#   Server host name [ipa.example.com]: ipa.example.com
#   Please confirm the domain name [example.com]: example.com
#   Please provide a realm name [EXAMPLE.COM]: EXAMPLE.COM
#   Directory Manager password: 
#   IPA admin password: 
#   Do you want to configure DNS forwarders? yes
#   Enter an IP address for a DNS forwarder: 8.8.8.8
#   Do you want to configure the reverse zone? yes

# After completion, obtain the admin ticket
kinit admin

# Verify the IPA server is functioning
ipa ping

Step 4 — Run a Health Check

ipa-healthcheck inspects the server configuration, service status, replication agreements, and certificate validity. Review any warnings before adding users or clients.

# Install the health check tool if not already present
dnf install -y ipa-healthcheck

# Run the full health check
ipa-healthcheck

# Run with JSON output for scripted parsing
ipa-healthcheck --output-type json | python3 -m json.tool | head -60

# Check only certificate-related items
ipa-healthcheck --source ipahealthcheck.ipa.certs

# Verify core services are running
ipactl status
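
The same JSON output can feed an automated gate, so a cron job or deployment pipeline fails when any check is not SUCCESS. This is an added example, not part of the tutorial or of ipa-healthcheck itself; the record layout it parses (source, check, result, kw.msg, one key per line as printed by python3 -m json.tool) is the one the tool emits, and the sample data is constructed.

```shell
# Added example (not part of the tutorial): report and gate on ipa-healthcheck
# results. Reads from stdin the pretty-printed JSON produced by
#   ipa-healthcheck --output-type json | python3 -m json.tool
healthcheck_failures() {
    # Each record starts with "source"; kw.msg carries the human-readable detail.
    awk '
      function val(line) { sub(/^[^:]*: *"/, "", line); sub(/",?[ \t]*$/, "", line); return line }
      function flush() {
        if (src != "" && res != "SUCCESS") printf "%s %s.%s: %s\n", res, src, chk, msg
        src = chk = res = msg = ""
      }
      /^[ \t]*"source":/ { flush(); src = val($0) }
      /^[ \t]*"check":/  { chk = val($0) }
      /^[ \t]*"result":/ { res = val($0) }
      /^[ \t]*"msg":/    { msg = val($0) }
      END { flush() }
    '
}
# Exit 0 only when every check is SUCCESS; otherwise print the problems to stderr.
healthcheck_gate() {
    failures=$(healthcheck_failures)
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures" >&2
    return 1
}
# Constructed sample in json.tool layout: one SUCCESS record, one WARNING record.
SAMPLE_HEALTHCHECK_JSON=$(cat <<'EOF'
[
    {
        "source": "ipahealthcheck.ipa.roles",
        "check": "IPACRLManagerCheck",
        "result": "SUCCESS"
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertmongerExpirationCheck",
        "result": "WARNING",
        "kw": {
            "key": "20210101",
            "msg": "Request id 20210101 expires in 29 days"
        }
    }
]
EOF
)
# Real use on the IPA server: sh healthcheck_gate.sh --run
if [ "${1:-}" = "--run" ]; then
    ipa-healthcheck --output-type json | python3 -m json.tool | healthcheck_gate
fi
```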

Step 5 — Add Users and Groups

The ipa CLI manages all directory objects. Create a user, set a password, create a group, and add the user as a member.

# Ensure you have a valid admin ticket
kinit admin

# Add a new user
ipa user-add jdoe \
  --first=John \
  --last=Doe \
  --email=jdoe@example.com \
  --shell=/bin/bash

# Set the user's password (forces reset on first login)
ipa passwd jdoe

# Add a group
ipa group-add devteam --desc="Development Team"

# Add the user to the group
ipa group-add-member devteam --users=jdoe

# Verify the user and group
ipa user-show jdoe
ipa group-show devteam

Step 6 — Enroll a Client and Access the Web UI

Install freeipa-client on each machine that should authenticate against the IPA server. The web UI is available on port 443 of the IPA server.

# On the CLIENT machine: install the IPA client package
dnf install -y freeipa-client

# Run the client installer (interactive; provide IPA server hostname and admin credentials)
ipa-client-install --domain=example.com --server=ipa.example.com \
  --realm=EXAMPLE.COM --principal=admin --mkhomedir

# Verify the client is enrolled (run on client)
ipa whoami

# Test that the user jdoe can be resolved on the client
id jdoe
getent passwd jdoe

# Access the web UI from a browser:
# https://ipa.example.com
# Log in with username "admin" and the IPA admin password set during installation
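
Enrolling with --principal=admin means the admin password is typed on every client. FreeIPA also supports enrolling with a one-time host password: the host entry is pre-created on the server with a random OTP, and the client enrolls with that OTP alone. The script below is an added example, not from the tutorial or the FreeIPA project; it assumes the tutorial's names (example.com, EXAMPLE.COM, ipa.example.com) and a constructed sample of the ipa host-add output, and it only prints the client command for review rather than running it.

```shell
# Added example (not part of the tutorial): enroll a client with a one-time
# host password instead of handing the admin principal to every client.
# Assumes the tutorial's names: domain example.com, realm EXAMPLE.COM,
# server ipa.example.com; override via environment if different.
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"

# Pull the generated password out of `ipa host-add --random` output, which
# contains a line like "  Random password: <value>". Prints nothing if absent.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Server side: pre-create the host entry and mint its OTP. Needs a ticket
# allowed to add hosts (kinit admin, or a delegated enrollment account).
precreate_host() {
    ipa host-add "$1" --random | extract_otp
}

# Client-side command, printed for review rather than executed here. The OTP
# is single-use and bound to this host, so no admin password leaves the server.
build_client_cmd() {
    host="$1"; otp="$2"
    printf 'ipa-client-install --unattended --hostname=%s --domain=%s --server=%s --realm=%s --password=%s --mkhomedir\n' \
        "$host" "$IPA_DOMAIN" "$IPA_SERVER" "$IPA_REALM" "$otp"
}

# Constructed sample of ipa host-add output, used for the offline check.
SAMPLE_HOST_ADD_OUTPUT='-------------------------------
Added host "client.example.com"
-------------------------------
  Host name: client.example.com
  Random password: vK9pL2mQ4rT8
  Password: True
  Keytab: False'

# Real use on the IPA server: sh otp_enroll.sh --run client.example.com
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    otp=$(precreate_host "$2")
    [ -n "$otp" ] || { echo "no OTP returned for $2" >&2; exit 1; }
    build_client_cmd "$2" "$otp"
fi
```

Run the printed ipa-client-install line on the client; once it has enrolled, the OTP is consumed and cannot be reused.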

Conclusion

You have deployed a fully functional FreeIPA server on RHEL 8 with integrated DNS, Kerberos, LDAP, and a certificate authority. Firewall rules were applied before installation to ensure all IPA services are reachable. You ran a health check to validate the configuration, created users and groups with the ipa CLI, and enrolled a client machine so that IPA accounts are available system-wide. The web UI at https://ipa.example.com provides a graphical interface for ongoing management.

Next steps: How to Configure FreeIPA Host-Based Access Control (HBAC) on RHEL 8, How to Set Up FreeIPA Replication for High Availability on RHEL 8, and How to Integrate FreeIPA with Active Directory Trusts on RHEL 8.