How to Install and Configure FreeIPA on RHEL 7
FreeIPA is an integrated identity and authentication solution that combines LDAP (via 389 Directory Server), Kerberos, DNS, a certificate authority (Dogtag PKI), and a web-based management interface into a single coherent platform. It is Red Hat’s upstream open-source project that underpins Red Hat Identity Management (IdM), making it a natural fit for RHEL 7 environments that need enterprise-grade centralized identity management without the cost of Active Directory. With FreeIPA you can manage users, groups, hosts, sudo rules, and host-based access control policies from a single interface, and enroll client machines so they authenticate against the IPA server automatically. This guide covers the full installation of both the IPA server and DNS service, initial configuration, user and group management, client enrollment, and key policy features including sudo rules and HBAC.
Prerequisites
- RHEL 7 server with at minimum 2 GB RAM and 10 GB disk space dedicated to the IPA server role
- A static IP address and a fully qualified hostname that resolves correctly in both forward and reverse DNS
- Root or sudo access
- An unoccupied DNS domain for the IPA realm — do not install IPA on a machine already running a conflicting DNS, LDAP, or Kerberos service
- Ports open: TCP/UDP 53 (DNS), TCP/UDP 88 (Kerberos), TCP 389/636 (LDAP/LDAPS), TCP 443 (web UI), TCP 8443 (Dogtag), UDP 123 (NTP)
- A properly set hostname:
hostnamectl set-hostname ipa.example.com
Step 1: Set the Hostname and Configure /etc/hosts
FreeIPA is extremely sensitive to hostname and DNS configuration. Ensure the server hostname resolves to the correct IP before running the installer.
sudo hostnamectl set-hostname ipa.example.com
# Add a static /etc/hosts entry as a fallback
echo "192.168.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts
# Verify resolution
hostname -f
ping -c 2 ipa.example.com
Step 2: Install the IPA Server Packages
Install ipa-server along with the integrated DNS server package. The DNS integration is optional but strongly recommended because FreeIPA can manage DNS records for enrolled hosts automatically.
# Install IPA server with DNS support
sudo yum install -y ipa-server ipa-server-dns
# If you do not want integrated DNS:
sudo yum install -y ipa-server
The installation pulls in 389 Directory Server, MIT Kerberos, Dogtag Certificate System, BIND (if DNS is included), and numerous dependencies. This may take several minutes.
Step 3: Run the IPA Server Installation Wizard
The ipa-server-install command launches an interactive wizard that configures all components. You can also pass flags to run it non-interactively in scripts.
sudo ipa-server-install --setup-dns
The wizard prompts for the following values:
- Server hostname — auto-detected from hostname -f; confirm it is correct
- Domain name — e.g., example.com
- Kerberos realm name — e.g., EXAMPLE.COM (uppercase)
- Directory Manager password — administrative password for the 389 DS instance
- IPA admin password — password for the admin IPA account
- DNS forwarders — upstream DNS servers (e.g., 8.8.8.8) or no for a root-resolving server
- Reverse zone — whether to configure a reverse DNS zone
For a fully unattended installation:
# Passwords given on the command line are visible in shell history and the process list;
# replace the placeholders below with real values or let the wizard prompt for them.
sudo ipa-server-install \
    --hostname=ipa.example.com \
    --domain=example.com \
    --realm=EXAMPLE.COM \
    --ds-password=DirectoryManagerPassword \
    --admin-password=AdminPassword \
    --setup-dns \
    --forwarder=8.8.8.8 \
    --auto-reverse \
    --unattended
Installation takes 5–15 minutes. When complete, the installer prints a summary of services started and the URL of the web UI.
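Because the installer is so sensitive to hostname and DNS consistency (Step 1), the following pre-flight script is worth running before the unattended command. It is an added example, not part of the original guide or of FreeIPA itself; the function names ipa_preflight and ipa_dns_check are mine, and the realm check assumes the usual convention that the realm is the upper-cased domain.

```shell
# Pre-flight checks before ipa-server-install (added example, not FreeIPA's own tooling).
# Usage: ipa_preflight <fqdn> <domain> <realm>
# Returns 0 when hostname, domain and realm are consistent, 1 otherwise (reasons on stderr).
ipa_preflight() {
    fqdn=$1; domain=$2; realm=$3; rc=0
    case "$fqdn" in
        localhost|localhost.*) echo "hostname must not be localhost" >&2; rc=1 ;;
        *.*) ;;
        *) echo "hostname '$fqdn' is not fully qualified" >&2; rc=1 ;;
    esac
    case "$fqdn" in
        *."$domain") ;;
        *) echo "hostname '$fqdn' is not inside domain '$domain'" >&2; rc=1 ;;
    esac
    # Assumed convention: the Kerberos realm is the domain name in upper case.
    expected=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$expected" ] || { echo "realm '$realm' should be '$expected'" >&2; rc=1; }
    return $rc
}

# Live check: the FQDN must resolve to a non-loopback address whose reverse
# record points back at the same FQDN. getent consults /etc/hosts as well as
# DNS, so a passing result here still relies on the /etc/hosts fallback from Step 1.
ipa_dns_check() {
    fqdn=$1
    ip=$(getent ahostsv4 "$fqdn" | awk 'NR==1{print $1}')
    [ -n "$ip" ] || { echo "no address for $fqdn" >&2; return 1; }
    case "$ip" in 127.*) echo "$fqdn resolves to loopback $ip" >&2; return 1 ;; esac
    ptr=$(getent hosts "$ip" | awk '{print $2}')
    [ "$ptr" = "$fqdn" ] || { echo "reverse of $ip is '$ptr', not $fqdn" >&2; return 1; }
    echo "$fqdn <-> $ip OK"
}

# Example invocation with the values used throughout this guide:
# ipa_preflight ipa.example.com example.com EXAMPLE.COM && ipa_dns_check ipa.example.com
```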
Step 4: Configure Firewall Rules
sudo firewall-cmd --permanent --add-service=freeipa-ldap
sudo firewall-cmd --permanent --add-service=freeipa-ldaps
sudo firewall-cmd --permanent --add-service=freeipa-replication
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=kerberos
sudo firewall-cmd --permanent --add-service=kpasswd
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload
sudo firewall-cmd --list-services
Step 5: Authenticate and Access the Web UI
Obtain a Kerberos ticket for the IPA admin account and access the web interface.
# Obtain admin ticket
kinit admin
# Verify ticket
klist
Open a browser and navigate to https://ipa.example.com/ipa/ui. Log in with the admin account. The web UI provides access to all management functions covered in the following steps.
Step 6: Manage Users with ipa user-add
All IPA management commands are available via the ipa CLI tool after authenticating with kinit admin.
# Add a user (--password prompts for an initial password that the user must change at first login)
ipa user-add jdoe \
    --first=John \
    --last=Doe \
    --email=jdoe@example.com \
    --shell=/bin/bash \
    --password
# List all users
ipa user-find
# Show details for a specific user
ipa user-show jdoe
# Disable a user account
ipa user-disable jdoe
# Delete a user
ipa user-del jdoe
Step 7: Manage Groups with ipa group-add
# Create a group
ipa group-add sysadmins --desc="System Administrators"
# Add a user to the group
ipa group-add-member sysadmins --users=jdoe
# Create a group for a project
ipa group-add devteam --desc="Development Team"
# List all groups
ipa group-find
# Show group membership
ipa group-show sysadmins
Step 8: Enroll a Client Machine
To enroll a RHEL 7 client so it authenticates against IPA, install the client package and run ipa-client-install. The client must be able to resolve the IPA server hostname in DNS.
# On the client machine (the enrolling principal's password is visible in shell history;
# omit --password and --unattended to be prompted instead):
sudo yum install -y ipa-client
sudo ipa-client-install \
    --server=ipa.example.com \
    --domain=example.com \
    --realm=EXAMPLE.COM \
    --principal=admin \
    --password=AdminPassword \
    --unattended
After enrollment, users in IPA can log in to the client via SSH immediately. The client is also registered as a host object in IPA.
# Verify enrollment
ipa host-show client1.example.com
Step 9: Configure Sudo Rules via IPA
IPA centrally manages sudo policies that apply to all enrolled hosts. This eliminates the need to maintain /etc/sudoers files on individual machines.
# Create a sudo command
ipa sudocmd-add /usr/bin/yum
# Create a sudo command group
ipa sudocmdgroup-add package-management --desc="Package management commands"
ipa sudocmdgroup-add-member package-management --sudocmds=/usr/bin/yum
# Create a sudo rule allowing sysadmins to run package-management commands on all hosts
ipa sudorule-add allow-pkg-mgmt \
    --desc="Allow sysadmins to manage packages" \
    --hostcat=all \
    --runasusercat=all
ipa sudorule-add-user allow-pkg-mgmt --groups=sysadmins
ipa sudorule-add-allow-command allow-pkg-mgmt --sudocmdgroups=package-management
On enrolled clients, sssd fetches these sudo rules automatically — no manual /etc/sudoers changes required.
Step 10: Configure Host-Based Access Control (HBAC)
HBAC rules control which users and groups are permitted to log in to which hosts and use which services (SSH, sudo, etc.). By default, IPA ships with an allow_all rule that permits everyone to log in everywhere. In production, disable this rule and create specific HBAC policies.
# Disable the permissive default rule
ipa hbacrule-disable allow_all
# Create an HBAC rule allowing sysadmins to SSH to all hosts.
# Only the host category is set to "all": a rule whose user or service category
# is "all" cannot have specific groups or services attached to it afterwards.
ipa hbacrule-add allow-sysadmin-ssh \
    --desc="Allow sysadmins to SSH to all hosts" \
    --hostcat=all
ipa hbacrule-add-user allow-sysadmin-ssh --groups=sysadmins
# sshd is among the HBAC services predefined at install time; create it only if it is missing
ipa hbacsvc-show sshd >/dev/null 2>&1 || ipa hbacsvc-add sshd
# Add the service to the rule
ipa hbacrule-add-service allow-sysadmin-ssh --hbacsvcs=sshd
# Test HBAC rule evaluation before applying
ipa hbactest --user=jdoe --host=client1.example.com --service=sshd
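Disabling allow_all is only useful if no other rule re-creates the same "everyone, everywhere, every service" grant. The following audit helper is an added example, not part of the original guide or of FreeIPA: it reads the text output of ipa hbacrule-find on stdin and prints every enabled rule whose user, host and service categories are all set to all. The sample output embedded below is constructed for the demonstration, and find_permissive_hbac is my own function name.

```shell
# Audit HBAC rules for permissive "all/all/all" policies (added example, not FreeIPA tooling).
# Reads `ipa hbacrule-find` text output on stdin; prints the name of each ENABLED rule
# whose user, host and service categories are all "all" (the shape of the default allow_all).
find_permissive_hbac() {
    awk '
        function flush() {
            if (name != "" && enabled == "TRUE" && u == "all" && h == "all" && s == "all")
                print name
            name = ""; enabled = ""; u = ""; h = ""; s = ""
        }
        /^[[:space:]]*Rule name:/        { flush(); sub(/^[[:space:]]*Rule name:[[:space:]]*/, ""); name = $0 }
        /^[[:space:]]*User category:/    { u = $NF }
        /^[[:space:]]*Host category:/    { h = $NF }
        /^[[:space:]]*Service category:/ { s = $NF }
        /^[[:space:]]*Enabled:/          { enabled = $NF }
        END { flush() }
    '
}

# Constructed sample in the layout of `ipa hbacrule-find` (not captured from a real server).
SAMPLE_HBAC='  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: allow-sysadmin-ssh
  Host category: all
  Description: Allow sysadmins to SSH to all hosts
  Enabled: TRUE
  User Groups: sysadmins
  HBAC Services: sshd

  Rule name: legacy-open
  User category: all
  Host category: all
  Service category: all
  Enabled: FALSE
'

# Against the sample this prints only "allow_all": legacy-open is equally broad but disabled,
# and allow-sysadmin-ssh is scoped to a group and a service.
printf '%s' "$SAMPLE_HBAC" | find_permissive_hbac
```

Against a live server, run `ipa hbacrule-find --all | find_permissive_hbac` after kinit admin; any rule name it prints should be disabled or narrowed as Step 10 describes.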
Step 11: Certificates from the IPA CA
FreeIPA includes a Dogtag-based certificate authority. You can issue certificates for services using the ipa cert-request command after generating a CSR.
# Generate a CSR (example using openssl)
openssl req -new -newkey rsa:2048 -nodes \
    -keyout /etc/pki/tls/private/webserver.key \
    -out /tmp/webserver.csr \
    -subj "/CN=webserver.example.com"
# Submit the CSR to the IPA CA. The host webserver.example.com must already be enrolled
# and the HTTP service principal must exist (created with ipa service-add) before the
# request is accepted.
ipa cert-request /tmp/webserver.csr \
    --principal=HTTP/webserver.example.com
# List certificates issued by the IPA CA
ipa cert-find --subject=webserver
The issued certificate is stored in LDAP and can be retrieved or revoked via the web UI or CLI at any time.
Conclusion
FreeIPA transforms identity management on RHEL 7 from a per-host administrative burden into a centralized, policy-driven service. Once the server is installed and clients are enrolled, user provisioning, group membership, sudo rules, HBAC policies, and certificate issuance all happen in one place — either through the polished web UI at https://ipa.example.com/ipa/ui or the powerful ipa CLI. As your environment grows, you can add replica IPA servers for high availability, integrate with Active Directory through cross-realm Kerberos trusts, and extend the CA to issue certificates for all services in your domain without external dependencies.