How to Install FreeIPA Server on Fedora 29/Fedora 28/CentOS 7

Hello there. Today we are going to learn how to install FreeIPA server on Fedora 29/Fedora 28/CentOS 7 or any other RHEL derivative. According to their About page, FreeIPA is an opensource integrated Identity and authentication management solution for Linux/UNIX environments. It provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other relevant information necessary for managing the security aspects of a network of computers. It is build atop a number of opensource solutions such as 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). FreeIPA can be managed via web interface or command line.

How to Install FreeIPA Server on Fedora/CentOS


To ensure a smooth FreeIPA installation, ensure that the following prerequisites are met.

Set static IP address on your server.

ip add
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp1s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:08:8c:21 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute enp1s0
       valid_lft 3447sec preferred_lft 3447sec
    inet6 fe80::2a79:62fd:eb27:1e0a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

So my address is and is set statically using the NMCLI command;

nmcli con add \
	type ethernet \
	ifname enp1s0 \
	con-name enp1s0 \
	ipv4.addresses \
	ipv4.gateway \
	ipv4.dns \
	ipv4.method manual \
	connection.autoconnect yes
nmcli con up enp1s0

Set a fully qualified hostname

hostnamectl set-hostname

Your hostname must be resolvable. If you don’t have a DNS server, you can use /etc/hosts file.

echo " freeipa"  >> /etc/hosts

Ensure both forward and reverse DNS resolution;

dig +short
dig -x +short

Ensure that your package repository is up to date

dnf update

Check if your server needs a reboot;

dnf install dnf-utils


need-restarting -r
No core libraries or services have been updated since boot-up.
Reboot should not be necessary.

If a restart is required, then do so.

Install FreeIPA on Fedora/CentOS

Once the above requirements are met, install FreeIPA packages as shown below;

dnf -y install freeipa-server

In this guide, we are going to set up basic FreeIPA server without integrated DNS. If you would like to include DNS integration, install these additional packages;

dnf install -y bind-dyndb-ldap freeipa-server-dns

Setup FreeIPA Server on Fedora/CentOS

Once the installation is done, run the command below to launch basic FreeIPA setup.


To perform FreeIPA setup with DNS integration, run the command below;

ipa-server-install --setup-dns

In this guide, we are going to perform FreeIPA basic setup without DNS integration.

When you launched the installation setup command, the first thing you are prompted to do is choose whether to setup integrated DNS.

If you want to accept the default settings shown in brackets, press the Enter key.


In this guide, we are not configuring DNS integration.

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.
Version 4.11.1

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: no

Next, you are required to setup the server FQDN and the domain as well as the Kerberos realm. Kerberos realm is an authentication protocol for FreeIPA. You can press ENTER to accept the defaults.

The server hostname and domain should already be auto-detected. If that is the case, just press enter to proceed.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

Server host name []: ENTER

The domain name has been determined based on the host name.

Please confirm the domain name []: ENTER

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [KIFARUNIX.COM]: ENTER

Next, set the Directory manager (LDAP) password

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: password
Password (confirm): password

Set the IPA administrator password

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: password2
Password (confirm): password2

Accept defaults for NetBIOS and NTP server.

Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [KIFARUNIX]: 

Do you want to configure chrony with NTP server or pool address? [no]:

Next, you are prompted on whether to configure the IPA server with the above configuration options you have provided.

The IPA Master Server will be configured with:
IP address(es):
Domain name:
Realm name:     KIFARUNIX.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=KIFARUNIX.COM
Subject base: O=KIFARUNIX.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

If you are satisfied with what you have provided, accept and proceed.

The configuration will take quite some minutes to complete depending on the swiftness of your server. If all is well, you should see such an output.

Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.d6sgeix0.db
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Open FreeIPA Services Ports on Firewall

Next, you need to open the FreeIPA services ports through the firewall if it is running.

First check the state of firewall;

firewall-cmd --state

If it is running, output should be, running. Thus, proceed to open the ports.

for i in 80 443 389 636 88 464; do firewall-cmd --add-port=$i/tcp --permanent; done
for i in 88 464 123; do firewall-cmd --add-port=$i/udp --permanent; done

You can even use the service name instead;

firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp} --permanent

Then reload the firewall;

firewall-cmd --reload

Check Status of FreeIPA Services

To confirm if all the FreeIPA services are running, execute the command;

ipactl status

Sample output;

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Obtain Kerberos Ticket for IPA Adminstration

Now that the installation is done, you need to authenticate to FreeIPA server. During installation two users were created, the Directory manager and the admin manager.

To authenticate to FreeIPA manager as an admin and even be able to use the IPA command line tools as well as the Web interface, you need to generate the Kerberos ticket by running the command below;

Use the password for IPA admin user.

kinit admin
Password for [email protected]: <IPA admin user password>

Using IPA Command Line tools

Once you obtain a Kerberos ticket, you can try to use the IPA command line tools. For example, to find the information about admin user, run the command ipa user-find admin.

ipa user-find admin
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected], [email protected]
  UID: 1152000000
  GID: 1152000000
  Account disabled: False
Number of entries returned 1

Access FreeIPA Web Interface

To login to your FreeIPA server via the browser, enter the FQDN on the browser address bar.

In case you get an SSL exception prompt, just accept it and proceed to login.

freeipa web login page

Authenticate using IPA Admin user credentials.

When you successfully authenticate, you should see FreeIPA’s Identity Users page as shown in the screenshot below;

freeipa users dashboard page

You have successfully setup your basic FreeIPA server. In our next article, we will learn how to add and configure FreeIPA users. Stay connected.

Adding Users to FreeIPA Server

Follow the link below to add FreeIPA server users.

Add FreeIPA User Accounts via CLI or Web Interface


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment