
FreeIPA Cheat Sheet

Overview

FreeIPA is an integrated identity management solution that combines an LDAP directory (389 Directory Server), a Kerberos KDC (MIT Kerberos), DNS (BIND with the bind-dyndb-ldap plugin) and a certificate authority (Dogtag PKI) behind one web UI and one command-line tool; the installer also configures chronyd so that clocks stay within the five-minute skew Kerberos tolerates (older releases ran ntpd). It provides centralized authentication, authorization and account information for Linux/UNIX environments, the role Active Directory plays for Windows, and adds HBAC (host-based access control), centrally managed sudo rules, SELinux user mapping and OTP-based two-factor authentication on top.

FreeIPA uses multi-master replication: every server holds a writable copy of the directory, so writes can be accepted anywhere and the deployment survives the loss of a server, provided the CA and any other optional role are installed on more than one replica. Clients are enrolled with ipa-client-install, which configures SSSD for identity lookups and authentication, Kerberos for single sign-on, and certmonger to track and renew the host certificate. Integration with Active Directory is done through a cross-forest trust (a Kerberos cross-realm trust plus SID-to-POSIX ID mapping), so users from the AD forest can log in to IPA-enrolled Linux hosts with their AD credentials without any accounts being copied into IPA. FreeIPA is the upstream project of Red Hat Identity Management (IdM).

Installation

Server Installation (RHEL/CentOS/Fedora)

# Install FreeIPA server packages (Fedora package names; on RHEL/CentOS they are
# ipa-server, ipa-server-dns and ipa-server-trust-ad, and RHEL 8 needs
# "dnf module enable idm:DL1" first)
sudo dnf install freeipa-server freeipa-server-dns freeipa-server-trust-ad

# Set the hostname (an FQDN is required, and it must not be the bare domain name)
sudo hostnamectl set-hostname ipa.example.com

# Make sure the server resolves its own name to a non-loopback address before installing
echo "192.168.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts

# Run the interactive installer (prompts for realm, domain and both passwords)
sudo ipa-server-install --setup-dns

# Or non-interactive installation. --unattended needs both passwords on the command
# line, so run this from a root-only script rather than typing it at a prompt: the
# values land in shell history and are visible in ps while the installer runs.
# The Directory Manager password is the root password of the LDAP database; both
# passwords must be at least 8 characters.
sudo ipa-server-install \
  --realm EXAMPLE.COM \
  --domain example.com \
  --ds-password 'DirectoryManagerPass' \
  --admin-password 'AdminPass' \
  --setup-dns \
  --forwarder 8.8.8.8 \
  --no-reverse \
  --unattended

Client Installation

# Install the client package (Fedora name; ipa-client on RHEL/CentOS)
sudo dnf install freeipa-client

# Enroll the client interactively (prompts for an enrolling principal and its
# password); --mkhomedir creates home directories at first login
sudo ipa-client-install --mkhomedir

# Non-interactive enrollment with admin credentials. Avoid this in automation: the
# admin password ends up in scripts, shell history and ps output on every client.
# Pre-create the host with a one-time password (ipa host-add HOST --password=OTP)
# and pass that OTP as --password without --principal instead.
sudo ipa-client-install \
  --server=ipa.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --principal=admin \
  --password='AdminPass' \
  --mkhomedir \
  --unattended

# Verify enrollment: ipa env prints the configured server and realm (it runs
# locally, no ticket needed); id admin proves SSSD resolves IPA users
ipa env
id admin
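The non-interactive enrollment above puts the admin password on every client. The script below is an added example, not part of this page or of the FreeIPA project, that does the same job with a per-host one-time password: the host entry is created on a server with an OTP, and the client enrolls with that OTP alone. It uses the ipa.example.com / EXAMPLE.COM names from this page; the script name enroll.sh and the 24-character OTP length are my own choices.

```shell
#!/bin/sh
# Added example: enroll a client with a host one-time password (OTP) instead of
# the admin password. Server/domain/realm default to the names used on this page.
set -eu

IPA_SERVER=${IPA_SERVER:-ipa.example.com}
IPA_DOMAIN=${IPA_DOMAIN:-example.com}
IPA_REALM=${IPA_REALM:-EXAMPLE.COM}

# ipa-client-install needs a fully-qualified hostname, and the pre-created host
# entry must carry exactly that name, so refuse anything outside the IPA domain.
valid_fqdn() {
  case "$1" in
    .$IPA_DOMAIN)  return 1 ;;   # empty label in front of the domain
    *.$IPA_DOMAIN) return 0 ;;
    *)             return 1 ;;
  esac
}

# 24 random alphanumeric characters from /dev/urandom (assumed length; the OTP is
# consumed on first use, so it does not need to be memorable)
gen_otp() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Step 1, on an IPA server with a ticket for admin or any principal permitted to
# add hosts: create the host entry with the OTP. --force allows a name that has no
# DNS A record yet (or pass --ip-address to create one). "ipa host-add --random"
# would generate and print an OTP itself; generating it here keeps it in a variable.
precreate_host() {
  host=$1
  otp=$2
  valid_fqdn "$host" || { echo "refusing non-FQDN host: $host" >&2; return 1; }
  ipa host-add "$host" --password="$otp" --force >/dev/null
}

# Step 2, on the client as root: with no --principal, --password is interpreted as
# the host OTP, so no admin credential ever reaches the client. The OTP is
# invalidated by the enrollment, so leaking it afterwards is harmless.
enroll_client() {
  ipa-client-install \
    --server="$IPA_SERVER" --domain="$IPA_DOMAIN" --realm="$IPA_REALM" \
    --hostname="$(hostname -f)" --password="$1" \
    --mkhomedir --unattended
}

# Usage:  sh enroll.sh precreate client01.example.com   (on a server; prints the OTP)
#         sh enroll.sh enroll "$OTP"                    (on client01, as root)
case "${1:-}" in
  precreate) otp=$(gen_otp); precreate_host "${2:?host required}" "$otp"; echo "$otp" ;;
  enroll)    enroll_client "${2:?otp required}" ;;
esac
```

Hand the OTP to the client over the provisioning channel you already trust (cloud-init user data, a configuration-management secret, an out-of-band copy); it is single-use and only ever lets that one host join, whereas the admin password in the page's command lets whoever reads it administer the whole realm.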

Replica Installation

# 1. On the future replica: install the packages and enroll it as a client first;
#    at domain level 1 a replica is promoted from an already enrolled client
sudo dnf install freeipa-server freeipa-server-dns
sudo ipa-client-install

# 2. On an existing IPA server: add the enrolled host to the ipaservers hostgroup,
#    which lets ipa-replica-install run on the replica without admin credentials
ipa hostgroup-add-member ipaservers --hosts=replica.example.com

# 3. On the replica: promote it. Add --setup-ca so the CA is not a single point of
#    failure (without it no certificate can be issued or renewed once the first
#    server is lost), and --setup-kra if a KRA is installed
sudo ipa-replica-install \
  --setup-dns \
  --forwarder 8.8.8.8 \
  --no-reverse

Core Commands

Authentication

Command                                            Description
kinit admin                                        Obtain a Kerberos ticket for admin
kinit -k -t /etc/krb5.keytab host/$(hostname -f)   Authenticate as the host with its keytab (root only; the principal must use the FQDN)
klist                                              List current Kerberos tickets
kdestroy                                           Destroy Kerberos tickets
ipa whoami                                         Show which principal the IPA API sees you as

User Management

# Add a user; --password prompts for an initial password, which is stored as
# expired so the user must change it at first login
ipa user-add jdoe \
  --first=John \
  --last=Doe \
  --email=jdoe@example.com \
  --shell=/bin/bash \
  --password

# Find users
ipa user-find --all
ipa user-find "john"

# Show user details
ipa user-show jdoe --all

# Modify user
ipa user-mod jdoe --title="Senior Engineer" --department="IT"

# Disable/Enable user
ipa user-disable jdoe
ipa user-enable jdoe

# Delete a user (add --preserve to keep the entry in the preserved state instead)
ipa user-del jdoe

# Unlock an account locked out by the password policy's maxfail setting
ipa user-unlock jdoe

# Set the password expiration date (LDAP generalized time, UTC; recent releases
# also expose this as the --password-expiration option of user-mod)
ipa user-mod jdoe --setattr=krbPasswordExpiration=20271231000000Z

Group Management

# Create group
ipa group-add developers --desc="Development team"

# Add members
ipa group-add-member developers --users=jdoe,jsmith

# Nested groups
ipa group-add-member engineering --groups=developers,qa

# List group members
ipa group-show developers

# Remove member
ipa group-remove-member developers --users=jdoe

Host Management

# Add host
ipa host-add server01.example.com --ip-address=192.168.1.20

# Show host info
ipa host-show server01.example.com --all

# Add host to hostgroup
ipa hostgroup-add webservers --desc="Web server pool"
ipa hostgroup-add-member webservers --hosts=server01.example.com

Access Control

Host-Based Access Control (HBAC)

# Create an HBAC rule. Rules are additive: access is granted when any enabled rule
# matches user, host and PAM service; there are no deny rules
ipa hbacrule-add allow_developers_webservers \
  --desc="Allow developers to access web servers"

# Add users/groups
ipa hbacrule-add-user allow_developers_webservers --groups=developers

# Add target hosts
ipa hbacrule-add-host allow_developers_webservers --hostgroups=webservers

# Add allowed PAM services (sshd, sudo, login, ...; ipa hbacsvc-find lists them)
ipa hbacrule-add-service allow_developers_webservers --hbacsvcs=sshd

# Test before touching allow_all. Add --rules=<rule> to evaluate only that rule,
# which shows what will happen once allow_all is gone; remember that admin and
# your own logins to the IPA servers need a rule as well
ipa hbactest --user=jdoe --host=server01.example.com --service=sshd

# Disable the default allow_all rule only after the replacement rules pass
ipa hbacrule-disable allow_all

# List HBAC rules
ipa hbacrule-find
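Disabling allow_all is the step that locks people out, so it pays to script the check. The following is an added example, not from this page or the FreeIPA project: it evaluates the new rule on its own (ipa hbactest --rules=) against a small table of expected outcomes and only disables allow_all when every row matches. The rule, user and host names are the ones used above; the expectation table is constructed for illustration, and its third row deliberately shows that admin on the IPA server would be denied by this rule alone.

```shell
#!/bin/sh
# Added example: verify an HBAC rule against expected outcomes before disabling
# allow_all. Names follow the examples on this page.
set -eu

RULE=${RULE:-allow_developers_webservers}

# Constructed expectations: user, host, PAM service, expected verdict (allow|deny).
# The last row is the classic mistake: nothing else lets admin into ipa.example.com
# once allow_all is gone, so a rule for admins must exist before the cutover.
EXPECTATIONS='
jdoe   server01.example.com  sshd  allow
jdoe   ipa.example.com       sshd  deny
admin  ipa.example.com       sshd  deny
'

# Turn "ipa hbactest" output (read from stdin) into the word allow or deny.
# The CLI prints a line "Access granted: True" or "Access granted: False";
# anything else (an error, no output) is treated as deny.
verdict() {
  if grep -q '^Access granted: True'; then echo allow; else echo deny; fi
}

# Evaluate only $RULE. --rules restricts the test to the named rule(s), which is
# the state after allow_all is disabled. hbactest exits non-zero on denial, so
# "|| true" keeps set -e from aborting the loop; the verdict comes from the text.
test_rule() {
  ipa hbactest --user="$1" --host="$2" --service="$3" --rules="$RULE" 2>&1 || true
}

# Compare every row of the table with the live evaluation; fail on any mismatch.
# The here-document keeps the loop in the current shell so the counter survives.
check_expectations() {
  failures=0
  while read -r user host service expected; do
    [ -n "$user" ] || continue
    got=$(test_rule "$user" "$host" "$service" | verdict)
    if [ "$got" = "$expected" ]; then
      echo "ok       $user $host $service -> $got"
    else
      echo "MISMATCH $user $host $service -> $got (expected $expected)" >&2
      failures=$((failures + 1))
    fi
  done <<EOF
$EXPECTATIONS
EOF
  [ "$failures" -eq 0 ]
}

# Disable the catch-all rule only when the table checks out.
cutover() {
  check_expectations || { echo "expectations failed, leaving allow_all enabled" >&2; return 1; }
  ipa hbacrule-disable allow_all
}

# Usage (with a ticket for admin):  sh hbac-cutover.sh check
#                                   sh hbac-cutover.sh cutover
case "${1:-}" in
  check)   check_expectations ;;
  cutover) cutover ;;
esac
```

Keep the expectation table under version control next to the rules it protects and re-run the check after every rule change; it is the cheapest regression test you can have for access control.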

Sudo Rules

# Create a sudo rule (like HBAC, sudo rules are additive: there is no deny rule
# and nothing is granted until a rule matches)
ipa sudorule-add developers_restart_services \
  --desc="Allow developers to restart services"

# Add users
ipa sudorule-add-user developers_restart_services --groups=developers

# Add hosts
ipa sudorule-add-host developers_restart_services --hostgroups=webservers

# Add allowed commands. A sudocmd is an absolute path plus arguments, and sudo
# matches the arguments literally, so "systemctl restart httpd" does not cover
# "systemctl restart httpd.service"
ipa sudocmd-add "/usr/bin/systemctl restart httpd"
ipa sudocmd-add "/usr/bin/systemctl restart nginx"
ipa sudorule-add-allow-command developers_restart_services \
  --sudocmds="/usr/bin/systemctl restart httpd"
ipa sudorule-add-allow-command developers_restart_services \
  --sudocmds="/usr/bin/systemctl restart nginx"

# Set the run-as user
ipa sudorule-add-runasuser developers_restart_services --users=root

# On a client, "sudo -l -U jdoe" shows the rules SSSD has fetched for a user;
# if a new rule is missing, flush the sudo cache with "sss_cache -R"

Configuration

Password Policy

# Set the global password policy. Units: maxlife in days, minlife in hours,
# failinterval and lockouttime in seconds; minclasses counts lower case, upper
# case, digits, punctuation and non-ASCII characters as the five classes
ipa pwpolicy-mod \
  --maxlife=90 \
  --minlife=1 \
  --history=12 \
  --minclasses=3 \
  --minlength=14 \
  --maxfail=5 \
  --failinterval=60 \
  --lockouttime=600

# Create a group-specific policy. When a user is in several groups with policies
# the lowest priority number wins; the global policy applies only to users matched
# by no group policy (newer releases also offer --maxrepeat, --maxsequence,
# --dictcheck and --usercheck)
ipa pwpolicy-add developers \
  --maxlife=60 \
  --minlength=16 \
  --priority=10

# Show the global policy; --user=jdoe shows the policy that actually applies to a user
ipa pwpolicy-show

Certificate Management

# Request a certificate for a service from a CSR. The CSR's subject CN and SAN
# dNSNames must match the principal's host (or hosts the requester may manage);
# --add creates the service entry if it does not exist yet
ipa cert-request server.csr --principal=HTTP/www.example.com

# List certificates issued by the IPA CA
ipa cert-find

# Show certificate details by serial number (here serial 12)
ipa cert-show 12

# Revoke by serial. Reason codes follow RFC 5280: 0 unspecified, 1 keyCompromise,
# 3 affiliationChanged, 4 superseded, 5 cessationOfOperation, 6 certificateHold
ipa cert-revoke 12 --revocation-reason=4

# Track a certificate with certmonger so it is issued and renewed automatically.
# The service principal must exist (ipa service-add HTTP/www.example.com) and the
# requesting host must be allowed to manage it, which is automatic when the
# request is made from www.example.com itself
ipa-getcert request \
  -K HTTP/www.example.com \
  -f /etc/pki/tls/certs/www.pem \
  -k /etc/pki/tls/private/www.key \
  -D www.example.com

# Check what certmonger is tracking and the state of each request
ipa-getcert list
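The cert-request command above expects a CSR but the page never shows how to build one the CA will accept. The script below is an added example, not from this page or the FreeIPA project: it generates a key and a CSR whose CN and SAN both carry the principal's hostname, prints those names for a last look, and submits the CSR with --add. It uses the HTTP/www.example.com principal from this page; the file names and the 2048-bit RSA key size are assumptions, and it needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example: build a CSR that matches a FreeIPA service principal and submit it.
set -eu

# FreeIPA checks the CSR against the principal: the subject CN must be the
# principal's hostname, and every SAN dNSName must belong to a host or service the
# requester is allowed to manage. Anything else is refused, so generate exactly
# one name in both places.
make_csr() {
  host=$1
  key=$2
  csr=$3
  # Private key without passphrase, created with mode 0600 via the umask
  (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
  openssl req -new -key "$key" -out "$csr" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host"
}

# Print the subject and SAN lines of a CSR so they can be checked before submission
csr_names() {
  openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Submit for the HTTP service on the host; --add creates the service principal if
# it is missing. The output contains the serial number used by cert-show/cert-revoke.
submit_csr() {
  ipa cert-request "$2" --principal="HTTP/$1" --add
}

# Usage:  sh csr.sh csr www.example.com      (writes www.example.com.key/.csr)
#         sh csr.sh submit www.example.com   (needs a ticket that may manage the host)
case "${1:-}" in
  csr)    h=${2:?host required}; make_csr "$h" "$h.key" "$h.csr"; csr_names "$h.csr" ;;
  submit) h=${2:?host required}; submit_csr "$h" "$h.csr" ;;
esac
```

For a service that runs on an enrolled host, ipa-getcert request (shown above) does the key generation, submission and renewal for you; the manual CSR path is for keys that must be generated elsewhere, such as in an HSM or on an appliance.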

Advanced Usage

Active Directory Trust

# Prepare the IPA server for trusts (needs the *-server-trust-ad package);
# add --add-sids if users and groups were created before this step so they get SIDs
sudo ipa-adtrust-install --netbios-name=LINUX

# Create a trust with AD (run with an admin ticket; prompts for the password of the
# AD account, which must be allowed to create trusts in the AD forest)
ipa trust-add ad.example.com \
  --admin Administrator \
  --password \
  --type=ad \
  --two-way=true

# Verify the trust and refresh the list of domains reachable through it
ipa trust-show ad.example.com
ipa trust-fetch-domains ad.example.com

# AD users are not stored in IPA, so ipa user-find cannot list them;
# resolve them through SSSD instead
id 'aduser@ad.example.com'

# Create an external group holding the AD group (external members carry SIDs, not POSIX IDs)
ipa group-add ad_admins --external
ipa group-add-member ad_admins --external='AD\Domain Admins'

# Nest the external group in a POSIX group so it has a GID usable in HBAC and sudo rules
ipa group-add linux_admins
ipa group-add-member linux_admins --groups=ad_admins

Two-Factor Authentication

# Require password+OTP for one user (a per-user setting overrides the global one)
ipa user-mod jdoe --user-auth-type=otp

# Add a TOTP token; the CLI prints the otpauth:// URI and a QR code to scan
ipa otptoken-add --owner=jdoe --type=totp

# Require OTP globally for every user without a per-user override
ipa config-mod --user-auth-type=otp

# Allow either password+OTP or password alone, globally
ipa config-mod --user-auth-type=otp --user-auth-type=password

# List a user's tokens
ipa otptoken-find --owner=jdoe

# The OTP requirement is enforced by the KDC on password authentication. SSH
# public-key logins never touch the KDC, so they are not subject to it (HBAC
# still applies); restrict them where two-factor login is mandatory

DNS Management

# Add DNS zone
ipa dnszone-add internal.example.com

# Add DNS records
ipa dnsrecord-add example.com server01 --a-rec=192.168.1.20
ipa dnsrecord-add example.com mail --mx-rec="10 mail.example.com."
ipa dnsrecord-add example.com @ --txt-rec="v=spf1 mx -all"

# Add reverse zone
ipa dnszone-add 1.168.192.in-addr.arpa
ipa dnsrecord-add 1.168.192.in-addr.arpa 20 --ptr-rec=server01.example.com.

Troubleshooting

Issue                                  Solution
ipa: ERROR: cannot connect to server   Run ipactl status on the server and confirm every service is RUNNING; on a client, check that /etc/ipa/default.conf points at a reachable server
Kerberos ticket issues                 Verify time sync with chronyc sources; the KDC rejects clock skew above 5 minutes (the Kerberos default)
Client enrollment fails                Ensure DNS resolves the IPA server FQDN and the client can reach TCP 80/443 (enrollment and API), 88 and 464 (Kerberos and kpasswd, TCP and UDP), 389/636 (LDAP) and 53 (DNS, if IPA serves it)
Replication not working                Check ipa-replica-manage list and ipa-csreplica-manage list; at domain level 1 the topology is also visible with ipa topologysegment-find domain
HBAC denying access                    Reproduce with ipa hbactest; disable allow_all only after replacement rules exist and pass, and remember that admin needs a rule too
Certificate request fails              Confirm the CA is up with ipactl status (pki-tomcatd), then read the Dogtag logs under /var/log/pki/pki-tomcat/ca/; run ipa-certupdate on a host that no longer trusts the CA chain
SSSD cache issues                      Clear with sss_cache -E, then systemctl restart sssd
AD trust failures                      Verify DNS conditional forwarders in both directions and firewall rules for the AD ports (LDAP 389/636, Kerberos 88/464, SMB 445, RPC 135 plus the dynamic range)