Open-source Identity Management: Hi, FreeIPA!
We used AI while writing this content.
FreeIPA?
| Open-source? | ✓ |
| Cost estimation | Free |
| Author | Red Hat & FreeIPA Community |
| Usage Case | Centralized Identity & Authentication Management |
| Dependency | Linux Server, Functional Web Browser |
Advantages
• Centralized user management across all devices
• Single Sign-On (SSO) via Kerberos
• Integrated DNS and Certificate Authority
• Web-based management interface
• Native Linux solution (no Active Directory needed)
• LDAP-compatible for third-party integrations
• Host-based access control & sudo policies
• Free and open-source
Platforms supported
| Platform | Server | Client |
|---|---|---|
| Linux (Fedora/RHEL/CentOS) | ✓ | ✓ |
| Linux (Ubuntu/Debian) | ✓ * | ✓ |
| Linux Mint | ✗ | ✓ |
| macOS | ✗ | Limited** |
| Windows | ✗ | Limited*** |
*FreeIPA server is most mature on Fedora/RHEL/CentOS, but can be installed on Ubuntu/Debian with some additional configuration.
**macOS can authenticate via LDAP but lacks full Kerberos SSO integration.
***Windows clients can authenticate using third-party tools or via SSSD on WSL, but native integration is limited.
Case for FreeIPA
If you manage more than one Linux desktop or server in a small to medium-sized organization, you face the challenge of user account management.
There are plenty of solutions:
| | Local Accounts | NIS/LDAP | Active Directory | FreeIPA | Cloud IAM |
|---|---|---|---|---|---|
| Min Price | Free | Free | 💰 (Windows Server) | Free | 💰 (per user) |
| Open-source | ✓ | ✓ | ✗ | ✓ | ✗ |
| Advantages | Simple, no setup | Centralized accounts | Industry standard, mature | Native Linux, full-featured | Managed service |
| Disadvantages | No centralization | Outdated, insecure | Requires Windows, costly | Linux-only | Vendor lock-in, ongoing costs |
The Problem with Local Accounts
The simplest solution is creating local user accounts on each machine. This works fine when you have 1-2 machines, but quickly becomes a maintenance nightmare as you scale:
• Password synchronization: When Alice changes her password on one machine, she has to manually change it on all other machines.
• User provisioning: Adding a new employee means manually creating accounts on every machine they need access to.
• Deprovisioning: When someone leaves, you must remember to delete their accounts from all machines.
• Inconsistent UIDs/GIDs: User and group IDs may differ across machines, causing file permission issues on shared storage.
Why Not Active Directory?
Active Directory (AD) is the industry standard for identity management, but it has significant drawbacks for Linux-centric environments:
• Cost: Requires Windows Server licenses ($500-$1000+ per server)
• Windows dependency: Running Windows servers just for authentication feels wasteful in a Linux shop
• Integration complexity: While Linux can authenticate against AD, the experience is not as seamless as native solutions
• Bloat: AD includes many Windows-specific features you don't need in a pure Linux environment
Why FreeIPA?
FreeIPA is the native Linux alternative to Active Directory. It combines several mature open-source technologies into a cohesive identity management solution:
• LDAP (389 Directory Server) for storing user accounts, groups, and policies
• Kerberos (MIT Kerberos) for Single Sign-On authentication
• DNS (BIND) for service discovery and hostname resolution
• Certificate Authority (Dogtag) for issuing and managing SSL/TLS certificates
• NTP for time synchronization (critical for Kerberos)
The beauty of FreeIPA is that these components work together seamlessly. You don't need to manually configure LDAP schemas, Kerberos realms, DNS records, or certificate chains; FreeIPA handles all the integration for you.
Workflow: How FreeIPA Works
┌────────────────────────────────────────────────────────┐
│                     FreeIPA Server                     │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐   │
│  │   LDAP   │ │ Kerberos │ │   DNS    │ │    CA    │   │
│  │ (Users,  │ │  (SSO)   │ │ (Service │ │ (Certs)  │   │
│  │  Groups) │ │          │ │Discovery)│ │          │   │
│  └──────────┘ └──────────┘ └──────────┘ └──────────┘   │
└────────────────────────────────────────────────────────┘
                            ▲
                            │
           ┌────────────────┼────────────────┐
           │                │                │
           ▼                ▼                ▼
    ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
    │  Linux Mint  │ │  Linux Mint  │ │    Ubuntu    │
    │  Desktop 1   │ │  Desktop 2   │ │    Server    │
    │              │ │              │ │              │
    │ (SSSD client)│ │ (SSSD client)│ │ (SSSD client)│
    └──────────────┘ └──────────────┘ └──────────────┘
When a user logs into a Linux Mint workstation enrolled in FreeIPA:
- User enters credentials at the login screen
- SSSD contacts FreeIPA server to verify the credentials via Kerberos
- Kerberos issues a ticket valid for several hours (default: 24h)
- SSSD caches the ticket locally for offline authentication
- User can now access other FreeIPA-enrolled services without re-entering credentials (Single Sign-On)
Real-World Benefits
For a small organization with 5 employees and ~10 machines:
• Time savings: Add a new user once in FreeIPA web UI instead of 10 times manually
• Security: Enforce password complexity policies centrally, revoke access instantly
• Convenience: Users sign in once and access all resources without re-authentication
• Professionalism: Acts as a stepping stone if you later need to integrate with enterprise partners using AD
Limitations
FreeIPA is not a perfect solution for everyone:
• Linux-centric: Windows and macOS support is limited. If you have a mixed environment, AD might be better.
• Complexity: Setting up FreeIPA requires understanding DNS, Kerberos, and LDAP concepts.
• Small team overhead: For very small teams (1-3 people), FreeIPA may be overkill.
• Single point of failure: Without replication, FreeIPA server downtime means no logins (though SSSD caching mitigates this).
If you have a Linux-heavy environment and want centralized identity management without vendor lock-in, FreeIPA is THE solution.
Setup
Prerequisites
Before installing FreeIPA, ensure you have:
• A dedicated server (physical or virtual) with at least:
  - 2 CPU cores
  - 4 GB RAM
  - 20 GB disk space
  - Static IP address
• Properly configured hostname and DNS:
  - FQDN must resolve correctly: ipa.corp.example.com → 192.168.1.10
  - Reverse DNS must work: 192.168.1.10 → ipa.corp.example.com
  - Use /etc/hosts if you don't have external DNS yet
• Open firewall ports (if firewall is enabled):
# For FreeIPA services
sudo firewall-cmd --permanent --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps,freeipa-replication}
sudo firewall-cmd --reload
⚠️ Critical: Kerberos is extremely sensitive to DNS and time synchronization. Ensure NTP is configured and hostname resolution works correctly before proceeding.
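The prerequisite checks above (FQDN, forward/reverse DNS agreement, clock skew) are exactly the ones that make `ipa-server-install` and later Kerberos logins fail when they are wrong. The following preflight script is an added example written for this article, not part of FreeIPA; the `FORWARD` and `REVERSE` tables are constructed stand-ins for what `getent hosts` and a reverse lookup would return, so it runs offline, and the 300-second skew limit is the KDC's default tolerance.

```python
"""Preflight checks for a FreeIPA deployment: realm derivation, FQDN shape,
forward/reverse DNS consistency and clock skew.
Added example for this article, not FreeIPA's own code.  The lookup tables
are constructed stand-ins for real DNS answers so the script runs offline."""
import re

# Constructed sample DNS data (what `getent hosts` / a PTR lookup would return).
FORWARD = {"ipa.corp.example.com": "192.168.1.10",
           "mint1.corp.example.com": "192.168.1.21"}
REVERSE = {"192.168.1.10": "ipa.corp.example.com",
           "192.168.1.21": "desktop21.corp.example.com"}  # deliberate mismatch

MAX_KERBEROS_SKEW_SECONDS = 300   # default clock skew tolerated by the KDC (5 min)

_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def derive_realm(domain):
    """FreeIPA convention: the Kerberos realm is the DNS domain upper-cased."""
    return domain.strip(".").upper()


def is_valid_fqdn(hostname, domain):
    """The server name must be fully qualified, inside the IPA domain, and not
    a bare label such as 'ipa'."""
    labels = hostname.strip(".").lower().split(".")
    if len(labels) < 3:                     # host + at least a two-label domain
        return False
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    return hostname.strip(".").lower().endswith("." + domain.strip(".").lower())


def dns_round_trip(hostname, forward=FORWARD, reverse=REVERSE):
    """Return (ok, detail).  The A record and the PTR record must agree;
    otherwise the installer refuses to continue."""
    ip = forward.get(hostname)
    if ip is None:
        return False, f"no A record for {hostname}"
    ptr = reverse.get(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if ptr != hostname:
        return False, f"PTR for {ip} is {ptr}, expected {hostname}"
    return True, ip


def clock_skew_ok(client_epoch, kdc_epoch, max_skew=MAX_KERBEROS_SKEW_SECONDS):
    """Kerberos rejects tickets when client and KDC clocks differ by more than max_skew."""
    return abs(client_epoch - kdc_epoch) <= max_skew


def preflight(hostname, domain, client_epoch, kdc_epoch):
    """Collect every failure so the admin can fix them in one pass."""
    problems = []
    if not is_valid_fqdn(hostname, domain):
        problems.append(f"{hostname} is not an FQDN under {domain}")
    ok, detail = dns_round_trip(hostname)
    if not ok:
        problems.append(detail)
    if not clock_skew_ok(client_epoch, kdc_epoch):
        skew = abs(client_epoch - kdc_epoch)
        problems.append(f"clock skew {skew}s exceeds {MAX_KERBEROS_SKEW_SECONDS}s")
    return problems


if __name__ == "__main__":
    print("realm:", derive_realm("corp.example.com"))
    for host in ("ipa.corp.example.com", "mint1.corp.example.com", "ipa"):
        result = preflight(host, "corp.example.com", 1_700_000_000, 1_700_000_030)
        print(f"{host}: {result or 'OK'}")
```

Run it before `ipa-server-install`: the server host should come back `OK`, while the constructed `mint1` entry shows the classic forward/reverse mismatch and the bare name `ipa` fails every check.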
Server Installation (Fedora/RHEL/CentOS)
FreeIPA is most mature on Red Hat-based distributions.
# Update system
sudo dnf update -y
# Install FreeIPA server with integrated DNS
sudo dnf install -y freeipa-server freeipa-server-dns
# Run the installation wizard
sudo ipa-server-install --setup-dns
The installer will ask several questions:
• Hostname: Should be FQDN (e.g., ipa.corp.example.com)
• Domain name: Your DNS domain (e.g., corp.example.com)
• Kerberos realm: Uppercase version of domain (e.g., CORP.EXAMPLE.COM)
• Directory Manager password: For LDAP admin access
• IPA admin password: For FreeIPA administrative tasks
• DNS forwarders: IP addresses of upstream DNS servers (e.g., 8.8.8.8, 1.1.1.1)
• Reverse zone: Automatically detected from your IP address
The installation takes 5-15 minutes. Once complete, you'll see:
The ipa-server-install command was successful
Server Installation (Ubuntu/Debian)
FreeIPA on Debian-based systems requires more manual configuration.
# Update system
sudo apt update && sudo apt upgrade -y
# Install FreeIPA server packages
sudo apt install -y freeipa-server freeipa-server-dns
# Set hostname to FQDN
sudo hostnamectl set-hostname ipa.corp.example.com
# Verify hostname resolution
hostname -f # Should output: ipa.corp.example.com
getent hosts $(hostname -f) # Should show correct IP
# Run installation wizard
sudo ipa-server-install --setup-dns
Follow the same prompts as Fedora/RHEL installation above.
Note: On Ubuntu/Debian, you may encounter AppArmor conflicts. If so, temporarily disable AppArmor for named:
sudo ln -s /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.named
Verify Server Installation
After installation, verify FreeIPA is running:
# Check service status
sudo ipactl status
# Should show all services as RUNNING:
# Directory Service: RUNNING
# krb5kdc Service: RUNNING
# kadmin Service: RUNNING
# named Service: RUNNING
# httpd Service: RUNNING
# ipa-custodia Service: RUNNING
# pki-tomcatd Service: RUNNING
# ipa-otpd Service: RUNNING
Access the web UI:
• URL: https://ipa.corp.example.com (or https://192.168.1.10)
• Username: admin
• Password: The IPA admin password you set during installation
If you see the FreeIPA web interface, congratulations, your server is up!
Client Installation (Linux Mint/Ubuntu)
On each Linux Mint or Ubuntu desktop/server that needs to authenticate against FreeIPA:
# Install client packages
sudo apt update
sudo apt install -y freeipa-client sssd-tools realmd
# Join the FreeIPA domain
sudo ipa-client-install --mkhomedir
# Or use realmd (simpler):
sudo realm discover corp.example.com
sudo realm join corp.example.com -U admin
The client installer will:
• Discover FreeIPA server via DNS SRV records
• Configure SSSD for authentication
• Set up Kerberos client
• Configure NSS and PAM
• Create home directories automatically (--mkhomedir)
After enrollment, verify:
# Check SSSD status
sudo systemctl status sssd
# Verify you can resolve FreeIPA users
getent passwd admin@corp.example.com
# Test authentication (optional)
kinit admin@CORP.EXAMPLE.COM
klist # Should show Kerberos ticket
Client Installation (Fedora/RHEL/CentOS)
# Install client packages
sudo dnf install -y freeipa-client
# Join the domain
sudo ipa-client-install --mkhomedir
Same verification steps as Ubuntu/Mint above.
After Installation
Add Users and Groups
You can manage users via the Web UI or CLI.
Via Web UI:
- Navigate to https://ipa.corp.example.com
- Log in as admin
- Go to Identity → Users → Add
- Fill in user details (username, first name, last name, password)
- Click Add
Via CLI:
# Add a user
ipa user-add alice --first=Alice --last=Smith --password
# Add a group
ipa group-add developers --desc="Software Developers"
# Add user to group
ipa group-add-member developers --users=alice
# Verify
ipa user-show alice
ipa group-show developers
Configure Sudo Rules
Grant sudo privileges to specific users or groups:
# Create a sudo rule
ipa sudorule-add developers_sudo --desc="Allow developers to run Docker"
# Add the developers group
ipa sudorule-add-user developers_sudo --groups=developers
# Allow sudo for Docker commands on all hosts
ipa sudorule-add-allow-command developers_sudo --sudocmds="/usr/bin/docker"
ipa sudorule-mod developers_sudo --hostcat=all
# Enable the rule
ipa sudorule-enable developers_sudo
Configure Host-Based Access Control (HBAC)
Restrict which users can log into which machines:
# Create an HBAC rule
ipa hbacrule-add allow_admins_production --desc="Allow admins to access production servers"
# Add admin group
ipa hbacrule-add-user allow_admins_production --groups=admins
# Add production host group (create it first)
ipa hostgroup-add production-servers
ipa hostgroup-add-member production-servers --hosts=server1.corp.example.com
ipa hbacrule-add-host allow_admins_production --hostgroups=production-servers
# Enable the rule
ipa hbacrule-enable allow_admins_production
⚠️ Important: By default, FreeIPA has a rule allow_all that permits all users to access all hosts. Disable it once you've created your custom rules:
ipa hbacrule-disable allow_all
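Both the sudo rule and the HBAC rule above are evaluated the same way: a rule applies when the user matches (directly, through a group, or via `--usercat=all`), the host matches (directly, through a host group, or via `--hostcat=all`), and the rule is enabled; HBAC additionally matches the PAM service and sudo the command. The script below is an added example written for this article, not FreeIPA or SSSD code, that models this matching over constructed users, groups and hosts, so you can see why `allow_all` must be disabled for `allow_admins_production` to have any effect. The article's HBAC rule carries no service restriction, which is modelled here as `servicecat_all`.

```python
"""Evaluate FreeIPA-style sudo and HBAC rules against constructed directory data.
Added example for this article (not FreeIPA's or SSSD's own code): it models
user/group membership, host/hostgroup membership, the 'all' categories and the
enabled flag, so the effect of leaving allow_all enabled is visible offline.
All users, groups and hosts are hypothetical."""
from dataclasses import dataclass, field, replace

# Constructed directory contents: groups each user and host belongs to.
USER_GROUPS = {"alice": {"developers"}, "bob": {"admins"}, "carol": set()}
HOST_GROUPS = {"server1.corp.example.com": {"production-servers"},
               "mint1.corp.example.com": set()}


@dataclass
class Rule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    usercat_all: bool = False                    # --usercat=all
    hostcat_all: bool = False                    # --hostcat=all
    services: set = field(default_factory=set)   # HBAC only: PAM services
    servicecat_all: bool = False                 # --servicecat=all
    commands: set = field(default_factory=set)   # sudo only: allowed commands


def _user_matches(rule, user):
    return (rule.usercat_all or user in rule.users
            or bool(USER_GROUPS.get(user, set()) & rule.groups))


def _host_matches(rule, host):
    return (rule.hostcat_all or host in rule.hosts
            or bool(HOST_GROUPS.get(host, set()) & rule.hostgroups))


def hbac_allowed(rules, user, host, service):
    """Name of the first enabled HBAC rule matching user, host and PAM service,
    or None when no rule matches (no matching rule means deny)."""
    for r in rules:
        if (r.enabled and _user_matches(r, user) and _host_matches(r, host)
                and (r.servicecat_all or service in r.services)):
            return r.name
    return None


def sudo_allowed(rules, user, host, command):
    """Same membership model for sudo rules, plus the command must be listed."""
    for r in rules:
        if (r.enabled and _user_matches(r, user) and _host_matches(r, host)
                and command in r.commands):
            return r.name
    return None


# The rules from the article: FreeIPA's default allow_all plus the two custom ones.
# Assumption: the article's HBAC rule has no service restriction, so servicecat_all.
ALLOW_ALL = Rule("allow_all", usercat_all=True, hostcat_all=True, servicecat_all=True)
ADMINS_PROD = Rule("allow_admins_production", groups={"admins"},
                   hostgroups={"production-servers"}, servicecat_all=True)
DEV_SUDO = Rule("developers_sudo", groups={"developers"}, hostcat_all=True,
                commands={"/usr/bin/docker"})


def production_ssh_access(allow_all_enabled):
    """Which rule (if any) lets each user log into the production host via sshd."""
    rules = [replace(ALLOW_ALL, enabled=allow_all_enabled), ADMINS_PROD]
    return {u: hbac_allowed(rules, u, "server1.corp.example.com", "sshd")
            for u in USER_GROUPS}


if __name__ == "__main__":
    print("allow_all enabled :", production_ssh_access(True))
    print("allow_all disabled:", production_ssh_access(False))
    for cmd in ("/usr/bin/docker", "/bin/bash"):
        verdict = sudo_allowed([DEV_SUDO], "alice", "mint1.corp.example.com", cmd)
        print(f"alice sudo {cmd} -> {verdict}")
```

With `allow_all` enabled every user reaches the production host through that rule; once it is disabled only `bob` (member of `admins`) is admitted, and `alice` may run `/usr/bin/docker` via sudo but not `/bin/bash`. On a real server `ipa hbactest --user bob --host server1.corp.example.com --service sshd` gives the same kind of answer.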
Set Password Policies
Enforce password complexity requirements:
# View current global policy
ipa pwpolicy-show
# Modify global policy
ipa pwpolicy-mod global_policy \
--minlength=12 \
--minclasses=3 \
--maxlife=90 \
--minlife=1 \
--history=5 \
--maxfail=3 \
--failinterval=300 \
--lockouttime=600
# Create a policy for a specific group (e.g., admins); the argument is the group name
ipa pwpolicy-add admins \
--minlength=16 \
--minclasses=4 \
--maxlife=60 \
--priority=1
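To see how these settings interact, here is an added example written for this article (not FreeIPA's own implementation) that models the two policies above: which policy applies to a user (the group policy with the lowest `priority` number wins, `global_policy` is the fallback), the `minlength`/`minclasses`/`history` checks on a new password, `maxlife` expiry, and the `maxfail`/`failinterval`/`lockouttime` lockout counter. The users and groups are constructed.

```python
"""Password-policy evaluation modelled on FreeIPA's pwpolicy settings.
Added example for this article, not FreeIPA's own code.  It picks the policy
that applies to a user, checks a candidate password against minlength,
minclasses and history, tests maxlife expiry, and models the lockout counter."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PwPolicy:
    name: str
    minlength: int
    minclasses: int
    maxlife: int = 0                 # days until a password expires; 0 = never
    history: int = 0                 # previous passwords remembered
    maxfail: int = 0                 # failures before lockout; 0 = never lock
    failinterval: int = 0            # seconds within which failures are counted
    lockouttime: int = 0             # seconds the account stays locked
    priority: Optional[int] = None   # group policies only; lower number wins


# The two policies configured above, keyed by the group they apply to.
GLOBAL = PwPolicy("global_policy", minlength=12, minclasses=3, maxlife=90,
                  history=5, maxfail=3, failinterval=300, lockouttime=600)
GROUP_POLICIES = {"admins": PwPolicy("admins", minlength=16, minclasses=4,
                                     maxlife=60, priority=1)}


def applicable_policy(user_groups, group_policies=GROUP_POLICIES, fallback=GLOBAL):
    """Lowest priority number among the user's group policies, else the global one."""
    candidates = [group_policies[g] for g in user_groups if g in group_policies]
    return min(candidates, key=lambda p: p.priority) if candidates else fallback


def char_classes(password):
    """Count of the four classes: lower, upper, digit, other."""
    return sum([any(c.islower() for c in password),
                any(c.isupper() for c in password),
                any(c.isdigit() for c in password),
                any(not c.isalnum() for c in password)])


def check_password(password, policy, previous=()):
    """Violations for a proposed new password; an empty list means accepted."""
    problems = []
    if len(password) < policy.minlength:
        problems.append(f"shorter than minlength={policy.minlength}")
    if char_classes(password) < policy.minclasses:
        problems.append(f"fewer than minclasses={policy.minclasses} character classes")
    if policy.history and password in list(previous)[-policy.history:]:
        problems.append(f"reuses one of the last history={policy.history} passwords")
    return problems


def password_expired(last_change_epoch, now_epoch, policy):
    """maxlife is in days; 0 disables expiry."""
    return bool(policy.maxlife) and now_epoch - last_change_epoch > policy.maxlife * 86400


class LockoutTracker:
    """maxfail failures within failinterval seconds lock the account for lockouttime."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = []       # epoch seconds of recent failed attempts
        self.locked_until = 0

    def is_locked(self, now):
        return now < self.locked_until

    def record_failure(self, now):
        """Register a failed login; returns True when it triggers a lockout."""
        p = self.policy
        if not p.maxfail:
            return False
        self.failures = [t for t in self.failures if now - t < p.failinterval]
        self.failures.append(now)
        if len(self.failures) >= p.maxfail:
            self.locked_until = now + p.lockouttime
            self.failures = []
            return True
        return False


if __name__ == "__main__":
    pol = applicable_policy({"admins", "developers"})
    print("policy for an admin:", pol.name)
    print("Tr0ub4dor&3xyz under", pol.name, "->", check_password("Tr0ub4dor&3xyz", pol))
    tracker = LockoutTracker(GLOBAL)
    print("lockouts:", [tracker.record_failure(t) for t in (0, 10, 20)])
```

Note that three quick failures lock the account for ten minutes, while the same three failures spread more than `failinterval` seconds apart never do, which is the behaviour an on-call admin sees when a user reports being locked out after mistyping a password.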
Test User Login
On a client machine, test logging in with a FreeIPA user:
# Switch to FreeIPA user
su - alice@corp.example.com
# Or log out and log in at the graphical login screen
# Username: alice@corp.example.com
# Password: (user's password)
If successful, you'll be logged in with a home directory automatically created.
Configure DNS (If Not Using Integrated DNS)
If you chose not to use FreeIPA's integrated DNS during setup, you must manually configure DNS records on your external DNS server:
A Record (forward lookup)
ipa.corp.example.com. IN A 192.168.1.10
PTR Record (reverse lookup)
10.1.168.192.in-addr.arpa. IN PTR ipa.corp.example.com.
SRV Records (service discovery)
_kerberos._udp.corp.example.com. IN SRV 0 100 88 ipa.corp.example.com.
_kerberos._tcp.corp.example.com. IN SRV 0 100 88 ipa.corp.example.com.
_ldap._tcp.corp.example.com. IN SRV 0 100 389 ipa.corp.example.com.
_kerberos-master._udp.corp.example.com. IN SRV 0 100 88 ipa.corp.example.com.
_kpasswd._udp.corp.example.com. IN SRV 0 100 464 ipa.corp.example.com.
TXT Record (Kerberos realm)
_kerberos.corp.example.com. IN TXT "CORP.EXAMPLE.COM"
💡 Tip: If using FreeIPA's integrated DNS, these records are created automatically.
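When the zone lives on an external DNS server, these records are typed by hand, and a single typo (most often an SRV pointing at a name with no A record) leaves clients unable to discover the server. The generator below is an added example written for this article, not FreeIPA's own tooling: it produces the A, PTR, SRV and TXT records above for any server name, IP and domain (several replicas at once if you pass more than one), computes the `in-addr.arpa` owner name for the PTR, and checks that every SRV target has an A record in the set. It emits both UDP and TCP SRV entries for each Kerberos service, which goes slightly beyond the list above.

```python
"""Generate and sanity-check the DNS records FreeIPA clients need when the zone
is hosted on an external DNS server.
Added example for this article, not FreeIPA's own tooling."""
import ipaddress

# Services clients look up, as (service, protocol, port).
SRV_SERVICES = [("_kerberos", "_udp", 88), ("_kerberos", "_tcp", 88),
                ("_kerberos-master", "_udp", 88), ("_kerberos-master", "_tcp", 88),
                ("_kpasswd", "_udp", 464), ("_kpasswd", "_tcp", 464),
                ("_ldap", "_tcp", 389)]


def reverse_name(ip):
    """Owner name of the PTR record, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def freeipa_records(domain, servers, priority=0, weight=100):
    """servers: {fqdn: ip}.  Returns (owner, type, rdata) tuples with absolute names."""
    domain = domain.strip(".")
    realm = domain.upper()                       # FreeIPA realm convention
    records = []
    for fqdn, ip in servers.items():
        fqdn = fqdn.strip(".") + "."
        records.append((fqdn, "A", ip))
        records.append((reverse_name(ip), "PTR", fqdn))
    for service, proto, port in SRV_SERVICES:
        owner = f"{service}.{proto}.{domain}."
        for fqdn in servers:
            target = fqdn.strip(".") + "."
            records.append((owner, "SRV", f"{priority} {weight} {port} {target}"))
    records.append((f"_kerberos.{domain}.", "TXT", f'"{realm}"'))
    return records


def to_zone_lines(records):
    """Render records in the BIND zone-file form used above."""
    return [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in records]


def dangling_srv_targets(records):
    """SRV targets with no A record in the same set: the usual discovery failure."""
    a_names = {owner for owner, rtype, _ in records if rtype == "A"}
    return sorted({rdata.split()[-1] for _, rtype, rdata in records
                   if rtype == "SRV" and rdata.split()[-1] not in a_names})


if __name__ == "__main__":
    recs = freeipa_records("corp.example.com", {"ipa.corp.example.com": "192.168.1.10"})
    print("\n".join(to_zone_lines(recs)))
    print("dangling SRV targets:", dangling_srv_targets(recs))
```

Paste the printed lines into the external zone, then run `dangling_srv_targets` over the records you actually published (or compare against `dig SRV _ldap._tcp.corp.example.com`) before enrolling the first client.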
Practical Tips
Backups
FreeIPA server is your single source of truth. Back it up regularly:
# Create a full backup
sudo ipa-backup
# Backups are stored in /var/lib/ipa/backup/
ls -lh /var/lib/ipa/backup/
# To restore from backup:
sudo ipa-restore /var/lib/ipa/backup/ipa-full-YYYY-MM-DD-HH-MM-SS
Schedule automated backups via cron:
# Add to /etc/cron.weekly/ipa-backup (and make it executable)
#!/bin/bash
/usr/sbin/ipa-backup
# Remove backup directories older than 30 days; -mindepth 1 keeps the backup root itself safe
find /var/lib/ipa/backup/ -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;
Scaling and Replication
For your ~10 machines and 5 employees, one FreeIPA server is sufficient. However, if uptime is critical or you're planning to grow beyond 50 users, consider setting up FreeIPA replication:
# On a second server, install FreeIPA as a replica
sudo ipa-replica-install --setup-ca --setup-dns
Replicas provide:
• High availability: If one server goes down, clients failover to another
• Load balancing: Distribute authentication requests across multiple servers
• Geographic distribution: Place replicas in different locations for faster local access
Integration with Other Services
FreeIPA can act as the authentication backend for many services:
Nextcloud
Configure Nextcloud to use LDAP:
• LDAP Host: ipa.corp.example.com
• Base DN: cn=users,cn=accounts,dc=corp,dc=example,dc=com
• Bind DN: uid=admin,cn=users,cn=accounts,dc=corp,dc=example,dc=com
Samba (File Sharing)
Join Samba to FreeIPA for centralized Windows file share authentication.
SSH Key Management
FreeIPA can distribute SSH public keys, eliminating manual .ssh/authorized_keys management.
Troubleshooting
Issue: "Unable to resolve hostname" during client enrollment
Solution: Check /etc/hosts has the FQDN mapped correctly, or configure DNS properly.
Issue: "Kerberos authentication failed"
Solution: Ensure clocks are synchronized via NTP. Kerberos requires time differences <5 minutes.
Issue: "SSSD is not running"
Solution: Check logs in /var/log/sssd/ and restart: sudo systemctl restart sssd
Offline Authentication
SSSD caches credentials locally, so users can log in even when the FreeIPA server is unreachable. The default cache timeout is 7 days.
To adjust:
# Edit /etc/sssd/sssd.conf (value is in days)
[pam]
offline_credentials_expiration = 7
# Then restart SSSD to apply the change
sudo systemctl restart sssd
Conclusion
FreeIPA provides enterprise-grade identity management for Linux environments without the cost and complexity of Active Directory. For small to medium Linux-centric organizations, it's an excellent solution for:
✅ Centralized user and group management
✅ Single Sign-On (SSO) across all services
✅ Automated home directory creation
✅ Fine-grained access control (HBAC, sudo rules)
✅ Integrated DNS and certificate authority
For your specific use case (~10 machines, 5 employees, Linux Mint desktops), FreeIPA offers the perfect balance of features and simplicity. The initial setup takes a few hours, but the long-term time savings and security benefits are substantial.
Happy authenticating!
Copyleft Statement
Copyright waiver
Much of our content is freely available under the Creative Commons BY-NC-ND 4.0 licence, which allows free distribution and republishing of our content for non-commercial purposes, as long as Ronzz.org is appropriately credited and the content is not being modified materially to express a different meaning than it is originally intended for. It must be noted that some images on Ronzz.org are the intellectual property of third parties. Our permission to use those images may not cover your reproduction. This does not affect your statutory rights.
We make most of our content freely available under the Creative Commons BY-NC-ND 4.0 licence, which allows free distribution and republishing of our content for non-commercial purposes, as long as Ronzz.org is properly credited and the content is not materially modified to express a meaning different from the one originally intended. Note that some images on Ronzz.org are the intellectual property of third parties. Our permission to use those images may not cover your reproduction. This does not affect your statutory rights.