Installing FreeIPA on Rocky Linux

I have been using Univention Corporate Server. Now, I am in a process of switching to FreeIPA. This post is how I installed FreeIPA on Rocky Linux. This post assumption is there is a fresh Rocky Linux installed. I am planning to use FreeIPA solely for LDAP purposes, so I am skipping the DNS part of the installation.

First, update the Rocky Linux

dnf update -y

Install the epel-release and needed tools

dnf install -y epel-release
dnf install -y vim htop

FreeIPA requires a fully qualified domain name. If you have not changed the hostname during the installation, use the hostnamectl command. We also need to add a line to /etc/hosts.

hostnamectl set-hostname ipa.example.local 
echo " ipa.example.local ipa" >> /etc/hosts

Enable the Identity Management appstream repo.

dnf install -y @idm:DL1

The ipa-server is not available to be installed. Install the ipa-server via the dnf

dnf install -y ipa-server

As I mentioned earlier, I would use the FreeIPA for LDAP only. I am using Adguard Home as my local DNS, so I do not have to install the following packages ipa-server-dns and bind-dyndb-ldap. If you need the FreeIPA to be your DNS, then install those two packages.

To set-up the FreeIPA, run the comand ipa-server-install. This is an interactive installation and you will need to answer some needed information.

[root@ipa ~]# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the IPA Server.
Version 4.9.6

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

Server host name [ipa.example.local]: 

The domain name has been determined based on the host name.

Please confirm the domain name [example.local]: 

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [EXAMPLE.LOCAL]: 
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: 
Password (confirm): 

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: 
Password (confirm): 

Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [EXAMPLE]: 

Do you want to configure chrony with NTP server or pool address? [no]: 

The IPA Master Server will be configured with:
Hostname:       ipa.example.local
IP address(es):
Domain name:    example.local
Realm name:     EXAMPLE.LOCAL

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=EXAMPLE.LOCAL
Subject base: O=EXAMPLE.LOCAL
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Once done, the following ports needs to be opened

TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

At this point, you can access the web UI via the https://<ip-addr>. The username is admin and the password is the password you setup during the installation in line 49 and 50.


Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x