
If you want to install FreeIPA on Fedora to manage centralized authentication, DNS, and identity management for your Linux infrastructure, you have come to the right place. This guide walks you through every step — from pre-installation configuration to your first admin login — using plain, practical language that any sysadmin can follow.
FreeIPA is one of the most powerful open-source identity management solutions available for Linux environments. It combines 389 Directory Server, MIT Kerberos, BIND DNS, NTP, and Dogtag Certificate Authority into a single, cohesive platform. In other words, think of it as your own self-hosted Active Directory — but built natively for Linux.
Furthermore, Fedora is the ideal platform for FreeIPA because FreeIPA is developed and maintained largely by Red Hat engineers, and Fedora ships FreeIPA packages natively in its official repositories. This means installation is straightforward, and security updates are consistently well-maintained.
✅ Tested environment: Fedora 43, FreeIPA 4.12.5, running on a dedicated VM with 4 GB RAM and 2 vCPUs.
What Is FreeIPA?
FreeIPA (Free Identity, Policy, and Audit) is an integrated security information management solution for Linux and UNIX environments. Specifically, it provides centralized authentication using Kerberos, directory services via LDAP, and optional DNS and certificate management through its built-in CA.
Instead of managing users and access policies on each individual server, FreeIPA lets you control everything from one place. For example, when you add a user in FreeIPA, that user can immediately log in to any enrolled Linux machine in your domain — no more editing /etc/passwd on ten servers one by one.
Additionally, FreeIPA integrates tightly with the Fedora Project ecosystem. Since Fedora serves as the upstream for Red Hat Enterprise Linux (RHEL), FreeIPA packages on Fedora are always among the most current and well-tested available anywhere.
Prerequisites and System Requirements to Install FreeIPA on Fedora
Before you install FreeIPA on Fedora, you need to make sure your environment meets several important requirements. In fact, skipping this section is the number one reason why FreeIPA installations fail.
Hardware Requirements
- RAM: Minimum 2 GB; 4 GB recommended for production
- Disk: At least 10 GB of free space
- CPU: 2 vCPUs or more recommended
- Network: Static IP address (dynamic IPs will break Kerberos over time)
Software Requirements
- Fedora 40, 41, 42, or 43 (latest stable release)
- sudo or root access to the server
- A fully configured FQDN (Fully Qualified Domain Name)
Required Open Ports
Your firewall must allow traffic on the following ports before FreeIPA can function correctly:
| Service | Port(s) | Protocol |
|---|---|---|
| HTTP / HTTPS | 80, 443 | TCP |
| LDAP / LDAPS | 389, 636 | TCP |
| Kerberos | 88, 464 | TCP/UDP |
| DNS | 53 | TCP/UDP |
| NTP | 123 | UDP |
💡 Pro tip from experience: Always install and test FreeIPA on a VM snapshot first. FreeIPA installs dozens of interdependent services, and if something goes wrong, reverting a snapshot is far faster than trying to manually uninstall everything.
Step 1 — Pre-Installation Configuration
Proper pre-installation setup is critical. Therefore, transition from a bare Fedora server to a FreeIPA-ready system by following these steps in order.
1.1 Set a Fully Qualified Domain Name (FQDN)
FreeIPA’s Kerberos component relies heavily on a correctly configured FQDN. If your hostname is wrong, the entire installation will break — sometimes silently. Consequently, this must be the very first step you take.
Set your hostname with the following command:
sudo hostnamectl set-hostname dlp.ipa.srv.world
Then verify it worked:
hostname -f
The output should return your full FQDN, for example dlp.ipa.srv.world. If it returns only a short name, your /etc/hosts configuration needs fixing first.
1.2 Configure /etc/hosts
This step is commonly overlooked, but it is absolutely essential. Open the hosts file with a text editor:
sudo nano /etc/hosts
Add the following line — make sure your FQDN comes before any short aliases:
10.0.0.43 dlp.ipa.srv.world dlp
⚠️ Common mistake: Many users accidentally place the FQDN after the localhost entry, like 127.0.0.1 dlp.ipa.srv.world. This causes ipa-server-install to bind to the wrong interface and fail during the Kerberos configuration phase.
1.3 Verify Time Synchronization
Kerberos authentication is extremely sensitive to clock skew. By default, it tolerates a maximum difference of 5 minutes between the server and client clocks. Therefore, if NTP is not running, Kerberos tickets will be rejected.
Check that chronyd is active:
sudo systemctl status chronyd
If it is not running, start and enable it:
sudo systemctl enable --now chronyd
Additionally, force an immediate time sync:
sudo chronyc makestep
1.4 SELinux Considerations
FreeIPA is fully compatible with SELinux in enforcing mode. In fact, the ipa-server-install installer automatically updates the SELinux targeted policy during installation. Therefore, do not disable SELinux in production — it provides important protection for the certificate authority and LDAP directory data.
Verify SELinux is in enforcing mode:
sestatus
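The four checks in Step 1 are easy to get subtly wrong, so here they are as a small preflight script. This is an added example for this guide, not part of FreeIPA or its installer; the pure check functions take their input as a file or on stdin so they can be exercised against constructed data, and the `preflight` driver runs the live commands (hostname -f, /etc/hosts, chronyd, chronyc tracking, getenforce) only when invoked with `run`. The one-second skew limit is an assumption: Kerberos itself tolerates 300 s, but a host that is actually NTP-synced should be within a second.

```shell
#!/bin/sh
# Preflight checks for ipa-server-install (added example, not FreeIPA code).
# Run live:  sh preflight.sh run

# A hostname is fully qualified for our purposes when it contains a dot;
# "hostname -f" returning a bare short name is the failure the guide warns about.
fqdn_ok() {
  case $1 in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Check a hosts file ($2, default /etc/hosts) for the FQDN ($1):
#  - it must be the first name after a non-loopback address (canonical name),
#  - it must not be listed on a 127.x / ::1 line at all,
#  - it must not be only an alias behind the short name.
hosts_entry_ok() {
  fqdn=$1; file=${2:-/etc/hosts}
  awk -v fqdn="$fqdn" '
    /^[[:space:]]*#/ || NF < 2 { next }
    {
      loop = ($1 ~ /^127\./ || $1 == "::1")
      for (i = 2; i <= NF; i++)
        if ($i == fqdn) { if (loop) bad = 1; else if (i == 2) good = 1; else alias = 1 }
    }
    END {
      if (bad)   { print "FQDN is mapped to a loopback address" > "/dev/stderr"; exit 1 }
      if (good)  exit 0
      if (alias) { print "FQDN appears after a short alias; it must come first" > "/dev/stderr"; exit 1 }
      print "FQDN not found in hosts file" > "/dev/stderr"; exit 1
    }' "$file"
}

# Read "chronyc tracking" output on stdin and fail when the "System time"
# offset exceeds the limit in seconds ($1, default 1, an assumption: Kerberos
# allows 300 s, but a synced host should be far closer than that).
skew_ok() {
  limit=${1:-1}
  awk -v limit="$limit" '
    /^System time/ { off = $4 + 0; found = 1 }   # "System time : 0.0003 seconds fast of NTP time"
    END { exit (found && off <= limit) ? 0 : 1 }'
}

# Live driver: combine the checks against the real system.
preflight() {
  host=$(hostname -f 2>/dev/null || hostname)
  fqdn_ok "$host" || { echo "hostname '$host' is not an FQDN" >&2; return 1; }
  hosts_entry_ok "$host" /etc/hosts || return 1
  systemctl is-active --quiet chronyd || { echo "chronyd is not running" >&2; return 1; }
  chronyc tracking | skew_ok || { echo "clock offset too large; run: sudo chronyc makestep" >&2; return 1; }
  [ "$(getenforce 2>/dev/null)" = Enforcing ] || echo "warning: SELinux is not enforcing" >&2
  echo "preflight OK for $host"
}

if [ "${1:-}" = run ]; then
  preflight
fi
```

Run it as `sh preflight.sh run` before `ipa-server-install`; any failing check prints its reason to stderr and exits non-zero, which makes it usable from provisioning scripts as well.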
Step 2 — Install FreeIPA Packages on Fedora
Now that your system is correctly configured, you can install FreeIPA on Fedora using the dnf package manager. The following command installs the core server, the integrated DNS module, and the client package in a single step:
sudo dnf install -y freeipa-server freeipa-server-dns freeipa-client
Here is what each package does:
- freeipa-server — The core FreeIPA server including Kerberos KDC, 389 Directory Server, Apache web UI, and Dogtag CA
- freeipa-server-dns — Adds the integrated BIND DNS server managed by FreeIPA
- freeipa-client — Tools to enroll this machine or other Fedora systems as FreeIPA domain members
The download size is approximately 200–400 MB depending on what is already installed on your system. After installation completes, reboot the server so that all services start cleanly:
sudo reboot
Step 3 — Run the FreeIPA Server Installer on Fedora
This is the most important step when you install FreeIPA on Fedora. The ipa-server-install command is an interactive wizard that configures all FreeIPA components in the correct sequence.
3.1 Launch the Installer with DNS Support
sudo ipa-server-install --setup-dns
If you prefer not to use the integrated DNS — for instance, because you already have a separate DNS server — you can omit --setup-dns. However, using FreeIPA’s built-in DNS is strongly recommended for simpler Kerberos and service record management.
3.2 Walkthrough of the Setup Prompts
The installer presents a series of questions. Here is what to expect and how to answer each one correctly:
- Server hostname — The installer detects your FQDN automatically. Confirm it is correct, for example dlp.ipa.srv.world.
- Domain name — Derived from your FQDN. For dlp.ipa.srv.world, the domain is ipa.srv.world. Press Enter to confirm.
- Kerberos realm — The uppercase version of your domain: IPA.SRV.WORLD. Press Enter to confirm.
- Directory Manager password — Password for the low-level 389 Directory Server admin account. Use a strong password of at least 8 characters and store it securely.
- IPA admin password — Password for the admin user in the FreeIPA web UI and CLI. This is your primary day-to-day account.
- DNS forwarders — Add a public DNS forwarder such as 8.8.8.8 or 1.1.1.1, or use --no-forwarders for isolated environments.
- Reverse DNS zone — Answer yes to allow FreeIPA to manage reverse DNS lookups (highly recommended).
- NetBIOS name — Needed only for Samba/Windows client integration. Accept the default in most cases.
- Final confirmation — Review the complete summary carefully, then type yes to begin installation.
3.3 What Happens During the FreeIPA Installation
The installer takes approximately 5–10 minutes. During this time, it sequentially configures:
- Dogtag Certificate Authority — Generates root and sub-CA certificates
- 389 Directory Server — Initializes the LDAP instance and loads the FreeIPA schema
- MIT Kerberos KDC — Configures the Key Distribution Center and admin services
- Apache HTTPD — Sets up the FreeIPA web UI on port 443
- BIND DNS — Creates FreeIPA-specific zones and Kerberos SRV records
- SELinux policy — Updates policy contexts for all FreeIPA file paths
- systemd units — Enables and starts all services automatically on boot
🕐 Experience note: The CA initialization step is the longest part. If the installer appears frozen at “Configuring certificate server,” give it at least 3–5 minutes before assuming something is wrong. Entropy gathering for cryptographic key generation can be slow on VMs without a hardware RNG.
Step 4 — Post-Installation Configuration
After the installer completes successfully, a few additional steps ensure your FreeIPA server is both secure and fully accessible.
4.1 Obtain Your First Kerberos Ticket
Verify that the Kerberos authentication system works by obtaining a ticket for the admin user:
kinit admin
Enter your IPA admin password when prompted. Then list your active tickets:
klist
You should see output similar to:
Credentials cache: API:...
Principal: admin@IPA.SRV.WORLD
Issued Expires Principal
Mar 1 13:00:00 2026 Mar 2 13:00:00 2026 krbtgt/IPA.SRV.WORLD@IPA.SRV.WORLD
If kinit succeeds, your Kerberos configuration is working correctly.
4.2 Open Firewall Ports with firewalld
FreeIPA services will not be reachable from other machines unless you open the required ports. Therefore, run the following commands to configure firewalld:
sudo firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,http,https}
sudo firewall-cmd --runtime-to-permanent
Then verify the rules are applied:
sudo firewall-cmd --list-services
4.3 Access the FreeIPA Web UI
Open a browser and navigate to:
https://dlp.ipa.srv.world/ipa/ui
Log in with username admin and your IPA admin password. The web UI provides a clean dashboard where you can manage users, groups, hosts, sudo rules, DNS records, and certificates — all without touching the command line.
4.4 Set the Default User Shell
By default, FreeIPA may assign /bin/sh to new users. To set /bin/bash as the global default, run:
ipa config-mod --defaultshell=/bin/bash
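Steps 4.1 to 4.4 verify Kerberos and open the firewall, but they do not tell you whether every service from the port table is actually listening, which is where the 503 and "KDC not found" problems in the troubleshooting section usually start. The following post-install health check is an added example for this guide, not FreeIPA tooling. The two check functions read command output on stdin, so they work on the constructed `ss` sample embedded below as well as on live output; the `health_check` driver runs `ss -Hltun`, `firewall-cmd --list-services` and `ipactl status` when invoked with `run`. The sample listing is constructed for illustration and was not captured from a real server.

```shell
#!/bin/sh
# FreeIPA post-install health check (added example, not FreeIPA code).
# Run live:  sh ipa-health.sh run      Demo on the sample:  sh ipa-health.sh demo

# Required listeners from the port table in this guide, as port/proto pairs.
IPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp"

# firewalld services opened in step 4.2.
IPA_FW_SERVICES="freeipa-ldap freeipa-ldaps dns ntp http https"

# Read "ss -Hltun" output on stdin and print each required port/proto that has
# no listener. With both -t and -u, ss prints a Netid column (tcp/udp) first, so
# the local address is field 5; the port is whatever follows the last colon,
# which also handles "[::]:443" and "*:443".
missing_ports() {
  awk -v req="$IPA_PORTS" '
    { addr = $5; sub(/.*:/, "", addr); seen[addr "/" $1] = 1 }
    END {
      n = split(req, want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
    }'
}

# Read "firewall-cmd --list-services" output (one space-separated line) on
# stdin and print each required service that is not open.
missing_fw_services() {
  awk -v req="$IPA_FW_SERVICES" '
    { for (i = 1; i <= NF; i++) seen[$i] = 1 }
    END {
      n = split(req, want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
    }'
}

# Constructed sample of "ss -Hltun" on a host where LDAPS (636) and NTP (123)
# are not listening. Illustrative only.
SAMPLE_SS='tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 511 *:443 *:*
tcp LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:464 0.0.0.0:*
tcp LISTEN 0 10 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:464 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*'

# Live driver: report missing listeners and firewall services, then show
# ipactl's own view of each component.
health_check() {
  ss -Hltun | missing_ports | sed 's/^/not listening: /'
  sudo firewall-cmd --list-services | missing_fw_services | sed 's/^/firewall closed: /'
  sudo ipactl status
}

if [ "${1:-}" = run ]; then
  health_check
elif [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_SS" | missing_ports    # prints 636/tcp and 123/udp
fi
```

A port that is required but not listening points you at the component to restart with `ipactl`; a port that listens locally but is missing from the firewall list reproduces the "works on the server, fails from clients" symptom without any guesswork.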
Step 5 — Enroll a Fedora Client Into Your FreeIPA Domain
Installing FreeIPA on Fedora as a server is only the beginning. The real power comes from enrolling other Linux machines as clients in your IPA domain. On the client machine — a separate Fedora system — install the client package:
sudo dnf install -y freeipa-client
Then run the enrollment wizard:
sudo ipa-client-install --domain=ipa.srv.world --server=dlp.ipa.srv.world --mkhomedir
The --mkhomedir flag automatically creates home directories for domain users on first login. After enrollment completes successfully, any FreeIPA domain user can log in to the client machine using their domain credentials.
Troubleshooting Common Issues When You Install FreeIPA on Fedora
Even with careful preparation, you may encounter problems. The following table covers the most frequent issues and their solutions based on real-world experience:
| Issue | Likely Cause | Solution |
|---|---|---|
| ipa-server-install fails immediately | FQDN not set correctly in /etc/hosts | Ensure FQDN appears before short hostname in the hosts file |
| Kerberos clock skew error | NTP not synchronized | Run sudo chronyc makestep to force time sync |
| Web UI returns 503 error | Apache or PKI-Tomcat not started | Run ipactl status and restart failed services |
| DNS resolution fails for domain | Forwarder misconfigured | Add a valid forwarder IP or use --no-forwarders |
| kinit admin fails with “KDC not found” | DNS not pointing to FreeIPA server | Verify /etc/resolv.conf points to the IPA server IP |
| SELinux AVC denial in logs | Policy context out of date | Run sudo restorecon -Rv /var/lib/ipa |
🔍 From real-world experience: The most common issue is the /etc/hosts misconfiguration. Before reinstalling, always double-check that /etc/hosts lists your FQDN with the correct static IP — not 127.0.0.1.
Security Best Practices After You Install FreeIPA on Fedora
Transitioning from a working installation to a hardened, production-ready server requires attention to several key security steps. Moreover, implementing these practices from day one prevents costly security incidents later.
- Back up your CA certificate immediately after install. The PKCS#12 file is located at /root/cacert.p12. Store it in a secure, offline location.
- Use strong, unique passwords for both the Directory Manager account and the IPA admin account — these are your most privileged credentials.
- Plan for replica servers in production. A single FreeIPA server is a single point of failure for all authentication across your domain.
- Keep FreeIPA packages updated regularly: sudo dnf update freeipa-*. Security patches for Kerberos and the CA component are particularly critical.
- Enable DNSSEC if your DNS forwarder supports it, in order to prevent DNS spoofing attacks against your Kerberos realm.
- Restrict web UI access to port 443 using firewalld rich rules, limiting access to trusted administrator networks only.
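Two items in that list, the CA backup and the rich-rule restriction on the web UI, are concrete enough to script. The following is an added example for this guide, not FreeIPA tooling: `backup_cacert` copies the PKCS#12 bundle with mode 0600 and refuses to report success until the copy's SHA-256 matches the original, and `restrict_webui` replaces the open-to-all https service with one rich rule per trusted network. The destination directory `/mnt/offline-usb` and the network `10.0.0.0/24` in the `run` branch are placeholders, not values from the guide.

```shell
#!/bin/sh
# Post-install hardening helpers (added example, not FreeIPA code).
# Run live:  sh ipa-harden.sh run

# Copy the CA PKCS#12 bundle ($1, the guide's /root/cacert.p12) into a
# directory that will go offline ($2). The copy is created under umask 077 so it
# is mode 0600, an existing file is never silently overwritten, and the copy is
# verified by SHA-256 before it is reported. Prints "<sha256>  <path>" on success.
backup_cacert() {
  src=$1; dest=$2/cacert.p12
  [ -f "$src" ] || { echo "source $src not found" >&2; return 1; }
  if [ -e "$dest" ]; then echo "$dest already exists; refusing to overwrite" >&2; return 1; fi
  ( umask 077; cp "$src" "$dest" ) || return 1
  want=$(sha256sum "$src" | cut -d' ' -f1)
  have=$(sha256sum "$dest" | cut -d' ' -f1)
  [ "$want" = "$have" ] || { echo "checksum mismatch on $dest" >&2; return 1; }
  printf '%s  %s\n' "$have" "$dest"
}

# Build the firewalld rich rule that admits HTTPS from one trusted IPv4 network.
webui_rich_rule() {
  printf 'rule family="ipv4" source address="%s" service name="https" accept' "$1"
}

# Replace the zone-wide https allow (added in step 4.2) with per-network rich
# rules. $@ = trusted administrator networks in CIDR form. Rich rules are part
# of the zone's allow set, so once the https service is removed only the listed
# sources reach port 443; port 80 (the redirect) is left as configured.
restrict_webui() {
  for net in "$@"; do
    sudo firewall-cmd --permanent --add-rich-rule="$(webui_rich_rule "$net")"
  done
  sudo firewall-cmd --permanent --remove-service=https
  sudo firewall-cmd --reload
}

if [ "${1:-}" = run ]; then
  backup_cacert /root/cacert.p12 /mnt/offline-usb   # placeholder destination
  restrict_webui 10.0.0.0/24                         # placeholder admin network
fi
```

Keep the printed checksum with the offline copy; comparing it again before a restore tells you the media is intact. If administrators also reach the UI over IPv6, add a second rich rule with `family="ipv6"` for that prefix before removing the service, or the reload will lock them out.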
For deeper configuration topics, the official FreeIPA documentation and the Red Hat Identity Management documentation are both authoritative, well-maintained references.