01 Prerequisites
Before touching a package manager, make sure your environment meets these baseline requirements. Skipping any of these is the #1 cause of failed installs.
Do not use localhost, localhost.localdomain, or a single-label name such as ipa. FreeIPA requires a fully-qualified domain name (e.g. ipa.corp.example.com): it becomes the Kerberos and LDAP service principal name and the installer refuses anything else.
02 Prepare the Server
Set a static hostname
$ hostnamectl set-hostname ipa.corp.example.com
Configure /etc/hosts
Make sure the server can resolve its own FQDN to its static IP — even before DNS is live:
# Replace with your actual IP and domain
192.168.1.10 ipa.corp.example.com ipa
Verify forward and reverse DNS
$ hostname -f
ipa.corp.example.com
$ dig +short ipa.corp.example.com A
192.168.1.10
$ dig +short -x 192.168.1.10
ipa.corp.example.com.
Sync time with Chrony
Kerberos is extremely time-sensitive. By default a KDC and its clients tolerate at most 5 minutes of clock skew (the MIT clockskew setting, 300 s); beyond that every ticket request fails with "Clock skew too great", and the installer itself will not complete.
$ dnf install -y chrony
$ systemctl enable --now chronyd
$ chronyc tracking
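The checks in this section, collected into one script, as an added example that is not FreeIPA project code. The function names, the --run switch and the use of hostname -I to pick the primary address are this example's own choices; the 300 s limit is the default Kerberos clock-skew tolerance:

```shell
#!/usr/bin/env bash
# Added example: pre-install checks for a FreeIPA server host (not FreeIPA code).
# Run "./ipa-preflight.sh --run" on the future server; without --run it only
# defines the functions so they can be reused or tested.
set -u

# A usable FreeIPA hostname is a multi-label FQDN and never localhost.
fqdn_ok() {
    case "$1" in
        ""|localhost|localhost.localdomain|*.localdomain) return 1 ;;
        .*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;   # malformed labels
        *.*) return 0 ;;                            # at least two labels
        *) return 1 ;;                              # single label, e.g. "ipa"
    esac
}

# Does HOSTSFILE map IP to FQDN (as any name on that line)? Comment lines are skipped.
hosts_maps() {
    local hostsfile=$1 fqdn=$2 ip=$3
    awk -v ip="$ip" -v h="$fqdn" '
        $1 ~ /^#/ { next }
        $1 == ip  { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit (found ? 0 : 1) }' "$hostsfile"
}

# Parse "chronyc tracking" output: synchronised and |System time offset| < MAXSEC.
# Returns 1 when not synchronised or when the skew is too large.
skew_ok() {
    local tracking=$1 maxsec=${2:-300}
    printf '%s\n' "$tracking" | awk -v max="$maxsec" '
        /^Leap status/ { sub(/^[^:]*: */, ""); leap = $0 }
        /^System time/ { sub(/^[^:]*: */, ""); off = $1 + 0 }
        END {
            if (leap != "Normal") exit 1
            if (off < 0) off = -off
            rc = (off < max) ? 0 : 1
            exit rc
        }'
}

# Live run against this host (assumes Linux: hostname -I, dig, chronyc present).
if [ "${1:-}" = "--run" ]; then
    rc=0
    fqdn=$(hostname -f 2>/dev/null || true)
    ip=$(hostname -I 2>/dev/null | awk '{print $1}')
    fqdn_ok "$fqdn" || { echo "FAIL: hostname '$fqdn' is not a usable FQDN"; rc=1; }
    hosts_maps /etc/hosts "$fqdn" "$ip" || { echo "FAIL: /etc/hosts lacks '$ip $fqdn'"; rc=1; }
    [ "$(dig +short "$fqdn" A 2>/dev/null)" = "$ip" ] || { echo "FAIL: forward DNS for $fqdn is not $ip"; rc=1; }
    [ "$(dig +short -x "$ip" 2>/dev/null)" = "$fqdn." ] || { echo "FAIL: reverse DNS for $ip is not $fqdn"; rc=1; }
    skew_ok "$(chronyc tracking 2>/dev/null)" || { echo "FAIL: clock not synchronised or skew >= 300 s"; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK"
    exit "$rc"
fi
```

Run it before ipa-server-install and again on every host that will become a replica; a forward record that resolves but a reverse record that does not is the most common silent failure, because the installer's own check only warns about it.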
03 Install Packages
Enable the module stream
$ dnf module enable -y idm:DL1
This applies to RHEL 8 and its rebuilds (Rocky Linux 8, AlmaLinux 8), where the server lives in the idm:DL1 module stream. On RHEL 9 the packages ship directly in AppStream and this step is skipped.
Install the server package
$ dnf install -y ipa-server ipa-server-dns
The ipa-server-dns package is optional but strongly recommended — it lets FreeIPA manage its own DNS zone, which simplifies SRV record management significantly.
04 Run the Installer
The ipa-server-install script handles the heavy lifting — it configures 389-DS, Kerberos KDC, Dogtag CA, and Apache.
Interactive install (recommended for first-timers)
# Run as root
$ ipa-server-install
The wizard will prompt you through each setting. Alternatively, pass all arguments for an unattended install:
Unattended install
$ ipa-server-install \
--domain=corp.example.com \
--realm=CORP.EXAMPLE.COM \
--ds-password='DirMgrP@ssw0rd!' \
--admin-password='AdminP@ssw0rd!' \
--setup-dns \
--forwarder=8.8.8.8 \
--auto-reverse \
--unattended
Avoid passing passwords as CLI arguments on a production host: they land in the shell history and, while the installer runs, are visible to every local user through ps. Prefer the interactive wizard, which prompts for them, or a provisioning tool that does not log its arguments. Both passwords must be at least 8 characters; the Directory Manager password is the root of the LDAP tree and should be stored separately from the admin password.
Installation typically takes 5–10 minutes. A successful run ends with:
The ipa-server-install command was successful
05 Firewall Rules
FreeIPA uses a wide range of services. Open them all with the pre-built firewalld service definitions:
$ firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,freeipa-replication,dns,ntp,http,https,kerberos,kpasswd}
$ firewall-cmd --reload
$ firewall-cmd --list-services
dns is only needed when this server runs the integrated DNS (--setup-dns). ntp is unrelated to DNS: open it only if you configure chronyd on this server to serve time to clients; otherwise leave it closed. Newer firewalld releases also ship a single freeipa-4 service covering the same set of ports, which you can use instead of the list if it is present.
06 Verify Installation
Obtain a Kerberos ticket
$ kinit admin
Password for admin@CORP.EXAMPLE.COM: ***
$ klist
Ticket cache: KCM:0
Default principal: admin@CORP.EXAMPLE.COM
Valid starting Expires Service principal
03/06/26 10:00:01 03/07/26 10:00:01 krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
Test the IPA CLI
$ ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
...
Access the Web UI
Open a browser and navigate to https://ipa.corp.example.com. Log in with the admin credentials you set during installation.
If the UI loads and ipa user-find returns results, your FreeIPA server is healthy and ready for clients.
07 Enroll a Client
Run these steps on each Linux machine you want to join to the FreeIPA domain.
- Install the client package: dnf install -y ipa-client
- Point the machine's DNS resolver at the IPA server, so it can find the _kerberos and _ldap SRV records of the domain
- Run the enrollment command shown below
- Verify with: id someuser@corp.example.com
$ dnf install -y ipa-client
$ ipa-client-install \
--domain=corp.example.com \
--server=ipa.corp.example.com \
--realm=CORP.EXAMPLE.COM \
--principal=admin \
--password='AdminP@ssw0rd!' \
--mkhomedir \
--unattended
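Enrolling with --principal=admin --password puts the admin password into the client's shell history and process list. FreeIPA supports a one-time host password instead: create the host entry with a random password on the server, then enroll the client with that value. The following script, an added example that is not FreeIPA project code, wraps the two steps; the function names, the script's issue/enroll switches and the client name client01.corp.example.com are this example's own assumptions:

```shell
#!/usr/bin/env bash
# Added example (not FreeIPA code): enroll a client with a one-time host
# password instead of the admin credentials.
#   on the server: ./enroll.sh issue  client01.corp.example.com 192.168.1.50
#   on the client: ./enroll.sh enroll client01.corp.example.com <otp>
set -u

# Pull the one-time password out of the output of "ipa host-add ... --random".
parse_random_password() {
    printf '%s\n' "$1" | awk -F': *' '/^[[:space:]]*Random password:/ { print $2; exit }'
}

# On the server (or any machine holding an admin TGT): create the host entry
# with a random one-time password and, with integrated DNS, its A record.
# Prints the OTP and nothing else, so it can be captured by the caller.
server_issue_otp() {
    local host=${1:?host FQDN} ip=${2:?IP address} out
    out=$(ipa host-add "$host" --ip-address="$ip" --random) || return 1
    parse_random_password "$out"
}

# On the client: the OTP replaces --principal/--password. The admin password
# never reaches the client, and the OTP is consumed by this enrollment, so a
# value that leaks from history or ps afterwards is useless.
client_enroll() {
    local host=${1:?host FQDN} otp=${2:?one-time password}
    ipa-client-install \
        --hostname="$host" \
        --domain=corp.example.com \
        --realm=CORP.EXAMPLE.COM \
        --password="$otp" \
        --mkhomedir \
        --unattended
}

case "${1:-}" in
    issue)  server_issue_otp "${2:-}" "${3:-}" ;;
    enroll) client_enroll "${2:-}" "${3:-}" ;;
esac
```

The host name given to ipa host-add must match the client's hostname -f exactly, otherwise the OTP is rejected. Hand the OTP to the client through your provisioning channel (cloud-init user data, a configuration-management secret), not by e-mail or chat; it is valid until used, so issue it immediately before enrollment.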
08 Post-Install Tasks
Create your first user
$ ipa user-add jdoe \
--first=John \
--last=Doe \
--email=jdoe@corp.example.com \
--password
Enable sudo rules
A sudo rule with no allowed commands matches nothing, so the --cmdcat=all below is what actually makes this rule "allow all". The '!authenticate' option is the NOPASSWD equivalent: together with cmdcat=all it gives every member of admins passwordless root on every host in ipaservers, so keep the scope this narrow (or drop the option) and prefer rules that list specific commands. Clients resolve sudo rules through SSSD, which ipa-client-install enables by default; the sudo package must be installed on the client.
$ ipa sudorule-add allow_all --cmdcat=all
$ ipa sudorule-add-option allow_all --sudooption='!authenticate'
$ ipa sudorule-add-user allow_all --groups=admins
$ ipa sudorule-add-host allow_all --hostgroups=ipaservers
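A scoped rule built from the same commands, plus an audit that flags rules granting passwordless execution of any command, as an added example that is not FreeIPA project code. The rule name ops_restart, the command group ops_cmds, the user group ops and the host group webservers are this example's own assumptions; the audit parses the output format of ipa sudorule-show, which is what the commands above produce:

```shell
#!/usr/bin/env bash
# Added example (not FreeIPA code): a least-privilege sudo rule, and an audit
# for rules that combine "Command category: all" with "!authenticate".
#   ./sudo-rules.sh create   (needs an admin TGT: kinit admin)
#   ./sudo-rules.sh audit
set -u

# The ops group may run systemctl on hosts in webservers, entering their own
# password. Commands must be absolute paths; the "|| true" tolerates re-runs.
create_scoped_rule() {
    ipa sudocmd-add /usr/bin/systemctl --desc='service control' || true
    ipa sudocmdgroup-add ops_cmds --desc='commands for the ops team' || true
    ipa sudocmdgroup-add-member ops_cmds --sudocmds=/usr/bin/systemctl
    ipa sudorule-add ops_restart --desc='ops may run systemctl on web servers'
    ipa sudorule-add-user ops_restart --groups=ops
    ipa sudorule-add-host ops_restart --hostgroups=webservers
    ipa sudorule-add-allow-command ops_restart --sudocmdgroups=ops_cmds
}

# Given the text of "ipa sudorule-show RULE", return 1 when the rule is enabled,
# allows every command and skips the password prompt; 0 otherwise.
audit_rule_text() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[[:space:]]*Enabled:/          { enabled = ($2 == "True") }
        /^[[:space:]]*Command category:/ { allcmd  = ($2 == "all") }
        /^[[:space:]]*Sudo Option:/      { if ($2 ~ /!authenticate/) nopw = 1 }
        END { rc = (enabled && allcmd && nopw) ? 1 : 0; exit rc }'
}

# Walk every rule in the directory and report the risky ones.
audit_all_rules() {
    ipa sudorule-find --pkey-only --raw | awk -F': *' '/^[[:space:]]*cn:/ { print $2 }' |
    while read -r rule; do
        audit_rule_text "$(ipa sudorule-show "$rule")" ||
            echo "RISK: sudo rule '$rule' grants passwordless execution of any command"
    done
}

case "${1:-}" in
    create) create_scoped_rule ;;
    audit)  audit_all_rules ;;
esac
```

On a client, sudo -l -U <user> shows the rules SSSD has fetched for that user; a freshly created rule can take up to the SSSD sudo refresh interval to appear, so run sss_cache -E or wait before concluding the rule is wrong.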
Set up a replica (HA)
Run these commands on the second server, not on the first. The replica needs the same prerequisites as the primary (FQDN, forward and reverse DNS, time sync) and the same firewall rules. Add --setup-ca so the certificate authority is not a single point of failure; --admin-password carries the same shell-history caveat as above, so omit it and let the installer prompt where you can.
$ dnf install -y ipa-server ipa-server-dns
$ ipa-replica-install \
--principal=admin \
--admin-password='AdminP@ssw0rd!' \
--setup-ca \
--setup-dns \
--forwarder=8.8.8.8
Afterwards, ipa-replica-manage list on either server should show both hosts.
You're done! Your FreeIPA domain is live. Next steps: configure Host-Based Access Control (HBAC), set up OTP two-factor auth, and integrate with your existing Active Directory via a Cross-Forest Trust.
Useful Resources
FreeIPA Official Documentation · Red Hat IdM Guide · Source on Pagure