DEPLOY-2026-02-15 FreeIPA Identity Management

1. Executive Summary

Deployment Type: Identity Infrastructure

Problem Statement: Need centralized identity management (LDAP/Kerberos) for Linux hosts, service accounts, and ISE integration.

Solution: FreeIPA IdM on Rocky Linux 9 providing a Kerberos realm, an LDAP directory and an integrated CA, installed without integrated DNS (name resolution stays on the separate BIND deployment).

Environment: Production (Home Lab)

Runbook: FreeIPA Server Deployment

Risk Level: Medium (identity infrastructure)

2. Deployment Information

Deployment Date: 2026-02-15

Previous State: Local accounts, no centralized identity

Target State: FreeIPA with LDAP/Kerberos/PKI

Deployment Window: 3 hours (planned), 2.5 hours (actual)

Rollback Plan: VM deletion, local account fallback

Affected Systems: Linux hosts joining the realm

3. Infrastructure Deployed

Hostname: ipa-01.inside.domusdigitalis.dev

IP Address: 10.50.1.51

Hypervisor: kvm-01

OS: Rocky Linux 9 (cloud image)

Realm: INSIDE.DOMUSDIGITALIS.DEV

Domain: inside.domusdigitalis.dev

4. Architecture Decision

No Integrated DNS: separation of concerns; DNS stays on the dedicated BIND servers, so the IPA server carries only identity services.

Cloud Image Deployment: the same image-plus-cloud-init pattern used on AWS/Azure/GCP, instead of an interactive OS installer.

Headless Installation: no GUI overhead; management over SSH only.

Certificate Authority: FreeIPA's integrated CA issues the host certificates.

5. Services Deployed

Service: Port (Function)

Kerberos KDC: 88/TCP, 88/UDP (authentication)

LDAP: 389/TCP (directory services)

LDAPS: 636/TCP (secure directory)

Kerberos Admin: 749/TCP (kadmin operations)

HTTP/HTTPS: 80, 443/TCP (Web UI, API)

DNS: disabled (delegated to BIND)

Note: password changes use kpasswd on 464/TCP and 464/UDP. It is not in the runbook's table but is part of the firewalld freeipa-4 service definition and must be reachable from clients.

6. Deployment Phases

Phase, Description: Key Steps

1, Download Cloud Image: Rocky 9 GenericCloud, SHA256 verification

2, KVM Network Architecture: bridge configuration verification

3, cloud-init Configuration: meta-data, user-data, network-config

4-5, VM Creation: disk resize, virt-install

6, VM Verification: SSH connectivity, hostname

7, Pre-Installation Setup: firewall, SELinux, DNS resolution (forward and reverse for the IPA FQDN)

8, Install FreeIPA: ipa-server-install without --setup-dns (standalone; integrated DNS is opt-in and the installer has no separate --no-dns switch)

9, Verify Installation: kinit, ipa user-find, web UI

10, Service Accounts: printer service account for ISE

11, ISE LDAP Integration: configure ISE to use FreeIPA LDAP
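Phases 7 to 9 as one script. This is an added example, not the runbook's own script or FreeIPA project code: it checks the conditions the installer rejects (an FQDN outside the IdM domain, /etc/hosts mapping the FQDN to loopback, missing forward or reverse resolution), opens the firewalld freeipa-4 service, runs ipa-server-install without --setup-dns and performs the phase 9 checks. Hostname, IP, realm and domain are taken from section 3; the /etc/hosts samples are constructed; the freeipa-4 firewalld service name and the exact installer option set are assumptions for this lab, not something the record states.

```shell
#!/usr/bin/env bash
# Added example, not the runbook's own script or FreeIPA project code.
# Pre-installation checks and the installer invocation for a FreeIPA server
# that relies on external BIND DNS. Assumed: the freeipa-4 firewalld service
# and the option set in build_install_cmd (the record only says DNS was left
# out). Hostname/IP/realm/domain come from section 3 of the record.
set -euo pipefail

IPA_FQDN="ipa-01.inside.domusdigitalis.dev"
IPA_IP="10.50.1.51"
IPA_DOMAIN="inside.domusdigitalis.dev"
IPA_REALM="INSIDE.DOMUSDIGITALIS.DEV"

# The server name must be a fully qualified name inside the IdM domain.
check_fqdn_in_domain() {            # $1 = fqdn, $2 = domain
  case "$1" in
    *."$2") return 0 ;;
    *)      return 1 ;;
  esac
}

# /etc/hosts must map the FQDN to the real address and never to loopback:
# cloud images often write "127.0.0.1 <fqdn>", and ipa-server-install aborts
# when its own hostname resolves to localhost. Takes the file content as $1 so
# the check can be exercised on a sample without touching the system file.
check_hosts_entry() {               # $1 = /etc/hosts content, $2 = fqdn, $3 = ip
  printf '%s\n' "$1" | awk -v fqdn="$2" -v ip="$3" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == fqdn) {
        if ($1 == "127.0.0.1" || $1 == "::1") bad = 1
        else if ($1 == ip) good = 1 } }
    END { exit (bad || !good) ? 1 : 0 }'
}

# Constructed samples (not captured from the VM): the cloud-init default that
# fails the check, and the corrected file that passes it.
HOSTS_BAD=$(printf '127.0.0.1 ipa-01.inside.domusdigitalis.dev ipa-01 localhost\n::1 localhost6\n')
HOSTS_GOOD=$(printf '127.0.0.1 localhost\n10.50.1.51 ipa-01.inside.domusdigitalis.dev ipa-01\n')

# Installer command line. Integrated DNS is opt-in via --setup-dns, so not
# passing it gives the "no integrated DNS" setup; the CA is installed by
# default. Passwords are left to the installer's prompts rather than -p/-a,
# which would land in shell history and in ps output.
build_install_cmd() {
  printf '%s' "ipa-server-install --realm=$IPA_REALM --domain=$IPA_DOMAIN --hostname=$IPA_FQDN --ip-address=$IPA_IP"
}

if [ "${1:-}" = "--run" ]; then
  check_fqdn_in_domain "$IPA_FQDN" "$IPA_DOMAIN" || { echo "hostname is not inside $IPA_DOMAIN" >&2; exit 1; }
  check_hosts_entry "$(cat /etc/hosts)" "$IPA_FQDN" "$IPA_IP" || { echo "fix /etc/hosts first" >&2; exit 1; }
  # Forward and reverse resolution through BIND: the A and PTR records must
  # already exist because the installer will not create them.
  getent hosts "$IPA_FQDN" | grep -qwF "$IPA_IP"   || { echo "A record missing in BIND" >&2; exit 1; }
  getent hosts "$IPA_IP"   | grep -qwF "$IPA_FQDN" || { echo "PTR record missing in BIND" >&2; exit 1; }
  # SELinux stays enforcing; only the firewall needs preparing.
  getenforce | grep -qx Enforcing || echo "warning: SELinux is not enforcing" >&2
  firewall-cmd --permanent --add-service=freeipa-4 && firewall-cmd --reload
  dnf -y install ipa-server
  eval "$(build_install_cmd)"
  # Phase 9 checks: Kerberos ticket, LDAP query, and the server's own host entry.
  kinit admin && ipa user-find --sizelimit=5 && ipa host-show "$IPA_FQDN"
fi
```

Run it on the freshly provisioned VM as root with --run; without the flag it only defines the checks, which is how the samples above can be exercised on any machine.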

7. Validation Results

Test: Result (Evidence)

Kerberos authentication: ✅ PASS (kinit admin successful)

LDAP queries: ✅ PASS (ipa user-find returns users)

Web UI access: ✅ PASS (https://ipa-01.inside.domusdigitalis.dev/ipa/ui reachable)

Certificate issuance: ✅ PASS (host certificates issued by the FreeIPA CA)

ISE LDAP binding: ✅ PASS (ISE connected to FreeIPA)

8. Lessons Learned

DNS Separation: Without integrated DNS, the A and PTR records for the IPA hostname must exist in BIND before the installer runs; ipa-server-install verifies that its own FQDN resolves forward and reverse. The SRV and TXT records clients use for discovery (_kerberos, _ldap and so on) are not created either; ipa dns-update-system-records --dry-run prints them for manual entry into BIND, and until they exist ipa-client-install needs an explicit --server.

Firewall: ipa-server-install does not configure firewalld itself; open the ports before installing, e.g. firewall-cmd --permanent --add-service=freeipa-4 followed by firewall-cmd --reload. The CLI installer has no --setup-firewall option; automatic firewalld handling is a feature of the ansible-freeipa ipaserver role (ipaserver_setup_firewalld).

SELinux: Keep enforcing; FreeIPA ships its own policy and runs fully under SELinux enforcing.

Service Accounts: ipa service-add creates a keytab-based Kerberos service principal, which suits hosts and applications that authenticate with Kerberos. An appliance that binds to LDAP with a DN and password, as ISE does, needs a password-bearing entry instead: a system account under cn=sysaccounts,cn=etc,<suffix> added with ldapmodify, or a dedicated user in a restricted group.

ISE Integration: FreeIPA LDAP works with ISE for 802.1X user lookup; bind over LDAPS (636/TCP) with the dedicated account, search base cn=users,cn=accounts,<suffix>, and limit the account to read access.
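The service-account step (phases 10 and 11) and the Service Accounts lesson above, as one added example that is not part of the runbook or of the FreeIPA project: it derives the directory suffix from the domain, generates the LDIF for a system account under cn=sysaccounts,cn=etc (the FreeIPA-documented pattern for password-based bind accounts), loads it with ldapmodify and then performs the same LDAPS simple bind plus user search that ISE does. The account name ise-ldap and the bases printed for the ISE configuration are assumptions, not values from the record.

```shell
#!/usr/bin/env bash
# Added example, not the runbook's own script or FreeIPA project code.
# Creates a password-based LDAP bind account for ISE and verifies it.
# Assumed: the account name "ise-ldap"; the suffix is derived from the
# domain in section 3 of the record.
set -euo pipefail

IPA_FQDN="ipa-01.inside.domusdigitalis.dev"
IPA_DOMAIN="inside.domusdigitalis.dev"
BIND_UID="ise-ldap"

# FreeIPA's directory suffix is the DNS domain rewritten as dc= components.
domain_to_suffix() {                # $1 = dns domain
  printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Bind DN for the system account, and the bases ISE searches for users and
# groups (FreeIPA's standard cn=accounts subtrees).
bind_dn()     { printf 'uid=%s,cn=sysaccounts,cn=etc,%s' "$BIND_UID" "$(domain_to_suffix "$IPA_DOMAIN")"; }
users_base()  { printf 'cn=users,cn=accounts,%s'  "$(domain_to_suffix "$IPA_DOMAIN")"; }
groups_base() { printf 'cn=groups,cn=accounts,%s' "$(domain_to_suffix "$IPA_DOMAIN")"; }

# LDIF for the system account. It carries no POSIX attributes, so it can bind
# to the directory but cannot log in to any host; "ipa service-add" would
# instead create a keytab-only Kerberos principal that a simple bind cannot
# use. passwordExpirationTime far in the future keeps the directory from
# expiring the bind password; nsIdleTimeout 0 stops idle appliance
# connections from being cut.
sysaccount_ldif() {                 # $1 = password
  cat <<EOF
dn: $(bind_dn)
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $BIND_UID
userPassword: $1
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

if [ "${1:-}" = "--run" ]; then
  read -r -s -p "New password for $(bind_dn): " PW; echo
  # cn=etc is outside the IPA-managed tree, so the entry is added as Directory
  # Manager (ldapmodify prompts for that password). Run on the IPA server
  # itself, where the OpenLDAP client already trusts the IPA CA.
  sysaccount_ldif "$PW" | ldapmodify -H "ldaps://$IPA_FQDN" -D "cn=Directory Manager" -W
  # The same simple bind and user search ISE performs; prompts again instead
  # of passing the password with -w, which would show up in ps output.
  ldapsearch -H "ldaps://$IPA_FQDN" -D "$(bind_dn)" -W -b "$(users_base)" -s sub '(uid=admin)' dn
  printf 'ISE bind DN:   %s\nUsers base:    %s\nGroups base:   %s\n' "$(bind_dn)" "$(users_base)" "$(groups_base)"
fi
```

Without --run the script only defines the helpers, so the generated DNs and LDIF can be inspected before anything is written to the directory; the three values it prints at the end are what the ISE LDAP identity source needs (bind DN, user search base, group search base), with LDAPS on 636/TCP as the transport.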

9. Post-Deployment Status

ipa-01: Operational, primary IdM server

ipa-02: Planned (HA replica on kvm-02); install it with ipa-replica-install --setup-ca so the CA is not a single point of failure

DNS: A/PTR records in BIND

ISE: LDAP integration configured

Documentation: 11-phase runbook + service account guide