DEPLOY-2026-02-15 FreeIPA Identity Management

Executive Summary

Deployment Type: Identity Infrastructure

Problem Statement: Need centralized identity management (LDAP/Kerberos) for Linux hosts, service accounts, and ISE integration.

Solution: FreeIPA IdM on Rocky Linux 9 with Kerberos realm, LDAP directory, and PKI - without integrated DNS (separate BIND deployment).

Environment: Production (Home Lab)

Runbook: FreeIPA Server Deployment

Risk Level: Medium (identity infrastructure)

Deployment Information

| Field | Value |
|---|---|
| Deployment Date | 2026-02-15 |
| Previous State | Local accounts, no centralized identity |
| Target State | FreeIPA with LDAP/Kerberos/PKI |
| Deployment Window | 3 hours (planned), 2.5 hours (actual) |
| Rollback Plan | VM deletion, local account fallback |
| Affected Systems | Linux hosts joining realm |

Infrastructure Deployed

| Component | Value |
|---|---|
| Hostname | ipa-01.inside.domusdigitalis.dev |
| IP Address | 10.50.1.51 |
| Hypervisor | kvm-01 |
| OS | Rocky Linux 9 (cloud image) |
| Realm | INSIDE.DOMUSDIGITALIS.DEV |
| Domain | inside.domusdigitalis.dev |

Architecture Decision

| Decision | Rationale |
|---|---|
| No Integrated DNS | Separation of concerns - DNS on dedicated BIND servers |
| Cloud Image Deployment | Enterprise pattern (AWS/Azure/GCP standard) |
| Headless Installation | No GUI overhead, SSH-only management |
| Certificate Authority | FreeIPA CA for host certificates |

Services Deployed

| Service | Port | Function |
|---|---|---|
| Kerberos KDC | 88/TCP, 88/UDP | Authentication |
| LDAP | 389/TCP | Directory services |
| LDAPS | 636/TCP | Secure directory |
| Kerberos Admin | 749/TCP | Kadmin operations |
| HTTP/HTTPS | 80, 443/TCP | Web UI, API |
| DNS | (disabled) | Delegated to BIND |
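A post-deployment listener check against the services table above, added here as an example rather than the runbook's own tooling. It parses `ss -Hltn` / `ss -Hlun` output, confirms every expected port from the table is listening, and flags port 53, which must stay absent on ipa-01 because DNS is delegated to BIND; the two `ss` samples are constructed for offline use.

```shell
#!/usr/bin/env bash
# Added verification helper (not from the runbook). Expected ports follow the
# Services Deployed table; 53 is forbidden because DNS lives on the BIND servers.
EXPECTED_TCP="80 88 389 443 636 749"
EXPECTED_UDP="88"
FORBIDDEN="53"

# Read `ss -Hltn` / `ss -Hlun` output on stdin and print the unique local port numbers.
# Column 4 is the local address, e.g. 0.0.0.0:88, [::]:389 or *:443.
listening_ports() {
  awk '{ n = split($4, a, ":"); print a[n] }' | sort -un | paste -s -d ' '
}

# check_listeners "<expected ports>" "<forbidden ports>" "<observed ports>"
# Prints one line per finding; returns 0 only when every expected port is
# present and no forbidden port is listening.
check_listeners() {
  local expected="$1" forbidden="$2" have="$3" rc=0 p
  for p in $expected; do
    case " $have " in
      *" $p "*) ;;
      *) echo "MISSING: expected listener on port $p"; rc=1 ;;
    esac
  done
  for p in $forbidden; do
    case " $have " in
      *" $p "*) echo "UNEXPECTED: port $p is listening (DNS belongs on BIND)"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample in `ss -Hltn` format: what a healthy ipa-01 should show.
SAMPLE_TCP='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
LISTEN 0 128 [::]:389 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:636 [::]:*
LISTEN 0 128 0.0.0.0:749 0.0.0.0:*'
# Constructed sample in `ss -Hlun` format with a stray DNS listener (the failure mode to catch).
SAMPLE_UDP='UNCONN 0 0 0.0.0.0:88 0.0.0.0:*
UNCONN 0 0 0.0.0.0:53 0.0.0.0:*'

# On the live host replace the samples with: ss -Hltn | listening_ports  (and -Hlun for UDP)
if check_listeners "$EXPECTED_TCP" "$FORBIDDEN" "$(printf '%s\n' "$SAMPLE_TCP" | listening_ports)"; then
  echo "TCP listeners match the Services Deployed table"
fi
check_listeners "$EXPECTED_UDP" "$FORBIDDEN" "$(printf '%s\n' "$SAMPLE_UDP" | listening_ports)" || echo "UDP check failed"
```

Run it from the host's post-install checklist; a non-zero exit from either check is a reason to stop before joining Linux hosts to the realm.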