FreeIPA Identity Management Roadmap

Overview

Deploy FreeIPA (Red Hat Identity Management) as the enterprise Linux identity platform. Provides LDAP, Kerberos, PKI, DNS, and AD trust capabilities for Linux-native authentication.

Architecture

Figure 1. FreeIPA Components and Integration
Component             Purpose
389 Directory Server  LDAP user/host/service store
MIT Kerberos (KDC)    SSO authentication
Dogtag CA             Certificate authority
Integrated DNS        Dynamic DNS updates
SSSD                  Linux client integration
HBAC                  Host-based access control
Sudo rules            Centralized sudo management
AD Trust              Cross-forest trust with AD

Milestones

Phase 1: Server Deployment

  • Provision RHEL 9 VM (4 vCPU, 8GB RAM, 50GB disk)

  • Configure static IP and DNS resolution

  • Install FreeIPA server packages

  • Run interactive installer with DNS

  • Verify admin console access

Server Installation
# RHEL 9 / Rocky 9 / Alma 9
# (the canonical RHEL-family package names are ipa-server and ipa-server-dns;
# the freeipa-* names are the Fedora names, which those packages also provide)
sudo dnf install -y freeipa-server freeipa-server-dns

# Interactive setup (prompts for the Directory Manager and admin passwords)
sudo ipa-server-install --setup-dns
Scripted Installation
# Passwords passed as arguments end up in shell history and are visible in the
# process list while the installer runs: run this from a root-only script file
# rather than an interactive shell, or use the interactive form above.
sudo ipa-server-install \
  --realm=INSIDE.DOMUSDIGITALIS.DEV \
  --domain=inside.domusdigitalis.dev \
  --hostname=ipa-01.inside.domusdigitalis.dev \
  --ds-password='<directory-manager-password>' \
  --admin-password='<admin-password>' \
  --setup-dns \
  --forwarder=10.50.1.1 \
  --no-ntp \
  --unattended
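The installer refuses a non-FQDN hostname and a hostname that /etc/hosts maps to loopback, and a server whose firewall still blocks LDAP/Kerberos/DNS enrols no clients. The script below is an added pre-flight check for Phase 1, not part of FreeIPA: it validates the hostname/domain/realm triple used on this page before ipa-server-install runs and opens the firewalld service definitions the server needs. The function names and the `run` argument are this page's own conventions.

```shell
#!/bin/sh
# Added pre-flight script for the FreeIPA server (not FreeIPA's own tooling).
# check_install_params HOSTNAME DOMAIN REALM
# Returns 0 when the triple is consistent, 1 otherwise, printing each problem.
check_install_params() {
    cip_host=$1 cip_domain=$2 cip_realm=$3 cip_rc=0
    # The server hostname must be fully qualified and must not be a loopback name.
    case "$cip_host" in
        localhost|localhost.*|*.localdomain)
            echo "FAIL: hostname '$cip_host' is a loopback name"; cip_rc=1 ;;
        *.*) ;;
        *)  echo "FAIL: hostname '$cip_host' is not fully qualified"; cip_rc=1 ;;
    esac
    # The IPA DNS domain must not be a single label.
    case "$cip_domain" in
        *.*) ;;
        *)   echo "FAIL: domain '$cip_domain' is single-label"; cip_rc=1 ;;
    esac
    # The server should sit inside the IPA DNS domain it will serve.
    case "$cip_host" in
        *."$cip_domain") ;;
        *) echo "FAIL: '$cip_host' is not under '$cip_domain'"; cip_rc=1 ;;
    esac
    # Convention: the Kerberos realm is the upper-cased DNS domain.
    cip_expect=$(printf '%s' "$cip_domain" | tr '[:lower:]' '[:upper:]')
    if [ "$cip_realm" != "$cip_expect" ]; then
        echo "FAIL: realm '$cip_realm' should be '$cip_expect'"; cip_rc=1
    fi
    return $cip_rc
}

# check_hosts_file HOSTNAME: /etc/hosts must not map the FQDN to loopback,
# otherwise the installer registers 127.0.0.1 as the server address.
check_hosts_file() {
    if grep -Eq "^(127\.0\.0\.1|::1)[[:space:]]+(.*[[:space:]]+)?$1([[:space:]]|$)" /etc/hosts; then
        echo "FAIL: $1 resolves to loopback in /etc/hosts"; return 1
    fi
    return 0
}

# open_firewall: firewalld ships service definitions covering the FreeIPA ports
# (LDAP/LDAPS, Kerberos, HTTP/HTTPS, DNS). freeipa-trust is only needed once
# Phase 3 (AD trust) is in scope; drop it otherwise.
open_firewall() {
    sudo firewall-cmd --permanent --add-service=freeipa-4 --add-service=dns \
        --add-service=freeipa-trust && sudo firewall-cmd --reload
}

# Usage: sh preflight.sh run   (values from the scripted installation above)
if [ "${1:-}" = "run" ]; then
    check_install_params "$(hostname -f)" inside.domusdigitalis.dev INSIDE.DOMUSDIGITALIS.DEV \
        && check_hosts_file "$(hostname -f)" && open_firewall
fi
```

Run it as root on the freshly provisioned VM before the installer; a non-zero exit with a FAIL line is cheaper to fix than an installer that bails out halfway through configuring the directory.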

Phase 2: Base Configuration

  • Create admin users

  • Configure password policies

  • Set up host groups

  • Configure HBAC rules

  • Create sudo rules

Create Service Account for Printers
# Add printer service account
ipa user-add brother-mfc \
  --first=Brother \
  --last=Printer \
  --shell=/sbin/nologin \
  --password

# Add to printer group
ipa group-add printers --desc="Network Printers"
ipa group-add-member printers --users=brother-mfc
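The Phase 2 milestones (password policy, host groups, HBAC rules, sudo rules) are shown below as one re-runnable script. This is an added example, not FreeIPA's own tooling; the group and rule names (sysadmins, linux-servers, sysadmins-ssh, sysadmins-sudo) and the DRY_RUN convention are assumptions for this page. The security-relevant detail it encodes is ordering: FreeIPA ships an enabled `allow_all` HBAC rule, and until it is disabled the specific rules change nothing, but disabling it before a working rule exists locks everyone out.

```shell
#!/bin/sh
# Added Phase 2 configuration script (not FreeIPA's own tooling).
# Needs an admin ticket (kinit admin). Set DRY_RUN=1 to print the ipa
# commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Tighten the global password policy: length, character classes, history, max age.
set_password_policy() {
    run ipa pwpolicy-mod --minlength=14 --minclasses=3 --history=10 --maxlife=180
}

# HBAC: only GROUP may reach sshd on hosts in HOSTGROUP. The stock allow_all
# rule is disabled last, after the specific rule exists, to avoid lockout.
# The *-add calls are tolerated failing so the script can be re-run.
configure_hbac() {
    hb_group=$1 hb_hostgroup=$2 hb_rule=$3
    run ipa group-add "$hb_group" --desc="Linux system administrators" || true
    run ipa hostgroup-add "$hb_hostgroup" --desc="Managed Linux servers" || true
    run ipa hbacrule-add "$hb_rule" --desc="sshd for $hb_group on $hb_hostgroup" || true
    run ipa hbacrule-add-user "$hb_rule" --groups="$hb_group"
    run ipa hbacrule-add-host "$hb_rule" --hostgroups="$hb_hostgroup"
    run ipa hbacrule-add-service "$hb_rule" --hbacsvcs=sshd
    run ipa hbacrule-disable allow_all
}

# Sudo: GROUP may run any command on HOSTGROUP. The rule is scoped to the
# host group (not --hostcat=all) and keeps password authentication, i.e. no
# '!authenticate' option is added.
configure_sudo() {
    su_group=$1 su_hostgroup=$2 su_rule=$3
    run ipa sudorule-add "$su_rule" --cmdcat=all --desc="Full sudo for $su_group" || true
    run ipa sudorule-add-user "$su_rule" --groups="$su_group"
    run ipa sudorule-add-host "$su_rule" --hostgroups="$su_hostgroup"
}

# Usage: sh phase2.sh apply
if [ "${1:-}" = "apply" ]; then
    set_password_policy
    configure_hbac sysadmins linux-servers sysadmins-ssh
    configure_sudo sysadmins linux-servers sysadmins-sudo
fi
```

Print the plan first with `DRY_RUN=1 sh phase2.sh apply`, then run it for real; `ipa hbacrule-find --enabled=true` afterwards should list only your own rules.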

Phase 3: AD Trust (Optional)

  • Configure DNS forwarding to AD

  • Establish AD trust relationship

  • Map AD groups to FreeIPA

  • Test cross-realm authentication

Establish AD Trust
# Install trust packages (canonical RHEL-family name: ipa-server-trust-ad)
sudo dnf install -y freeipa-server-trust-ad

# Prepare this server for trusts: configures Samba and adds SIDs to existing
# users and groups. The firewall must also pass the freeipa-trust service ports.
sudo ipa-adtrust-install --add-sids

# Create the trust to the AD forest root domain (not the IPA domain itself).
# The AD Administrator password is prompted for.
ipa trust-add <ad-forest-root-domain> \
  --type=ad \
  --admin=Administrator \
  --password
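The remaining Phase 3 milestones, DNS forwarding to AD and mapping AD groups into FreeIPA, are shown below as an added example that is not FreeIPA's own tooling. The AD domain and DNS server are placeholders to replace; the group names ad_admins_external and ad_admins and the DRY_RUN convention are assumptions for this page. The mapping follows the documented FreeIPA pattern: AD principals can only be members of an external (non-POSIX) IPA group, which is then nested into a POSIX group that HBAC and sudo rules can reference.

```shell
#!/bin/sh
# Added Phase 3 script (not FreeIPA's own tooling). Needs an admin ticket.
# Set DRY_RUN=1 to print commands instead of running them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Forward the AD domain to AD's own DNS servers. forward-policy=only keeps the
# IPA resolver from trying to answer AD names itself.
add_ad_forwarding() {
    run ipa dnsforwardzone-add "$1" --forwarder="$2" --forward-policy=only
}

# Establish the trust to the AD forest root. The first argument must be the
# AD forest root domain, never the IPA domain itself.
add_trust() {
    run ipa trust-add "$1" --type=ad --admin="$2" --password
}

# map_ad_group AD_GROUP EXTERNAL_GROUP POSIX_GROUP
# AD_GROUP is given as name@ad-domain. The external group holds the SID-backed
# AD member; the POSIX group wraps it so HBAC/sudo rules can use it.
map_ad_group() {
    mg_ad_group=$1 mg_ext=$2 mg_posix=$3
    run ipa group-add "$mg_ext" --external --desc="External: $mg_ad_group" || true
    run ipa group-add "$mg_posix" --desc="POSIX wrapper for $mg_ad_group" || true
    run ipa group-add-member "$mg_ext" --external "$mg_ad_group"
    run ipa group-add-member "$mg_posix" --groups "$mg_ext"
}

# Usage: sh phase3.sh apply   (after ipa-adtrust-install has run)
if [ "${1:-}" = "apply" ]; then
    add_ad_forwarding "<ad-forest-root-domain>" "<ad-dns-server-ip>"
    add_trust "<ad-forest-root-domain>" Administrator
    map_ad_group "Domain Admins@<ad-forest-root-domain>" ad_admins_external ad_admins
fi
```

Test cross-realm resolution afterwards with `id 'user@<ad-forest-root-domain>'` on an enrolled client; the POSIX wrapper group should appear in the output, and only then is it worth adding ad_admins to an HBAC rule.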

Phase 4: ISE Integration

  • Add FreeIPA as LDAP identity source in ISE

  • Configure bind credentials

  • Test authentication

  • Create authorization policies

Table 1. ISE LDAP Configuration

Setting               Value
Name                  FreeIPA-LDAP
Host                  ipa-01.inside.domusdigitalis.dev
Port                  636 (LDAPS); 389 only with STARTTLS
Base DN               dc=inside,dc=domusdigitalis,dc=dev
Bind DN               uid=<bind-account>,cn=sysaccounts,cn=etc,dc=inside,dc=domusdigitalis,dc=dev
                      (a dedicated read-only system account; do not bind as uid=admin,cn=users,cn=accounts,...)
User Object Class     posixAccount
User Name Attribute   uid
Group Object Class    groupOfNames (FreeIPA groups also carry posixGroup; the membership attribute is member)
Group Name Attribute  cn
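Creating the bind account the table calls for, as an added example that is not FreeIPA's own tooling: the account name ise-bind and the helper names are assumptions for this page. FreeIPA keeps such accounts under cn=sysaccounts,cn=etc; they have no Kerberos principal, no POSIX attributes and no shell, so a leaked bind password yields directory reads and nothing more. The entry is written with ldapmodify as Directory Manager, the documented way to create system accounts.

```shell
#!/bin/sh
# Added Phase 4 helper (not FreeIPA's own tooling).
BASE_DN=${BASE_DN:-dc=inside,dc=domusdigitalis,dc=dev}
IPA_SERVER=${IPA_SERVER:-ipa-01.inside.domusdigitalis.dev}

# sysaccount_ldif NAME PASSWORD: print the LDIF for a bind-only system account.
# 389 DS hashes userPassword on write. passwordExpirationTime far in the future
# keeps the global password policy from expiring the service credential;
# rotate it on your own schedule instead.
sysaccount_ldif() {
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$BASE_DN"
    printf 'changetype: add\n'
    printf 'objectclass: account\n'
    printf 'objectclass: simplesecurityobject\n'
    printf 'uid: %s\n' "$1"
    printf 'userPassword: %s\n' "$2"
    printf 'passwordExpirationTime: 20380119031407Z\n'
    printf 'nsIdleTimeout: 0\n'
}

# bind_dn NAME: the value for the ISE "Bind DN" field.
bind_dn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$BASE_DN"
}

# create_sysaccount NAME: read the new password from stdin (never from the
# command line) and add the entry as Directory Manager, whose password is
# prompted for by -W. -x selects a simple bind; -H ldaps:// keeps it off the wire.
create_sysaccount() {
    printf 'New password for %s: ' "$1" >&2
    stty -echo; read -r sa_pw; stty echo; printf '\n' >&2
    sysaccount_ldif "$1" "$sa_pw" | \
        ldapmodify -x -H "ldaps://$IPA_SERVER" -D 'cn=Directory Manager' -W
}

# verify_bind NAME: an authenticated search over LDAPS as the new account,
# looking up the printer service account from Phase 2. The IPA CA certificate
# at /etc/ipa/ca.crt (present on the server and on enrolled clients) is used to
# verify the server certificate; ISE needs the same CA loaded for the same reason.
verify_bind() {
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -x -H "ldaps://$IPA_SERVER" \
        -D "$(bind_dn "$1")" -W -b "cn=users,cn=accounts,$BASE_DN" \
        '(uid=brother-mfc)' uid memberOf
}

# Usage: sh ise-bind.sh create
if [ "${1:-}" = "create" ]; then
    create_sysaccount ise-bind && verify_bind ise-bind
fi
```

If verify_bind returns the entry, copy the output of `bind_dn ise-bind` into the ISE Bind DN field; if it fails with a TLS error rather than an authentication error, the CA certificate, not the account, is the problem.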

Phase 5: Client Enrollment

  • Install SSSD on Linux clients

  • Join clients to FreeIPA domain

  • Test Kerberos authentication

  • Verify sudo rules

Enroll Linux Client
# Install client packages
sudo dnf install -y freeipa-client

# Join domain
sudo ipa-client-install \
  --domain=inside.domusdigitalis.dev \
  --realm=INSIDE.DOMUSDIGITALIS.DEV \
  --server=ipa-01.inside.domusdigitalis.dev \
  --mkhomedir \
  --unattended
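As written, the join command above is unattended but passes no credential, so the installer has nothing to enrol with unless a host keytab already exists. The added example below, not FreeIPA's own tooling, uses the one-time-password flow instead: the host entry is pre-created on the server with a random OTP, the client joins with that OTP, and no admin password is ever typed on the client. It then covers the last two milestones, testing Kerberos-backed HBAC and sudo. The `--hostname` argument and the DRY_RUN convention are additions for this page.

```shell
#!/bin/sh
# Added Phase 5 enrolment helper (not FreeIPA's own tooling).
# Set DRY_RUN=1 to print commands instead of running them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# On the IPA server, with an admin ticket: pre-create the host entry with a
# random one-time password. ipa prints it as "Random password: ..."; it is
# consumed by the first successful enrolment.
server_precreate_host() {
    run ipa host-add "$1" --random
}

# On the client: join using the OTP. --unattended is safe here because the
# credential is supplied; without --password or --principal it would stop.
client_enroll() {
    ce_host=$1 ce_otp=$2
    run sudo ipa-client-install \
        --domain=inside.domusdigitalis.dev \
        --realm=INSIDE.DOMUSDIGITALIS.DEV \
        --server=ipa-01.inside.domusdigitalis.dev \
        --hostname="$ce_host" \
        --password="$ce_otp" \
        --mkhomedir \
        --unattended
}

# On the client, after enrolment: obtain a ticket as USER, ask the server
# whether HBAC admits USER to sshd on HOST (hbactest evaluates the rules
# without a login), and list what sudo grants USER here.
verify_access() {
    va_user=$1 va_host=$2
    run kinit "$va_user"
    run ipa hbactest --user="$va_user" --host="$va_host" --service=sshd
    run sudo -l -U "$va_user"
}

# Usage:
#   sh enroll.sh precreate <client-fqdn>            (on the server)
#   sh enroll.sh enroll <client-fqdn> <otp>         (on the client)
#   sh enroll.sh verify <user> <client-fqdn>        (on the client)
case "${1:-}" in
    precreate) server_precreate_host "$2" ;;
    enroll)    client_enroll "$2" "$3" ;;
    verify)    verify_access "$2" "$3" ;;
esac
```

If hbactest reports "Access granted: False" for a user you expect to log in, the HBAC rule is the problem, not SSSD; check `ipa hbacrule-find` before touching the client.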

Components

Component             Purpose                Port
389 Directory Server  LDAP directory         389/636 TCP
MIT Kerberos          Authentication/SSO     88/464 TCP and UDP
Dogtag CA             Certificate authority  8080/8443 TCP (not needed by clients, which reach the CA through the IPA web server on 443)
DNS                   Name resolution        53 TCP and UDP
HTTP/HTTPS            Web UI, API            80/443 TCP

Security Considerations

  • The Dogtag CA can run as its own root or be chained under an existing root (ipa-server-install --external-ca); decide up front whether it complements or replaces Vault PKI, because host and service certificates are issued from it from the first enrolment onward

  • Use LDAPS (port 636) for the ISE bind so credentials and user attributes are not sent in cleartext, and load the IPA CA certificate into ISE so the server certificate is verified rather than accepted blindly

  • Bind ISE with a dedicated read-only system account under cn=sysaccounts,cn=etc, never with uid=admin

  • Kerberos provides SSO across Linux hosts

  • HBAC rules control which users access which hosts; the default allow_all rule must be disabled once specific rules exist, otherwise HBAC enforces nothing

  • AD Trust enables Windows users to access Linux resources, still subject to the HBAC and sudo rules on the IPA side

Alternatives Considered

Solution   Notes                             Decision
OpenLDAP   Lightweight, no Kerberos/DNS      Too minimal
Authentik  Modern, no Kerberos               Not a RHEL-native platform
Keycloak   SSO focused, not host management  Complementary, not a replacement
FreeIPA    Full AD equivalent for Linux      Selected