This page covers common configuration steps for FreeIPA deployments. FreeIPA 4.13.1 includes enhanced configuration options with Modern WebUI beta and DNS over TLS/HTTPS support.
FreeIPA stores configuration in several locations:
/etc/ipa/default.conf
/etc/dirsrv/slapd-REALM/
/etc/krb5.conf
/etc/httpd/conf.d/ipa.conf
/etc/pki/pki-tomcat/certs/ca.crt
Configure user and group management:
# Set default shell for new users
ipa config-mod --defaultshell=/bin/bash
# Set home directory base
ipa config-mod --homedirectory=/home
# Inspect and adjust ID ranges (idrange-find lists the real range names; default_range below is a placeholder)
ipa idrange-find
ipa idrange-mod --range-size=20 default_range
Manage authentication settings:
# Configure the global password policy (global_policy already exists, so it is modified, not added)
ipa pwpolicy-mod global_policy --maxlife=90 --minlife=1 --history=5
# Set up 2FA: make OTP (HOTP/TOTP tokens) the default user authentication type
ipa config-mod --user-auth-type=otp
# Configure account lockout; lockout settings live in the password policy, not in the global config
ipa pwpolicy-mod global_policy --maxfail=3 --lockouttime=600
Configure Single Sign-On settings:
# Set session timeout
ipa config-mod --sessiontimeout=20
# Configure trusted domains
ipa config-mod --add-trusted-domain-search-list=example.com
# Configure authentication indicators
ipa config-mod --add-auth-indicators=pwd,otp
Manage PKI configuration:
# View CA info (the built-in CA is named "ipa")
ipa ca-show ipa
# List certificate profiles
ipa certprofile-find
# Enable CRL generation on this server (only one CRL master per deployment)
ipa-crlgen-manage enable
Configure DNS settings (if DNS is enabled):
# Add DNS zone
ipa dnszone-add example.com --dynamic-update=TRUE
# Configure DNS forwarders
ipa dnsconfig-mod --forwarder=8.8.8.8 --forwarder=8.8.4.4
# Set up DNSSEC: make this server the DNSSEC key master, then enable signing per zone
ipa-dns-install --dnssec-master
ipa dnszone-mod example.com --dnssec=TRUE
With FreeIPA 4.13.x, you have access to new configuration options:
Enable and configure the new Modern WebUI:
# The Modern WebUI is available alongside the classic UI
# Access via the login page, look for the Modern WebUI link
# Configuration is handled via the UI itself
Configure encrypted DNS queries:
# Enable DNS over TLS
ipa-dns-install --dns-over-tls
# Configure DoT forwarders
ipa dnsconfig-mod --forwarder="dot://8.8.8.8:853"
Manage system accounts:
# Add a system account
ipa sysaccount-add --desc="Service account for backup" backup_service
# Disable a system account
ipa sysaccount-disable backup_service
# Find system accounts
ipa sysaccount-find
Configure permissions and roles:
# Create a custom role
ipa role-add "User Admins" --desc="Manage users but not groups"
# Assign privileges to role
ipa role-add-privilege "User Admins" --privileges="User Administrators"
# Assign role to user
ipa role-add-member "User Admins" --users=john_doe
Most configuration changes take effect immediately. However, some may require service restarts:
# Restart IPA services if needed
sudo ipactl restart
# Or restart individual services (dirsrv is an instance unit named after the realm, e.g. dirsrv@EXAMPLE-COM)
sudo systemctl restart httpd
sudo systemctl restart dirsrv@REALM
Test your configuration:
# Verify configuration
ipa config-show
# Test user authentication
kinit admin
klist
# Test DNS resolution
ipa dnsrecord-find example.com --name=test
# Test certificate operations
ipa cert-request --principal=test/example.com certificate_request.csr
When customizing the FreeIPA web UI, prefer theme overrides over direct core file edits:
# Create a custom theme directory
sudo mkdir -p /usr/share/ipa/ui/themes/custom_theme
# Copy default templates
sudo cp -r /usr/share/ipa/ui/templates/* /usr/share/ipa/ui/themes/custom_theme/
# Update configuration to use custom theme
sudo sed -i 's/^#*dogtag_theme.*/dogtag_theme = custom_theme/' /etc/ipa/default.conf
# Restart IPA services
sudo ipactl restart
This keeps branding changes maintainable and reduces upgrade risk.
Use the IPA CLI or API for automated configuration:
# Using the IPA CLI in scripts
ipa user-add john_doe --first=John --last=Doe --email=john@example.com
# Using the JSON-RPC API: needs an authenticated ipa_session cookie (obtained from /ipa/session/login_password
# or login_kerberos, stored here in the placeholder file "cookiejar") and the Referer header the server requires.
# Options are passed as a JSON object using the API attribute names (givenname/sn), not the CLI's --first/--last.
curl -X POST -b cookiejar \
-H "Referer: https://ipa.example.com/ipa" \
-H "Content-Type: application/json" -H "Accept: application/json" \
-d '{"method":"user_add","params":[["john_doe"],{"givenname":"John","sn":"Doe"}],"id":0}' \
https://ipa.example.com/ipa/session/json
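As an added example (not FreeIPA's own tooling), the POSIX-sh helper below builds the JSON-RPC body in the shape the session endpoint expects and wraps the password login and an authenticated call, carrying the ipa_session cookie and the mandatory Referer header; the server URL, the IPA_PASSWORD and IPA_RUN variables and the cookie-jar path are assumptions.

```shell
# Added example: minimal FreeIPA JSON-RPC client in POSIX sh (assumes curl is
# installed; IPA_URL, IPA_PASSWORD and IPA_RUN are this script's own variables).
set -eu

IPA_URL="${IPA_URL:-https://ipa.example.com/ipa}"           # assumed hostname
COOKIE_JAR="${COOKIE_JAR:-${TMPDIR:-/tmp}/ipa_session.$$}"  # holds the ipa_session cookie

# Quote one value as a JSON string (escapes backslash and double quote only).
json_str() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Build the request body: positional arguments become the params list, key=value
# arguments the options object (wire names such as givenname/sn, not CLI flags).
ipa_rpc_body() {
  method="$1"; shift
  args=""; opts=""
  for a in "$@"; do
    case "$a" in
      *=*) opts="${opts:+$opts,}$(json_str "${a%%=*}"):$(json_str "${a#*=}")" ;;
      *)   args="${args:+$args,}$(json_str "$a")" ;;
    esac
  done
  printf '{"method":%s,"params":[[%s],{%s}],"id":0}' "$(json_str "$method")" "$args" "$opts"
}

# Password login: the server sets the ipa_session cookie and rejects requests
# whose Referer is not under its own base URL (a CSRF defence), so always send it.
ipa_login() {
  curl -sS --fail -c "$COOKIE_JAR" -o /dev/null \
    -H "Referer: $IPA_URL" -H 'Accept: text/plain' \
    --data-urlencode "user=$1" --data-urlencode "password=$2" \
    "$IPA_URL/session/login_password"
}

# Send one RPC call with the stored session cookie; prints the JSON response.
ipa_call() {
  curl -sS --fail -b "$COOKIE_JAR" \
    -H "Referer: $IPA_URL" -H 'Content-Type: application/json' \
    -H 'Accept: application/json' -d "$(ipa_rpc_body "$@")" "$IPA_URL/session/json"
}

# Only contact a server when explicitly asked, e.g. IPA_RUN=1 IPA_PASSWORD=... sh ipa_rpc.sh
if [ "${IPA_RUN:-}" = 1 ]; then
  ipa_login admin "${IPA_PASSWORD:?set IPA_PASSWORD}"
  ipa_call user_add john_doe givenname=John sn=Doe mail=john@example.com
  rm -f "$COOKIE_JAR"
fi
```

The body builder is separated from the transport so it can be checked offline, and the Referer header is the detail most hand-written curl calls against /ipa/session/json forget.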