Here’s a frequently asked questions (FAQ) section about FreeIPA, including information about the latest version 4.13.1 and its new features.
FreeIPA (Identity, Policy, Audit) is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others. It provides centralized identity, policy, and audit (IPA) capabilities for Linux/UNIX domain environments. The latest version is 4.13.1, featuring Modern WebUI beta, DNS over TLS/HTTPS support, and LDAP system accounts.
- Identity management: Manage Linux users and client hosts in your realm from one central location
- Authentication & Authorization: Centralized SSO, 2FA/MFA, Kerberos and LDAP integration
- DNS Services: Integrated DNS with dynamic updates and DNSSEC support
- Certificate Authority: Integrated Dogtag CA for certificate management
- Modern WebUI: Beta version available with responsive React-based interface
- Management Interfaces: CLI, Web UI, XMLRPC, JSONRPC API, and Python SDK
- Trust Relationships: Integration with Microsoft Active Directory via Cross Forest Trusts
- Policy Management: Define Kerberos authentication and authorization policies
FreeIPA 4.13.x introduces several new features:
- Modern WebUI (Beta): First beta version of the new modern WebUI with responsive design
- DNS over TLS/HTTPS (DoT/DoH): Support for encrypted DNS queries and responses for zero-trust environments
- LDAP System Accounts: Support for LDAP-based system accounts via a dedicated sysaccount plugin
- ID Range Fix Tool: New ipa-idrange-fix tool to detect and fix issues with IPA ID ranges
- Random Serial Numbers (RSN): Changed default CA serial number algorithm to random serial numbers (RSNv3)
FreeIPA is primarily designed for Linux-based systems:
- RHEL: 8, 9, and newer
- CentOS Stream: 8, 9
- Fedora: 35 and newer
- Ubuntu: 20.04 LTS, 22.04 LTS (with appropriate repositories)
- Debian: 10, 11, 12
¶ Installation and Setup
FreeIPA can be installed on supported Linux distributions using package managers:
- On RHEL/CentOS/Fedora: sudo dnf install ipa-server ipa-server-dns
- On Ubuntu/Debian: sudo apt install freeipa-server freeipa-server-dns
Then run the setup: sudo ipa-server-install --setup-dns --forwarder=8.8.8.8
For automated deployment, see the Setup Guide for detailed instructions.
- At least 4GB RAM (8GB recommended for production)
- 2 CPU cores minimum
- At least 20GB disk space
- Fully qualified domain name (FQDN) for the server
- Network connectivity to download packages
- Time synchronization (NTP) enabled
- Firewall ports 80, 443, 389, 636, 88, 464, 53 (TCP/UDP) open
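As an added example that is not part of the original FAQ or of FreeIPA itself, a preflight script that checks the requirements above before running ipa-server-install. The thresholds and port list are the ones given here; the use of GNU coreutils, firewalld and hostname -f to read the live values is an assumption.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): preflight checks for the server
# requirements listed above, to run before ipa-server-install. Each check is
# a function taking its inputs as arguments, so it can be exercised with
# constructed values; preflight_live feeds in the real system values.

# check_resources MEM_KB CPUS DISK_GB -> 0 when every minimum is met
check_resources() {
    mem_kb=$1; cpus=$2; disk_gb=$3; rc=0
    [ "$mem_kb" -ge 4194304 ] || { echo "FAIL: RAM below the 4GB minimum"; rc=1; }
    [ "$mem_kb" -ge 8388608 ] || echo "WARN: below the 8GB recommended for production"
    [ "$cpus" -ge 2 ]         || { echo "FAIL: fewer than 2 CPU cores"; rc=1; }
    [ "$disk_gb" -ge 20 ]     || { echo "FAIL: less than 20GB disk available"; rc=1; }
    return $rc
}

# check_fqdn NAME -> 0 when NAME is fully qualified: two or more labels of
# letters, digits and inner hyphens, no trailing dot (so "localhost" fails)
check_fqdn() {
    printf '%s\n' "$1" |
        grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# missing_ports "OPEN ..." -> prints the required ports absent from OPEN
REQUIRED_PORTS="80 443 389 636 88 464 53"
missing_ports() {
    out=""
    for p in $REQUIRED_PORTS; do
        case " $1 " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# preflight_live: read the host's real values (GNU coreutils and firewalld
# assumed; ports opened as firewalld services are not seen by --list-ports)
preflight_live() {
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    disk=$(df -BG --output=avail / | tail -n 1 | tr -dc '0-9')
    open=$(firewall-cmd --list-ports 2>/dev/null | sed 's#/[a-z]*##g')
    check_resources "$mem" "$(nproc)" "$disk"
    check_fqdn "$(hostname -f)" || echo "FAIL: hostname is not an FQDN"
    miss=$(missing_ports "$open")
    [ -z "$miss" ] || echo "FAIL: firewall ports not open: $miss"
}

if [ "${1:-}" = "run" ]; then preflight_live; fi
```

Run it as `sh preflight.sh run` on the candidate server; without the argument only the functions are defined.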
¶ User and Group Management
Users can be managed through multiple interfaces:
- Web UI: Accessible via browser at https://ipa.example.com
- Command Line: Using the ipa command (e.g., ipa user-add, ipa user-mod)
- API: Using JSON-RPC API or Python SDK
- Bulk Operations: Import users from CSV or sync from external sources
Administrators can create, edit and delete users, and manage attributes such as group memberships and permissions.
Groups can be managed similarly to users:
- Web UI: Through the Groups section
- Command Line: Using ipa group-* commands
- API: Through the JSON-RPC API
FreeIPA supports nested groups and role-based access control.
¶ Security and Integration
¶ 9. What is the difference between FreeIPA and Active Directory?
Both systems provide identity management, but:
- FreeIPA is open-source and focuses on Linux/Unix environments
- Active Directory is a Microsoft solution optimized for Windows environments
- FreeIPA integrates DNS, CA, and other services in a single solution
- FreeIPA supports trust relationships with Active Directory for hybrid environments
Yes, FreeIPA can establish trust relationships with Active Directory for cross-platform identity management. This allows users in AD to authenticate to services that use FreeIPA and vice versa. The trust relationship enables single sign-on across both domains.
Yes, FreeIPA implements multiple security measures:
- Kerberos for authentication
- SSL/TLS for secure communications
- Fine-grained access control policies
- Certificate-based authentication
- DNS over TLS/HTTPS (4.13.x+) for encrypted DNS queries
- Random serial numbers for certificates (4.13.x+) to prevent enumeration
Follow the security best practices outlined in the Security Guide, including:
- Enforcing TLS policies
- Protecting admin and host enrollment workflows
- Using role-based delegation instead of broad admin access
- Restricting web UI and API access to trusted networks
- Keeping CA and key material protected and backed up
- Monitoring replication health and failed authentication patterns
¶ 13. Can FreeIPA manage both users and machines?
Yes, FreeIPA can manage both:
- User identities: Users, groups, roles, and permissions
- Host identities: Client systems enrolled in the domain
- Service principals: Services registered with Kerberos
- System accounts (4.13.x+): LDAP-based system accounts via the sysaccount plugin
You can customize the FreeIPA web UI using themes:
- Create a custom theme directory: /usr/share/ipa/ui/themes/custom_theme/
- Copy default templates: sudo cp -r /usr/share/ipa/ui/templates/* /usr/share/ipa/ui/themes/custom_theme/
- Modify templates as needed
- Activate the theme by editing /etc/ipa/default.conf and setting dogtag_theme = custom_theme
- Restart the service: sudo ipactl restart
Note: With FreeIPA 4.13.x, consider using the new Modern WebUI instead of customizing the classic interface.
- Always back up your installation before upgrading: ipa-backup --data
- Update packages using your distribution’s package manager
- Run ipa-server-upgrade to perform any necessary data migrations
- Check the release notes for any specific upgrade instructions
- Test functionality after upgrade
The Modern WebUI is a new interface introduced in FreeIPA 4.13.0 featuring:
- Built with React and PatternFly 6
- More intuitive design and improved workflows
- Responsive layout for mobile and tablet access
- Runs alongside the classic WebUI for gradual transition
- Accessible via the login page alongside the classic interface
Common troubleshooting steps include:
- Check service status: sudo ipactl status
- Review logs in /var/log/ (Apache, Directory Server, Kerberos, etc.)
- Run health checks: ipa-healthcheck --all
- Verify network connectivity and DNS resolution
- Check time synchronization across servers
- Review certificate validity
If you lose admin access:
- Use the Directory Manager account to reset admin password
- Access via kinit -p <directory-manager-account> and then reset admin password
- If all else fails, restore from a recent backup
Monitor FreeIPA using:
- Built-in health checks: ipa-healthcheck
- Standard system monitoring tools
- Log analysis for authentication success/failure rates
- Performance metrics for LDAP, Kerberos, and DNS services
- Certificate expiration alerts
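An added example (not from the original FAQ or the FreeIPA project) of the log analysis mentioned in the troubleshooting and monitoring answers above: shell functions that tally authentication outcomes per principal and per client address from krb5kdc.log-style lines. The sample lines are constructed, and the log location /var/log/krb5kdc.log is an assumption.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): summarise KDC authentication
# outcomes from krb5kdc.log, the "failed authentication patterns" and
# "authentication success/failure rates" mentioned above. SAMPLE_LOG holds
# constructed lines in the MIT krb5 KDC format FreeIPA's KDC writes
# (on a server the real file is typically /var/log/krb5kdc.log).

SAMPLE_LOG='Mar 04 10:15:02 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Mar 04 10:15:02 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.10: ISSUE: authtime 1709547302, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 04 10:15:05 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 04 10:15:09 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 04 10:15:14 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 198.51.100.7: PREAUTH_FAILED: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Mar 04 10:15:20 ipa.example.com krb5kdc[1320](info): AS_REQ (4 etypes {18 17 20 19}) 192.0.2.44: ISSUE: authtime 1709547320, etypes {rep=18 tkt=18 ses=18}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# awk helpers shared by the reports: client principal and client address of
# an AS_REQ record (IPv4 form; IPv6 addresses would need a wider match)
AWK_HELPERS='
function principal(s) { sub(/ for .*/, "", s); sub(/.*[,:] /, "", s); return s }
function client(s)    { sub(/.*\) /, "", s); sub(/:.*/, "", s); return s }
'

# auth_by_principal < log -> "principal issued failed", one line each, sorted
auth_by_principal() {
    awk "$AWK_HELPERS"'
        / AS_REQ .*: ISSUE: /          { p = principal($0); ok[p]++;  seen[p] = 1 }
        / AS_REQ .*: PREAUTH_FAILED: / { p = principal($0); bad[p]++; seen[p] = 1 }
        END { for (p in seen) printf "%s %d %d\n", p, ok[p] + 0, bad[p] + 0 }
    ' | LC_ALL=C sort
}

# failures_by_client < log -> "client failures distinct_principals", most
# failures first; one address failing against many principals is the pattern
# worth alerting on, rather than a single user mistyping a password
failures_by_client() {
    awk "$AWK_HELPERS"'
        / AS_REQ .*: PREAUTH_FAILED: / {
            c = client($0); p = principal($0); n[c]++
            if (!((c, p) in pair)) { pair[c, p] = 1; d[c]++ }
        }
        END { for (c in n) printf "%s %d %d\n", c, n[c], d[c] }
    ' | LC_ALL=C sort -k2,2nr
}

# flag_clients THRESHOLD < log -> addresses with THRESHOLD or more failures
flag_clients() {
    failures_by_client | awk -v t="$1" '$2 >= t { print $1 }'
}

# On a server: auth_by_principal < /var/log/krb5kdc.log (path assumed)
printf '%s\n' "$SAMPLE_LOG" | auth_by_principal
```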
To configure DNS over TLS (DoT):
ipa dnsconfig-mod --forwarder="dot://8.8.8.8:853"
This feature enhances security for DNS queries in zero-trust environments.
LDAP System Accounts allow for system-level accounts:
# Add a system account
ipa sysaccount-add --desc="Service account for backup" backup_service
# Disable a system account
ipa sysaccount-disable backup_service
# Find system accounts
ipa sysaccount-find
These accounts are intended for services and system operations rather than human users.