
Managing users, hosts, and authentication policies across multiple Linux servers is a real operational challenge. Without a centralized identity system, you end up manually managing /etc/passwd entries, SSH keys, and sudoers files on every single machine. That scales poorly and creates security gaps that are hard to track. FreeIPA solves this by giving you a unified platform for authentication, access control, and certificate management across your entire Linux infrastructure.
This guide walks you through a complete FreeIPA on AlmaLinux 10 setup from scratch. You will configure DNS and hostname resolution, install packages from the AppStream repository, run the interactive installer, open firewall ports, create users and groups, enroll a client machine, and set up HBAC and sudo policies. Everything here is tested on AlmaLinux 10 with FreeIPA 4.12.2, which ships directly from the AppStream repository with no module streams required.
By the end of this guide, you will have a production-ready FreeIPA server with a Web UI, a Kerberos realm, centralized sudo, and at least one enrolled client.
What Is FreeIPA and Why Use It on AlmaLinux 10
FreeIPA (Free Identity, Policy, and Audit) is an open-source centralized identity management platform sponsored by Red Hat. It is the upstream project for Red Hat Identity Manager (IdM), which means it follows the same development path as the enterprise product but ships freely as part of RHEL-compatible distributions.
FreeIPA is not just an LDAP server. It bundles six core components into one integrated system:
- 389 Directory Server – Multi-master LDAPv3 directory serving as the central data store for all users, hosts, and policies.
- MIT Kerberos KDC – Handles single sign-on (SSO) authentication across all enrolled systems.
- Dogtag Certificate System – A full certificate authority (CA) and registration authority (RA) for certificate lifecycle management.
- ISC BIND – DNS server with an LDAP backend for automatic SRV record management.
- Apache httpd – Hosts the FreeIPA Web UI and JSON-RPC API.
- SSSD – System Security Services Daemon, installed on client machines for caching and local authentication.
AlmaLinux 10 is a 1:1 binary-compatible RHEL 10 rebuild, which means it ships the same packages and receives the same upstream support. FreeIPA 4.12.2 is available directly from the AlmaLinux 10 AppStream repository without any module stream activation. That makes installation straightforward compared to AlmaLinux 8 or 9, where module streams were required.
Prerequisites
Before you install FreeIPA on AlmaLinux 10, verify your environment meets all of the following requirements. Missing any of these is the leading cause of failed installations:
- OS: AlmaLinux 10 with a fresh minimal installation
- RAM: At least 4 GB (the Dogtag CA setup regularly fails on machines with less than 4 GB)
- CPU: 2 or more vCPUs
- Disk: Minimum 10 GB free space for logs and directory databases
- FQDN: A fully qualified domain name (e.g., ipa.example.com) that resolves to the server’s real network IP address, not 127.0.0.1 or ::1
- Static IP: Required for consistent DNS resolution across enrolled clients
- Ports free: TCP 80, 443, 389, 636, 88, 464, 53 and UDP 88, 464, 53, 123 must not be in use by other services
- Root or sudo access on the server
Step 1: Set the Hostname and Configure DNS Resolution
FreeIPA is extremely sensitive to hostname configuration. The installer checks that the FQDN resolves to a real network IP and will abort if it resolves to the loopback address. Fix this before touching any packages.
Set the FQDN using hostnamectl:
sudo hostnamectl set-hostname ipa.example.com
Verify the hostname was applied:
hostnamectl --static
Expected output:
ipa.example.com
If you do not have a DNS server handling this domain yet, add the server’s IP and FQDN to /etc/hosts. Replace 10.0.1.10 with your actual server IP address:
echo "10.0.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts
Confirm the FQDN resolves to the correct IP:
ping -c 2 ipa.example.com
Expected output:
PING ipa.example.com (10.0.1.10) 56(84) bytes of data.
64 bytes from ipa.example.com (10.0.1.10): icmp_seq=1 ttl=64 time=0.031 ms
Critical warning: If the FQDN resolves to 127.0.0.1, the installer will fail during certificate generation. Always verify this before running the installer.
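The prerequisites and the hostname check above lend themselves to a small preflight script run before ipa-server-install. The following Python script is an added example, not part of the original guide or of FreeIPA itself: it applies the same three checks (FQDN not resolving to a loopback address, at least 4 GB of RAM, and the required ports not already in use) to constructed /etc/hosts, /proc/meminfo and ss -Hlntup samples so that it runs offline. The hostnames, addresses, memory figures and process names in the samples are made up; on a real server you would feed it the live files and the live ss output.

```python
"""Preflight checks for the FreeIPA prerequisites listed above.
Added example: the sample inputs below are constructed, not captured."""
import ipaddress
import re

FQDN = "ipa.example.com"  # assumed server name, as used in the guide

# Ports the guide requires to be free before the installer runs.
REQUIRED_TCP = {80, 443, 389, 636, 88, 464, 53}
REQUIRED_UDP = {88, 464, 53, 123}
MIN_RAM_KB = 4 * 1024 * 1024  # 4 GiB, the practical minimum for the Dogtag CA


def resolve_from_hosts(hosts_text, name):
    """Return the address an /etc/hosts file maps `name` to (first match wins)."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if name in fields[1:]:
            return fields[0]
    return None


def check_fqdn(hosts_text, name):
    """Reject short names and names that resolve to 127.0.0.1 or ::1."""
    if "." not in name:
        return False, f"{name} is not a fully qualified domain name"
    addr = resolve_from_hosts(hosts_text, name)
    if addr is None:
        return False, f"{name} does not resolve"
    if ipaddress.ip_address(addr).is_loopback:
        return False, f"{name} resolves to loopback address {addr}"
    return True, f"{name} resolves to {addr}"


def check_memory(meminfo_text):
    """Read MemTotal from /proc/meminfo-style text and compare to 4 GiB."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.M)
    if not m:
        return False, "could not read MemTotal"
    total_kb = int(m.group(1))
    if total_kb < MIN_RAM_KB:
        return False, f"only {total_kb // 1024} MiB RAM; the CA setup needs 4 GiB"
    return True, f"{total_kb // 1024} MiB RAM"


def listening_ports(ss_text):
    """Parse `ss -Hlntup` output into {(proto, port): process name}.
    Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        port = int(fields[4].rsplit(":", 1)[1])
        proc = re.search(r'users:\(\("([^"]+)"', line)
        listeners[(fields[0], port)] = proc.group(1) if proc else "unknown"
    return listeners


def port_conflicts(ss_text):
    """Return the required ports that are already taken, with their owner."""
    taken = listening_ports(ss_text)
    conflicts = {}
    for proto, wanted in (("tcp", REQUIRED_TCP), ("udp", REQUIRED_UDP)):
        for port in sorted(wanted):
            if (proto, port) in taken:
                conflicts[(proto, port)] = taken[(proto, port)]
    return conflicts


def preflight(hosts_text, meminfo_text, ss_text, name=FQDN):
    """Run every check; return (all_ok, messages)."""
    results = [check_fqdn(hosts_text, name), check_memory(meminfo_text)]
    conflicts = port_conflicts(ss_text)
    if conflicts:
        detail = ", ".join(f"{p}/{proto} ({proc})"
                           for (proto, p), proc in conflicts.items())
        results.append((False, f"ports in use: {detail}"))
    else:
        results.append((True, "required ports are free"))
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed sample inputs: a host that would fail every check, and one that passes.
HOSTS_BAD = "127.0.0.1 localhost ipa.example.com ipa\n::1 localhost6\n"
HOSTS_GOOD = "127.0.0.1 localhost\n::1 localhost6\n10.0.1.10 ipa.example.com ipa\n"
MEMINFO_SMALL = "MemTotal:        2007456 kB\nMemFree:          812344 kB\n"
MEMINFO_OK = "MemTotal:        8123456 kB\nMemFree:         6012344 kB\n"
SS_SAMPLE = """tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1320,fd=6))
tcp   LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=1320,fd=7))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=700,fd=5))
"""

if __name__ == "__main__":
    ok, messages = preflight(HOSTS_BAD, MEMINFO_SMALL, SS_SAMPLE)
    for msg in messages:
        print(msg)
    print("READY" if ok else "NOT READY")
```

Run it after the installer has been run once and every required port will show as taken, which is correct: the port check is only meaningful before installation, while the FQDN and memory checks remain valid at any time.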
Step 2: Sync the System Timezone and Apply Updates
Kerberos authentication uses time-based ticket validation. A clock skew of more than 5 minutes between the server and clients causes authentication failures. Set the correct timezone before installation:
sudo timedatectl set-timezone Asia/Jakarta
Replace Asia/Jakarta with your own timezone. If you are unsure of the exact timezone string, list all options:
timedatectl list-timezones
Apply all pending system updates:
sudo dnf update -y
If a new kernel was installed, reboot before proceeding:
sudo systemctl reboot
Step 3: Install FreeIPA Server Packages on AlmaLinux 10
On AlmaLinux 10, FreeIPA packages install directly from the AppStream repository. No module stream activation is needed, which is a notable improvement over AlmaLinux 8 and 9.
Install the base FreeIPA server:
sudo dnf install -y freeipa-server
Install the integrated DNS component (recommended for most deployments):
sudo dnf install -y freeipa-server-dns
If you need Active Directory trust support, add this package as well:
sudo dnf install -y freeipa-server-trust-ad
Verify the installed version:
ipa --version
Expected output:
VERSION: 4.12.2, API_VERSION: 2.262
Step 4: Run the FreeIPA Server Installation Script
The ipa-server-install command is the interactive setup that configures all FreeIPA components in a single pass. This is the most important step in the entire process.
Option A: Install with Integrated DNS (Recommended)
Use this option if you want FreeIPA to manage DNS for your domain. This is the recommended choice for most new deployments:
sudo ipa-server-install --setup-dns
Option B: Install Without DNS
Use this option only if an external DNS server already manages your domain zone:
sudo ipa-server-install
Interactive Prompts and Recommended Answers
The installer asks a series of configuration questions. Here are the prompts and what to enter:
Server host name [ipa.example.com]: # Press Enter to confirm
Please confirm the domain name [example.com]: # Press Enter to confirm
Please provide a realm name [EXAMPLE.COM]: # Press Enter to confirm
Directory Manager password: # Enter a strong password (LDAP admin)
IPA admin password: # Enter a strong password (Web UI admin)
Do you want to configure DNS forwarders? [yes]: yes
Enter an IP address for a DNS forwarder: 8.8.8.8
Enter an IP address for a DNS forwarder: 1.1.1.1
Enter an IP address for a DNS forwarder (empty to skip):
Do you want to search for missing reverse zones? [yes]: # Press Enter
Do you want to create reverse zone for 1.0.10.in-addr.arpa.? [yes]: # Press Enter
Continue to configure the system with these values? [no]: yes
The installation runs for 5 to 15 minutes depending on your hardware. It sets up the 389 Directory Server, Kerberos KDC, Dogtag CA, Apache httpd, BIND DNS, and chronyd. A successful run ends with this output:
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
==============================================================================
If the installer fails, open /var/log/ipaserver-install.log for the full error trace. The three most common failure causes are incorrect hostname resolution, less than 4 GB RAM, and port conflicts with existing services.
Step 5: Open Required Firewall Ports for FreeIPA
FreeIPA uses predefined firewalld service names, which keeps the firewall commands clean. Open all required services in one command:
sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps,kerberos,kpasswd} --permanent
sudo firewall-cmd --reload
Verify the services are active:
sudo firewall-cmd --list-services
Expected output:
cockpit dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ntp ssh
Here is a quick reference table of all ports FreeIPA requires:
| Port | Protocol | Service |
|---|---|---|
| 80, 443 | TCP | HTTP / HTTPS (Web UI) |
| 389, 636 | TCP | LDAP / LDAPS |
| 88, 464 | TCP/UDP | Kerberos authentication |
| 53 | TCP/UDP | DNS |
| 123 | UDP | NTP (Chronyd) |
Step 6: Verify IPA Services and Authenticate with Kerberos
After opening the firewall, verify all FreeIPA services are running with ipactl:
sudo ipactl status
Expected output:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Now get a Kerberos ticket for the admin user. You need this ticket before you can run any ipa CLI commands:
kinit admin
Verify the ticket was issued:
klist
Expected output:
Ticket cache: KCM:0:58115
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
04/06/2026 09:15 04/07/2026 09:15 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Set the default shell for all new IPA users to /bin/bash:
ipa config-mod --defaultshell=/bin/bash
Step 7: Log In to the FreeIPA Web Interface
Open a browser and navigate to:
https://ipa.example.com
The Web UI uses the internal CA certificate generated during installation. Your browser will show a certificate warning on first visit. To avoid this going forward, import the IPA CA certificate directly into your browser trust store:
https://ipa.example.com/ipa/config/ca.crt
Log in with username admin and the IPA admin password you set during installation. The dashboard gives you full navigation across four main areas:
- Identity – Users, groups, hosts, services
- Policy – HBAC rules, sudo rules, password policies
- Authentication – Certificates, OTP tokens, Kerberos settings
- Network Services – DNS zones, records, and automount maps
Step 8: Create Users and Groups From the CLI
The FreeIPA CLI is faster than the Web UI for creating multiple users and groups. Here is how to add a user and assign them to a group.
Add a New User
ipa user-add jdoe \
--first=John --last=Doe \
--email=jdoe@example.com --password
Expected output shows the auto-assigned UID and GID:
Added user "jdoe"
User login: jdoe
First name: John
Last name: Doe
UID: 1201400001
GID: 1201400001
Password: True
Member of groups: ipausers
Kerberos keys available: True
Note: Passwords set by an admin are marked expired by default. The user must change their password on first login. This is intentional security behavior, not a bug.
Create a Group and Add Members
ipa group-add engineering --desc="Engineering team"
ipa group-add-member engineering --users=jdoe
ipa group-show engineering
Expected output:
Group name: engineering
Description: Engineering team
GID: 1201400002
Member users: jdoe
Step 9: Enroll an AlmaLinux 10 Client Into the FreeIPA Domain
Run these commands on a separate AlmaLinux 10 machine, not the IPA server.
Install the FreeIPA client package:
sudo dnf install -y freeipa-client
If you are not using integrated DNS, add the IPA server to the client’s /etc/hosts:
echo "10.0.1.10 ipa.example.com ipa" | sudo tee -a /etc/hosts
Set the client hostname to a domain-joined FQDN:
sudo hostnamectl set-hostname client1.example.com
Run the enrollment command. The --mkhomedir flag creates home directories for IPA users automatically on first login:
sudo ipa-client-install --mkhomedir --server=ipa.example.com --domain=example.com
The installer prompts for the IPA admin credentials to authorize the enrollment. After completion, test SSH access as an IPA user:
ssh jdoe@client1.example.com
On first login, the user must change the admin-set password. After the change, run id to verify group memberships came through correctly:
id
Expected output:
uid=1201400001(jdoe) gid=1201400001(jdoe) groups=1201400001(jdoe),1201400002(engineering)
Step 10: Configure Host-Based Access Control (HBAC) Policies
By default, FreeIPA has an allow_all HBAC rule that lets any enrolled user log into any enrolled host. In production, that is a security risk. Disable it and create targeted access rules.
Create an Admin Safety Rule First
Before disabling allow_all, create a rule that keeps admin access intact. Skipping this step will lock you out of all enrolled hosts:
ipa hbacrule-add allow_admin_all --desc="Admin access to all hosts"
ipa hbacrule-add-user allow_admin_all --users=admin
ipa hbacrule-mod allow_admin_all --hostcat=all --servicecat=all
Disable the Default Rule
ipa hbacrule-disable allow_all
Create a Targeted HBAC Rule
Allow the engineering group to access client1.example.com via SSH and console login:
ipa hbacrule-add allow_engineering_client1 --desc="Engineering access to client1"
ipa hbacrule-add-user allow_engineering_client1 --groups=engineering
ipa hbacrule-add-host allow_engineering_client1 --hosts=client1.example.com
ipa hbacrule-add-service allow_engineering_client1 --hbacsvcs=sshd
ipa hbacrule-add-service allow_engineering_client1 --hbacsvcs=login
Test the Rule Before Going Live
FreeIPA has a built-in HBAC test command. Always test before trusting the rule in production:
ipa hbactest --user=jdoe --host=client1.example.com --service=sshd
Expected output:
--------------------
Access granted: True
--------------------
Matched rules: allow_engineering_client1
Step 11: Manage Sudo Permissions Centrally with FreeIPA
Centralized sudo means you manage all sudo permissions from the IPA server. No editing /etc/sudoers on individual hosts. SSSD on each enrolled client pulls sudo rules automatically from IPA.
Create a Full Sudo Rule
ipa sudorule-add sudo_engineering --desc="Sudo for engineering team"
ipa sudorule-add-user sudo_engineering --groups=engineering
ipa sudorule-add-host sudo_engineering --hosts=client1.example.com
ipa sudorule-mod sudo_engineering --cmdcat=all
Create a Restricted Sudo Rule
To limit sudo to a specific command only, register the command first, then reference it in a rule:
ipa sudocmd-add /usr/bin/systemctl
ipa sudorule-add sudo_systemctl_only --desc="Ops can run systemctl"
ipa sudorule-add-user sudo_systemctl_only --groups=engineering
ipa sudorule-add-host sudo_systemctl_only --hosts=client1.example.com
ipa sudorule-add-allow-command sudo_systemctl_only --sudocmds=/usr/bin/systemctl
Verify on the Client
On the enrolled client, check that SSSD has pulled the sudo rule from IPA:
sudo sssctl sudo-rules jdoe
Expected output:
Rule: sudo_engineering
Matched
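Steps 10 and 11 both rely on the same evaluation logic: a user is granted access (or a sudo command) if at least one enabled rule matches the user, the host and the service or command, where a category set to all matches anything. The Python model below is an added example, not FreeIPA or SSSD code, and it is deliberately simplified (no host groups, no sudo deny commands or command groups, no run-as settings). It reproduces the lockout the guide warns about when allow_all is disabled without allow_admin_all, and shows how the restricted sudo rule limits jdoe to the one registered command. The group memberships are constructed to match the users created in Step 8.

```python
"""Simplified model of how SSSD evaluates FreeIPA HBAC and sudo rules.
Added illustration, not FreeIPA code."""
from dataclasses import dataclass, field

# Group memberships as created in Step 8 (constructed to match the guide).
GROUPS = {"jdoe": {"ipausers", "engineering"}, "admin": {"admins"}}


@dataclass
class Rule:
    """One HBAC or sudo rule. `targets` holds HBAC services (sshd, login)
    for HBAC rules and allowed commands for sudo rules."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    usercat_all: bool = False        # --usercat=all
    hosts: set = field(default_factory=set)
    hostcat_all: bool = False        # --hostcat=all
    targets: set = field(default_factory=set)
    targetcat_all: bool = False      # --servicecat=all or --cmdcat=all

    def matches(self, user, host, target):
        if not self.enabled:
            return False
        user_ok = (self.usercat_all or user in self.users
                   or bool(GROUPS.get(user, set()) & self.groups))
        host_ok = self.hostcat_all or host in self.hosts
        target_ok = self.targetcat_all or target in self.targets
        return user_ok and host_ok and target_ok


def evaluate(rules, user, host, target):
    """Grant if any enabled rule matches; also return the matched rule names,
    mirroring the 'Matched rules:' line printed by ipa hbactest."""
    matched = [r.name for r in rules if r.matches(user, host, target)]
    return bool(matched), matched


def hbac_rules(allow_all_enabled, with_admin_rule):
    """The HBAC rule set from Step 10 at a chosen point in the procedure."""
    rules = [Rule("allow_all", enabled=allow_all_enabled,
                  usercat_all=True, hostcat_all=True, targetcat_all=True)]
    if with_admin_rule:
        rules.append(Rule("allow_admin_all", users={"admin"},
                          hostcat_all=True, targetcat_all=True))
    rules.append(Rule("allow_engineering_client1", groups={"engineering"},
                      hosts={"client1.example.com"}, targets={"sshd", "login"}))
    return rules


# Sudo rules from Step 11.
SUDO_ENGINEERING = Rule("sudo_engineering", groups={"engineering"},
                        hosts={"client1.example.com"}, targetcat_all=True)
SUDO_SYSTEMCTL_ONLY = Rule("sudo_systemctl_only", groups={"engineering"},
                           hosts={"client1.example.com"},
                           targets={"/usr/bin/systemctl"})

if __name__ == "__main__":
    # allow_all disabled with no safety rule: admin is locked out of every
    # host that no other rule covers.
    print(evaluate(hbac_rules(False, False), "admin", "db1.example.com", "sshd"))
    print(evaluate(hbac_rules(False, True), "admin", "db1.example.com", "sshd"))
    # jdoe is limited to client1 and to the sshd and login services.
    print(evaluate(hbac_rules(False, True), "jdoe", "client1.example.com", "sshd"))
    print(evaluate(hbac_rules(False, True), "jdoe", "client2.example.com", "sshd"))
    # Restricted sudo rule: only the registered command is allowed.
    print(evaluate([SUDO_SYSTEMCTL_ONLY], "jdoe", "client1.example.com", "/usr/bin/systemctl"))
    print(evaluate([SUDO_SYSTEMCTL_ONLY], "jdoe", "client1.example.com", "/usr/bin/bash"))
```

The first two evaluations are the point of the "admin safety rule first" ordering: the same query for admin on a host outside client1 returns no matched rule at all once allow_all is disabled, unless allow_admin_all already exists.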
Step 12: Keep SELinux Enforcing on AlmaLinux 10
FreeIPA 4.12.2 on AlmaLinux 10 is fully compatible with SELinux in Enforcing mode. Do not disable SELinux in production. If you see permission errors, audit the denials first:
sudo ausearch -m avc -ts recent
sudo sealert -a /var/log/audit/audit.log
Verify your current SELinux mode:
getenforce
Expected output:
Enforcing
Disabling SELinux exposes your server to privilege escalation risks and is not a valid troubleshooting step for FreeIPA issues.
Troubleshooting Common FreeIPA Installation Errors on AlmaLinux 10
Here are the five most common errors you will encounter, with specific fixes for each:
1. FQDN resolves to 127.0.0.1
Symptom: Installation aborts with a certificate or hostname validation error.
Fix: Edit /etc/hosts and ensure your FQDN maps to the real network IP address, not the loopback. Run ping ipa.example.com to confirm resolution before retrying.
2. Dogtag CA setup fails or pki-tomcatd will not start
Symptom: Installer hangs or exits during CA configuration.
Fix: This almost always points to insufficient RAM. FreeIPA requires at least 4 GB. Increase the VM’s memory allocation and re-run the installer.
3. Port conflict prevents installation
Symptom: Installer reports that port 80, 443, 389, or another port is already in use.
Fix: Run ss -tlnp | grep -E ':(80|443|53|389|636|88)\s' to identify the process listening on the conflicting port; anchoring the pattern on the colon and trailing whitespace avoids false matches against PIDs or unrelated ports such as 8080. Stop or remove that process before retrying.
4. Client enrollment fails with DNS resolution error
Symptom: ipa-client-install fails with “Unable to resolve IPA server.”
Fix: Verify the client’s /etc/resolv.conf or NetworkManager configuration points to the IPA server’s IP for DNS. Also confirm port 53 is reachable from the client to the server.
5. Kerberos clock skew error
Symptom: kinit fails with “Clock skew too great.”
Fix: Force-sync the system clock immediately:
sudo chronyc makestep
Then verify time sync status:
chronyc tracking
Backup and Long-Term Maintenance Best Practices
A FreeIPA server holds your entire authentication infrastructure. Back it up regularly:
sudo ipa-backup
Backups are written to /var/lib/ipa/backup/. Move them to off-server storage immediately after creation.
Key log files to monitor on an ongoing basis:
- /var/log/dirsrv/ – 389 Directory Server logs
- /var/log/krb5kdc.log – Kerberos KDC logs
- /var/log/ipaserver-install.log – Full installation history
- /var/log/httpd/ – Web UI and API request logs
To restart all FreeIPA services at once:
sudo ipactl restart
For production environments, set up FreeIPA replication across two servers. A single FreeIPA server is a single point of failure for all authentication in your infrastructure.
Congratulations! You have successfully installed FreeIPA on AlmaLinux 10. Thanks for using this tutorial; for additional help or useful information, check the official FreeIPA website.