This is a full, step-by-step guide to launching, preparing and configuring a FreeIPA server inside a Podman container, and then accessing the FreeIPA web dashboard over HTTPS.

## Step 1: Allow Web Ports

FreeIPA uses the standard web ports 80 and 443. Linux does not normally let unprivileged container processes bind these ports directly, so lower the start of the unprivileged port range to 80:

```bash
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
```

## Step 2: Start the Container

FreeIPA depends on system services such as LDAP and Kerberos that are managed by systemd, so the container must be started with systemd enabled:

```bash
podman run -d --name freeipa-server \
  --systemd=always \
  --restart always \
  --cap-add=SYS_ADMIN \
  -p 443:443 -p 80:80 -p 389:389 -p 636:636 \
  -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp \
  -h ipa.example.edu \
  almalinux:9 /usr/sbin/init
```

- `--systemd=always` lets systemd run inside the container.
- `--restart always` makes sure the container starts again after a reboot or crash.
- `--cap-add=SYS_ADMIN` grants the container the SYS_ADMIN capability, which is a broad one.
- The `-p` options publish the ports FreeIPA needs.

## Step 3: Enter the Container

FreeIPA is installed and configured from inside the running container:

```bash
podman exec -it freeipa-server /bin/bash
```

## Step 4: Prepare the Container

As mentioned in the previous blog, the AlmaLinux image is very minimal. Create the missing directories, install the packages, restore the LDAP schema files and set a few security options:

```bash
# 1. Install foundational packages
dnf install -y ipa-server ipa-server-dns

# 2. Reconstruct missing directory structures
rm -rf /etc/dirsrv /etc/sysconfig /etc/tmpfiles.d /etc/pkcs11
mkdir -p /etc/sysconfig /etc/tmpfiles.d /etc/pkcs11/modules /etc/dirsrv/config
mkdir -p /var/lib/ipa/sysrestore /var/lib/ipa-client/sysrestore /var/log/dirsrv

# 3. Restore missing LDAP schemas and configure cryptographic policies
dnf reinstall -y 389-ds-base --setopt=tsflags=noscripts --setopt=sslverify=false
echo "module: /usr/lib64/libsofthsm2.so" > /etc/pkcs11/modules/softhsm2.module
update-crypto-policies --set LEGACY

# 4. Generate necessary Kerberos configuration placeholders
touch /etc/sysconfig/krb5kdc /etc/sysconfig/kadmin
chmod 644 /etc/sysconfig/krb5kdc /etc/sysconfig/kadmin

# 5. Map local networking and identity alignment
MY_IP=$(hostname -I | awk '{print $1}')
echo -e "127.0.0.1\tlocalhost\n$MY_IP\tipa.example.edu ipa" > /etc/hosts

# 6. Set Java and Certificate Authority environment variables
export JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true"
export NSS_SDB_USE_CACHE=yes
```

Two of these settings relax security: `--setopt=sslverify=false` disables TLS certificate verification for that single dnf transaction, and `update-crypto-policies --set LEGACY` lowers the system-wide crypto policy. Both are workarounds for the minimal image, so review them before reusing this setup outside a test environment.

## Step 5: Install FreeIPA

With the container prepared, run the FreeIPA installer in unattended mode. Replace `YOUR_DS_PASSWORD` and `YOUR_ADMIN_PASSWORD` with your own secure passwords.

```bash
ipa-server-install \
  --unattended \
  --domain=example.edu \
  --realm=EXAMPLE.EDU \
  --ds-password=<YOUR_DS_PASSWORD> \
  --admin-password=<YOUR_ADMIN_PASSWORD> \
  --no-ntp \
  --no-host-dns \
  --no-pkinit \
  --skip-mem-check
```

## Step 6: Access the Web Interface

If the container runs on the local system, add this line to the hosts file:

```
127.0.0.1 ipa.example.edu
```

Then open the browser:

```
https://ipa.example.edu
```

Log in with:

- Username: admin
- Password: YOUR_ADMIN_PASSWORD

### Remote Access via SSH Tunnel

If the container runs on a remote server, use an SSH tunnel:

```bash
ssh -L 443:localhost:443 -L 80:localhost:80 user@remote-server
```

Then add the same hosts line locally and open the browser.

## Step 7: Verify the Installation

Inside the container, check the FreeIPA service status and test Kerberos authentication to confirm that FreeIPA and Kerberos are working:

```bash
kinit admin
ipa user-show admin
```

## Step 8: Make the Port Change Permanent

The sysctl change from Step 1 is reset on reboot. To keep it:

```bash
echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
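Two checks for Step 7 that go a little beyond the page: one compares `podman port` output against the ports the Step 2 command publishes, the other flags any service that `ipactl status` (FreeIPA's own status command) does not report as RUNNING. This is an added example, not code from the original post; both functions read command output on stdin so they can be run on constructed samples, and the line formats in the comments are assumed from typical output of those two commands.

```bash
# Added example, not part of the original post. Real use:
#   podman port freeipa-server | missing_published_ports
#   podman exec freeipa-server ipactl status | services_not_running

# Ports published by the Step 2 `podman run`; FreeIPA needs all of them.
REQUIRED_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp"

# Reads `podman port` output (assumed format: "443/tcp -> 0.0.0.0:443"),
# prints each required port that is not published, returns how many are missing.
missing_published_ports() {
    local published missing=0 p
    published=$(awk '{print $1}')
    for p in $REQUIRED_PORTS; do
        if ! printf '%s\n' "$published" | grep -qx "$p"; then
            echo "not published: $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Reads `ipactl status` output (assumed format: "krb5kdc Service: RUNNING"),
# prints each service whose state is not RUNNING, returns how many are down.
# Summary lines such as "ipa: INFO: ..." carry no " Service: " and are skipped.
services_not_running() {
    local down=0 line name state
    while IFS= read -r line; do
        case "$line" in
            *" Service: "*)
                name=${line%% Service:*}
                state=${line##*: }
                if [ "$state" != "RUNNING" ]; then
                    echo "not running: $name ($state)"
                    down=$((down + 1))
                fi
                ;;
        esac
    done
    return "$down"
}
```

Both functions return the count of problems as their exit status, so they can gate a script with `|| exit 1` or feed a monitoring check.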
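The Step 8 command appends to `/etc/sysctl.conf` every time it runs, so re-running the guide leaves duplicate lines. As an added example (not from the original post), this function writes the setting to a drop-in under `/etc/sysctl.d` and is safe to re-run: an existing line for the key is updated in place. The file name `90-freeipa-ports.conf` is an assumption.

```bash
# Added example, not part of the original post.
# ensure_sysctl FILE KEY VALUE: make FILE contain exactly one "KEY = VALUE"
# line for KEY, creating the file (and its directory) if needed.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # Key already present (possibly with another value): rewrite that line.
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        echo "$key = $value" >> "$file"
    fi
}

# sysctl_file_value FILE KEY: print the value recorded for KEY in FILE.
sysctl_file_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Real use (as root): write the drop-in, then load every sysctl.d file.
#   ensure_sysctl /etc/sysctl.d/90-freeipa-ports.conf \
#       net.ipv4.ip_unprivileged_port_start 80
#   sysctl --system
```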