How to Install FreeIPA Server with Docker on Debian 12

FreeIPA is an open-source identity management solution for Linux/Unix operating systems. It's an upstream project from the RedHat Identity Management System, which provides authentication and authorization solutions for Linux/Unix systems.

FreeIPA is built on top of multiple components, including the Directory Server, DNS, Kerberos, PKI, Certmonger, NTP Server, web administration UI, etc. It provides a centralized source of user credentials and access control. Using FreeIPA allows administrators to manage identity in a centralized environment easily, and also provides user monitoring, authentication, and access control.

In this guide, you will install and set up the FreeIPA server on a Debian 12 machine via Docker. You will install Docker CE (Community Edition), build a FreeIPA Server Docker image, install the FreeIPA Server, and then learn the basic management of the FreeIPA server. In addition, you will learn how to add a Linux client machine as a FreeIPA client to the FreeIPA server that runs as a Docker container.

Prerequisites

For this guide, you will need a Linux server running Debian 12 or Debian 11 with a minimum of 4 GB of memory. You will also need a root user or non-root user with administrator privileges. As for the client, you can use any Linux distribution, but for this example, you will be using Ubuntu as the FreeIPA client machine.

Setup FQDN and Timezone

Before installing Docker and FreeIPA, you must first ensure that you have the proper fqdn (fully qualified domain name), a correct '/etc/hosts' file, and the proper timezone. In this first step, you will set up the fqdn, the '/etc/hosts' file, and the timezone on your Debian server.

To start, set up the fqdn of your FreeIPA server by entering the following command.

sudo hostnamectl set-hostname ipa.hwdomain.lan

Now open the '/etc/hosts' file using the following nano editor command.

sudo nano /etc/hosts

Add details of IP address, fqdn, and the hostname of your system.

192.168.5.10 ipa.hwdomain.lan  ipa

Save and close the file when finished.

Now type the following commands to verify the fqdn of your system and ensure that the fqdn points to the correct internal IP address.

sudo hostname -f
sudo ping -c3 ipa.hwdomain.lan

Next, enter the following command to set up the timezone on your system. Be sure to change the timezone in the following command with your server timezone.

sudo timedatectl set-timezone Europe/Stockholm

Enter the following command to set up the localtime for your system.

sudo unlink /etc/localtime
sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
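
The FreeIPA installer refuses to run when the server's FQDN resolves to a loopback address, is not fully qualified, or contains uppercase letters, so it is worth checking these conditions before building anything. The script below is an added example for this guide, not part of the original tutorial or of FreeIPA: it takes the text of a hosts file and a name, and reports the address the name maps to or why the mapping is unusable. The sample hosts text in the usage comment is constructed.

```shell
#!/bin/sh
# Pre-flight check for the FreeIPA host setup described above.
# Added example, not part of the original tutorial.

# check_fqdn_syntax NAME -> 0 when NAME has a domain part and is lowercase,
# which is what ipa-server-install expects of its own hostname.
check_fqdn_syntax() {
    case "$1" in
        *.*) ;;
        *) echo "not a fully qualified name: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[[:upper:]]*) echo "hostname must be lowercase: $1" >&2; return 1 ;;
    esac
    return 0
}

# hosts_lookup HOSTS_TEXT NAME -> prints the first address mapped to NAME
# in hosts-file text; returns 1 when there is no entry. Comment lines and
# lines without an alias are skipped.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# check_host_mapping HOSTS_TEXT NAME -> prints the address when NAME maps to
# a non-loopback address; returns 1 otherwise (the Debian default
# "127.0.1.1 <hostname>" line is exactly the mapping FreeIPA rejects).
check_host_mapping() {
    addr=$(hosts_lookup "$1" "$2") || { echo "no hosts entry for $2" >&2; return 1; }
    case "$addr" in
        127.*|::1) echo "$2 maps to loopback ($addr); FreeIPA needs a routable address" >&2; return 1 ;;
    esac
    echo "$addr"
}

# Usage on the real server (constructed hosts text shown in the test harness):
#   fqdn=$(hostname -f)
#   check_fqdn_syntax "$fqdn" && check_host_mapping "$(cat /etc/hosts)" "$fqdn"
```

Run it after editing '/etc/hosts'; a non-zero exit with a message on stderr tells you which of the three conditions the installer would have tripped over.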

Now go to the next step to start the Docker CE installation.

Installing Docker CE

FreeIPA Server can be installed in several ways; on Debian-based distributions, you can use Docker. In this section, you will install Docker CE (Community Edition) via the official Docker repository, then set up your user to allow executing and running Docker containers.

First, input the following apt command to install basic dependencies. When prompted, input y to confirm and press ENTER to proceed.

sudo apt install ca-certificates \
    curl \
    gnupg \
    git \
    lsb-release

Next, add and download the GPG key of the Docker CE repository.

sudo mkdir -m 0755 -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

Once the GPG key is added, enter the following command to add the Docker CE repository.

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Now run the 'apt update' command below to update and refresh your Debian package index.

sudo apt update

Then, install the Docker CE packages by entering the 'apt install' command below. Input y to confirm when prompted and press ENTER to proceed.

sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

With Docker CE installed, the service is started and enabled automatically. Execute the 'systemctl' commands below to verify the Docker service.

sudo systemctl is-enabled docker
sudo systemctl status docker

You should see the output 'enabled', meaning the Docker service will automatically run at system startup. The output 'active (running)' confirms that the current Docker service is running.

Lastly, if you plan to run your Docker application via a non-root user, then you must add your user to the group 'docker'. Type the following command to add your user to the group 'docker'. In this example, you will add a user 'bob' to the 'docker' group.

sudo usermod -aG docker bob

Now log in as the user 'bob' and type the docker command below to run the 'hello-world' container. If successful, you should see the welcome message from the container printed on your terminal screen.

su - bob
docker run hello-world

With this, you have run a Docker container as the non-root user 'bob'. For the rest of this guide, you will execute commands as the user 'bob'.

Building FreeIPA Docker Image

In this section, you will build the Docker image for the FreeIPA server. To do that, you can download the FreeIPA container repository from the official FreeIPA GitHub page. The repository ships a Dockerfile for several base distributions, and you can pick any of them for the image.

First, install 'git' to your Debian server via the apt command below. When prompted, input y to confirm, then press ENTER.

sudo apt install git

Now run the following git command to download the 'freeipa-container' repository to your system. Then, move your working directory into it.

git clone https://github.com/freeipa/freeipa-container.git
cd freeipa-container

Now run the 'ls' command below to verify the list of files and directories on the 'freeipa-container' repository. You should see multiple files of Dockerfile that you can use to set up the FreeIPA server on your Debian system.

ls

Next, enter the following command to build a new FreeIPA server Docker image. In this example, you will create a FreeIPA server Docker image based on the 'AlmaLinux 9' and will be called 'freeipa-almalinux9'.

docker build -t freeipa-almalinux9 -f Dockerfile.almalinux-9 .

Once the 'docker build' command is executed, you should see the building process of the Docker image for the FreeIPA server.

When the process is finished, you should see the output such as 'naming to .../.../freeipa-almalinux9'.

Run the following command to verify the list of Docker images that are available on your system. You should see the Docker image called 'freeipa-almalinux9' created and available on your system.

docker images

With the FreeIPA Docker image created, you will install the FreeIPA server and configuration via Docker.

Creating FreeIPA Server Container

In this section, you will install and configure the FreeIPA server via the Docker container. You will run a new container with the base image 'freeipa-almalinux9' that you have created, then you will start the configurations of the FreeIPA server. Once configurations are finished, you will next set up the port mapping of the FreeIPA server container to the Docker host machine.

First, type the following command to create a new data directory '/var/lib/freeipa-data'. This will be used as the FreeIPA server data directory.

sudo mkdir -p /var/lib/freeipa-data

Now run the following 'docker run' command to create and run the FreeIPA server container. In this example, you will create a new FreeIPA container called 'freeipa-server-almalinux9' and store FreeIPA server data to the host machine on the '/var/lib/freeipa-data' directory.

docker run --name freeipa-server-almalinux9 -ti \
    -h ipa.hwdomain.lan --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /var/lib/freeipa-data:/data:Z freeipa-almalinux9

During the installation, you should be asked for some configurations of the FreeIPA server.

When asked to set up integrated DNS via BIND, press ENTER or input no.

Now input the server hostname, the domain name, and the REALM for your FreeIPA server.

Now type a new password and repeat for the Directory manager and IPA admin user.

For the NetBIOS name, leave it as default and press ENTER. As for NTP configuration, input no or just press ENTER.

Now check and verify the configuration summary of your FreeIPA server installation. When finished, type 'yes' and press ENTER to confirm. The FreeIPA server configuration then runs, which takes some time.

When the FreeIPA server configuration is finished, you should receive an output such as 'Setup complete' and the instructions for the next steps.

Now open a new terminal session and connect to your Debian server. Then, log in as the user 'bob' and enter the following docker command to verify the running container on your system.

docker ps

You should see the container called 'freeipa-server-almalinux9' with the status 'Up'.

At this point, the FreeIPA server is running with data that is now stored in the '/var/lib/freeipa-data' directory. In the next step, you must add port mapping for the FreeIPA server.

Enter the following commands to stop and remove the container 'freeipa-server-almalinux9'. This removes the container but leaves the data directory '/var/lib/freeipa-data' intact.

docker stop freeipa-server-almalinux9
docker rm freeipa-server-almalinux9

Then run the following command to create a new container with port mapping for the FreeIPA server. This creates a new version of the container 'freeipa-server-almalinux9' with the specified ports mapped to the host machine, using the same data directory as the previous FreeIPA server.

docker run --name freeipa-server-almalinux9 -ti \
    -h ipa.hwdomain.lan -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
    --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /var/lib/freeipa-data:/data:Z freeipa-almalinux9

Switch to the other terminal session again and run the following commands to stop and then start the container 'freeipa-server-almalinux9'. This ensures that the container runs in the background, detached from your terminal.

docker stop freeipa-server-almalinux9
docker start freeipa-server-almalinux9

Check the list of running containers again; you should see the container 'freeipa-server-almalinux9' running with the new ports mapped to the host machine.

docker ps
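
Rather than eyeballing the PORTS column, you can check the mapping against the list of ports FreeIPA needs. The script below is an added example, not part of the tutorial or of the freeipa-container project: it lists the ports the 'docker run' command above publishes and reports any that 'docker port freeipa-server-almalinux9' does not show. A missing Kerberos or LDAP port is the usual reason a client enrolment later fails, so this is cheap to run after every container re-creation. The 'docker port' text used in the usage comment is constructed.

```shell
#!/bin/sh
# Post-deployment port check for the FreeIPA container published above.
# Added example, not part of the original tutorial.

# Ports the tutorial publishes with -p, as port/proto, one per line.
REQUIRED_PORTS='53/tcp
53/udp
80/tcp
443/tcp
389/tcp
636/tcp
88/tcp
88/udp
464/tcp
464/udp
123/udp'

# published_ports DOCKER_PORT_TEXT -> prints each "port/proto" that appears
# in text of the form `docker port` prints, e.g. "389/tcp -> 0.0.0.0:389".
# IPv4 and IPv6 bindings of the same port collapse to one line.
published_ports() {
    printf '%s\n' "$1" | awk '$2 == "->" { print $1 }' | sort -u
}

# missing_ports DOCKER_PORT_TEXT -> prints required ports that are not
# published (one per line) and returns 1; returns 0 when all are present.
missing_ports() {
    have=$(published_ports "$1")
    missing=""
    for p in $REQUIRED_PORTS; do
        printf '%s\n' "$have" | grep -qx "$p" || missing="$missing$p
"
    done
    [ -z "$missing" ] && return 0
    printf '%s' "$missing"
    return 1
}

# Usage on the Docker host:
#   if missing_ports "$(docker port freeipa-server-almalinux9)"; then
#       echo "all FreeIPA ports are published"
#   fi
```

If the function prints anything, the container was started without the corresponding '-p' flag; stop and remove it and re-run the 'docker run' command above with the full port list.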

With this, the deployment of the FreeIPA Server via Docker is finished. Your FreeIPA server is now reachable by clients, and you have set the administrator passwords for both the IPA admin user and the Directory Manager.

Authenticate against FreeIPA Server

After installing the FreeIPA server via Docker, you will now verify the installation by authenticating to the FreeIPA Kerberos server from the Docker host. To do that, you must ensure that the domain name of your FreeIPA server resolves to the correct server, and you must have the Kerberos client utilities installed.

Before you start, open the '/etc/hosts' file on your Debian system using the following nano editor command.

sudo nano /etc/hosts

Add the following line to the file, changing the IP address and the domain name to those of your FreeIPA server host.

192.168.5.10 ipa.hwdomain.lan

Save and close the file when you are done.

Next, install the 'krb5-user' package to your system via the apt command below. This will install some Kerberos utilities that can be used to connect to your FreeIPA server.

sudo apt install krb5-user

Input y when prompted and press ENTER to proceed.

When asked for the default REALM configuration, input the REALM of your FreeIPA server. In this example, the REALM is 'HWDOMAIN.LAN'.

As for the Kerberos server, input the domain name of your FreeIPA server such as 'ipa.hwdomain.lan'.

Use the same value for the administrative server for the Kerberos realm - 'ipa.hwdomain.lan'.

The installation should now be finished, and the settings you entered are written to the '/etc/krb5.conf' file.
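
For reference, here is what the three answers above amount to as a krb5.conf, written as an added example rather than the exact file the krb5-config package generates (its layout may differ). The first function renders a minimal configuration for the realm and KDC used in this guide; the second extracts the KDC configured for a realm so you can check an existing file. The settings 'dns_lookup_kdc = false' and 'rdns = false' are my additions: the server above was installed without integrated DNS, so there are no SRV records to discover the KDC from, and disabling reverse lookups keeps a spoofed PTR record from steering the client to a different realm or KDC.

```shell
#!/bin/sh
# krb5.conf rendering and checking for a FreeIPA realm.
# Added example, not the file written by the krb5-config prompts.

# render_krb5_conf REALM KDC_HOST DOMAIN -> prints a krb5.conf to stdout
render_krb5_conf() {
    realm=$1 kdc=$2 domain=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # The server was installed without integrated DNS, so there are no
    # _kerberos SRV records to discover the KDC from; name it explicitly.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Do not let a reverse lookup decide which realm or KDC to trust.
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# realm_kdc CONFIG_TEXT REALM -> prints the kdc configured for REALM in the
# [realms] section; returns 1 when the realm has no kdc entry.
realm_kdc() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^\[/ { section = $0 }
        section == "[realms]" && $1 == realm && $3 == "{" { inside = 1; next }
        inside && $1 == "}" { inside = 0 }
        inside && $1 == "kdc" && $2 == "=" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Usage: write the rendered file, then confirm the KDC the client will use.
#   render_krb5_conf HWDOMAIN.LAN ipa.hwdomain.lan hwdomain.lan | sudo tee /etc/krb5.conf
#   realm_kdc "$(cat /etc/krb5.conf)" HWDOMAIN.LAN
```

With the explicit 'kdc' line and DNS lookups disabled, 'kinit admin' only ever talks to 'ipa.hwdomain.lan', which is the behaviour you want while the server's name comes from '/etc/hosts' rather than from DNS.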

With the Kerberos utilities installed, enter the following command to test authentication to the Kerberos server that is running as a Docker container. When prompted, input the admin password for your FreeIPA server.

kinit admin

Enter the following command to verify your authentication to the Kerberos server. When successful, you should get the details of the tickets for your Kerberos authentication.

klist

Lastly, you can also visit your FreeIPA server web administration dashboard. Be sure that the domain name of your FreeIPA server is added to the '/etc/hosts' file on your local machine.

Open your web browser and visit the FreeIPA server domain name (e.g. https://ipa.hwdomain.lan/). When successful, you should see the FreeIPA server login page.

Input the user admin and your password, then click Log in.

When authentication is successful, you should see the web administration dashboard of your FreeIPA server.

Adding FreeIPA User and Group via the Command Line

There are different methods for managing the FreeIPA server that runs as a Docker container: you can manage it via the web administration dashboard or directly from inside the FreeIPA server container. In this section, you will manage FreeIPA users and groups via the 'ipa' command-line utility from the FreeIPA server container.

First, enter the following command to log in to the 'freeipa-server-almalinux9' container.

docker exec -it freeipa-server-almalinux9 /bin/bash

Once inside the container, authenticate against the Kerberos server as the user 'admin', then verify the Kerberos ticket details. When prompted for the password, input the IPA admin password you set during the server installation.

kinit admin
klist

After being authenticated to Kerberos, you can now start configuring the FreeIPA server.

Enter the following 'ipa config-mod' command to set up the default shell for FreeIPA users to '/bin/bash'.

ipa config-mod --defaultshell=/bin/bash

You should see the current user configuration of the FreeIPA server.

Next, enter the following command to create a new FreeIPA user called 'ubuntu'. Input a new password when prompted and repeat it.

ipa user-add ubuntu --first=Ubuntu --last=Linux --password

Once added, you should get an output such as 'Added user "ubuntu"'.

Now enter the following command to find the user 'ubuntu' on your FreeIPA server. When the user is available, you should get an output such as '1 user matched'. Also, you can see the details of the user 'ubuntu'.

ipa user-find ubuntu

You can also get the raw details of a FreeIPA user by entering the following command.

ipa user-show --raw ubuntu

Below is a similar output you will get.

[Screenshot: output of 'ipa user-show --raw ubuntu']

Next, create a new group 'development' using the 'ipa group-add' command, then verify that the new group is added and available.

ipa group-add --desc='Development Team' development
ipa group-find development

Now run the following 'ipa group-add-member' command to add the FreeIPA user 'ubuntu' to the group 'development'.

ipa group-add-member --user=ubuntu development

Verify the detail of group 'development' using the following command. You should see the user 'ubuntu' added to the group 'development'.

ipa group-show development
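
The commands in this section are fine typed once, but a script that re-runs them fails on "already exists" errors. The following shell functions are an added example, not part of the tutorial: each one checks with 'ipa user-show', 'ipa group-show', or the raw 'member:' attribute before changing anything, so the script can be run repeatedly inside the container after 'kinit admin'. The IPA variable is my addition so the functions can be pointed at a stub for a dry run; passwords are deliberately left out (set them with the '--password' prompt as in the tutorial, or with 'ipa passwd').

```shell
#!/bin/sh
# Idempotent user/group provisioning with the ipa CLI.
# Added example, not part of the original tutorial. Run inside the
# FreeIPA server container after `kinit admin`.
IPA=${IPA:-ipa}   # command to run; override with a stub for a dry run

# ensure_user LOGIN FIRST LAST -> creates LOGIN when it does not exist.
# Prints "exists" or "created". No password is set here.
ensure_user() {
    if "$IPA" user-show "$1" >/dev/null 2>&1; then
        echo "exists"
    else
        "$IPA" user-add "$1" --first="$2" --last="$3" >/dev/null
        echo "created"
    fi
}

# ensure_group NAME DESCRIPTION -> creates NAME when it does not exist.
# Prints "exists" or "created".
ensure_group() {
    if "$IPA" group-show "$1" >/dev/null 2>&1; then
        echo "exists"
    else
        "$IPA" group-add "$1" --desc="$2" >/dev/null
        echo "created"
    fi
}

# ensure_member GROUP LOGIN -> adds LOGIN to GROUP unless it is already a
# member. The raw output lists members as DNs ("member: uid=LOGIN,...").
# Prints "exists" or "added".
ensure_member() {
    if "$IPA" group-show "$1" --raw 2>/dev/null | grep -q "^ *member: uid=$2,"; then
        echo "exists"
    else
        "$IPA" group-add-member "$1" --users="$2" >/dev/null
        echo "added"
    fi
}

# Usage, reproducing the tutorial's objects:
#   ensure_user ubuntu Ubuntu Linux
#   ensure_group development "Development Team"
#   ensure_member development ubuntu
```

Because every function reads before it writes, running the script twice produces "exists" on the second pass instead of errors, which is what you want when the same provisioning script is applied to several FreeIPA servers.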

Adding Hosts to FreeIPA Server

FreeIPA makes adding a new host straightforward via the FreeIPA client package, which provides the 'ipa-client-install' utility. In this section, you will add an Ubuntu machine to the FreeIPA server 'ipa.hwdomain.lan' that runs as a container.

Below are the steps you must do to add a new host to the FreeIPA server:

  • Setup FQDN and Timezone of the Client machine
  • Installing FreeIPA Client packages
  • Verify the FreeIPA Client machine

Now let's start adding the Ubuntu machine to the FreeIPA Server Docker container.

Setup FQDN and Timezone

First, log in to your client machine and set up the fqdn using the following command.

sudo hostnamectl set-hostname client01.hwdomain.lan

Now open the config file '/etc/hosts' using the following nano editor command.

sudo nano /etc/hosts

Add the following lines to the file and be sure to change the details of the IP address, fqdn, and hostname.

192.168.5.10    ipa.hwdomain.lan        ipa
192.168.5.121   client01.hwdomain.lan   client01

Save the file when you're done.

Now enter the following commands to ensure that the fqdn of the client machine points to the correct IP address and that the domain name of the FreeIPA server also resolves to the correct IP address.

ping -c3 ipa.hwdomain.lan
ping -c3 client01.hwdomain.lan

Next, enter the following command to set up the timezone of your client machine.

sudo timedatectl set-timezone Europe/Stockholm

Lastly, enter the following command to set up the '/etc/localtime' file to the proper timezone settings.

sudo unlink /etc/localtime
sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime

Installing FreeIPA Client

First, update and refresh your Ubuntu package index via the apt command below.

sudo apt update

Now install the FreeIPA client package using the following command. When prompted, input y to confirm and press ENTER to proceed.

sudo apt install freeipa-client oddjob-mkhomedir

When prompted for the default REALM domain name, input your main domain such as 'HWDOMAIN.LAN'.

For the Kerberos server of your realm, input the FreeIPA server domain name 'ipa.hwdomain.lan'.

Lastly, input the FreeIPA server domain name 'ipa.hwdomain.lan' again as the administrative server for the Kerberos realm.

Once the FreeIPA client package is installed, run the 'ipa-client-install' command below to add the client machine to the FreeIPA server. Be sure to change the FreeIPA server domain name and realm to your own.

sudo ipa-client-install --hostname="$(hostname -f)" \
    --mkhomedir \
    --server=ipa.hwdomain.lan \
    --domain=hwdomain.lan \
    --realm=HWDOMAIN.LAN

When asked whether to proceed with the fixed values, input yes to confirm and press ENTER. As for the NTP server, leave it at the default of no. Lastly, input yes again to confirm the installation.

Below is the output during the installation and configuration.

[Screenshot: ipa-client-install output]

Once finished, an output such as 'The ipa-client-install command was successful' will be printed to your terminal screen.

Verify Hosts FreeIPA Client

From the FreeIPA server, type the following command to connect to the client machine '192.168.5.121' using the FreeIPA user 'ubuntu'. When prompted, input yes to confirm and add the SSH fingerprint of the client machine, then input the password for the 'ubuntu' FreeIPA user.

ssh ubuntu@192.168.5.121

Once logged in, you should be asked to change the current password: input the current password, then input the new password and repeat it.

Lastly, enter the following command to identify your current user. You should see that you've logged into the client machine via the user 'ubuntu', which is also part of the group 'development'.

id
whoami

Conclusion

In this tutorial, you have learned how to install and deploy the FreeIPA server via Docker on a Debian 12 server. You have also learned the basic usage of the 'ipa' command for creating and managing FreeIPA users and groups and also learned how to obtain a Kerberos ticket via the kinit command and log in to the FreeIPA web administration via the admin user and password.

Lastly, you have also added an Ubuntu client machine to the FreeIPA server via the FreeIPA client package. You've learned step-by-step how to do it and verified your settings by logging into the client machine as a FreeIPA user.

With this, you can now add more hosts, users, and groups to your FreeIPA server. You can also integrate FreeIPA into your production environment. For detailed information, visit FreeIPA's official documentation.
