Red Hat IdM

Red Hat IdM (Identity Management) provides a centralized and unified way to manage identity stores, authentication, policies, and authorization policies in a Linux-based domain.

This document explains how to plan the Identity Management deployment and how to install Identity Management server, client, and replicas.

Info

FreeIPA is the upstream project for Red Hat IdM. Thus the commands for IdM is still ipa.

Tested Environment

Role	Specs	Operating System	IdM Version	Hostname	IP Address
IdM Server	4 vCPU / 8 GB RAM / 32 GB Disk	Red Hat Enterprise Linux 10 (Coughlan)	VERSION: 4.12.2, API_VERSION: 2.254	idm1.aadya.tech	10.12.20.5
IdM Server	4 vCPU / 8 GB RAM / 32 GB Disk	Red Hat Enterprise Linux 10 (Coughlan)	VERSION: 4.12.2, API_VERSION: 2.254	idm2.aadya.tech	10.12.20.6
Linux Host	1 vCPU / 1 GB RAM / 8 GB Disk	Ubuntu 24.04 Server (Noble Numbat)	4.11.1, API_VERSION: 2.253	srv1.aadya.tech	10.12.20.51

Tip

Alternatively, for server you can use "AlmaLinux 10 (Purple Lion)" or "Rocky Linux 10.0 (Red Quartz)"

IdM Environment Topology

flowchart TB
 subgraph idm1["idm1.aadya.tech"]
        A["Domain Suffix"]
        B["CA Suffix"]
  end
 subgraph idm2["idm2.aadya.tech"]
        C["Domain Suffix"]
        D["CA Suffix"]
  end
 subgraph idm["IdM Servers"]
        idm1
        idm2
  end
 subgraph client["srv1.aadya.tech<br>(Linux Host)"]
  end
    A <-. replication .-> C
    B <-. replication .-> D
    client --> idm

    A@{ shape: rounded}
    B@{ shape: rounded}
    C@{ shape: rounded}
    D@{ shape: rounded}
    style idm stroke-dasharray: 5 5, stroke-width:2px

Prerequisites

A domain you own such as aadya.tech.
Two RedHat 10 servers setup as below:
- Login as root to update the system and install some essential tools.
  Bash
```
dnf update -y
dnf install -y bind-utils traceroute wireshark-cli
```
- By default IdM uses a very high UID and GID value to avoid conflicts with local user accounts and groups. This works in most cases, but can cause issues with unprivileged LXC containers. So you set a lower value of 4000 for UID_MAX and GID_MAX.
  Bash
```
sed -i 's/^$UID_MAX[ \t]*$[0-9]\+/\14000/' /etc/login.defs
sed -i 's/^$GID_MAX[ \t]*$[0-9]\+/\14000/' /etc/login.defs
```
- Install IdM.
  Bash
```
dnf install -y ipa-server ipa-server-dns
```
- Open required ports on the server firewall.
  Bash
```
firewall-cmd --permanent --add-service={freeipa-ldap,freeipa-ldaps,dns}
firewall-cmd --reload
```
- Define IdM parameters as variables accordingly to your installation.
  Bash
```
REALM=AADYA.TECH
DOMAIN=aadya.tech
IDM1HOSTNAME=idm1.aadya.tech
IDM2HOSTNAME=idm2.aadya.tech
IDM1IP=10.12.20.5
IDM2IP=10.12.20.6
SUBNET=10.12.20.0/24
DSPASSWD=DinoP@ss1
ADMINPASSWD=D*noP2ss
```
- Update DNS on the server to IP addresses of the IdM servers you are going to deploy and reload network. Make sure to use the right interface name, in your case it's ens18.
  Bash
```
nmcli con mod ens18 ipv4.dns "$IDM1IP $IDM2IP"
nmcli device reapply ens18
```

Application Deployment

First IdM Server Deployment

Setup first IdM server.

Bash

ipa-server-install --realm $REALM --domain $DOMAIN \
--hostname=$IDM1HOSTNAME --idstart=5000 --idmax=70535 \
--ds-password $DSPASSWD --admin-password $ADMINPASSWD \
--setup-dns --forwarder 8.8.8.8 --forwarder 9.9.9.9 \
--auto-reverse --allow-zone-overlap --no-ntp --unattended

Command Output

Bash

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Excluded by options:
  * Configure the NTP client (chronyd)

Warning: skipping DNS resolution of host idm1.aadya.tech
Checking DNS domain aadya.tech., please wait ...
Checking DNS forwarders, please wait ...
Reverse zone 20.12.10.in-addr.arpa. will be created
Using reverse zone(s) 20.12.10.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.

The IPA Master Server will be configured with:
Hostname:       idm1.aadya.tech
IP address(es): 10.12.20.5
Domain name:    aadya.tech
Realm name:     AADYA.TECH

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=AADYA.TECH
Subject base: O=AADYA.TECH
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       8.8.8.8, 9.9.9.9
Forward policy:   only
Reverse zone(s):  20.12.10.in-addr.arpa.

Adding [10.12.20.5 idm1.aadya.tech] to your /etc/hosts file
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=aadya,dc=tech ...
Perform post-installation tasks ...
  [2/42]: adding default schema
  [3/42]: enabling memberof plugin
  [4/42]: enabling winsync plugin
  [5/42]: configure password logging
  [6/42]: configuring replication version plugin
  [7/42]: enabling IPA enrollment plugin
  [8/42]: configuring uniqueness plugin
  [9/42]: configuring uuid plugin
  [10/42]: configuring modrdn plugin
  [11/42]: configuring DNS plugin
  [12/42]: enabling entryUSN plugin
  [13/42]: configuring lockout plugin
  [14/42]: configuring graceperiod plugin
  [15/42]: configuring topology plugin
  [16/42]: creating indices
  [17/42]: enabling referential integrity plugin
  [18/42]: configuring certmap.conf
  [19/42]: configure new location for managed entries
  [20/42]: configure dirsrv ccache and keytab
  [21/42]: enabling SASL mapping fallback
  [22/42]: restarting directory server
  [23/42]: adding sasl mappings to the directory
  [24/42]: adding default layout
  [25/42]: adding delegation layout
  [26/42]: creating container for managed entries
  [27/42]: configuring user private groups
  [28/42]: configuring netgroups from hostgroups
  [29/42]: creating default Sudo bind user
  [30/42]: creating default Auto Member layout
  [31/42]: adding range check plugin
  [32/42]: creating default HBAC rule allow_all
  [33/42]: adding entries for topology management
  [34/42]: initializing group membership
  [35/42]: adding master entry
  [36/42]: initializing domain level
  [37/42]: configuring Posix uid/gid generation
  [38/42]: adding replication acis
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: configuring directory to start on boot
  [42/42]: restarting directory server
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/11]: adding kerberos container to the directory
  [2/11]: configuring KDC
  [3/11]: initialize kerberos container
  [4/11]: adding default ACIs
  [5/11]: creating a keytab for the directory
  [6/11]: creating a keytab for the machine
  [7/11]: adding the password extension to the directory
  [8/11]: creating anonymous principal
  [9/11]: starting the KDC
  [10/11]: configuring KDC to start on boot
  [11/11]: enable PAC ticket signature support
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Forcing random serial numbers to be enabled for the mdb backend
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/33]: configuring certificate server instance
  [2/33]: stopping certificate server instance to update CS.cfg
  [3/33]: backing up CS.cfg
  [4/33]: Add ipa-pki-wait-running
Set start up timeout of pki-tomcatd service to 90 seconds
  [5/33]: secure AJP connector
  [6/33]: reindex attributes
  [7/33]: exporting Dogtag certificate store pin
  [8/33]: disabling nonces
  [9/33]: set up CRL publishing
  [10/33]: enable PKIX certificate path discovery and validation
  [11/33]: authorizing RA to modify profiles
  [12/33]: authorizing RA to manage lightweight CAs
  [13/33]: Ensure lightweight CAs container exists
  [14/33]: Enable lightweight CA monitor
  [15/33]: Ensuring backward compatibility
  [16/33]: enable certificate pruning
  [17/33]: updating IPA configuration
  [18/33]: starting certificate server instance
  [19/33]: configure certmonger for renewals
  [20/33]: requesting RA certificate from CA
  [21/33]: publishing the CA certificate
  [22/33]: adding RA agent as a trusted user
  [23/33]: configure certificate renewals
  [24/33]: Configure HTTP to proxy connections
  [25/33]: enabling CA instance
  [26/33]: importing IPA certificate profiles
  [27/33]: migrating certificate profiles to LDAP
  [28/33]: adding default CA ACL
  [29/33]: adding 'ipa' CA entry
  [30/33]: Recording random serial number state
  [31/33]: Recording HSM configuration state
  [32/33]: configuring certmonger renewal for lightweight CAs
  [33/33]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/13]: generating rndc key file
  [2/13]: adding DNS container
  [3/13]: setting up our zone
  [4/13]: setting up reverse zone
  [5/13]: setting up our own record
  [6/13]: setting up records for other masters
  [7/13]: adding NS record to the zones
  [8/13]: setting up kerberos principal
  [9/13]: setting up LDAPI autobind
  [10/13]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [11/13]: setting up server configuration
  [12/13]: configuring named to start on boot
  [13/13]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
  [1/8]: adding RID bases
  [2/8]: creating samba domain object
  [3/8]: adding admin(group) SIDs
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm1.aadya.tech
Realm: AADYA.TECH
DNS Domain: aadya.tech
IPA Server: idm1.aadya.tech
BaseDN: dc=aadya,dc=tech

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring aadya.tech as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
        This ticket will allow you to use the IPA tools (e.g., ipa user-add)
        and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

Disable dnssec-validation.

Bash

sed -i 's/dnssec-validation yes;/dnssec-validation no;/g' /etc/named/ipa-options-ext.conf

Add trusted networks.

Bash

cat > /etc/named/ipa-ext.conf <<EOF
acl "trusted_network" {
  localnets;
  localhost;
  $SUBNET;
};
EOF

Allow recursion.

Bash

echo "allow-recursion { trusted_network; };" >> /etc/named/ipa-options-ext.conf

Restart named service for changes to take effect.
Bash
```
systemctl restart named.service
```
Login to webUI at https://idm1.aadya.tech and verify IdM deployment.

Replica IdM Server Deployment

Add DNS record for idm2 by running below commands on idm1.

Bash

ipa dnsrecord-add $DOMAIN idm2 --a-rec $IDM2IP
ipa dnsrecord-add $(echo "${SUBNET%%/*}" | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}') $(echo "$IDM2IP" | awk -F. '{print $4}') --ptr-rec $IDM2HOSTNAME.

Install IdM client on replica server by running below command on idm2.

Bash

ipa-client-install --domain=aadya.tech --server=idm1.aadya.tech --realm=AADYA.TECH --mkhomedir --principal=admin --password=D*noP2ss --unattended

Command Output

Bash

This program will set up IPA client.
Version 4.12.2

Client hostname: idm2.aadya.tech
Realm: AADYA.TECH
DNS Domain: aadya.tech
IPA Server: idm1.aadya.tech
BaseDN: dc=aadya,dc=tech

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=AADYA.TECH
    Issuer:      CN=Certificate Authority,O=AADYA.TECH
    Valid From:  2025-07-23 17:51:30+00:00
    Valid Until: 2045-07-23 17:51:30+00:00

Enrolled in IPA realm AADYA.TECH
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring aadya.tech as NIS domain.
Configured /etc/krb5.conf for IPA realm AADYA.TECH
Client configuration complete.
The ipa-client-install command was successful

Promote server to replica by running below command on idm1.

Bash

ipa hostgroup-add-member ipaservers --hosts $IDM2HOSTNAME

Finally promote system as replica by running below command on idm2.

Bash

ipa-replica-install --setup-ca --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4 --unattended

Disable dnssec-validation.

Bash

sed -i 's/dnssec-validation yes;/dnssec-validation no;/g' /etc/named/ipa-options-ext.conf

Add trusted networks.

Bash

cat > /etc/named/ipa-ext.conf <<EOF
acl "trusted_network" {
  localnets;
  localhost;
  $SUBNET;
};
EOF

Allow recursion.

Bash

echo "allow-recursion { trusted_network; };" >> /etc/named/ipa-options-ext.conf

Restart named service for changes to take effect.
Bash
```
systemctl restart named.service
```
Login to webUI at https://idm2.aadya.tech and verify IdM deployment.

Usage Guide

Following are instructions for using/maintaining the IdM server you deployed. Ensure you run kinit admin before running any ipa commands. If this is not done, you will be getting an error ipa: ERROR: did not receive Kerberos credentials

Default Password Expiry

Update Password Expiry

Following command updates password expiry. For example following command will set for passwords to expire after 30 days. Users must change them to continue logging in. But at the same time since minlife is 1, it ensures users must wait at least 1 day before changing their password again, preventing immediate re-use.

Bash

ipa pwpolicy-mod --maxlife=30 --minlife=1

Disable Password Expiry

Following command disables password expiry and allows user to change their own password on their own terms. Though convenient, this is not recommended for production use.

Bash

ipa pwpolicy-mod --maxlife=0 --minlife=0

Show Password Expiry

Bash

ipa pwpolicy-show

Change Default Shell

By default IdM sets user's default shell to /bin/sh even though when bash is available. Following command ensures default shell is configured to /bin/bash

Bash

ipa config-mod --defaultshell=/bin/bash

Create Bind Account

Bash

cat <<EOF >>service-account.ldif
dn: uid=ldap.bind,cn=sysaccounts,cn=etc,dc=aadya,dc=tech
changetype: add
objectclass: account
objectclass: simplesecurityobject
objectclass: inetuser
uid: ldap.bind
userPassword: n!cePassword7
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

EOF


ldapadd -H ldap://idm1.aadya.tech -D 'cn=Directory Manager' -W -f service-account.ldif

This will ask for Directory Server that you have defined in Prerequisites

Command Output

Bash

Enter LDAP Password:
adding new entry "uid=ldap.bind,cn=sysaccounts,cn=etc,dc=aadya,dc=tech"

Create User Accounts

Create a regular user account

Following command will create a regular user account on IdM with a random password. Generated password is displayed on the console.

Bash

ipa user-add prasad.manigaradi \
    --first="Prasad" \
    --last="Manigaradi" \
    --random

Command Output

Bash

------------------------------
Added user "prasad.manigaradi"
------------------------------
  User login: prasad.manigaradi
  First name: Prasad
  Last name: Manigaradi
  Full name: Prasad Manigaradi
  Display name: Prasad Manigaradi
  Initials: PM
  Home directory: /home/prasad.manigaradi
  GECOS: Prasad Manigaradi
  Login shell: /bin/bash
  Principal name: prasad.manigaradi@AADYA.TECH
  Principal alias: prasad.manigaradi@AADYA.TECH
  User password expiration: 20250719021234Z
  Email address: prasad.manigaradi@aadya.tech
  Random password: Z-LM65e8ua4x%Se
  UID: 5003
  GID: 5003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Create an admin user account

Creating an admin account will require first creating a regular user account. Once an account is created, run following command to grant the user admin privileges.

Bash

ipa group-add-member admins --users=prasad.manigaradi

Command Output

Bash

Group name: admins
Description: Account administrators group
GID: 5000
Member users: admin, prasad.manigaradi
-------------------------
Number of members added 1
-------------------------

Enrolling Linux host into IdM

Install IdM client on the Linux host.

Bash

apt install -y freeipa-client oddjob-mkhomedir

Configure IdM client on the machine and enable DNS updates. This ensures that when IP of the machine changes due to DHCP, the corresponding DNS entry gets automatically updated.
Bash
```
ipa-client-install --no-ntp --mkhomedir --enable-dns-updates
```

Troubleshooting

Adding SSHFP records for idm1

Sometimes SSFP records of first IdM server aren't added. You can use ssh-keygen -r $IDM1HOSTNAME to print the SSHFP fingerprint resource record for the hostname and then add all records to your IdM server using ipa dnsrecord-add command. Or this can be automated by running following script in bash.

Bash

CMD=(ipa dnsrecord-add "$DOMAIN" "$HOSTNAME")

while read -r line; do
  # Extract the SSHFP values from the line
  set -- $line
  algo=$5
  fptype=$6
  fingerprint=$7
  CMD+=(--sshfp-rec="$algo $fptype $fingerprint")
done < <(ssh-keygen -r "$HOSTNAME.$DOMAIN")

# Run the command
"${CMD[@]}"