This is a step-by-step guide to launching, preparing and configuring a FreeIPA server inside a Podman container, ending with access to the FreeIPA web dashboard over HTTPS.
Step 1: Allow Web Ports
FreeIPA uses the standard web ports 80 and 443. Linux only lets privileged processes bind ports below 1024, so a rootless container cannot publish them by default; lower the unprivileged port boundary so that ports from 80 upwards can be used:
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
Step 2: Start the Container
FreeIPA depends on system services such as the LDAP directory (389-ds) and Kerberos, which systemd manages, so the container must be started with systemd enabled:
podman run -d --name freeipa-server \
--systemd=always \
--restart always \
--cap-add=SYS_ADMIN \
-p 443:443 -p 80:80 -p 389:389 -p 636:636 \
-p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp \
-h ipa.example.edu \
almalinux:9 /usr/sbin/init
Here:
- --systemd=always lets systemd run as PID 1 inside the container.
- --restart always restarts the container after a reboot or a crash.
- --cap-add=SYS_ADMIN grants the container CAP_SYS_ADMIN, which systemd needs inside the container; it is a broad capability, so run this container only on a host you trust.
- The -p values publish the ports FreeIPA needs (HTTP/HTTPS, LDAP/LDAPS, and Kerberos KDC and password change over TCP and UDP).
- -h ipa.example.edu sets the container hostname; ipa-server-install uses it as the server's fully qualified name, so it must belong to the domain you install.
Step 3: Enter the Container
Installation and configuration happen inside the running container, so open a shell in it:
podman exec -it freeipa-server /bin/bash
Step 4: Prepare the Container
As noted in the previous post, the AlmaLinux image is very minimal, so before the installer can run we create the missing directories, install the packages, restore the LDAP schema files and set a few security-related options:
# 1. Install the FreeIPA server packages (including the integrated DNS option)
dnf install -y ipa-server ipa-server-dns
# 2. Recreate the directory structure the minimal image lacks
rm -rf /etc/dirsrv /etc/sysconfig /etc/tmpfiles.d /etc/pkcs11
mkdir -p /etc/sysconfig /etc/tmpfiles.d /etc/pkcs11/modules /etc/dirsrv/config
mkdir -p /var/lib/ipa/sysrestore /var/lib/ipa-client/sysrestore /var/log/dirsrv
# 3. Restore the 389-ds LDAP schema files: reinstall the package without running
#    its RPM scriptlets so only the files are laid down. Note that sslverify=false
#    turns off TLS certificate checking for the repository download; drop that
#    option unless the mirror is unreachable without it.
dnf reinstall -y 389-ds-base --setopt=tsflags=noscripts --setopt=sslverify=false
echo "module: /usr/lib64/libsofthsm2.so" > /etc/pkcs11/modules/softhsm2.module
# LEGACY relaxes the system-wide crypto policy (older TLS versions and ciphers);
# it applies to every TLS client and server inside the container.
update-crypto-policies --set LEGACY
# 4. Create the Kerberos service environment files that the systemd units expect
touch /etc/sysconfig/krb5kdc /etc/sysconfig/kadmin
chmod 644 /etc/sysconfig/krb5kdc /etc/sysconfig/kadmin
# 5. Map the container's own hostname to its IP so the installer can resolve it
MY_IP=$(hostname -I | awk '{print $1}')
echo -e "127.0.0.1\tlocalhost\n$MY_IP\tipa.example.edu ipa" > /etc/hosts
# 6. Java and NSS environment variables for the certificate authority (Dogtag, which runs on Java)
export JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true"
export NSS_SDB_USE_CACHE=yes
Step 5: Install FreeIPA
With the container prepared, run the FreeIPA installer in unattended mode:
ipa-server-install \
--unattended \
--domain=example.edu \
--realm=EXAMPLE.EDU \
--ds-password=<YOUR_DS_PASSWORD> \
--admin-password=<YOUR_ADMIN_PASSWORD> \
--no-ntp \
--no-host-dns \
--no-pkinit \
--skip-mem-check
Replace <YOUR_DS_PASSWORD> and <YOUR_ADMIN_PASSWORD> with strong passwords of your own. Passwords passed on the command line are visible in the shell history and in the process list while the installer runs, so clear the history afterwards.
Step 6: Access the Web Interface
Local Access
If the container runs on your local system, add this line to the hosts file (/etc/hosts on Linux and macOS):
127.0.0.1 ipa.example.edu
Then open the browser:
https://ipa.example.edu
- Username: admin
- Password: YOUR_ADMIN_PASSWORD
Remote Access via SSH Tunnel
If the container runs on a remote server, forward the web ports over an SSH tunnel:
ssh -L 443:localhost:443 -L 80:localhost:80 user@remote-server
Binding local ports 80 and 443 requires root on the client (or the same unprivileged-port sysctl as in Step 1). Then add the same hosts line locally and open the browser.
Step 7: Verify Setup
Inside the container, verify that FreeIPA and Kerberos are working:
kinit admin
ipa user-show admin
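To make this check more thorough, here is an added verification script (example code, not part of the original post or of FreeIPA): it parses `ipactl status` and `ss -Hltn` output to confirm that every IPA service reports RUNNING and that each published port has a listener, then probes the HTTPS endpoint. It assumes it runs inside the freeipa-server container, that curl is available, and that /etc/ipa/ca.crt holds the CA certificate written by the installer; the sample outputs at the bottom are constructed for offline testing.

```sh
#!/bin/sh
# Added example (not from the original post): post-install health check for the
# FreeIPA container. Pure parsers first, so they can be tested offline; the live
# probe at the end only runs where the IPA tools exist (inside the container).

# Read `ipactl status` on stdin; succeed only if every "<name> Service:" line is RUNNING.
ipa_all_running() {
    awk -F': ' '
        / Service: / { total++; if ($2 == "RUNNING") ok++ }
        END { exit (total > 0 && ok == total) ? 0 : 1 }'
}

# Read `ss -Hltn` on stdin; succeed only if every port given as an argument has a
# TCP listener (the port is the text after the last colon of the local address).
ports_all_listening() {
    awk -v want="$*" '
        { n = split($4, a, ":"); seen[a[n]] = 1 }
        END {
            m = split(want, w, " ")
            for (i = 1; i <= m; i++) if (!(w[i] in seen)) missing = missing " " w[i]
            if (missing != "") { print "missing listeners:" missing > "/dev/stderr"; exit 1 }
        }'
}

# Live checks; assumes curl and the installer-written CA file /etc/ipa/ca.crt.
verify_live() {
    ipactl status | ipa_all_running || { echo "an IPA service is not RUNNING"; return 1; }
    ss -Hltn | ports_all_listening 80 443 389 636 88 464 || return 1
    curl -sS --cacert /etc/ipa/ca.crt -o /dev/null "https://ipa.example.edu/ipa/ui/" || return 1
    echo "FreeIPA services, listeners and HTTPS endpoint look healthy"
}

# Constructed sample outputs (not real captures) for exercising the parsers offline.
SAMPLE_STATUS_OK='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'
SAMPLE_STATUS_BAD='Directory Service: RUNNING
krb5kdc Service: STOPPED
httpd Service: RUNNING'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1,fd=4))
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:636 0.0.0.0:*
LISTEN 0 128 0.0.0.0:88 0.0.0.0:*'
if command -v ipactl >/dev/null 2>&1; then verify_live; fi
```

Run it inside the container after Step 5; outside the container only the parsers are defined, so the script exits quietly.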
Step 8: Make Port Change Permanent
The sysctl change from Step 1 does not survive a reboot. To make it persistent:
echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p