FreeIPA on Docker

FreeIPA is an identity management system; it is the upstream open-source project for Red Hat Identity Manager, and its tools are included in all recent versions of Fedora and CentOS. FreeIPA lets you unify users across multiple platforms, so a set of users under one domain can use the same credentials across many applications that support LDAP, such as ownCloud, Nextcloud, GitLab, LibreOffice Online and many more. Here I am installing it on a Fedora Atomic server. We need to create the directories on the host where the container's data will be stored and clone the freeipa-container repository from GitHub, so the first step is to create the root directory:


mkdir /srv/ldap

Change to the root directory:


cd /srv/ldap

Then clone the freeipa-container repository with git:


git clone https://github.com/freeipa/freeipa-container.git

Change into the freeipa-container repository:


cd /srv/ldap/freeipa-container

Build the freeipa-server image from the latest Dockerfile:


docker build -f Dockerfile.fedora-27 -t freeipa-server .

Create the data directory:


mkdir /srv/ldap/data

You might need to set the SELinux boolean that allows containers to manage cgroups:


setsebool -P container_manage_cgroup 1

If you have problems running the docker run command with the :Z suffix on the volume mount, you may have to change the SELinux context of the data directory yourself:


chcon -t svirt_sandbox_file_t /srv/ldap/data

To feed settings such as the realm name and passwords into the FreeIPA server installation, you create option files in the data directory. Open a new file and enter one ipa-server-install option per line:


nano /srv/ldap/data/ipa-server-install-options

--realm=EXAMPLE.COM
--ds-password=This-Is-The-Directory-Server-Password
--admin-password=This-Is-The-Admin-Password

To set up a replica instead, create a file named ipa-replica-install-options in the same directory and append ipa-replica-install to the docker run command below.
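The options file above holds the Directory Server and admin passwords in plaintext, so it should be created readable by root only and checked before the container first starts. The following script is an added example, not part of the original post or of the freeipa-container project; the data directory, realm and passwords it uses are constructed placeholders, and the minimum password length it enforces is an assumption based on ipa-server-install's own rejection of short passwords.

```shell
#!/bin/sh
# Added example (not from the post or the freeipa-container project):
# write ipa-server-install-options with root-only permissions and
# validate it before the container is started.

# $1 = data directory, $2 = realm, $3 = DS password, $4 = admin password
write_install_options() {
    data_dir="$1"; realm="$2"; ds_pw="$3"; admin_pw="$4"
    target="$data_dir/ipa-server-install-options"
    mkdir -p "$data_dir"
    # umask 077 so the file is 0600 from the moment it exists; never world-readable
    old_umask=$(umask)
    umask 077
    printf '%s\n' "--realm=$realm" \
                  "--ds-password=$ds_pw" \
                  "--admin-password=$admin_pw" > "$target"
    umask "$old_umask"
    chmod 600 "$target"
}

# Return 0 only if the file exists, is readable by the owner alone, carries
# all three required options, and neither password is shorter than 8
# characters (assumed minimum; ipa-server-install rejects shorter ones).
validate_install_options() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -q '^--realm=' "$file"          || return 1
    grep -q '^--ds-password=' "$file"    || return 1
    grep -q '^--admin-password=' "$file" || return 1
    # permission string from ls is portable across GNU and BSD userlands
    perm=$(ls -ld "$file" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) ;;
        *) return 1 ;;
    esac
    for opt in ds-password admin-password; do
        pw=$(sed -n "s/^--$opt=//p" "$file")
        [ ${#pw} -ge 8 ] || return 1
    done
    return 0
}
```

Typical use on the host is write_install_options /srv/ldap/data EXAMPLE.COM "$DS_PW" "$ADMIN_PW" followed by validate_install_options /srv/ldap/data/ipa-server-install-options; a non-zero exit from the validator means the container should not be started yet.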


Use the docker run command to create the service. FreeIPA requires both port 443 and port 80. Before running this, make sure the container's hostname has an A record pointing at the host's IP address and that traffic for the ports below reaches the host; otherwise the installation will fail.


docker run --name freeipa-server -ti \
-h ipa.example.com \
--restart always \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-v /srv/ldap/data:/data:Z \
--tmpfs /run --tmpfs /tmp \
--cap-add=SYS_TIME \
-p 53:53/udp \
-p 53:53 \
-p 80:80 \
-p 443:443 \
-p 389:389 \
-p 636:636 \
-p 88:88 \
-p 464:464 \
-p 123:123 \
freeipa-server
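Two things make the first start of this container fail more often than anything else: the hostname not resolving to the host's address, and one of the published ports already being bound on the host (a local web server on 80/443, or a stub resolver on 53). The pre-flight script below is an added example, not part of the original post or the freeipa-container project. It checks the hostname against an expected address with getent, and parses ss -Hltun style listener output so that the port check can be exercised offline against constructed sample lines; the hostname, address and sample listeners are placeholders.

```shell
#!/bin/sh
# Added pre-flight check for the docker run step above (not from the post or
# the freeipa-container project). Verifies that the container hostname
# resolves to the expected address and that none of the published ports is
# already bound on the host.

# Ports published by the docker run command above (tcp and udp share the list).
FREEIPA_PORTS="53 80 443 389 636 88 464 123"

# Read ss-style listener lines on stdin and print one bound port per line.
# Field 5 is the local address (0.0.0.0:80, [::]:443, 127.0.0.53%lo:53);
# the port is whatever follows the last colon. Any listener on a port counts,
# whichever address it is bound to, because a wildcard bind will clash with it.
extract_listen_ports() {
    awk '{ n = split($5, a, ":"); if (n > 1) print a[n] }' | sort -un
}

# Print each required port that already has a listener; return 1 if any do.
# $1 = space-separated list of required ports; listener lines on stdin.
conflicting_ports() {
    required="$1"
    bound=$(extract_listen_ports)
    rc=0
    for p in $required; do
        for b in $bound; do
            if [ "$p" = "$b" ]; then echo "$p"; rc=1; break; fi
        done
    done
    return $rc
}

# Return 0 when $1 resolves (hosts file or DNS) to the address $2.
host_resolves_to() {
    getent hosts "$1" 2>/dev/null |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Run both checks against the live host. $1 = container hostname,
# $2 = the address its A record is expected to carry.
preflight() {
    host_resolves_to "$1" "$2" || { echo "$1 does not resolve to $2" >&2; return 1; }
    clash=$(ss -Hltun 2>/dev/null | conflicting_ports "$FREEIPA_PORTS") || {
        echo "ports already in use on this host: $clash" >&2; return 1; }
    return 0
}

# Constructed sample of what `ss -Hltun` prints on a host that already runs
# an SSH daemon, a web server on 80/443 and systemd-resolved on 127.0.0.53:53.
SAMPLE_LISTENERS='tcp   LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0 511  [::]:443         [::]:*
udp   UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*'
```

On the real host you would run preflight ipa.example.com 203.0.113.10 (your own hostname and address) and only start the container when it exits 0; against the constructed sample the port check reports 53, 80 and 443 as conflicts.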


This should give you a working freeipa-server. You may need to give it signed TLS certificates for everything to work properly; as an example of how to use Let's Encrypt, first open a shell inside the container:


sudo docker exec -i -t freeipa-server /bin/bash

We need a Kerberos ticket for the admin principal before FreeIPA will let us add any root certificate authorities:


kinit admin

To add Let's Encrypt there is a shell script that the FreeIPA project provides on GitHub. The following line installs the dependencies and clones the repository into the expected directory:


dnf install git -y && git clone https://github.com/freeipa/freeipa-letsencrypt.git /root/ipa-le

Then change into that directory and run the setup script:


cd /root/ipa-le && ./setup-le.sh
