This version (2024/09/08 12:42) is a draft and has been superseded by a newer approved version (approvals: 0/1); the previously approved version (2024/09/07 13:15) is available.

This is an old revision of the document!


FreeIPA

FreeIPA is a collection of tools and a web GUI for managing a directory domain comparable to an AD (Active Directory). As a Docker image it delivers LDAP for central storage of users, hosts and keys; the BIND DNS resolves hostnames to IP addresses and Kerberos delivers SSO for the users.

This chapter describes how to install FreeIPA in a rootless Docker environment, use Let's Encrypt certificates for SSL/TLS, and set up central user management with it.

Prerequisite

You will need a Docker host that is reachable from the Internet under its fully qualified domain name (FQDN), as described before. The ports listed below must be reachable from the clients.

Docker Compose

FreeIPA does not use an external database; all needed information is stored in the Docker data volume.

First, create a directory inside the Docker Compose directory that you chose before in http://obel1x.de/doku.php?id=content:serverbasics:docker#create_a_place_for_yamls

Then create your docker-compose.yml like this:

services:
  freeipa:
    image: freeipa/freeipa-server:almalinux-9
    restart: unless-stopped
    hostname: [FQDN_HOSTNAME]
    # For DNS setup:
    # read_only: true
    environment:
      IPA_SERVER_HOSTNAME: [FQDN_HOSTNAME]
      TZ: "Europe/Berlin"
      # Initial admin password used by the freeipa-container image; replace it before the first start
      PASSWORD: 'NEWPASSWORD'
      # DEBUG_NO_EXIT: 1
    tty: true
    stdin_open: true
    cgroup: host
    cap_add:
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ipa_data:/data
      - ipa_journal:/var/log/journal
      - /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    tmpfs:
      - /run
      - /tmp
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
    security_opt:
      - "seccomp:unconfined"
    command:
      - -U
      - --domain=clients.[FQDN_HOSTNAME]
      # Must match the last part of the domain name, must be upper case and routed to the domain
      - --realm=[DOMAINPART_OF_HOSTNAME]
      - --http-pin=[NEWHTTPDPIN]
      - --dirsrv-pin=[NEWDIRSRVPIN]
      - --setup-dns
      # - --no-host-dns
      # NTP: not needed, the container takes its time from /etc/localtime (see volumes);
      # the host also runs a chrony daemon to sync time
      - --no-ntp
      # - --ntp-server=172.0.0.11
      - --auto-forwarders
      # - --forwarder=192.168.178.1
      # Avoids "Error: Unable to determine the amount of available RAM"
      - --skip-mem-check
    ports:
      # HTTP(S): proxied by Caddy
      # - "8082:80"
      # - "8443:443"
      # LDAP (needed)
      - "389:389"
      # LDAPS (needed)
      - "636:636"
      # Kerberos (needed)
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      # DNS (needed)
      - "53:53"
      - "53:53/udp"
      # NTP: not needed, chronyd of the host is used
      # - "123:123/udp"
      # Unknown:
      # - "7389:7389"
      # - "9443:9443"
      # - "9444:9444"
      # - "9445:9445"
# Named volumes must be indented under the top-level "volumes:" key
volumes:
  ipa_data:
  ipa_journal:
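A pre-flight check for the compose file above, added here as an example (it is not part of the wiki page or of FreeIPA and uses only the Python standard library). It reports placeholders and default secrets that were never replaced, applies the realm rule from the comment in the file (the realm is the last part of the domain and must be upper case), and lists the privilege-widening settings the setup relies on so the operator accepts them knowingly. The sample compose text is constructed for the demonstration.

```python
import re

PLACEHOLDER = re.compile(r"\[[A-Z_]+\]")          # e.g. [FQDN_HOSTNAME]
DEFAULT_SECRETS = ("NEWPASSWORD", "NEWHTTPDPIN", "NEWDIRSRVPIN")
# Settings from the compose file that widen the container's privileges.
# They are reported as notes, not errors: the page's setup depends on them.
PRIVILEGED = ("seccomp:unconfined", "docker.sock", "cgroup: host", "NET_ADMIN")

def unreplaced_values(compose_text):
    """Placeholders and default secrets still present in the file."""
    found = sorted(set(PLACEHOLDER.findall(compose_text)))
    found += [s for s in DEFAULT_SECRETS if s in compose_text]
    return found

def realm_problems(compose_text):
    """Realm must be upper case and be the last part of --domain."""
    domain = re.search(r"--domain=(\S+)", compose_text)
    realm = re.search(r"--realm=(\S+)", compose_text)
    if not (domain and realm):
        return ["--domain and --realm must both be set"]
    d, r = domain.group(1).strip("'\""), realm.group(1).strip("'\"")
    problems = []
    if r != r.upper():
        problems.append(f"realm {r} must be upper case")
    if d.upper() != r.upper() and not d.upper().endswith("." + r.upper()):
        problems.append(f"realm {r} is not the last part of domain {d}")
    return problems

def privileged_settings(compose_text):
    """Privilege-widening settings present in the file, in PRIVILEGED order."""
    return [p for p in PRIVILEGED if p in compose_text]

# Constructed sample: hostname filled in, but a placeholder, the default
# password and a lower-case realm were left behind.
SAMPLE = """\
services:
  freeipa:
    hostname: ipa.example.test
    environment:
      PASSWORD: 'NEWPASSWORD'
    command:
      - --domain=clients.ipa.example.test
      - --realm=example.test
    volumes:
      - /run/user/[UID_OF_DOCKERUSER]/docker.sock:/var/run/docker.sock
    security_opt:
      - "seccomp:unconfined"
"""

if __name__ == "__main__":
    for item in unreplaced_values(SAMPLE) + realm_problems(SAMPLE):
        print("FIX: ", item)
    for item in privileged_settings(SAMPLE):
        print("NOTE: privileged setting in use:", item)
```

Run it against your real docker-compose.yml by replacing SAMPLE with the file's contents; an empty FIX list is the minimum before `docker compose up`.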

Caddyfile

Caddy will be used as the reverse proxy, so add this to your Caddyfile (see https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-caddy#caddy_configuration):

# FreeIPA
http://[FQDN_HOSTNAME]:80 {
        reverse_proxy serverpc-freeipa-1:80
}
https://[FQDN_HOSTNAME]:443 {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy https://serverpc-freeipa-1:443 {
            transport http {
                tls
                # The backend certificate is not verified: Caddy trusts whatever answers
                # under this container name on the internal Docker network
                tls_insecure_skip_verify
            }
        }
}

LDAP - Central AD

Coming soon…

content/serverbasics/docker-freeipa.1725792141.txt.gz · Last modified: by obel1x

Unless otherwise stated, the content of this wiki is published under the following license: CC0 1.0 Universal