Installing FreeIPA With Replication

Do you need a single place to add users within your organization so they can authenticate to multiple backends, such as your Linux servers? You have probably looked at OpenLDAP and run into the same problem many other users have: poor documentation and a configuration that is ridiculously hard to get right. Having done some OpenLDAP installations in the past, I went looking for a good alternative, and more importantly one that is far easier to set up and has a good GUI and CLI for adding users and groups.


About FreeIPA

FreeIPA is a project backed by Red Hat, so it's no surprise that this article is about an installation on that platform. Installing FreeIPA is really fast and easy, but there are some things to keep in mind, noted below.


Some notes

This installation is done on a Red Hat Enterprise Linux 6 system; keep in mind that the configuration may differ on earlier versions of the operating system. I will be doing an installation with replication, so if that is what you were looking for, you're in luck! My example machines will be named and, make sure your DNS is working properly, because the FreeIPA installer really does check DNS (or, if you want to be quick and dirty, put the machines in your hosts file).


Installing FreeIPA

Installing FreeIPA is done in a few steps, noted below. I will be adding the hostnames to the hosts file, just to be certain:


Step 1:

yum -y install ipa-server


Step 2:

Note: For some reason the installation of memcached failed while installing the ipa-server package, so reinstall it just to be sure.
yum -y install memcached


Step 3:

echo "<ip>" >> /etc/hosts
echo "<ip>" >> /etc/hosts
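The two echo lines above append blindly, so running the step twice leaves duplicate (and possibly contradictory) entries, and nothing tells you whether the installer will actually see the address you intended. The following is an added example, not part of the original article: it keeps the hosts-file entries for the master and the replica idempotent and lets you confirm that each name resolves to the right address before ipa-server-install runs. The file path is a parameter so the functions can be tried on a scratch copy of /etc/hosts; the names ipa1.example.com / ipa2.example.com and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: maintain the hosts-file
# entries for the IPA master and replica idempotently and confirm each name
# resolves to the intended address before running the installer, which
# refuses to proceed when name resolution is wrong.
# The hosts file is a parameter so the functions can be exercised against a
# scratch copy; hostnames and addresses used here are constructed placeholders.

# add_hosts_entry FILE IP FQDN
#   Writes "IP<TAB>FQDN SHORTNAME" to FILE. A line that already names FQDN is
#   replaced rather than duplicated, so repeated runs leave exactly one mapping.
add_hosts_entry() {
    file=$1; ip=$2; fqdn=$3
    short=${fqdn%%.*}
    [ -f "$file" ] || : > "$file"
    # keep comments and every line that does not name this fqdn
    awk -v h="$fqdn" '
        $1 ~ /^#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == h) next; print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$file"
}

# hosts_lookup FILE NAME
#   Prints the address FILE maps NAME (fqdn or short name) to, or nothing.
hosts_lookup() {
    awk -v h="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$1"
}

# count_entries FILE NAME
#   Prints how many non-comment lines in FILE name NAME; should be 0 or 1.
count_entries() {
    awk -v h="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { n++; break } }
        END { print n + 0 }
    ' "$1"
}

# check_resolves FQDN IP
#   Asks the live resolver (nsswitch order, so /etc/hosts and DNS) for FQDN
#   and succeeds only when the first answer is IP. Run it on both machines
#   for both names before ipa-server-install / ipa-replica-install.
check_resolves() {
    got=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ "$got" = "$2" ] && return 0
    echo "$1 resolves to '${got:-nothing}', expected $2" >&2
    return 1
}

# Typical use on the master and the replica (constructed names and addresses):
#   add_hosts_entry /etc/hosts 192.0.2.10 ipa1.example.com
#   add_hosts_entry /etc/hosts 192.0.2.11 ipa2.example.com
#   check_resolves ipa1.example.com 192.0.2.10 && check_resolves ipa2.example.com 192.0.2.11
```

check_resolves goes through getent, so it reports what the installer will see rather than what the file says: if nsswitch.conf lists dns before files, a stale DNS record still wins over your hosts entry, and that is exactly the case the installer's DNS check exists to catch.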


Step 4:

Note: For some reason the init script for ipa_memcached (/etc/init.d/memcached) tries to start the wrong memcached during installation. Change the following line:

daemon --pidfile ${pidfile} /usr/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}

to:

daemon --pidfile ${pidfile} /usr/local/bin/memcached -d -s ${SOCKET_PATH} -u ${USER} -m ${CACHESIZE} -c ${MAXCONN} -P ${pidfile} ${OPTIONS}
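Editing an init script by hand is easy to get wrong twice: the path you point it at may not exist on this box, and a second edit can mangle the line. The following is an added example, not part of the original article: it makes the same daemon-line change with a backup, a check that the replacement binary is actually executable, and an idempotent rewrite so running it again is harmless. The script path and both binary paths are parameters so you can try it on a copy of the init script first.

```shell
#!/bin/sh
# Added example, not part of the original article: make the Step 4 edit of the
# memcached init script with a backup, a sanity check that the replacement
# binary exists, and an idempotent rewrite so running it twice is safe.
# SCRIPT, OLDBIN and NEWBIN are parameters so the function can be tried on a
# copy of the init script first.

# daemon_line_uses SCRIPT BIN
#   Succeeds when the daemon line in SCRIPT launches BIN (fixed-string match,
#   so the ${pidfile} literal in the init script needs no escaping).
daemon_line_uses() {
    grep -qF -- "daemon --pidfile \${pidfile} $2 " "$1"
}

# repoint_memcached SCRIPT OLDBIN NEWBIN
#   Rewrites the "daemon --pidfile ${pidfile} OLDBIN ..." line in SCRIPT so it
#   starts NEWBIN instead. Leaves SCRIPT.bak behind. Returns 1 if NEWBIN is not
#   executable or if the line could not be rewritten.
repoint_memcached() {
    script=$1; oldbin=$2; newbin=$3
    if [ ! -x "$newbin" ]; then
        echo "refusing to point $script at $newbin: not an executable" >&2
        return 1
    fi
    # already done: nothing to change and no new backup to take
    if daemon_line_uses "$script" "$newbin"; then
        return 0
    fi
    cp -p "$script" "$script.bak"
    # only the daemon line is touched, and only the exact OLDBIN token on it;
    # any other mention of OLDBIN in the script is left alone
    sed 's#^\(daemon --pidfile \${pidfile} \)'"$oldbin"' \(.*\)#\1'"$newbin"' \2#' \
        "$script.bak" > "$script"
    daemon_line_uses "$script" "$newbin"
}

# Typical use for the Step 4 fix (adjust the init script path to your system):
#   repoint_memcached /etc/init.d/memcached /usr/bin/memcached /usr/local/bin/memcached
```

The sed expression anchors on the literal `daemon --pidfile ${pidfile}` prefix, so a comment or a usage message elsewhere in the script that happens to mention /usr/bin/memcached is not rewritten, and the original is kept as SCRIPT.bak in case the service still fails to start afterwards.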


Step 5:

On the first machine ( we hit the following command:


You will be asked a few questions afterwards; this is an example of the output:

Server host name []:
Please confirm the domain name []: 
Please provide a realm name [EXAMPLE.COM]: 

After that you will be asked for the Directory Manager password (which is used when working with the FreeIPA CLI) and for the password of the IPA admin (which is for the web GUI). After those steps the installer will show you the information one more time; if you confirm, the installation will start. Be patient, it can take a while depending on how fast your machine is. You may run into an error while generating the CA certificate server (error: Unable to find in /var/lib/pki-ca/conf/CS.cfg. Is your CA already configured?). If you do get this error, try uninstalling the ipa-server (ipa-server-install --uninstall) and restarting the pki-ca service (/etc/init.d/pki-ca stop/start).


Setting up replication

Believe it or not, setting up replication for FreeIPA consists of just three commands:


Step 1:

From the master server ( execute the following command:



Step 2:

Secure Copy the gpg key generated in step 1 to

scp /var/lib/ipa/ [email protected]:/var/lib/ipa/


Step 3:

On execute the following command; note that on we don't have to run an ipa-server-install, the replication process does that for us.

ipa-replica-install /var/lib/ipa/

Enter the Directory Manager password and voila, replication is set up. That's all there is to it; just start up your IPA (/etc/init.d/ipa start), browse to your GUI and log in ( should redirect you to the GUI if this is the only website installed on your server).
