FreeIPA is worlds easier than OpenLDAP


I’ve been able to get FreeIPA up and running in far less time and with far less frustration than OpenLDAP.

The notes here were particularly helpful.

I’ve set this up in a CentOS KVM zone with very little trouble.

Be sure to set the IP address, gateway, and DNS resolvers manually. If you rely on DHCP and the configuration from the global zone, dhclient will clobber the changes FreeIPA depends on.

Here is an abridged VM .json file and an abridged installation script.

  "brand": "kvm",
  "ram": "512",
  "vcpus": 1,
  "alias": "ipa01",
  "hostname": "",
  "resolvers": [
  "dns_domain": "",
  "nics": [
      "nic_tag": "admin",
      "ip": "",
      "netmask": "",
      "gateway": "",
      "model": "virtio"
  "disks": [
      "image_uuid": "5becfd74-a70d-11e4-93a6-470507be237c",
      "boot": true,
      "model": "virtio"
  "customer_metadata": {
    "root_authorized_keys": "<my ssh public key>",
    "user-script": "/usr/sbin/mdata-get root_authorized_keys > ~root/.ssh/authorized_keys ; /usr/sbin/mdata-get root_authorized_keys > ~admin/.ssh/authorized_keys"

Installation script:

yum update -y
yum install -y ipa-server bind bind-dyndb-ldap
echo "" >> /etc/hosts
ipa-server-install -a <password> -n -p <password> -r MYDOMAIN.NET --setup-dns --forwarder= --forwarder=
service sshd restart

Remember to make your IP address, gateway, and especially resolvers static.