FreeIPA
February 22, 2026
What it is
FreeIPA is an integrated identity and access management solution for Linux: LDAP, Kerberos, DNS, PKI (CA), and host-based access control. It gives you a central place for users, groups, sudo rules, and machine identity in Linux environments.
Usage
- Linux domain / directory — Central users, groups, and sudo for servers.
- Kerberos SSO — Single sign-on for SSH, NFS, and Kerberized apps.
- Internal DNS and PKI — Host records and certificate authority for internal services.
- Host-based access control (HBAC) — Restrict which hosts users can access.
Pros and cons
| Pros | Cons |
|---|---|
| All-in-one: LDAP, Kerberos, DNS, PKI | Linux-focused; not for cloud-only IdP |
| Web UI and CLI for management | Setup and replication are non-trivial |
| Replication for HA | Not a replacement for OIDC/SAML app SSO |
| Strong for traditional Linux shops | |
Alternatives
- Keycloak + LDAP — Keycloak can use FreeIPA/LDAP as a user store and expose OIDC/SAML for apps.
- Active Directory — Windows-centric; FreeIPA is Linux-native.
Why choose FreeIPA
FreeIPA fits best when you need centralized Linux identity (users, hosts, sudo, DNS, PKI) and optionally Kerberos SSO. It is not the right choice when you only need browser-based app SSO; use Keycloak or Authentik for that.
Suggested tech stack
- Platform: RHEL, CentOS, Fedora, or other supported Linux.
- Integration: Pair with Keycloak or Authentik as the IdP, connected to FreeIPA's LDAP, for app SSO.
When to use it
- You manage many Linux servers and want one directory and policy store.
- You need Kerberos, internal DNS, or a private CA.
- You can invest in setup and replication.
Links
- Homepage: https://www.freeipa.org/
- Documentation: https://www.freeipa.org/page/Documentation
- Source: https://github.com/freeipa/freeipa