FreeIPA Failover with Keepalived


For this guide, we shall be looking at how to make use of the FreeIPA replica feature to set up high availability in FreeIPA. We shall then configure Keepalived to facilitate failover between any number of FreeIPA instances. In this guide, only two FreeIPA instances will be used, one being the master server and the other the replica.

This setup procedure is intended for system administrators who run a single FreeIPA server and are concerned about it being a single point of failure.

Therefore, you should have a FreeIPA server already installed and fully functioning – with test accounts.

This guide starts with the setup of a FreeIPA server, followed by the setup of one replica node.

Part 1: Installation of the FreeIPA server

Consider the following FreeIPA minimum requirements:

  • Server with 4GB RAM – Installations on 1GB and 2GB were failing
  • CentOS server – can be CentOS 7.x
  • 2 vCPUs
  • Port 443 and 80 not used by another application
  • FQDN – resolvable over Public or Private DNS
  • 10GB Free disk space

The installation procedure is outlined in the steps below:

Step 1: Update the system

Add the epel-release repository and update all the packages on the system.

sudo yum -y install epel-release

sudo yum -y update

sudo yum install bind-utils vim

Once the system is updated, proceed to install FreeIPA server packages.

Step 2: Install the FreeIPA server packages

The packages you install depend on which services you need IPA to provide. If you don’t need the DNS service, install just the ipa-server package:

sudo yum -y install ipa-server

Step 3: Set up IPA server

Configuring a FreeIPA server is a straightforward process: you only need to answer a few questions and everything is configured for you. If you don’t have a DNS server to resolve the server hostname, modify the /etc/hosts file to include the hostname and IP address.

$ sudo vim /etc/hosts

Configure server hostname to match above name:

sudo hostnamectl set-hostname

Then run ipa-server-install command to configure the IPA server. You need to execute this as root user:

sudo ipa-server-install

You will be prompted to provide answers to a number of questions:

For questions with default answers in square brackets ([]) e.g. Server host name []:, just press enter to confirm if the value in the brackets is correct. If it’s not, type the correct value and then press enter.

$ sudo ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log


This program will set up the IPA Server.

This includes:

* Configure a stand-alone CA (dogtag) for certificate management

* Configure the Network Time Daemon (ntpd)

* Create and configure an instance of Directory Server

* Create and configure a Kerberos Key Distribution Center (KDC)

* Configure Apache (httpd)

* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer

on which you're setting up server software. Using the form



Server host name []: <Press Enter to confirm>

The domain name has been determined based on the host name.

Please confirm the domain name []: <Press Enter to confirm>

The kerberos protocol requires a Realm name to be defined.

This is typically the domain name converted to uppercase.

Please provide a realm name [RENU.AC.UG]: <Press Enter to confirm>

Certain directory server operations require an administrative user.

This user is referred to as the Directory Manager and has full access

to the Directory for system management tasks and will be added to the

instance of directory server created for IPA.

The password must be at least 8 characters long.

Directory Manager password:

Password (confirm):

The IPA server requires an administrative user, named 'admin'.

This user is a regular system account used for IPA server administration.

IPA admin password:

Password (confirm):

The IPA Master Server will be configured with:


IP address(es):

Domain name:

Realm name:     RENU.AC.UG

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.

Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)

[1/4]: stopping ntpd

[2/4]: writing configuration

[3/4]: configuring ntpd to start on boot

[4/4]: starting ntpd

Done configuring NTP daemon (ntpd).

Configuring directory server (dirsrv). Estimated time: 30 seconds


Client configuration complete.

The ipa-server-install command was successful


Setup complete

Next steps:

  1. You must make sure these network ports are open:

TCP Ports:

* 80, 443: HTTP/HTTPS

* 389, 636: LDAP/LDAPS

* 88, 464: kerberos

UDP Ports:

* 88, 464: kerberos

* 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'

This ticket will allow you to use the IPA tools (e.g., ipa user-add)

and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12

These files are required to create replicas. The password for these

files is the Directory Manager password

Step 4: Configure Firewalld for FreeIPA

If you have a firewall service running (Firewalld on CentOS 7.x), you need to open the ports required by the FreeIPA services. The ports to open are:

TCP Ports:

* 80, 443: HTTP/HTTPS

* 389, 636: LDAP/LDAPS

* 88, 464: kerberos

UDP Ports:

* 88, 464: kerberos

* 123: ntp

Use the following commands to configure firewalld:

sudo firewall-cmd --add-service={dns,freeipa-ldap,freeipa-ldaps} --permanent

sudo firewall-cmd --reload

Step 5: Access FreeIPA web interface

Having opened the firewall ports and configured the FreeIPA server, you can access its admin web interface for administration. All IPA tasks can be done from the web interface or with the ipa command line tool. Access the admin dashboard at the URL of your server (replace the hostname with your own).


After logging in, you should see an interface like the one below.


To use ipa command, you need to first get a Kerberos ticket.

# kinit admin

Password for admin@RENU.AC.UG:

Check ticket expiry information using klist.

# klist

Ticket cache: KEYRING:persistent:0:0

Default principal: admin@RENU.AC.UG

Valid starting       Expires              Service principal

18/08/2022 18:45:49  18/08/2022 18:43:44  krbtgt/RENU.AC.UG@RENU.AC.UG

Test by adding a user account and listing accounts present:

# ipa user-add jmutai \
--first=Josphat --last=Mutai \
-- \
--shell=/bin/bash --password


Enter Password again to verify:


Added user jmutai


User login: jmutai

First name: Josphat

Last name: Mutai

Full name: Josphat Mutai

Display name: Josphat Mutai

Initials: JM

Home directory: /home/jmutai

GECOS: Josphat Mutai

Login shell: /bin/bash

Principal name: jmutai@RENU.AC.UG

Principal alias: jmutai@RENU.AC.UG

Email address:

UID: 839400001

GID: 839400001

Password: True

Member of groups: ipausers

Kerberos keys available: True

Get User Accounts:

# ipa user-find


2 users matched


User login: admin

Last name: Administrator

Home directory: /home/admin

Login shell: /bin/bash

Principal alias: admin@RENU.AC.UG

UID: 839400000

GID: 839400000

Account disabled: False

User login: jmutai

First name: Josphat

Last name: Mutai

Home directory: /home/jmutai

Login shell: /bin/bash

Principal name: jmutai@RENU.AC.UG

Principal alias: jmutai@RENU.AC.UG

Email address:

UID: 839400001

GID: 839400001

Account disabled: False


Number of entries returned 2


On your first login with the LDAP account, you’ll be asked to change your password:

$ ssh jmutai@localhost

The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.

ECDSA key fingerprint is SHA256:ZlUOPuCJMftjMABxBWAWX/CXWZEtolp2Mv84nzKDV+4.

ECDSA key fingerprint is MD5:03:61:e8:e5:21:17:98:db:96:d5:75:cb:38:c2:0a:34.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.


Password expired. Change your password now.

Current Password:

New password:

Retype new password:

Could not chdir to home directory /home/jmutai: No such file or directory

Step 6: Secure FreeIPA server with Let’s Encrypt SSL Certificate

After installation, you can secure your FreeIPA Server using SSL. See this link for guidelines.

Part 2: Configuring FreeIPA Replication on CentOS

Once you have FreeIPA server installed and configured, there is no other prerequisite required. You can start FreeIPA Replication.

In this setup, there is a primary FreeIPA server with hostname (set up in part 1), and the replica will be configured with hostname

The IP addresses for the two servers are as below:

Step 1: Configure DNS local hosts file

On both servers, ensure you have hostnames for each server configured. This is important if you don’t have active DNS service in your Infrastructure.

sudo vim /etc/hosts

Ensure you have lines like the ones below, replacing the hostnames with your corresponding IPs: ipa-master ipa-rep1

Ensure hostname is configured correctly:

sudo hostnamectl set-hostname

Step 2: Install FreeIPA Client on Replica Server

First update the packages on the system before beginning the install.

sudo yum -y update

If you get kernel updates, consider rebooting the server for changes to take place.

FreeIPA client is available on repositories for CentOS Linux. Install it using the command:

$ sudo yum install ipa-client

$ sudo ipa-client-install --hostname=`hostname -f` \
--mkhomedir \
-- \
--domain \
--realm RENU.AC.UG

When prompted to provide a Kerberos realm for the server, just skip by pressing the <Enter> key.

Step 3: Install FreeIPA server on Replica

Once the FreeIPA client has been installed and configured, the next step is to install FreeIPA Server on a replica.

sudo yum -y install ipa-server

Test by requesting for a Kerberos ticket on the replica:

[root@ipa-rep1 ~]# kinit admin

Password for admin@RENU.AC.UG:

[root@ipa-rep1 ~]# klist

Ticket cache: KEYRING:persistent:0:0

Default principal: admin@RENU.AC.UG

Valid starting Expires Service principal

08/18/2022 11:58:58 08/18/2022 11:58:56 krbtgt/RENU.AC.UG@RENU.AC.UG

Step 4: Add Replica server to the ipaservers group on the FreeIPA master server

Log in to the FreeIPA server (ipa-master) and add the replica server to the ipaservers group:

[root@ipa-master ~]# kinit admin

Password for admin@RENU.AC.UG

[root@ipa-master ~]# ipa hostgroup-add-member ipaservers --hosts

Host-group: ipaservers

Description: IPA server hosts

Member hosts:,


Number of members added 1


You can see that we now have two member hosts, ipa-master & ipa-rep1.

On the FreeIPA master server, open freeipa-replication on Firewalld if you have an active firewalld service:

sudo firewall-cmd --add-service=freeipa-replication --permanent

sudo firewall-cmd --reload

Step 5: Run the ipa-replica-install on the replica server

At this point, you only have to run the ipa-replica-install command on the replica server to sync the FreeIPA server configuration and get the server ready for clients to connect to.

[root@ipa-rep1 ~]# ipa-replica-install

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Run connection check to master

Connection check OK

Configuring NTP daemon (ntpd)

[1/4]: stopping ntpd

[2/4]: writing configuration

[3/4]: configuring ntpd to start on boot

[4/4]: starting ntpd

Done configuring NTP daemon (ntpd).

Configuring directory server (dirsrv). Estimated time: 30 seconds

[1/42]: creating directory server instance

[2/42]: enabling ldapi

[3/42]: configure autobind for root

[4/42]: stopping directory server

[5/42]: updating configuration in dse.ldif

[6/42]: starting directory server

[7/42]: adding default schema

[8/42]: enabling memberof plugin

[9/42]: enabling winsync plugin

[10/42]: configuring replication version plugin

[11/42]: enabling IPA enrollment plugin

[12/42]: configuring uniqueness plugin

[13/42]: configuring uuid plugin

[14/42]: configuring modrdn plugin

[15/42]: configuring DNS plugin

[16/42]: enabling entryUSN plugin

[17/42]: configuring lockout plugin

[18/42]: configuring topology plugin

[19/42]: creating indices

[20/42]: enabling referential integrity plugin

[21/42]: configuring certmap.conf

[22/42]: configure new location for managed entries

[23/42]: configure dirsrv ccache

[24/42]: enabling SASL mapping fallback

[25/42]: restarting directory server

[26/42]: creating DS keytab

[27/42]: ignore time skew for initial replication

[28/42]: setting up initial replication

Starting replication, please wait until this has completed.

Update in progress, 3 seconds elapsed

Update succeeded

[29/42]: prevent time skew after initial replication

[30/42]: adding sasl mappings to the directory

[31/42]: updating schema

[32/42]: setting Auto Member configuration

[33/42]: enabling S4U2Proxy delegation

[34/42]: initializing group membership

[35/42]: adding master entry

[36/42]: initializing domain level

[37/42]: configuring Posix uid/gid generation

[38/42]: adding replication acis

[39/42]: activating sidgen plugin

[40/42]: activating extdom plugin

[41/42]: tuning directory server

[42/42]: configuring directory to start on boot

Done configuring directory server (dirsrv).

Configuring Kerberos KDC (krb5kdc)

[1/5]: configuring KDC

[2/5]: adding the password extension to the directory

[3/5]: creating anonymous principal

[4/5]: starting the KDC

[5/5]: configuring KDC to start on boot

Done configuring Kerberos KDC (krb5kdc).

Configuring kadmin

[1/2]: starting kadmin

[2/2]: configuring kadmin to start on boot

Done configuring kadmin.

Configuring directory server (dirsrv)

[1/3]: configuring TLS for DS instance

[2/3]: importing CA certificates from LDAP

[3/3]: restarting directory server

Done configuring directory server (dirsrv).

Configuring the web interface (httpd)

[1/22]: stopping httpd

[2/22]: setting mod_nss port to 443

[3/22]: setting mod_nss cipher suite

[4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2

[5/22]: setting mod_nss password file

[6/22]: enabling mod_nss renegotiate

[7/22]: disabling mod_nss OCSP

[8/22]: adding URL rewriting rules

[9/22]: configuring httpd

[10/22]: setting up httpd keytab

[11/22]: configuring Gssproxy

[12/22]: setting up ssl

[13/22]: configure certmonger for renewals

[14/22]: importing CA certificates from LDAP

[15/22]: publish CA cert

[16/22]: clean up any existing httpd ccaches

[17/22]: configuring SELinux for httpd

[18/22]: create KDC proxy config

[19/22]: enable KDC proxy

[20/22]: starting httpd

[21/22]: configuring httpd to start on boot

[22/22]: enabling oddjobd

Done configuring the web interface (httpd).

Configuring ipa-otpd

[1/2]: starting ipa-otpd

[2/2]: configuring ipa-otpd to start on boot

Done configuring ipa-otpd.

Configuring ipa-custodia

[1/4]: Generating ipa-custodia config file

[2/4]: Generating ipa-custodia keys

[3/4]: starting ipa-custodia

[4/4]: configuring ipa-custodia to start on boot

Done configuring ipa-custodia.

Configuring certificate server (pki-tomcatd)

[1/2]: configure certmonger for renewals

[2/2]: Importing RA key

Done configuring certificate server (pki-tomcatd).

Configuring Kerberos KDC (krb5kdc)

[1/1]: installing X509 Certificate for PKINIT

Done configuring Kerberos KDC (krb5kdc).

Applying LDAP updates

Upgrading IPA:. Estimated time: 1 minute 30 seconds

[1/9]: stopping directory server

[2/9]: saving configuration

[3/9]: disabling listeners

[4/9]: enabling DS global lock

[5/9]: starting directory server

[6/9]: upgrading server

[7/9]: stopping directory server

[8/9]: restoring configuration

[9/9]: starting directory server


Restarting the KDC

If the setup was successful, you should not encounter any error.

Step 7: Removing FreeIPA Replica

To remove a FreeIPA replica, first uninstall FreeIPA on the replica server using:

[root@ipa-rep1 ~]# ipa-server-install --uninstall

Then, on the master, delete the replica from the topology and from the ipaservers group:

# ipa-replica-manage del --force

# ipa hostgroup-remove-member ipaservers --hosts

Configuring Failover with Keepalived

Keepalived is a software implementation of the Virtual Router Redundancy Protocol (VRRP) in Linux. Keepalived facilitates high availability in simple and advanced failover situations. In this setting, the FreeIPA servers are set up in pairs, with one being active and the other in standby (backup) mode.

VRRP uses the concept of Virtual IP (VIP) addresses. One or more servers participate in an election to determine the host that will control the shared IP (VIP). Only one host (the master) controls the VIP at a time. If the master fails, VRRP provides mechanisms for detecting that failure and quickly failing over to a standby host.

In this guide, the master host is responsible for the VIP address. If ipa-master fails, then ipa-rep1 takes over this IP address.

Step 1: Installation of Keepalived

Keepalived is available in the standard package repositories and is easily installed using yum.

[root@ipa-master ~]# yum install -y keepalived

[root@ipa-master ~]# keepalived --version

Keepalived v2.0.10 (11/12,2018)

[root@ipa-master ~]# systemctl status keepalived

keepalived.service - LVS and VRRP High Availability Monitor

Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disab

Active: inactive (dead)

You should also know how to compile Keepalived from source. Keepalived is an actively maintained project and regularly receives new features and bug fixes that may not yet be in the packaged version when you need them. The version in the package repositories often carries known bugs, so installing from source lets you run the latest Keepalived release.

As user root:

# Install prerequisites

yum install -y gcc openssl-devel

# Download the latest version of the code. Be sure to check the downloads page for the most recent version:

[root@ipa-master ~]# wget

# Extract the code

[root@ipa-master ~]# tar -xf keepalived-2.0.20.tar.gz

# Run the configure scripts

[root@ipa-master ~]# cd keepalived-2.0.20

[root@ipa-master keepalived-2.0.20]# ./configure

# Build and install keepalived

[root@ipa-master keepalived-2.0.20]# make

[root@ipa-master keepalived-2.0.20]# make install

# Test your installation

[root@ipa-master keepalived-2.0.20]# keepalived --version

Keepalived v2.0.20 (01/22,2020)

Step 2: Configuration of the master and Backup servers

The configuration file for Keepalived is located at /etc/keepalived/keepalived.conf. The most basic Keepalived configuration enables a shared IP address between two servers.

Keepalived offers a number of useful built-in methods to determine the health, and hence the VRRP priority, of a host. For this FreeIPA environment, a custom health check script was written to monitor the status of the IPA service.

The FreeIPA service, on both the master and the backup server, is monitored to determine the health of the host. This triggers a failover if the FreeIPA service on the master stops running.

In this setup, keepalived runs a custom script to determine the health of the host. When the FreeIPA service is up and running, the script writes a value of 10 to a file (/etc/keepalived/ipa-monitor/vrrp_track_file), which keepalived also continuously monitors.

Inside /etc/keepalived, create a directory called ‘ipa-monitor’ and, with the “touch” command, create the vrrp_track_file inside that ‘ipa-monitor’ directory. Do this on both the master and the replica nodes.

As user root on the master node, run:

[root@ipa-master]# cd /etc/keepalived

[root@ipa-master keepalived]# mkdir ipa-monitor

[root@ipa-master keepalived]# touch ipa-monitor/vrrp_track_file

As user root on the replica/backup node, run:

[root@ipa-rep1]# cd /etc/keepalived

[root@ipa-rep1 keepalived]# mkdir ipa-monitor

[root@ipa-rep1 keepalived]# touch ipa-monitor/vrrp_track_file

The script should be saved in the /usr/local/bin folder and made executable:


#!/bin/bash
# Health check run by keepalived (vrrp_script ipa_check).
# Writes 10 to the track file while the IPA service is running and 0 otherwise;
# keepalived adds this value (times the track_file weight) to the node's priority.
service ipa status > /dev/null 2>&1
ipa_status=$?
#/usr/bin/ping -c 1 -W 1 > /dev/null 2>&1
#echo $? > /etc/keepalived/ipa-monitor/vrrp_track_file
if [ "$ipa_status" -eq 0 ]
then
    echo 10 > /etc/keepalived/ipa-monitor/vrrp_track_file
else
    echo 0 > /etc/keepalived/ipa-monitor/vrrp_track_file
fi
#/usr/bin/ping -c 1 -W 1
# Note: the script exits with the status of the last echo (0), so the
# track_script check itself always passes; the track file carries the signal.

NB: Check scripts can be run as a user other than root. While this was not demonstrated in this guide, take a look at the man page and ensure that you’re using the least privileged user possible, to avoid any negative security implications from your check script.

For the master host, this will be the keepalived.conf file:

vrrp_script ipa_check {
    script /usr/local/bin/
    interval 1
    timeout 5
    rise 3
    fall 3
}

vrrp_track_file track_ipa_file {
    file /etc/keepalived/ipa-monitor/vrrp_track_file
}

vrrp_instance ipa-master {
    track_script {
        ipa_check
    }
    track_file {
        track_ipa_file weight 1
    }
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 240
    advert_int 1
    unicast_peer {
        # <IP address of the backup host, ipa-rep1>
    }
    authentication {
        auth_type PASS
        auth_pass clusterpass123
    }
    virtual_ipaddress {
        # <the shared VIP address>
    }
}

For the backup host, this will be the keepalived.conf file:

vrrp_script ipa_check {
    script /usr/local/bin/
    interval 1
    timeout 5
    rise 3
    fall 3
}

vrrp_track_file track_ipa_file {
    file /etc/keepalived/ipa-monitor/vrrp_track_file
}

vrrp_instance ipa-rep1 {
    track_script {
        ipa_check
    }
    track_file {
        track_ipa_file weight 1
    }
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 235
    advert_int 1
    unicast_peer {
        # <IP address of the master host, ipa-master>
    }
    authentication {
        auth_type PASS
        auth_pass clusterpass123
    }
    virtual_ipaddress {
        # <the shared VIP address>
    }
}

  • vrrp_instance defines an individual instance of the VRRP protocol running on an interface. I have arbitrarily named this instance ipa-master and/or ipa-rep1 for each instance.
  • vrrp_script defines the script that is to be monitored by keepalived for the health of the application.
  • state defines the initial state that the instance should start in.
  • interface defines the interface that VRRP runs on.
  • virtual_router_id is the unique identifier that you learned about in the first article of this series.
  • priority is the advertised priority that you learned about in the first article of this series. As you will learn in the next article, priorities can be adjusted at runtime.
  • advert_int specifies the frequency that advertisements are sent at (1 second, in this case).
  • authentication specifies the information necessary for servers participating in VRRP to authenticate with each other. In this case, a simple password is defined.
  • virtual_ipaddress defines the IP addresses (there can be multiple) that VRRP is responsible for.
  • vrrp_track_file: Keepalived also has the ability to make priority decisions based on the contents of a file using this setting, which can be useful if you’re running an application that can write values to this file. For example, in this scenario, there is a background script (ipa_check) that periodically performs a health check on the FreeIPA software (on the master) and writes a value of 10 to a file (/etc/keepalived/ipa-monitor/vrrp_track_file) based on the overall health of the application. This configuration will take the numerical value in the file at /etc/keepalived/ipa-monitor/vrrp_track_file and multiply it by 1 (weight).
  • interval: How often the script should be run (1 second).
  • timeout: How long to wait for the script to return (5 seconds).
  • rise: How many times the script must return successfully in order for the host to be considered “healthy.” In this example, the script must return successfully 3 times. This helps to prevent a “flapping” condition where a single failure (or success) causes the Keepalived state to quickly flip back and forth.
  • fall: How many times the script must return unsuccessfully (or time out) in order for the host to be considered “unhealthy.” This functions as the reverse of the rise directive.
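As an added example (not part of the original guide), the following shell script reproduces keepalived's priority arithmetic for the two configurations above, using the page's values: priority 240 and 235, track_file weight 1, and a health script that writes 10 or 0. It also shows the caveat that the written value times the weight must exceed the 5-point gap between the two priorities, or the backup never outranks a master whose IPA service is down; the clamp to the VRRP range 1..254 and the tie rule are assumptions about keepalived's behaviour, and no keepalived is needed to run it.

```shell
#!/bin/bash
# Added example: simulate keepalived's effective-priority calculation for the
# ipa-master / ipa-rep1 pair described in this guide. Pure arithmetic, no keepalived.

# effective_priority BASE FILE_VALUE WEIGHT
# keepalived adds FILE_VALUE * WEIGHT (the track_file weight) to the configured
# priority and keeps the result within the VRRP range 1..254 (assumed clamp).
effective_priority() {
    local base=$1 value=$2 weight=$3
    local prio=$(( base + value * weight ))
    if [ "$prio" -gt 254 ]; then prio=254; fi
    if [ "$prio" -lt 1 ]; then prio=1; fi
    echo "$prio"
}

# vip_holder MASTER_PRIO BACKUP_PRIO
# The higher effective priority wins the VRRP election. On a tie VRRP falls back
# to the higher primary IP; here we simply let the configured master keep the VIP.
vip_holder() {
    if [ "$1" -ge "$2" ]; then echo ipa-master; else echo ipa-rep1; fi
}

# scenario MASTER_FILE_VALUE BACKUP_FILE_VALUE WEIGHT
# The health script on each node writes 10 when IPA is running and 0 when it is
# not. Prints which node holds the VIP and both effective priorities.
scenario() {
    local m b
    m=$(effective_priority 240 "$1" "$3")   # master: configured priority 240
    b=$(effective_priority 235 "$2" "$3")   # backup: configured priority 235
    echo "$(vip_holder "$m" "$b") master=$m backup=$b"
}

# Both IPA services healthy: the master keeps the VIP (250 vs 245).
scenario 10 10 1
# IPA down on the master only: the backup outranks it (240 vs 245) and takes the VIP.
scenario 0 10 1
# IPA down on both: neither is healthier, the master keeps the VIP (240 vs 235).
scenario 0 0 1
# Caveat: a health value smaller than the priority gap (5) never triggers failover.
scenario 0 3 1
```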

Once the above configuration is in place on both nodes, restart keepalived on both instances and then check the status of the service to ensure that all is well. If the restart was successful, run the ip command to see which host holds the VIP.

As user root on master node, run:

[root@ipa-master]# service keepalived restart

[root@ipa-master]# service keepalived status

[root@ipa-master]# ip --brief a

lo           UNKNOWN    ::1/128

eth0       UP     fe80::b895:70f0:7d0:b356/64

As user root on replica/backup node, run:

[root@ipa-rep1]# service keepalived restart

[root@ipa-rep1]# service keepalived status

[root@ipa-rep1]# ip --brief a

lo           UNKNOWN    ::1/128

eth0       UP    fe80::66d3:1b96:d85a:6d51/64

From the results of the ip command, the master node is currently holding the VIP. To test the failover, stop either the keepalived or IPA service on the master and run the ip command again. The expected results should show the VIP now residing on the interface of the replica/backup node.

Errors encountered:

Step 4 (Add Replica server to the ipaservers group on the FreeIPA master server):

Running the kinit admin command failed with:

kinit: Password incorrect while getting initial credentials

The workaround used was to export a keytab for the admin principal with kadmin.local:

kadmin.local: ktadd -k admin.keytab -norandkey admin@RENU.AC.UG

kadmin.local: exit

Move this keytab file securely to a protected directory on the client. Then run:

kinit -k -t admin.keytab admin@RENU.AC.UG


