Use FreeIPA for Kerberos

FreeIPA is a free, open source identity management system for Linux/UNIX environments. It is built on Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (certificate system); its main purpose is to provide centralized account management and authentication.

To ensure security, ADQM uses Kerberos, LDAP, SSL certificates/keys, and other related technologies. For such a set of tools, FreeIPA is a good fit as an identity management system.

To enable FreeIPA for an ADQM cluster, use ADCM. During kerberization, ADCM installs IPA clients on each cluster node and connects clients to the FreeIPA server using the provided FreeIPA Kerberos parameters.

In this tutorial, a sample single-node FreeIPA server is used to demonstrate the procedure. It is deployed on the freeipa-server.ru-central1.internal host with the CentOS operating system. This is a basic FreeIPA installation (yum install ipa-server) with default installation parameters.

Start FreeIPA on ADQM cluster

To kerberize a cluster using FreeIPA, follow the steps below:

  1. On the Clusters page of the ADCM interface, select the installed and prepared ADQM cluster.

  2. Enable Kerberos for the cluster: click the Actions icon and select the Manage Kerberos action.

    Manage Kerberos action
  3. Turn on the Existing FreeIPA option and specify FreeIPA Kerberos parameters.

    FreeIPA parameters
  4. Click Run and wait for the cluster kerberization to complete. On the Jobs page, you can monitor the progress and result of the Manage Kerberos task execution.

After Kerberos is successfully installed on the ADQM cluster, the corresponding settings appear on the cluster configuration page (in the Kerberos section) and on the ADQMDB service configuration page (in the Kerberos configuration section).

FreeIPA Kerberos parameters

The following parameters are required to kerberize an ADQM cluster with FreeIPA. To obtain the actual values for these parameters, run ipa user-find <ipa_admin> on your FreeIPA server, where <ipa_admin> is the IPA Admin username.

Parameter                   Description

KDC hosts                   One or more KDC hosts with running FreeIPA server(s)
Realm                       Kerberos realm used to connect to the FreeIPA server
Domains                     One or more domains associated with FreeIPA
Kadmin server               Host where kadmin is running
Kadmin principal            Principal name used to connect via kadmin, for example admin@RU-CENTRAL1.INTERNAL
Kadmin password             IPA Admin password
IpaClient No NTP Autoconf   Disables the NTP configuration during the IPA client installation
IpaClient No DNS Lookup     Disables the DNS lookup for the FreeIPA server during the IPA client installation

Check FreeIPA integration

After a successful kerberization, ADQM commands can run on cluster nodes only after a Kerberos ticket has been obtained. The example below demonstrates how to access a cluster kerberized with FreeIPA:

  1. Create an ADQM user that matches an account existing in the FreeIPA domain. To do this, use the IDENTIFIED WITH kerberos clause in the CREATE USER query:

    CREATE USER adqm_kerb_freeipa IDENTIFIED WITH kerberos;
  2. Create a Kerberos ticket for the user principal:

    $ kinit adqm_kerb_freeipa@RU-CENTRAL1.INTERNAL

    Enter a password:

    Password for adqm_kerb_freeipa@RU-CENTRAL1.INTERNAL:

    The kinit article of the MIT Kerberos documentation describes all available options of the kinit command.

  3. Check the ticket:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: adqm_kerb_freeipa@RU-CENTRAL1.INTERNAL
    
    Valid starting       Expires              Service principal
    05/10/2023 10:20:30  05/11/2023 10:20:30  krbtgt/RU-CENTRAL1.INTERNAL@RU-CENTRAL1.INTERNAL
  4. To test authentication via Kerberos, send a command to ADQM using a curl build that supports the SPNEGO mechanism:

    $ echo "select currentUser()" | curl --negotiate -u : http://<host_name>:8123/ --data-binary @-

    In case of successful authentication, the command returns the name of the kerberized user:

    adqm_kerb_freeipa
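The four checks above can be combined into one script that fails on the first problem: no valid ticket, a ticket from another realm, or ADQM answering under a different identity. This is an added example, not ADQM's own tooling; it assumes the ADQM HTTP port 8123 on localhost, the realm RU-CENTRAL1.INTERNAL from this tutorial, and that the script is saved as check_freeipa.sh.

```shell
#!/bin/sh
# Added check for the FreeIPA kerberization described above (not ADQM's own code).
# Assumptions: ADQM HTTP port 8123 on localhost, realm RU-CENTRAL1.INTERNAL,
# script saved as check_freeipa.sh; override REALM/ADQM_URL via environment.

REALM="${REALM:-RU-CENTRAL1.INTERNAL}"
ADQM_URL="${ADQM_URL:-http://localhost:8123/}"

# Extract the default principal from klist output read on stdin.
klist_principal() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# Verify the principal belongs to the expected realm and print its user part.
# Returns 1 otherwise: a ticket from another realm will not be accepted.
check_realm() {
    principal="$1"; expected="$2"
    case "$principal" in
        *@"$expected") printf '%s\n' "${principal%@*}"; return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the name returned by currentUser() with the ticket's user part.
# A mismatch means authentication did not succeed as the ticket's user
# (curl then returns an error message instead of a user name).
verify_identity() {
    ticket_user="$1"; adqm_user="$2"
    [ "$(printf '%s' "$adqm_user" | tr -d '[:space:]')" = "$ticket_user" ]
}

main() {
    # klist -s exits non-zero when the credential cache has no valid ticket.
    klist -s || { echo "no valid ticket; run kinit first" >&2; return 1; }
    principal="$(klist | klist_principal)"
    user="$(check_realm "$principal" "$REALM")" \
        || { echo "ticket realm is not $REALM: $principal" >&2; return 1; }
    answer="$(echo 'select currentUser()' \
        | curl -sS --negotiate -u : "$ADQM_URL" --data-binary @-)"
    verify_identity "$user" "$answer" \
        || { echo "ADQM returned '$answer', expected '$user'" >&2; return 1; }
    echo "Kerberos authentication OK as $user"
}

# Run the check only when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "check_freeipa.sh" ]; then
    main
fi
```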