Stjepan Groš


FreeIPA is an identity solution analogous to Active Directory. Well, almost. It is still in development, but it's already usable. Here you'll find some tips about FreeIPA and its use.

Different clients



This is relatively good software from the user's standpoint, but absolutely horrible when it comes to administration. It doesn't support an external user database. The best you can achieve is to connect it to an LDAP database that is then copied to some local/internal store of O3Spaces. Thus, you can forget about Kerberos and Single Sign On.

An additional inconvenience is that you have to create an account for O3Spaces that will be used to synchronize the LDAP database with O3Spaces' database. Furthermore, O3Spaces will do a simple bind to the LDAP database.


Some random notes on how I integrated Samba 3 with FreeIPA. I'll organize this better as soon as I find some free time:

# ipa-adduser testuser
First name: Test
Last name: User
A database error occurred: Object class violation: missing attribute "sambaSID" required by object class "sambaSamAccount"

In case you need additional information, look at the 389 project documentation, since this is the directory server behind FreeIPA and Samba talks directly to it.

To debug the Samba connection to LDAP you can use the pdbedit tool. It's something like getent for NSS.

Misc stuff

Accessing LDAP

To access LDAP you have two options: simple bind or using a Kerberos ticket.

  1. Using simple bind

    To access LDAP you can try the following command:

    ldapsearch -x -D 'uid=<username>,cn=users,cn=accounts,<base DN>' -W -h <FreeIPA host> -b '<base DN>'

    You can find the base DN by looking into /etc/ldap.conf on the FreeIPA host. There will be a line that starts with base. The argument to this keyword is the base DN you should use.

    In case you get the error ldap_bind: No such object (32), you are probably using the wrong base DN.

  2. Using Kerberos ticket

    Alternatively, you can authenticate to LDAP with a Kerberos ticket. First, obtain a Kerberos ticket for the admin user by issuing the command kinit admin. To check that you have a ticket, use the command klist.

    Search operation is now very easy:

    ldapsearch -h <FreeIPA host> -b '<base DN>' -Y GSSAPI

  3. As a directory manager

    Some attributes and parts of the directory tree are not accessible to the admin user. In that case you have to access LDAP as the directory manager. For example, to access the configuration part of the tree (not accessible to the admin user) use the following command:

    ldapsearch -W -h <FreeIPA host> -b 'cn=config' -D 'cn=Directory Manager'

    Note that you have to provide the password defined during the installation phase.

Maximum username length

The default maximum length of the username is 8 characters, which is quite low, so you need to change this value. The change is easy if you are using the Web interface, but to change it from the command line you have to use the ldapmodify command as follows:

ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaMaxUsernameLength
ipaMaxUsernameLength: 12
EOF

In case you get the following error message:

ldap_modify: Invalid syntax (21)
	additional info: ipaMaxUsernameLength: value #0 invalid per syntax

then there is probably whitespace around the number 12, so it's best to copy those lines into a temporary file, edit them there, and redirect the content of that file to the ldapmodify command.

Default user shell

The default user shell is /bin/sh. You can change it using the same procedure as for the maximum username length, i.e.

ldapmodify -h <FreeIPA host> -Y GSSAPI << EOF
dn: cn=ipaConfig,cn=etc,<base DN>
changetype: modify
replace: ipaDefaultLoginShell
ipaDefaultLoginShell: /bin/bash
EOF

Again, be careful with spaces around the new value.
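
The two ldapmodify changes above (maximum username length and default shell), as an added example that is not part of the original notes: a small POSIX shell helper that strips stray whitespace from the new value, checks it, and writes the LDIF so it can be handed to ldapmodify with -f. The function names, the path check for the shell and the dc=example,dc=com base DN are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: emit a whitespace-clean LDIF for cn=ipaConfig changes.

# trim STRING -> STRING without leading/trailing spaces, tabs or CRs
trim() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# ipaconfig_ldif ATTR VALUE BASE_DN
# Prints an LDIF "replace" record; returns 1 if the value is malformed.
ipaconfig_ldif() {
    attr=$1
    value=$(trim "$2")
    base_dn=$(trim "$3")
    case $attr in
        ipaMaxUsernameLength)
            # Integer syntax: digits only, otherwise the server answers (21)
            case $value in
                ''|*[!0-9]*) echo "not an integer: '$value'" >&2; return 1 ;;
            esac ;;
        ipaDefaultLoginShell)
            # This example's own sanity check: a shell is an absolute path
            case $value in
                /*) ;;
                *) echo "not an absolute path: '$value'" >&2; return 1 ;;
            esac ;;
        *) echo "unsupported attribute: $attr" >&2; return 1 ;;
    esac
    printf 'dn: cn=ipaConfig,cn=etc,%s\n' "$base_dn"
    printf 'changetype: modify\n'
    printf 'replace: %s\n' "$attr"
    printf '%s: %s\n' "$attr" "$value"
}

# ldif_is_clean FILE -> 0 when no line ends in whitespace (CR included)
ldif_is_clean() {
    [ -r "$1" ] && ! grep -q '[[:space:]]$' "$1"
}

# Demo: constructed base DN; the value carries a pasted trailing space.
demo=$(mktemp)
ipaconfig_ldif ipaMaxUsernameLength '12 ' 'dc=example,dc=com' > "$demo"
if ldif_is_clean "$demo"; then
    cat "$demo"  # apply: ldapmodify -h <FreeIPA host> -Y GSSAPI -f "$demo"
fi
rm -f "$demo"
```
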

Specifying UID for new users

The command ipa-addgroup allows the group ID to be specified on the command line, but ipa-adduser does not, at least not in the obvious way. So to achieve this, use the following switch:


Replace NNNN with the number you wish to be the UID for a new user.

Promoting replica into master

Document how to move/promote a master server

Error messages

Here is the list of error messages I encountered while working with FreeIPA along with the solutions.

The following error message appears when for some reason ipa-replica-prepare tries to access the wrong directory server with successful authentication. This happened to me because I was messing with IP addresses and my IPA server thought that it had a different IP address than it really did.

preparation of replica failed: {'desc': 'No such object'}
{'desc': 'No such object'}
  File "/usr/sbin/ipa-replica-prepare", line 284, in 

  File "/usr/sbin/ipa-replica-prepare", line 209, in main

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 323, in do_simple_bind
    self.simple_bind_s(binddn, bindpw)

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 148, in inner
    result_type, data = f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/", line 436, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/", line 440, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/", line 446, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)

  File "/usr/lib/python2.6/site-packages/ipaserver/", line 171, in inner
    return f(*args, **kargs)

  File "/usr/lib64/python2.6/site-packages/ldap/", line 96, in _ldap_call
    result = func(*args,**kwargs)