The official FreeIPA container image requires a one-time installation process before running. For installation, a file containing ipa-server-install options should be provided, and Docker command should be ipa-server-install -U.
To complete this one-time process, create a docker-compose YAML file:
Then start the process by docker-compose -f install.yml up. After installation is success, start the FreeIPA server container with docker-compose -f run.yml up:
LDAP Service Account
There are some LDAP clients that need a pre-configured account. Do not use the Directory Manager account to authenticate remote services to the IPA LDAP server. A service account could be created like this:
The reason to use an account like this rather than creating a normal user account in IPA and using that is that the system account exists only for binding to LDAP. It is not a real POSIX user, can’t log into any systems and doesn’t own any files.
This use also has no special rights and is unable to write any data in the IPA LDAP server, only read.
Allow Anonymous to Read mail Attribute
By default only bound (or authenticated) users are allowed to read mail attribute. For internal usage, querying the attribute anonymously is safe.
theoretically, after image is changed, FreeIPA container will start upgrade process automatically. But there was some common issues during the upgrade.
DIRSRV Failed to Start
So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is by editing dse.ldif and removing cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.
SSSD Failed to Start
SSSD will fail to start if the permission and owner of configuration file at/etc/sssd/sssd/.conf isn't set properly.
Then we will create a sakuragawa-sso.env to store all authentication backed related environment variables. Since there is still issues with Keycloak backend, we will turn to use OpenID Connect (OIDC) backend here.
Then create an orchestration file which includes global settings: