Installing FreeIPA server on supported platforms is a matter of couple minutes, especially when following Quick Start Guide. However, for people eager to just try the looks and feel of the most recent FreeIPA or just to test their web application with LDAP or Kerberos authentication it may just not be fast enough. For these users, we have prepared a free public instance of FreeIPA server!


The FreeIPA server is running on a Red Hat’s OpenStack instance, on the latest stable Fedora. The server controls a DNS domain named and the correspondiong Kerberos realm DEMO1.FREEIPA.ORG. the server itself is named


The FreeIPA demo server is just a sandbox and is wiped clean every day at 05:00 UTC. In case you had a testing FreeIPA client enrolled, the easiest recovery is to uninstall your client (ipa-client-install --uninstall and install it again). In case you are interested in a more persistent testing environment, try downloading a FreeIPA server on a personal virtual machine.


The FreeIPA domain is configured with the following users (the password is Secret123 for all of them):

  • admin: The FreeIPA main administrator account, has all the privileges

  • helpdesk: A regular user with the helpdesk role allowing it to modify other users or change their group membership

  • employee: A regular user with no special privileges

  • manager: A regular user, set as manager of the employee user


To allow testing group-based authentication we created additional groups in addition to the default FreeIPA ones:

  • employees: contains users employee and manager

  • managers: contains user manager


Besides core FreeIPA services (Directory Server, Kerberos, PKI), the server is also configured with a DNS service and a publicly accessible domain to allow both testing the DNS management interface and DNS dynamic updates.

Quick Start#

To test the Web UI, simply go to the hostname link above, log in and click around! To test integration with a personal system, follow a few easy steps:

1. Install required packages#

# yum install freeipa-client

2. Configure FreeIPA client#

Given that the server owns a publicly accessible DNS domain, client can autodiscover all required information by itself if it knows the right domain:

# ipa-client-install --domain -p admin -w Secret123
Discovery was successful!
DNS Domain:
IPA Server:
BaseDN: dc=demo1,dc=freeipa,dc=org

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Issuer:      CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Valid From:  Tue Apr 22 06:42:34 2014 UTC
    Valid Until: Sat Apr 22 06:42:34 2034 UTC

Enrolled in IPA realm DEMO1.FREEIPA.ORG
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm DEMO1.FREEIPA.ORG
Forwarding 'ping' to server ''
Forwarding 'env' to server ''
Hostname ( not found in DNS
DNS server record set to: ->
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Forwarding 'host_mod' to server ''
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Client is now enrolled in FreeIPA realm and can “see” all it’s users:

$ getent passwd employee
employee:*:1120000003:1120000003:Test Employee:/home/employee:/bin/sh
$ getent group employees

3. Try to log in as FreeIPA user#

$ host has address

$ ssh's password:
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1658800007:krb_ccache_keVNyW5
Default principal: employee@DEMO1.FREEIPA.ORG

Valid starting       Expires              Service principal
06/04/2014 04:33:25  06/05/2014 04:33:25  krbtgt/DEMO1.FREEIPA.ORG@DEMO1.FREEIPA.ORG

4. Try other features#

Knock yourself out! Try SUDO, automount, SELinux user role integration, certificates or any other client features.

FreeIPA team also recommends testing advanced integration of your web application with identity management system like FreeIPA and thus having web application with central user management, Kerberos and authorization, either group based or HBAC based.


In case the demo instance is out of order or you would like to ask for an enhancement, please contact the FreeIPA team.

Other Options#

We would also like to invite you test our Docker FreeIPA server images, they should be easy to set up and run on your host without a need to configure all the virtual machine machinery.