





Решение FreeIPA

# cat /etc/docker/daemon.json
{ "userns-remap": "default" }

# service docker restart

docker run --userns=host ...

cat docker-compose.yml
...
    userns_mode: 'host'
...

docker run --name freeipa-server-container -ti -h ipa.example.test --read-only -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server:centos-9-stream

server.corp13.un:~/freeipa# 
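services:
  freeipa:
    image: freeipa/freeipa-server:centos-9-stream
#    read_only: true
#    hostname: server
    hostname: freeipa-server
#    domainname: server.corp13.un
    container_name: freeipa-server
    # HOST:CONTAINER pairs are quoted throughout: Compose expects strings here
    # and an unquoted pair of numbers can be read as a base-60 integer by
    # YAML 1.1 parsers (the "53:53" lines already carried the quotes).
    ports:
      - "80:80"
      - "443:443"
      - "389:389"
      - "636:636"
      - "88:88"
      - "464:464"
      - "88:88/udp"
      - "464:464/udp"
      - "123:123/udp"
      # DNS. These publish on every host interface; together with the
      # `allow-recursion { any; };` added to ipa-options-ext.conf the container
      # becomes an open recursive resolver. Either bind to the server address
      # ("192.168.13.10:53:53/udp", "192.168.13.10:53:53/tcp") or keep the
      # named ACL limited to the local networks.
      - "53:53/udp"
      - "53:53/tcp"
    dns:
      - 172.16.1.254
    restart: unless-stopped
    tty: true
    stdin_open: true
    environment:
      IPA_SERVER_HOSTNAME: server.corp13.un
      IPA_SERVER_IP: 192.168.13.10
      DNS: 172.16.1.254
      TZ: "Europe/Moscow"
      IPA_DOMAIN_NAME: corp13.un
      IPA_REALM_NAME: CORP13.UN
      # Placeholder value, replace before use. The same password is repeated
      # in the command-line flags below, where it is readable via
      # `docker inspect` and in the container's process list; an env file or
      # a Compose secret keeps it out of this file.
      PASSWORD: strongpassword
    command:
      - -U  # short form of --unattended, which is given again below
      - --domain=corp13.un
      - --realm=CORP13.UN
      - --admin-password=strongpassword  # same placeholder as PASSWORD above
      - --http-pin=strongpassword
      - --dirsrv-pin=strongpassword
      - --ds-password=strongpassword
      - --setup-dns
      - --forwarder=172.16.1.254  # upstream resolver for the integrated named
      - --no-ntp
      - --unattended
    # NOTE(review): capabilities kept from the original; with --no-ntp the
    # need for SYS_TIME is not established here — confirm before keeping it.
    cap_add:
      - SYS_TIME
      - NET_ADMIN
    volumes:
#      - /etc/localtime:/etc/localtime:ro
#      - /sys/fs/cgroup:/sys/fs/cgroup:ro
#      - /sys/fs/cgroup:/sys/fs/cgroup
      # Persistent IPA state (CA, named config, certificates); :Z relabels the
      # host directory for SELinux.
      - /opt/freeipa-data:/data:Z
#      - /var/lib/ipa-data:/data:Z
    # Keep IPv6 enabled inside the container.
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
#    security_opt:
#      - "seccomp:unconfined"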

[root@freeipa-server /]# cat /etc/named/ipa-options-ext.conf
server# cat /opt/freeipa-data/etc/named/ipa-options-ext.conf
...
allow-recursion { any; };

[root@freeipa-server /]# systemctl reload named
server# docker exec -ti freeipa-server systemctl reload named

===
gate# ipa-client-install --mkhomedir

client1# hostnamectl hostname client1.corp13.un
client1# ipa-client-install --mkhomedir --enable-dns-updates

---

[root@freeipa-server /]# ipa service-add HTTP/gate.corp13.un

gate.corp13.un:~# ipa-getkeytab -p HTTP/gate.corp13.un -k /etc/krb5.keytab

===
server.corp13.un:~# cat /opt/freeipa-data/etc/ipa/ca.crt

server.corp13.un:~# openssl genrsa -out /etc/gitlab/ssl/$(hostname).key 2048
server.corp13.un:~# openssl req -new -key /etc/gitlab/ssl/$(hostname).key -subj '/CN=server.corp13.un/O=CORP13.UN' -addext 'subjectAltName=DNS:server.corp13.un' -out /opt/freeipa-data/server-gitlab.req

[root@freeipa-server /]# ipa cert-request /data/server-gitlab.req --principal=HTTP/server.corp13.un --certificate-out=/data/server-gitlab.crt

server.corp13.un:~# cp /opt/freeipa-data/server-gitlab.crt -v /etc/gitlab/ssl/$(hostname).crt


gate.corp13.un:~# ipa-getcert request -f /root/gate.crt -k /root/gate.key -K host/gate.corp13.un

###server.corp13.un:~# scp kube1:webd-k8s/webd.req /opt/freeipa-data/
----

ldapsearch -x -b"dc=corp13,dc=un" -H ldap://server "uid=admin"