FreeIPA
https://github.com/freeipa/freeipa-container/blob/master/README
https://github.com/freeipa/freeipa-container#running-freeipa-server-container
https://hub.docker.com/r/freeipa/freeipa-server/
https://www.altlinux.org/FreeIPA/%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D0%B0_FreeIPA
https://docs.altlinux.org/ru-RU/domain/10.2/html/freeipa/ch01s08.html
https://freeipa.readthedocs.io/en/latest/workshop/1-server-install.html
Installation
Docker run
docker run --name freeipa-server -ti \
  -h ipa.workgroup.test --read-only \
  --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  -v ~/volumes/freeipa/data:/data freeipa/freeipa-server:rocky-9 ipa-server-install --skip-mem-check
Docker compose (cgroups v2, without DNS)
---
services:
  freeipa:
    image: freeipa/freeipa-server:rocky-9
    container_name: freeipa-server
    restart: unless-stopped
    ports:
      - 123:123/udp
      - 389:389
      - 443:443
      - 464:464
      - 464:464/udp
      - 636:636
      - 80:80
      - 88:88
      - 88:88/udp
    tty: true
    stdin_open: true
    cgroup: host
    environment:
      IPA_SERVER_HOSTNAME: ipa.workgroup.test
      IPA_SERVER_INSTALL_OPTS: "-n workgroup.test -r WORKGROUP.TEST --skip-mem-check -U"
      PASSWORD: "123456Qwerty"
      TZ: "Europe/Moscow"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
      - ~/volumes/freeipa/data:/data
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
PASSWORD is the initial admin and Directory Manager password and is stored in this file in clear text; replace the placeholder value and keep the compose file out of version control. -U makes the install unattended, -n and -r set the IPA domain and realm, and IPA_SERVER_HOSTNAME must be a fully qualified name inside that domain.
Stopping and cleaning up data after a failed installation
docker rm -f freeipa-server
sudo rm -rf ~/volumes/freeipa/data/*
Installation result
The IPA Master Server will be configured with:
Hostname:       ipa.workgroup.test
IP address(es): 172.17.0.2
Domain name:    workgroup.test
Realm name:     WORKGROUP.TEST

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=WORKGROUP.TEST
Subject base: O=WORKGROUP.TEST
Chaining:     self-signed

1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

3. Kerberos requires time synchronization between clients
   and servers for correct operation. You should consider enabling chronyd.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
Errors
Configuring certificate server (pki-tomcatd)
On initial installation
  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The hostname passed to the container (-h in docker run, IPA_SERVER_HOSTNAME in compose) must be a fully qualified name inside the IPA domain, e.g. ipa.workgroup.test; a bare or mismatched hostname makes the CA configuration step fail.
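The following preflight script is an added example for this page, not code from the freeipa-container project. It checks the values the container install depends on (a fully qualified hostname that lies inside the IPA domain, a realm equal to the upper-cased domain, an admin password of at least 8 characters, which is ipa-server-install's own minimum) and prints the docker run line used above with those values filled in. The image tag and data volume path are the ones used on this page; the script name freeipa-preflight.sh is assumed.

```shell
#!/bin/sh
# freeipa-preflight.sh: added example, not part of the freeipa-container project.
# Validates hostname/domain/realm/password for a FreeIPA container install and
# prints the docker run command from this page with those values filled in.
IMAGE=freeipa/freeipa-server:rocky-9      # image used on this page
DATA_DIR=~/volumes/freeipa/data          # data volume used on this page

# At least two DNS labels; letters, digits and hyphens only.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# The server name must be <host>.<ipa-domain>; a bare name or a host in
# another domain is what makes the CA (pki-tomcatd) step fail.
hostname_in_domain() {
    prefix=${1%."$2"}
    [ "$prefix" != "$1" ] && [ -n "$prefix" ]
}

# FreeIPA realms are conventionally the upper-cased DNS domain.
realm_for() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# ipa-server-install rejects admin/Directory Manager passwords shorter than 8.
check_password() {
    [ "${#1}" -ge 8 ]
}

# Runs all checks; prints one line per failure, returns non-zero on any.
validate() {
    host=$1 domain=$2 password=${3:-}
    rc=0
    is_fqdn "$host"   || { echo "hostname '$host' is not a FQDN"; rc=1; }
    is_fqdn "$domain" || { echo "domain '$domain' is not a valid DNS domain"; rc=1; }
    hostname_in_domain "$host" "$domain" ||
        { echo "hostname '$host' is not inside domain '$domain'"; rc=1; }
    if [ -n "$password" ]; then
        check_password "$password" || { echo "password shorter than 8 characters"; rc=1; }
    fi
    return $rc
}

# Prints the page's docker run command for the given host/domain/realm.
# With a password the install is unattended (-U) and PASSWORD is passed via
# the environment; without one, ipa-server-install prompts on the tty.
build_run_cmd() {
    host=$1 domain=$2 realm=$3 password=${4:-}
    printf 'docker run --name freeipa-server -ti -h %s --read-only \\\n' "$host"
    printf '  --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw \\\n'
    printf '  --sysctl net.ipv6.conf.all.disable_ipv6=0 \\\n'
    [ -n "$password" ] && printf '  -e PASSWORD=%s \\\n' "$password"
    printf '  -v %s:/data %s \\\n' "$DATA_DIR" "$IMAGE"
    printf '  ipa-server-install -n %s -r %s --skip-mem-check%s\n' \
        "$domain" "$realm" "${password:+ -U}"
}

main() {
    host=$1 domain=$2 password=${3:-}
    realm=$(realm_for "$domain")
    validate "$host" "$domain" "$password" || { echo "preflight failed" >&2; return 1; }
    # The container re-enables IPv6 via --sysctl, but the host kernel must have it.
    [ -e /proc/sys/net/ipv6 ] || echo "warning: no IPv6 support in the host kernel" >&2
    build_run_cmd "$host" "$domain" "$realm" "$password"
}

# Usage: sh freeipa-preflight.sh ipa.workgroup.test workgroup.test [password]
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it with the hostname and domain you intend to use before the first `docker run`; if it reports that the hostname is not inside the domain, the container would have failed at the pki-tomcatd step described above, and the data directory would have needed the cleanup shown earlier. Passing the password as a third argument puts it in the printed command line; for the compose variant keep it in an env file rather than in the committed compose file.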
service/freeipa.1724314321.txt.gz · Last modified: 22.08.2024 08:12 by viacheslav