FreeIPA utilizes 389-ds Directory Server as its core component:
cn=users,cn=accounts,$SUFFIX
cn=groups,cn=accounts,$SUFFIX
cn=computers,cn=accounts,$SUFFIX
cn=services,cn=accounts,$SUFFIX
userPassword attribute is used to represent a password
multivalued attribute, may represent multiple password forms (different hashes, clear text)
In standard LDAP schemas many object classes can have passwords:
organization, person, organizationalUnit, domain, simpleSecurityObject, posixAccount, shadowAccount, posixGroup, ipHost
Thanks!