The FreeIPA system offers similar services as Microsoft's Active Directory but with additional features and services. There is no Windows licensing or Windows Server required. For more information about FreeIPA check out the documentation.

This installation will be deployed using Ansible. The playbooks and roles are provided in the ClusterApp repository and replicated to GitHub. Please note that additional roles and prerequisites may be needed from Anisble Galaxy.

The FreeIPA system can be deployed in an existing environment or be used to create a new infrastructure.


  • LDAP Server - based on the 389 project
  • KDC -  MIT Kerberos implementation
  • PKI based on Dogtag
  • Samba  for Active Directory integration
  • DNS Server based on BIND


  • Multiple servers can easily be configured in a domain in order to provide redundancy and scalability. Multiple domain can be deployed.
  • The LDAP server is the main data store and provides a full multi-master  infrastructure.
  • Single-Sign-on authentication is provided via the MIT Kerberos KDC.  
  • Domain Names can be  managed using the integrated DNS server.
  • Security aspects related to access control, delegation of  administration tasks are fully centralized and managed via a Web UI or command line.


Deploy machines:

Deploy a master server and a replica. Be sure that these machines are at Baseline. There will eventually be a more servers as the system grows with a minimum of two in each site. There is also a plan to join a trust with Active Directory later.

Download the playbooks:

Clone or download the playbook repository. Copy the inventory.example file and edit for your environment. Many of the settings are safe defaults. Detailed installation examples are located at the repo. After the installation is complete, add users and groups to be used for service authentication.

First run the deploy-freeipa playbook.

Login to the primary server and verify the install.

kinit admin Enter the Directory Admin password specified in the playbook

klist View the Kerberos ticket  

Check the web UI at https://master.fqdn

Now run the deploy-freeipa-replica playbook.

Create Users and Groups

Create the user group for DevOps.

ipa group-add --desc='Development' devops

Create a new user and add to the DevOps group.

ipa user-add user1 --first=User --last=One --password

ipa group-add-member --users=user1 development