The FreeIPA system offers similar services as Microsoft's Active Directory but with additional features and services. There is no Windows licensing or Windows Server required. For more information about FreeIPA check out the documentation.
This installation is deployed using Ansible. The playbooks and roles are provided in the ClusterApp repository and replicated to GitHub. Please note that additional roles and prerequisites may be needed from Ansible Galaxy.
The FreeIPA system can be deployed in an existing environment or be used to create a new infrastructure.
COMPONENTS
- LDAP Server - based on the 389 project
- KDC - MIT Kerberos implementation
- PKI based on Dogtag
- Samba for Active Directory integration
- DNS Server based on BIND
CAPABILITIES
- Multiple servers can easily be configured in a domain to provide redundancy and scalability. Multiple domains can be deployed.
- The LDAP server is the main data store and provides a full multi-master infrastructure.
- Single-Sign-on authentication is provided via the MIT Kerberos KDC.
- Domain Names can be managed using the integrated DNS server.
- Security aspects such as access control and delegation of administration tasks are fully centralized and managed via a Web UI or the command line.
Installation
Deploy machines:
Deploy a master server and a replica. Be sure that these machines are at Baseline. There will eventually be more servers as the system grows, with a minimum of two in each site. There is also a plan to join a trust with Active Directory later.
Download the playbooks:
Clone or download the playbook repository. Copy the inventory.example file and edit it for your environment. Many of the settings are safe defaults. Detailed installation examples are located in the repo. After the installation is complete, add the users and groups to be used for service authentication.
First run the deploy-freeipa playbook.
Log in to the primary server and verify the install.
kinit admin
Enter the Directory Admin password specified in the playbook when prompted.
klist
View the Kerberos ticket; the admin principal should be listed with a valid expiry.
Check the web UI at https://master.fqdn (substitute the master's actual hostname).
Now run the deploy-freeipa-replica playbook.
Create Users and Groups
Create the user group for DevOps.
ipa group-add --desc='Development' devops
Create a new user and add to the DevOps group.
ipa user-add user1 --first=User --last=One --password
ipa group-add-member --users=user1 devops
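The commands above fail on a second run because `ipa group-add` and `ipa user-add` refuse to create objects that already exist, and they give no confirmation that the membership actually landed. The following script is an added example, not part of the original page or the ClusterApp playbooks: it wraps the same ipa commands so they are safe to re-run, checks for a valid Kerberos ticket first (the `kinit admin` / `klist` step above), and verifies the group membership by parsing the `Member users:` line of `ipa group-show`. It assumes an enrolled client with the `ipa` CLI on the path and the human-readable output format the ipa CLI prints; the script name `freeipa-users.sh`, the `run` argument and the sample `group-show` text in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent group/user setup with
# a membership check. Assumes an enrolled client with the ipa CLI and a valid
# admin ticket obtained with `kinit admin`.
set -eu

GROUP="${GROUP:-devops}"            # group name used on the page
USER_NAME="${USER_NAME:-user1}"     # user name used on the page

# Fail early unless a non-expired Kerberos ticket is in the cache (klist -s is silent).
require_ticket() {
    klist -s
}

# Create the group only if it does not exist yet, so re-running is harmless.
ensure_group() {
    ipa group-show "$1" >/dev/null 2>&1 || ipa group-add --desc="$2" "$1"
}

# Create the user only if missing; --password prompts interactively as on the page.
ensure_user() {
    ipa user-show "$1" >/dev/null 2>&1 || ipa user-add "$1" --first="$2" --last="$3" --password
}

# Turn the "Member users:" line of `ipa group-show` output into one name per line.
# Assumed input shape (constructed sample):
#   Group name: devops
#   Description: Development
#   GID: 12345
#   Member users: user1, user2
extract_members() {
    sed -n 's/^[[:space:]]*Member users:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# Add the user to the group unless it is already a member (group-add-member
# reports a failure for an existing member, which would abort under set -e).
ensure_member() {
    if ipa group-show "$1" | extract_members | grep -qx "$2"; then
        return 0
    fi
    ipa group-add-member --users="$2" "$1"
}

# Final verification: exit non-zero if the user is still not listed as a member.
verify_member() {
    ipa group-show "$1" | extract_members | grep -qx "$2"
}

main() {
    require_ticket
    ensure_group "$GROUP" "Development"
    ensure_user "$USER_NAME" "User" "One"
    ensure_member "$GROUP" "$USER_NAME"
    verify_member "$GROUP" "$USER_NAME"
    echo "Members of $GROUP:"
    ipa group-show "$GROUP" | extract_members
}

# Only run the workflow when invoked as `sh freeipa-users.sh run`; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh freeipa-users.sh run` after `kinit admin`; override `GROUP` and `USER_NAME` in the environment to create additional accounts. The parsing helper is kept separate from the ipa calls so the membership check can be exercised against captured `group-show` output without a live server.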