FreeIPA
Draft version. Content is hallucinated. Do not use!

Deploy IPA with Ansible FreeIPA

Automated deployment of FreeIPA server, replica, and client using ansible-freeipa playbooks for efficient infrastructure setup.

Level: intermediate. Estimated time: 60 minutes.

Prerequisites

  • Ansible 2.9+ installed on control node
  • 3+ target servers (1 server, 1 replica, 1+ clients)
  • SSH access with sudo privileges to all target hosts
  • Basic understanding of Ansible playbooks
  • DNS properly configured or planning to use IPA DNS

Overview

This tutorial demonstrates how to deploy a complete FreeIPA infrastructure using the ansible-freeipa collection. You’ll automate the installation of a FreeIPA server, configure a replica for high availability, and enroll client systems—all through Ansible playbooks.

The ansible-freeipa collection provides idempotent, declarative configuration management for FreeIPA, making it ideal for production deployments and infrastructure-as-code workflows.

Architecture

In this tutorial, you’ll deploy:

  1. IPA Server (ipaserver.example.com) - Primary identity management server
  2. IPA Replica (ipareplica.example.com) - Replica for redundancy
  3. IPA Client(s) (client1.example.com) - Enrolled client system(s)

Prerequisites Check

Ensure you have:

  • Control Node: System with Ansible 2.9+ installed
  • Target Servers:
    • 1x server (RHEL/CentOS 8+, 2GB RAM, 10GB disk)
    • 1x replica (RHEL/CentOS 8+, 2GB RAM, 10GB disk)
    • 1+ clients (RHEL/CentOS 7+)
  • Network: All hosts can reach each other via FQDN
  • DNS: Either existing DNS or planning to use IPA integrated DNS
  • SSH Access: Ansible can connect to all hosts with sudo

Verify Ansible version:

ansible --version
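The first line of ansible --version reads "ansible 2.9.27" on pre-2.10 releases and "ansible [core 2.15.3]" on ansible-core, so a plain string comparison is easy to get wrong. The script below is an added example, not part of this tutorial or of ansible-freeipa: it parses either form and checks it against the 2.9 minimum. The sample outputs at the bottom are constructed so it runs offline; on a real control node pass it "$(ansible --version)".

```shell
#!/bin/sh
# Added example (not from the tutorial): check that `ansible --version`
# reports at least the 2.9 release this tutorial requires. The first output
# line is "ansible 2.9.27" on older releases and "ansible [core 2.15.3]" on
# ansible-core, so both forms are parsed.

MIN_ANSIBLE="2.9"

# $1: full text of `ansible --version`. Prints MAJOR.MINOR from its first line.
ansible_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | grep -o '[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# $1: version MAJOR.MINOR, $2: minimum MAJOR.MINOR. Returns 0 when $1 >= $2.
version_at_least() {
    major=${1%%.*}; minor=${1#*.}
    min_major=${2%%.*}; min_minor=${2#*.}
    if [ "$major" -gt "$min_major" ]; then return 0; fi
    if [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; then return 0; fi
    return 1
}

# $1: captured `ansible --version` text. Returns 0 if acceptable, 1 if too old,
# 2 if no version could be parsed from the output.
check_ansible_version() {
    ver=$(ansible_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "could not parse an ansible version from the output" >&2
        return 2
    fi
    if version_at_least "$ver" "$MIN_ANSIBLE"; then
        echo "ansible $ver meets the minimum $MIN_ANSIBLE"
        return 0
    fi
    echo "ansible $ver is older than the required $MIN_ANSIBLE" >&2
    return 1
}

# Constructed sample outputs so the script can be exercised offline.
SAMPLE_CORE='ansible [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  python version = 3.11.4'
SAMPLE_LEGACY='ansible 2.8.5
  config file = /etc/ansible/ansible.cfg'

check_ansible_version "$SAMPLE_CORE"
check_ansible_version "$SAMPLE_LEGACY" || echo "(old release rejected as expected)"
# On a real control node: check_ansible_version "$(ansible --version)"
```

The comparison is done on the major and minor numbers as integers rather than on the version string, so "2.10" correctly sorts after "2.9".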

Step 1: Install ansible-freeipa Collection

Install the ansible-freeipa collection from Ansible Galaxy:

ansible-galaxy collection install freeipa.ansible_freeipa

Verify installation:

ansible-galaxy collection list | grep freeipa

You should see freeipa.ansible_freeipa version 1.x or higher.

Step 2: Create Inventory File

Create an Ansible inventory file inventory/hosts.ini:

[ipaserver]
ipaserver.example.com

[ipareplicas]
ipareplica.example.com

[ipaclients]
client1.example.com
client2.example.com

[ipacluster:children]
ipaserver
ipareplicas
ipaclients

[ipacluster:vars]
ipaadmin_password=SecureAdminPassword123
ipadm_password=SecureDMPassword123
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM

The ipaclients group is part of ipacluster so that the client role also receives ipaadmin_password (the credential used to enroll hosts) and the domain and realm variables it falls back on; without this, client enrollment in Step 8 fails for lack of credentials.

Security Note: In production, use Ansible Vault to encrypt sensitive passwords.

Step 3: Configure Ansible Variables

Create a variables file group_vars/all.yml:

---
# FreeIPA Server Configuration
ipaserver_setup_dns: yes                 # install the integrated DNS server
ipaserver_auto_forwarders: yes           # use the forwarders from the server's /etc/resolv.conf
ipaserver_no_host_dns: yes               # do not use DNS to look up the host during installation
ipaserver_no_dnssec_validation: yes      # disables DNSSEC validation in IPA DNS; only set this when the upstream forwarders cannot return DNSSEC-validated answers

# Firewall Configuration
ipaserver_setup_firewalld: yes           # open the IPA ports in firewalld on the server

# Replica Configuration
ipareplica_setup_dns: yes                # the replica also serves DNS
ipareplica_setup_ca: yes                 # the replica also runs a CA, so the server is not a single point of failure for certificates

# Client Configuration
ipaclient_mkhomedir: yes                 # create home directories on first login
ipaclient_configure_dns_resolver: yes    # point the client's resolver at the IPA DNS servers

For custom DNS forwarders, add to group_vars/all.yml:

ipaserver_forwarders:
  - 8.8.8.8
  - 8.8.4.4
ipaserver_no_forwarders: no

Step 4: Deploy the IPA Server

Create a playbook deploy-server.yml:

---
- name: Deploy FreeIPA Server
  hosts: ipaserver
  become: yes

  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      state: present

Run the playbook:

ansible-playbook -i inventory/hosts.ini deploy-server.yml

This will:

  • Install FreeIPA server packages
  • Configure DNS (if enabled)
  • Set up Directory Server and Kerberos
  • Configure the Certificate Authority
  • Open firewall ports
  • Start all IPA services

Duration: 10-15 minutes for server installation.

Step 5: Verify Server Installation

After deployment, verify the server:

ansible ipaserver -i inventory/hosts.ini -m shell -a "ipactl status" -b

You should see all services running (Directory Server, KDC, DNS, HTTP, CA).
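Eyeballing ipactl status works for one server, but a check that returns non-zero is what you want in a pipeline. The script below is an added example, not part of this tutorial or of ansible-freeipa: it reads ipactl status output on stdin (including the header line the ansible ad-hoc command prints), reports any service that is not RUNNING, and reports any required service that is missing altogether. The two sample outputs are constructed; the service names and the "<name> Service: <STATE>" line format are ipactl's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or the ansible-freeipa project): parse
# `ipactl status` output and fail unless every reported service is RUNNING
# and every service named in REQUIRED_SERVICES appears at all.
# Intended use on the control node, piping the ad-hoc command from Step 5:
#   ansible ipaserver -i inventory/hosts.ini -m shell -a "ipactl status" -b \
#     | check_ipactl_status

# Services that must be present on a server installed with DNS and CA
# (drop "named" for a server installed with ipaserver_setup_dns: no).
REQUIRED_SERVICES="Directory krb5kdc kadmin httpd pki-tomcatd named"

# Reads ipactl output on stdin; prints every problem found; returns 0 only
# when all required services are present and every listed service is RUNNING.
check_ipactl_status() {
    problems=0
    seen=""
    while IFS= read -r line; do
        case "$line" in
            *" Service: "*) ;;   # a service status line; everything else is ignored
            *) continue ;;
        esac
        name=${line%% Service: *}
        state=${line##* Service: }
        seen="$seen $name"
        if [ "$state" != "RUNNING" ]; then
            echo "NOT RUNNING: $name ($state)"
            problems=$((problems + 1))
        fi
    done
    for svc in $REQUIRED_SERVICES; do
        case " $seen " in
            *" $svc "*) ;;
            *) echo "MISSING: $svc"; problems=$((problems + 1)) ;;
        esac
    done
    if [ "$problems" -eq 0 ]; then
        echo "all IPA services running"
        return 0
    fi
    return 1
}

# Constructed sample outputs so the script can be exercised offline.
SAMPLE_HEALTHY='ipaserver.example.com | CHANGED | rc=0 >>
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful'

SAMPLE_DEGRADED='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'

printf '%s\n' "$SAMPLE_HEALTHY" | check_ipactl_status
printf '%s\n' "$SAMPLE_DEGRADED" | check_ipactl_status || echo "(degraded sample flagged as expected)"
```

Checking for missing services matters as much as checking states: a server installed without DNS or whose CA failed to configure simply omits the named or pki-tomcatd line, and a check that only looks for non-RUNNING states would report it healthy.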

Step 6: Deploy the IPA Replica

Create a playbook deploy-replica.yml:

---
- name: Deploy FreeIPA Replica
  hosts: ipareplicas
  become: yes

  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present

Run the playbook:

ansible-playbook -i inventory/hosts.ini deploy-replica.yml

This will:

  • Enroll the replica as a client
  • Install replica components
  • Configure replication agreements
  • Set up DNS and CA replication
  • Start replica services

Duration: 10-15 minutes for replica installation.

Step 7: Verify Replication

Check replication status from the control node:

ansible ipaserver -i inventory/hosts.ini -m shell \
  -a "echo 'SecureAdminPassword123' | kinit admin && ipa-replica-manage list" -b

You should see the replica listed with replication agreements.

Step 8: Enroll IPA Clients

Create a playbook deploy-clients.yml:

---
- name: Enroll FreeIPA Clients
  hosts: ipaclients
  become: yes

  roles:
    - role: freeipa.ansible_freeipa.ipaclient
      state: present

Run the playbook:

ansible-playbook -i inventory/hosts.ini deploy-clients.yml

This will:

  • Install client packages
  • Discover IPA server via DNS
  • Configure Kerberos and SSSD
  • Create home directories on login
  • Update DNS resolver settings

Duration: 2-3 minutes per client.

Step 9: Verify Client Enrollment

Test client authentication:

ansible ipaclients -i inventory/hosts.ini -m shell \
  -a "echo 'SecureAdminPassword123' | kinit admin && klist" -b

You should see a valid Kerberos ticket for admin@EXAMPLE.COM.

Complete Deployment Playbook

For a single playbook to deploy everything, create deploy-all.yml:

---
- name: Deploy FreeIPA Server
  hosts: ipaserver
  become: yes
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      state: present

- name: Deploy FreeIPA Replica
  hosts: ipareplicas
  become: yes
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present

- name: Enroll FreeIPA Clients
  hosts: ipaclients
  become: yes
  roles:
    - role: freeipa.ansible_freeipa.ipaclient
      state: present

Run the complete deployment:

ansible-playbook -i inventory/hosts.ini deploy-all.yml

Advanced Configuration

Using Ansible Vault for Passwords

Ansible applies group_vars/all.yml, and every file in a group_vars/all/ directory, to all hosts; a file named group_vars/vault.yml would instead apply only to a group called vault. Keep the variables for all hosts together: move group_vars/all.yml to group_vars/all/vars.yml, then create the encrypted file next to it:

ansible-vault create group_vars/all/vault.yml

Add passwords:

---
vault_ipaadmin_password: SecureAdminPassword123
vault_ipadm_password: SecureDMPassword123

Reference them from group_vars/all/vars.yml, and delete the plaintext ipaadmin_password and ipadm_password lines from [ipacluster:vars] in inventory/hosts.ini so that no unencrypted copy of the secrets remains:

ipaadmin_password: "{{ vault_ipaadmin_password }}"
ipadm_password: "{{ vault_ipadm_password }}"

Run with vault:

ansible-playbook -i inventory/hosts.ini deploy-all.yml --ask-vault-pass
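Moving the passwords into a vault file is only half the job; the other half is making sure a plaintext copy never creeps back into the inventory or a vars file, and that the vault file itself was actually encrypted. The script below is an added example, not part of this tutorial or of ansible-freeipa, written for a pre-commit hook or CI step: it scans a playbook directory for ipaadmin_password, ipadm_password and password assignments, skips files that carry the $ANSIBLE_VAULT header, and flags any remaining value that is not a Jinja reference. It also applies to the Security Note in Step 2. The directory tree it builds is constructed for the demonstration; the vault file there is a stand-in with only the header, not real ansible-vault output.

```shell
#!/bin/sh
# Added example (not part of the tutorial or of ansible-freeipa): a pre-commit
# style scan that flags IPA passwords stored in plaintext in inventory or
# variable files. A password line passes only if the file is ansible-vault
# encrypted (starts with $ANSIBLE_VAULT) or the value is a Jinja reference
# such as "{{ vault_ipaadmin_password }}". The vault_ prefix is matched as well
# so a vault.yml that was created but never encrypted is caught.

# $1: playbook directory to scan. Prints "file:line" for each plaintext
# password found; returns 1 if any were found, 0 if the tree is clean.
find_plaintext_ipa_passwords() {
    found=0
    # Plain for-in over find output: paths with whitespace are not expected in a playbook tree.
    for f in $(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' -o -name '*.ini' \) | sort); do
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue   # encrypted by ansible-vault: contents are opaque, nothing to flag
        fi
        # YAML "key: value" or INI "key=value" password assignments whose value is not "{{ ... }}"
        hits=$(grep -nE '^[[:space:]]*(vault_)?(ipaadmin_password|ipadm_password|password)[[:space:]]*[:=]' "$f" \
               | grep -vE '[:=][[:space:]]*"?[{][{]' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r h; do
                echo "$f:${h%%:*}"
            done
            found=1
        fi
    done
    return "$found"
}

# Constructed demo tree: the plaintext inventory from Step 2 (bad), a vars file
# that only references vault variables (good) and a stand-in vault file (skipped).
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/inventory" "$DEMO_DIR/group_vars/all"
cat > "$DEMO_DIR/inventory/hosts.ini" <<'EOF'
[ipacluster:vars]
ipaadmin_password=SecureAdminPassword123
ipaserver_domain=example.com
EOF
cat > "$DEMO_DIR/group_vars/all/vars.yml" <<'EOF'
---
ipaadmin_password: "{{ vault_ipaadmin_password }}"
ipadm_password: "{{ vault_ipadm_password }}"
EOF
# Constructed stand-in for an ansible-vault file: only the header line matters to the scan.
printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n' > "$DEMO_DIR/group_vars/all/vault.yml"

find_plaintext_ipa_passwords "$DEMO_DIR" || echo "plaintext IPA passwords found; move them into the vault"
```

Run it as find_plaintext_ipa_passwords . from the playbook directory; a non-zero exit is what a pre-commit hook or CI job needs to block the commit.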

Custom DNS Configuration

For specific DNS settings, add to variables:

ipaserver_setup_dns: yes
ipaserver_forwarders:
  - 1.1.1.1
  - 1.0.0.1
ipaserver_reverse_zones:
  - 1.168.192.in-addr.arpa
ipaserver_allow_zone_overlap: yes

Firewall Configuration

Disable automatic firewall setup (if managing separately):

ipaserver_setup_firewalld: no
ipareplica_setup_firewalld: no

Client-Specific Configuration

Configure per-client settings using host variables in host_vars/client1.example.com.yml:

---
ipaclient_mkhomedir: yes
ipaclient_configure_dns_resolver: no
ipaclient_force_join: yes

Managing IPA with Ansible

After deployment, use ansible-freeipa modules to manage IPA:

Add Users

Create manage-users.yml:

---
- name: Manage IPA Users
  hosts: ipaserver[0]
  become: yes

  tasks:
    - name: Ensure user exists
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: jdoe
        first: John
        last: Doe
        email: jdoe@example.com
        password: "TempPassword123"
        state: present

Add Groups

- name: Ensure group exists
  freeipa.ansible_freeipa.ipagroup:
    ipaadmin_password: "{{ ipaadmin_password }}"
    name: developers
    description: Development team
    user:
      - jdoe
    state: present

Configure DNS Records

- name: Add DNS A record
  freeipa.ansible_freeipa.ipadnsrecord:
    ipaadmin_password: "{{ ipaadmin_password }}"
    zone_name: example.com
    name: web
    a_rec: 192.168.1.100
    state: present

Troubleshooting

Server Installation Fails

Check prerequisites:

ansible ipaserver -i inventory/hosts.ini -m shell \
  -a "hostname -f && cat /etc/hosts" -b

Ensure FQDN is properly configured and resolvable.

Replica Connection Issues

Verify network connectivity:

ansible ipareplicas -i inventory/hosts.ini -m shell \
  -a "ping -c 3 ipaserver.example.com" -b

Check firewall rules:

ansible ipaserver -i inventory/hosts.ini -m shell \
  -a "firewall-cmd --list-all" -b

Client Enrollment Fails

Check IPA server discovery:

ansible ipaclients -i inventory/hosts.ini -m shell \
  -a "dig -t SRV _ldap._tcp.example.com" -b
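Client discovery succeeds only if the SRV query actually returns at least one target, so it helps to extract the advertised servers rather than read the whole dig transcript. The script below is an added example, not part of this tutorial or of ansible-freeipa: it pulls the port and target host out of every SRV answer in dig output (full format or +short), and returns non-zero when the answer is empty, which is exactly the case in which ipaclient_servers has to be set by hand. The two dig transcripts at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the tutorial): pull the IPA servers advertised by
# the SRV records that client discovery relies on out of `dig` output, and fail
# when none are present. Intended use on the control node, e.g.
#   ansible ipaclients -i inventory/hosts.ini -m shell \
#     -a "dig -t SRV _ldap._tcp.example.com" -b | srv_targets
# Both the full dig answer section and `dig +short` output are accepted.

# Print "port target" for every SRV answer read on stdin, deduplicated.
srv_targets() {
    awk '
        /^;/ { next }                                   # dig comment and section lines
        $4 == "SRV" && NF >= 8 { print $7, $8 }         # "name ttl IN SRV prio weight port target"
        NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $3, $4 }   # dig +short form
    ' | sed 's/\.$//' | sort -u
}

# $1: captured dig output. Prints the discovered servers and returns 0, or
# explains the failure and returns 1 when no SRV target was found.
check_discovery() {
    targets=$(printf '%s\n' "$1" | srv_targets)
    if [ -z "$targets" ]; then
        echo "no SRV targets in the answer: DNS discovery will fail, set ipaclient_servers explicitly" >&2
        return 1
    fi
    printf '%s\n' "$targets"
}

# Constructed dig transcripts so the script can be exercised offline.
SAMPLE_OK='; <<>> DiG 9.16.23 <<>> -t SRV _ldap._tcp.example.com
;; ANSWER SECTION:
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipareplica.example.com.
;; Query time: 1 msec'

SAMPLE_NXDOMAIN='; <<>> DiG 9.16.23 <<>> -t SRV _ldap._tcp.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; Query time: 1 msec'

check_discovery "$SAMPLE_OK"
check_discovery "$SAMPLE_NXDOMAIN" || echo "(empty answer flagged as expected)"
```

The same function works for the _kerberos._udp.example.com record by changing the dig query; if _ldap._tcp resolves but _kerberos._udp does not, the client will find the LDAP server and still fail at Kerberos setup.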

Force client installation with specific server:

ipaclient_servers:
  - ipaserver.example.com
ipaclient_force_join: yes

Idempotency Issues

Re-run playbooks safely—ansible-freeipa roles are idempotent:

ansible-playbook -i inventory/hosts.ini deploy-all.yml

Existing configurations won’t be changed unless explicitly modified.

Best Practices

  1. Use Ansible Vault: Always encrypt passwords and sensitive data
  2. Inventory Management: Use dynamic inventory for cloud environments
  3. Version Control: Store playbooks and inventory in Git
  4. Testing: Test on development environment before production
  5. Backup: Configure automated IPA backups post-deployment
  6. Monitoring: Set up monitoring for IPA services
  7. Documentation: Document custom configurations and variables

Next Steps

Now that your IPA infrastructure is deployed:

  1. Configure HBAC Rules: Define host-based access control
  2. Set Up Sudo Rules: Manage sudo privileges centrally
  3. Issue Certificates: Use IPA CA for SSL/TLS certificates
  4. Integrate Applications: Configure applications to use IPA LDAP/Kerberos
  5. Automate User Provisioning: Create workflows for user lifecycle management
  6. Configure Backup: Set up automated IPA backup using ansible-freeipa

Conclusion

Congratulations! You’ve successfully deployed a complete FreeIPA infrastructure using Ansible automation. This infrastructure-as-code approach enables repeatable, version-controlled deployments and makes it easy to scale your identity management infrastructure across multiple environments.