FreeIPA

FreeIPA is a freely available, open source identity management and directory service that is simple to install and manage. It runs on Linux, primarily CentOS or Red Hat Enterprise Linux (RHEL), though client support is readily available on Ubuntu and other Linux distributions. Integration with Windows AD (through a cross-forest trust) is possible, though in no way required.

If you are building a purely Linux environment, it makes sense to look at FreeIPA rather than putting in a proprietary solution such as Microsoft AD.

FreeIPA and Microsoft AD are by no means the only two options on the market for directory services, and a number of cloud-based alternatives are now available, including JumpCloud, AWS Directory Service, and many others. Always make your own independent decision regarding the best option for you, as the field is fast evolving, especially when it comes to cloud-based directory services.

As with the previous section on Microsoft AD, the design and deployment of a FreeIPA infrastructure are beyond the scope of this book. Directory services are core services on your network: imagine if you only built a single directory server and then had to shut it down for maintenance. Even a simple reboot would leave users unable to log in to every machine joined to it for as long as the service was down. For these reasons, it is vitally important that you design your directory service infrastructure to account for redundancy and disaster recovery. It is also important that you have well-secured local accounts in case your directory infrastructure does fail, as discussed earlier in this chapter, in the section entitled Performing user account management tasks.

Once you have designed a suitably redundant infrastructure for your FreeIPA installation, there are a series of playbooks and roles available on GitHub, created by the FreeIPA team, to install your server and clients, and you can explore these further here: https://github.com/freeipa/ansible-freeipa

This book leaves the task of installing your FreeIPA infrastructure to you—however, let's take a look at the use of the freely available FreeIPA roles, to install clients on your infrastructure. After all, this is one of the key benefits of open source software—the sharing of knowledge, information, and code.

  1. First of all, we clone the ansible-freeipa repository to our local machine and change into the directory to make use of it, as follows:
$ cd ~
$ git clone https://github.com/freeipa/ansible-freeipa
$ cd ansible-freeipa
  2. Next, create symbolic links to the roles and modules we just cloned, so that our local Ansible environment can find them, as follows:
$ ln -s ~/ansible-freeipa/roles/ ~/.ansible/
$ mkdir -p ~/.ansible/plugins
$ ln -s ~/ansible-freeipa/plugins/modules ~/.ansible/plugins/
$ ln -s ~/ansible-freeipa/plugins/module_utils/ ~/.ansible/plugins/
  3. Once that is done, we must create a simple inventory file that includes the appropriate variables to define the FreeIPA realm and domain, and also the password of the admin user (which is required to join a new server to the IPA realm). The following example is shown, but be sure to customize it to your requirements. Note that the admin password here is only a placeholder: in a real inventory, keep the enrollment credential in an Ansible Vault-encrypted variable file (for example, using ansible-vault encrypt) rather than in plaintext, and never commit it to version control, as anyone who reads it can enroll hosts into, and administer, your realm:
[ipaclients]
centos-testhost

[ipaclients:vars]
ipaadmin_password=password
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
  4. With the appropriate variables set and the inventory compiled, we can then run the playbooks provided with the code downloaded from GitHub. An example of this FreeIPA client installation playbook running is shown, as follows:

The preceding output is truncated, but shows the FreeIPA client installation in progress. As usual for examples in this book, we have kept it simple, but this could just as easily be run against 100, or even 1,000, servers.
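As an added example (not the page's own code, and not a file taken from the ansible-freeipa repository), the following shows the inventory from step 3 in Ansible's YAML inventory format with the admin password moved into an Ansible Vault-encrypted variable file, together with a playbook that applies the ipaclient role and then checks that enrollment actually worked rather than merely completing without error. The IPA server hostnames, the vault file location, and the vault_ipaadmin_password variable name are assumptions; ipaclient_servers, ipaclient_mkhomedir, and ipaadmin_principal are variables of the ipaclient role as documented in the repository.

```yaml
# inventory/hosts.yml  (YAML form of the INI inventory above; hostnames are placeholders)
ipaclients:
  hosts:
    centos-testhost:
  vars:
    ipaserver_domain: example.com
    ipaserver_realm: EXAMPLE.COM
    # Assumption: two IPA servers exist. Listing more than one lets enrollment
    # proceed while one is down, matching the redundancy advice earlier in this section.
    ipaclient_servers:
      - ipa1.example.com
      - ipa2.example.com
    ipaclient_mkhomedir: true
    ipaadmin_principal: admin
    # The admin password is never written here in clear text. It is read from
    # inventory/group_vars/ipaclients/vault.yml (assumed path), created with:
    #   ansible-vault create inventory/group_vars/ipaclients/vault.yml
    # whose only content is:  vault_ipaadmin_password: <the real password>
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
---
# install-client.yml
# Run with: ansible-playbook -i inventory/hosts.yml --ask-vault-pass install-client.yml
- name: Enroll hosts in the FreeIPA realm and verify the enrollment
  hosts: ipaclients
  become: true
  roles:
    - role: ipaclient
      state: present
  post_tasks:
    # Proof that the host keytab written during enrollment is accepted by the KDC:
    # kinit -k requests a ticket for the local host principal using /etc/krb5.keytab
    # and fails if the principal is unknown or the key is wrong. The MEMORY: cache
    # keeps the obtained ticket out of any on-disk credential cache.
    - name: Verify the host keytab against the KDC
      ansible.builtin.command: kinit -k -c MEMORY:enrollcheck
      changed_when: false
    # Proof that SSSD resolves realm users through NSS: the built-in admin
    # account must be visible once the client is enrolled.
    - name: Verify SSSD resolves an IPA user
      ansible.builtin.command: getent passwd admin
      changed_when: false
```

Because the password lives in a vault-encrypted file under group_vars, the inventory itself contains no secret and can be committed safely; the two post_tasks fail the play on any host where the role ran but Kerberos or SSSD is not actually working, which is the failure mode you want surfaced when enrolling hundreds of hosts at once.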

As these playbooks and roles are provided by the official FreeIPA project, they are a reasonably trustworthy source for installing both servers and clients. Even so, review the code you download, and pin to a specific release tag or commit rather than cloning the tip of the default branch, so that what you run on your hosts is exactly what you reviewed; with that done, these roles should serve well for building up your FreeIPA-based infrastructure.

In the next section, we will take a look at the ways in which Ansible can help with enforcing and auditing user accounts and configuration.
