Skip to content

haniayasserr/FreeIPA

BranchesTags
 
 

Repository files navigation

FreeIPA HPC Lab with Ansible

A quick note regarding provisioning:

The Vagrantfile is configured so that all VMs are created first, and then Ansible runs once at the end with limit = "all".

This means provisioning happens in parallel across all nodes, rather than sequentially, which speeds up the setup .

alt text

alt text

🎯 What This Project Does

This project automates the deployment of a FreeIPA identity management cluster consisting of:

  • 1 Management Node (mgmt) - FreeIPA server with integrated DNS
  • 2 Compute Nodes (compute1, compute2) - FreeIPA clients
  • Centralized User Management - HPC users and groups
  • Kerberos Authentication - Single sign-on across all nodes
  • Integrated DNS - Custom domain resolution (hpc.lab)
  • SSSD Integration - Seamless user lookup and authentication

Key Features

Automated Infrastructure - VMs provisioned with Vagrant
Modular Ansible Roles - Reusable and maintainable code
Production-Ready - Proper firewall, DNS, and security configuration
HPC Focused - Pre-configured users and groups for compute clusters
Cross-Node Authentication - Users can login to any node
Integrated Testing - Comprehensive test suite included

🏗️ Project Structure

FreeIPA/
├── Vagrantfile                     # VM definitions and provisioning
├── ansible.cfg                     # Ansible configuration
├── site.yml                        # Main playbook orchestrating all roles
├── requirements.yml                 # Ansible collection dependencies
├── test_freipa.sh                  # Simple authentication test script
├── README.md                       # This documentation
│
├── inventory/
│   └── hosts                       # Ansible inventory file
│
├── group_vars/                     # Group-specific variables
│   ├── all.yml                     # Variables for all hosts
│   ├── ipa_server.yml              # FreeIPA server configuration
│   └── ipa_clients.yml             # FreeIPA client configuration
│
└── roles/                          # Ansible roles directory
    ├── common/                     # Base system configuration
    │   ├── tasks/main.yml          # Common setup tasks
    │   ├── handlers/main.yml       # Service restart handlers
    │   ├── vars/main.yml           # Common package definitions
    │   └── templates/hosts.j2      # /etc/hosts template
    │
    ├── freeipa-server/             # FreeIPA server role
    │   ├── tasks/
    │   │   ├── main.yml            # Main server tasks
    │   │   ├── install.yml         # IPA server installation
    │   │   └── dns.yml             # DNS records configuration
    │   ├── handlers/main.yml       # IPA service handlers
    │   ├── vars/main.yml           # Server package definitions
    │   └── defaults/main.yml       # Default configuration values
    │
    ├── freeipa-client/             # FreeIPA client role
    │   ├── tasks/
    │   │   ├── main.yml            # Main client tasks
    │   │   └── join.yml            # Domain join operations
    │   ├── handlers/main.yml       # SSSD service handlers
    │   ├── vars/main.yml           # Client package definitions
    │   └── defaults/main.yml       # Default client configuration
    │
    └── freeipa-users/              # User management role
        ├── tasks/
        │   ├── main.yml            # Main user management tasks
        │   ├── groups.yml          # Group creation tasks
        │   └── users.yml           # User creation tasks
        └── vars/main.yml           # User and group definitions

🚀 Quick Start

Prerequisites

  • VirtualBox installed
  • Vagrant installed
  • Ansible installed (2.9+)
  • At least 8GB RAM available for VMs

1. Clone and Setup

git clone <repository-url>
cd FreeIPA

2. Install Ansible Dependencies

ansible-galaxy collection install -r requirements.yml # ansible-galaxy collection install freeipa.ansible_freeipa

3. Deploy the Cluster

vagrant up

This will:

  • Create 3 VMs (1 server + 2 clients)
  • Install and configure FreeIPA server with DNS
  • Enroll clients to the domain
  • Create HPC users and groups

4. Test the Deployment

chmod +x test_freipa.sh
./test_freipa.sh

🔧 Configuration

Default Settings

Component Value
Domain hpc.lab
Realm HPC.LAB
Admin Password Admin123!
Directory Manager Password Directory123!
Test Users hpcuser1, hpcuser2
Test Password TempPass123

VM Resources

Node IP Address RAM Purpose
mgmt 192.168.56.10 4GB FreeIPA Server + DNS
compute1 192.168.56.11 2GB Compute Node / Client
compute2 192.168.56.12 2GB Compute Node / Client

Customization

Edit these files to customize your deployment:

  • group_vars/all.yml - Domain, passwords, IP addresses
  • roles/freeipa-users/vars/main.yml - Users and groups
  • Vagrantfile - VM resources and network settings

🧪 Testing

Simple Test Script

./test_freipa.sh

Tests:

  • ✅ User existence on all nodes
  • ✅ Valid password authentication
  • ✅ Invalid password rejection
  • ✅ User login capability
  • ✅ Group membership

Manual Testing

# SSH to compute node
vagrant ssh compute1

# Test user lookup
getent passwd hpcuser1

# Test authentication
kinit hpcuser1
# Password: TempPass123

# Test login
sudo su - hpcuser1

📁 Key Files Explained

Vagrantfile

  • Defines 3 VMs with Rocky Linux 9
  • Sets up private network (192.168.56.0/24)
  • Triggers Ansible provisioning on last VM

site.yml

  • Main playbook orchestrating all roles
  • Applies roles in correct order: common → server → clients → users

ansible.cfg

  • Disables host key checking for lab environment
  • Sets inventory location and output format

roles/common/

  • Base system configuration (timezone, hostname, packages)
  • Firewall and time synchronization setup
  • /etc/hosts file generation

roles/freeipa-server/

  • FreeIPA server installation with integrated DNS
  • Firewall port configuration
  • DNS A and PTR record creation

roles/freeipa-client/

  • Client enrollment to IPA domain
  • SSSD configuration for user lookup
  • Kerberos configuration

roles/freeipa-users/

  • Creates HPC-specific users and groups
  • Configures group membership
  • Sets initial passwords

🔒 Security Features

  • Kerberos Authentication - Strong authentication protocol
  • TLS/SSL Encryption - All communications encrypted
  • Firewall Configuration - Only necessary ports opened
  • Certificate Management - Automated CA and certificate handling
  • SSSD Integration - Secure user/group lookup caching

🛠️ Management Commands

Vagrant Operations

# Start all VMs
vagrant up

# Provision only (re-run Ansible)
vagrant provision

# SSH to specific node
vagrant ssh mgmt
vagrant ssh compute1

# Stop all VMs
vagrant halt

# Destroy all VMs
vagrant destroy -f

IPA Administration

# SSH to management node
vagrant ssh mgmt

# Authenticate as admin
kinit admin

# List users
ipa user-find

# List groups
ipa group-find

# Add new user
ipa user-add testuser --first Test --last User

# Check service status
sudo ipactl status

🐛 Troubleshooting

Common Issues

DNS Resolution Problems

# Check DNS on server
vagrant ssh mgmt -c "dig @localhost mgmt.hpc.lab"

# Verify DNS service
vagrant ssh mgmt -c "sudo systemctl status named"

Client Enrollment Failures

# Check client enrollment
vagrant ssh compute1 -c "sudo ipa-client-install --uninstall"
vagrant provision

Authentication Issues

# Check SSSD status
vagrant ssh compute1 -c "sudo systemctl status sssd"

# Clear Kerberos cache
vagrant ssh compute1 -c "kdestroy -A"

Service Issues

# Restart all IPA services
vagrant ssh mgmt -c "sudo ipactl restart"

# Check logs
vagrant ssh mgmt -c "sudo journalctl -u ipa"

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Shell 94.9%
  • Jinja 5.1%