A comprehensive solution for deploying FreeIPA/Red Hat Identity Management Server across multiple infrastructure providers (AWS, DigitalOcean, kcli) using Terraform and Ansible.
- Operating System: RHEL 9.5 (Primary supported platform)
- Memory: Minimum 4GB RAM (8GB recommended)
- CPU: 2+ cores recommended
- Storage: 20GB+ available storage
- Network Ports (open on the IdM server):
  - 22 (SSH)
  - 53 (DNS, TCP and UDP)
  - 80/443 (HTTP/HTTPS)
  - 389/636 (LDAP/LDAPS)
  - 88/464 (Kerberos and kpasswd, TCP and UDP)
  - 123 (NTP)
- git
- curl
- wget
- unzip
- python3
- python3-pip
- firewalld
- ansible-core
- dnspython
- netaddr
- Terraform (v0.13.4)
- AWS CLI, DigitalOcean CLI, or kcli
```bash
# Clone the repository
git clone https://github.com/yourusername/freeipa-workshop-deployer.git
cd freeipa-workshop-deployer

# Run bootstrap script (requires root/sudo)
sudo ./bootstrap.sh
```

The bootstrap script:
- Verifies RHEL 9.5
- Installs required packages
- Sets up Terraform
- Configures Python dependencies
- Sets up firewall rules
- Creates initial configuration
```bash
# Run validation script
sudo ./validate.sh
```

The validation script checks:
- RHEL 9.5 compatibility
- Required packages and tools
- Python dependencies
- Firewall configuration
- Infrastructure provider requirements
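As an added example (this is not the project's own validate.sh), the script below shows the kind of pre-flight check worth running before ipa-server-install: is the host really RHEL 9.5, are the tools listed above on PATH, is anything already listening on a port IdM needs, and which firewalld services must be opened. It assumes a RHEL 9 host with firewalld and iproute (`ss`) installed; every function takes its input explicitly, so the checks can be exercised against constructed data.

```shell
#!/bin/sh
# Added example, not the project's validate.sh: a small pre-flight check covering
# things ipa-server-install is sensitive to. Paths and commands are the ones a RHEL 9
# host normally has (assumption). Typical use:
#   check_os_release /etc/os-release || echo "not RHEL 9.5"
#   missing_tools git curl wget unzip python3 pip3 firewall-cmd ansible terraform
#   conflicting_ports "$(ss -Hlntu)"
#   DRY_RUN=1 open_idm_firewall
set -u

# Ports FreeIPA binds itself. 22 (SSH) and 123 (NTP) are host services that are
# expected to be in use already, so they are not treated as conflicts.
IDM_PORTS="53 80 443 389 636 88 464"

# check_os_release FILE: 0 if FILE (os-release format) says RHEL 9.5, 1 otherwise.
# Parsed with sed rather than sourced, so a malformed file cannot execute anything.
check_os_release() {
  os_id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
  os_ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
  [ "$os_id" = "rhel" ] && [ "$os_ver" = "9.5" ]
}

# missing_tools CMD...: print each command not found on PATH; return 1 if any is missing.
missing_tools() {
  rc=0
  for cmd in "$@"; do
    command -v "$cmd" >/dev/null 2>&1 || { printf '%s\n' "$cmd"; rc=1; }
  done
  return $rc
}

# conflicting_ports SS_OUTPUT: given the output of `ss -Hlntu` (no header line), print
# each IdM port that already has a listener. A leftover dnsmasq on :53 or an httpd on
# :80 is the classic reason ipa-server-install fails half-way through.
conflicting_ports() {
  for port in $IDM_PORTS; do
    # field 5 is "Local Address:Port", e.g. 0.0.0.0:53, [::]:53 or *:80
    if printf '%s\n' "$1" | awk -v p="$port" '$5 ~ (":" p "$") { found = 1 } END { exit !found }'; then
      printf '%s\n' "$port"
    fi
  done
}

# open_idm_firewall: enable the firewalld services IdM needs. The freeipa-4 service
# bundles HTTP/S, LDAP/S, Kerberos and kpasswd; dns and ntp are separate services.
# DRY_RUN=1 prints the commands instead of running them.
open_idm_firewall() {
  for svc in freeipa-4 dns ntp; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf 'firewall-cmd --permanent --add-service=%s\n' "$svc"
    else
      firewall-cmd --permanent --add-service="$svc"
    fi
  done
  [ "${DRY_RUN:-0}" = "1" ] || firewall-cmd --reload
}
```

The port check deliberately reads `ss` output passed in as a string rather than calling `ss` itself, so the same function can be run against a captured listing from another host; the same applies to the os-release check, which never sources the file.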
Common variables:
- DOMAIN: Custom domain name (default: example.com)
- DNS_FORWARDER: Custom DNS forwarder (default: 1.1.1.1)
- IDM_HOSTNAME: Custom IdM hostname (default: idm)
Provider-specific variables:
```bash
# AWS
AWS_REGION=us-east-2
AWS_VPC_ID=vpc-xxx

# DigitalOcean
DO_DATA_CENTER=nyc3
DO_VPC_CIDR=10.42.0.0/24
DO_NODE_IMAGE=centos-8-x64
DO_NODE_SIZE=s-1vcpu-2gb

# kcli
KCLI_NETWORK=default
COMMUNITY_VERSION=false # Set to true for CentOS
```

Note that `centos-8-x64` is CentOS Linux 8, which reached end of life on 31 December 2021 and no longer receives security updates; for anything beyond a throwaway workshop, pick a currently supported image.

If you prefer the traditional deployment method:
- Copy `example.vars.sh` to `vars.sh`
- Configure your provider credentials and settings in `vars.sh`
- Run `./total_deployer.sh`
The deployment includes basic monitoring capabilities. For production environments, it's recommended to:
- Set up performance metrics collection
- Configure health checks
- Implement alert notifications
- Monitor service availability
- Track resource utilization
For enhanced monitoring, consider integrating with cloud provider monitoring solutions.
Implement proper backup procedures for production deployments:
- Regular automated backups
- Point-in-time recovery options
- Backup validation
- Disaster recovery planning
On the IdM server itself, `ipa-backup` produces a full backup (it stops the IdM services for the duration) and `ipa-backup --data --online` takes a data-only backup while services keep running; `ipa-restore` restores either kind. Refer to the documentation for detailed backup configuration.
The project includes comprehensive testing covering:
- Environment validation
- Infrastructure deployment
- Service configuration
- DNS management
- Integration testing
For detailed testing information, see the testing documentation.
- Download the CA certificate from `/etc/ipa/ca.crt` on the IdM server, or via the IPA Web Console at Authentication > Certificates > 1 > Actions > Download Certificate
- Configure a new OAuth Identity Provider with these settings:
- email: mail
- id: dn
- name: cn
- preferredUsername: uid
- bindDN: 'uid=admin,cn=users,cn=accounts,dc=example,dc=com' (binding as the IdM admin account is fine for a workshop; for anything longer-lived use a dedicated read-only bind account, since this password is stored in the cluster and used on every login)
- bindPassword: (your password)
- ca: fromDownloadedFile
- url: ldaps://idm.example.com:636/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(uid=*)
- name: LDAP
Equivalent YAML configuration (the `ldap-bind-password` Secret and `ldap-ca` ConfigMap must exist in the `openshift-config` namespace):

```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    release.openshift.io/create-only: 'true'
  name: cluster
spec:
  identityProviders:
    - ldap:
        attributes:
          email:
            - mail
          id:
            - dn
          name:
            - cn
          preferredUsername:
            - uid
        bindDN: 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'
        bindPassword:
          name: ldap-bind-password
        ca:
          name: ldap-ca
        insecure: false
        url: >-
          ldaps://idm.example.com:636/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(uid=*)
      mappingMethod: claim
      name: WorkshopLDAP
      type: LDAP
```

- Technical Setup
- Deployment Guide
- Architecture Overview
- DNS Profiles
- Dynamic DNS Management
- Testing Guide
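As an added example for the OpenShift LDAP identity provider section above (this is not the project's own code), the script below does the wiring end to end, but with one change a practitioner would want: it binds with a dedicated FreeIPA system account instead of `uid=admin`. It parses the LDAP URL, verifies the bind and search against the IdM CA before touching the cluster, creates the Secret and ConfigMap the OAuth resource references, and applies the OAuth spec. Assumed values are the ones used on this page (suffix `dc=example,dc=com`, host `idm.example.com`); the account name `ocp-bind`, the password file, and an `oc` session already logged in as cluster-admin are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the freeipa-workshop-deployer project: register the IdM
# directory as an OpenShift LDAP identity provider using a dedicated, read-only bind
# account instead of uid=admin. Assumed values (edit for your site): suffix
# dc=example,dc=com, host idm.example.com, account name ocp-bind, a password file
# readable only by root, `oc` logged in as cluster-admin, /etc/ipa/ca.crt present.
set -u

LDAP_URL='ldaps://idm.example.com:636/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(uid=*)'
SUFFIX='dc=example,dc=com'
BIND_UID='ocp-bind'
BIND_DN="uid=${BIND_UID},cn=sysaccounts,cn=etc,${SUFFIX}"
CA_FILE='/etc/ipa/ca.crt'

# ldap_url_parts URL: split an RFC 4516 LDAP URL (scheme://host[:port]/base?attrs?scope?filter)
# into LDAP_HOST LDAP_PORT LDAP_BASE LDAP_ATTR LDAP_SCOPE LDAP_FILTER and print them.
ldap_url_parts() {
  rest=${1#*://}; hostport=${rest%%/*}; path=${rest#*/}
  LDAP_HOST=${hostport%:*}; LDAP_PORT=${hostport##*:}
  [ "$LDAP_HOST" = "$hostport" ] && LDAP_PORT=636   # no explicit port: ldaps default
  LDAP_BASE=${path%%\?*};  tail=${path#*\?}
  LDAP_ATTR=${tail%%\?*};  tail=${tail#*\?}
  LDAP_SCOPE=${tail%%\?*}; LDAP_FILTER=${tail#*\?}
  printf '%s %s %s %s %s %s\n' "$LDAP_HOST" "$LDAP_PORT" "$LDAP_BASE" "$LDAP_ATTR" "$LDAP_SCOPE" "$LDAP_FILTER"
}

# sysaccount_ldif PASSWORD_FILE: LDIF for a FreeIPA system account, the documented
# pattern for non-human bind identities (it can bind and read, but is not a user and
# has no Kerberos principal). Apply as Directory Manager, for example:
#   sysaccount_ldif /root/ocp-bind.pw | ldapmodify -x -H ldaps://idm.example.com -D 'cn=Directory Manager' -W
sysaccount_ldif() {
  cat <<EOF
dn: ${BIND_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${BIND_UID}
userPassword: $(cat "$1")
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# verify_bind PASSWORD_FILE: run exactly the search OpenShift will run, with the IdM CA
# pinned, before touching the cluster. -y keeps the password out of the process list.
verify_bind() {
  ldap_url_parts "$LDAP_URL" >/dev/null
  LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -H "ldaps://${LDAP_HOST}:${LDAP_PORT}" \
    -D "$BIND_DN" -y "$1" -b "$LDAP_BASE" -s "$LDAP_SCOPE" "$LDAP_FILTER" "$LDAP_ATTR" mail cn
}

# oauth_yaml: the OAuth resource from the section above, with the bind DN swapped for
# the system account. Secret/ConfigMap names and key names are what OpenShift expects.
oauth_yaml() {
  cat <<EOF
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: WorkshopLDAP
    type: LDAP
    mappingMethod: claim
    ldap:
      attributes:
        email: [mail]
        id: [dn]
        name: [cn]
        preferredUsername: [uid]
      bindDN: '${BIND_DN}'
      bindPassword:
        name: ldap-bind-password
      ca:
        name: ldap-ca
      insecure: false
      url: '${LDAP_URL}'
EOF
}

# install_idp PASSWORD_FILE: create the bind-password Secret (key bindPassword) and the
# CA ConfigMap (key ca.crt) in openshift-config, then apply the OAuth resource.
install_idp() {
  verify_bind "$1" >/dev/null || { echo "LDAPS bind/search failed; not touching the cluster" >&2; return 1; }
  oc create secret generic ldap-bind-password -n openshift-config \
    --from-file=bindPassword="$1" --dry-run=client -o yaml | oc apply -f -
  oc create configmap ldap-ca -n openshift-config \
    --from-file=ca.crt="$CA_FILE" --dry-run=client -o yaml | oc apply -f -
  oauth_yaml | oc apply -f -
}
```

Running `verify_bind` first means a wrong CA, an expired account or a typo in the filter shows up as an `ldapsearch` error on your terminal rather than as a silent login failure for every user after the OAuth resource is applied.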
- Fork the repository
- Create your feature branch
- Submit a pull request
See LICENSE file for details.