haniayasserr/FreeIPA

FreeIPA HPC Lab with Ansible

A quick note regarding provisioning:

The Vagrantfile is configured so that all VMs are created first, and then Ansible runs once at the end with limit = "all".

This means provisioning happens in parallel across all nodes, rather than sequentially, which speeds up the setup.


🎯 What This Project Does

This project automates the deployment of a FreeIPA identity management cluster consisting of:

  • 1 Management Node (mgmt) - FreeIPA server with integrated DNS
  • 2 Compute Nodes (compute1, compute2) - FreeIPA clients
  • Centralized User Management - HPC users and groups
  • Kerberos Authentication - Single sign-on across all nodes
  • Integrated DNS - Custom domain resolution (hpc.lab)
  • SSSD Integration - Seamless user lookup and authentication

Key Features

✅ Automated Infrastructure - VMs provisioned with Vagrant
✅ Modular Ansible Roles - Reusable and maintainable code
✅ Production-Ready - Proper firewall, DNS, and security configuration
✅ HPC Focused - Pre-configured users and groups for compute clusters
✅ Cross-Node Authentication - Users can log in to any node
✅ Integrated Testing - Comprehensive test suite included

πŸ—οΈ Project Structure

FreeIPA/
├── Vagrantfile                     # VM definitions and provisioning
├── ansible.cfg                     # Ansible configuration
├── site.yml                        # Main playbook orchestrating all roles
├── requirements.yml                # Ansible collection dependencies
├── test_freipa.sh                  # Simple authentication test script
├── README.md                       # This documentation
│
├── inventory/
│   └── hosts                       # Ansible inventory file
│
├── group_vars/                     # Group-specific variables
│   ├── all.yml                     # Variables for all hosts
│   ├── ipa_server.yml              # FreeIPA server configuration
│   └── ipa_clients.yml             # FreeIPA client configuration
│
└── roles/                          # Ansible roles directory
    ├── common/                     # Base system configuration
    │   ├── tasks/main.yml          # Common setup tasks
    │   ├── handlers/main.yml       # Service restart handlers
    │   ├── vars/main.yml           # Common package definitions
    │   └── templates/hosts.j2      # /etc/hosts template
    │
    ├── freeipa-server/             # FreeIPA server role
    │   ├── tasks/
    │   │   ├── main.yml            # Main server tasks
    │   │   ├── install.yml         # IPA server installation
    │   │   └── dns.yml             # DNS records configuration
    │   ├── handlers/main.yml       # IPA service handlers
    │   ├── vars/main.yml           # Server package definitions
    │   └── defaults/main.yml       # Default configuration values
    │
    ├── freeipa-client/             # FreeIPA client role
    │   ├── tasks/
    │   │   ├── main.yml            # Main client tasks
    │   │   └── join.yml            # Domain join operations
    │   ├── handlers/main.yml       # SSSD service handlers
    │   ├── vars/main.yml           # Client package definitions
    │   └── defaults/main.yml       # Default client configuration
    │
    └── freeipa-users/              # User management role
        ├── tasks/
        │   ├── main.yml            # Main user management tasks
        │   ├── groups.yml          # Group creation tasks
        │   └── users.yml           # User creation tasks
        └── vars/main.yml           # User and group definitions

🚀 Quick Start

Prerequisites

  • VirtualBox installed
  • Vagrant installed
  • Ansible installed (2.9+)
  • At least 8GB RAM available for VMs

1. Clone and Setup

git clone <repository-url>
cd FreeIPA

2. Install Ansible Dependencies

ansible-galaxy collection install -r requirements.yml
# or install the collection directly: ansible-galaxy collection install freeipa.ansible_freeipa

3. Deploy the Cluster

vagrant up

This will:

  • Create 3 VMs (1 server + 2 clients)
  • Install and configure FreeIPA server with DNS
  • Enroll clients to the domain
  • Create HPC users and groups

4. Test the Deployment

chmod +x test_freipa.sh
./test_freipa.sh

🔧 Configuration

Default Settings

| Component                  | Value              |
|----------------------------|--------------------|
| Domain                     | hpc.lab            |
| Realm                      | HPC.LAB            |
| Admin Password             | Admin123!          |
| Directory Manager Password | Directory123!      |
| Test Users                 | hpcuser1, hpcuser2 |
| Test Password              | TempPass123        |

VM Resources

| Node     | IP Address    | RAM | Purpose               |
|----------|---------------|-----|-----------------------|
| mgmt     | 192.168.56.10 | 4GB | FreeIPA Server + DNS  |
| compute1 | 192.168.56.11 | 2GB | Compute Node / Client |
| compute2 | 192.168.56.12 | 2GB | Compute Node / Client |

Customization

Edit these files to customize your deployment:

  • group_vars/all.yml - Domain, passwords, IP addresses
  • roles/freeipa-users/vars/main.yml - Users and groups
  • Vagrantfile - VM resources and network settings
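The default settings above put the admin and Directory Manager passwords in clear text in group_vars/all.yml, which is fine for a throwaway lab but not for a fork that gets committed or shared. The script below is an added example, not part of the repository: it scans Ansible variable files for credential-looking keys whose value is not an ansible-vault blob, so they can be moved into `ansible-vault encrypt_string` output before pushing. The key-name heuristic (anything containing password/passwd/secret/token) is an assumption; the variable names actually used in group_vars/all.yml are not known here.

```shell
#!/usr/bin/env sh
# Added example, not part of the repository: flag plaintext credentials in
# Ansible variable files. The key-name heuristic is an assumption; the lab's
# real variable names in group_vars/all.yml are not known here.

# find_plaintext_secrets FILE...
# Prints "file:line: key" per finding; returns 1 if anything was found, else 0.
find_plaintext_secrets() {
    findings=$(
        for f in "$@"; do
            # -n: line numbers; -i: any case; a key is "name:" at the start of a line
            grep -nEi '^[[:space:]]*[a-z0-9_]*(password|passwd|secret|token)[a-z0-9_]*:' "$f" 2>/dev/null |
            while IFS= read -r hit; do
                lineno=${hit%%:*}                      # "12:  key: value" -> 12
                rest=${hit#*:}                         # -> "  key: value"
                key=$(printf '%s' "${rest%%:*}" | sed 's/^[[:space:]]*//')
                value=$(printf '%s' "${rest#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                case "$value" in
                    '!vault'*) ;;                      # encrypted with ansible-vault
                    '{{'*|'"{{'*) ;;                   # templated from another variable
                    '') ;;                             # empty or block scalar: inspect by hand
                    *) printf '%s:%s: %s\n' "$f" "$lineno" "$key" ;;
                esac
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage from the repository root, e.g. as a pre-commit hook:
#   find_plaintext_secrets group_vars/*.yml roles/*/defaults/main.yml
```

A value that begins with `!vault` is the multi-line blob `ansible-vault encrypt_string` produces, so it passes; a value that is only a Jinja reference is assumed to point at a vaulted variable elsewhere and passes too, while everything else under a credential-looking key is reported.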

🧪 Testing

Simple Test Script

./test_freipa.sh

Tests:

  • ✅ User existence on all nodes
  • ✅ Valid password authentication
  • ✅ Invalid password rejection
  • ✅ User login capability
  • ✅ Group membership

Manual Testing

# SSH to compute node
vagrant ssh compute1

# Test user lookup
getent passwd hpcuser1

# Test authentication
kinit hpcuser1
# Password: TempPass123

# Test login
sudo su - hpcuser1
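The five checks in the test list, and the manual steps just shown, can be driven from the host without logging into each VM. The script below is an added example, not the repository's test_freipa.sh: it runs every check on every node through `vagrant ssh <node> -c`, feeding kinit its password on stdin into a MEMORY: credential cache so the invalid-password case is asserted rather than typed and no ticket is left behind. Node names, the test user and the password come from this README; the group name `hpcusers` is an assumption about roles/freeipa-users/vars/main.yml.

```shell
#!/usr/bin/env sh
# Added example, not the repository's test_freipa.sh. Runs the README's five
# checks on every node from the host via `vagrant ssh <node> -c`.
# Assumptions: node names, test user and password as in this README; the
# group name "hpcusers" is assumed (see roles/freeipa-users/vars/main.yml).

NODES="mgmt compute1 compute2"
TEST_USER="hpcuser1"
TEST_PASS="TempPass123"
TEST_GROUP="hpcusers"

# run_on_node NODE CMD: the only place that talks to a VM, so it can be swapped
# for plain ssh (or a stub in a unit test). vagrant allocates a tty, so strip CRs.
run_on_node() {
    vagrant ssh "$1" -c "$2" 2>/dev/null | tr -d '\r'
}

# check_user_exists NODE USER: NSS lookup through SSSD; the entry must exist
check_user_exists() {
    run_on_node "$1" "getent passwd $2" | grep -q "^$2:"
}

# check_group_membership NODE USER GROUP: `id -nG` prints every group name
check_group_membership() {
    groups=$(run_on_node "$1" "id -nG $2")
    case " $groups " in *" $3 "*) return 0 ;; *) return 1 ;; esac
}

# check_kinit NODE USER PASS: non-interactive Kerberos authentication. The
# password goes to kinit on stdin and the ticket lands in a MEMORY: cache, so
# neither a stale nor a leftover ticket can distort the result. Success is
# signalled by the remote echo, since the pipeline status here is tr's.
check_kinit() {
    [ "$(run_on_node "$1" "printf '%s\n' '$3' | KRB5CCNAME=MEMORY:test kinit $2 >/dev/null 2>&1 && echo OK")" = "OK" ]
}

# check_kinit_rejected NODE USER PASS: the KDC must refuse a wrong password
check_kinit_rejected() {
    ! check_kinit "$@"
}

# check_login NODE USER: PAM/SSSD login path; a shell must start as the user
check_login() {
    [ "$(run_on_node "$1" "sudo su - $2 -c 'whoami'")" = "$2" ]
}

# report NODE LABEL CHECK ARGS...: one PASS/FAIL line, status of the check
report() {
    n=$1; label=$2; shift 2
    if "$@"; then
        printf 'PASS %-9s %s\n' "$n" "$label"
    else
        printf 'FAIL %-9s %s\n' "$n" "$label"
        return 1
    fi
}

# run_all_checks: every check on every node; returns the number of failures
run_all_checks() {
    failures=0
    for node in $NODES; do
        report "$node" "user exists"          check_user_exists      "$node" "$TEST_USER"                    || failures=$((failures + 1))
        report "$node" "valid password"       check_kinit            "$node" "$TEST_USER" "$TEST_PASS"       || failures=$((failures + 1))
        report "$node" "bad password refused" check_kinit_rejected   "$node" "$TEST_USER" "not-the-password" || failures=$((failures + 1))
        report "$node" "login works"          check_login            "$node" "$TEST_USER"                    || failures=$((failures + 1))
        report "$node" "group membership"     check_group_membership "$node" "$TEST_USER" "$TEST_GROUP"      || failures=$((failures + 1))
    done
    printf '%d check(s) failed\n' "$failures"
    return "$failures"
}

# Run the suite only when asked, so the file can also be sourced for its functions
case "${1:-}" in --run) run_all_checks ;; esac
```

Run it from the repository root with `sh freeipa_checks.sh --run` after `vagrant up`; the exit code is the number of failed checks, which makes it usable from CI or a cron job as a regression check on the lab.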

πŸ“ Key Files Explained

Vagrantfile

  • Defines 3 VMs with Rocky Linux 9
  • Sets up private network (192.168.56.0/24)
  • Triggers Ansible provisioning on last VM

site.yml

  • Main playbook orchestrating all roles
  • Applies roles in correct order: common → server → clients → users

ansible.cfg

  • Disables host key checking for lab environment
  • Sets inventory location and output format

roles/common/

  • Base system configuration (timezone, hostname, packages)
  • Firewall and time synchronization setup
  • /etc/hosts file generation

roles/freeipa-server/

  • FreeIPA server installation with integrated DNS
  • Firewall port configuration
  • DNS A and PTR record creation

roles/freeipa-client/

  • Client enrollment to IPA domain
  • SSSD configuration for user lookup
  • Kerberos configuration

roles/freeipa-users/

  • Creates HPC-specific users and groups
  • Configures group membership
  • Sets initial passwords

🔒 Security Features

  • Kerberos Authentication - Strong authentication protocol
  • TLS/SSL Encryption - All communications encrypted
  • Firewall Configuration - Only necessary ports opened
  • Certificate Management - Automated CA and certificate handling
  • SSSD Integration - Secure user/group lookup caching
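"Only necessary ports opened" is a claim worth re-checking after every `vagrant provision`. The script below is an added example, not part of the repository: an allow-list audit of firewalld on the management node that reports anything opened beyond the expected set (UNEXPECTED) and anything the clients need that is absent (MISSING). The allow-list is an assumption about what the freeipa-server role opens (firewalld's `freeipa-4` service covers the IPA web, LDAP(S) and Kerberos ports); align it with the role's actual firewall task.

```shell
#!/usr/bin/env sh
# Added example, not part of the repository: allow-list audit of firewalld on
# the IPA server. The expected/required service lists are assumptions about
# what roles/freeipa-server opens; adjust them to the role's actual task.

EXPECTED_SERVICES="ssh dns freeipa-4 freeipa-ldap freeipa-ldaps ntp"
REQUIRED_SERVICES="dns freeipa-4"    # clients cannot enroll or authenticate without these
EXPECTED_PORTS=""                    # raw port openings are not expected at all

# in_list ITEM LIST: true if the space-separated LIST contains ITEM
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# audit_firewall SERVICES PORTS
# SERVICES and PORTS are the space-separated outputs of
# `firewall-cmd --list-services` and `firewall-cmd --list-ports`.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_firewall() {
    findings=0
    for svc in $1; do
        in_list "$svc" "$EXPECTED_SERVICES" || { printf 'UNEXPECTED service:%s\n' "$svc"; findings=$((findings + 1)); }
    done
    for port in $2; do
        in_list "$port" "$EXPECTED_PORTS" || { printf 'UNEXPECTED port:%s\n' "$port"; findings=$((findings + 1)); }
    done
    for svc in $REQUIRED_SERVICES; do
        in_list "$svc" "$1" || { printf 'MISSING service:%s\n' "$svc"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ] && printf 'OK: firewall matches the allow-list\n'
    return "$findings"
}

# audit_live [ZONE]: query this host's firewalld (run it on mgmt via vagrant ssh)
audit_live() {
    zone=${1:+--zone=$1}
    audit_firewall "$(sudo firewall-cmd $zone --list-services)" \
                   "$(sudo firewall-cmd $zone --list-ports)"
}

case "${1:-}" in --live) audit_live "${2:-}" ;; esac
```

With the file available inside the VM (the default `/vagrant` synced folder works), `vagrant ssh mgmt -c "sh /vagrant/audit_firewall.sh --live"` performs the live check; the pure `audit_firewall` function can equally be fed captured output from a host you cannot log into interactively.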

πŸ› οΈ Management Commands

Vagrant Operations

# Start all VMs
vagrant up

# Provision only (re-run Ansible)
vagrant provision

# SSH to specific node
vagrant ssh mgmt
vagrant ssh compute1

# Stop all VMs
vagrant halt

# Destroy all VMs
vagrant destroy -f

IPA Administration

# SSH to management node
vagrant ssh mgmt

# Authenticate as admin
kinit admin

# List users
ipa user-find

# List groups
ipa group-find

# Add new user
ipa user-add testuser --first Test --last User

# Check service status
sudo ipactl status

πŸ› Troubleshooting

Common Issues

DNS Resolution Problems

# Check DNS on server
vagrant ssh mgmt -c "dig @localhost mgmt.hpc.lab"

# Verify DNS service
vagrant ssh mgmt -c "sudo systemctl status named"

Client Enrollment Failures

# Re-enroll a client whose enrollment failed: remove the partial enrollment, then re-run provisioning
vagrant ssh compute1 -c "sudo ipa-client-install --uninstall"
vagrant provision

Authentication Issues

# Check SSSD status
vagrant ssh compute1 -c "sudo systemctl status sssd"

# Clear Kerberos cache
vagrant ssh compute1 -c "kdestroy -A"

Service Issues

# Restart all IPA services
vagrant ssh mgmt -c "sudo ipactl restart"

# Check logs
vagrant ssh mgmt -c "sudo journalctl -u ipa"

Languages

  • Shell 94.9%
  • Jinja 5.1%