Ansible Role freeipa_server

This role installs and configures FreeIPA as a server.

Runs on

  • RHEL 8 (and compatible)

Ideally, FreeIPA should be installed on a dedicated server. If that is not possible, you could group it with DNS and NTP on an infrastructure server. As a last resort you can install it on the central firewall / gateway server.

Mandatory Requirements

  • At least 2 GB RAM are required.

  • The IPA installer is quite picky about the DNS configuration. The following checks are done by the installer:

    • The hostname cannot be localhost or localhost6.

    • The hostname must be fully-qualified (server.ipa.test). Use two-level domain names. Otherwise you’ll get error messages like Invalid realm name: single label realms are not supported.

    • The hostname must be resolvable.

    • The reverse lookup of the FreeIPA server IP address must match the hostname of the FreeIPA server. Otherwise you’ll get error messages like In unattended mode you need to provide at least -r, -p and -a options or The host name "ipa.example" does not match the value "myipa" obtained by reverse lookup on IP address.

    • If neither the domain nor the realm is set, you’ll get error messages like In unattended mode you need to provide at least -r, -p and -a options.

  • Do not use an existing domain or hostname unless you own the domain. It’s a common mistake to use We recommend using a reserved top-level domain from RFC 2606 for private test installations, e.g. ipa.test.

  • Install the ansible-freeipa Ansible Collection on the Ansible control node. This can be done by calling ansible-galaxy collection install freeipa.ansible_freeipa.
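The hostname and DNS checks listed above can be run ahead of the installer. The following script is an added example, not part of the role or of ansible-freeipa; it reproduces the listed checks, derives the domain and realm the same way the role's defaults do (domain part of the FQDN lowercased, realm uppercased), and takes injectable resolver functions so it can also be exercised offline against constructed records.

```python
import socket

# Added example (not part of the role): preflight checks mirroring the
# FreeIPA installer's hostname and DNS requirements.


def derive_domain_realm(hostname):
    """Domain = everything after the first label (lowercased); realm = domain
    uppercased, like the role defaults for freeipa_server__domain/__realm."""
    parts = hostname.rstrip(".").split(".", 1)
    domain = parts[1].lower() if len(parts) == 2 else ""
    return domain, domain.upper()


def check_hostname(hostname):
    """Return a list of problems with the hostname (empty list means OK)."""
    problems = []
    name = hostname.rstrip(".").lower()
    if name in ("localhost", "localhost6"):
        problems.append("hostname must not be localhost or localhost6")
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        problems.append("hostname must be fully-qualified, e.g. server.ipa.test")
    elif len(labels) < 3:
        # e.g. ipa.example -> domain "example" -> "single label realms are not supported"
        problems.append("domain part %r is a single label; single label realms are not supported" % labels[-1])
    return problems


def check_dns(hostname, forward=socket.gethostbyname,
              reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Forward-resolve the hostname, then require the PTR of that IP to give the same FQDN."""
    try:
        ip = forward(hostname)
    except (OSError, KeyError):  # socket.gaierror, or a miss in an injected dict resolver
        return ["hostname %r is not resolvable" % hostname]
    try:
        ptr = reverse(ip)
    except (OSError, KeyError):  # socket.herror, or a miss in an injected dict resolver
        return ["no reverse (PTR) record for %s" % ip]
    if ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
        return ['reverse lookup of %s returned "%s", expected "%s"' % (ip, ptr, hostname)]
    return []


def preflight(hostname, **resolvers):
    """All checks; DNS is only consulted once the hostname itself is acceptable."""
    problems = check_hostname(hostname)
    if not problems:
        problems += check_dns(hostname, **resolvers)
    return problems


if __name__ == "__main__":
    # Constructed records (not real DNS) for an offline demonstration.
    fwd = {"server.ipa.test": "192.0.2.10"}.__getitem__
    rev = {"192.0.2.10": "myipa"}.__getitem__
    print(preflight("server.ipa.test", forward=fwd, reverse=rev))
```

Run it without arguments to see the mismatch case from the error message above; call preflight(socket.getfqdn()) on the future IPA server to use the system resolver.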

What it does

Installs and configures FreeIPA as a server.

Mandatory Role Variables

  • freeipa_server__directory_manager_password: The password for the Directory Manager. This is the superuser that needs to be used to perform rare low-level tasks.

  • freeipa_server__ipa_admin_password: The password for the FreeIPA admin. This user is a regular system account used for IPA server administration. Set this in the group_vars so that the linuxfabrik.lfops.freeipa_client role can use it.

# mandatory
freeipa_server__directory_manager_password: 'linuxfabrik'
freeipa_server__ipa_admin_password: 'linuxfabrik'

Optional Role Variables

  • freeipa_server__config_default_shell: The default shell for the users in FreeIPA.

  • freeipa_server__config_password_expiration_notification: When the password expiration notification for FreeIPA users should be sent, in days.

  • freeipa_server__domain: The primary DNS domain. Typically this should be the domain part of the FQDN of the server. Default value: '{{ ansible_facts["domain"] | lower }}'

  • freeipa_server__realm: The Kerberos protocol requires a realm name to be defined. This is typically the domain name converted to uppercase. Default value: '{{ ansible_facts["domain"] | upper }}'

# optional
freeipa_server__config_default_shell: '/bin/bash'
freeipa_server__config_password_expiration_notification: 10
freeipa_server__domain: ''
freeipa_server__realm: 'EXAMPLE.COM'

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich