This project demonstrates how complex multi-system FreeIPA deployments can be tested locally. The test environment is built with podman and orchestrated with the ipalab-config and podman-compose tools. The FreeIPA environment itself is deployed with ansible-freeipa.
The following configurations are provided as 'labs' that can be reproduced using the ipalab-config tool and the configurations from this project:

- minimal deployment, consisting of a FreeIPA server and a FreeIPA client enrolled into it.
- local KDC, consisting of two standalone machines, not enrolled into any domain. Each machine runs its own Kerberos KDC exposed to local applications over a UNIX domain socket, with socket activation handled by systemd. See the "localkdc - local authentication hub" talk at FOSDEM 2025. This is currently a work in progress.
- FreeIPA deployment migration, demonstrating how IPA data can be migrated between separate test and production deployments. See the "FreeIPA-to-FreeIPA Migration: Current Capabilities and Use Cases" talk at FOSDEM 2025.
- FreeIPA trust, demonstrating how two separate IPA deployments can be set up to trust each other. See the "Building Cross-Domain Trust Between FreeIPA Deployments" talk at FOSDEM 2025. This is currently a work in progress.
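As an added example (not one of this project's own lab files), the script below shows how the minimal deployment lab is produced from an ipalab-config description: it writes the lab YAML, generates the compose and inventory files, starts the containers, and runs the ansible-freeipa playbook. The YAML keys, the `-o` output option, the `inventory.yml` and `playbooks/install-cluster.yml` paths, and the container names are my understanding of the ipalab-config conventions and should be checked against the tool's documentation; the lab name, subnet, hostnames and passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduce the "minimal deployment" lab (one FreeIPA server,
# one enrolled client) with ipalab-config, podman-compose and ansible-freeipa.
# Not part of this project's own files. Config keys and tool options are
# assumptions about the ipalab-config format; verify them against its docs.
set -eu

LAB_NAME="${LAB_NAME:-minimal-lab}"
CONFIG_FILE="${CONFIG_FILE:-${LAB_NAME}.yaml}"

# write_lab_config FILE: write the lab description. The admin and Directory
# Manager passwords are constructed lab-only placeholders; the lab runs in
# throwaway containers, so they must never be reused anywhere else.
write_lab_config() {
    cat > "$1" <<'EOF'
lab_name: minimal-lab
subnet: "192.168.159.0/24"
ipa_deployments:
  - name: ipa
    domain: ipa.test
    realm: IPA.TEST
    admin_password: SomeADMINpassword
    dm_password: SomeDMpassword
    cluster:
      servers:
        - name: server
          capabilities: ["CA", "DNS", "KRA"]
      clients:
        - name: client
EOF
}

# realm_from_config FILE: print the Kerberos realm the lab will create, so a
# later credential check knows which TGT to expect.
realm_from_config() {
    sed -n 's/^[[:space:]]*realm:[[:space:]]*//p' "$1" | head -n 1
}

# deploy_lab FILE: generate the compose/inventory files (assumed "-o" output
# option), start the containers, and run the ansible-freeipa playbook that
# installs the server and enrolls the client. Requires ipalab-config,
# podman-compose and ansible-freeipa on the host.
deploy_lab() {
    config="$1"
    ipalab-config -o "$LAB_NAME" "$config"
    cd "$LAB_NAME"
    podman-compose up -d
    ansible-playbook -i inventory.yml playbooks/install-cluster.yml
}

# tgt_for_realm REALM: read a klist(1) listing on stdin and succeed only if it
# contains a ticket-granting ticket for REALM. After the demo's SSH login on
# the client, "klist | tgt_for_realm IPA.TEST" confirms that SSSD obtained the
# TGT the ipa command line will use; an absent TGT means the ipa call would
# fall back to prompting for a password rather than using Kerberos.
tgt_for_realm() {
    grep -q "krbtgt/$1@$1"
}

# Only deploy when asked explicitly, so sourcing the file just defines helpers.
case "${1:-}" in
    deploy)
        write_lab_config "$CONFIG_FILE"
        echo "lab realm: $(realm_from_config "$CONFIG_FILE")"
        deploy_lab "$CONFIG_FILE"
        ;;
esac
```

Run it as `sh minimal-lab.sh deploy` on a host with the three tools installed; afterwards, `podman-compose down` in the generated directory tears the lab down.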
Some of the demo labs have automated recording of the operations that can be performed on them. Video recording is built upon the excellent VHS tool. A pre-built version for Fedora is provided in the COPR repository abbra/vhs. This build also includes a fix from the upstream PR#551.
The demo recording for the minimal deployment covers a minimal use of the FreeIPA command line:
- an administrator logs into a client system over SSH using a password
- a Kerberos ticket is obtained automatically by SSSD
- the IPA command line tool authenticates to the IPA server using that Kerberos ticket
The local KDC demo is more involved:
- a user logs into their own machine over SSH using a password
- a Kerberos ticket is obtained automatically by SSSD from the local KDC, which is activated on demand
- the user then uses the Kerberos ticket to authenticate to sudo and obtain root privileges
- the user also uses the Kerberos ticket to authenticate to a Samba server running locally
- finally, the user authenticates with the Kerberos IAKerb extension to a remotely running Samba server, completely removing the need for the NTLM authentication protocol
The FreeIPA trust demo is a minimalistic demonstration of how users and groups from one IPA environment can be resolved in the other IPA environment. A trust agreement is established between both IPA environments, similarly to how IPA establishes a forest-level trust with Active Directory.