Name : freeipa Category : service Type : docker Channel : community

Installs the FreeIPA LDAP server and Web UI. The LDAP service is later used by the WAF to authenticate and authorize users. LDAP users and groups can be managed via the Web UI available at https://ipa-<owner>-<env>.route53domain (for example: ) or via the athena-users command.


athena-services freeipa

Infrastructure requirements


athena-infrastructure backoffice


athena-infrastructure vpc

Service Requirements


athena-services common,gitolite


athena-services gateway


  • vpc_name, vpc_env, route53_domain - used to create the realm IPA-{{vpc_name|upper}}-{{vpc_env|upper}}.{{route53_domain|upper}}


Please see platform secrets for more details.

  • passwords/users/<owner>-<env>-ipa.admin - IPA admin user password (for example ~/git/athena/ansible-data-nft/passwords/users/athena-nft-ipa.admin)
  • passwords/users/<owner>-<env>-ipa.ds - Directory Manager user password (for example ~/git/athena/ansible-data-nft/passwords/users/athena-nft-ipa.ds)


Service user

Create an LDAP user for a particular consumer (for example: gateway) via the ldap-sysaccount role.

Service endpoint

  • host - ldap.service.consul
  • port - {{ipa_ldap_port}} variable (20389 by default)
  • bind DN - distinguished name of the LDAP system user: uid={{<service>_ldap_user}},cn=sysaccounts,cn=etc,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}, where <service> is the actual service name (for example: gateway)
  • bind password - LDAP service password {{ lookup('password', lookup('env','ANSIBLE_DATA') + '/passwords/users/' + vpc_name|lower + '-' + vpc_env|lower + '-' + <service>_ldap_user|lower) }}, where <service> is the actual service name (for example: gateway)

Search path

  • user search - directory where user entries are stored: cn=users,cn=accounts,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}
  • group matching - directory where user groups are stored: cn=<group_name>,cn=groups,cn=accounts,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}, where <group_name> is the group to match, inserted dynamically
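The following is an added example, not code from the freeipa service or the athena tooling. It assembles the identifiers the Service endpoint and Search path sections describe (bind DN, secret path, user search base, group DN, realm) and builds the user lookup filter a consumer such as the gateway would run, escaping any user-supplied login name or group name per RFC 4515/4514 before it is placed in a filter or DN. The host and port are the page's values; the domain, user and group names are constructed. One assumption is labelled in the code: base_dn() keeps every label of route53_domain (FreeIPA's default suffix), which gives the same result as the page's split('.')[0]/[1] expression for two-label domains and extends it to longer ones.

```python
# Added example (not part of the freeipa service docs or athena tooling):
# builds the identifiers from the endpoint and search-path sections and
# escapes user-supplied values before they reach an LDAP filter or DN.
# Domain, user and group names used below are constructed.
from typing import Optional

LDAP_HOST = "ldap.service.consul"   # service endpoint host from the page
LDAP_PORT = 20389                   # ipa_ldap_port default from the page

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;')

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out.replace("\x00", "\\00")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn(route53_domain: str) -> str:
    """dc= components for route53_domain.

    The page's templates take only split('.')[0] and [1]; this helper keeps
    every label (FreeIPA's default suffix), which is identical for two-label
    domains. Assumption: the IPA suffix was not overridden at install time.
    """
    labels = [part for part in route53_domain.lower().split(".") if part]
    if len(labels) < 2:
        raise ValueError("route53_domain needs at least two labels")
    return ",".join(f"dc={escape_dn_value(part)}" for part in labels)


def realm(vpc_name: str, vpc_env: str, route53_domain: str) -> str:
    """Realm name as the page's IPA-{{vpc_name|upper}}-... template forms it."""
    return f"IPA-{vpc_name.upper()}-{vpc_env.upper()}.{route53_domain.upper()}"


def sysaccount_dn(service_ldap_user: str, route53_domain: str) -> str:
    """Bind DN of a consumer's system account (created by the ldap-sysaccount role)."""
    return (f"uid={escape_dn_value(service_ldap_user)},cn=sysaccounts,cn=etc,"
            f"{base_dn(route53_domain)}")


def password_secret_path(ansible_data: str, vpc_name: str, vpc_env: str,
                         service_ldap_user: str) -> str:
    """File the page's lookup('password', ...) expression reads the bind password from."""
    return (f"{ansible_data}/passwords/users/"
            f"{vpc_name.lower()}-{vpc_env.lower()}-{service_ldap_user.lower()}")


def user_search_base(route53_domain: str) -> str:
    """Search base for user entries."""
    return f"cn=users,cn=accounts,{base_dn(route53_domain)}"


def group_dn(group_name: str, route53_domain: str) -> str:
    """DN of the group to match; group_name is escaped, not pasted in raw."""
    return f"cn={escape_dn_value(group_name)},cn=groups,cn=accounts,{base_dn(route53_domain)}"


def user_filter(uid: str, route53_domain: str, group_name: Optional[str] = None) -> str:
    """Filter a consumer would run under user_search_base(): match the login
    name and, when a group is given, require membership in it. memberOf is the
    attribute FreeIPA maintains on user entries for group membership."""
    clauses = [f"(uid={escape_filter_value(uid)})"]
    if group_name is not None:
        member_of = group_dn(group_name, route53_domain)
        clauses.append(f"(memberOf={escape_filter_value(member_of)})")
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed values: realm domain example.com, consumer "gateway", group "admins".
    print("realm      :", realm("athena", "nft", "example.com"))
    print("endpoint   :", f"{LDAP_HOST}:{LDAP_PORT}")
    print("bind DN    :", sysaccount_dn("gateway", "example.com"))
    print("secret     :", password_secret_path("/data", "athena", "nft", "gateway"))
    print("search base:", user_search_base("example.com"))
    print("filter     :", user_filter("j*doe", "example.com", "admins"))
```

The escaping functions are the part worth keeping: a login name or group name taken from a request and concatenated directly into the filter or DN would let `*` or `)` alter the query, so every value passes through escape_filter_value() or escape_dn_value() first.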