At our company, we manage several Ubuntu web servers with SSH, and we
use ansible scripts to automate some tasks. The web servers are hosted
by a VPS hosting provider. Until now, we have always managed the user
accounts manually for each server, but this is becoming increasingly
cumbersome as we grow. To centralize our identity management, I've been
looking into FreeIPA, but having no prior experience with this, I am
overwhelmed by complexity.
So the first question: is FreeIPA too complex for what we are trying to
accomplish? Should we be looking at a different solution? I do like
some of the advanced things we can supposedly do with FreeIPA: single
identity for everything (SSH on our servers, our Bitbucket accounts,
our Jenkins CI server), but those are currently not hard requirements.
Some technical questions:
We currently manage our TLS certificate manually with a wildcard that
we install on each server every year, but we will soon be moving to the
automated system provided by Letsencrypt. Does this mean we can disable
the Certificate Authority system provided by FreeIPA, or is the CA also
required for other things?
We currently manage our DNS entries through the web interface of our
hosting provider. When we introduce a new server, we simply clone a
special clean 'image' server, change the hostname and add an A and AAAA
record to our ISP's DNS settings. How does this interact with the
FreeIPA DNS system? Should we disable it, or does it provide advantages?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project