FOSDEM 2025 is behind us. We ran the Identity and Access Management devroom at FOSDEM. At the devroom, my team did a few talks and demos about FreeIPA and Kerberos. While preparing for those talks, we tried to create demonstrations that others could repeat as well. At first, this was an attempt to help ourselves, as we need to communicate our advances to others in the teams. Then we started to look at how to show our progress to folks outside of the development groups.

We iterated over our tools and finally ended up with something based on what we use in upstream CIs: we use podman containers to run what end up being ephemeral VMs hosting the software. This doesn't give us the ability to handle all possible scenarios, and it is not a way to run actual production environments either. Yet it allows us to quickly reuse and share:

  • descriptive definition of the deployment configuration

  • standard tooling to provision the configuration as containers with podman-compose

  • use of Ansible playbooks to run repeatable actions against the hosts, with the inventory taken from the podman-compose integration

The tool, ipalab-config, quickly became flexible enough to be used in multiple scenarios. It powers ansible-freeipa's own upstream CI, and we aim to reuse it for the new FreeIPA Web UI development and for the FreeIPA workshop.
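As an added illustration of the descriptive deployment definition mentioned above (this is an example written for this post, not a file from the freeipa-local-tests repository), here is what a small ipalab-config lab definition looks like: one IPA server carrying the CA and DNS roles, one replica, and one client. The key names follow the format documented in ipalab-config's upstream README and should be checked against the version you install; the lab name, domain, realm, hostnames and passwords are constructed placeholders for a throwaway lab.

```yaml
# Added example lab definition for ipalab-config (not from the freeipa-local-tests
# repository). Key names follow ipalab-config's upstream README; the lab name,
# domain, realm, hostnames and passwords are constructed placeholders.
lab_name: ipa-lab
ipa_deployments:
  - name: ipa
    domain: ipa.test
    realm: IPA.TEST
    admin_password: SomeADMINpassword   # placeholder; fine only for an ephemeral lab
    dm_password: SomeDMpassword         # placeholder; Directory Manager password
    cluster:
      servers:
        - name: server
          capabilities: ["CA", "DNS"]   # first server hosts the CA and DNS
        - name: replica
          capabilities: ["DNS"]         # replica without its own CA
      clients:
        - name: client                  # enrolled client used for the SSH/Kerberos demos
```

In the workflow the ipalab-config README describes, running `ipalab-config ipa-lab.yaml` generates a directory containing a compose file and an Ansible inventory; `podman-compose up -d` in that directory starts the containers, and an `ansible-playbook -i inventory.yml playbooks/install-cluster.yml` run deploys FreeIPA with ansible-freeipa (the generated file names are from the README and may differ between versions, so check the generated directory). Because every host is an ephemeral container, the lab can be torn down with `podman-compose down` and rebuilt from the same YAML file, which is what makes the demos repeatable.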

For the demos at the FOSDEM IAM devroom we put together a separate repository that holds all the scenarios and even recording files to reproduce the demos: freeipa-local-tests. You can try for yourself how the local authentication hub, IPA-IPA trust, or IPA-IPA migration work.

This project demonstrates how complex multi-system FreeIPA deployments can be tested locally or in your CI/CD. The test environment is built with the help of podman and orchestrated with the ipalab-config and podman-compose tools. The FreeIPA environment is deployed with the help of ansible-freeipa. Upstream, we run these tests in GitHub Actions as well.

Demo labs

The following configurations are provided as ‘labs’ that can be reproduced using the ipalab-config tool and the configurations from this project:

Demo recordings

Some of the demo labs have automated recordings of the operations that can be performed on them. The video recording is built upon the excellent VHS tool. A pre-built version for Fedora is provided in the COPR abbra/vhs. This build also includes a fix from the upstream PR#551.

Minimal deployment demo

This demo recording includes a minimal use of the FreeIPA command line:

  • an administrator logs into a client system over SSH using a password
  • a Kerberos ticket is obtained automatically by SSSD
  • the IPA command line tool authenticates to the IPA server using Kerberos

Local KDC demo

The local KDC demo is more involved:

  • a user logs into their own machine over SSH using a password
  • a Kerberos ticket is obtained automatically by SSSD from the local KDC, which is activated on demand
  • the user then uses the Kerberos ticket to authenticate to sudo and obtain root privileges
  • the user also uses the Kerberos ticket to authenticate to a Samba server running locally
  • finally, the user authenticates with the Kerberos IAKerb extension to a remotely running Samba server, removing entirely the need for the NTLM authentication protocol

IPA to IPA trust demo

This is a minimalistic demo of how users and groups from one IPA environment can be resolved in the other IPA environment. A trust agreement is established between both IPA environments, similarly to how IPA can establish a forest-level trust with Active Directory.