= IPA Infrastructure SOP

== Contact Information

Owner::
  Fedora Infrastructure Team

Contact::
  https://matrix.to/#/#admin:fedoraproject.org

Primary upstream contact::
  Alexander Bokovoy - FAS: abbra

Servers::
* ipa01.rdu3.fedoraproject.org
* ipa02.rdu3.fedoraproject.org
* ipa03.rdu3.fedoraproject.org
* ipa01.stg.rdu3.fedoraproject.org
* ipa02.stg.rdu3.fedoraproject.org
* ipa03.stg.rdu3.fedoraproject.org

URL::
* link:https://id.fedoraproject.org/ipa/ui[]
* link:https://id.stg.fedoraproject.org/ipa/ui[]

Purpose::
  IPA is used as Identity management server for Fedora users. It serves as backend for
  Fedora Account System.

== Description

link:https://www.freeipa.org/[IPA] is used as a backend LDAP database for handling the
user authentication inside Fedora Infrastructure.

== Known issues

Most issues regarding user data could be solved through web interface.

=== Web UI redirects to internal name

If web UI starts redirecting to internal name instead of link:https://id.fedoraproject.org/ipa/ui[]
you need to either run `ipa.yml` playbook or fix that in `/etc/httpd/conf.d/ipa-rewrite.conf` on the
machine that the redirection is going to.

== Checking status

To check status of IPA cluster you simply need to ssh to any of the servers and run
`ipactl status`.

== Restarting

To restart the IPA service you simply need to ssh to any of the servers and issue an
`ipactl restart`.

== Configuration

Configuration is handled by the
link:https://pagure.io/fedora-infra/ansible/blob/5ad386ed6fb30484348848a354d4dfa6b7393f74/f/playbooks/groups/ipa.yml[ipa.yml]
playbook in Ansible. This playbook could also be used to reconfigure application,
if that becomes necessary.

== Common actions

This section describes some common actions done on IPA.

* xref:howtos:groups_in_fedora.adoc#_how_to_create_a_group[Creating group]
* xref:2-factor.adoc[Two factor authentication]