New FreeIPA Servers

In an effort to modernise our FreeIPA infrastructure, there is a new set of FreeIPA servers which use a better domain and have a better failover setup.

The new servers use ipa.fossgalaxy.net rather than ipa.fossgalaxy.ovh and lan.fossgalaxy.ovh as their internal domain names and run a much more modern version of FreeIPA.

Due to the age and state of our FreeIPA master server (over ten years old!), a direct migration was impossible, so accounts are being re-created in the new domain. Accounts that ‘talk’ to FreeIPA for authentication will work with both backends (so both logins will work during the transition).

Migration Strategy

To avoid disruption, old servers will remain on the old FreeIPA infrastructure; as replacements for the CentOS 7 infrastructure are rolled out, new servers will be enrolled in the replacement servers.

FOSSGalaxy SSO

I have rebuilt the single-sign-on service, FOSSGalaxy SSO, and will integrate services with it (hooking up to the new services).

At the moment, the following services are using this as an option:

  • Matrix
  • These forums

I’m rolling out this option to Gitlab and a new webmail service to replace our existing one. As their replacements are brought online, these services will be enrolled in our new infrastructure.

Once all services have been migrated, the old (fossgalaxy.ovh) FreeIPA servers will be turned off, and we will use only the fossgalaxy.net domains. Be aware this also means the internal server names will change (lan.fossgalaxy.ovh → ipa.fossgalaxy.net).

External service names will not change (e.g., the fosslab.uk, fgmx.uk, and fossgalaxy.com services).

Direct logins

Until the FreeIPA services are decommissioned, the services that talk directly to them will continue to work as they always have - logins will not change to your new credentials.

Any new services will use new credentials.