diff --git a/ansible/roles/freeipa/README.md b/ansible/roles/freeipa/README.md
index 4247a7d1d..5f2f377b6 100644
--- a/ansible/roles/freeipa/README.md
+++ b/ansible/roles/freeipa/README.md
@@ -62,7 +62,7 @@ These role variables are only required when using `freeipa_server`:
 - `freeipa_server_ip`: Optional, IP address of freeipa_server host. Default is `ansible_host` of the `freeipa_server` host. Default `false`.
 - `freeipa_setup_dns`: Optional bool, whether to configure the FreeIPA server as an integrated DNS server and define a zone and records. NB: This also controls whether `freeipa_client` hosts use the `freeipa_server` host for name resolution. Default `true` when `freeipa_server` contains a host.
 - `freeipa_client_ip`: Optional, IP address of FreeIPA client. Default is `ansible_host`.
-- `freeipa_users`: A list of dicts as per parameters for [community.general.ipa_user](https://docs.ansible.com/ansible/latest/collections/community/general/ipa_user_module.html). Note that:
+- `freeipa_users`: A list of dicts defining users to add, with keys/values as for [community.general.ipa_user](https://docs.ansible.com/ansible/latest/collections/community/general/ipa_user_module.html): Note that:
 - `name`, `givenname` (firstname) and `sn` (surname) are required.
- - `ipa_pass` and `ipa_user` are automatically supplied.
+ - `ipa_host`, `ipa_port`, `ipa_prot`, `ipa_user`, `validate_certs` are automatically provided and cannot be overridden.
 - If `password` is set, the value should *not* be a hash (unlike `ansible.builtin.user` as used by the `basic_users` role), and it must be changed on first login. `krbpasswordexpiration` does not appear to be able to override this.
diff --git a/ansible/roles/freeipa/tasks/users.yml b/ansible/roles/freeipa/tasks/users.yml
index a6be8392c..bd1cacad3 100644
--- a/ansible/roles/freeipa/tasks/users.yml
+++ b/ansible/roles/freeipa/tasks/users.yml
@@ -1,4 +1,27 @@
 - name: Add users to freeipa
 # This uses DNS to find the ipa server, which works as this is running on the enrolled ipa server
- community.general.ipa_user: "{{ freeipa_user_defaults | combine(item) }}"
+ community.general.ipa_user:
+ displayname: "{{ item.displayname | default(omit) }}"
+ gidnumber: "{{ item.gidnumber | default(omit) }}"
+ givenname: "{{ item.givenname }}"
+ #ipa_host
+ ipa_pass: "{{ freeipa_admin_password | quote }}"
+ #ipa_port
+ #ipa_prot
+ ipa_timeout: "{{ item.ipa_timeout | default(omit) }}"
+ #ipa_user
+ krbpasswordexpiration: "{{ item.krbpasswordexpiration | default(omit) }}"
+ loginshell: "{{ item.loginshell | default(omit) }}"
+ mail: "{{ item.mail | default(omit) }}"
+ password: "{{ item.password | default(omit) }}"
+ sn: "{{ item.sn }}"
+ sshpubkey: "{{ item.sshpubkey | default(omit) }}"
+ state: "{{ item.state | default(omit) }}"
+ telephonenumber: "{{ item.telephonenumber | default(omit) }}"
+ title: "{{ item.title | default(omit) }}"
+ uid: "{{ item.name | default(item.uid) }}"
+ uidnumber: "{{ item.uidnumber | default(omit) }}"
+ update_password: "{{ item.update_password | default(omit) }}"
+ userauthtype: "{{ item.userauthtype | default(omit) }}"
+ #validate_certs
 loop: "{{ freeipa_users }}"
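Review bot: `ipa_pass: "{{ freeipa_admin_password | quote }}"` applies Ansible's shell-quoting filter to a credential that ipa_user submits to the IPA API, not to a shell, so an admin password containing a space, `'` or another shell-special character would be wrapped or escaped before login and authentication would fail; `ipa_pass: "{{ freeipa_admin_password }}"` looks like the intended value unless freeipa_admin_password is constrained to shell-safe characters elsewhere. The task also loops over dicts that may carry a plaintext `password`, and the module's own no_log masking covers its arguments but not the `item` echoed in each loop result, so `no_log: true` on the task (or at least `loop_control: label: "{{ item.name | default(item.uid) }}"`) would keep user passwords out of play output. The new README line in the first hunk lists the parameters that cannot be overridden but omits `ipa_pass`, which this task now fixes as well; adding it there keeps the docs in step with the code. As a style point, the `#ipa_host`-style placeholder comments lack the space after `#` that yamllint expects.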