ensure only admin defined by IAC are enabled in freeipa.
An administrator account created in GUI must be disabled during puppet run.
Only, administrators accounts defined by IAC must be enabled in freeipa node.
Perhaps the lib python-freeipa can be used as programmatic interface between Puppet and FreeIPA