About FreeIPA

What is Free IPA?

FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.


Resources


State of Development


References

IPA takes advantage of different technologies:

  • MIT KDC - the core of IPA's authentication.
  • 389 Directory Server - the back end where IPA keeps all of its data.
  • Dogtag Certificate System - IPA includes a CA and RA for certificate management functions.
  • SSSD - client-side component that integrates IPA as an authentication and identity provider more robustly than the traditional NSS and PAM approach.


Frequently Asked Questions

What's Available in FreeIPA Now? What's in the Pipeline?

FreeIPA (so far) is an integrated solution combining

  • Linux (currently Fedora)
  • 389 Directory Server
  • MIT Kerberos
  • NTP
  • DNS (IPA v2)
  • Web and command line provisioning and administration tools
  • Dogtag Certificate System (IPA v2)

Version 1 focused on

  • Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.

Version 2 focuses on

  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing a Kerberos principal and certificate to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility
  • IPA Client code for managing authentication, authorization, caching, connection
  • Centrally managed netgroups and automount

Look for more detailed roadmap information at Roadmap.

Why Use FreeIPA?

For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:

  • Identity (machine, user, virtual machines, groups, authentication credentials)
  • Policy (host based access control)
  • Audit (this component is deferred)

Because identity, policy, and audit information is vitally important and closely interrelated, we think it should be open, interoperable, and manageable. Our focus is on making identity, policy, and (some day) audit easy to centrally manage for the Linux and Unix world. Of course, we will also need to interoperate well with Windows and much more.

We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world.

For policy we focus on the host based access control management and enforcement. As for other aspects of the policy management related to systems management and configuration management, after serious evaluation we decided not to address these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available.

We did a lot of research and evaluation in the audit area and realized that this is a significant effort that might require a project of its own. For now we decided not to disperse our energy and instead to work on improving the identity and authentication aspects of the system. We will continue to monitor open source projects in the audit space. One such project, created as a result of our evaluation, is ELAPI, and we will continue investing in it.

What are the problems freeIPA is trying to solve?

  • Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions
  • Vendor focus on web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security information. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.
  • Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.

What are the values behind the freeIPA project?

Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.

  • Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.
  • Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
  • Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e., a central server is not required) and should follow the principle of subsidiarity, empowering individuals by enabling the delegation of administrative rights to the lowest level possible in an organization.

What will be freeIPA's first steps around Identity?

We are looking to take concrete and useful steps, and so have chosen to focus our first efforts on centralized Identity Management and Authentication for Linux and Unix.

  • This solution will initially consist of an MIT Kerberos 5 server using a Fedora Directory Server backend. The goal is to make it easy for developers and administrators to set up centralized identity management for their environment, using the directory as the central username and password store and Kerberos as the means of authentication and single sign-on.
  • In version 1 we provided: a fixed schema, simple configuration tools to easily set up an IPA server and replication, and command line tools and an intuitive GUI for user and group management.
  • In version 2 we are working on: integrating Dogtag Certificate Server, DNS server, added support for hosts, centrally managed netgroups, different automount maps for different locations, extensible UI/CLI framework, host based access control and more.
  • We want to make sure this solution can manage identity and authentication well for Linux and Unix boxes and we hope our efforts inspire upstream package owners to kerberize a lot more packages.

How can I get involved?

We welcome your participation in freeIPA whether you want to read, contribute to discussion, contribute code, or test it out. Please join us!

  • For occasional updates on our progress, subscribe to freeipa-interest
  • To contribute to the development of freeIPA go to Contribute and subscribe to freeipa-devel
  • Use freeipa-users mailing list to discuss deployment, configuration, and use of FreeIPA. It is the best place to ask "how to" questions and to share your experience with FreeIPA.

What License does FreeIPA use?

See the License page for more details.
