- 1 What is FreeIPA?
- 2 General FAQ
- 3 Technical FAQ
- 3.1 Does FreeIPA support cached logins, for example, for laptops at home?
- 3.2 Can FreeIPA replace my Active Directory Server?
- 3.3 Why are passwords expired after reset?
- 3.4 Why does FreeIPA not provide a self-service password reset page?
- 3.5 What are the recommendations for FreeIPA deployment?
- 3.6 Why is a FreeIPA client not backwards compatible?
What is FreeIPA?
FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, and Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally, domain names can be managed using the integrated ISC BIND server.
- Roadmap: You may view FreeIPA's current roadmap for future features here.
- Most of our activity happens on the freeipa-devel and freeipa-user mailing lists as well as on the #freeipa IRC channel on irc.freenode.net.
- Our tasks, goals and milestones are tracked via the FreeIPA Trac instance.
FreeIPA takes advantage of different technologies:
- MIT KDC - core of FreeIPA's authentication.
- 389 Directory Server - back end where FreeIPA keeps all data.
- Dogtag Certificate System - FreeIPA includes CA & RA for certificate management functions.
- SSSD - client-side component that integrates FreeIPA as an authentication and identity provider in a better way than traditional NSS & PAM.
What's Available in FreeIPA Now? What's in the Pipeline?
FreeIPA (so far) is an integrated solution combining
- Linux (currently Fedora or Red Hat Enterprise Linux)
- 389 Directory Server
- MIT Kerberos
- Web and command line provisioning and administration tools
- Dogtag Certificate System
- Active Directory Integration
Version 1 focused on
- Allowing an administrator to quickly install, setup, and administer one or more FreeIPA servers for centralized authentication and user identity management.
Version 2 focused on
- Adding DNS and Certificate Authority to the FreeIPA core
- Allowing an admin to join a machine to a FreeIPA realm
- Providing a Kerberos principal and cert to the joined machine
- Providing service keytabs and service certificates to services
- Managing the keytabs and certificates once provided
- Plug-in architecture for FreeIPA extensibility
- FreeIPA Client code for managing authentication, authorization, caching, connection
- Centrally managed netgroups and automount
Version 3 focuses on
- Active Directory Integration in the form of Kerberos cross-realm trusts, allowing SSO from AD to Linux resources and vice versa
- Integration with Dogtag 10 or CA-less installation
Look for more detailed roadmap information at Roadmap
Why Use FreeIPA?
For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:
- Identity (machine, user, virtual machines, groups, authentication credentials)
- Policy (host based access control)
- Audit (this component is deferred)
Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and audit (some day) easy to centrally manage for the Linux and Unix world. Of course, we will need to interoperate well with Windows and much more.
We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world.
For policy, we focus on host-based access control management and enforcement. As for other aspects of policy management related to systems management and configuration management, after serious evaluation we decided not to address these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available.
We did a lot of research and evaluation in the audit area and realized that this is a significant effort and might require a project of its own. For now we decided not to disperse our energy and to work more on improving the identity and authentication aspects of the system. But we will continue to monitor open source projects in the audit-related space. One such project, created as a result of our evaluation, is ELAPI. We will continue investing in that project.
What are the problems FreeIPA is trying to solve?
- Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions
- Vendor focus on Web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security info. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.
- Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.
What are the values behind the FreeIPA project?
Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.
- Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.
- Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
- Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e., a central server is not required) and should follow the principle of subsidiarity, empowering individuals by enabling the delegation of administration rights to the lowest level possible in an organization.
What License does FreeIPA use?
See the License page for more details
Does FreeIPA support cached logins, for example, for laptops at home?
This is supported by FreeIPA's sister project, SSSD.
Can FreeIPA replace my Active Directory Server?
No. But with FreeIPA v2, you can replicate users and passwords from an AD server to a FreeIPA server.
With FreeIPA v3, you can create a trust with Active Directory and use SSO (single sign-on) from a Windows machine to a Linux machine.
Why are passwords expired after reset?
This is a security feature. For more information on the topic, see New Passwords Expired.
Why does FreeIPA not provide a self-service password reset page?
This is a security feature. For more information on the topic, see Self-Service Password Reset.
What are the recommendations for FreeIPA deployment?
Why is a FreeIPA client not backwards compatible?
See the Client compatibility article.