- 1 What is FreeIPA?
- 2 General FAQ
- 3 Technical FAQ
- 3.1 Does FreeIPA support cached logins, for example, for laptops at home?
- 3.2 Can FreeIPA replace my Active Directory Server?
- 3.3 Why are passwords expired after reset?
- 3.4 Why FreeIPA does not provide a self-service password reset page?
- 3.5 What are the recommendations for FreeIPA deployment?
- 3.6 Why is a FreeIPA client not backwards compatible?
- 3.7 When will we implement FreeIPA to FreeIPA trusts?
- 3.8 Active Directory deprecated Identity Management for Unix (IDMU), what should I do?
What is FreeIPA?
FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.
FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single-Sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally Domain Names can be managed using the integrated ISC Bind server.
- Roadmap: You may view FreeIPA's current roadmap for future features here.
- Most of our activity happens on the freeipa-devel and freeipa-user mailing lists as well as on the #freeipa IRC channel on the irc.freenode.net.
- Our tasks, goals and milestones are tracked via freeipa trac instance.
FreeIPA takes advantage of different technologies:
- MIT KDC - core of the FreeIPA's authentication.
- 389 Directory Server - back end where FreeIPA keeps all data.
- Dogtag Certificate System - FreeIPA includes CA & RA for certificate management functions.
- SSSD - client side component that integrates FreeIPA as a authentication and identity provider in a better way than traditional NSS & PAM.
What's Available in FreeIPA Now? What's in the Pipeline?
FreeIPA (so far) is an integrated solution combining
- Linux (currently Fedora or Red Hat Enterprise Linux)
- 389 Directory Server
- MIT Kerberos
- Web and command line provisioning and administration tools
- Dogtag Certificate System
- Active Directory Integration
- Integration with Weblogic server
Version 1 focused on
- Allowing an administrator to quickly install, setup, and administer one or more FreeIPA servers for centralized authentication and user identity management.
Version 2 focused on
- Adding DNS and Certificate Authority to the FreeIPA core
- Allowing an admin to join a machine to an FreeIPA realm
- Providing kerberos principal and cert to the joined machine
- Providing service keytabs and service certificates to services
- Managing the keytabs and certificates once provided
- Plug-in architecture for FreeIPA extensibility
- FreeIPA Client code for managing authentication, authorization, caching, connection
- Centrally managed netgroups and automount
Version 3 focused on
- Active Directory Integration in form of Kerberos cross-realm trusts, allowing SSO from AD to Linux resources
- Integration with Dogtag 10 or CA-less installation
Version 4 focuses on
- [[V4/OTP|2FA Kerberos Authenication], Better Control Access, Trusts enhancements
Look for more detailed roadmap information at Roadmap
Why Use FreeIPA?
For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:
- Identity (machine, user, virtual machines, groups, authentication credentials)
- Policy (host based access control)
- Audit (this component is deferred)
Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and audit (some day) easy to centrally manage for the Linux and Unix world. Of course, we will need to interoperate well with Windows and much more.
We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world.
For policy we focus on the host based access control management and enforcement. As for other aspects of the policy management related to systems management and configuration management, after serious evaluation we decided not to address these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available.
We did a lot of research and evaluation in the audit area and realized that this is a significant effort and might require a project of its own. For now we decided not to disperse our energy and work more on improving the identity and authentication aspects of the system. But we will continue to monitor open source projects in the audit related space. One of such projects that was created as a result of our evaluation is ELAPI. Another recent project is Centralized Logging. We will continue investing into these directions.
What are the problems FreeIPA is trying to solve?
- Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions
- Vendor focus on Web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security info. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.
- Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.
What are the values behind the FreeIPA project?
Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.
- Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.
- Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
- Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e a central server is not required) and should follow the principle of subsidiarity empowering individuals by enabling the delegation of administration to rights to the lowest level possible in an organization.
What License does FreeIPA use?
See the License page for more details
Does FreeIPA support cached logins, for example, for laptops at home?
This is supported by FreeIPA's sister project, sssd
Can FreeIPA replace my Active Directory Server?
No. But with FreeIPA v2, you can replicate users and passwords from an AD server to FreeIPA server.
With FreeIPA v3, you can create a trust with Active Directory and SSO (single sign on) from a Windows machine to Linux machine.
Why are passwords expired after reset?
This is a security feature. For more information on the topic, see New Passwords Expired.
Why FreeIPA does not provide a self-service password reset page?
This is a security feature. For more information on the topic, see Self-Service Password Reset.
What are the recommendations for FreeIPA deployment?
Why is a FreeIPA client not backwards compatible?
See Client compatibility article.
When will we implement FreeIPA to FreeIPA trusts?
This is a feature in development (tracked in ticket 4867). FreeIPA to FreeIPA trusts can be implemented right after we complete the second leg of the Active Directory Trusts, i.e. Active Directory trusting FreeIPA users to access it's resources or log in. FreeIPA to FreeIPA trusts will leverage the same interfaces (Global Catalog, which is tracked in ticket 3125.
Until the feature is implemented, it would be technically possible to create a Kerberos-only trust between two IPA realms in FreeIPA 4.2+, but this is not supported with any native interface yet. There is a hacky procedure described in Red Hat Bugzilla 1035494 or ticket 4059. Such trust would have no support from IPA tools and no ability to resolve users, groups, support HBAC rules, sudo, etc. One could add additional SSSD domains on IPA clients to represent other realms but this is not tested by upstream and majority of features will may not work in the intended ways.
It is important to understand, that Kerberos trust is only about authentication. Authorization decisions are application-specific and mapping of Kerberos-authenticated identities to POSIX application-visible identities has to happen somewhere (this is part missing). Additionally, enforcement of IPA-specific rules (RBAC or HBAC) is not ready for FreeIPA to FreeIPA trust yet.
We welcome any help with these engineering efforts! See Contribute page for ways how to contact us.
Active Directory deprecated Identity Management for Unix (IDMU), what should I do?
With Windows Server 2012 R2, Microsoft announced the deprecation of the Identity Management for Unix (IDMU) and NIS Server role which will not be included starting with Windows Server 2016 Technical Preview (more information on TechNet Blog).
This means that there will no longer be a UI to set POSIX attributes for Active Directory users. Such users will no longer be able to authenticate to FreeIPA clients, if FreeIPA ID Range is not configured to automatically generate UID and GID for the AD users.
There are multiple options how to solve this issue on the FreeIPA side:
- Generate POSIX attributes (especially UID, GID) automatically for AD users, based on their RID (recommended, especially for green field deployments)
- Leverage FreeIPA ID Views to assign POSIX attributes for the AD users
More information about user ID attributes mapping is for example in the RHEL Guide.