What is FreeIPA?
FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and the Dogtag Certificate System. It consists of a web interface and command-line administration tools.
FreeIPA is an integrated identity and authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
Multiple FreeIPA servers can easily be configured in a FreeIPA domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally, domain names can be managed using the integrated ISC BIND server.
- Roadmap: You may view FreeIPA's current roadmap for future features on the Roadmap page.
- Most of our activity happens on the freeipa-devel and freeipa-users mailing lists as well as on the #freeipa IRC channel on irc.freenode.net.
- Our tasks, goals and milestones are tracked via the FreeIPA Trac instance.
FreeIPA takes advantage of different technologies:
- MIT KDC - the core of FreeIPA's authentication.
- 389 Directory Server - the back end where FreeIPA keeps all of its data.
- Dogtag Certificate System - FreeIPA includes a CA and RA for certificate management functions.
- SSSD - the client-side component that integrates FreeIPA as an authentication and identity provider in a better way than traditional NSS and PAM modules.
Frequently Asked Questions
What's Available in FreeIPA Now? What's in the Pipeline?
FreeIPA (so far) is an integrated solution combining
- Linux (currently Fedora)
- 389 Directory Server
- MIT Kerberos
- DNS (FreeIPA v2)
- Web and command line provisioning and administration tools
- Dogtag Certificate System (FreeIPA v2)
Version 1 focused on
- Allowing an administrator to quickly install, setup, and administer one or more FreeIPA servers for centralized authentication and user identity management.
Version 2 focuses on
- Adding DNS and Certificate Authority to the FreeIPA core
- Allowing an admin to join a machine to a FreeIPA realm
- Providing a Kerberos principal and certificate to the joined machine
- Providing service keytabs and service certificates to services
- Managing the keytabs and certificates once provided
- Plug-in architecture for FreeIPA extensibility
- FreeIPA Client code for managing authentication, authorization, caching, connection
- Centrally managed netgroups and automount
See the Roadmap page for more detailed roadmap information.
Why Use FreeIPA?
For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:
- Identity (machine, user, virtual machines, groups, authentication credentials)
- Policy (host based access control)
- Audit (this component is deferred)
Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and (some day) audit easy to centrally manage for the Linux and Unix world. Of course, we will also need to interoperate well with Windows and much more.
We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world.
For policy we focus on the host based access control management and enforcement. As for other aspects of the policy management related to systems management and configuration management, after serious evaluation we decided not to address these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available.
We did a lot of research and evaluation in the audit area and realized that this is a significant effort that might require a project of its own. For now we have decided not to disperse our energy and instead to work more on improving the identity and authentication aspects of the system. We will continue to monitor open source projects in the audit-related space. One such project that was created as a result of our evaluation is ELAPI, and we will continue investing in it.
What are the problems FreeIPA is trying to solve?
- Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions
- Vendor focus on Web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security info. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.
- Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.
What are the values behind the FreeIPA project?
Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.
- Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.
- Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
- Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e. a central server is not required) and should follow the principle of subsidiarity, empowering individuals by enabling the delegation of administrative rights to the lowest level possible in an organization.
What will be FreeIPA's first steps around Identity?
We are looking to take concrete and useful steps, and so have chosen to focus our first efforts on centralized identity management and authentication for Linux and Unix.
- This solution will initially consist of an MIT Kerberos 5 server using a 389 Directory Server backend. The goal is to make it easy for developers and administrators to set up centralized identity management for their environment, using the directory as the central username and password store and Kerberos as the means of authentication and single sign-on.
- In version 1 we provided: a fixed schema, simple configuration tools to easily set up an IPA server and replication, and command line tools and an intuitive GUI for user and group management.
- In version 2 we are working on: integrating the Dogtag Certificate Server and a DNS server, added support for hosts, centrally managed netgroups, different automount maps for different locations, an extensible UI/CLI framework, host based access control and more.
- We want to make sure this solution can manage identity and authentication well for Linux and Unix boxes and we hope our efforts inspire upstream package owners to kerberize a lot more packages.
How can I get involved?
We welcome your participation in FreeIPA whether you want to read, contribute to discussion, contribute code, or test it out. Please join us!
- For occasional updates on our progress, subscribe to freeipa-interest
- To contribute to the development of FreeIPA go to Contribute and subscribe to freeipa-devel
- Use freeipa-users mailing list to discuss deployment, configuration, and use of FreeIPA. It is the best place to ask "how to" questions and to share your experience with FreeIPA.
What License does FreeIPA use?
See the License page for more details.