IPA Technical FAQ
This FAQ page is an attempt to collate information provided in response to questions raised in various forums, including mailing lists and IRC channels. As it is formalized, some of this information will be integrated into the official IPA documentation.
This document focuses on the technical aspects of IPA. For product-related questions, please refer to:
The information provided here refers to freeIPA. The features and functionality provided by Red Hat Enterprise IPA, available from the Red Hat Network download site, may differ slightly from the community version. Consequently, some of the information provided here may not apply to the Enterprise version.
General Queries
- Q: Does freeIPA support cached logins, for example, for laptops at home?
- A: This is currently under development, but has not yet been implemented.
- Q: Does freeIPA support /home directories on the network and on, for example, a laptop at the same time, with synchronization between the two locations?
- A: No, this is not supported. The freeIPA project focuses only on Identity, Policy and Audit, and to date storage management is not a priority.
IPA and Directory Server
- Q: Can I access the DS Admin Console from within IPA to work on the LDAP server at a lower level?
- A: No, this is not supported.
IPA and Kerberos
- Q: Can I integrate my existing Kerberos environment with IPA?
- A: In IPA 1.0, if you have existing Kerberos environments, you need to establish a Kerberos trust between any existing realms and the IPA realm.
- Q: Can I use pkinit with IPA?
- A: While it is possible to use this and related tools (e.g., kadmin), it is not recommended.
IPA and NIS
- Q: Does freeIPA offer a migration path from NIS that will maintain the same UIDs and GIDs?
- A: No tools currently exist for such a migration. It should be possible to migrate the user and group information over using the IPA administration tools. You can use these tools to set UID and GID values after the user or group has been added.
- Q: Can the freeIPA server also function as a NIS server, using the same UIDs and GIDs, for clients that cannot join the freeIPA domain (for example, NAS devices)?
- A: Yes. A plugin, slapi-nis, has been developed for the Fedora Directory Server that can act as a NIS server.
- We are initially focusing on the "Schema Compatibility" plugin also provided in this package so that Solaris nss_ldap will work out-of-the-box, removing the need to use the PADL version. This will make it easier for workstations to join without having to install and configure additional software. Solaris doesn't support the memberOf attribute so we will use this plugin to map memberOf to memberUid.
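The memberOf-to-memberUid mapping mentioned above, sketched as an added example: this is not slapi-nis code or configuration, only an illustration of the view a memberUid-only client needs. The entry layout, DNs, names and numbers are constructed, and the function names are hypothetical.

```python
# Added illustration of the memberOf -> memberUid mapping; not slapi-nis code.
# All DNs, names and numbers below are constructed sample data.

def norm_dn(dn):
    """Compare DNs case-insensitively, ignoring spaces around commas.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def compat_groups(users, groups):
    """Return RFC 2307-style group views whose memberUid lists are
    derived from each user's memberOf values."""
    view = {}
    for g in groups:
        if "gidNumber" not in g:
            continue  # no GID: not a POSIX group, left out of this view
        view[norm_dn(g["dn"])] = {
            "cn": g["cn"], "gidNumber": g["gidNumber"], "memberUid": []}
    for u in users:
        for group_dn in u.get("memberOf", []):
            entry = view.get(norm_dn(group_dn))
            # Unknown or non-POSIX groups are ignored; duplicates collapse.
            if entry is not None and u["uid"] not in entry["memberUid"]:
                entry["memberUid"].append(u["uid"])
    for entry in view.values():
        entry["memberUid"].sort()
    return sorted(view.values(), key=lambda e: e["cn"])

BASE = "cn=groups,dc=example,dc=com"  # constructed suffix
GROUPS = [
    {"dn": "cn=admins," + BASE, "cn": "admins", "gidNumber": 1100},
    {"dn": "cn=devs," + BASE, "cn": "devs", "gidNumber": 1101},
    {"dn": "cn=mailing," + BASE, "cn": "mailing"},  # no gidNumber
]
USERS = [
    {"uid": "bob", "memberOf": ["cn=devs," + BASE, "cn=mailing," + BASE]},
    {"uid": "alice", "memberOf": ["cn=admins," + BASE,
                                  "CN=Devs, cn=groups, dc=example, dc=com"]},
    {"uid": "carol"},  # member of no groups
]

if __name__ == "__main__":
    for g in compat_groups(USERS, GROUPS):
        print(g["cn"], g["gidNumber"], g["memberUid"])
```

Comparing the derived memberUid lists with what a Solaris client actually resolves for a group is a quick check that group-based access decisions see the same membership on both sides.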
IPA Policy
- Q: Can I specify different policies for different groups?
- A: No. The current release of IPA supports one policy for all.
- The PRD for v2 does not explicitly list this requirement. It does include a requirement to improve password policies, but not to that scope. This will be added to a future feature set.
- Q: Why are passwords expired after reset?
- A: This is a security feature. For more information, see this article.
Operating System Support
IPA and Solaris
- Q: Does freeIPA support OpenSolaris as a client?
- A: OpenSolaris has not been specifically tested as a client, but Solaris 8, 9, and 10 have all been tested and function as expected, and so it is reasonable to assume that OpenSolaris will function equally well as a freeIPA client.


