December 11, 2012
This article was contributed by Marko Myllynen and Simo Sorce
It is well understood that centralized management of user identity
information offers numerous benefits for networks of almost any size, but
Linux has traditionally lacked an "out of the box" solution in this area.
This article will examine the FreeIPA system, which is meant to provide
that solution using well-established free software components.
A workable solution for the problem of central identity management (IdM)
necessarily consists of integrated components and interfaces to store
and manage authentication, identity, and policy information as well as
allowing delegation of various tasks to different stakeholders as
appropriate. And in today's cloudy atmosphere, a plain user identity and
authentication management solution would fall flat without addressing,
among other things, the needs of secure computer-to-computer and
service-to-service communications.
While in the Windows world our cousins have long enjoyed a coherent
solution in the form of Active Directory (AD) to tackle these issues,
no such integrated, free solution has been available for Linux. From a
technical perspective it has been possible to set up a centralized IdM
server on Linux by configuring multiple services and components
individually. However, a comparison between the deployment of standards
like LDAP and Kerberos for IdM on Linux and Windows is illustrative:
both are ubiquitous in the Windows world while still far from the norm
in the Linux world.
If we reject the idea that this disparity is due to the
superior skills of Windows administrators compared to their Linux
counterparts, the most convincing explanation must be the lack of proper
tools on Linux. And quite often what is hard to deploy is hard to
manage; in other words, the real question is not whether something can be
done (it can) but whether it can be effectively and reliably maintained (it
depends).
Enter FreeIPA
FreeIPA (Free Identity, Policy, and Audit) builds on existing components
and services to create a coherent and easy-to-deploy identity management
system.
Manually configuring services such as certificate management, DNS, LDAP
and Kerberos on a Linux server (which represent only a subset of FreeIPA
functionality) would be a significant task even for a skilled administrator,
especially considering that, in the case of IdM, securing and tuning the
services according to best practices is a necessity. And the follow-up
task of making all this work fault-tolerant does not exactly sound like a
pleasure cruise either. However, with FreeIPA all this can be achieved in a matter of
minutes by answering a few simple questions (such as domain name or
administrator passwords) asked by the ipa-server-install tool, which
will then configure, secure, and integrate all the needed IdM components
and services.
In addition to this server configuration capability,
FreeIPA provides a web UI and a unified command-line tool
which can be used to manage data and services. For FreeIPA clients, a
configuration tool, called ipa-client-install, is provided which
will enroll a Linux system into the IPA domain and enable services like
SSSD (although using traditional client-side components to a certain
extent is also possible) with the needed certificates and Kerberos keys
to enable secure client-to-server communications.
Features and use cases
FreeIPA does not try to reinvent the wheel when providing IdM features;
instead it adds integration and functionality between
production-hardened services like MIT Kerberos, the 389 LDAP Directory
Server, the Dogtag Certificate System, Apache, BIND DNS, NTPD, and certain
Samba components.
The use of Kerberos for authentication and LDAP for
account and information management should be unsurprising; these
standards are very widely established so it makes perfect sense to put
them at the heart of FreeIPA. While the standards themselves are in wide
use already, details often differ when deployment is done manually by
different administrators. This is where FreeIPA comes to the rescue by
providing predefined configurations, freeing up administrators
to concentrate on higher-level aspects of IdM and also providing
consistency across deployments. Together with SSSD, IPA also easily
allows using LDAP for host-based
authentication control (HBAC),
SSH host key management, and sudo
rules.
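An added example (not FreeIPA or SSSD code) of the HBAC model described above: a request for user, host and service is allowed only when at least one enabled rule matches all three dimensions, directly, through a group, or through the rule's "all" category, and everything else is denied by default. The group memberships and rules are constructed sample data.

```python
# Added example, not FreeIPA or SSSD code: a minimal model of how HBAC rules
# are evaluated.  A (user, host, service) request is allowed only if at least
# one enabled rule matches all three dimensions, each matched directly, via a
# group, or by the rule's "all" category; anything else is denied.
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    usergroups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    servicegroups: set = field(default_factory=set)
    user_all: bool = False     # usercategory=all
    host_all: bool = False     # hostcategory=all
    service_all: bool = False  # servicecategory=all

# Constructed membership data: name -> groups it belongs to.
USER_GROUPS = {"alice": {"admins", "ops"}, "bob": {"devs"}}
HOST_GROUPS = {"web1.example.test": {"webservers"}, "db1.example.test": {"dbservers"}}
SERVICE_GROUPS = {"sshd": {"remote"}, "sudo": set(), "login": set()}

def _matches(value, groups_of, direct, via_groups, allow_all):
    """One dimension matches by category, by direct listing, or by group."""
    return allow_all or value in direct or bool(groups_of.get(value, set()) & via_groups)

def hbac_allowed(rules, user, host, service):
    """Return the name of the first enabled rule granting access, or None (deny)."""
    for r in rules:
        if (r.enabled
                and _matches(user, USER_GROUPS, r.users, r.usergroups, r.user_all)
                and _matches(host, HOST_GROUPS, r.hosts, r.hostgroups, r.host_all)
                and _matches(service, SERVICE_GROUPS, r.services, r.servicegroups,
                             r.service_all)):
            return r.name
    return None

# Constructed rule set.  The default allow_all rule is disabled, as it would be
# once narrower rules exist: ops may ssh to web servers, devs may sudo on db1.
RULES = [
    HbacRule("allow_all", enabled=False, user_all=True, host_all=True, service_all=True),
    HbacRule("ops_ssh_web", usergroups={"ops"}, hostgroups={"webservers"}, services={"sshd"}),
    HbacRule("devs_sudo_db", usergroups={"devs"}, hosts={"db1.example.test"}, services={"sudo"}),
]
```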
Using Kerberos authentication with services like Apache, CIFS file
shares, and SSH allows single sign-on (SSO) for users and provides
strong security in the form of mutual authentication.
On the IPA server side, the Dogtag
Certificate System is used to manage certificates,
including certificate issuance and revocation. On the client side,
certmonger can be used to track and
renew client certificates. With these two components as part of a
FreeIPA deployment, certificate management becomes a lot easier than
with running homemade scripts and manually transferring the certificate
files around, usually in haste after getting complaints that a
certificate is expired and blocking a production system. This should
also make users, at least in an ideal world, less likely to blindly
ignore certificate related warnings when they become a very rare
occurrence. With certificates and Kerberos
principals for servers and
services in place, FreeIPA enables reliable service-to-service and
computer-to-computer communications.
DNS integration can be
used as an example of how administrators are provided with flexibility
when deploying FreeIPA. BIND,
configured with the bind-dyndb-ldap plugin, can, optionally, be set up as
the domain DNS during deployment, but whether it makes sense to use it
for controlling a delegated DNS domain or take control of the entire DNS
infrastructure depends on the environment. The FreeIPA managed DNS setup
automatically provides SRV records for autodiscovery and IPA clients
can also be configured to update their current IP addresses using
GSS-TSIG secured DNS updates.
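As an added illustration of the autodiscovery records mentioned above (example code, not FreeIPA's client): the SRV owner names an IPA-managed zone publishes, and the RFC 2782 ordering a client applies to the answers. The zone contents, including the _kerberos TXT record naming the realm, are constructed sample data.

```python
# Added example, not FreeIPA client code: the SRV records an IPA-managed zone
# publishes for autodiscovery and the RFC 2782 ordering a client applies to
# them (lowest priority first, weighted random choice within a priority).
# The zone below is constructed sample data.
import random

# Owner-name prefixes an IPA-managed zone carries, relative to the domain.
IPA_SRV_NAMES = {"ldap": "_ldap._tcp", "kerberos": "_kerberos._tcp",
                 "kerberos-udp": "_kerberos._udp", "kpasswd": "_kpasswd._tcp",
                 "ntp": "_ntp._udp"}

# Constructed zone: owner name -> [(priority, weight, port, target), ...]
ZONE = {
    "_ldap._tcp.example.test": [(0, 100, 389, "ipa1.example.test"),
                                (0, 50, 389, "ipa2.example.test"),
                                (10, 100, 389, "ipa-dr.example.test")],
    "_kerberos._tcp.example.test": [(0, 100, 88, "ipa1.example.test"),
                                    (0, 100, 88, "ipa2.example.test")],
    "_kerberos.example.test": ["EXAMPLE.TEST"],  # TXT record: realm name
}

def srv_name(service, domain):
    return f"{IPA_SRV_NAMES[service]}.{domain}"

def order_srv(records, randint=random.randint):
    """RFC 2782 selection: ascending priority, then weighted random within it."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = randint(0, total)   # 0..total inclusive, as the RFC specifies
            acc = 0
            for r in pool:
                acc += r[1]
                if acc >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def discover(service, domain, zone=ZONE, randint=random.randint):
    """Targets (host, port) a client should try, in order, for one service."""
    return [(t, p) for _, _, p, t in order_srv(zone.get(srv_name(service, domain), []), randint)]
```

The `randint` parameter exists so the weighted choice can be made deterministic; with the real `random.randint` the disaster-recovery server at priority 10 is always tried last.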
In addition to integrating components on a FreeIPA server, with the
recently released FreeIPA version 3 it is now also possible to integrate
FreeIPA itself with an existing Active Directory-based IdM
infrastructure by using the new IPA-AD trust
feature. This means that once a
trust between FreeIPA and AD domains has been established by
administrators, users from the trusted AD domain are allowed SSO- and
password-based access to services in the FreeIPA domain. And this of
course works the other way around: FreeIPA users are able to access
services in the Windows domain with their Kerberos credentials obtained
from the FreeIPA domain. At this point the platform of any given service
becomes irrelevant for users as any service is seamlessly accessible,
lowering the barriers of Linux and Windows integration considerably.
Another notable benefit is that administrators will be able to enroll
their Linux systems into their FreeIPA domain instead of joining them
directly to Microsoft AD — something that is known to cause slight
organizational challenges every now and then. Naturally, though,
operating system specific characteristics provided by FreeIPA and AD,
such as SELinux
policies
and Windows group policies (GPOs), are only applicable to the respective
client systems.
Using FreeIPA
After the initial installation, it is possible to use both the web UI and
command-line interface for administration. An experienced administrator
might prefer using the command-line approach but the browser-based web
UI makes delegating certain tasks — such as user and group creation and
management — to less seasoned operators feasible. Both interfaces utilize
the same internal framework so, apart from a few seldom-used tasks
provided only by the command-line interface, both interfaces can be used
to achieve the same results.
Depending on a single server for IdM in an entire organization would of
course be asking for serious trouble. Although the offline caching
features provided by SSSD mitigate this risk, the
ipa-replica-install command can be used to easily set up IdM
server replicas as appropriate in a given environment. Replication
topology can also be adjusted later to allow for optimized
configurations when multiple geographical locations are involved.
Although the full benefits of FreeIPA are available only when using SSSD on
clients, tools are available to make migration from existing solutions
like NIS
easier. A plugin that serves data over the NIS protocol from the
LDAP database is available, as is a compatibility plugin that
provides the same LDAP data using the older RFC2307 schema for
those older LDAP clients that can't use the RFC2307bis
extensions. The
same plugin also provides netgroup maps built from the internal
grouping model available in FreeIPA. So the rather typical use case of
NIS to manage users, netgroups, and automounter maps can be migrated to
FreeIPA-controlled domains on a system-by-system basis as feasible.
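An added example (not the compatibility plugin's own code) of the two translations described above: flattening RFC2307bis groups, whose `member` values are DNs that may name other groups, into the `memberUid` form of RFC2307, and rendering a netgroup's user and host members as NIS triples. The directory entries are constructed sample data, and the triple layout (one field filled, the other `-`) is an assumption about the map format.

```python
# Added example, not the slapi-nis compat plugin: flatten RFC2307bis groups,
# whose "member" values are DNs (possibly of other groups), into the RFC2307
# memberUid form older LDAP clients need, and render a netgroup as NIS
# (host,user,domain) triples.  Entries are constructed; the triple layout
# (one field filled, the other "-") is an assumption.
BASE = "dc=example,dc=test"
USERS, GROUPS, HOSTS = (f"cn={c},cn=accounts,{BASE}" for c in ("users", "groups", "computers"))

# Constructed directory, keyed by DN; values mimic multi-valued LDAP attributes.
ENTRIES = {
    f"uid=alice,{USERS}": {"uid": ["alice"]},
    f"uid=bob,{USERS}": {"uid": ["bob"]},
    f"cn=devs,{GROUPS}": {"cn": ["devs"], "gidNumber": ["1001"],
                          "member": [f"uid=bob,{USERS}"]},
    f"cn=ops,{GROUPS}": {"cn": ["ops"], "gidNumber": ["1002"],
                         "member": [f"uid=alice,{USERS}", f"cn=devs,{GROUPS}"]},
    f"fqdn=web1.example.test,{HOSTS}": {"fqdn": ["web1.example.test"]},
}

def member_uids(group_dn, seen=None):
    """Resolve RFC2307bis member DNs, recursing through nested groups, to uids."""
    seen = set() if seen is None else seen
    uids = set()
    for dn in ENTRIES[group_dn].get("member", []):
        if dn in seen:          # guard against membership cycles
            continue
        seen.add(dn)
        entry = ENTRIES.get(dn, {})
        if "uid" in entry:
            uids.update(entry["uid"])
        elif "member" in entry:
            uids |= member_uids(dn, seen)
    return uids

def rfc2307_group(group_dn):
    """The compat-tree view: a posixGroup carrying memberUid instead of member."""
    g = ENTRIES[group_dn]
    return {"objectClass": ["posixGroup"], "cn": g["cn"], "gidNumber": g["gidNumber"],
            "memberUid": sorted(member_uids(group_dn))}

def nis_netgroup(user_dns, host_dns, nisdomain):
    """NIS netgroup triples for a netgroup holding the given user and host DNs."""
    triples = [f"(-,{u},{nisdomain})" for dn in user_dns for u in ENTRIES[dn].get("uid", [])]
    triples += [f"({h},-,{nisdomain})" for dn in host_dns for h in ENTRIES[dn].get("fqdn", [])]
    return triples
```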
Conclusions and Future
FreeIPA offers an integrated solution built on proven components for
centralized identity management. It provides a wide range of features
and also allows for Windows domain integration in mixed environments.
The approach taken by FreeIPA — integrating existing, proven components
and greatly facilitating setup and management — makes FreeIPA an
appealing IdM solution for small and larger on-site and cloud-based
environments alike. The full server and client packaging is already
available for distributions like Fedora and included in RHEL 6. Client
packages are available in varying states of maturity for Ubuntu, Debian,
and Arch Linux, with the server side expected to follow a bit later.
What the future holds for FreeIPA is, of course, open to user needs and
community feedback. The 'A' part (audit) of IPA is currently not being
actively worked on but it might be another case of integrating a proven
component into FreeIPA. Other notable areas of future work include, for
example, DHCP integration and support for two-factor authentication with
one-time passwords, smart cards, and user certificates.
Compared to the manual configuration of a large number of individual
components, FreeIPA already offers many benefits for
administrators and users. As the scale of computing environments
keeps growing, the need for a centralized IdM solution is getting more
and more important and FreeIPA is being actively developed to allow
Linux administrators to scale with their ever-increasing
responsibilities.