
FreeIPA: centralized identity management for Linux

December 11, 2012

This article was contributed by Marko Myllynen and Simo Sorce

It is well understood that centralized management of user identity information offers numerous benefits for networks of almost any size, but Linux has traditionally lacked an "out of the box" solution in this area. This article will examine the FreeIPA system, which is meant to provide that solution using well-established free software components.

A workable solution for the problem of central identity management (IdM) necessarily consists of integrated components and interfaces to store and manage authentication, identity, and policy information, as well as allowing delegation of various tasks to different stakeholders as appropriate. And in today's cloudy atmosphere, a plain user identity and authentication management solution would fall flat without addressing, among other things, the needs of secure computer-to-computer and service-to-service communications.

While in the Windows world our cousins have long enjoyed a coherent solution in the form of Active Directory (AD) to tackle these issues, no such integrated, free solution has been available for Linux. From a technical perspective it has been possible to set up a centralized IdM server on Linux by configuring multiple services and components individually. However a comparison between the deployment of standards like LDAP and Kerberos for IdM on Linux and Windows is illustrative: both are ubiquitous in the Windows world while still far from the norm in the Linux world. If we reject the idea that this disparity is due to the superior skills of Windows administrators compared to their Linux counterparts, the most convincing explanation must be the lack of proper tools on Linux. And quite often what is hard to deploy is hard to manage; in other words, the real question is not whether something can be done (it can) but whether it can be effectively and reliably maintained (it depends).

Enter FreeIPA

FreeIPA (Free Identity, Policy, and Audit) builds on existing components and services to create a coherent and easy-to-deploy identity management system.

Manually configuring services such as certificate management, DNS, LDAP and Kerberos on a Linux server (which represent only a subset of FreeIPA functionality) would be a significant task even for a skilled administrator, especially considering that, in the case of IdM, securing and tuning the services according to best practices is a necessity. And the follow-up task of making all this work fault tolerant does not exactly sound like a pleasure cruise either. However, with FreeIPA all this can be achieved in a matter of minutes by answering a few simple questions (such as domain name or administrator passwords) asked by the ipa-server-install tool, which will then configure, secure, and integrate all the needed IdM components and services.

In addition to this server configuration capability, FreeIPA provides a web UI and a unified command-line tool which can be used to manage data and services. For FreeIPA clients, a configuration tool, called ipa-client-install, is provided which will enroll a Linux system into the IPA domain and enable services like SSSD (although using traditional client-side components to certain extent is also possible) with the needed certificates and Kerberos keys to enable secure client-to-server communications.
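As an added illustration of what the installers ask for (this is example code written for this article, not part of FreeIPA itself), the following Python pre-flight check validates the two inputs the server installer is strictest about, the fully qualified hostname and the domain it belongs to, rejects a hostname that /etc/hosts maps to a loopback address, and then builds the ipa-server-install and ipa-client-install command lines from those inputs. The hosts-file contents, the 192.0.2.x addresses and the example.com domain are constructed; the flags are the documented ones, and passwords are deliberately left to be prompted for rather than placed on the command line.

```python
"""Pre-flight checks for a FreeIPA deployment (added example, not FreeIPA code)."""
import re
import shlex

# Constructed /etc/hosts samples, not taken from a real system.
SAMPLE_HOSTS_OK = """\
127.0.0.1   localhost localhost.localdomain
192.0.2.10  ipa.example.com ipa
"""
SAMPLE_HOSTS_BAD = """\
127.0.0.1   localhost localhost.localdomain ipa.example.com ipa
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname):
    """True if the name has at least two labels and each label is valid."""
    labels = hostname.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_hosts(text):
    """Map every name in hosts-file text to its address (first mapping wins)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def resolves_to_loopback(hostname, hosts_text):
    addr = parse_hosts(hosts_text).get(hostname.lower())
    return addr is not None and (addr.startswith("127.") or addr == "::1")


def realm_for(domain):
    """Kerberos realm convention: the DNS domain in upper case."""
    return domain.upper()


def preflight(hostname, domain, hosts_text):
    """Return a list of problems; an empty list means the basic checks pass."""
    problems = []
    if not is_fqdn(hostname):
        problems.append(f"{hostname!r} is not a fully qualified hostname")
    elif not hostname.endswith("." + domain):
        problems.append(f"{hostname!r} is not inside the IPA domain {domain!r}")
    if resolves_to_loopback(hostname, hosts_text):
        problems.append(f"{hostname!r} maps to a loopback address in /etc/hosts")
    return problems


def server_install_command(hostname, domain, setup_dns=True, forwarder="192.0.2.1"):
    """ipa-server-install invocation; passwords are omitted so they are prompted."""
    argv = ["ipa-server-install", "--hostname", hostname,
            "--domain", domain, "--realm", realm_for(domain)]
    if setup_dns:
        argv += ["--setup-dns", "--forwarder", forwarder]  # forwarder is a constructed value
    return shlex.join(argv)


def client_install_command(server, domain):
    """ipa-client-install invocation for enrolling a Linux host into the domain."""
    argv = ["ipa-client-install", "--domain", domain, "--server", server,
            "--realm", realm_for(domain), "--mkhomedir", "--enable-dns-updates"]
    return shlex.join(argv)


if __name__ == "__main__":
    for hosts in (SAMPLE_HOSTS_OK, SAMPLE_HOSTS_BAD):
        print(preflight("ipa.example.com", "example.com", hosts) or "checks pass")
    print(server_install_command("ipa.example.com", "example.com"))
    print(client_install_command("ipa.example.com", "example.com"))
```

The loopback check matters because a server whose own name resolves to 127.0.0.1 will issue Kerberos and LDAP service references that clients cannot reach; the installer refuses such a setup, and catching it before the run avoids a half-configured system.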

Features and use cases

FreeIPA does not try to reinvent the wheel when providing IdM features; instead, it adds integration and functionality between production-hardened services like MIT Kerberos, the 389 LDAP Directory Server, the Dogtag Certificate System, Apache, BIND DNS, NTPD, and certain Samba components.

The use of Kerberos for authentication and LDAP for account and information management should be unsurprising; these standards are very widely established so it makes perfect sense to put them at the heart of FreeIPA. While the standards themselves are in wide use already, details often differ when deployment is done manually by different administrators. This is where FreeIPA comes to the rescue by providing predefined configurations, freeing up administrators to concentrate on higher-level aspects of IdM and also providing consistency across deployments. Together with SSSD, IPA also easily allows using LDAP for host-based authentication control (HBAC), SSH host key management, and sudo rules. Using Kerberos authentication with services like Apache, CIFS file shares, and SSH allows single sign-on (SSO) for users and provides strong security in the form of mutual authentication.
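The HBAC rules mentioned above are evaluated on the client by SSSD, and their semantics are simple to state: rules only ever allow, access is denied unless some enabled rule matches the user, the host and the PAM service together, and a category of "all" matches everything in that dimension. The following Python model, added here as an example and not taken from SSSD or FreeIPA, makes those semantics concrete against constructed users, host groups and rules. Group membership is assumed to be already flattened, and the `ipa hbacrule-*` and `ipa hbactest` commands quoted in the comments are the standard CLI equivalents of the rules defined in the code.

```python
"""Simplified model of FreeIPA host-based access control (HBAC) evaluation.

Added example, not SSSD's or FreeIPA's code. Equivalent CLI definitions:
    ipa hbacrule-add ops_ssh --hostcat=all
    ipa hbacrule-add-user ops_ssh --groups=ops
    ipa hbacrule-add-service ops_ssh --hbacsvcs=sshd
    ipa hbactest --user=alice --host=db1.example.com --service=sshd
"""
from dataclasses import dataclass, field

ALL = "all"  # category value meaning "any user", "any host" or "any service"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # user names
    user_groups: set = field(default_factory=set)  # user group names
    hosts: set = field(default_factory=set)        # host FQDNs
    host_groups: set = field(default_factory=set)  # host group names
    services: set = field(default_factory=set)     # PAM service names, e.g. sshd
    user_cat: str = None                           # ALL or None
    host_cat: str = None
    service_cat: str = None


# Constructed directory data, standing in for what a client caches from LDAP.
USER_GROUPS = {"alice": {"admins", "ops"}, "bob": {"developers"}}
HOST_GROUPS = {"web1.example.com": {"webservers"}, "db1.example.com": {"dbservers"}}

RULES = [
    # FreeIPA ships an enabled allow_all rule; it is disabled here so the
    # specific rules below decide the outcome.
    HbacRule("allow_all", enabled=False, user_cat=ALL, host_cat=ALL, service_cat=ALL),
    # Operations staff may ssh to any host.
    HbacRule("ops_ssh", user_groups={"ops"}, host_cat=ALL, services={"sshd"}),
    # Developers may ssh and sudo, but only on web servers.
    HbacRule("dev_web", user_groups={"developers"}, host_groups={"webservers"},
             services={"sshd", "sudo"}),
]


def _matches(category, direct, groups, value, membership):
    """One dimension of a rule: category 'all', a direct entry, or a group hit."""
    if category == ALL:
        return True
    return value in direct or bool(groups & membership.get(value, set()))


def hbac_allowed(user, host, service, rules=RULES):
    """Return the name of the first enabled rule granting access, or None (deny)."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (_matches(rule.user_cat, rule.users, rule.user_groups, user, USER_GROUPS)
                and _matches(rule.host_cat, rule.hosts, rule.host_groups, host, HOST_GROUPS)
                and (rule.service_cat == ALL or service in rule.services)):
            return rule.name
    return None


if __name__ == "__main__":
    for query in (("alice", "db1.example.com", "sshd"),
                  ("bob", "web1.example.com", "sudo"),
                  ("bob", "db1.example.com", "sshd")):
        print(query, "->", hbac_allowed(*query) or "DENY")
```

The point worth checking in a real deployment is the last case: with `allow_all` disabled, a user with no matching rule is denied on every host for every service, so the rule that is disabled first is the one that decides whether anyone can still log in. `ipa hbactest` answers the same question the model does, using the server's actual data.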

On the IPA server side, the Dogtag Certificate System is used to manage certificates, including certificate issuance and revocation. On the client side, certmonger can be used to track and renew client certificates. With these two components as part of a FreeIPA deployment, certificate management becomes a lot easier than with running homemade scripts and manually transferring the certificate files around, usually in haste after getting complaints that a certificate has expired and is blocking a production system. This should also make users, at least in an ideal world, less likely to blindly ignore certificate-related warnings once they become a very rare occurrence. With certificates and Kerberos principals for servers and services in place, FreeIPA enables reliable service-to-service and computer-to-computer communications.

DNS integration can be used as an example of how administrators are provided with flexibility when deploying FreeIPA. BIND, configured with the bind-dyndb-ldap plugin, can optionally be set up as the domain DNS during deployment, but whether it makes sense to use it for controlling a delegated DNS domain or to take control of the entire DNS infrastructure depends on the environment. The FreeIPA-managed DNS setup automatically provides SRV records for autodiscovery, and IPA clients can also be configured to update their current IP addresses using GSS-TSIG secured DNS updates.
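The autodiscovery mentioned above rests on the client querying SRV records under the domain name and then trying the answers in the order RFC 2782 prescribes: lowest priority first, and a weighted random choice among records of equal priority, so that a disaster-recovery replica published at a higher priority number is only contacted when the primaries fail. The following Python example, added for this article and not FreeIPA's client code, shows the record names an IPA-managed zone serves and the ordering algorithm; the zone contents, the example.com domain and the host names are constructed.

```python
"""SRV-based service discovery as an IPA client performs it (added example)."""
import random

# Standard SRV owner names served by an IPA-managed zone.
SRV_NAMES = {
    "ldap": "_ldap._tcp.{domain}",
    "kerberos": "_kerberos._tcp.{domain}",
    "kpasswd": "_kpasswd._tcp.{domain}",
    "ntp": "_ntp._udp.{domain}",
}

# Constructed answers: (priority, weight, port, target). Two primaries share
# priority 0; the DR replica sits at priority 10 and is used only as fallback.
SAMPLE_ZONE = {
    "_ldap._tcp.example.com": [
        (0, 100, 389, "ipa1.example.com"),
        (0, 100, 389, "ipa2.example.com"),
        (10, 0, 389, "ipa-dr.example.com"),
    ],
    "_kerberos._tcp.example.com": [
        (0, 100, 88, "ipa1.example.com"),
        (0, 100, 88, "ipa2.example.com"),
    ],
}


def srv_name(service, domain):
    """Owner name to query, e.g. 'dig SRV _ldap._tcp.example.com'."""
    return SRV_NAMES[service].format(domain=domain)


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: by priority, then weighted random selection
    without replacement inside each priority group (weight 0 records keep
    their listed order when no weights are present)."""
    rng = rng if rng is not None else random.Random()
    ordered = []
    for priority in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == priority]
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                chosen = pool[0]
            else:
                # Pick a point in [0, total) and walk the running sum of weights.
                pick = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if acc > pick:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def discover(service, domain, zone=SAMPLE_ZONE, rng=None):
    """Return (target, port) pairs in the order a client should try them."""
    records = zone.get(srv_name(service, domain), [])
    return [(r[3], r[2]) for r in order_srv(records, rng)]


if __name__ == "__main__":
    print(discover("ldap", "example.com"))
    print(discover("kerberos", "example.com"))
```

The weights are what let two replicas share load between enrolled clients without any client-side configuration, which is why the article's remark about replication topology matters for DNS as well: a replica added later should be published in the zone with an appropriate priority and weight, not just installed.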

In addition to integrating components on a FreeIPA server, with the recently released FreeIPA version 3 it is now also possible to integrate FreeIPA itself with an existing Active Directory-based IdM infrastructure by using the new IPA-AD trust feature. This means that once a trust between FreeIPA and AD domains has been established by administrators, users from the trusted AD domain are allowed SSO- and password-based access to services in the FreeIPA domain. And this of course works the other way around: FreeIPA users are able to access services in the Windows domain with their Kerberos credentials obtained from the FreeIPA domain. At this point the platform of any given service becomes irrelevant for users as any service is seamlessly accessible, lowering the barriers of Linux and Windows integration considerably.

Another notable benefit is that administrators will be able to enroll their Linux systems into their FreeIPA domain instead of joining them directly to Microsoft AD — something that is known to cause slight organizational challenges every now and then. Naturally, though, operating system specific characteristics provided by FreeIPA and AD, such as SELinux policies and Windows group policies (GPOs), are only applicable to the respective client systems.

Using FreeIPA

After the initial installation, it is possible to use both the web UI and command-line interface for administration. An experienced administrator might prefer using the command-line approach but the browser-based web UI makes delegating certain tasks — such as user and group creation and management — to less seasoned operators feasible. Both interfaces utilize the same internal framework so, apart from a few seldom-used tasks provided only by the command-line interface, both interfaces can be used to achieve the same results.

Depending on a single server for IdM in an entire organization would of course be asking for serious trouble. Although the offline caching features provided by SSSD mitigate this risk, the ipa-replica-install command can be used to easily set up IdM server replicas as appropriate in a given environment. The replication topology can also be adjusted later to allow for optimized configurations when multiple geographical locations are involved.

Although the full benefits of FreeIPA are available only when using SSSD on clients, tools are available to make migration from existing solutions like NIS easier. A plugin that will serve data over the NIS protocol from the LDAP database is available, and a compatibility plugin that provides the same LDAP data using the older RFC2307 schema is available for those older LDAP clients that can't use the RFC2307bis extensions. The same plugin also provides netgroup maps built from the internal grouping model available in FreeIPA. So the rather typical use case of NIS to manage users, netgroups, and automounter maps can be migrated to FreeIPA-controlled domains on a system-by-system basis as feasible.
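What the compatibility plugin does for legacy clients can be shown in miniature. FreeIPA stores groups in RFC2307bis form, with members listed as full DNs in the `member` attribute and groups nested inside groups; an RFC2307-only client expects a flat `memberUid` list of user names, and a NIS client expects netgroup triples. The following Python example, added here and not FreeIPA's slapi-nis plugin, parses a constructed LDIF fragment in the RFC2307bis layout, flattens nested membership (stopping on cycles), renders each group as an RFC2307 posixGroup entry under a compat tree, and emits netgroup triples in the (host,user,domain) form; the entries, DNs and the example.com domain are constructed.

```python
"""RFC2307bis -> RFC2307 group rendering and netgroup triples (added example)."""
import re

# Constructed LDIF in FreeIPA's RFC2307bis layout, not a dump of a real directory.
SAMPLE_LDIF = """\
dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn: ops
gidNumber: 1001
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 1000
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com
member: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
"""

OPS_DN = "cn=ops,cn=groups,cn=accounts,dc=example,dc=com"
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries[entry["dn"][0]] = entry
    return entries


def rdn_value(dn):
    """'uid=alice,cn=users,...' -> 'alice'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def member_uids(dn, entries, seen=None):
    """Flatten nested group membership into plain user names; cycles are cut."""
    seen = set() if seen is None else seen
    uids = set()
    for member in entries.get(dn, {}).get("member", []):
        if member.startswith("uid="):
            uids.add(rdn_value(member))
        elif member.startswith("cn=") and member not in seen:
            seen.add(member)
            uids |= member_uids(member, entries, seen)
    return uids


def compat_group(dn, entries):
    """Render one group as an RFC2307 posixGroup entry in the compat tree."""
    entry = entries[dn]
    name = entry["cn"][0]
    lines = [f"dn: cn={name},cn=groups,cn=compat,dc=example,dc=com",
             "objectClass: posixGroup",
             f"cn: {name}",
             f"gidNumber: {entry['gidNumber'][0]}"]
    lines += [f"memberUid: {uid}" for uid in sorted(member_uids(dn, entries))]
    return "\n".join(lines)


def netgroup_triples(hosts, users, nis_domain):
    """NIS netgroup triples: one per host and one per user, other field '-'."""
    return ([f"({host},-,{nis_domain})" for host in hosts]
            + [f"(-,{user},{nis_domain})" for user in users])


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(compat_group(ADMINS_DN, directory))
    print(netgroup_triples(["web1.example.com"], ["alice", "bob"], "example.com"))
```

The flattening step is the part that is easy to get wrong in a hand-rolled migration: an RFC2307 client given only the direct members of `admins` would see `carol` but not the `ops` users nested inside, which is exactly the kind of silent permission gap the compat tree exists to prevent.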

Conclusions and Future

FreeIPA offers an integrated solution built on proven components for centralized identity management. It provides a wide range of features and also allows for Windows domain integration in mixed environments. The approach taken by FreeIPA — integrating existing, proven components and greatly facilitating setup and management — makes FreeIPA an appealing IdM solution for small and larger on-site and cloud-based environments alike. The full server and client packaging is already available for distributions like Fedora and included in RHEL 6. Client packages are available in varying states of maturity for Ubuntu, Debian, and Arch Linux, with the server side expected to follow a bit later.

What the future holds for FreeIPA is, of course, open to user needs and community feedback. The 'A' part (audit) of IPA is currently not being actively worked on but it might be another case of integrating a proven component into FreeIPA. Other notable areas of future work include, for example, DHCP integration and support for two-factor authentication with one-time passwords, smart cards, and user certificates.

Compared to the manual configuration approach of a large number of individual components FreeIPA already offers many benefits for administrators and users. As the scale of computing environments keeps growing, the need for a centralized IdM solution is getting more and more important and FreeIPA is being actively developed to allow Linux administrators to scale with their ever-increasing responsibilities.




Deployments out in the wild?

Posted Dec 13, 2012 6:16 UTC (Thu) by dowdle (subscriber, #659) [Link] (2 responses)

Anyone using FreeIPA out in the wild? If so, please report your experience, and basic configuration setup... what options are in play?

Deployments out in the wild?

Posted Dec 13, 2012 10:39 UTC (Thu) by janfrode (subscriber, #244) [Link]

I'm in the process of migrating into IPA (the Red Hat version), coming from a (Sun Identity Managed) LDAP/389ds directory hosting users, groups, netgroups, sudorules and distributing pam_access configs for HBAC. IPA is a perfect fit for this, and IPA provided scripts for migrating users/groups from LDAP to IPA easily, and IPA will also convert LDAP passwords to kerberos on first login. Quite nice.

We don't use NTP or DNS from IPA, as we have other systems for that. We've copied all users, groups, netgroups and created HBAC rules to replace the pam_access system we use on non-IPA servers. We haven't converted the LDAP sudo-rules to IPA yet, but that should be easy enough.

Most of our servers are running RHEL5 and RHEL6, but not many are migrated into IPA yet. Mostly because of lack of time / other priorities, but also because we've been hitting some problems with SSSD crashing on the RHEL5 clients (have a hot fix for it from RH now).

So, currently we use IPA for doing plain LDAP bind() authentication on some systems (works just the same as our old LDAP directory), full IPA clients on some RHEL6 servers, IPA is the authentication system for our RHEV installation. We're also looking into replicating between IPA and Active Directory, so that we can have the same userdatabase on both Windows and Linux servers.

I'm very much looking forward to killing the Sun Identity Managed LDAP directory, and having a complete kerberized environment managed by IPA.

Deployments out in the wild?

Posted Dec 13, 2012 17:39 UTC (Thu) by drag (guest, #31333) [Link]

I <3 FreeIPA

On numerous different occasions I have attempted to set up LDAP + Kerberos systems using the older approach of using OpenLDAP, MIT Krb5, and that sort of thing. Done it semi-successfully a few times.

And it's, generally speaking, terrible. Nscd sucks, OpenLDAP requires too much configuration to get it working, no client side caching, and adding new nodes to the domain was irritating and not to mention the almost complete lack of end-user tools for routine administrative tasks like adding new users and such things.

FreeIPA solves all those problems. It 'just works' with a sane and workable configuration out of the box. It has SSSD now, which is fantastic. It has some halfway decent GUI tools for routine admin tasks. Adding nodes to the domain is a breeze. Got NFSv4 working with it very easily.

In addition the standardization around Mozilla's NSS and integration of tools to automatically generate and manage certificates promises to help resolve that mess, too. Not quite there, but standardizing the libraries and utilities helps a lot.

It's not up to par with Active Directory, but it's a _MASSIVE_ step forward.

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 16:57 UTC (Thu) by bkw1a (subscriber, #4101) [Link] (7 responses)

How does this relate to the AD functionality in the just-released Samba 4?

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 17:43 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

Nothing directly yet. Obviously they would love to have FreeIPA support Windows clients properly. Windows is very important to institutions nowadays and I expect that it's far easier and more effective to get AD to work with Linux than it is to get FreeIPA to work with Windows.

Samba 4 may be able to provide that 'AD connector' functionality for FreeIPA in the future, but last time I checked there remained lots of work to get to that point.

Not sure of any of the details.

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 17:49 UTC (Thu) by drag (guest, #31333) [Link] (2 responses)

Ah, never mind. It is clear I need to do more reading up on the AD trust relationship feature.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 0:25 UTC (Fri) by jldugger (guest, #57576) [Link] (1 responses)

It's just a Kerberos Trust; the O'Reilly Kerberos book explains them if you're curious.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 11:49 UTC (Fri) by ab (subscriber, #788) [Link]

Samba4 AD DC does not support cross-realm trusts between different forests yet. Thus, it is not yet possible to use AD trusts feature of FreeIPA 3.x to connect two separate installs, Samba 4 AD DC and FreeIPA. Once we'll get cross-realm trusts working for cross-forest case in Samba 4 AD DC, an AD trust between FreeIPA and Samba 4 AD DC should start working as well.

Yes, it is mostly Kerberos trust once it is established, except for a lot of small details on verifying ticket extensions in MS-PAC structure (documented in MS-KILE spec) which change over time, and resolution of SIDs (MS-PAC records SIDs, not group or user names so one has to resolve them first to use) which is a complicated matter in complex topologies.

However, in order to establish an AD trust one needs to use the SMB protocol and MS-RPC services. You may want to look at http://freeipa.org/page/IPAv3_Architecture to get some high-level overview of what's happening. The page has some outdated material though; I'm working on updating it as we speak.

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 18:04 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Quite badly, a year or so ago. There was no way to use Samba's Kerberos implementation with FreeIPA, the only way was to set up mirroring between two LDAP directories which was error-prone.

I have no idea if this has changed since.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 0:27 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

Lots of changes have happened in the last year. You should definitely look again.

FreeIPA: centralized identity management for Linux

Posted Dec 14, 2012 11:42 UTC (Fri) by ab (subscriber, #788) [Link]

You may read longer explanation at Fedora's feature page for Samba4:
https://fedoraproject.org/wiki/Features/Samba4

FreeIPA: centralized identity management for Linux

Posted Dec 13, 2012 21:33 UTC (Thu) by Los__D (guest, #15263) [Link] (1 responses)

MMmmm.... Free IPAs! (sorry!)

FreeIPA: centralized identity management for Linux

Posted Dec 22, 2012 16:20 UTC (Sat) by rwmj (subscriber, #5474) [Link]

Slightly late, but I have a Free IPA pint glass! Conference swag from c. 2008. Unfortunately it's an American pint, so it's a bit too small for a real pint of beer, but you can't have everything ...


Copyright © 2012, Eklektix, Inc.