Make Identity, Policy and Audit centrally and more easily managed.
- Name: RobCrittenden
- Targeted release: Fedora 9
- Last updated: 2008-04-07
- Percentage of completion: 100%
freeIPA 1.0 is feature complete and gone through some QA and the documentation is started but not complete.
For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including
- Identity (machine, user, virtual machines, groups, authentication credentials)
- Policy (configuration settings, access control information)
- Audit (events, logs, analysis thereof)
Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. The focus is on making identity, policy, and audit easy to centrally manage for the Linux and Unix world.
Version 1.0 provides just centralized authentication and identity management. Future versions will add the Policy and Audit capabilities.
Benefit to Fedora
Centralized authentication and identity management.
freeIPA rpms currently exist but have not gone through the Fedora package review process.
1. Install the freeIPA packages on a server 1. Run the IPA installation setup program (/usr/sbin/ipa-install-server) 1. kinit admin 1. /usr/sbin/ipa-adduser -f Test -l User test 1. kinit test 1. setup another machine as a client and install the client package(s) 1. log into that client as the test user
For any machine joined to the freeIPA server users will have:
- Centralized password policy
- Local-account not needed on machines they want to log into
- Single-sign on for many services
Already in Fedora:
- Fedora DS 1.1
- MIT Kerberos 5
- Apache 2.2.x
- openldap clients
- NSS and NSPR
New to Fedora:
- python-tgexpandingformwidget submitted as a Fedora package but not reviewed yet.
- python-kerberos accepted as a Fedora package
- N/A since freeIPA is a new addition to Fedora
The IPA server installer assumes a relatively 'clean' system and will install and configure several servers:
- A Fedora Directory Server instance
Some effort is made to be able to roll back the changes made but they are not guaranteed.
Similarly the ipa-client-install tool will overwrite your PAM (/etc/pam.conf) and Kerberos (/etc/krb5.conf) configurations.
IPA does not support other instances of Fedora Directory Server on the same machine at install time, even listening on different ports. In order to install IPA other instances will need to be removed (IPA can do this for you).
There is currently no mechanism for migrating existing users into an IPA server.
The server self-configures to be a client of itself. If the Directory Server or KDC fail to start on bootup, boot into single-user mode in order to resolve the issue.