FreeIPA

About FreeIPA

What is Free IPA?

FreeIPA is an integrated security information management solution combining Linux (Fedora), Fedora Directory Server, MIT Kerberos, NTP, and DNS. It consists of a web interface and command-line administration tools. Currently it supports identity management, with plans to support policy and audit management.

Resources

Frequently Asked Questions

What's Available in FreeIPA Now? What's in the Pipeline?

FreeIPA (so far) is an integrated solution combining

  • Linux (currently Fedora)
  • Fedora Directory Server
  • MIT Kerberos
  • NTP
  • DNS
  • Web and command-line provisioning and administration tools

Version 1 will focus on

  • Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.

Version 2 will focus on

  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing a Kerberos principal and certificate to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
  • IPA Client code for managing authentication, authorization, caching, connection
  • Policy. Centrally managed sudoers/netgroups, SELinux role based access
  • Audit. Centrally collected audit logs from IPA servers and from IPA clients

Look for more detailed roadmap information at Roadmap.

Why Use FreeIPA?

For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including:

  • Identity (machine, user, virtual machines, groups, authentication credentials)
  • Policy (configuration settings, access control information)
  • Audit (events, logs, analysis thereof)

Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and audit easy to centrally manage for the Linux and Unix world. Of course, we will need to interoperate well with Windows and much more.

We are looking to take concrete and useful steps, and so have chosen initially to focus on Identity solutions for the Unix/Linux world.

We intend to tackle centralized management of policy and audit information next.

What are the problems freeIPA is trying to solve?

For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including

  • Identity (machine, user, virtual machines, groups, authentication credentials)
  • Policy (configuration settings, access control information)
  • Audit (events, logs, analysis thereof)

Since these are not new problems, there exist many approaches and products focused on addressing them. However, these tend to have the following weaknesses:

  • Focus on solving identity management across the enterprise has meant less focus on policy and audit.
  • Vendor focus on Web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security information. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO.
  • Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.

What are the values behind the freeIPA project?

Identity, policy, and audit information is vitally important and interrelated. Therefore, we think it should be open, interoperable, and manageable.

  • Open means the information is not held back as a proprietary value add, but is instead available to vendors and applications through standards wherever possible but always through well-documented and openly available protocols. It also means developing open source solutions and an open source community.
  • Interoperable means that systems storing or managing identity, policy, and audit information should provide backwards compatibility with existing systems and protocols, assume that infrastructure and systems will always be heterogeneous, and provide solutions that help heterogeneous systems work together rather than forcing migration to a single platform or technology.
  • Manageable means that systems managing this information should be easy to manage both centrally and locally (i.e., a central server is not required) and should follow the principle of subsidiarity, empowering individuals by enabling the delegation of administrative rights to the lowest level possible in an organization.

What will be freeIPA's first steps around Identity?

We are looking to take concrete and useful steps, and so have chosen to focus our first efforts on centralized Identity Management and Authentication for Linux and Unix.

  • This solution will initially consist of an MIT Kerberos 5 server using a Fedora Directory Server backend. The goal is to make it easy for developers and administrators to set up centralized identity management for their world, using the directory as the central username and password store and Kerberos as the means of authentication and single sign-on.
  • Our version 1 plan for making things easier includes providing: a fixed schema, simple configuration tools to easily set up an IPA server and replication, and command line tools and an intuitive GUI for user and group management.
  • We want to make sure this solution can manage identity and authentication well for Linux and Unix boxes and we hope our efforts inspire upstream package owners to kerberize a lot more packages.

What is freeIPA looking to do for audit and policy?

Centralized audit and policy management will be a second focus after our initial work on identity.

Centralized Audit Collection and Analysis

  • Organizations need to be able to gather and analyze log and audit data and they need to meaningfully parse that data without getting overwhelmed.
  • Today, in the Unix/Linux world, some OSs have pretty good features for this on a particular machine but require a proprietary or homegrown tool for aggregating this data across multiple machines.
  • We are interested in enabling Unix and Linux machines to send key audit information to a central audit collection and analysis solution with some smarts around parsing the volume of data received.

Centralized Policy Management

  • Policy means a broad set of things including: access control policy, SELinux policy, security configuration settings, which packages and patches are applied and running, and what gconf settings are set.
  • Organizations want to be able to centrally manage this information applying different policies based on machine group, location, user, and more.
  • We plan to focus first on things like centrally managing sudoers, enabling scoped delegated administrator control, and centrally managing administrator access control.
  • We are also interested in centrally describing the desired lockdown state of a system by mapping the state to corporate compliance requirements, monitoring the systems' state, and alerting when the state changes from compliance.

How can I get involved?

We welcome your participation in freeIPA whether you want to read, contribute to discussion, contribute code, or test it out. Please join us!

  • For occasional updates on our progress, subscribe to freeipa-interest.
  • To contribute to the development of freeIPA, go to Contribute and subscribe to freeipa-devel.
  • Use freeipa-users mailing list to discuss deployment, configuration, and use of FreeIPA. It is the best place to ask "how to" questions and to share your experience with FreeIPA.
