This blog post is about FreeIPA, a very useful open source centralized user management solution from Red Hat. I had the opportunity of installing FreeIPA in a virtualized environment. I want to share my experience in this blog post.
FreeIPA can be considered as the Linux equivalent of Active Directory. IPA stands for Identity, Policy and Audit. FreeIPA is actually a lot more than a centralized user management system. Along with user management it also provides integrated DNS, Certificate Authority and Access Control.
FreeIPA is a collection of the following open source tools: A Linux (Fedora), 389 Directory Server (LDAP), MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It also supports Active Directory sync. FreeIPA uses LDAP for storing its data which includes DNS, host and user information.
Why would you want to use FreeIPA?. Well if you have hundreds of Linux based servers, for example in a virtualized environment, it would be really useful to manage users for all your servers from one place. FeeIPA lets you do that. FreeIPA provides a web interface and command line tools to manage users all from one place. Since FreeIPA uses LDAP for user management you can connect it to any LDAP client. Most open source tools support LDAP.
Installation of FreeIPA has to be done once on the server and once for each client to be managed. Both client and server installations are easy and take less than 15 minutes. In less than 15 minutes you can have a centralized user management solution for free !. And it comes with a nice GUI as well !. Of course customizing and learning about FreeIPA will take some time. Red Hat has a useful guide titled “Linux Domain Identity, Authentication, and Policy Guide”, that explains all aspects of FreeIPA including installation and administration.
Red Hat derived operating systems, e.g Centos and Fedora have FreeIPA in the default package repositories. Installing FreeIPA is as simple as entering the command :
yum install ipa-clienton Centos. The following command should be entered on Fedora
yum install freeipa-clientTo install FreeIPA on other Linux systems you will have to install from source.
After installation the command:
ipa-server-installhas to be run. This starts the FreeIPA installer, which configures the FreeIPA. The configuration can be run interactively or silently by passing command line options. Installing an IDM Server, describes the complete configuration steps.
To install the FreeIPA client on Centos you have to run:
yum install ipa-clientOn Fedora run:
yum install freeipa-clientOn other Linux operating systems you will have to follow the manual installation steps given in the Red Hat documentation.
After installation run the command:
ipa-client-installto start the configuration. The client side of FreeIPA is based on SSSD Linux Daemon. SSSD is a caching daemon that sits between services such as Linux authentication service and the authentication storage. SSSD intercepts the request sent by the service and can return a cached response or it can send the request to another service such as a FreeIPA server. See Setting up systems as IDM clients for complete information on installing the FreeIPA client.
Once the client installation is complete, you can manage all your users, DNS, hosts, certificates and more from the FreeIPA web interface. FreeIPA is a great tool that combines several well known Linux solutions into an integrated identity management platform. It is very easy to install and configure. You don’t have to know the workings of the tools that are internally used by FreeIPA such as bind, open LDAP, DogTag. But learning about these tools will give you a better idea of how the FreeIPA works.