Features/freeIPA

From FedoraProject

Jump to: navigation, search

Contents

freeIPA

Summary

Make Identity, Policy and Audit centrally and more easily managed.

Owner

  • Name: RobCrittenden

Current status

  • Targeted release: Fedora 9
  • Last updated: 2008-04-07
  • Percentage of completion: 100%

freeIPA 1.0 is feature complete and gone through some QA and the documentation is started but not complete.

Detailed Description

For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including

  • Identity (machine, user, virtual machines, groups, authentication credentials)
  • Policy (configuration settings, access control information)
  • Audit (events, logs, analysis thereof)

Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. The focus is on making identity, policy, and audit easy to centrally manage for the Linux and Unix world.

Version 1.0 provides just centralized authentication and identity management. Future versions will add the Policy and Audit capabilities.

http://www.freeipa.org/

Benefit to Fedora

Centralized authentication and identity management.

Scope

freeIPA rpms currently exist but have not gone through the Fedora package review process.

Test Plan

1. Install the freeIPA packages on a server 1. Run the IPA installation setup program (/usr/sbin/ipa-install-server) 1. kinit admin 1. /usr/sbin/ipa-adduser -f Test -l User test 1. kinit test 1. setup another machine as a client and install the client package(s) 1. log into that client as the test user

User Experience

For any machine joined to the freeIPA server users will have:

  • Centralized password policy
  • Local-account not needed on machines they want to log into
  • Single-sign on for many services

Dependencies

Already in Fedora:

  • TurboGears
  • Fedora DS 1.1
  • MIT Kerberos 5
  • Apache 2.2.x
  • ntpd
  • mod_auth_kerb
  • mozldap
  • openldap clients
  • NSS and NSPR
  • libcap
  • OpenSSL
  • krbV

New to Fedora:

  • python-tgexpandingformwidget submitted as a Fedora package but not reviewed yet.
  • python-kerberos accepted as a Fedora package

Contingency Plan

  • N/A since freeIPA is a new addition to Fedora

Documentation

Release Notes

The IPA server installer assumes a relatively 'clean' system and will install and configure several servers:

  • A Fedora Directory Server instance
  • KDC
  • Apache
  • ntpd
  • TurboGears

Some effort is made to be able to roll back the changes made but they are not guaranteed.

Similarly the ipa-client-install tool will overwrite your PAM (/etc/pam.conf) and Kerberos (/etc/krb5.conf) configurations.

IPA does not support other instances of Fedora Directory Server on the same machine at install time, even listening on different ports. In order to install IPA other instances will need to be removed (IPA can do this for you).

There is currently no mechanism for migrating existing users into an IPA server.

The server self-configures to be a client of itself. If the Directory Server or KDC fail to start on bootup, boot into single-user mode in order to resolve the issue.