From Fedora Project Wiki

Revision as of 20:41, 11 February 2011 by Jlaska (talk | contribs) (Minor wording changes)

Feature Name FreeIPA 2.0

Summary

The FreeIPA project implements an identity server. IPA stands for Identity, Policy and Audit. The first version of IPA was introduced three years ago and focused on user identity and authentication. This version is a significant revision of the IPA server that adds multiple new features and capabilities.

Owner

The project is owned by the IPA team. I am the manager of the team.
Project home page is: http://www.freeipa.org/page/Main_Page
My home page is: http://dpal.fedorapeople.org/

Current status

  • Targeted release: Fedora 15
  • Last updated: 02/03/11
  • Percentage of completion: 90%

Detailed Description

Overview: Machine and Service Identity. Pluggable management, SUDO, Netgroups, Automount, HBAC, NIS compatibility and more.

Components: The release will include:

  • 389 Directory Server
  • MIT Kerberos
  • NTP
  • Tools for installation
  • Pluggable and extensible UI/CLI tools
  • CA & RA (Dogtag Certificate Server)
  • DNS (Bind)

Main Use Cases for FreeIPA v2

  • User Identity Management and Authentication
  • Machine identity
    • Enrollment of new machines
      • As a result of enrollment, a machine principal will be created and machine credentials provisioned to the machine
      • Machine credentials are a keytab and a machine certificate.
    • Machine authentication
      • Machines coming on the network and requesting services within the IPA realm will be authenticated against that realm
      • Machine authentication credentials will be used to provide mutual authentication/trust, encryption, and SSO capabilities for the services and applications requesting resources and accessing other services within the same IPA realm
  • Machine Management
    • IPA will allow management of individual machines or groups of machines via UI and CLI
    • IPA will provide centralized management of different kinds of machine policies
  • Access Control
    • IPA will provide centrally managed access control respected by SSSD 1.5 and later.

and more...

Compelling Reason to Use

  • Compliance and efficiency are forcing organizations to move off NIS and pushing them toward a better identity management and access control solution for the Linux/Unix world
  • Efficiency is forcing organizations to use a better identity management solution
  • Maintaining a custom LDAP/Kerberos implementation is too expensive
  • Organizations have been using services that "assume a security mechanism" and wish to secure connections with Kerberos or PKI
  • Compliance and efficiency motivate central management of administrator delegation

Benefit to Fedora

IPA is the first open source domain controller for Linux. Having it in the Fedora distribution will make Fedora more attractive for companies to use and adopt.

Scope

FreeIPA v2 is a major multi-year project. A team of more than a dozen developers has been working on its features at different times. The project backlog is tracked in the following trac instance: https://fedorahosted.org/freeipa. The current plan is to address the following issues before the release of the feature into Fedora 15.

How To Test

FreeIPA is a complex project. First, the ipa package needs to be installed; it will pull in all the required dependencies automatically. Then the ipa-server-install script should be run to start the installation. The following major areas can be tested at any given time:

  • Installation
Installation provides multiple different options. The most significant are installation with an embedded certificate system (default) or without, and installation with a DNS server or without (default). The required parameters can be provided as arguments, or the installation script will prompt for them.
  • CLI
IPA provides a command executor, "ipa". It supports a huge set of commands for manipulating user, host, service, group and other objects in the system.
  • Help system and man pages
Each IPA-related script has a man page. The IPA command executor provides an embedded help command that describes what commands can be executed and how to use them.
  • Replication
IPA can be deployed in a multi server configuration. Creation and installation of multiple replicas in different topologies and geographies would help to polish best practices around multi server deployment.
  • User interface
IPA provides a feature-rich web-based graphical user interface. To start it, one has to have an account in IPA and be Kerberos-authenticated against IPA. Starting a browser and pointing it to the machine where IPA is running will lead to the IPA UI. The browser needs to be configured to use Kerberos, and the IPA-issued certificate should be accepted by the user. This is a one-time operation. Once this is done, the UI will be accessible as long as the Kerberos ticket is valid.
  • DNS integration
IPA can be used as a DNS server. We are very interested to see how IPA with DNS integration fits (or does not fit) into a specific environment.
  • Automount
IPA supports central management of the automount maps via CLI only
  • SUDO
IPA supports central management of SUDO rules
  • HBAC (host based access control)
IPA supports central access control management with SSSD 1.5 or later.
  • Netgroups
IPA can manage netgroups and provide netgroup information for LDAP clients and SSSD
  • NIS
For old systems IPA can be configured to deliver different NIS maps over the NIS protocol.
  • Delegated administration
IPA has a complex access control model. The default configuration of the access control might not be sufficient for all deployments so we are open to suggestions.

and more... For the whole outline of the IPA features consult the following page

User Experience

IPA is targeted at a broad audience of Linux administrators. It makes management of identity, authentication and other security-related infrastructure much easier, saving time for other tasks.

Dependencies

IPA depends on multiple external projects:

  • 389 - Directory Server
  • Dogtag - Certificate System
  • MIT Kerberos
  • NSS

All the dependencies are tracked by the team and so far there are no red flags.

No packages depend on IPA.

Contingency Plan

If FreeIPA is not delivered on time for Fedora 15 it will be moved to a later version of Fedora.

The package has been accepted into Fedora and is currently in the final stages of preparation for the beta 2 release. It should be ready for GA on target with Fedora 15 as of 02/03/11.

Documentation

  • The online documentation is currently under development.
  • Older documentation and feature pages can be found here: http://www.freeipa.org/page/DocumentationPortal
  • There are many man pages that describe how to use IPA and shell commands related to it
  • There is an embedded help system inside CLI.

Release Notes

Current release is FreeIPA v2 beta. The details about this release can be found here.

Comments and Discussion