New Features of IPA v3
The new major release of IPA will have a number of new features:
- trusts to Active Directory domains,
- SE Linux management,
- SSH public keys management,
- Name: Rob Crittenden
- Email: firstname.lastname@example.org
- Name: Sumit Bose
- Email: email@example.com
- please add more, if needed
- Targeted release: Fedora 17
- Last updated: 2012-01-20
- Percentage of completion: 50%
SE Linux management
FreeIPA provides means to store mapping between SE Linux contexts and users on per-host per-user basis. When user logs in into the FreeIPA-enrolled host, appropriate SE Linux context is fetched from FreeIPA server and used to set up proper security context at the host.
SSH public keys management
SSH public keys for users and hosts can be stored in FreeIPA. Upon login, keys are fetched from FreeIPA server by SSSD and cached/used for verification. HBAC rules are used to augment access on per-host per-service bases and FreeIPA tools are used to manage user's public keys and impersonation accounts.
Trust to Active Directory Domains
Currently FreeIPA uses winsync to allow users from an Active Directory domain to access resources in the IPA domain. To achieve this winsync replicates the user and group data from an Active Directory server to the local server and tries to keep them in sync.
With the new trust feature the user and group data is read from the Active Directory server as it is needed. Additionally Kerberos cross realm trust is set up which allows Single-Sign-On between the Active Directory and the IPA domain. I.e. a user from the Active Directory Domain can access kerberized resources from the IPA domain without being asked for a password.
Benefit to Fedora
- Trust to Active Directory Domains will have the following benefits
- Single-Sign-On between the Active Directory and IPA domain
- Allow users from the IPA domain (Linux users) to access resources from the Active Directory domain
- No need to set POSIX attributes in the Active Directory domain
- Trust to Active Directory Domains requires the following changes:
- FreeIPA have to be extended to store and manage the needed data to maintain the trust to the Active Directory domain and have to provide tools to set up the trust
- SSSD needs to be able to query the IPA server to resolve users and groups from the Active Directory domain
- Samba4 have to be updated to a recent version to allow FreeIPA to use libraries and binaries to set up and maintain the trust to an Active Directory domain
How To Test
- Detailed information about how to set up and test Trusts to Active Directory domains can be found at IPAv3 testing AD Trust
- install FreeIPA server
- add a user with ipa user-add command
- setup PAM and NSS to use SSSD for authentication
- setup sssd to connect to the ipa server and user it as id and auth provider
- try to log in (and change your password if asked to)
- if this works, then initial setup is complete
- log out
- add SELinux user map which applies to the user/host pair by ipa selinuxusermap-add command
- setup SSSD to use the IPA server as session provider
- try to log in
- a file should be created in /etc/selinux/<username> which contains the mapping as set by ipa selinuxusermap-add command
- If a trust is created between an Active Directory and an IPA domain
- Users from the Active Directory Domain can access resources of the IPA domain and the other way round
- For kerberized services single-sign-on is possilbe
- for Trust to Active Directory domains a recent and extended version of the samba4 package is needed.
None necessary, revert to previous release behaviour.
- IPAv3 testing AD Trust describes the steps how to set up a trust relationship to an Active Directory domain and how to use it.
- With Fedora 17 it would be possible to create a trust relationship between an IPA and an Active Directory domain which would allow users from one domain to access resource of the other domain.