Questions tagged [freeipa]

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

FreeIPA is built on top of well-known open source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

Multiple FreeIPA servers can easily be configured in a FreeIPA Domain in order to provide redundancy and scalability. The 389 Directory Server is the main data store and provides a full multi-master LDAPv3 directory infrastructure. Single sign-on authentication is provided via the MIT Kerberos KDC. Authentication capabilities are augmented by an integrated Certificate Authority based on the Dogtag project. Optionally, domain names can be managed using the integrated ISC BIND server.

Security aspects related to access control, delegation of administration tasks and other network administration tasks can be fully centralized and managed via the Web UI or the ipa Command Line tool.

218 questions
18
votes
1 answer

IPA vs just LDAP for Linux boxes - looking for a comparison

There are a few (~30) Linux (RHEL) boxes and I'm looking for a centralized and easily managed solution, mostly for controlling user accounts. I'm familiar with LDAP, and I deployed a pilot of IPA ver2 from Red Hat (==FreeIPA). I understand that in theory IPA…
13
votes
2 answers

Using FreeIPA for centralized sudo - how to specify ALL commands?

I'm having a hard time wrapping my head around FreeIPA's model. The FreeIPA manual states: FreeIPA adds an extra control measure with sudo command groups, which allow a group of commands to be defined and then applied to the sudo configuration as…
HTTP500
11
votes
3 answers

IPA dynamic DNS updates only the AAAA record. Where are my A records?

I'm setting up a FreeIPA domain. In my lab are three virtual machines: the domain controller ipadc1, and two clients puppet and wordpress (creative, yes, I know). All three VMs are running freshly installed CentOS 6.4 (FreeIPA 3.0.0). I've installed…
Michael Hampton
9
votes
2 answers

VMware vCenter/ESXi with FreeIPA instead of Active Directory?

Can vCenter authenticate against FreeIPA instead of Active Directory? If so, how would you set it up? We have a pure Linux environment (CentOS) and need to have vCenter and our VMs have the same users. vCenter is deployed as a Linux appliance.…
Luke
8
votes
1 answer

Windows 7 NFS Client Using Kerberos and Linux KDC

I am trying to configure a Windows 7 Enterprise client to mount a NFSv4 share on a Linux NFS server using Kerberos and a Linux KDC. The setup is: IPA Server (OS: Scientific Linux 6.4, Pkg: ipa-server) NFS Server (OS: Scientific Linux 6.4, Pkg:…
Mike
7
votes
1 answer

Can't change password of FreeIPA admin - "Current password's minimum life has not expired"

We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails: sashka@cellar ~ ssh admin@ipa.xxxxxxxxxx.com admin@ipa.xxxxxxxxxx.com's password: Password expired.…
Alex
6
votes
1 answer

Configuring Synology NAS as freeIPA client

I'm attempting to deploy freeIPA in my company. The network is quite simple: < 10 FC20 (and FC21 beta) desktops < 5 FC20 servers (including the one with freeIPA) 1 Synology NAS DS1813+ (DSM 5.0) I am first simulating everything on VMs (including…
cornuz
6
votes
4 answers

FreeIPA: prevent local root accessing user accounts

So after asking this question, I've been test-driving FreeIPA as a central authentication source based on this question: Managing access to multiple linux system One problem I ran into is that if a user is given local root permissions, they can in…
Swartz
6
votes
1 answer

Using FreeIPA for centralized sudo - using SSSD for sudoers

I have set up FreeIPA for centralized sudo and all is working well with the exception of being able to use SSSD for sudoers. If I have in my client /etc/nsswitch.conf the following: sudoers: files ldap a sudo command works as desired when the…
HTTP500
6
votes
3 answers

freeipa ssl ldap and round robin dns

I'm trying to ask this question in a way that's answerable, but part of the issue is knowing the implications of my current situation and if there's an issue or technical debt which'll bite me further on. I've set up a few IPA servers in a master &…
Sirex
6
votes
3 answers

backup and restoration of a freeipa infrastructure

I'm finding the documentation on ipa server backup and restoration sadly lacking, and being so centrally critical it's not something I'm really happy about shooting in the dark with - could some kind soul more knowledgeable in the matter please…
Sirex
5
votes
1 answer

How do I sign a new FreeIPA Server's internal CA with my organizational internal CA?

My organization has an internal Certificate Authority (CA) which we have already generated many internal certificates and have installed on machines. I am setting up a FreeIPA LDAP/Kerberos server and after the initial install, it has generated an…
Josh
5
votes
3 answers

FreeIPA without web UI or change of ports

Can I install FreeIPA server without httpd (without web UI)? Or at least can I change the ports? (80->8880 and 443->8443)
jjaros
5
votes
2 answers

Google authenticator with Openldap or Fedora 389 Server or FreeIPA

After a little googling I could see some references of configuring Google Authenticator with Windows Active Directory, however, I could not see how I could do it on Linux/CentOS system. What would be involved in setting up Google Authenticator on…
chandank
4
votes
2 answers

how to export all FreeIPA users list to a csv format?

How can I export all FreeIPA users to a csv file?
sanjayparmar