FreeIPA Introduction

Filip Pytloun

What is FreeIPA?

Authentication vs. Authorization

A little sidenote on naming:

Authentication is the process of ascertaining that somebody really is who he claims to be.

Authorization refers to rules that determine who is allowed to do what.

FreeIPA Server Components



^- dn (distinguished name = absolute address) of admin user

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLastSuccessfulAuth: 20160229111009Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20160223145934Z

memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com

objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys

uid: admin
krbPrincipalName: admin@EXAMPLE.COM
cn: Administrator
sn: Administrator
uidNumber: 96400000
gidNumber: 96400000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

LDAP client usage

# -D: bind DN, -w: bind password, -b: base DN
# -h: host to bind ($LDAP_HOST is a placeholder)
# -ZZ: use and enforce TLS (non-encrypted binds may be disabled)
# Last argument: search expression
ldapsearch \
 -D uid=apache,cn=users,cn=accounts,dc=example,dc=com \
 -w somersecretpassword \
 -b dc=example,dc=com \
 -h "$LDAP_HOST" \
 -ZZ \
 "(uid=admin)"
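An added example, not part of the original slides: a Python sketch that parses one LDIF entry as ldapsearch returns it, applies the kind of memberOf check used for authorization, and compares the Kerberos login timestamps. The sample entry is constructed from the admin entry shown above (with one folded line and one base64 value added), the function names are hypothetical, and the DN normalisation is simplified (no escaped commas).

```python
import base64
from datetime import datetime, timezone

# Constructed sample: subset of the admin entry above, with one folded
# line and one base64 ("::") value, as ldapsearch may emit them.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
krbLastSuccessfulAuth: 20160229111009Z
krbLoginFailedCount: 0
krbLastFailedAuth: 20160223145934Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=Replication Administrators,cn=privileges,cn=pbac,
 dc=example,dc=com
cn:: QWRtaW5pc3RyYXRvcg==
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blanks and comments
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Simplified DN normalisation: case-fold, trim around ',' and '='."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)).lower()
                    for rdn in dn.split(","))

def is_member(entry, group_dn):
    """Authorization: does memberOf contain the required group DN?"""
    return norm_dn(group_dn) in {norm_dn(g) for g in entry.get("memberof", [])}

def krb_time(entry, attr):
    """Parse a GeneralizedTime value such as 20160229111009Z (UTC)."""
    value = entry[attr.lower()][0]
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def failed_after_success(entry):
    """True when the last failed login is newer than the last success."""
    return krb_time(entry, "krbLastFailedAuth") > krb_time(entry, "krbLastSuccessfulAuth")
```
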



Example service - Apache

It may also be necessary to authorize users by group membership. This can be achieved with the authnz_ldap module.

Unfortunately it doesn't support GSSAPI LDAP bind, so we need to use a password.

AuthLDAPBindDN "uid=apache,cn=users,cn=accounts,dc=example,dc=com"
AuthLDAPBindPassword secretpassword
AuthLDAPURL "ldaps://,dc=com?krbPrincipalName"
Require ldap-attribute memberOf="cn=docs,cn=groups,cn=accounts,dc=example,dc=com"


Another FreeIPA service is NTP (Network Time Protocol).

It's very important to keep the clock in sync on all Kerberos-integrated machines because tickets are timestamped.

If you experience any trouble with Kerberos, check that your clock is in sync with the clock on the server.


DNS dynamic updates

# Set server, otherwise it will use NS records
# (which may point only to DNS slaves)
# First delete old records
update delete IN A
update delete IN AAAA
# Also delete reverse record
update delete PTR

# Set A record for given zone
update add 1800 IN A
# ..and the same for reverse
update add 1800 PTR

FreeIPA Client

PAM Framework

Name Service Switch

FreeIPA Management

Example client

Add hosts

Client join

From then on, the client is enrolled and can kinit and authenticate to other services (e.g. to update DNS records).

Add services

Keytab for webserver

Now we can simply obtain keytabs for our HTTP service.


ipa hostgroup-add fpy-servers

Role-Based Access Control

Sudo rules

Next topics


