When I scrapped my Microsoft Active Directory server in favor of Open Source, I began replacing the functions one by one; DNS service got replaced by Bind9 and Certificate Authority got replaced with EJBCA. Then I was considering replacing the Identity Management part with OpenLDAP, but before I got that far I found out about FreeIPA.
Note: I still don’t know what the acronym FreeIPA stands for. It sounds like you are getting free beer… hang on…

Great! A tool that combines DNS, Identity Management and Certificate Management into one server, just like Active Directory, but designed for Linux machines!
Note: If you have Windows machines in your network, you still need Microsoft AD. But FreeIPA and AD can coexist and work together.
FreeIPA combines many open source components into one:
Fedora Linux as the underlying operating system.
ISC Bind for the DNS service.
Dogtag for PKI certificate management.
389 Directory Server for LDAPv3 identity management.
I was happy and mad at the same time. I was thrilled that I found a tool that fits small businesses with a low maintenance cost, but I had already spent so much time setting up my certificate authority and now I had to start all over again. Oh well…
My Experience with FreeIPA
The DNS service was probably the least amount of hassle to configure. I only had some weird caveat with OpenDNS and their IPv6 addresses. You can read about that in my next post.
The Directory Service was a pain to configure due to poor documentation. I did however finally make it work on all my Linux machines. Once I figured it out, it works every time. The FreeIPA client software is a very neat way to enroll clients. Now I only need to learn how to define access roles for users.
Setting up the certificate service was a nightmare! After many, many hours of pulling my hair, I managed to deploy a basic web certificate to a server, but I had to give it up for three reasons:
The configuration is way too complex. Everything needs to be done through the CLI because there are hardly any options in the GUI.
As far as I know there is no official ECC support, something that I used to have with EJBCA.
The documentation is terribly crappy. I run into different error messages all the time and I can’t find any advice for most of them.
Therefore I have decided to deactivate the Dogtag service and use a third-party certificate authority; probably EJBCA since I already have positive experiences with it. That tool was a pain to install, but at least it was fairly easy to manage.
FreeIPA guides
I will start writing down my experiences in blog posts. These are the ones that are planned so far:
FreeIPA Setup Part 1: Installing FreeIPA
FreeIPA Setup Part 2: Configuring DNS zones
FreeIPA Setup Part 3: Configuring Groups, Users and LDAP Client
FreeIPA Setup Part 4: Certificate Management