
Fedora 15

FreeIPA: Identity/Policy Management

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Edition 2.1.3

Ella Deon Lackey

Legal Notice

Copyright © 2011 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
All other trademarks are the property of their respective owners.
Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.

1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
2.2. Client Tool Information
2.3. Text Formatting and Styles
3. Giving Feedback
4. Document Change History
1. Introduction to FreeIPA
1.1. FreeIPA v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for FreeIPA
1.1.2. Contrasting FreeIPA with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About FreeIPA Servers and Replicas
1.3.2. About FreeIPA Clients
2. Installing a FreeIPA Server
2.1. Preparing to Install the FreeIPA Server
2.1.1. Hardware Requirements
2.1.2. Software Requirements
2.1.3. Supported Web Browsers
2.1.4. System Prerequisites
2.2. Installing the FreeIPA Server Packages
2.3. Creating a FreeIPA Server Instance
2.3.1. About ipa-server-install
2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation
2.3.3. Examples of Creating the FreeIPA Server
2.3.4. Troubleshooting Installation Problems
2.4. Setting up FreeIPA Replicas
2.4.1. Prepping and Installing the Replica Server
2.4.2. Creating the Replica
2.4.3. Troubleshooting Replica Installation
2.5. Uninstalling FreeIPA Servers and Replicas
3. Setting up Systems as FreeIPA Clients
3.1. What Happens in Client Setup
3.2. Supported Platforms for FreeIPA Clients
3.3. Configuring a Fedora System as a FreeIPA Client
3.4. Manually Configuring a Linux Client
3.5. Configuring a Solaris System as a FreeIPA Client
3.5.1. Configuring Solaris 10
3.5.2. Configuring Solaris 9
3.6. Configuring an HP-UX System as a FreeIPA Client
3.6.1. Configuring NTP
3.6.2. Configuring LDAP Authentication
3.6.3. Configuring Kerberos
3.6.4. Configuring PAM
3.6.5. Configuring SSH
3.6.6. Configuring Access Control
3.6.7. Testing the Configuration
3.7. Configuring an AIX System as a FreeIPA Client
3.7.1. Prerequisites
3.7.2. Configuring the AIX Client
3.8. Troubleshooting Client Installations
3.9. Uninstalling a FreeIPA Client
4. Basic Usage
4.1. About the FreeIPA Client Tools
4.1.1. About the FreeIPA Command-Line Tools
4.1.2. Looking at the FreeIPA UI
4.2. Logging into FreeIPA
4.2.1. Logging into FreeIPA
4.2.2. Logging in When a FreeIPA User Is Different Than the System User
4.2.3. Checking the Current Logged in User
4.2.4. Caching User Kerberos Tickets
4.3. Using the FreeIPA Web UI
4.3.1. Supported Web Browsers
4.3.2. Opening the FreeIPA Web UI
4.3.3. Configuring the Browser
4.3.4. Using a Browser on Another System
4.3.5. Enabling Username/Password Authentication in Your Browser
4.3.6. Using the UI with Proxy Servers
4.3.7. Troubleshooting UI Connection Problems
5. Identity: Managing Users and User Groups
5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Automounting Home Directories
5.2. Managing User Accounts
5.2.1. About User Entries
5.2.2. Adding Users
5.2.3. Editing Users
5.2.4. Activating and Deactivating User Accounts
5.2.5. Deleting Users
5.3. Changing Passwords
5.3.1. From the Web UI
5.3.2. From the Command Line
5.4. Managing Unique UID and GID Number Assignments
5.4.1. About ID Range Assignments During Installation
5.4.2. Adding New Ranges
5.5. Managing User Groups
5.5.1. Creating User Groups
5.5.2. Adding Group Members
5.5.3. Deleting User Groups
5.6. Searching for Users and Groups
5.6.1. With the UI
5.6.2. With the Command Line
5.7. Specifying Default User and Group Settings
5.7.1. Viewing the Settings Configuration
5.7.2. Setting Default Search Limits
5.7.3. Setting User Search Attributes
5.7.4. Setting Group Search Attributes
6. Identity: Managing Hosts and Services
6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.3.2. Performing a Bulk or Kickstart Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.2. Adding Services and Certificates for Services
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling Host and Service Entries
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Accessing Delegated Services
6.8. Renaming Machines and Reconfiguring FreeIPA Client Configuration
6.9. Managing Host Groups
6.9.1. Creating Host Groups
6.9.2. Adding Group Members
6.10. Troubleshooting Host Problems
6.10.1. Certificate Not Found/Serial Number Not Found Errors
6.10.2. Debugging Client Connection Problems
7. Identity: Integrating with Microsoft Active Directory
7.1. About Active Directory and FreeIPA
7.1.1. About Active Directory Synchronization
7.1.2. Attributes Which Are Synchronized
7.1.3. User Schema Differences between FreeIPA and Active Directory
7.2. Setting up Active Directory for Synchronization
7.3. Managing Synchronization Agreements
7.3.1. Trusting the Active Directory and FreeIPA CA Certificates
7.3.2. Creating Synchronization Agreements
7.3.3. Changing the Behavior for Syncing User Account Attributes
7.3.4. Changing the Synchronized Windows Subtree
7.3.5. Deleting Synchronization Agreements
7.3.6. Winsync Agreement Failures
7.4. Managing Password Synchronization
7.4.1. Setting up the Windows Server for Password Synchronization
7.4.2. Setting up Password Synchronization
7.4.3. Exempting Active Directory Users from Password Synchronization
8. Identity: Managing DNS
8.1. About DNS in FreeIPA
8.2. Configuring DNS in FreeIPA
8.3. Configuring the bind-dyndb-ldap Plug-in
8.4. Changing Recursive Queries Against Forwarders
8.5. Adding DNS Zones
8.5.1. Adding DNS Zones from the Web UI
8.5.2. Adding DNS Zones from the Command Line
8.6. Modifying DNS Zones
8.6.1. Editing the Zone Configuration in the Web UI
8.6.2. Editing the Zone Configuration in the Command Line
8.7. Enabling Dynamic DNS Updates
8.7.1. Enabling Dynamic DNS Updates in the Web UI
8.7.2. Enabling Dynamic DNS Updates in the Command Line
8.8. Enabling and Disabling Zones
8.8.1. Disabling Zones in the Web UI
8.8.2. Disabling Zones in the Command Line
8.9. Adding Records to DNS Zones
8.9.1. Adding DNS Resource Records from the Web UI
8.9.2. Adding DNS Resource Records from the Command Line
8.10. Deleting Records from DNS Zones
8.10.1. Deleting Records with the Web UI
8.10.2. Deleting Records with the Command Line
8.11. Resolving Hostnames in the FreeIPA Domain
8.12. Changing Load Balancing for FreeIPA Servers and Replicas
9. Policy: Using Automount
9.1. About Automount and FreeIPA
9.2. Configuring Automount
9.2.1. Configuring autofs on Fedora
9.2.2. Configuring Automount on Solaris
9.3. Setting up a Kerberized NFS Server
9.3.1. Setting up a Kerberized NFS Server
9.3.2. Setting up a Kerberized NFS Client
9.4. Configuring Locations
9.4.1. Configuring Locations through the Web UI
9.4.2. Configuring Locations through the Command Line
9.5. Configuring Maps
9.5.1. Configuring Direct Maps
9.5.2. Configuring Indirect Maps
9.5.3. Importing Automount Maps
10. Policy: Integrating with NIS Domains and Netgroups
10.1. About NIS and FreeIPA
10.2. Creating Netgroups
10.2.1. Adding Netgroups
10.2.2. Adding Netgroup Members
10.3. Exposing Automount Maps to NIS Clients
10.4. Migrating from NIS to FreeIPA
10.4.1. Preparing Netgroup Entries in FreeIPA
10.4.2. Enabling the NIS Listener in FreeIPA
10.4.3. Exporting the Existing NIS Data
11. Policy: Defining Password Policies
11.1. About Password Policies and Policy Attributes
11.2. Viewing Password Policies
11.2.1. Viewing the Global Password Policy
11.2.2. Viewing Group-Level Password Policies
11.2.3. Viewing the Password Policy in Effect for a User
11.3. Editing the Global Password Policy
11.3.1. With the UI
11.3.2. With the Command Line
11.4. Creating Group-Level Password Policies
11.4.1. With the Web UI
11.4.2. With the Command Line
11.5. Changing the Priority of Group Password Policies
11.6. Setting Account Lockout Policies
11.7. Enabling a Password Change Dialog
12. Policy: Managing the Kerberos Domain
12.1. About Kerberos
12.1.1. About Principal Names
12.1.2. About Protecting Keytabs
12.2. Setting Kerberos Ticket Policies
12.2.1. Setting Global Ticket Policies
12.2.2. Setting User-Level Ticket Policies
12.3. Refreshing Kerberos Tickets
12.4. Caching Kerberos Passwords
12.5. Removing Keytabs
12.6. Troubleshooting Kerberos Errors
13. Policy: Using sudo
13.1. About sudo and IPA
13.1.1. General sudo Configuration in FreeIPA
13.1.2. sudo and Netgroups
13.1.3. Supported sudo Clients
13.2. Setting up sudo Commands and Command Groups
13.2.1. Adding sudo Commands
13.2.2. Adding sudo Command Groups
13.3. Defining sudo Rules
13.3.1. Defining sudo Rules in the Web UI
13.3.2. Defining sudo Rules in the Command Line
13.4. An Example of Configuring sudo
13.4.1. Server Configuration for sudo Rules
13.4.2. Client Configuration for sudo Rules
14. Policy: Configuring Host-Based Access Control
14.1. About Host-Based Access Control
14.2. Creating Host-Based Access Control Entries for Services and Service Groups
14.2.1. Adding HBAC Services
14.2.2. Adding Service Groups
14.3. Defining Host-Based Access Control Rules
14.3.1. Setting Host-Based Access Control Rules in the Web UI
14.3.2. Setting Host-Based Access Control Rules in the Command Line
14.4. Testing Host-Based Access Control Rules
14.4.1. The Limits of Host-Based Access Control Configuration
14.4.2. Test Scenarios for Host-Based Access Control
15. Configuration: Defining Access Control within FreeIPA
15.1. About Access Controls for FreeIPA Entries
15.1.1. A Brief Look at Access Control Concepts
15.1.2. Access Control Methods in FreeIPA
15.2. Defining Self-Service Settings
15.2.1. Creating Self-Service Rules from the Web UI
15.2.2. Creating Self-Service Rules from the Command Line
15.2.3. Editing Self-Service Rules
15.3. Delegating Permissions over Users
15.3.1. Delegating Access to User Groups in the Web UI
15.3.2. Delegating Access to User Groups in the Command Line
15.4. Defining Role-Based Access Controls
15.4.1. Creating Roles
15.4.2. Creating New Permissions
15.4.3. Creating New Privileges
16. Configuring the FreeIPA Server
16.1. FreeIPA Files and Logs
16.1.1. A Reference of FreeIPA Server Configuration Files and Directories
16.1.2. About default.conf and Context Configuration Files
16.1.3. Checking FreeIPA Server Logs
16.2. Disabling Anonymous Binds
16.3. Configuring Alternate Certificate Authorities
16.4. Configuring CRLs and OCSP Responders
16.4.1. Using an OCSP Responder with SELinux
16.4.2. Changing the CRL Update Interval
16.4.3. Changing the OCSP Responder Location
16.5. Setting a FreeIPA Server as an Apache Virtual Host
16.6. Setting DNS Entries for Multi-Homed Servers
16.7. Managing Replication Agreements Between FreeIPA Servers
16.7.1. Listing Replication Agreements
16.7.2. Creating and Removing Replication Agreements
16.7.3. Forcing Replication
16.7.4. Reinitializing FreeIPA Servers
16.8. Promoting a Replica to a FreeIPA Server
16.8.1. Promoting a Replica with a Dogtag Certificate System CA
16.8.2. Promoting a Replica with a Self-Signed CA
16.9. Testing Before Upgrading the FreeIPA Server
17. Migrating from an LDAP Directory to FreeIPA
17.1. An Overview of LDAP to FreeIPA Migration
17.1.1. Planning the Client Configuration
17.1.2. Planning Password Migration
17.1.3. Migration Considerations and Requirements
17.2. Scenario 1: Using SSSD as Part of Migration
17.3. Scenario 2: Migrating an LDAP Server Directly to FreeIPA
18. Working with certmonger
18.1. Requesting a Certificate with certmonger
18.2. Storing Certificates in NSS Databases
18.3. Tracking Certificates with certmonger
A. Frequently Asked Questions
B. FreeIPA Tools Reference
B.1. Using Special Characters
B.2. ipa
B.2.1. Location
B.2.2. Syntax
B.2.3. Help Topics
B.2.4. Global Options
B.2.5. Adding Attributes with --setattr and --addattr
B.2.6. Return Codes
B.2.7. Commands
B.3. ipa DNS Commands
B.3.1. ipa dnszone-add
B.4. ipa Host Commands
B.4.1. ipa host-add
B.5. Server Scripts
B.5.1. ipa-replica-install
B.5.2. ipa-replica-prepare
B.5.3. ipa-server-install
B.6. Client Scripts
B.6.1. ipa-client-install