
Fedora 17

FreeIPA: Identity/Policy Management

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Edition 2.2.0

Ella Deon Lackey

Legal Notice

Copyright © 2012 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
All other trademarks are the property of their respective owners.
Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.

1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
2.2. Client Tool Information
2.3. Text Formatting and Styles
3. Giving Feedback
4. Document Change History
1. Introduction to FreeIPA
1.1. FreeIPA v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for FreeIPA
1.1.2. Contrasting FreeIPA with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About FreeIPA Servers and Replicas
1.3.2. About FreeIPA Clients
2. Installing a FreeIPA Server
2.1. Preparing to Install the FreeIPA Server
2.1.1. Hardware Recommendations
2.1.2. Software Requirements
2.1.3. Supported Web Browsers
2.1.4. System Prerequisites
2.1.5. Networking
2.2. Installing the FreeIPA Server Packages
2.3. Creating a FreeIPA Server Instance
2.3.1. About ipa-server-install
2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation
2.3.3. Examples of Creating the FreeIPA Server
2.3.4. Troubleshooting Installation Problems
2.4. Setting up FreeIPA Replicas
2.4.1. Prepping and Installing the Replica Server
2.4.2. Creating the Replica
2.4.3. Troubleshooting Replica Installation
2.5. Uninstalling FreeIPA Servers and Replicas
2.6. Upgrading from FreeIPA 2.1 to 2.2
2.6.1. Upgrading Packages
2.6.2. Removing Browser Configuration for Ticket Delegation
2.6.3. Testing Before Upgrading the FreeIPA Server
3. Setting up Systems as FreeIPA Clients
3.1. What Happens in Client Setup
3.2. Supported Platforms for FreeIPA Clients
3.3. System Ports
3.4. Configuring a Fedora System as a FreeIPA Client
3.5. Manually Configuring a Linux Client
3.6. Setting up a Linux Client Through Kickstart
3.7. Configuring a Microsoft Windows System to Join the FreeIPA Realm
3.8. Configuring a Solaris System as a FreeIPA Client
3.8.1. Configuring Solaris 10
3.8.2. Configuring Solaris 9
3.9. Configuring an HP-UX System as a FreeIPA Client
3.9.1. Configuring NTP
3.9.2. Configuring LDAP Authentication
3.9.3. Configuring Kerberos
3.9.4. Configuring PAM
3.9.5. Configuring SSH
3.9.6. Configuring Access Control
3.9.7. Testing the Configuration
3.10. Configuring an AIX System as a FreeIPA Client
3.10.1. Prerequisites
3.10.2. Configuring the AIX Client
3.11. Troubleshooting Client Installations
3.11.1. The client can't resolve reverse hostnames when using an external DNS.
3.11.2. The client is not added to the DNS zone.
3.12. Uninstalling a FreeIPA Client
4. Basic Usage
4.1. About the FreeIPA Client Tools
4.1.1. About the FreeIPA Command-Line Tools
4.1.2. Looking at the FreeIPA UI
4.2. Logging into FreeIPA
4.2.1. Logging into FreeIPA
4.2.2. Logging in When a FreeIPA User Is Different Than the System User
4.2.3. Checking the Current Logged in User
4.2.4. Caching User Kerberos Tickets
4.3. Using the FreeIPA Web UI
4.3.1. Supported Web Browsers
4.3.2. Opening the FreeIPA Web UI
4.3.3. Configuring the Browser
4.3.4. Using a Browser on Another System
4.3.5. Logging in with Simple Username/Password Credentials
4.3.6. Using the UI with Proxy Servers
4.3.7. Troubleshooting UI Connection Problems
4.4. Understanding Search Limits and Settings
4.4.1. Types of Search Limits and Where They Apply
4.4.2. Setting FreeIPA Search Limits
4.4.3. Overriding the Search Defaults
4.4.4. Setting Search Attributes
4.4.5. Attributes Returned in Search Results
5. Identity: Managing Users and User Groups
5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Mounting Home Directories
5.2. Managing User Entries
5.2.1. About Username Formats
5.2.2. Adding Users
5.2.3. Editing Users
5.2.4. Activating and Deactivating User Accounts
5.2.5. Deleting Users
5.3. Managing Public SSH Keys for Users
5.4. Changing Passwords
5.4.1. From the Web UI
5.4.2. From the Command Line
5.5. Unlocking User Accounts After Password Failures
5.6. Managing User Private Groups
5.6.1. Disabling Private Groups for a Specific User
5.6.2. Disabling Private Groups Globally
5.7. Managing Unique UID and GID Number Assignments
5.7.1. About ID Range Assignments During Installation
5.7.2. Adding New Ranges
5.8. Managing User and Group Schema
5.8.1. About Changing the Default User and Group Schema
5.8.2. Applying Custom Object Classes to New User Entries
5.8.3. Applying Custom Object Classes to New Group Entries
5.9. Managing User Groups
5.9.1. Creating User Groups
5.9.2. Adding Group Members
5.9.3. Deleting User Groups
5.10. Searching for Users and Groups
5.10.1. With the UI
5.10.2. With the Command Line
5.11. Specifying Default User and Group Settings
5.11.1. Viewing Settings from the Web UI
5.11.2. Viewing Settings from the Command Line
6. Identity: Managing Hosts and Services
6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.2. Adding Services and Certificates for Services
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling and Re-enabling Host and Service Entries
6.6.1. Disabling Host and Service Entries
6.6.2. Re-enabling Hosts and Services
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Delegating Host or Service Management in the Web UI
6.7.4. Accessing Delegated Services
6.8. Managing Public SSH Keys for Hosts
6.8.1. About FreeIPA Clients and OpenSSH
6.8.2. Adding Host Keys
6.8.3. Removing Host Keys
6.9. Renaming Machines and Reconfiguring FreeIPA Client Configuration
6.10. Managing Host Groups
6.10.1. Creating Host Groups
6.10.2. Adding Group Members
6.11. Troubleshooting Host Problems
6.11.1. Certificate Not Found/Serial Number Not Found Errors
6.11.2. Debugging Client Connection Problems
7. Identity: Integrating with NIS Domains and Netgroups
7.1. About NIS and FreeIPA
7.2. Setting the NIS Port for FreeIPA
7.3. Creating Netgroups
7.3.1. Adding Netgroups
7.3.2. Adding Netgroup Members
7.4. Exposing Automount Maps to NIS Clients
7.5. Migrating from NIS to FreeIPA
7.5.1. Preparing Netgroup Entries in FreeIPA
7.5.2. Enabling the NIS Listener in FreeIPA
7.5.3. Setting Weak Password Encryption for NIS User Authentication to FreeIPA
8. Identity: Integrating with Microsoft Active Directory
8.1. About Active Directory and FreeIPA
8.2. About Synchronized Attributes
8.2.1. User Attribute Synchronization
8.2.2. Group Attribute Synchronization
8.3. Setting up Active Directory for Synchronization
8.4. Managing Synchronization Agreements
8.4.1. Trusting the Active Directory and FreeIPA CA Certificates
8.4.2. Creating Synchronization Agreements
8.4.3. Changing the Behavior for Syncing User Account Attributes
8.4.4. Changing the Synchronized Windows Subtree
8.4.5. Configuring Uni-Directional Sync
8.4.6. Deleting Synchronization Agreements
8.4.7. Winsync Agreement Failures
8.5. Managing Password Synchronization
8.5.1. Setting up the Windows Server for Password Synchronization
8.5.2. Setting up Password Synchronization
8.5.3. Exempting Active Directory Users from Password Synchronization
9. Identity: Managing DNS
9.1. About DNS in FreeIPA
9.2. The FreeIPA-Generated DNS File
9.3. Setting up DNS After FreeIPA Server Installation
9.4. Managing DNS Zone Entries
9.4.1. Adding DNS Zones
9.4.2. Modifying DNS Zones
9.4.3. Enabling and Disabling Zones
9.5. Managing DNS Record Entries
9.5.1. Adding Records to DNS Zones
9.5.2. Deleting Records from DNS Zones
9.6. Configuring the bind-dyndb-ldap Plug-in
9.6.1. Changing the DNS Cache Setting
9.6.2. Enabling Zone Refreshes and Persistent Searches
9.7. Changing Recursive Queries Against Forwarders
9.8. Enabling Dynamic DNS Updates
9.8.1. Enabling Dynamic DNS Updates in the Web UI
9.8.2. Enabling Dynamic DNS Updates in the Command Line
9.9. Configuring Forwarders and Forward Policy
9.9.1. Configuring Global Forwarders
9.9.2. Configuring Zone Forwarders
9.9.3. Configuring Forwarder Policy for a Zone
9.10. Enabling Zone Transfers
9.11. Defining DNS Queries
9.12. Synchronizing Forward and Reverse Zone Entries
9.13. Setting DNS Access Policies
9.14. Resolving Hostnames in the FreeIPA Domain
9.15. Changing Load Balancing for FreeIPA Servers and Replicas
10. Policy: Using Automount
10.1. About Automount and FreeIPA
10.2. Configuring Automount
10.2.1. Configuring autofs on Fedora
10.2.2. Configuring Automount on Solaris
10.3. Setting up a Kerberized NFS Server
10.3.1. Setting up a Kerberized NFS Server
10.3.2. Setting up a Kerberized NFS Client
10.4. Configuring Kerberized CIFS
10.4.1. Setting up Samba Groups in FreeIPA
10.4.2. Configuring the CIFS Client
10.5. Configuring Locations
10.5.1. Configuring Locations through the Web UI
10.5.2. Configuring Locations through the Command Line
10.6. Configuring Maps
10.6.1. Configuring Direct Maps
10.6.2. Configuring Indirect Maps
10.6.3. Importing Automount Maps
11. Policy: Defining Password Policies
11.1. About Password Policies and Policy Attributes
11.2. Viewing Password Policies
11.2.1. Viewing the Global Password Policy
11.2.2. Viewing Group-Level Password Policies
11.2.3. Viewing the Password Policy in Effect for a User
11.3. Creating and Editing Password Policies
11.3.1. Creating Password Policies in the Web UI
11.3.2. Creating Password Policies with the Command Line
11.3.3. Editing Password Policies with the Command Line
11.4. Managing Password Expirations
11.5. Changing the Priority of Group Password Policies
11.6. Setting Account Lockout Policies
11.6.1. In the UI
11.6.2. In the CLI
11.7. Enabling a Password Change Dialog
12. Policy: Managing the Kerberos Domain
12.1. About Kerberos
12.1.1. About Principal Names
12.1.2. About Protecting Keytabs
12.2. Setting Kerberos Ticket Policies
12.2.1. Setting Global Ticket Policies
12.2.2. Setting User-Level Ticket Policies
12.3. Refreshing Kerberos Tickets
12.4. Caching Kerberos Passwords
12.5. Removing Keytabs
12.6. Troubleshooting Kerberos Errors
13. Policy: Using sudo
13.1. About sudo and IPA
13.1.1. General sudo Configuration in FreeIPA
13.1.2. sudo and Netgroups
13.1.3. Supported sudo Clients
13.2. Setting up sudo Commands and Command Groups
13.2.1. Adding sudo Commands
13.2.2. Adding sudo Command Groups
13.3. Defining sudo Rules
13.3.1. About External Users and Hosts
13.3.2. About sudo Options Format
13.3.3. Defining sudo Rules in the Web UI
13.3.4. Defining sudo Rules in the Command Line
13.4. An Example of Configuring sudo
13.4.1. Server Configuration for sudo Rules
13.4.2. Client Configuration for sudo Rules
14. Policy: Configuring Host-Based Access Control
14.1. About Host-Based Access Control
14.2. Creating Host-Based Access Control Entries for Services and Service Groups
14.2.1. Adding HBAC Services
14.2.2. Adding Service Groups
14.3. Defining Host-Based Access Control Rules
14.3.1. Setting Host-Based Access Control Rules in the Web UI
14.3.2. Setting Host-Based Access Control Rules in the Command Line
14.4. Testing Host-Based Access Control Rules
14.4.1. The Limits of Host-Based Access Control Configuration
14.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
14.4.3. Testing Host-Based Access Control Rules in the UI
15. Policy: Defining SELinux User Maps
15.1. About FreeIPA, SELinux, and Mapping Users
15.2. Configuring SELinux Users in FreeIPA
15.2.1. In the Web UI
15.2.2. In the CLI
15.3. Mapping SELinux Users and FreeIPA Users
15.3.1. In the Web UI
15.3.2. In the CLI
15.4. Troubleshooting SELinux Login Problems
16. Policy: Defining Automatic Group Membership for Users and Hosts
16.1. About Automembership
16.2. Defining Automembership Rules (Basic Procedure)
16.2.1. From the Web UI
16.2.2. From the CLI
16.3. Examples of Using Automember Groups
16.3.1. Setting an All Users/Hosts Rule
16.3.2. Defining Default Automembership Groups
16.3.3. Using Automembership Groups with Windows Users
17. Configuration: Defining Access Control within FreeIPA
17.1. About Access Controls for FreeIPA Entries
17.1.1. A Brief Look at Access Control Concepts
17.1.2. Access Control Methods in FreeIPA
17.2. Defining Self-Service Settings
17.2.1. Creating Self-Service Rules from the Web UI
17.2.2. Creating Self-Service Rules from the Command Line
17.2.3. Editing Self-Service Rules
17.3. Delegating Permissions over Users
17.3.1. Delegating Access to User Groups in the Web UI
17.3.2. Delegating Access to User Groups in the Command Line
17.4. Defining Role-Based Access Controls
17.4.1. Creating Roles
17.4.2. Creating New Permissions
17.4.3. Creating New Privileges
18. Configuration: Configuring the FreeIPA Server
18.1. FreeIPA Files and Logs
18.1.1. A Reference of FreeIPA Server Configuration Files and Directories
18.1.2. About default.conf and Context Configuration Files
18.1.3. Checking FreeIPA Server Logs
18.2. Disabling Anonymous Binds
18.3. Configuring Alternate Certificate Authorities
18.4. Configuring CRLs and OCSP Responders
18.4.1. Using an OCSP Responder with SELinux
18.4.2. Changing the CRL Update Interval
18.4.3. Changing the OCSP Responder Location
18.5. Setting a FreeIPA Server as an Apache Virtual Host
18.6. Setting DNS Entries for Multi-Homed Servers
18.7. Managing Replication Agreements Between FreeIPA Servers
18.7.1. Listing Replication Agreements
18.7.2. Creating and Removing Replication Agreements
18.7.3. Forcing Replication
18.7.4. Reinitializing FreeIPA Servers
18.7.5. Resolving Replication Conflicts
18.8. Moving CRL Generation from the Master (Original) Server to Another Replica
18.8.1. About the Master Server, Replicas, and Generating CRLs
18.8.2. Promoting a Replica
18.9. Removing a Replica
18.10. Troubleshooting
18.10.1. Starting FreeIPA with Expired Certificates
18.10.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
19. Migrating from an LDAP Directory to FreeIPA
19.1. An Overview of LDAP to FreeIPA Migration
19.1.1. Planning the Client Configuration
19.1.2. Planning Password Migration
19.1.3. Migration Considerations and Requirements
19.2. Examples for Using migrate-ds
19.2.1. Migrating Specific Subtrees
19.2.2. Specifically Including or Excluding Entries
19.2.3. Excluding Entry Attributes
19.2.4. Setting the Schema to Use
19.3. Scenario 1: Using SSSD as Part of Migration
19.4. Scenario 2: Migrating an LDAP Server Directly to FreeIPA
A. Frequently Asked Questions
B. Working with certmonger
B.1. Requesting a Certificate with certmonger
B.2. Storing Certificates in NSS Databases
B.3. Tracking Certificates with certmonger
C. FreeIPA Tools Reference
C.1. Using Special Characters with FreeIPA Tools
C.2. ipa
C.2.1. Location
C.2.2. Syntax
C.2.3. Help Topics
C.2.4. Global Options
C.2.5. Managing Attributes with --setattr, --addattr, and --delattr
C.2.6. Return Codes
C.2.7. Commands
C.3. ipa DNS Commands
C.3.1. ipa dnszone-add
C.3.2. ipa dnsrecord-add
C.4. ipa Host Commands
C.4.1. ipa host-add
C.5. Server Scripts
C.5.1. A Quick Summary of Configuration Scripts
C.5.2. ipa-replica-install
C.5.3. ipa-replica-prepare
C.5.4. ipa-server-install
C.6. Client Scripts
C.6.1. ipa-client-install