Product SiteDocumentation Site

1.2. Bringing Linux Services Together

FreeIPA unifies disparate yet related Linux services into a single management environment. From there, it establishes a simple, easy way to bring host machines into the domain of those services.
A FreeIPA server is, at its core, an identity and authentication server. The primary FreeIPA server, essentially a domain controller, uses a Kerberos server and KDC for authentication. An LDAP backend contains all of the domain information, including users, client machines, and domain configuration.
The FreeIPA Server: Unifying Services
Figure 1.1. The FreeIPA Server: Unifying Services

Other services are included to provide support for the core identity/authentication functions. DNS is used for machine discovery and for connecting to other clients in the domain. NTP is used to synchronize all domain clocks so that logging, certificates, and operations can occur as expected. A certificate service provides certificates for Kerberos-aware services. All of these additional services work together under the control of the FreeIPA server.
The FreeIPA server also has a set of tools which are used to manage all of the FreeIPA-associated services. Rather than managing the LDAP server, KDC, or DNS settings individually, using different tools on local machines, FreeIPA has a single management toolset (CLI and web UI) that allows centralized and cohesive administration of the domain.

1.2.1. Authentication: Kerberos KDC

Kerberos is an authentication protocol. Kerberos uses symmetric key cryptography to generate tickets to users. Kerberos-aware services check the ticket cache (a keytab) and authenticate users with valid tickets.
Kerberos authentication is significantly safer than normal password-based authentication because passwords are never sent over the network — even when services are accessed on other machines.
In FreeIPA, the Kerberos administration server is set up on the FreeIPA domain controller, and all of the Kerberos data are stored in FreeIPA's backend Directory Server. The Directory Server instance defines and enforces access controls for the Kerberos data.


The FreeIPA Kerberos server is managed through FreeIPA tools instead of Kerberos tools because all of its data are stored in the Directory Server instance. The KDC is unaware of the Directory Server, so managing the KDC with Kerberos tools does not effect the FreeIPA configuration.

1.2.2. Data Storage: 389 Directory Server

FreeIPA contains an internal 389 Directory Server instance. All of the Kerberos information, user accounts, groups, services, policy information, DNS zone and host entries, and all other information in FreeIPA is stored in this 389 Directory Server instance.
When multiple servers are configured, they can talk to each other because 389 Directory Server supports multi-master replication. Agreements are automatically configured between the initial server and any additional replicas which are added to the domain.

1.2.3. Authentication: Dogtag Certificate System

Kerberos can use certificates along with keytabs for authentication, and some services require certificates for secure communication. FreeIPA includes a certificate authority, through Dogtag Certificate System, with the server. This CA issues certificates to the server, replicas, and hosts and services within the FreeIPA domain.
The CA can be a root CA or it can have its policies defined by another, external CA (so that it is subordinate to that CA). Whether the CA is a root or subordinate CA is determined when the FreeIPA server is set up.

1.2.4. Server/Client Discovery: DNS

FreeIPA defines a domain — multiple machines with different users and services, each accessing shared resources and using shared identity, authentication, and policy configuration. The clients need to be able to contact each other, as FreeIPA servers. Additionally, services like Kerberos depend on hostnames to identify their principal identities.
Hostnames are associated with IP address using the Domain Name Service (DNS). DNS maps hostnames to IP addresses and IP addresses to hostnames, providing a resource that clients can use when they need to look up a host. From the time a client is enrolled in the FreeIPA domain, it uses DNS to locate the FreeIPA server and then all of the services and clients within the domain.
Multiple DNS servers are usually configured, each one working as an authoritative resource for machines within a specific domain. Having the FreeIPA server also be a DNS server is optional, but it is strongly recommended. When the FreeIPA server also manages DNS, there is tight integration between the DNS zones and the FreeIPA clients and the DNS configuration can be managed using native FreeIPA tools. Even if a FreeIPA server is a DNS server, other external DNS servers can still be used.

1.2.5. Management: NTP

Many services require that servers and clients have the same system time, within a certain variance. For example, Kerberos tickets use time stamps to determine their validity. If the times between the server and client skew outside the allowed range, then any Kerberos tickets are invalidated.
Clocks are synchronized over a network using Network Time Protocol (NTP). A central server acts as an authoritative clock and all of the clients which reference that NTP server sync their times to match.
When the FreeIPA server is the NTP server for the domain, all times and dates are synchronized before any other operations are performed. This allows all of the date-related services — including password expirations, ticket and certificate expirations, account lockout settings, and entry create dates — to function as expected.
The FreeIPA server, by default, works as the NTP server for the domain. Other NTP servers can also be used for the hosts.