Product SiteDocumentation Site

1.3. Relationships Between Servers and Clients

FreeIPA itself defines a domain, a group of machines that have shared configuration, policies, and identity stores. This shared configuration allows the machines (and users) within the domain to be aware of each other and operate together. This awareness can be used to enable cross-platform compatibility, like unifying Windows and Linux systems, or to enable infrastructure-wide single sign-on.

1.3.1. About FreeIPA Servers and Replicas

FreeIPA works by having identified servers which are the master stores of information for user and machine identities and domain-wide policies. These servers host domain-related services such as certificate authorities, NTP, Kerberos, SSH, and DNS. The server also acts as a central repository of identity and policy information.
Clients interact indirectly with FreeIPA servers when they attempt to access domain resources, such as fileshares, services, remote machines, or authentication (through SSSD and Kerberos).
As said, a FreeIPA server is a controller for a lot of associated services. While a number of those services are support, most of them are not required. For example, a server may have a CA, a DNS server, or an NTP server — or it can be installed without those services.
Once a FreeIPA server is set up, its configuration can be copied and used as the basis for another FreeIPA server. When a FreeIPA server is copied, that copy is called a replica.


The only real different between a FreeIPA server and a FreeIPA replica is that a server is a new installation and a replica is based on an existing server. Once the instance is configured, servers and replicas are basically identical in functionality and behavior within the FreeIPA domain.
There is a good deal of flexibility in the FreeIPA server (and replica) topology. For example, Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Server B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Server B.
Servers and replicas both use underlying LDAP directories to store user and host entries, configuration data, policy configuration, and keytabs, certificates, and keys. Servers and replicas propagate data among each other through multi-master replication agreements. Both servers and replicas are masters in the replication topology.
Server and Replica Interactions
Figure 1.2. Server and Replica Interactions


The replication topology essentially creates a cloud of FreeIPA servers. One benefit of a server domain is automatic load balancing, using the SRV records in DNS. The SRV record priority sets the order that servers and replicas are contacted, while weight distributed the load between servers/replicas with the same priority. The server and replica DNS entries can be edited to change the load balancing, which is covered in Example 9.4, “SRV Record” and Section 9.15, “Changing Load Balancing for FreeIPA Servers and Replicas”.

1.3.2. About FreeIPA Clients

A client is simply any machine which is configured to operate within the FreeIPA domain, using its Kerberos and DNS services, NTP settings, and certificate services. That's an important distinction: a client does not require a daemon or (necessarily) an installed product. It requires only system configurations which direct it to use FreeIPA services.
For Fedora systems, a certain number of platform tools are available for FreeIPA to use, such as SSSD. These are FreeIPA-enabled platform applications, which is simply a way of saying that they are aspects of the underlying platform that work with FreeIPA services. Other tools, like certain PAM and NSS modules and FreeIPA command-line utilities, are provided as FreeIPA-specific packages that must be installed on the machine. These are FreeIPA-related components.
Server and Client Interactions
Figure 1.3. Server and Client Interactions

FreeIPA uses the local storage (cache) on a client to improve performance in a few ways:
  • Store FreeIPA information when the machine is offline.
  • Keep information active beyond its normal timeout period if the client cannot access the central server. The cache is persistent even after rebooting the machine.
  • Reduce the round-trip time of requests by checking information locally before looking at the server.
Information is stored either in an LDB database (similar to LDAP) or the local filesystem (as XML files), depending on the type of information.
  • Identity information (about users, machines, and groups) is stored in the LDB database, which uses the same syntax as an LDAP directory. This identity information is originally stored in the FreeIPA server's 389 Directory Server instance. Because this information changes frequently and is referenced frequently, it is important to be able to call the more current information quickly, which is possible using an LDB database on the client and the Directory Server on the server.
  • Policy information is more static than identity information, and it can include configuration for SELinux or sudo. These policies are set globally on the server and then are propagated to the clients. On the client, the policy information is stored in the filesystem in XML files which can be downloaded and converted into a native file for whatever service is being managed.
A specific set of services on the FreeIPA server interact with a subset of services and modules on the FreeIPA client. A client is any machine (a host) which can retrieve a keytab or certificates from the FreeIPA domain.
Interactions Between FreeIPA Services
Figure 1.4. Interactions Between FreeIPA Services

Figure 1.4, “Interactions Between FreeIPA Services” shows that Fedora uses two native daemons to interact with the FreeIPA server:
  • SSSD provides the user authentication for the machine and enforces host-based access control rules.
  • certmonger monitors and renews the certificates on the client. It can request new certificates for the services on the system, including virtual machines.
When a Fedora client is added to the domain (enrolled), its SSSD and certmonger are configured to connect to the FreeIPA server and the required Kerberos keytab and host certificates are created. (The host certificate is not used directly by FreeIPA; it may be used by other services, such as a web server.)