
Fedora 18

FreeIPA: Identity/Policy Management

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Edition 3.1.5

Ella Deon Lackey

Legal Notice

Copyright © 2012 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.
Identity and policy management, for both users and machines, is a core function for almost any enterprise environment. FreeIPA provides a way to create an identity domain that allows machines to enroll in the domain and immediately access the identity information required for single sign-on and authentication services, as well as the policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing FreeIPA domains, including both servers and clients. This guide is intended for IT and systems administrators.

1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
2.2. Client Tool Information
2.3. Text Formatting and Styles
3. Giving Feedback
4. Document Change History
1. Introduction to FreeIPA
1.1. FreeIPA v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for FreeIPA
1.1.2. Contrasting FreeIPA with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About FreeIPA Servers and Replicas
1.3.2. About FreeIPA Clients
2. Installing a FreeIPA Server
2.1. Preparing to Install the FreeIPA Server
2.1.1. Hardware Recommendations
2.1.2. Software Requirements
2.1.3. Supported Web Browsers
2.1.4. System Prerequisites
2.1.5. Networking
2.2. Installing the FreeIPA Server Packages
2.3. Creating a FreeIPA Server Instance
2.3.1. About ipa-server-install
2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation
2.3.3. Examples of Creating the FreeIPA Server
2.3.4. Troubleshooting Installation Problems
2.4. Setting up FreeIPA Replicas
2.4.1. Prepping and Installing the Replica Server
2.4.2. Creating the Replica
2.4.3. Troubleshooting Replica Installation
2.5. Uninstalling FreeIPA Servers and Replicas
2.6. Upgrading from FreeIPA 2.1 to 2.2
2.6.1. Upgrading Packages
2.6.2. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
2.6.3. Testing Before Upgrading the FreeIPA Server (Recommended)
3. Setting up Systems as FreeIPA Clients
3.1. What Happens in Client Setup
3.2. Supported Platforms for FreeIPA Clients
3.3. System Ports
3.4. Configuring a Fedora System as a FreeIPA Client
3.5. Manually Configuring a Linux Client
3.6. Setting up a Linux Client Through Kickstart
3.7. Configuring a Microsoft Windows System to Join the FreeIPA Realm
3.8. Configuring a Solaris System as a FreeIPA Client
3.8.1. Configuring Solaris 10
3.8.2. Configuring Solaris 9
3.9. Configuring an HP-UX System as a FreeIPA Client
3.9.1. Configuring NTP
3.9.2. Configuring LDAP Authentication
3.9.3. Configuring Kerberos
3.9.4. Configuring PAM
3.9.5. Configuring SSH
3.9.6. Configuring Access Control
3.9.7. Testing the Configuration
3.10. Configuring an AIX System as a FreeIPA Client
3.10.1. Prerequisites
3.10.2. Configuring the AIX Client
3.11. Troubleshooting Client Installations
3.11.1. The client can't resolve reverse hostnames when using an external DNS.
3.11.2. The client is not added to the DNS zone.
3.12. Uninstalling a FreeIPA Client
4. Basic Usage
4.1. About the FreeIPA Client Tools
4.1.1. About the FreeIPA Command-Line Tools
4.1.2. Looking at the FreeIPA UI
4.2. Logging into FreeIPA
4.2.1. Logging into FreeIPA
4.2.2. Logging in When a FreeIPA User Is Different Than the System User
4.2.3. Checking the Current Logged in User
4.2.4. Caching User Kerberos Tickets
4.3. Using the FreeIPA Web UI
4.3.1. Supported Web Browsers
4.3.2. Opening the FreeIPA Web UI
4.3.3. Configuring the Browser
4.3.4. Using a Browser on Another System
4.3.5. Logging in with Simple Username/Password Credentials
4.3.6. Using the UI with Proxy Servers
4.3.7. Troubleshooting UI Connection Problems
4.4. Understanding Search Limits and Settings
4.4.1. Types of Search Limits and Where They Apply
4.4.2. Setting FreeIPA Search Limits
4.4.3. Overriding the Search Defaults
4.4.4. Setting Search Attributes
4.4.5. Attributes Returned in Search Results
5. Identity: Managing Users and User Groups
5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Mounting Home Directories
5.2. Managing User Entries
5.2.1. About Username Formats
5.2.2. Adding Users
5.2.3. Editing Users
5.2.4. Activating and Deactivating User Accounts
5.2.5. Deleting Users
5.3. Managing Public SSH Keys for Users
5.3.1. About the SSH Key Format
5.3.2. Uploading User SSH Keys Through the Web UI
5.3.3. Uploading User SSH Keys Through the Command Line
5.3.4. Deleting User Keys
5.4. Changing Passwords
5.4.1. From the Web UI
5.4.2. From the Command Line
5.5. Unlocking User Accounts After Password Failures
5.6. Managing User Private Groups
5.6.1. Disabling Private Groups for a Specific User
5.6.2. Disabling Private Groups Globally
5.7. Repairing Changed UID and GID Numbers
5.8. Managing Unique UID and GID Number Assignments
5.8.1. About ID Range Assignments During Installation
5.8.2. Adding New Ranges
5.9. Managing User and Group Schema
5.9.1. About Changing the Default User and Group Schema
5.9.2. Applying Custom Object Classes to New User Entries
5.9.3. Applying Custom Object Classes to New Group Entries
5.10. Managing User Groups
5.10.1. Creating User Groups
5.10.2. Adding Group Members
5.10.3. Deleting User Groups
5.11. Searching for Users and Groups
5.11.1. With the UI
5.11.2. With the Command Line
5.12. Specifying Default User and Group Settings
5.12.1. Viewing Settings from the Web UI
5.12.2. Viewing Settings from the Command Line
6. Identity: Managing Hosts and Services
6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.2. Adding Services and Certificates for Services
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling and Re-enabling Host and Service Entries
6.6.1. Disabling Host and Service Entries
6.6.2. Re-enabling Hosts and Services
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Delegating Host or Service Management in the Web UI
6.7.4. Accessing Delegated Services
6.8. Managing Public SSH Keys for Hosts
6.8.1. About the SSH Key Format
6.8.2. About ipa-client-install and OpenSSH
6.8.3. Uploading Host SSH Keys Through the Web UI
6.8.4. Adding Host Keys from the Command Line
6.8.5. Removing Host Keys
6.9. Renaming Machines and Reconfiguring FreeIPA Client Configuration
6.10. Managing Host Groups
6.10.1. Creating Host Groups
6.10.2. Adding Group Members
6.11. Troubleshooting Host Problems
6.11.1. Certificate Not Found/Serial Number Not Found Errors
6.11.2. Debugging Client Connection Problems
7. Identity: Integrating with NIS Domains and Netgroups
7.1. About NIS and FreeIPA
7.2. Setting the NIS Port for FreeIPA
7.3. Creating Netgroups
7.3.1. Adding Netgroups
7.3.2. Adding Netgroup Members
7.4. Exposing Automount Maps to NIS Clients
7.5. Migrating from NIS to FreeIPA
7.5.1. Preparing Netgroup Entries in FreeIPA
7.5.2. Enabling the NIS Listener in FreeIPA
7.5.3. Setting Weak Password Encryption for NIS User Authentication to FreeIPA
8. Identity: Integrating with Active Directory Through Cross-Realm Kerberos Trusts
8.1. The Meaning of "Trust"
8.1.1. How Trust Works: Transparency Between Kerberos and DNS Realms
8.1.2. Trust in Contrast to Synchronization
8.1.3. Active Directory Users and FreeIPA Features: sudo and Host-Based Access Control Policies
8.1.4. Potential Issues with Group Mapping and SIDs
8.1.5. Active Directory Users and FreeIPA Administration
8.2. Environment and Machine Requirements to Set Up Trusts
8.2.1. Domain and Realm Names
8.2.2. NetBIOS Names
8.2.3. Integrated DNS
8.2.4. Firewalls and Ports
8.2.5. Clock Settings
8.2.6. Supported Username Formats
8.2.7. Trust Can Only Be Configured Once
8.3. Setting up Trust with FreeIPA as a DNS Subdomain of Active Directory
8.4. Setting up Trust with FreeIPA and Active Directory in Different DNS Domains
8.5. Creating FreeIPA Groups for Active Directory Users
8.6. Using SSH from Active Directory Machines for FreeIPA Resources
8.7. Using Trust with Kerberized Web Applications
9. Identity: Integrating with Microsoft Active Directory Through Synchronization
9.1. About Active Directory and FreeIPA
9.2. About Synchronized Attributes
9.2.1. User Schema Differences between FreeIPA and Active Directory
9.2.2. Active Directory Entries and RFC 2307 Attributes
9.3. Setting up Active Directory for Synchronization
9.4. Managing Synchronization Agreements
9.4.1. Trusting the Active Directory and FreeIPA CA Certificates
9.4.2. Creating Synchronization Agreements
9.4.3. Changing the Behavior for Syncing User Account Attributes
9.4.4. Changing the Synchronized Windows Subtree
9.4.5. Configuring Uni-Directional Sync
9.4.6. Deleting Synchronization Agreements
9.4.7. Winsync Agreement Failures
9.5. Managing Password Synchronization
9.5.1. Setting up the Windows Server for Password Synchronization
9.5.2. Setting up Password Synchronization
9.5.3. Exempting Active Directory Users from Password Synchronization
10. Identity: Managing DNS
10.1. About DNS in FreeIPA
10.2. The FreeIPA-Generated DNS File
10.3. Setting up DNS After FreeIPA Server Installation
10.4. Managing DNS Zone Entries
10.4.1. Adding DNS Zones
10.4.2. Modifying DNS Zones
10.4.3. Enabling and Disabling Zones
10.5. Managing DNS Record Entries
10.5.1. Adding Records to DNS Zones
10.5.2. Deleting Records from DNS Zones
10.6. Configuring the bind-dyndb-ldap Plug-in
10.6.1. Changing the DNS Cache Setting
10.6.2. Enabling Zone Refreshes and Persistent Searches
10.7. Changing Recursive Queries Against Forwarders
10.8. Enabling Dynamic DNS Updates
10.8.1. Enabling Dynamic DNS Updates in the Web UI
10.8.2. Enabling Dynamic DNS Updates in the Command Line
10.9. Configuring Forwarders and Forward Policy
10.9.1. Configuring Global Forwarders
10.9.2. Configuring Zone Forwarders
10.9.3. Configuring Forwarder Policy for a Zone
10.10. Enabling Zone Transfers
10.11. Defining DNS Queries
10.12. Synchronizing Forward and Reverse Zone Entries
10.13. Setting DNS Access Policies
10.14. Resolving Hostnames in the FreeIPA Domain
10.15. Changing Load Balancing for FreeIPA Servers and Replicas
11. Policy: Using Automount
11.1. About Automount and FreeIPA
11.2. Configuring Automount
11.2.1. Configuring autofs on Fedora
11.2.2. Configuring Automount on Solaris
11.3. Setting up a Kerberized NFS Server
11.3.1. Setting up a Kerberized NFS Server
11.3.2. Setting up a Kerberized NFS Client
11.4. Configuring Locations
11.4.1. Configuring Locations through the Web UI
11.4.2. Configuring Locations through the Command Line
11.5. Configuring Maps
11.5.1. Configuring Direct Maps
11.5.2. Configuring Indirect Maps
11.5.3. Importing Automount Maps
12. Policy: Defining Password Policies
12.1. About Password Policies and Policy Attributes
12.2. Viewing Password Policies
12.2.1. Viewing the Global Password Policy
12.2.2. Viewing Group-Level Password Policies
12.2.3. Viewing the Password Policy in Effect for a User
12.3. Creating and Editing Password Policies
12.3.1. Creating Password Policies in the Web UI
12.3.2. Creating Password Policies with the Command Line
12.3.3. Editing Password Policies with the Command Line
12.4. Managing Password Expiration Limits
12.5. Changing the Priority of Group Password Policies
12.6. Setting Account Lockout Policies
12.6.1. In the UI
12.6.2. In the CLI
12.7. Enabling a Password Change Dialog
13. Policy: Managing the Kerberos Domain
13.1. About Kerberos
13.1.1. About Principal Names
13.1.2. About Protecting Keytabs
13.2. Setting Kerberos Ticket Policies
13.2.1. Setting Global Ticket Policies
13.2.2. Setting User-Level Ticket Policies
13.3. Refreshing Kerberos Tickets
13.4. Caching Kerberos Passwords
13.5. Removing Keytabs
13.6. Troubleshooting Kerberos Errors
14. Policy: Using sudo
14.1. About sudo and FreeIPA
14.1.1. General sudo Configuration in FreeIPA
14.1.2. sudo and Netgroups
14.1.3. Supported sudo Clients
14.2. Setting up sudo Commands and Command Groups
14.2.1. Adding sudo Commands
14.2.2. Adding sudo Command Groups
14.3. Defining sudo Rules
14.3.1. About External Users and Hosts
14.3.2. About sudo Options Format
14.3.3. Defining sudo Rules in the Web UI
14.3.4. Defining sudo Rules in the Command Line
14.4. Applying the Configured sudo Policies to Hosts
15. Policy: Configuring Host-Based Access Control
15.1. About Host-Based Access Control
15.2. Creating Host-Based Access Control Entries for Services and Service Groups
15.2.1. Adding HBAC Services
15.2.2. Adding Service Groups
15.3. Defining Host-Based Access Control Rules
15.3.1. Setting Host-Based Access Control Rules in the Web UI
15.3.2. Setting Host-Based Access Control Rules in the Command Line
15.4. Testing Host-Based Access Control Rules
15.4.1. The Limits of Host-Based Access Control Configuration
15.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
15.4.3. Testing Host-Based Access Control Rules in the UI
16. Policy: Defining SELinux User Maps
16.1. About FreeIPA, SELinux, and Mapping Users
16.2. Configuring SELinux Users in FreeIPA
16.2.1. In the Web UI
16.2.2. In the CLI
16.3. Mapping SELinux Users and FreeIPA Users
16.3.1. In the Web UI
16.3.2. In the CLI
16.4. Troubleshooting SELinux Login Problems
17. Policy: Defining Automatic Group Membership for Users and Hosts
17.1. About Automembership
17.2. Defining Automembership Rules (Basic Procedure)
17.2.1. From the Web UI
17.2.2. From the CLI
17.3. Examples of Using Automember Groups
17.3.1. Setting an All Users/Hosts Rule
17.3.2. Defining Default Automembership Groups
17.3.3. Using Automembership Groups with Windows Users
18. Configuration: Defining Access Control within FreeIPA
18.1. About Access Controls for FreeIPA Entries
18.1.1. A Brief Look at Access Control Concepts
18.1.2. Access Control Methods in FreeIPA
18.2. Defining Self-Service Settings
18.2.1. Creating Self-Service Rules from the Web UI
18.2.2. Creating Self-Service Rules from the Command Line
18.2.3. Editing Self-Service Rules
18.3. Delegating Permissions over Users
18.3.1. Delegating Access to User Groups in the Web UI
18.3.2. Delegating Access to User Groups in the Command Line
18.4. Defining Role-Based Access Controls
18.4.1. Creating Roles
18.4.2. Creating New Permissions
18.4.3. Creating New Privileges
19. Configuration: Configuring the FreeIPA Server
19.1. FreeIPA Files and Logs
19.1.1. A Reference of FreeIPA Server Configuration Files and Directories
19.1.2. About default.conf and Context Configuration Files
19.1.3. Checking FreeIPA Server Logs
19.2. Disabling Anonymous Binds
19.3. Configuring Alternate Certificate Authorities
19.4. Configuring CRLs and OCSP Responders
19.4.1. Using an OCSP Responder with SELinux
19.4.2. Changing the CRL Update Interval
19.4.3. Changing the OCSP Responder Location
19.5. Setting DNS Entries for Multi-Homed Servers
19.6. Managing Replication Agreements Between FreeIPA Servers
19.6.1. Listing Replication Agreements
19.6.2. Creating and Removing Replication Agreements
19.6.3. Forcing Replication
19.6.4. Reinitializing FreeIPA Servers
19.6.5. Resolving Replication Conflicts
19.7. Removing a Replica
19.8. Troubleshooting
19.8.1. Starting FreeIPA with Expired Certificates
19.8.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
20. Migrating from an LDAP Directory to FreeIPA
20.1. An Overview of LDAP to FreeIPA Migration
20.1.1. Planning the Client Configuration
20.1.2. Planning Password Migration
20.1.3. Migration Considerations and Requirements
20.2. Examples for Using migrate-ds
20.2.1. Migrating Specific Subtrees
20.2.2. Specifically Including or Excluding Entries
20.2.3. Excluding Entry Attributes
20.2.4. Setting the Schema to Use
20.3. Scenario 1: Using SSSD as Part of Migration
20.4. Scenario 2: Migrating an LDAP Server Directly to FreeIPA
A. Frequently Asked Questions
B. Working with certmonger
B.1. Requesting a Certificate with certmonger
B.2. Storing Certificates in NSS Databases
B.3. Tracking Certificates with certmonger