Open source takes on Active Directory

Coming out of RedHat ecosystem is FreeIPA,  a self-styled integrated security information management solution. IPA stands for Identity, Policy, Audit. Make no mistake – there is no PaidIPA, and FreeIPA is a take on Active Directory, combining the OS, LDAP, Kerberos and integrating Web and certificate services, as well as other infrastructure services into the software stack. Detailed features:

Version 1 will focus on

  • Allowing an administrator to quickly install, setup, and
    administer one or more IPA servers for centralized authentication and
    user identity management.

Version 2 will focus on

  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing kerberos principal and cert to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
  • IPA Client code for managing authentication, authorization, caching, connection
  • Policy. Centrally managed sudoers/netgroups, SELinux role based access
  • Audit. Centrally collected audit logs from IPA servers and from IPA clients

I assume there will be an easy way to integrate email and real-time communications system into the IPA.

We have had all of this (bar a mandatory access control system) in Active Directory for a long while now. UNIX and Linux integrate well into AD through Samba and Likewise Open. But integrated authentication and authorisation subsystem designed specifically for Linux was missing. Until now, there were bits and pieces that are hard to integrate. FreeIPA is an attempt to close that gap and create some competition to Active Directory, which is a good thing.