Open source takes on Active Directory

Coming out of the RedHat ecosystem is FreeIPA, a self-styled integrated security information management solution. IPA stands for Identity, Policy, Audit. Make no mistake – there is no PaidIPA, and FreeIPA is a take on Active Directory, combining the OS, LDAP and Kerberos and integrating Web and certificate services, as well as other infrastructure services, into one software stack. Detailed features:

Version 1 will focus on

  • Allowing an administrator to quickly install, setup, and
    administer one or more IPA servers for centralized authentication and
    user identity management.

Version 2 will focus on

  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing kerberos principal and cert to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
  • IPA Client code for managing authentication, authorization, caching, connection
  • Policy. Centrally managed sudoers/netgroups, SELinux role based access
  • Audit. Centrally collected audit logs from IPA servers and from IPA clients

I assume there will be an easy way to integrate email and real-time communications system into the IPA.

We have had all of this (bar a mandatory access control system) in Active Directory for a long while now. UNIX and Linux integrate well into AD through Samba and Likewise Open. But an integrated authentication and authorisation subsystem designed specifically for Linux was missing. Until now, there were only bits and pieces that were hard to integrate. FreeIPA is an attempt to close that gap and create some competition for Active Directory, which is a good thing.

  1. If you look at the roadmap, FreeIPA’s version 2 was due about a year ago. They have not released a version of version 1.x FreeIPA in a year per There is basically no traffic on their listserver. Their lead developer won’t commit to the product’s roadmap and is vague on when v2 may even be released. RedHat was going to do a paid IPA per, but per they are not promoting it nor have they released it as a commercial offering. So it looks clear that this is not a piece of software whose future is clear, nor is there a significant commitment to it from RedHat (especially in light of the fact that they have some developers working on Samba4, which also competes with AD from a directory server perspective), so I don’t think Microsoft is shaking in its boots about this as a new AD competitor. Finally, don’t confuse “AD clients” for *nix (i.e. apps that integrate non-MSFT systems into AD, and you forgot to mention Centrify) with a directory server, which is what FreeIPA is about. Not only would FreeIPA have to release a stable v2, but it would also have to build a large set of clients for Windows and various UNIX / Linux / Mac systems for it to be a viable competitor in the directory server market. Don’t get me wrong, I too think competition in the directory market is a good thing (especially in light of Sun Directory probably fading away vis-à-vis Oracle Internet Directory), and I think it is great you brought up this topic, but RedHat has to be serious about this product if they really want to compete with AD.
