Fedora's FreeIPA offers identity, security services
- 14 July, 2008 11:16
Fedora 9, released last month, included the first release of FreeIPA, a new free/open source project that comes out of Red Hat with the goal of becoming a complete and integrated security information management solution. In this article we take a look at exactly what FreeIPA is, both what it can do now and what its developers hope it will be capable of in the future. It seems destined to become a key feature of Red Hat Enterprise Linux 6, and with Fedora 9 released and FreeIPA tightly integrated, now seems to be the perfect time to explore this new technology.
The project has been running for a year and has recently made its 1.0 release. While the "IPA" part of the name stands for Identity, Policy and Auditing, the current focus is solely on providing the tools to make the identity part of the solution work, with the others being targeted for future releases. This includes the ability to centrally authenticate and administer user identities, functionality which is available in the 1.0 release through the unification of the Fedora Directory Server and MIT Kerberos, with plans to provide similar functionality for machines and services over the coming year.
Beyond the core functionality, the 1.0 release targeted simplifying the installation and configuration of the IPA environment, along with interfaces that will allow systems administrators to interact with the tool in an efficient manner. Both a command line and a web GUI are available in the 1.0 release, along with installation scripts that walk the administrator through the initial configuration.
Once the identity functionality is in place with regard to machines and services as well as users, the plan is to use the information generated to allow systems administrators to build security policies. Perhaps the two most important features planned for this side of FreeIPA are the ability to centrally manage Fedora servers and their accompanying SELinux policies. The technology has not been developed solely with Fedora in mind either, but is designed to be compatible with all of the major UNIX OSs. Not all UNIX versions, of course are capable of all of the features and so these would be restricted to certain platforms. SELinux, for example, is Linux-only. Most significant, however, is the planned ability to be capable of applying policies to individual boxes depending on which group they belong to, including the ability to target virtual machines separate from their physical hosts.
Microsoft Windows support is on the road map, but not available yet.
Following this, the final piece of the IPA puzzle to be implemented will be auditing, which will allow systems administrators to easily review a number of important security logs so that they can be aware if an incident occurs, and also discover important information such as which user used which machine and when. The major benefit of this particular feature will be to allow organisations to easily comply with a number of new regulations that require detailed information such as user access histories.
The developers of the project are well aware that it is possible to perform all of the functions in 1.0 using existing stand-alone technologies such as Kerberos and NIS, but they are also aware of the significant challenges these ad-hoc solutions pose: particularly significant is the difficulty of migrating from these solutions, as well as the expertise required to set-up and administer the system. To combat this significant effort has been put into documentation on how to link with lots of different external systems, and there is also a strong focus on ensuring that it is not just the code that is free but the data that the system generates. To this end, FreeIPA aims to use standard formats such as XML/RPC as well as making the data easily accessible within the system. There are a number of existing commercial products such as Symark's Powerbroker, but these are often expensive and are built around around proprietary technologies, re-inventing the wheel when the building blocks of these systems already exist. By building on existing free software solutions and focusing on allowing the companies to own their data, FreeIPA hopes to provide a compelling reason for migration.
It seems there is a lot to look forward to in FreeIPA, even if the current implementation is somewhat limited. If you are interested in trying FreeIPA for yourself, the website has detailed information on how to install and configure it on Fedora 9, along with information on how to configure client systems. And if you are interested in working on the development of FreeIPA, and perhaps guiding its direction, you may be interested in discovering their community tools such as the mailing lists and IRC.