Integrated identity management with FreeIPA
Highly Available Data
After completing the basic server configuration, you should replicate the directory server data on a second machine. Because FreeIPA stores the complete Kerberos configuration and the Kerberos database in LDAP, this replication gives you a second master server in next to no time.
In the case of a master server failure, the secondary master still has all the data, on which you can even edit the data. Once the primary master goes back online, the modified data is then replicated back to it. The use of at least two servers is also a good idea for load balancing purposes.
If you store data at two distinct geographical locations, you should consider configuring more servers and setting them up as replicas to avoid the use of a WAN connection whenever you query or change the directory.
The primary master has a configuration file with all the information you need to create a second server:
Now just copy the file created at the last step to the replica host and launch the installation there:
# scp /var/lib/ipa/replica-info-devel-srv2.virt.foo.de root@devel-srv2:/tmp/ # ipa-replica-install /tmp/replica-info-devel-srv2.virt.foo.de
Assuming the installation program completes without error, you can start a replication of the LDAP database. If you then assign a separate DNS zone file to the replica, you have two independent servers. With the use of ipa-replica-manage, you can view and modify any replication agreements set up in this way.
Active Directory Synchronization
Administrators can use ipa-replica-manage to synchronize data between a Windows Active Directory server and a FreeIPA server. The current developer version of FreeIPA already implements this feature. To do so, you need a TLS/SSL certificate on the Windows server; this is mandatory for synchronizing the data on the Active Directory server with FreeIPA. The Fedora Wiki has a HOWTO .
Now copy the CA certificate used here to the FreeIPA server to verify the TLS/SSL certificate on the Active Directory server. When you launch the ipa-server-install program, the Windows Sync plugin is installed automatically. However, the plugin is not used unless you set up data replication between a Windows server and a FreeIPA server with ipa-replica-manage. The tool has several new options:
- winsync – defines data replication between a Windows server and a FreeIPA server.
- binddn – defines the user account for logging into the Active Directory. This user needs a number of privileges (read, write, search, password change, DirSync).
- bindpw – specifies a password for the specified user account.
- cacert – defines a path to the ASCII/PEM-encoded CA certificate that is used to sign the Windows server's TLS/SSL certificate. This setting is then stored in the FreeIPA certificate repository.
After entering the required information, the Active Directory user's container is synchronized with the FreeIPA server. All Unix/Linux IPA clients can then access this information via a native interface. Because the synchronization process is unidirectional, new users who have accounts on both Windows and Linux clients must first be created in Active Directory.
FreeIPA unifies a number of popular tools under a common umbrella. Version 1 focuses on storing identities. Although components such as certificate, audit, and policy management are still missing, it is easy to see where the product is heading.
- FreeIPA: http://www.freeipa.org
- Likewise: http://www.likewisesoftware.com
- Windows Sync HOWTO: http://directory.fedoraproject.org/wiki/Howto:WindowsSync
Buy this article as PDF
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.
Redmond rushes in to root out alleged malware haven.
New initiative will bring futuristic virtual reality effects to the web surfing experience.
Dyreza malware launches a man-in-the-middle attack that compromises SSL.
New cloud combines worldwide access with local attention to data security.
A first cousin of the recent Heartbleed attack affects EAP-based wireless and peer-to-peer authentication.
FOSS community acts to protect freedom of choice for laptop devices.
Quintessential open source browser shores up its market share with a step toward the proprietary dark side.
Authorities in 16 countries take action against users of the imfamous BlackShades malware tool.