Identity Check

Enterprise Linux systems employ a set of standard tools for security, auditing, and identity management. These tools work well independently, once you get them all configured, but when it comes to integration, the admin often must improvise. Features such as central management of audit logs from multiple machines, as well as the ability to distribute SELinux policy modules to multiple machines, are often the domain of home-grown scripts. Although many proprietary solutions exist, they are typically expensive and inflexible.

The FreeIPA [1] project is an effort to combine a number of popular open source projects into a common, unified system. IPA stands for Identity, Policy, and Audit, but the developers clearly use this abbreviation with an eye on future goals. The current emphasis is on identity management, with support for Kerberos and LDAP. Future releases will offer central configuration and management of certificates, as well as policy and auditing features.

Figure 1 shows the individual FreeIPA version 1 components and how they cooperate. The combination of LDAP and Kerberos means that FreeIPA is easy to integrate with Microsoft's Active Directory System. Although the Linux world offers other options for Active Directory integration (such as Samba or Likewise [2]), Active Directory itself is only part of the solution for a fully integrated security and auditing tool. For instance, Active Directory does not offer anything in the line of policy or audit management for Linux systems, thus forcing admins to turn to other sources for these functions. Many Linux users must also consider whether it is a good idea to place their network security infrastructure in the hands of a proprietary technology like Microsoft Active Directory.

[...]