Introduction to FreeIPA

FreeIPA is an open source product that combines multiple technologies and protocols into a single, complex identity management solution. It provides a much richer experience than native LDAP solutions, including features such as:

  • Support for two factor and smartcard-based authentication

  • Host-Based Access Control (HBAC)

  • Host groups

  • SELinux user maps

  • Integrated DNS server

  • Dynamic DNS updates

  • Site locations

  • … and much more …

Note

SSSD is the main FreeIPA client; it therefore provides the full experience and always supports every new feature as soon as it becomes available on the server.

FreeIPA can be managed either through a command line interface with the ipa command or through a rich web interface. You can try it right away using an online demo.

One of the main FreeIPA features is its ability to seamlessly integrate with Active Directory. The integration is achieved by creating a trust with existing Active Directory domains. Users and groups from trusted domains are then available on FreeIPA-enrolled hosts (which also means that Active Directory users can log into the Linux host), and all policies and rules (such as HBAC or sudo) are applied to them as well.

FreeIPA in combination with SSSD also provides additional functionality that further enhances the integration with Active Directory, such as:

  • No POSIX attributes are required on Active Directory objects

  • SIDs are automatically mapped to user and group IDs within an ID Range

  • POSIX attributes can be overwritten through ID Views

  • … and much more …

See also

The following documents provide more information on the Active Directory integration: