FreeIPA and Fedora 21
I have a terrible secret to confess: despite all the effort we made in FreeIPA to integrate with Fedora releases, Fedora 21 is the first release where FreeIPA is installable from the distribution media. You can finally fetch an ISO image and install FreeIPA from it without first pulling packages from the Fedora updates repository.
It is amazing that a simple “meet the deadline” goal is so hard to actually meet, but that is our reality. In Fedora 21 FreeIPA became part of the release criteria for Fedora Server. Starting with the alpha release, a failure to enroll a FreeIPA client into a FreeIPA realm was a release blocker; the beta release criteria required a functioning FreeIPA server as well.
Just a couple of weeks before the release we discovered that the new method for requesting and generating keytabs that we introduced in FreeIPA 4.0 was actually broken on the wire. The client and server sides could talk to each other without any error, but the non-default encryption types a client may request were silently ignored on the server side, so the keytab came back with the default set of enctypes rather than the ones asked for. This led us to get rid of our manual marshalling with liblber (the OpenLDAP BER library). Instead, we switched to the wonderful asn1c compiler by Lev Walkin. As asn1c is missing from Red Hat’s RHEL releases, we decided to keep the generated code checked into the git repository instead of regenerating it on every build. This decision also lets us notice differences in the generated code earlier and fix them before things go out into the wild.
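Because the bug above produced no error on either side, the only way to catch it was to look at what actually landed in the keytab. The following is an added example (not FreeIPA’s own code) of that check: after running something like ipa-getkeytab -s ipa.example.test -p host/client.example.test -k /etc/krb5.keytab -e aes256-cts,aes128-cts, feed the output of klist -ket to it together with the enctype names you expected. The server name, principal and the klist output are constructed for the example; the klist line format is the MIT Kerberos one.

```shell
#!/bin/sh
# Verify that a keytab carries every encryption type that was requested from
# ipa-getkeytab -e. Added example, not part of FreeIPA.

# Constructed sample of `klist -ket /etc/krb5.keytab` output (MIT Kerberos
# prints the enctype of each entry in parentheses when -e is given).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/01/2014 10:15:23 host/client.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 12/01/2014 10:15:23 host/client.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# keytab_enctypes: read klist -ket output on stdin, print the distinct enctype
# names found in it, one per line.
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u
}

# missing_enctypes KLIST_OUTPUT ENCTYPE...: print every requested enctype that
# is absent from the keytab. Returns 0 if all are present, 1 otherwise, so it
# can gate a provisioning script (a silently ignored request is a failure).
missing_enctypes() {
    klist_out=$1; shift
    have=$(printf '%s\n' "$klist_out" | keytab_enctypes)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# Typical use on a real client after ipa-getkeytab:
#   missing_enctypes "$(klist -ket /etc/krb5.keytab)" \
#       aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || echo "keytab lacks requested enctypes"
```

Note that ipa-getkeytab takes the short enctype names (aes256-cts) while klist prints the full ones (aes256-cts-hmac-sha1-96); the check compares against what klist prints.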
Fedora 21 will also be the first Fedora release to ship the new FreeIPA user interface based on the PatternFly Open Interface project. PatternFly attempts to standardize the user experience and interfaces of enterprise web applications. The work on adopting PatternFly can be traced back from our design page, but as with many evolving projects, FreeIPA brought its own use cases and UX needs to PatternFly and influenced some of the design decisions in the common scheme. Overall, the user interface of FreeIPA 4.x is so much improved that switching back and forth between the 3.x and 4.x series makes you realize how big an effort Petr Vobornik put in.
FreeIPA 4.1 finally provides full support for two-factor authentication (2FA). Separate components of the solution were released gradually starting with 3.3; version 4.1 completes them with a web UI to manage generated tokens, replication of token usage data across IPA masters, and a number of usability improvements for using the tokens in real life, thanks to SSSD. More details on how 2FA support is implemented and how to test or use it in Fedora 21 can be found at this page.
FreeIPA 4.1 advances our integration story for Active Directory environments. While multiple fixes were made to smooth the process of establishing a cross-forest trust with Active Directory, one of the major stumbling blocks for many users was that they had to decide up front how to handle POSIX attributes for their Active Directory users and groups. FreeIPA supports automatic generation of UID and GID values from the security identifiers (SIDs) of users and groups, and this works well when the Active Directory configuration does not include support for UNIX services and no UIDs were allocated in advance. In reality, many organizations have a long history of running POSIX and Active Directory environments side by side; in these cases UIDs and GIDs may already be assigned in Active Directory.
FreeIPA supports this use case too, but prior to version 4.1 it was an all-or-nothing approach: either you relied on autogenerated IDs or on the ones pre-configured in Active Directory. With version 4.1 we implemented so-called ID views, which allow the manual mapping of IDs for users and groups to be stored in IPA itself and applied on a per-host level. ID views are not limited to IDs: one can also redefine the login name, shell and home directory, and store public SSH keys, for users coming from Active Directory.
Applying ID views on IPA client machines would not be possible without fine work on the SSSD side. The SSSD team worked hard to complement the work we did on the server side. As a result, Fedora 21 is the first distribution that fully supports ID views on both the client and the server side.
However, for clients that cannot run an up-to-date SSSD, or cannot be configured with SSSD at all, we added ID views support to the schema compatibility plugin that FreeIPA uses to provide NIS and RFC 2307 compatibility. The schema compatibility plugin automatically applies the default view to Active Directory users, so the information about them is corrected for these legacy clients too, though more advanced features such as HBAC rules and public SSH keys are not available there.
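The per-host override described above, as an added example that is not FreeIPA’s own code: it creates an ID view, adds one override for an Active Directory user that keeps the UID/GID already assigned on the AD side and sets a login name, shell, home directory and SSH key, attaches the view to a single IPA client, and checks from that client that the override is what SSSD now returns. The view name unix_legacy, the AD domain ad.example.test, the user jdoe and the host client.example.test are assumptions for the example; the ipa commands themselves (idview-add, idoverrideuser-add, idview-apply) are the real ones. The run wrapper only prints the commands when IPA_DRY_RUN is set, so the steps can be reviewed before they touch a live server.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): define a per-host ID view for an
# Active Directory user and verify it from a client host.

# run CMD...: execute the command, or only print it when IPA_DRY_RUN is set.
run() {
    if [ -n "${IPA_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_idview VIEW AD_USER UID GID PUBKEY: create the view and one user
# override. AD_USER is the trusted-domain form, e.g. jdoe@ad.example.test;
# the login name is derived from it by stripping the domain part.
create_idview() {
    view=$1; aduser=$2; uid=$3; gid=$4; pubkey=$5
    login=${aduser%@*}
    run ipa idview-add "$view" --desc="Legacy POSIX IDs for Unix hosts"
    run ipa idoverrideuser-add "$view" "$aduser" \
        --uid="$uid" --gidnumber="$gid" --login="$login" \
        --shell=/bin/bash --homedir="/home/$login" \
        --sshpubkey="$pubkey"
}

# apply_idview VIEW HOST...: attach the view to each listed IPA client.
# Hosts not in the view keep the default (SID-derived or AD-stored) identity.
apply_idview() {
    view=$1; shift
    for h in "$@"; do
        run ipa idview-apply "$view" --hosts="$h"
    done
}

# override_applied PASSWD_LINE UID GID: check that a `getent passwd` line, as
# returned by SSSD on a client in the view, carries the overridden IDs.
# Run on the client after `sss_cache -E` so the answer is not a stale cache entry.
override_applied() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" \
        '$3 == u && $4 == g { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Typical use (assumed names; the SSH key would normally come from a file):
#   create_idview unix_legacy jdoe@ad.example.test 10001 10001 "$(cat jdoe.pub)"
#   apply_idview unix_legacy client.example.test
#   # then on client.example.test:
#   override_applied "$(getent passwd jdoe@ad.example.test)" 10001 10001 && echo "override active"
```

The override is stored in IPA and replicated like any other entry, so the legacy UID mapping no longer has to live in Active Directory; clients outside the view are unaffected, which is what makes a gradual migration host by host possible.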
I have already upgraded my production server to the Fedora 21 release. It is our most productive integration with a Fedora release ever. As we dug deeper into the integration stack, our fellows from the Fedora Server group succeeded in making the actual joining of Fedora 21 machines to an IPA realm, or the deployment of a new IPA realm, as simple as it could be, right from the Fedora installer, Anaconda, thanks to RoleKit and its Domain Controller role.
Fedora 21 was released on December 9th, 2014; make sure you set aside some time for it when planning your end of year. ;)