FreeIPA connector

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments (combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System)). A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

Connector operations

OpenIAM integrates with the FreeIPA solution through the FreeIPA connector. In OpenIAM, the IPA connector performs the following user operations:

  • save user;
  • search;
  • resume;
  • suspend;
  • delete user;
  • reset password.
Note: the FreeIPA connector does not perform the login operation for users.

Additionally, the connector also runs a test connection operation. Using the username and password indicated in the Managed system, it makes the following API call:

call api https://myhost/ipa/session/login_password

where the Content-Type is x-www-form-urlencoded and myhost is the host of the IPA instance.

Hence, the connector passes the managed system parameters and receives a Success connection or No success connection response.

The connector can be used to synchronize groups. It cannot perform CRUD operations, but it can search existing groups in the target system.

The connector also uses a lookup method to find a single user, using the following API call:

https://myhost/ipa/session/json
method : user_show

Here, the method to run is specified in the JSON payload; for the lookup operation it is user_show. To add or update a user, a POST request is sent with a JSON payload naming the user_add or user_mod method. To change a user's membership in the groups of the target system, the group_add_member and group_remove_member methods are used.

To synchronize (to perform a search operation), the user_find or group_find methods are used.

If necessary, users can apply a filter when searching for the objects they need; the pattern is shown below.

  • * finds all objects.
  • To filter the objects needed: option1=value1_opt
  • Several filters can be combined using the -- sign. The filter then looks like this: option1=value1_opt--option2=value2_opt

The option notion and which options may be inserted into the pattern above are covered in the FreeIPA documentation.
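
The two request shapes described above (the form-encoded login used by the test connection, and the JSON-RPC calls to /ipa/session/json) and the filter pattern can be put together in a small client. The following is an added example, not OpenIAM's connector code or FreeIPA's own client. It assumes FreeIPA's documented JSON-RPC shape, where params is a two-element list of positional arguments and an options dictionary, and it assumes that each option1=value1 clause of the connector's filter pattern maps onto a method option; the host ipa.example.test and the credentials are placeholders.

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlencode

LOGIN_PATH = "/ipa/session/login_password"
RPC_PATH = "/ipa/session/json"


def build_login_request(host, username, password):
    """Test-connection call: form-encoded POST of the managed-system credentials."""
    url = f"https://{host}{LOGIN_PATH}"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
        # FreeIPA's session endpoints reject requests whose Referer is not under /ipa.
        "Referer": f"https://{host}/ipa",
    }
    body = urlencode({"user": username, "password": password})
    return url, headers, body


def parse_filter(pattern):
    """Connector filter pattern -> JSON-RPC options dict (mapping assumed by this example).
    '*' (or empty) means no options, i.e. find everything;
    'option1=value1--option2=value2' becomes {'option1': 'value1', 'option2': 'value2'}."""
    pattern = pattern.strip()
    if pattern in ("", "*"):
        return {}
    options = {}
    for clause in pattern.split("--"):
        if "=" not in clause:
            raise ValueError(f"filter clause without '=': {clause!r}")
        key, _, value = clause.partition("=")
        options[key.strip()] = value.strip()
    return options


def rpc_payload(method, args=(), options=None, request_id=0):
    """FreeIPA JSON-RPC body: params is a two-element list [positional args, options]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": request_id}


def build_rpc_request(host, method, args=(), options=None, request_id=0):
    """JSON POST to /ipa/session/json carrying the method named in the payload."""
    url = f"https://{host}{RPC_PATH}"
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": f"https://{host}/ipa",
    }
    return url, headers, json.dumps(rpc_payload(method, args, options, request_id))


def search_payload(object_type, pattern):
    """Synchronization search: user_find for users, group_find for groups."""
    method = {"user": "user_find", "group": "group_find"}[object_type]
    return rpc_payload(method, (), parse_filter(pattern))


class IpaSession:
    """Minimal live client: log in once, then issue JSON-RPC calls with the session cookie."""

    def __init__(self, host):
        self.host = host
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

    def login(self, username, password):
        """True on HTTP 200 (session cookie set), False on 401 (credentials rejected)."""
        url, headers, body = build_login_request(self.host, username, password)
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        try:
            with self.opener.open(req) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code == 401:
                return False
            raise

    def call(self, method, args=(), options=None):
        """Run one method; a non-null 'error' member in the reply is raised as an exception."""
        url, headers, body = build_rpc_request(self.host, method, args, options)
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        with self.opener.open(req) as resp:
            reply = json.load(resp)
        if reply.get("error"):
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply["result"]


if __name__ == "__main__":
    # Placeholder host and credentials; point at a real IPA instance to run live.
    session = IpaSession("ipa.example.test")
    if session.login("admin", "CHANGE-ME"):
        print(session.call("user_show", ["jdoe"]))
        print(session.call("group_find", [], parse_filter("cn=admins")))
```

The login outcome is decided purely on the HTTP status (200 with a session cookie versus 401), which is the Success connection / No success connection distinction the test connection reports; the request builders are separated from the network code so the payloads can be inspected without a server.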

Overall, the following methods are used for API operations with the FreeIPA connector.

Method                                   Description
user_add, user_mod                       Save operation.
user_show                                Lookup operation (for a single user only).
user_enable                              Resume operation.
user_disable                             Suspend operation.
user_del                                 Delete operation.
user_find, group_find                    Objects for a search request.
group_add_member, group_remove_member    Modifying the set of users in a group.

OpenIAM, in turn, can receive the following attributes from the IPA system:

  • objectclass
  • cn
  • gecos
  • ipauniqueid
  • krblastpwdchange
  • krbpasswordexpiration
  • krbextradata
  • sn
  • givenname
  • gidnumber
  • loginshell
  • nsaccountlock
  • uidnumber
  • homedirectory
  • uid
  • krbprincipalname
  • has_password
  • has_keytab
  • preserved
  • memberof_group
  • dn
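
A user_show reply carries these attributes inside result.result, mostly as one-element lists, with nsaccountlock driving the suspend/resume state the connector exposes. The following is an added example, not OpenIAM's or FreeIPA's code, showing how such a reply is unwrapped and checked against the attribute list above. The reply bodies are constructed samples, not captured from a server, and the datetime wrapping and error code used in them are assumptions of the example.

```python
import json

# Attributes the page lists as received from IPA for a user.
IPA_USER_ATTRIBUTES = (
    "objectclass", "cn", "gecos", "ipauniqueid", "krblastpwdchange",
    "krbpasswordexpiration", "krbextradata", "sn", "givenname", "gidnumber",
    "loginshell", "nsaccountlock", "uidnumber", "homedirectory", "uid",
    "krbprincipalname", "has_password", "has_keytab", "preserved",
    "memberof_group", "dn",
)

# Attributes that are genuinely multi-valued and must stay lists.
MULTI_VALUED = {"objectclass", "memberof_group"}

# Constructed sample of a user_show reply (not captured from a real server).
SAMPLE_USER_SHOW = json.loads("""
{
  "result": {
    "result": {
      "objectclass": ["top", "person", "posixaccount", "inetuser", "ipaobject"],
      "cn": ["Jane Doe"], "gecos": ["Jane Doe"],
      "ipauniqueid": ["00000000-0000-4000-8000-000000000001"],
      "krblastpwdchange": [{"__datetime__": "20240101120000Z"}],
      "krbpasswordexpiration": [{"__datetime__": "20240401120000Z"}],
      "sn": ["Doe"], "givenname": ["Jane"], "gidnumber": ["1001"],
      "loginshell": ["/bin/bash"], "nsaccountlock": false, "uidnumber": ["1001"],
      "homedirectory": ["/home/jdoe"], "uid": ["jdoe"],
      "krbprincipalname": ["jdoe@EXAMPLE.TEST"],
      "has_password": true, "has_keytab": false, "preserved": false,
      "memberof_group": ["ipausers", "developers"],
      "dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test"
    },
    "value": "jdoe",
    "summary": null
  },
  "error": null,
  "id": 0
}
""")

# Constructed error reply for a lookup of a user that does not exist.
SAMPLE_NOT_FOUND = {
    "result": None,
    "error": {"code": 4001, "message": "jdoe: user not found", "name": "NotFound"},
    "id": 0,
}


class IpaRpcError(Exception):
    """Raised when the JSON-RPC reply carries a non-null 'error' member."""

    def __init__(self, error):
        super().__init__(f"{error.get('name')} ({error.get('code')}): {error.get('message')}")
        self.code = error.get("code")
        self.name = error.get("name")


def rpc_error(reply):
    """The 'error' member of a JSON-RPC reply, or None on success."""
    return reply.get("error")


def extract_result(reply):
    """Unwrap the attribute dict from reply.result.result; raise on an RPC error."""
    if reply.get("error"):
        raise IpaRpcError(reply["error"])
    return reply["result"]["result"]


def flatten_attributes(raw):
    """Unwrap one-element lists into scalars; keep known multi-valued attributes as lists."""
    flat = {}
    for name, value in raw.items():
        if isinstance(value, list) and name not in MULTI_VALUED and len(value) == 1:
            value = value[0]
        if isinstance(value, dict) and "__datetime__" in value:
            value = value["__datetime__"]  # datetime values arrive wrapped in an object
        flat[name] = value
    return flat


def account_status(attrs):
    """nsaccountlock is what the connector's suspend and resume operations toggle."""
    return "suspended" if attrs.get("nsaccountlock") else "active"


def missing_attributes(attrs):
    """Which of the attributes the page lists are absent from this reply."""
    return [name for name in IPA_USER_ATTRIBUTES if name not in attrs]


if __name__ == "__main__":
    attrs = flatten_attributes(extract_result(SAMPLE_USER_SHOW))
    print(attrs["uid"], account_status(attrs), attrs["memberof_group"])
    print("absent from reply:", missing_attributes(attrs))
```

Checking the error member before touching result matters because on a failed lookup result is null and a direct index would mask the real cause; the missing-attribute check is a convenient way to see which of the listed attributes a given IPA version actually returns for a user.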

Configuring Managed system

OpenIAM has an out-of-the-box Managed system configuration named Red Hat Identity Management IPA, which can be found by logging in to the webconsole and going to Provisioning > Managed system. It can be used as is, since it is already largely configured. The only change users need to make is specifying the Host URL (the instance URL), Login ID and Password. The latter two are the credentials for an account that can manage the IPA service.

FreeIPA Managed system

Note: Please make sure that you have an attribute with the name shown in the screenshot above.

When clicking on the Policy map tab on the left of the Managed system page, one can see a policy map for user provisioning. This policy map has the required fields for user provisioning; however, they can be expanded to cover the fields supported by the target system.

Policy map

Synchronization

OpenIAM provides two pre-configured synchronization options for FreeIPA:

  1. User Synchronization
    • Matches users by employee ID and employee ID number.
  2. Group Synchronization
    • Matches groups by name and cn.

To access synchronization settings:

  1. Log in to the Web Console.
  2. Navigate to Provisioning > Synchronization.
  3. Search for Red Hat Identity Management IPA.

Both synchronization configurations come with example transformation scripts.

Note: In the event of difficulties in getting the required values to configure the connector, please visit the respective IPA documentation portal.