FreeIPA
Draft version. Content is hallucinated. Do not use!

LDAP Directory Services

Centralized user and group management with 389 Directory Server for scalable identity storage

Overview

FreeIPA integrates 389 Directory Server to provide a robust, scalable LDAP directory for storing user accounts, groups, hosts, services, and policies. This centralized repository ensures consistent identity information across your entire infrastructure.

Key Capabilities

User Account Management

Comprehensive user lifecycle management with rich attribute support:

  • Full name, email, phone, and organizational information
  • SSH public keys for key-based authentication
  • User certificates for PKI authentication
  • Custom attributes through schema extensions
  • Account status management (active, disabled, preserved)

Group Management

Flexible group structures for organizing users and hosts:

  • User Groups: Organize users by department, role, or project
  • Host Groups: Group systems for policy application
  • Nested Groups: Create hierarchical group structures
  • External Groups: Map to Active Directory or other LDAP sources
  • POSIX Groups: Traditional Unix groups with GID assignment

Organizational Structure

Model your organization’s hierarchy:

  • Organizational units for logical separation
  • Location-based organization
  • Role-based grouping
  • Custom container objects

LDAP Schema

FreeIPA extends the standard LDAP schema with custom object classes and attributes:

# Example user entry
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: ipaUser
uid: jsmith
cn: John Smith
givenName: John
sn: Smith
mail: jsmith@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jsmith
loginShell: /bin/bash
krbPrincipalName: jsmith@EXAMPLE.COM

Directory Replication

Multi-master replication ensures high availability and performance:

  • Automatic Replication: All FreeIPA servers replicate directory data
  • Conflict Resolution: Built-in mechanisms for handling update conflicts
  • Topology Management: Define replication topology for optimal performance
  • Read Scalability: Distribute read load across multiple replicas
  • Geographic Distribution: Deploy replicas close to users for low latency
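Added example (not FreeIPA project code) for the replication monitoring this section and Best Practice 4 describe: it parses constructed ldapsearch output of 389 DS replication agreement entries and conflict-marked entries, then flags agreements whose last update failed or is older than a threshold. The sample LDIF, host names and timestamps are constructed; the attribute names are the 389 DS ones, but the exact wording of the status string varies between server versions.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample, not real server output: two agreement entries and one conflict entry.
SAMPLE_LDIF = """\
dn: cn=meToipa2.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: ipa2.example.com
nsds5replicaLastUpdateEnd: 20240501120000Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded

dn: cn=meToipa3.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: ipa3.example.com
nsds5replicaLastUpdateEnd: 20240501090000Z
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server

dn: uid=jsmith+nsuniqueid=3a1f0c02-1dd211b2-8e7b9d1c-f0a4e001,cn=users,cn=accounts,dc=example,dc=com
nsds5ReplConflict: namingConflict uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif(text):
    """Split simple LDIF into a list of {attr_lowercase: [values]} (no line folding or base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def replication_findings(ldif, now, max_lag=timedelta(minutes=30)):
    """Return (host_or_dn, problem) for failed or stale agreements and for conflict entries."""
    findings = []
    for e in parse_ldif(ldif):
        if "nsds5replconflict" in e:                      # entry renamed by the conflict resolver
            findings.append((e["dn"][0], "conflict entry: " + e["nsds5replconflict"][0]))
            continue
        host = e.get("nsds5replicahost", ["?"])[0]
        status = e.get("nsds5replicalastupdatestatus", [""])[0]
        code = re.match(r"(?:Error\s*)?\(?(-?\d+)\)?", status)  # "Error (0) ..." or "0 ..." forms
        if code is None or int(code.group(1)) != 0:
            findings.append((host, "last update failed: " + status))
        end = e.get("nsds5replicalastupdateend", [""])[0]
        ended = datetime.strptime(end, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc) if end else now
        if now - ended > max_lag:
            findings.append((host, f"no successful update for {now - ended}"))
    return findings

def demo(now=datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)):  # fixed clock for the sample
    return replication_findings(SAMPLE_LDIF, now)
```

On a live server the same input comes from an ldapsearch against cn=config for objectClass=nsds5replicationagreement and a search for (nsds5ReplConflict=*) on the user suffix.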

Access Control

Fine-grained access control lists (ACLs) protect directory data:

  • Self-service user updates (password, contact info)
  • Delegated administration for specific organizational units
  • Role-based access control for administrative tasks
  • Attribute-level permissions
  • Dynamic ACLs based on group membership
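Added example (not FreeIPA project code) that audits the 389 DS ACIs behind the access controls listed above: it parses each ACI's target, targetattr and allow rules and flags write rights granted to anyone/all, write rules without attribute-level or subtree scoping, and read rules that expose userPassword. The four sample ACIs are constructed for the example and are not FreeIPA's shipped ACIs.

```python
import re
from typing import List

# Constructed sample ACIs in 389 DS syntax (not taken from a real FreeIPA install).
SAMPLE_ACIS = [
    '(targetattr = "userPassword || mobile || telephoneNumber")(version 3.0; acl "Self service"; allow (write) userdn = "ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "Anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(target = "ldap:///cn=users,cn=accounts,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "HR delegation"; allow (write, add, delete) groupdn = "ldap:///cn=hr-admins,cn=groups,cn=accounts,dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "Too broad"; allow (all) userdn = "ldap:///all";)',
]
WRITE_RIGHTS = {"write", "add", "delete", "all", "selfwrite", "proxy"}
BROAD_BIND = ("ldap:///anyone", "ldap:///all")   # anonymous and "all authenticated users"

def parse_aci(aci: str):
    """Return (name, target, targetattr, negated, rules); regex-based, enough for common ACIs."""
    name = re.search(r'acl\s+"([^"]*)"', aci).group(1)
    target = re.search(r'\(\s*target\s*=\s*"([^"]*)"\s*\)', aci)
    attr = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    rules = [(kind, {r.strip() for r in rights.split(",")}, bind.strip())
             for kind, rights, bind in re.findall(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', aci)]
    return (name, target.group(1) if target else None, attr.group(2) if attr else None,
            bool(attr and attr.group(1) == "!="), rules)

def audit_aci(aci: str) -> List[str]:
    """Flag ACIs that hand out write-class rights too widely or expose password hashes."""
    name, target, targetattr, negated, rules = parse_aci(aci)
    findings = []
    for kind, rights, bind in rules:
        if kind != "allow":
            continue                                  # deny rules only narrow access
        broad = any(b in bind for b in BROAD_BIND)
        writes = bool(rights & WRITE_RIGHTS)
        reads = bool(rights & {"read", "all"})
        if writes and broad:
            findings.append(f"{name}: {sorted(rights)} granted to {bind}")
        if writes and (targetattr in (None, "*") or negated):
            findings.append(f"{name}: write access without attribute-level scoping")
        if writes and target is None and "ldap:///self" not in bind:
            findings.append(f"{name}: write access not scoped to a subtree")
        if reads and broad and (targetattr == "*" or negated or "userPassword" in (targetattr or "")):
            findings.append(f"{name}: userPassword readable by {bind}")
    return findings
```

Feed it the aci values from an ldapsearch for "(aci=*)" over the suffix to review the live policy.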

Integration Features

LDAP Clients

Any LDAP-aware application can query FreeIPA:

# Search for all users
ldapsearch -x -H ldap://ipa.example.com \
  -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" \
  -W -b "cn=users,cn=accounts,dc=example,dc=com" \
  "(objectClass=person)"

SSSD Integration

System Security Services Daemon (SSSD) provides optimized FreeIPA client access:

  • Intelligent caching for offline authentication
  • Fast user and group lookups
  • Automatic failover between replicas
  • Kerberos ticket management

Synchronization

Synchronize with external directories:

  • Active Directory synchronization via trust relationships
  • Custom LDAP directory synchronization
  • Selective attribute synchronization
  • Bi-directional sync capabilities

Schema Customization

Extend the directory schema for custom requirements:

# Add a custom attribute and an auxiliary object class to the 389 DS schema (there is no
# "ipa attribute-add" command); the OIDs below are placeholders, use ones from your own arc
ldapmodify -x -H ldap://ipa.example.com -D "cn=Directory Manager" -W <<'EOF'
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'employeeID' DESC 'Employee Identification Number' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'employeeIDObject' SUP top AUXILIARY MAY ( employeeID ) X-ORIGIN 'user defined' )
EOF
# Add the new auxiliary object class to the default object classes of newly created users
ipa config-mod --addattr=ipaUserObjectClass=employeeIDObject

Performance Optimization

Indexing

FreeIPA automatically maintains indexes for common queries:

  • uidNumber and gidNumber for POSIX lookups
  • cn and uid for user searches
  • member and memberOf for group operations
  • Custom indexes for frequently searched attributes

Caching

Multiple caching layers improve performance:

  • SSSD client-side caching
  • Directory server entry cache
  • Connection pooling in web UI and CLI
  • DNS caching for service discovery

Use Cases

Enterprise User Directory

Centralize user accounts for thousands of employees with:

  • Self-service password management
  • Automated provisioning and deprovisioning
  • Integration with HR systems
  • Compliance reporting

Application Integration

Enable applications to authenticate and query user information:

  • Web applications using LDAP bind
  • Email systems (Postfix, Dovecot, Exchange)
  • VPN solutions (OpenVPN, WireGuard)
  • Database authentication (PostgreSQL, MySQL)

Multi-Tenant Environments

Isolate different organizations or departments:

  • Separate organizational units
  • Delegated administration per tenant
  • Custom schema per tenant
  • Isolated replication agreements

Best Practices

  1. Plan Your Directory Structure: Design OU hierarchy before deployment
  2. Use Groups Effectively: Minimize direct user assignments, use groups
  3. Regular Backups: Backup directory data regularly
  4. Monitor Replication: Watch for replication lag and conflicts
  5. Audit Changes: Enable and review audit logs
  6. Schema Changes: Test schema modifications in development first

Getting Started

Create and manage users and groups:

# Create a user
ipa user-add jsmith --first=John --last=Smith \
  --email=jsmith@example.com --shell=/bin/bash

# Create a group
ipa group-add developers --desc="Development Team"

# Add user to group
ipa group-add-member developers --users=jsmith

# Query user information
ipa user-show jsmith