FreeIPA
Draft version. Content is hallucinated. Do not use!
policy

Policy Management

Centralized access control with HBAC, sudo rules, and SELinux user mapping

HBAC sudo SELinux Password Policies Kerberos Policies

Overview

FreeIPA provides comprehensive policy management capabilities to control user access, enforce security requirements, and maintain compliance. Centralized policy management ensures consistent security posture across your entire infrastructure.

Host-Based Access Control (HBAC)

Overview

HBAC rules control which users can access which hosts using which services. This provides fine-grained access control beyond traditional Unix permissions.

Rule Components

HBAC rules consist of four elements:

  • Who: Users or user groups
  • Accessing What: Hosts or host groups
  • Via Which Service: SSH, login, sudo, etc.
  • From Where: Source hosts (optional)

Creating HBAC Rules

# Create HBAC rule
ipa hbacrule-add developers_ssh_access \
  --desc="Allow developers SSH access to dev servers"

# Add users/groups
ipa hbacrule-add-user developers_ssh_access \
  --groups=developers

# Add hosts/host groups
ipa hbacrule-add-host developers_ssh_access \
  --hostgroups=dev_servers

# Add services
ipa hbacrule-add-service developers_ssh_access \
  --hbacsvcs=sshd

# Enable the rule
ipa hbacrule-enable developers_ssh_access

Rule Priority and Precedence

  • Rules are evaluated in order
  • First matching rule determines access
  • Default deny-all after FreeIPA deployment
  • Built-in “allow_all” rule (disabled by default)

Testing HBAC Rules

# Test access before deploying
ipa hbactest --user=jsmith --host=dev01.example.com \
  --service=sshd

# Detailed rule evaluation
ipa hbactest --user=jsmith --host=dev01.example.com \
  --service=sshd --rules --enabled

Sudo Rules

Overview

Centralize sudo access management across all systems with FreeIPA sudo rules, eliminating the need to manage /etc/sudoers files on individual hosts.

Rule Structure

Sudo rules define:

  • Who: Users or groups
  • On Which Hosts: Individual hosts or host groups
  • Can Run: Commands or command groups
  • As Which User: Target user (usually root)
  • With Options: NOPASSWD, PASSWD, etc.

Creating Sudo Rules

# Create sudo rule
ipa sudorule-add admin_full_access \
  --desc="Full sudo access for administrators"

# Add users
ipa sudorule-add-user admin_full_access \
  --groups=admins

# Add hosts
ipa sudorule-add-host admin_full_access \
  --hostgroups=all_servers

# Allow all commands
ipa sudorule-add-allow-command admin_full_access \
  --sudocmds=ALL

# Run as any user
ipa sudorule-mod admin_full_access --runasusercat=all

# No password required
ipa sudorule-add-option admin_full_access \
  --sudooption='!authenticate'

Command Groups

Organize commands for easier management:

# Create command group
ipa sudocmdgroup-add service_management \
  --desc="Service management commands"

# Add commands to group
ipa sudocmdgroup-add-member service_management \
  --sudocmds='/usr/bin/systemctl' \
  --sudocmds='/usr/sbin/service'

# Use in sudo rule
ipa sudorule-add-allow-command app_restart \
  --sudocmdgroups=service_management

Sudo Testing

# Test sudo access
ipa sudorule-show admin_full_access

# User tests their access
sudo -l

SELinux User Mapping

Overview

Map FreeIPA users to SELinux users to enforce mandatory access control based on user identity.

SELinux User Categories

  • unconfined_u: Unrestricted users
  • user_u: Regular unprivileged users
  • staff_u: Users who can switch roles
  • sysadm_u: System administrators
  • guest_u: Heavily restricted users

Creating SELinux Mappings

# Map administrators to sysadm_u
ipa selinuxusermap-add admin_mapping \
  --selinuxuser='sysadm_u:s0-s0:c0.c1023' \
  --desc="Map admins to sysadm_u"

# Add users
ipa selinuxusermap-add-user admin_mapping \
  --groups=admins

# Add hosts
ipa selinuxusermap-add-host admin_mapping \
  --hostgroups=production_servers

# Enable the rule
ipa selinuxusermap-enable admin_mapping

Order and Priority

# Set rule priority
ipa selinuxusermap-mod admin_mapping --order=1

# View all mappings
ipa selinuxusermap-find --all

Password Policies

Global Password Policy

Configure organization-wide password requirements:

# Modify global password policy
ipa pwpolicy-mod --minlife=1 \
  --maxlife=90 \
  --history=6 \
  --minclasses=3 \
  --minlength=12 \
  --maxfail=3 \
  --failinterval=300 \
  --lockouttime=600

Policy parameters:

  • minlife: Minimum password lifetime (days)
  • maxlife: Maximum password lifetime (days)
  • history: Number of previous passwords to remember
  • minclasses: Minimum character classes (uppercase, lowercase, digits, special)
  • minlength: Minimum password length
  • maxfail: Maximum failed login attempts
  • failinterval: Failed attempt window (seconds)
  • lockouttime: Account lockout duration (seconds)

Group-Specific Policies

Create different policies for different user groups:

# Create policy for admins group
ipa pwpolicy-add admins \
  --minlife=1 \
  --maxlife=60 \
  --history=10 \
  --minlength=16 \
  --maxfail=5

# Create policy for service accounts
ipa pwpolicy-add service_accounts \
  --maxlife=0 \
  --maxfail=0

Password Expiration Notifications

FreeIPA can notify users before password expiration:

# Configure notification
ipa config-mod --pwdexpnotify=14

Kerberos Policies

Ticket Policies

Control Kerberos ticket lifetimes and renewal:

# Global ticket policy
ipa krbtpolicy-mod --maxlife=86400 \
  --maxrenew=604800

# Per-user ticket policy
ipa krbtpolicy-mod jsmith \
  --maxlife=28800

Parameters:

  • maxlife: Maximum ticket lifetime (seconds)
  • maxrenew: Maximum renewable lifetime (seconds)

Authentication Indicators

Require specific authentication methods:

# Require OTP for specific service
ipa service-mod HTTP/webapp.example.com \
  --auth-ind=otp

# View authentication indicators
ipa service-show HTTP/webapp.example.com --all

Automember Rules

Auto-Assignment to Groups

Automatically assign users and hosts to groups based on attributes:

# Create automember rule for users
ipa automember-add --type=user developers_auto \
  --desc="Auto-assign to developers group"

# Add condition
ipa automember-add-condition --type=user developers_auto \
  --inclusive-regex='^dev-.*' \
  --key=uid

# Set target group
ipa automember-default-group-set --type=user \
  --default-group=developers developers_auto

Host Auto-Assignment

# Auto-assign hosts to groups
ipa automember-add --type=hostgroup web_servers_auto

# Add condition based on hostname
ipa automember-add-condition --type=hostgroup web_servers_auto \
  --inclusive-regex='^web[0-9]+\.example\.com$' \
  --key=fqdn

Delegation

Role-Based Administration

Delegate administrative tasks without granting full admin access:

# Create role
ipa role-add helpdesk --desc="Help Desk Support"

# Add privileges
ipa role-add-privilege helpdesk \
  --privileges="User Administrators" \
  --privileges="Group Administrators"

# Assign users to role
ipa role-add-member helpdesk --users=helpdesk_staff

Custom Permissions

Create fine-grained permissions:

# Create permission
ipa permission-add "Manage user passwords" \
  --type=user \
  --attrs=userPassword \
  --rights=write

# Add to privilege
ipa privilege-add "Password Management"
ipa privilege-add-permission "Password Management" \
  --permissions="Manage user passwords"

# Assign to role
ipa role-add-privilege helpdesk \
  --privileges="Password Management"

Compliance and Auditing

Audit Logging

FreeIPA logs all policy changes and access events:

# View audit logs
journalctl -u ipa -f

# Search for specific events
journalctl -u ipa | grep "hbacrule-add"

Compliance Reports

Generate reports for compliance:

# List all HBAC rules
ipa hbacrule-find --all

# List users with specific access
ipa hbacrule-show production_access --all

# Export sudo rules
ipa sudorule-find --all --raw > sudo_rules_export.json

Use Cases

Least Privilege Access

Implement principle of least privilege:

  • Grant minimum necessary access
  • Time-based access (add/remove from groups)
  • Just-in-time access elevation
  • Regular access reviews

Regulatory Compliance

Meet compliance requirements:

  • PCI DSS: Separate admin and user accounts
  • HIPAA: Audit all access to sensitive systems
  • SOX: Segregation of duties
  • GDPR: Access control and audit trails

Multi-Tier Architecture

Secure multi-tier applications:

  • Web tier: Limited sudo for web admins
  • App tier: Different access for app admins
  • Database tier: Restricted DBA access
  • Network isolation through HBAC

Best Practices

  1. Start Restrictive: Begin with deny-all and add specific allow rules
  2. Use Groups: Manage access through groups, not individual users
  3. Regular Reviews: Audit and update rules quarterly
  4. Testing: Test new rules in development before production
  5. Documentation: Document the purpose of each rule
  6. Naming Convention: Use descriptive rule names
  7. Least Privilege: Grant minimum necessary access
  8. Separation of Duties: Prevent conflicts of interest

Troubleshooting

HBAC Issues

# Check if SSSD is using HBAC
sssctl config-check

# Clear SSSD cache
sssctl cache-expire -E

# Detailed HBAC test
ipa hbactest --user=jsmith --host=server01.example.com \
  --service=sshd --rules --enabled --disabled

Sudo Issues

# Verify sudo rules are retrieved
sudo -l -U jsmith

# Check SSSD sudo responder
sssctl domain-status example.com

# Manual LDAP query for sudo rules
ldapsearch -x -b "ou=sudoers,dc=example,dc=com"

Getting Started

Basic policy setup workflow:

# 1. Disable allow_all rule
ipa hbacrule-disable allow_all

# 2. Create admin access rule
ipa hbacrule-add admin_access
ipa hbacrule-add-user admin_access --groups=admins
ipa hbacrule-add-host admin_access --hostgroups=all_hosts
ipa hbacrule-add-service admin_access --hbacsvcs=sshd
ipa hbacrule-enable admin_access

# 3. Create sudo rule for admins
ipa sudorule-add admin_sudo
ipa sudorule-add-user admin_sudo --groups=admins
ipa sudorule-add-host admin_sudo --hostgroups=all_hosts
ipa sudorule-add-allow-command admin_sudo --sudocmds=ALL
ipa sudorule-mod admin_sudo --runasusercat=all

# 4. Set password policy
ipa pwpolicy-mod --minlength=12 --maxlife=90

# 5. Test access
ipa hbactest --user=admin --host=server01.example.com --service=sshd