FreeIPA
Status: Final
FreeIPA is the open-source identity management platform for Linux/Unix environments sponsored by Red Hat and shipped in RHEL as Identity Management (IdM). It integrates 389 Directory Server (not OpenLDAP) + MIT Kerberos + BIND DNS + Dogtag CA + time sync (NTP/chrony) into a single platform, in effect "Active Directory for Linux."
Components
| Component | Role |
|---|---|
| 389 Directory Server (LDAP) | Identity store |
| MIT Kerberos KDC | Authentication |
| BIND DNS | Service discovery |
| Dogtag Certificate System | Internal CA |
| SSSD | Client-side auth agent |
| Certmonger | Certificate lifecycle on clients |
Conceptual Mapping to Active Directory
| Active Directory | FreeIPA |
|---|---|
| Domain Controller | IPA Server |
| NTDS.dit | 389-DS LDAP database |
| DNS | BIND (DNSSEC optional) |
| ADCS | Dogtag CA |
| Group Policy | HBAC (Host-Based Access Control) + sudo rules |
| Trust | Cross-realm Kerberos trust with AD |
AD Trust
FreeIPA can establish a forest trust with Active Directory (set up with `ipa-adtrust-install` and `ipa trust-add`), backed by cross-realm Kerberos keys between the IPA realm and the AD domain. AD users can then authenticate to IPA-enrolled Linux hosts with their AD credentials. The trust is one-way by default (AD users into IPA); a two-way trust must be requested explicitly and is what lets IPA identities be presented to AD.
Attack implication: the IPA KDC holds the inter-realm keys for the trust, so root on an IPA server or the Directory Manager credential can mint cross-realm tickets for arbitrary IPA identities. With a one-way trust that only affects access to IPA hosts; with a two-way trust it is a path from the IPA realm into AD, bounded by AD-side SID filtering and by whatever AD resources grant access to IPA-side groups. Where a two-way trust exists, treat IPA servers as Tier 0 for the AD forest.
Attack Surface
| Attack | Description |
|---|---|
| Directory Manager or `admin` compromise | Full directory control; `admin` belongs to the `admins` group, which can manage every object type in the tree |
| Kerberos key extraction | Principal keys are stored in 389-DS (`krbPrincipalKey`), encrypted under a master key the server also holds; root on an IPA replica or Directory Manager can recover every key, including `krbtgt` and the inter-realm keys |
| Dogtag CA compromise | Forge certificates for any IPA principal; IPA hosts trust the IPA CA for TLS, and where PKINIT and certificate mapping rules are enabled a forged client certificate yields a Kerberos TGT |
| Client `ipa` command abuse | Privileged IPA CLI for user/group/HBAC/sudo manipulation; any admin-level Kerberos ticket on any enrolled client is enough |
| SSSD cache abuse | `/var/lib/sss/db/cache_<domain>.ldb` on each client holds cached identities and, with `cache_credentials = True` (the ipa-client default), password hashes; readable as root, as is the host keytab in `/etc/krb5.keytab` |
| CVEs in IPA components | Separate codebases (IPA framework, 389-DS, MIT krb5, BIND, Dogtag/PKI, SSSD) each with their own advisory history; check each against the installed package versions rather than the IPA version alone |
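The HBAC rules that stand in for Group Policy in the mapping above, and the `ipa` CLI abuse in the table, both come down to who can write `cn=hbac,$SUFFIX` and what the rules there evaluate to. The following is an added example, not FreeIPA's own code: it parses HBAC rules exported as LDIF (the sample is constructed, modelled on the default `allow_all` rule plus one scoped rule) and reproduces the decision logic of `ipa hbactest`, with a check that flags blanket rules an attacker with `admin` rights might add or an operator might have forgotten to disable. Group, hostgroup and service-group membership is passed in explicitly because the real expansion comes from LDAP `memberOf` on the user, host and service entries.

```python
"""Offline HBAC evaluator for FreeIPA rules exported as LDIF.

Added example for this page; not FreeIPA's own code.  It parses the
ipaHBACRule entries under cn=hbac,$SUFFIX and reproduces the decision
that `ipa hbactest` (and SSSD on the client) makes: access is allowed if
at least one *enabled* rule matches user, host and service, otherwise it
is denied.  Only allow rules exist in current FreeIPA; deny rules were
removed.  Group expansion is supplied by the caller (constructed here).
"""
from dataclasses import dataclass, field

# Constructed sample export: the default allow_all rule plus one scoped rule.
SAMPLE_LDIF = """\
dn: ipaUniqueID=1,cn=hbac,dc=ipa,dc=example
objectClass: ipahbacrule
cn: allow_all
ipaEnabledFlag: TRUE
accessRuleType: allow
userCategory: all
hostCategory: all
serviceCategory: all

dn: ipaUniqueID=2,cn=hbac,dc=ipa,dc=example
objectClass: ipahbacrule
cn: admins_ssh_bastion
ipaEnabledFlag: TRUE
accessRuleType: allow
memberUser: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example
memberHost: fqdn=bastion.ipa.example,cn=computers,cn=accounts,dc=ipa,dc=example
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=ipa,dc=example
"""


@dataclass
class HbacRule:
    name: str
    enabled: bool = False
    user_all: bool = False
    host_all: bool = False
    service_all: bool = False
    users: set = field(default_factory=set)     # leading RDNs: uid=alice, cn=admins
    hosts: set = field(default_factory=set)     # leading RDNs: fqdn=..., cn=hostgroup
    services: set = field(default_factory=set)  # leading RDNs: cn=sshd, cn=svcgroup


def rdn(dn: str) -> str:
    """Leading RDN of a DN, lower-cased: 'cn=admins,cn=groups,...' -> 'cn=admins'."""
    return dn.split(",", 1)[0].strip().lower()


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader (no folded lines, no base64 '::' values).

    Entries are separated by blank lines; only ipaHBACRule entries are kept.
    """
    rules, entry = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
            continue
        if entry and "ipahbacrule" in {v.lower() for v in entry.get("objectclass", [])}:
            rules.append(HbacRule(
                name=entry["cn"][0],
                enabled=entry.get("ipaenabledflag", ["FALSE"])[0].upper() == "TRUE",
                user_all=entry.get("usercategory", [""])[0].lower() == "all",
                host_all=entry.get("hostcategory", [""])[0].lower() == "all",
                service_all=entry.get("servicecategory", [""])[0].lower() == "all",
                users={rdn(d) for d in entry.get("memberuser", [])},
                hosts={rdn(d) for d in entry.get("memberhost", [])},
                services={rdn(d) for d in entry.get("memberservice", [])},
            ))
        entry = {}
    return rules


def evaluate(rules, user, user_groups, host, host_groups, service, service_groups):
    """Return (allowed, names of matching rules).  No match means deny."""
    who = {f"uid={user}".lower()} | {f"cn={g}".lower() for g in user_groups}
    where = {f"fqdn={host}".lower()} | {f"cn={g}".lower() for g in host_groups}
    what = {f"cn={service}".lower()} | {f"cn={g}".lower() for g in service_groups}
    matched = [
        r.name for r in rules
        if r.enabled
        and (r.user_all or who & r.users)
        and (r.host_all or where & r.hosts)
        and (r.service_all or what & r.services)
    ]
    return bool(matched), matched


def blanket_rules(rules) -> list:
    """Enabled rules that admit every user on every host for every service."""
    return [r.name for r in rules if r.enabled and r.user_all and r.host_all and r.service_all]


def disable(rules, name: str) -> None:
    """Model `ipa hbacrule-disable NAME`."""
    for r in rules:
        if r.name == name:
            r.enabled = False


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    print("blanket rules still enabled:", blanket_rules(rules))
    print("bob -> bastion/sshd:", evaluate(rules, "bob", [], "bastion.ipa.example", [], "sshd", []))
    disable(rules, "allow_all")
    print("bob after disabling allow_all:", evaluate(rules, "bob", [], "bastion.ipa.example", [], "sshd", []))
    print("alice (admins):", evaluate(rules, "alice", ["admins"], "bastion.ipa.example", [], "sshd", []))
```

To run it against a real deployment, export the rules with an enrolled host's keytab or a user ticket, for example `ldapsearch -Y GSSAPI -LLL -H ldaps://ipa.example -b cn=hbac,dc=ipa,dc=example '(objectClass=ipahbacrule)'`, and feed the output to `parse_ldif`. The check worth automating is `blanket_rules`: on a fresh install `allow_all` is enabled, and a rule with all three categories set to `all` is also the fastest thing for an attacker holding an admin ticket to add with `ipa hbacrule-add`.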
Cross-Links
| Topic | Link |
|---|---|
| OpenLDAP | openldap |
| Linux SSSD | linux-sssd |
| Linux Kerberos | linux-kerberos |