On ke, 21 joulu 2022, Federico Ferrari via FreeIPA-users wrote:
Hi, I'm new to this channel and I'm studying the FreeIPA code in order to understand how things work, so I was wondering how FreeIPA works with 389 Directory Server in order to create the LDAP database and how it syncs with the OS users. If you can provide me a link to the code or a brief explanation of how it works, it would be very much appreciated. Also, I was wondering whether it would be possible for FreeIPA to support other directory servers such as OpenLDAP, or whether it already supports other servers; in that case, does someone know which other LDAP servers it supports? Thanks a lot to everyone.
FreeIPA is a solution comprised of several components, on both the server and client sides. The server side is tightly integrated and none of the server-side components can be replaced. The client side is mostly an installer that configures your system to use SSSD to operate. SSSD can talk to multiple directory services, including FreeIPA, Active Directory implementations, or generic LDAP servers, among others.

You cannot replace the 389-ds server in FreeIPA with OpenLDAP. FreeIPA implements 15 specialized plugins for 389-ds and relies on specific 389-ds integrated plugins and behaviors to provide the functionality you see as 'FreeIPA'. Replacing 389-ds with OpenLDAP would mean a rewrite of the majority of those plugins from scratch, as the LDAP server APIs are not compatible. This certainly would not be a FreeIPA server anymore.

The same goes for the MIT Kerberos KDC integration. FreeIPA provides its own database driver for the MIT Kerberos KDC which implements a lot of specialized logic that the standard LDAP KDB driver in MIT Kerberos does not implement at all. The FreeIPA KDB driver's complexity is on par with the Samba AD database driver.

You may want to read through the presentations and pages referenced at https://www.freeipa.org/page/Documentation#Developer_Documentation. It gives a lot of information and helps to understand some decisions made during FreeIPA development. We aren't updating freeipa.org anymore, but https://freeipa.readthedocs.io/en/latest/designs/index.html contains recent design documents for all new features which went into FreeIPA during the past several years.

Recently I have been working on reconstructing a high-level architecture view of FreeIPA from the administrators' point of view. It does not include anything detailed but should help at least with authentication and access flows. It does not cover certificate management or IPA objects' management at all either.
Maybe it would be useful to review too: https://talks.vda.li/talks/2022/freeipa-high-level-architecture.pdf

The FreeIPA source code is a must to look into as well. You'll find various references in the design pages to specific areas, but you need to read through the C and Python code and know about the LDAP schema to get through all of that. There is no shortcut. ;)

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
