Product SiteDocumentation Site

1.3. Relationships Between Servers and Clients

FreeIPA itself defines a domain, a group of machines that have shared configuration, policies, and identity stores. This shared configuration allows the machines (and users) within the domain to be aware of each other and operate together. This awareness can be used to enable cross-platform compatibility, like unifying Windows and Linux systems, or to enable infrastructure-wide single sign-on.

1.3.1. About FreeIPA Servers and Replicas

FreeIPA works by having identified servers which are the master stores of information for user and machine identities and domain-wide policies. These servers also host domain-related services such as Kerberos and DNS. The server essentially is a central repository of identity and policy information. This information is sent routinely to the clients.
Servers can be cloned and their information mirrored onto subordinate FreeIPA servers called replicas. FreeIPA servers are the data masters; replicas contain copies of that information, which is synchronized between the internal 389 Directory Server and Certificate System databases through mutual replication agreements.
Server and Replica Interactions
Figure 1.2. Server and Replica Interactions

Replicas can communicate with clients, the same as servers, so replicas provide a means to balance the loads on servers while using the same domain configuration. This load balancing is done automatically, using the SRV records in DNS. The SRV record priority sets the order that servers and replicas are contacted, while weight distributed the load between servers/replicas with the same priority. The server and replica DNS entries can be edited to change the load balancing, which is covered in Example 8.5, “SRV Record” and Section 8.12, “Changing Load Balancing for FreeIPA Servers and Replicas”.

1.3.2. About FreeIPA Clients

A client is simply any machine which is configured to operate within the FreeIPA domain, using its Kerberos and DNS services, NTP settings, and certificate services. That's an important distinction: a client does not require a daemon or (necessarily) an installed product. It requires only system configurations which direct it to use FreeIPA services.
For Fedora systems, a certain number of platform tools are available for FreeIPA to use, such as SSSD. These are FreeIPA-enabled platform applications, which is simply a way of saying that they are aspects of the underlying platform that work with FreeIPA services. Other tools, like certain PAM and NSS modules and FreeIPA command-line utilities, are provided as FreeIPA-specific packages that must be installed on the machine. These are FreeIPA-related components.
Server and Client Interactions
Figure 1.3. Server and Client Interactions

FreeIPA uses the local storage (cache) on a client to improve performance in a few ways:
  • Store FreeIPA information when the machine is offline.
  • Keep information active beyond its normal timeout period if the client cannot access the central server. The cache is persistent even after rebooting the machine.
  • Reduce the round-trip time of requests by checking information locally before looking at the server.
Information is stored either in an LDB database (similar to LDAP) or the local filesystem (as XML files), depending on the type of information.
  • Identity information (about users, machines, and groups) is stored in the LDB database, which uses the same syntax as an LDAP directory. This identity information is originally stored in the FreeIPA server's 389 Directory Server instance. Because this information changes frequently and is referenced frequently, it is important to be able to call the more current information quickly, which is possible using an LDB database on the client and the Directory Server on the server.
  • Policy information is more static than identity information, and it can include configuration for SELinux or sudo. These policies are set globally on the server and then are propagated to the clients. On the client, the policy information is stored in the filesystem in XML files which can be downloaded and converted into a native file for whatever service is being managed.
A specific set of services on the FreeIPA server interact with a subset of services and modules on the FreeIPA client. A client is any machine (a host) which can retrieve a keytab or certificates from the FreeIPA domain.
Interactions Between FreeIPA Services
Figure 1.4. Interactions Between FreeIPA Services

Figure 1.4, “Interactions Between FreeIPA Services” shows that Fedora uses two native daemons to interact with the FreeIPA server:
  • SSSD provides the user authentication for the machine and enforces host-based access control rules.
  • certmonger monitors and renews the certificates on the client. It can request new certificates for the services on the system, including virtual machines.
When a Fedora client is added to the domain (enrolled), its SSSD and certmonger are configured to connect to the FreeIPA server and the required Kerberos keytab and host certificates are created. (The host certificate is not used directly by FreeIPA; it may be used by other services, such as a web server.)