FreeIPA
Description
The FreeIPA connector uses the FreeIPA JSON-RPC API over HTTPS to discover user accounts, groups, HBAC (Host-Based Access Control) rules, and sudo rules within a FreeIPA or Red Hat Identity Management domain. It provides complete visibility into centrally managed Linux identity entitlements and role assignments.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| JSON-RPC API (HTTPS) | 443 TCP | Kerberos or username/password authentication |
What OrbisID Discovers
| Data | Source |
|---|---|
| User accounts | user_find JSON-RPC call |
| Groups | group_find JSON-RPC call |
| Group memberships | member_user from group records |
| HBAC rules | hbacrule_find JSON-RPC call |
| Sudo rules | sudorule_find JSON-RPC call |
| User enabled state | nsAccountLock attribute |
Connection Requirements
Required Permissions
Create a dedicated FreeIPA service account with read-only access to the directory; do not reuse admin or another privileged account for scanning.
Minimum permissions:
- Member of the ipausers group (new FreeIPA users are placed in it by default) or equivalent
- Read permission on the user, group, hbacrule, and sudorule object types; if the default read permissions have been tightened in your deployment, grant these through a role and privilege rather than by adding the scanner to admins
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | FreeIPA username (e.g., orbisid-scanner) |
| credential.password | FreeIPA password |
| system.hostname | FreeIPA server hostname (e.g., ipa.example.com) |
Network Requirements
The OrbisID server must have HTTPS access to the FreeIPA server on port 443.
Configuration Steps
- Create a dedicated service account in FreeIPA:
  ipa user-add orbisid-scanner --first=OrbisID --last=Scanner --password
  A password set by an administrator this way is marked expired by FreeIPA; log in once as orbisid-scanner (for example with kinit orbisid-scanner) and set a new password, otherwise every API login will be rejected as expired.
- Create a Credential in OrbisID:
  - Username: orbisid-scanner
  - Password: FreeIPA password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., FreeIPA – Corp Domain) |
| OS Type | FreeIpa |
| System Type | Directory Service |
| Hostname | FreeIPA server hostname |
| Credential | The scanning credential |
- Click Test Connection
- Click Save
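The following is an added example, not OrbisID's or FreeIPA's own code, of what the discovery listed under What OrbisID Discovers and the Test Connection step above amount to on the wire: a form login to the FreeIPA session endpoint, the four *_find JSON-RPC calls, and a fold of the results into a per-user entitlement map keyed on nsAccountLock, group membership, HBAC rules and sudo rules. It assumes the stock FreeIPA endpoints /ipa/session/login_password and /ipa/session/json, the CA file at /etc/ipa/ca.crt, and placeholder host and account names; the SAMPLE responses are constructed to match the shape of FreeIPA 4.x find output, not captured from a server. It also surfaces two of the failure modes from the Troubleshooting table: a 401 from the login endpoint (FreeIPA names the cause in the X-IPA-Rejection-Reason header, including password-expired) and a JSON-RPC error such as ACIError from a find call.

```python
"""Added example (not OrbisID's or FreeIPA's code): password-login to FreeIPA's JSON-RPC
API, run the four *_find calls the connector relies on, and fold the results into a per-user
entitlement map. Assumed: default endpoints, CA at /etc/ipa/ca.crt; SAMPLE is constructed."""
import http.cookiejar, json, ssl, urllib.error, urllib.parse, urllib.request

LOGIN_PATH = "/ipa/session/login_password"   # form login; success sets the ipa_session cookie
RPC_PATH = "/ipa/session/json"               # JSON-RPC endpoint bound to that session
FIND_CALLS = ("user_find", "group_find", "hbacrule_find", "sudorule_find")

def build_rpc_request(method, args=(), req_id=0, **options):
    """FreeIPA's JSON-RPC shape: params is [positional_args, options_dict]."""
    return {"method": method, "params": [list(args), {"all": True, **options}], "id": req_id}

def _as_list(v):
    """Attribute values arrive as lists; booleans and absent attributes arrive bare."""
    return [] if v is None else (list(v) if isinstance(v, (list, tuple)) else [v])

def _flag(entry, attr, default):
    """nsaccountlock / ipaenabledflag: bool in *_find output, "TRUE"/"FALSE" straight from LDAP."""
    raw = entry.get(attr, default)
    return raw if isinstance(raw, bool) else any(str(x).upper() == "TRUE" for x in _as_list(raw))

def unwrap_find_result(response):
    """Entries of a *_find response; raise on a JSON-RPC error (e.g. ACIError) or a truncated listing."""
    err = response.get("error")
    if err:
        raise RuntimeError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    if response["result"].get("truncated"):   # a partial listing would silently drop entitlements
        raise RuntimeError("search truncated: pass sizelimit=0 or raise the server search limit")
    return response["result"]["result"]

def summarize_entitlements(users, groups, hbac_rules, sudo_rules):
    """uid -> {enabled, groups, hbac, sudo}. Direct group membership only; a rule applies via
    memberuser_user, memberuser_group or usercategory=all, and disabled rules grant nothing."""
    summary = {_as_list(u["uid"])[0]: {"enabled": not _flag(u, "nsaccountlock", False),
                                       "groups": set(), "hbac": set(), "sudo": set()} for u in users}
    for g in groups:
        for uid in _as_list(g.get("member_user")):
            if uid in summary:
                summary[uid]["groups"].add(_as_list(g["cn"])[0])
    for kind, rules in (("hbac", hbac_rules), ("sudo", sudo_rules)):
        for r in rules:
            if not _flag(r, "ipaenabledflag", True):
                continue
            if _as_list(r.get("usercategory")) == ["all"]:
                targets = set(summary)
            else:
                targets = set(_as_list(r.get("memberuser_user")))
                for grp in _as_list(r.get("memberuser_group")):
                    targets |= {x for x, s in summary.items() if grp in s["groups"]}
            for uid in targets & set(summary):
                summary[uid][kind].add(_as_list(r["cn"])[0])
    return summary

class FreeIPASession:
    def __init__(self, host, ca_file="/etc/ipa/ca.crt"):
        self.base, self.jar = f"https://{host}", http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(   # trust only the IPA CA, keep the session cookie
            urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=ca_file)),
            urllib.request.HTTPCookieProcessor(self.jar))
        self.headers = {"Referer": f"{self.base}/ipa"}   # FreeIPA refuses requests without this

    def login(self, username, password):
        body = urllib.parse.urlencode({"user": username, "password": password}).encode()
        req = urllib.request.Request(self.base + LOGIN_PATH, data=body, headers={**self.headers,
                                     "Accept": "text/plain", "Content-Type": "application/x-www-form-urlencoded"})
        try:
            self.opener.open(req).close()
        except urllib.error.HTTPError as e:   # 401 names the cause: invalid-password, password-expired, ...
            raise PermissionError("login rejected: " + e.headers.get("X-IPA-Rejection-Reason", str(e.code)))
        if not any(c.name == "ipa_session" for c in self.jar):
            raise RuntimeError("login returned no ipa_session cookie")

    def call(self, method, **options):
        body = json.dumps(build_rpc_request(method, **options)).encode()
        req = urllib.request.Request(self.base + RPC_PATH, data=body, headers={**self.headers,
                                     "Accept": "application/json", "Content-Type": "application/json"})
        with self.opener.open(req) as resp:
            return unwrap_find_result(json.load(resp))

def discover(host, username, password, ca_file="/etc/ipa/ca.crt"):
    """Login plus the four searches; sizelimit=0 lifts the server-side search limit."""
    s = FreeIPASession(host, ca_file)
    s.login(username, password)
    return summarize_entitlements(*(s.call(m, sizelimit=0) for m in FIND_CALLS))

def _find(*entries):   # constructed entries wrapped in the *_find response envelope
    return {"result": {"result": list(entries), "count": len(entries), "truncated": False}, "error": None, "id": 0}

SAMPLE = {   # constructed sample, shaped like FreeIPA 4.x *_find --all output (not captured)
    "user_find": _find({"uid": ["alice"], "nsaccountlock": False}, {"uid": ["bob"], "nsaccountlock": True},
                       {"uid": ["carol"], "nsaccountlock": ["FALSE"]}),
    "group_find": _find({"cn": ["admins"], "member_user": ["alice"]}, {"cn": ["ops"], "member_user": ["alice", "bob"]}),
    "hbacrule_find": _find({"cn": ["allow_all"], "usercategory": ["all"], "ipaenabledflag": True},
                           {"cn": ["ops_ssh"], "memberuser_group": ["ops"], "ipaenabledflag": ["TRUE"]},
                           {"cn": ["old_rule"], "memberuser_user": ["carol"], "ipaenabledflag": False}),
    "sudorule_find": _find({"cn": ["admins_all"], "memberuser_group": ["admins"], "ipaenabledflag": True}),
}

def summarize_sample():
    return summarize_entitlements(*(unwrap_find_result(SAMPLE[m]) for m in FIND_CALLS))
```

Against a live server, discover("ipa.example.com", "orbisid-scanner", password) returns the same structure that summarize_sample() builds from the constructed data. Two design points matter for an entitlement inventory: the find calls are issued with sizelimit=0 and a truncated result is treated as an error, because a silently partial listing hides entitlements rather than revealing them; and group resolution here is direct membership only, so nested groups (a group that is a member of another group) would need an extra pass over member_group before the HBAC and sudo rules are matched.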
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid credentials | Verify the service account password; check whether it has expired |
| No users returned | Session cookie not set | Ensure the JSON-RPC session endpoint (/ipa/session/login_password) is reachable |
| 403 Forbidden | Insufficient permissions | Check the ACI (access control instructions) for the scanner account |
| SSL/TLS certificate error | FreeIPA CA not trusted | Add the FreeIPA CA (/etc/ipa/ca.crt) to the OrbisID trust store |