FOSDEM '09 is a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet.


Interview: Simo Sorce

Simo Sorce will give a talk about FreeIPA identity management at FOSDEM 2009.

Could you briefly introduce yourself?

My name is Simo Sorce. I have been an active Free Software developer for many years now. My main contributions have historically been within the Samba project, of which I have been a Team Member since 2001, and of which I am currently the GPL compliance officer. I am currently working mostly on FreeIPA, where I am one of the leading software architects. FreeIPA is a project that aims to provide an Identity Management System that is easy to use and set up, using an LDAP directory and Kerberos, along with other related technologies. Most of the software we are using or writing to make IdM easy has been available for a long time, but it has always been too complex to set up to become widespread. We hope that building a coherent set of tools and standards around known components, and making the final product easy to use, can help the adoption of modern, and most importantly Free Software based, tools, so that people don't become dependent on proprietary, lock-in-heavy solutions.

What will your talk be about, exactly?

I am going to give a brief introduction to FreeIPA. I will describe what challenges we faced in v1 and what we face for v2, and dive into technical details about the architecture and future developments.

What do you hope to accomplish by giving this talk? What do you expect?

My objective is to make this project better known. We see a community of enthusiasts already forming around our project and we are eager to see more. We also hope to see help in porting the software to other distributions. It's not as huge a task as building it from scratch, but so far we have concentrated only on Fedora and, by extension (with minor adjustments), Red Hat Enterprise Linux. We would love to see other distributions help modify the install scripts and port the missing components needed to build the full server and client bits.

How does the FreeIPA project compare with Novell Identity Manager?

For a start, this is a Free Software project, not a proprietary technology of a single company. We think that is important because we certainly believe that something as important as an Identity Management solution, which is at the core of the security of any organization, should be free. In my opinion organizations must be empowered to audit and manage their own risk. They must be able to support such a core infrastructure even if the developers that made it suddenly disappear or change business for any reason. Only Free Software gives you both the technical and legal means to do so.

On the technical side Novell IdM has certainly had a longer history and on some specific points they may be currently technically superior, but we have an aggressive roadmap and we are re-using existing proven reliable tools as much as possible, and we think the 'P' (Policy) and 'A' (Audit) parts will soon be extremely interesting differentiators. We are also actively working with the Fedora distribution to make FreeIPA integration even better (IPA is currently already distributed in Fedora), and we will continue to do so for all components.

One of the goals of FreeIPA v2 is to address the barriers to v1 usage. Which barriers are these?

V1 has many limitations we want to address; it needs better integration with the clients to be effective in managing an organization's security needs. From better centralized access control to offline capabilities and policy distribution, the naming system, etc. We are expanding v2 in all areas previously touched by v1, and more.

What does v2 add to the Identity functionality compared to v1?

One key piece for v2 is Machine Identity. In v1 we didn't have time to properly address the machine identity piece, but it is one of the key features of v2. To be able to manage machines and trust them, you need to provide machines with an identity so that they can have a Kerberos principal and use it to identify the machine itself to IPA. This allows us to easily encrypt communication and provide policies to controlled hosts, so that domain-wide security configurations can be easily controlled from the IPA console. We are also planning on adding a minimal CA to IPA, and tools to automatically deploy and renew X.509 service certificates to machines. This will make it much easier to keep track of your deployed certificates, obtain new ones, and renew or revoke them at will.

Which initial Policy and Audit functionality will v2 have?

We are working hard on providing a core policy engine and console for v2. We are concentrating on distributing security policies within the IPA framework, but the policy engine is built to be able to touch just about any configuration file you want it to. For audit we are concentrating on basic functionality to easily collect, safely transmit, and store audit logs for managed clients.

The target date of FreeIPA v2 is April/May 2009. Is this realistic? The goals of v2 are really ambitious.

We do indeed have very ambitious goals. I am not sure we will have the final v2 version ready by May, but I hope we will have at least a pre-release we can start to show off by that date.

How many developers are working on FreeIPA? Are these all Red Hat employees?

At the moment most developers are indeed on Red Hat payroll, although we have contributors from outside Red Hat and we definitely encourage people to participate if they are interested.

What's the difference between Red Hat Enterprise IPA and FreeIPA?

Red Hat Enterprise IPA is the supported version from Red Hat. We do thorough QA tests before releasing it (and in the process we often fix bugs that we then commit to FreeIPA), and provide related services to our paying customers. It is more or less like what Red Hat Enterprise Linux is with regard to Fedora: FreeIPA is our upstream, Red Hat Enterprise IPA is our branded and supported product.

Creative Commons License
This interview is licensed under a Creative Commons Attribution-No Derivative Works 2.0 Belgium License.