
Building Cross-Domain Trust Between FreeIPA Deployments

UA2.118 (Henriot) | Day 2 | 16:30 - 17:00 | Speakers: Alexander Bokovoy, Francisco Triviño García


Abstract

The FreeIPA and SSSD teams are working on making independent FreeIPA deployments interoperate. This talk outlines the progress made toward IPA-IPA trust, a feature that mirrors the existing integration with Active Directory (AD) but is adapted to modern, self-sufficient deployments that may not rely on traditional AD infrastructure.

IPA-IPA trust leverages Kerberos cross-realm authentication to establish secure relationships between distinct FreeIPA domains and allows seamless access to resources across trusted environments. Building on the existing support for AD trusts, the approach reuses proven mechanisms in FreeIPA and SSSD to resolve identities, enforce access policies, and manage trusted-domain configuration. This includes adapting the Kerberos authorization data extensions (the MS-PAC) that FreeIPA already uses for AD trusts to exchange identity details and group membership information securely.
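The cross-realm exchange described above can be traced by hand from a krb5.conf [capaths] stanza. The Python below is an added example for this page, not FreeIPA or SSSD code; the realm names IPA1.TEST, IPA2.TEST and IPA3.TEST and the krb5.conf fragment are constructed, and the parser accepts only the subset of krb5.conf syntax shown in that fragment. It lists the krbtgt tickets a client must obtain on the way to a service in another realm and flags two things a practitioner should check before blaming the trust itself: a route that [capaths] does not cover (a real KDC would then try the hierarchical path derived from realm names, which unrelated IPA realms normally do not share) and a trust configured in one direction only.

```python
"""Kerberos cross-realm ticket chain derived from a [capaths] stanza.

Added example for this page: not FreeIPA or SSSD code. The realm names,
the trust layout and the krb5.conf text below are constructed.
"""
from __future__ import annotations

import re

# Constructed krb5.conf fragment: IPA1 and IPA2 trust each other directly,
# IPA3 is reachable from IPA1 only through IPA2, and IPA3 knows nothing
# about IPA1 (a one-way gap, deliberately left in to show the check).
CAPATHS = """
[capaths]
    IPA1.TEST = {
        IPA2.TEST = .
        IPA3.TEST = IPA2.TEST
    }
    IPA2.TEST = {
        IPA1.TEST = .
        IPA3.TEST = .
    }
    IPA3.TEST = {
        IPA2.TEST = .
    }
"""


def parse_capaths(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {client_realm: {server_realm: [intermediate realms]}}.

    A value of "." means a direct hop; repeated lines for the same server
    realm extend the list of intermediates in order, as krb5.conf does.
    """
    paths: dict[str, dict[str, list[str]]] = {}
    client = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[capaths]"
            continue
        if not in_section:
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            client = m.group(1)
            paths.setdefault(client, {})
            continue
        if line == "}":
            client = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
        if m and client is not None:
            server, hop = m.groups()
            entry = paths[client].setdefault(server, [])
            if hop != ".":
                entry.append(hop)
    return paths


def ticket_chain(paths, client_realm, service, service_realm):
    """List (principal, issuing KDC realm) for every ticket a client in
    client_realm needs to reach service@service_realm.

    Raises LookupError when [capaths] gives no route between the realms.
    """
    if client_realm == service_realm:
        route = [client_realm]
    else:
        try:
            hops = paths[client_realm][service_realm]
        except KeyError:
            raise LookupError(
                f"no [capaths] route from {client_realm} to {service_realm}"
            ) from None
        route = [client_realm] + hops + [service_realm]
    chain = []
    for issuer, nxt in zip(route, route[1:]):
        # Cross-realm TGT krbtgt/<next realm>@<issuing realm>, protected by
        # the key both realms hold for that principal.
        chain.append((f"krbtgt/{nxt}@{issuer}", issuer))
    # The final service ticket always comes from the service's own KDC.
    chain.append((f"{service}@{service_realm}", service_realm))
    return chain


def trust_is_bidirectional(paths, a, b):
    """Each direction is its own krbtgt principal and [capaths] entry, so
    check both before expecting users of either realm to cross over."""
    return b in paths.get(a, {}) and a in paths.get(b, {})


if __name__ == "__main__":
    p = parse_capaths(CAPATHS)
    for principal, kdc in ticket_chain(p, "IPA1.TEST", "host/web.ipa3.test", "IPA3.TEST"):
        print(f"{kdc:10} issues {principal}")
    print("IPA1<->IPA2 bidirectional:", trust_is_bidirectional(p, "IPA1.TEST", "IPA2.TEST"))
    print("IPA1<->IPA3 bidirectional:", trust_is_bidirectional(p, "IPA1.TEST", "IPA3.TEST"))
```

Running it prints the three-ticket path IPA1 -> IPA2 -> IPA3 for a client in IPA1.TEST and reports that IPA1 and IPA3 are not mutually configured; a client in IPA3.TEST asking for a service in IPA1.TEST raises LookupError, which is the configuration gap to fix before looking at keys or SSSD.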

Key developments include enhancing SSSD to support multiple subdomain types, enabling it to handle IPA-specific identity structures, and introducing new mechanisms to facilitate identity information retrieval across trusted IPA domains. Initial experiments demonstrate the viability of this approach, with prototypes and Fedora-based builds available for testing.

This talk highlights the technical challenges, solutions, and progress achieved so far, offering insights into the collaborative efforts that aim to extend FreeIPA’s trust capabilities.

Speakers

Alexander Bokovoy
Francisco Triviño García
