Hello FreeIPA developers and community!
I'm excited to share with you a plugin I've developed for FreeIPA that extends its functionality with Group Policy management capabilities.
PROJECT OVERVIEW
I've created a FreeIPA plugin that extends the LDAP schema and provides both WEB and CLI interfaces for managing Group Policies in your domain.
Repository: https://github.com/danila-Skachedubov/freeipa-server-gpo.git
PURPOSE & MOTIVATION
This plugin is designed to bring Group Policy functionality to FreeIPA domains. While there are existing open-source solutions for Group Policies in Samba environments:
- GPUI - ADMX template editor: https://github.com/august-alt/gpui.git
- GPUpdate - Client-side policy application tool: https://github.com/altlinux/gpupdate.git
I recognized an opportunity to create a management layer specifically for FreeIPA. Although administrators may have alternative configuration management methods, I believe having native Group Policy functionality would be valuable for many FreeIPA deployments.
IMPLEMENTATION APPROACH
This implementation isn't a direct replica of traditional AD Group Policies due to fundamental differences in FreeIPA's LDAP data structure. Instead of Organizational Units (OUs), I've introduced the concept of POLICY CHAINS:
KEY CONCEPTS:
- Policy Chains serve as containers that link user groups and computer groups with GPO objects
- Sequential Processing - Policies within chains maintain ordered lists, allowing administrators to control application precedence when settings conflict
- Master-Level Ordering - Chains themselves are ordered in a Group Policy Master object, enabling precise control when users/computers belong to multiple groups across different chains
LEARN MORE
For detailed technical documentation, architecture diagrams, and usage examples, please refer to the comprehensive README.md in the repository.
COMMUNITY FEEDBACK
I would greatly appreciate feedback from the FreeIPA community and developers @freeipa on this implementation. I'm eager to hear your thoughts, answer questions, and discuss potential improvements.
Thank you for your time and consideration!
Best regards,
Daniel
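
An added sketch, not code from the plugin or its README, of how the two-level ordering described under KEY CONCEPTS could be resolved for one user on one computer, with an audit of the master ordering. All class, function and sample names are hypothetical; the matching rule (a chain applies when the user or the computer is in one of its groups) and the handling of chains missing from the master are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyChain:              # hypothetical model, not the plugin's schema
    name: str
    user_groups: frozenset
    computer_groups: frozenset
    gpos: tuple                 # GPO names in the chain's own order

def resolve(master_order, chains, user_groups, computer_groups):
    """Return (applied, problems).

    applied  -- [(chain, gpo), ...] in master order, then in-chain order
    problems -- ordering defects an administrator should review
    """
    by_name = {c.name: c for c in chains}
    applied, problems = [], []
    for pos, name in enumerate(master_order):
        if name in master_order[:pos]:
            problems.append(f"duplicate master entry: {name}")
            continue
        chain = by_name.get(name)
        if chain is None:
            problems.append(f"master references missing chain: {name}")
            continue
        # Assumed rule: either a user-group or a computer-group match applies.
        if chain.user_groups & user_groups or chain.computer_groups & computer_groups:
            applied.extend((name, gpo) for gpo in chain.gpos)
    # Assumption: a chain absent from the master has no defined position,
    # so it is reported instead of being applied at a guessed position.
    for name in by_name:
        if name not in master_order:
            problems.append(f"chain not ordered in master: {name}")
    return applied, problems

# Constructed sample data, not taken from a real deployment.
CHAINS = [
    PolicyChain("workstations", frozenset({"staff"}), frozenset({"desktops"}),
                ("baseline", "screen-lock")),
    PolicyChain("admins", frozenset({"sysadmins"}), frozenset(),
                ("admin-tools", "screen-lock")),
    PolicyChain("kiosks", frozenset(), frozenset({"kiosk-hosts"}),
                ("kiosk-lockdown",)),
]
MASTER_ORDER = ["workstations", "admins", "retired-chain"]

if __name__ == "__main__":
    applied, problems = resolve(MASTER_ORDER, CHAINS,
                                {"staff", "sysadmins"}, {"desktops"})
    for chain, gpo in applied:
        print(f"{chain}: {gpo}")
    for problem in problems:
        print("WARNING:", problem)
```

In the sample data the "kiosks" chain is never applied because it is missing from the master order, which is the kind of silent gap the audit list is meant to surface.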
