Hello FreeIPA developers and community!
 
I'm excited to share with you a plugin I've developed for FreeIPA that extends its functionality with Group Policy management capabilities.
 
PROJECT OVERVIEW
I've created a FreeIPA plugin that extends the LDAP schema and provides both web and CLI interfaces for managing Group Policies in your domain.
 
Repository: https://github.com/danila-Skachedubov/freeipa-server-gpo.git
 
PURPOSE & MOTIVATION
This plugin is designed to bring Group Policy functionality to FreeIPA domains. While there are existing open-source solutions for Group Policies in Samba environments:
 
GPUI - ADMX template editor: https://github.com/august-alt/gpui.git
 
GPUpdate - Client-side policy application tool: https://github.com/altlinux/gpupdate.git
 
I recognized an opportunity to create a management layer specifically for FreeIPA. Although administrators may have alternative configuration management methods, I believe having native Group Policy functionality would be valuable for many FreeIPA deployments.
 
IMPLEMENTATION APPROACH
This implementation isn't a direct replica of traditional AD Group Policies due to fundamental differences in FreeIPA's LDAP data structure. Instead of Organizational Units (OUs), I've introduced the concept of POLICY CHAINS:
 
KEY CONCEPTS:
 
Policy Chains serve as containers that link user groups and computer groups with GPO objects
 
Sequential Processing - Policies within chains maintain ordered lists, allowing administrators to control application precedence when settings conflict
 
Master-Level Ordering - Chains themselves are ordered in a Group Policy Master object, enabling precise control when users/computers belong to multiple groups across different chains
 
LEARN MORE
For detailed technical documentation, architecture diagrams, and usage examples, please refer to the comprehensive README.md in the repository.
 
COMMUNITY FEEDBACK
I would greatly appreciate feedback from the FreeIPA community and developers @freeipa on this implementation. I'm eager to hear your thoughts, answer questions, and discuss potential improvements.
 
Thank you for your time and consideration!
 
Best regards,
Daniel
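
The two-level ordering described under KEY CONCEPTS, sketched as an added example (not code from the plugin or its repository). The data model, all names, the rule that a chain applies when it links any of the user's or host's groups, and "later entry wins on conflict" are assumptions made for illustration; the README defines the actual behaviour.

```python
from dataclasses import dataclass

@dataclass
class Chain:                      # hypothetical model of a policy chain
    name: str
    user_groups: set
    computer_groups: set
    gpos: list                    # GPO names, in the chain's own order

def applicable_gpos(master_order, chains, user_groups, host_groups):
    """Walk chains in master order; return [(chain, gpo), ...] as applied."""
    applied = []
    for chain_name in master_order:
        chain = chains[chain_name]
        # Assumption: a chain applies if it links any group of the user or host.
        if chain.user_groups & user_groups or chain.computer_groups & host_groups:
            applied.extend((chain.name, gpo) for gpo in chain.gpos)
    return applied

def effective_settings(applied, gpo_settings):
    """Merge settings; assumption: later wins. Keep the source for auditing."""
    result = {}
    for chain, gpo in applied:
        for key, value in gpo_settings.get(gpo, {}).items():
            result[key] = (value, f"{chain}/{gpo}")
    return result

# Constructed sample data, not taken from the project.
MASTER_ORDER = ["baseline", "engineering", "kiosks"]
CHAINS = {
    "baseline": Chain("baseline", {"ipausers"}, {"all-hosts"},
                      ["screen-lock-15m", "usb-readonly"]),
    "engineering": Chain("engineering", {"engineers"}, {"dev-workstations"},
                         ["usb-allowed"]),
    "kiosks": Chain("kiosks", set(), {"kiosk-hosts"}, ["screen-lock-2m"]),
}
GPO_SETTINGS = {
    "screen-lock-15m": {"screen_lock_minutes": 15},
    "usb-readonly": {"usb_storage": "read-only"},
    "usb-allowed": {"usb_storage": "read-write"},
    "screen-lock-2m": {"screen_lock_minutes": 2},
}

if __name__ == "__main__":
    applied = applicable_gpos(MASTER_ORDER, CHAINS,
                              {"ipausers", "engineers"},
                              {"all-hosts", "kiosk-hosts"})
    for key, (value, source) in effective_settings(applied, GPO_SETTINGS).items():
        print(f"{key} = {value}  (from {source})")
```

Recording which chain and GPO supplied each final value makes it easy to spot a later chain loosening a baseline setting, here the engineer on a kiosk host ending up with read-write USB storage.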