Skip to navigationSkip to content
libvirtd docs
Commands

Manual nav

Search `/` or jump with `g` / `G`.

Portal

  • Home manual
  • Command explorer
Foundations6 sections
  • Overview1
  • Installation2
  • Platform1
  • Concepts5
  • Domains2
  • Domain XML2
Subsystems9 sections
  • Identity1
  • Automation2
  • Daemons3
  • virsh3
  • Networking5
  • Storage4
  • Security3
  • Observability2
  • Remote Access1
Operations6 sections
  • Migration2
  • Backup2
  • Performance3
  • Recovery1
  • Troubleshooting2
  • References2

/ search · g top · G quickstart

manidentityReviewed July 3, 2026

FreeIPA, SCIM, and Authority Boundaries

Problem statement Linux identity systems become unstable when human approval, source of truth ownership, and enforcement points are split without an explicit contract. FreeIPA may own host side policy and Kerberos identi

freeipascimidentityauthority

Problem statement

Linux identity systems become unstable when human approval, source-of-truth ownership, and enforcement points are split without an explicit contract. FreeIPA may own host-side policy and Kerberos identity, while SCIM may own lifecycle intent coming from an external platform. The failure is not mixed authority by itself. The failure is mixed authority without documented boundaries.

Operator guidance

  • Declare which system may create, disable, or re-enable identities.
  • Keep Linux enforcement close to FreeIPA, SSSD, and host policy.
  • Treat SCIM as a lifecycle input, not a magical replacement for host-side identity rules.
  • Record exception handling and approval paths in the same manual tree as the technical controls.

Related

  • Modular daemons context
  • Troubleshooting playbook

On this page

  • Problem statement
  • Operator guidance