manidentityReviewed July 3, 2026
FreeIPA, SCIM, and Authority Boundaries
Problem statement Linux identity systems become unstable when human approval, source of truth ownership, and enforcement points are split without an explicit contract. FreeIPA may own host side policy and Kerberos identi
freeipascimidentityauthority
Problem statement
Linux identity systems become unstable when human approval, source-of-truth ownership, and enforcement points are split without an explicit contract. FreeIPA may own host-side policy and Kerberos identity, while SCIM may own lifecycle intent coming from an external platform. The failure is not mixed authority by itself. The failure is mixed authority without documented boundaries.
Operator guidance
- Declare which system may create, disable, or re-enable identities.
- Keep Linux enforcement close to FreeIPA, SSSD, and host policy.
- Treat SCIM as a lifecycle input, not a magical replacement for host-side identity rules.
- Record exception handling and approval paths in the same manual tree as the technical controls.