Integration architecture
For FreeIPA deployments, FreeSCIM should consume identity events as eventual source-of-truth updates, not as a second control plane. The expected pattern is:
- Read LDAP/IPA attributes through a bounded trust path.
- Normalize identity fields to SCIM canonical types in a deterministic mapper.
- Emit user and group lifecycle events with idempotency keys.
- Persist audit events for every connector write and reconcile response.
Attribute contract and mapping risk
The most common integration failure is inconsistent attribute projection between directory schema and SCIM extension fields.
- Map uid and krbPrincipalName explicitly with a documented fallback path.
- Normalize group names and Distinguished Name values before write operations.
- Store mapping rules in code-reviewable configuration with explicit versioning.
Trust and hardening controls
FreeIPA Directory --(TLS + service principal)--> SCIM Auth Gateway --(idempotent payload)--> User/Group Writer --(audit)--> Event Store
Treat connector authentication, TLS policy, and audit sink as mandatory controls before high-impact writes.
Operational caveat
Do not mirror FreeIPA administrative groups into FreeSCIM managed groups unless there is an explicit change control owner. Directory-provisioned entitlement changes should follow approval steps and include rollback checkpoints.
Deployment and validation checklist
- Verify service account scope and lock it to least privilege for write APIs.
- Run synthetic tests for nested group import and user rename behavior.
- Confirm that stale LDAP values fail closed with actionable error categories.
FreeIPA mapping edge checks
- Validate uid/krbPrincipalName mapping before write operations.
- Normalize DN and group path collisions before sync batching.
- Attach source mapping revision in each audit record.
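A deterministic mapper covering the attribute contract above (uid/krbPrincipalName with a documented fallback, DN normalization, fail-closed error categories, an idempotency key, and the mapping revision carried in the audit record). This is an added illustration, not FreeSCIM's own code; the realm, the mapping-revision tag and the entry layout (attribute name to list of values) are assumptions.

```python
import hashlib
import json
import re

MAPPING_REVISION = "ipa-scim-map-r7"  # hypothetical tag from versioned mapping config
REALM = "EXAMPLE.TEST"                # constructed Kerberos realm

class MappingError(ValueError):
    """Fail-closed error carrying an actionable category for the audit sink."""
    def __init__(self, category, detail):
        super().__init__(f"{category}: {detail}")
        self.category = category

def normalize_dn(dn):
    """Lower-case RDN attribute types and strip whitespace around separators (values untouched)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise MappingError("MALFORMED_DN", dn)
        attr, value = rdn.split("=", 1)
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)

def map_user(entry):
    """Project one FreeIPA LDAP entry onto a SCIM core User; returns (user, key, audit)."""
    uid = (entry.get("uid") or [None])[0]
    principal = (entry.get("krbPrincipalName") or [None])[0]
    if uid and principal and principal.lower() != f"{uid}@{REALM}".lower():
        raise MappingError("PRINCIPAL_UID_MISMATCH", f"{uid} vs {principal}")
    if not uid and principal:          # documented fallback: derive uid from principal
        uid = principal.split("@", 1)[0]
    if not uid:
        raise MappingError("MISSING_IDENTIFIER", "no uid and no krbPrincipalName")
    if not entry.get("ipaUniqueID"):
        raise MappingError("MISSING_EXTERNAL_ID", "ipaUniqueID absent; refusing write")
    source_dn = normalize_dn(entry["dn"][0])
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": entry["ipaUniqueID"][0],
        "userName": uid.lower(),
        "active": entry.get("nsAccountLock", ["FALSE"])[0].upper() != "TRUE",
        "groups": sorted({normalize_dn(g) for g in entry.get("memberOf", [])}),
    }
    # Idempotency key: same revision + same normalized source + same payload => same key.
    canonical = json.dumps(user, sort_keys=True, separators=(",", ":"))
    key = hashlib.sha256(f"{MAPPING_REVISION}|{source_dn}|{canonical}".encode()).hexdigest()
    audit = {"mapping_revision": MAPPING_REVISION, "source_dn": source_dn, "idempotency_key": key}
    return user, key, audit
```

Only RDN attribute types and whitespace are normalized; DN attribute values are left as-is because case rules differ per attribute, so collisions that differ only by value case should be caught by a separate policy check.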