Red Hat Identity Management Overview
Thorsten Scherf, Senior Consultant
Red Hat Global Professional Services
Agenda
● What is Red Hat Identity Management?
● Main values
● Architecture
● Features
● Active Directory Integration
● Resources
What is Red Hat Identity Management?
● Red Hat Identity Management is a solution based on FreeIPA (or just IPA) open source technology
● IPA stands for Identity, Policy, Audit
● The FreeIPA open source project was started in 2007
● FreeIPA v1 was released in 2008
● FreeIPA v3 RC is available
Main values
● IPA is a domain controller for Linux/UNIX environments
● Think Active Directory, but for Linux
● A central server that stores identity information and the policies related to those identities, and performs authentication
High Level Architecture
(Architecture diagram; text recovered from the slide)
● Server components: KDC, LDAP, PKI, DNS
● Unix/Linux admin working against the server through the CLI/GUI
Why IPA?
● Identity and authentication is a complex problem – many disjoint technologies exist
● We want to make it simpler to deploy and use
● With the growing share of Linux among enterprise servers, there should be a server that has the needs of Linux clients at its heart
Features
● Centralized authentication via Kerberos or LDAP
● Identity management:
  ● users, groups, hosts, host groups, netgroups, services
● Manageability:
  ● Simple installation scripts for server and client
  ● Rich CLI and web-based user interface
  ● Pluggable and extensible framework for UI/CLI
  ● Flexible delegation and administrative model
Features (Continued)
● Certificate provisioning for hosts and services
● Serving sets of automount maps to different clients
● Advanced features:
  ● Host-based access control
  ● Centrally-managed SUDO
  ● Group-based password policies
  ● Automatic management of private groups
  ● Can act as NIS server for legacy systems
  ● Painless password migration
  ● Managed hosts
Features (Continued)
● SELinux policy management
● SSH key management
● Cross Kerberos-Trust for mixed IdM <-> AD setups
● Optional integrated DNS server managed by IPA
● Replication:
  ● Supports multi-server deployment based on multi-master replication
  ● User replication with MS Active Directory
  ● Separate topology for CAs
● Compatibility with a broad set of clients
Under the Hood
(Architecture diagram; text recovered from the slide)
● IPA Core: Directory Server, Kerberos KDC, NTP, DNS, CA, Management framework
● Managed host (client): ipa-client (configures SSSD, Certmonger and nss_ldap on enrollment), SSSD, Certmonger, nss_ldap
● Management Station: CLI, Browser (Web UI)
● Labelled interactions: Enrollment & un-enrollment; Authentication; Name lookups and service discovery; Cert tracking & provisioning; Other maps; Management; Users, Groups, Netgroups, HBAC
Client Configurations
● SSSD
  ● With IPA back end
  ● LDAP or Proxy for identity
  ● Kerberos or LDAP for authentication
  ● nss_ldap for other maps
● Non-SSSD
  ● LDAP (nss_ldap) or NIS (nss_nis) for identity
  ● LDAP (pam_ldap) or Kerberos (pam_krb5) for auth
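The two SSSD client options from this slide written out as an sssd.conf, side by side: the IPA back end, which also pulls HBAC and sudo policy from the server, and the generic LDAP-for-identity plus Kerberos-for-authentication combination. This is an added example, not from the deck; the domain names, server hostnames, realm and base DN are placeholders.

```ini
# Added example (not from the deck). All hostnames, the realm and the
# base DN are placeholders; adjust them to the environment.
[sssd]
services = nss, pam
domains = ipa.example.test, legacy.example.test

# Option 1: SSSD with the IPA back end. A single provider supplies
# identity, Kerberos authentication, HBAC access control and sudo rules
# from the IdM server, so policy stays centrally managed over LDAP.
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
# access_provider = ipa enforces the HBAC rules defined on the server;
# without it every IdM user may log in to this host.
access_provider = ipa
sudo_provider = ipa
ipa_domain = ipa.example.test
# _srv_ resolves the server through DNS SRV records (service discovery
# against the IdM-managed zone); the explicit name is the fallback.
ipa_server = _srv_, ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
cache_credentials = true

# Option 2: LDAP for identity, Kerberos for authentication. The password
# goes to the KDC, never over LDAP, so LDAP only needs to be trusted for
# identity data; TLS with certificate verification protects that lookup.
[domain/legacy.example.test]
id_provider = ldap
ldap_uri = ldaps://ldap.legacy.example.test
ldap_search_base = dc=legacy,dc=example,dc=test
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# demand rejects any server certificate that does not validate;
# never or allow would let a spoofed LDAP server feed bogus accounts.
ldap_tls_reqcert = demand
auth_provider = krb5
krb5_server = kdc.legacy.example.test
krb5_realm = LEGACY.EXAMPLE.TEST
cache_credentials = true
```

If auth_provider = ldap (the pam_ldap-style simple bind) is used instead of krb5, the same TLS settings become mandatory, because the user's password is then sent to the LDAP server in the bind.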
AD – IdM Integration
● For most companies, AD is the central hub of user identity management inside the enterprise
● All systems that AD users can access (including Linux) need access to AD, directly or indirectly, to perform authentication and identity lookups
● In some cases AD is the only allowed central authentication server, due to compliance requirements
● In some cases DNS is tightly controlled by the Windows side of the enterprise, and non-Windows systems need to adapt to this
Aspects of integration
● Authentication
  ● A user logs into a Linux system: how is the user authenticated?
● Identity lookup
  ● How does the system know about the right accounts?
  ● How are AD accounts mapped to POSIX?
● Name resolution and service discovery
  ● How does the system know where its authentication and identity server is?
● Policy management
  ● How are other identity-related policies managed on the system?
IdM Based Integration Option
(Integration diagram; text recovered from the slide)
● AD: KDC, LDAP, DNS
● IdM: KDC, LDAP, DNS
● Linux System: SSSD, obtaining authentication, identities, name resolution and policies (sudo, hbac, automount, selinux)
● Policies are centrally managed over LDAP
● A DNS zone is delegated by AD to IdM to manage the Linux environment
● Name resolution and service discovery queries are resolved against IdM
● Users are synchronized from AD to IdM
IdM – AD Trust
(Trust diagram; text recovered from the slide)
● AD: KDC, LDAP, DNS
● IdM: KDC, LDAP, DNS
● Linux System: SSSD, obtaining authentication, identities, name resolution and policies (sudo, hbac, automount, selinux)
● Policies are centrally managed over LDAP
● Domains trust each other. Users stay where they are, no synchronization needed
● A DNS zone is delegated by AD to IdM to manage Linux systems, or IdM has an independent namespace
● Client software connects to the right server depending on the information it needs
IdM 3.0
● Targeted for RHEL 6.4
● Cross Kerberos-Trust for mixed IdM <-> AD setups
● Multiple IdM domains
● SELinux policy management
● Additional standard maps
● UI enhancements
Future features
● Disk encryption key management
● External authentication integration (OTP)
● User certificate management
● RADIUS
CONFIDENTIAL – FOR USE UNDER NON-DISCLOSURE AGREEMENT ONLY
Resources
● Project wiki: www.freeipa.org
● Project trac: https://fedorahosted.org/freeipa/
● Code: http://git.fedorahosted.org/git/?p=freeipa.git
● SSSD: https://fedorahosted.org/sssd/
● Certmonger: https://fedorahosted.org/certmonger/
● Mailing lists:
Questions?