• No results found

Red Hat Identity Management

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Red Hat Identity Management"

Copied!
22
0
0

Loading.... (view fulltext now)

Download now ( 22 Page )

Full text

(1)

Red Hat Identity Management

Overview

Thorsten Scherf

Senior Consultant

(2)

2

Agenda

● What is Red Hat Identity Management?

● Main values

● Architecture

● Features

● Active Directory Integration

(3)

What is Red Hat Identity Management?

● Red Hat Identity Management is a solution based on

FreeIPA (or just IPA) open source technology

● IPA stands for Identity, Policy, Audit

● FreeIPA open source project was started in 2007

● FreeIPA v1 was released in 2008

(4)

Main values

● IPA is a domain controller for Linux/UNIX environment

● Think Active Directory but for Linux

● Central server that stores identity information, policies

(5)

High Level Architecture

KDC LDAP CLI/GUI Unix/Linux Admin PKI DNS

(6)

Why IPA?

● Identity and authentication is a complex problem –

many disjoint technologies exist

● We want to make it more simple to deploy and use

● With the growth of the Linux share of servers in the

enterprises there should be a server that has needs of Linux clients in its heart

(7)

Features

● Centralized authentication via Kerberos or LDAP

● Identity management:

● users, groups, hosts, host groups, netgroups, services

● Manageability:

● Simple installation scripts for server and client

● Rich CLI and web-based user interface

● Pluggable and extensible framework for UI/CLI

(8)

Features (Continued)

● Certificate provisioning for hosts and services

● Serving sets of automount maps to different clients

● Advanced features:

● Host-based access control

● Centrally-managed SUDO

● Group-based password policies

● Automatic management of private groups

● Can act as NIS server for legacy systems

● Painless password migration

(9)

Features (Continued)

● SELinux policy management

● SSH key management

● Cross Kerberos-Trust for mixed IdM <-> AD setups

● Optional integrated DNS server managed by IPA

● Replication:

● Supports server deployment based on the

multi-master replication

● User replication with MS Active Directory

● Separate topology for CAs

(10)

Under the Hood

IPA Core Directory Server Kerberos KDC NTP DNS Management framework Managed host (client) SSSD Management Station CLI Browser Certmonger ipa-client CA ConfiguresConfigures Configures Configures nss_ldap WEBUI Authentication Authentication Name lookups Name lookups and service and service discovery discovery

Cert tracking &

Cert tracking &

provisioning

provisioning

Other maps

Other maps

Enrollment & un-enrollment

Enrollment & un-enrollment

Management Management Users, Groups, Users, Groups, Netgroups, HBAC Netgroups, HBAC

(11)

Under the Hood

IPA Core Directory Server Kerberos KDC NTP DNS Management framework Managed host (client) SSSD Management Station CLI Browser Certmonger ipa-client CA Configures Configures nss_ldap WEBUI Authentication Name lookups and service discovery

Cert tracking & provisioning

Other maps

Enrollment & un-enrollment

Management

Users, Groups,

Users, Groups,

Netgroups, HBAC

(12)

Client Configurations

● SSSD

● With IPA back end

● LDAP or Proxy for identity

● Kerberos or LDAP for authentication

● nss_ldap for other maps

● Non-SSSD

● LDAP (nss_ldap) or NIS (nss_nis) for identity

(13)

AD – IdM Integration

● For most companies AD is the central hub of the user

identity management inside the enterprise

● All systems that AD users can access (including Linux)

need (in some way, i.e. directly or indirectly) to have access to AD to perform authentication and identity lookups

● In some cases the AD is the only allowed central

authentication server due to compliance requirements

● In some cases DNS is tightly controlled by the

Windows side of the enterprise and non Windows systems need to adapt to this

(14)

Aspects of integration

● Authentication

● User logs into a Linux system, how he is authenticated?

● Identity lookup

● How system knows about the right accounts?

● How AD accounts are mapped to POSIX?

● Name resolution and service discovery

● How system knows where is its authentication and

identity server?

● Policy management

● How other identity related policies are managed on the

(15)

IdM Based Integration Option

AD Linux System SSSD Authentication KDC LDAP DNS Identities Name resolution Policies sudo hbac automount selinux Policies are centrally managed over LDAP IdM KDC LDAP DNS A DNS zone is delegated by AD to IdM to manage Linux

environment Name resolution and service discovery queries are resolved against IdM Users are synchronized from AD to IdM

(16)

IdM – AD Trust

AD Linux System SSSD Authentication KDC LDAP DNS Identities Name resolution Policies sudo hbac automount selinux Policies are centrally managed over LDAP IdM KDC LDAP DNS

Domains trust each other. Users stay where they are, no synchronization needed

A DNS zone is delegated by AD to IdM to manage Linux systems or IdM has an independent namespace Client software connects to the right server depending on the information it needs

(17)

IdM 3.0

● Targeted for RHEL6.4

● Cross Kerberos-Trust for mixed IdM <-> AD setups

● Multiple IdM domains

● SELinux policy management

● Additional standard maps

(18)

Future features

● Disk encryption key management

● External authentication integration (OTP)

● User certificate management

(19)

19

CONFIDENTIAL – FOR USE UNDER NON-DISCLOSURE AGREEMENT ONLY

Resources

Project wiki:

www.freeipa.org

Project trac:

https://fedorahosted.org/freeipa/

Code:

http://git.fedorahosted.org/git/?p=freeipa.git

SSSD:

https://fedorahosted.org/sssd/

Certmonger:

https://fedorahosted.org/certmonger/

Mailing lists:

[email protected]

[email protected]

[email protected]

(20)

20

CONFIDENTIAL – FOR USE UNDER NON-DISCLOSURE AGREEMENT ONLY

Resources

Project wiki:

www.freeipa.org

Project trac:

https://fedorahosted.org/freeipa/

Code:

http://git.fedorahosted.org/git/?p=freeipa.git

SSSD:

https://fedorahosted.org/sssd/

Certmonger:

https://fedorahosted.org/certmonger/

Mailing lists:

[email protected]

[email protected]

[email protected]

(21)
(22)

References

Download now ( PDF - 22 Page - 332.98 KB )

Related documents

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

If Active Directory is installed on a Domain Controller running Windows 2000 Server (or higher), and the client browser supports the Kerberos authentication protocol, Kerberos

FreeIPA Cross Forest Trusts

Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA

Red Hat Enterprise IPA Identity & Access Management for Linux and Unix Environments. Dragos Manac

identities for machines &amp; services ■ costs Increased IT efficiency / reduced ■ Compliance. User and group host

SSSD. Client side identity management. LinuxAlt 2012 Jakub Hrozek 3. listopadu 2012

UNIX/Linux – LDAP, LDAP + Kerberos, NIS Windows – Active Directory (LDAP + Kerberos) LDAP is the most common identity store.. Centralized user databases.. Basic LDAP

Red Hat Enterprise ipa

Future versions of Red Hat Enterprise IPA will enable IT to group up users, services, machines, and vms, and then put in place policy that will centrally control who can access

System Security Services Daemon

Identity lookups with SSSD N etw or k B ou n d ar y Identity Server Authentication Server Client Client Client SSSD NSS Responder PAM Responder Domain Provider Auth Provider

LinuxCon North America

Identity Management Under the Hood FreeIPA Core Directory Server Kerberos KDC NTP DNS Management framework Managed host (client) SSSD Management Station CLI

Red Hat Enterprise Identity (IPA) Centralized Management of Identities & Authentication

Under the Hood IPA Core Directory Server Kerberos KDC NTP DNS Management framework Managed host (client) SSSD Management Station CLI Browser Certmonger