LinuxCon North America
Enterprise Identity Management with Open Source Tools
Dmitri Pal
Sr. Engineering Manager, Red Hat, Inc.
09.16.2013
Context
● What is identity management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
IdM Related Technologies
● Active Directory
  ● Main identity management solution deployed in more than 90% of the enterprises
● LDAP
  ● OpenLDAP
  ● 389 (RHDS)
  ● OpenDS
  ● ApacheDS
  ● SunDS
  ● eDirectory
IdM Related Technologies (cont)
● Kerberos
  ● MIT implementation
  ● Heimdal implementation
● Samba
  ● An open source clone of Active Directory
  ● A file server (Samba FS)
  ● A client component to join Active Directory (winbind)
IdM Related Technologies (cont)
● Web related technologies
  ● OpenID
  ● OAuth
  ● SAML
  ● WS-...
● Strong authentication
  ● Smart cards
Active Directory vs. Open Source
● Why is Active Directory so popular?
  ● It is an integrated solution
  ● It is relatively easy to use
  ● Offers a simple configuration for clients
  ● All the complexity is hidden from users and admins
Active Directory vs. Open Source (2)
● What about Open Source tools?
  ● Solve individual problems
  ● Bag of technologies lacking integration
  ● Hard to install and configure
  ● Too many options exposed, which to choose?
  ● Lack of good user interfaces
Introducing FreeIPA
● IPA stands for Identity, Policy, Audit
  ● So far we have focused on identities and related policies
● Main problems FreeIPA solves:
  ● Central management of authentication and identities for Linux clients, better than stand-alone LDAP/Kerberos/NIS-based solutions
  ● Acts as a gateway between the Linux infrastructure and the AD environment, making the infrastructure more manageable and more cost effective
High Level Conceptual Architecture
[Diagram: FreeIPA components KDC, LDAP, PKI, DNS and CLI/GUI, used by the Unix/Linux admin]
Features
● Centralized authentication via Kerberos or LDAP
● Identity management:
  ● Users, groups, hosts, host groups, netgroups, services
  ● Integrated identities
● Manageability:
  ● Simple installation scripts for server and client
  ● Rich CLI and web-based user interface
  ● Pluggable and extensible framework for UI/CLI
  ● Flexible delegation and administrative model
Features (continued)
● Certificate provisioning for hosts and services
● Serving sets of automount maps to different clients
● Advanced features:
  ● Host-based access control
  ● Centrally-managed SUDO
  ● Group-based password policies
  ● Automatic management of private groups
  ● Can act as NIS server for legacy systems
  ● Painless password migration
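Added example (not from the talk and not FreeIPA's own code) modelling how a host-based access control decision is made once the rules reach a client: every HBAC rule is an allow rule, access is granted if any enabled rule matches the user, the host and the PAM service, and the default is deny. Memberships, hostnames and rules are constructed; against a real server the `ipa hbactest` command performs the same check with live rules.

```python
"""Model of how FreeIPA host-based access control (HBAC) is evaluated on a
client: every rule is an allow rule, access is granted if any enabled rule
matches the user, the host and the PAM service, and the default is deny.
Added example, not the project's code; memberships and rules are constructed."""

ALL = "all"  # stands for usercategory / hostcategory / servicecategory = all

# Constructed memberships, as a client learns them from the directory.
USER_GROUPS = {"alice": {"admins", "devs"}, "bob": {"devs"}, "eve": set()}
HOST_GROUPS = {"web1.example.test": {"webservers"}, "db1.example.test": {"databases"}}
SERVICE_GROUPS = {"sshd": {"remote-login"}, "login": {"console"}, "sudo": set()}

# Constructed rules in a simplified shape (not the ipa CLI's output format).
RULES = [
    {"cn": "allow_all", "enabled": False, "users": ALL, "hosts": ALL, "services": ALL},
    {"cn": "devs_to_web", "enabled": True,
     "users": {"groups": {"devs"}}, "hosts": {"groups": {"webservers"}},
     "services": {"names": {"sshd"}}},
    {"cn": "admins_everywhere", "enabled": True,
     "users": {"groups": {"admins"}}, "hosts": ALL, "services": ALL},
]

def _matches(spec, name, groups):
    """A member spec matches via the 'all' category, a direct name, or a group."""
    if spec == ALL:
        return True
    return name in spec.get("names", set()) or bool(groups & spec.get("groups", set()))

def hbac_allowed(user, host, service, rules=RULES):
    """Return the cn of the first enabled rule granting access, or None (deny)."""
    for rule in rules:
        if not rule["enabled"]:
            continue
        if (_matches(rule["users"], user, USER_GROUPS.get(user, set()))
                and _matches(rule["hosts"], host, HOST_GROUPS.get(host, set()))
                and _matches(rule["services"], service, SERVICE_GROUPS.get(service, set()))):
            return rule["cn"]
    return None
```

Note that a disabled "allow everything" rule grants nothing: with no matching enabled rule the result is a deny.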
Features (continued)
● Optional integrated DNS server
● Replication:
  ● Supports server deployment based on multi-master replication
  ● User replication with MS Active Directory
  ● Flexibility in deploying Certificate Authorities on different replicas
Introducing SSSD
● SSSD is a service used to retrieve information from a central identity management system.
● SSSD connects a Linux system to a central identity store like:
  ● Active Directory
  ● FreeIPA
  ● Any other directory server
Introducing SSSD (continued)
● Multiple parallel sources of identity and authentication – domains
● All information is cached locally for offline use
  ● Remote data center use case
  ● Laptop or branch office system use case
● Advanced features for FreeIPA integration
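Added example (not from the talk or the SSSD project) that audits an sssd.conf for the points above: which domains the client is configured with, which provider backs each, whether credentials are cached for offline use, and whether a plain LDAP domain leaves transport or certificate verification weak. The sample configuration and hostnames are constructed; the option names (`domains`, `id_provider`, `cache_credentials`, `ldap_tls_reqcert`, `ldap_id_use_start_tls`, `access_provider`) are real SSSD options, and the defaults assumed for missing options are the SSSD defaults as I know them.

```python
"""Audit an sssd.conf for the SSSD concepts above: domains, providers and
offline caching.  Added example, not from the talk; config is constructed."""
import configparser

# Constructed sample sssd.conf: one FreeIPA domain and one plain LDAP domain.
SAMPLE_CONF = """[sssd]
domains = ipa.example.test, legacy.example.test
[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
cache_credentials = True
[domain/legacy.example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.legacy.example.test
ldap_tls_reqcert = never
cache_credentials = False
"""

def audit_sssd_conf(text):
    """Return {domain: [findings]} for every domain enabled in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    report = {}
    for dom in domains:
        sect, findings = "domain/" + dom, []
        if not cp.has_section(sect):
            report[dom] = ["listed in [sssd] but has no [domain/...] section"]
            continue
        idp = cp.get(sect, "id_provider", fallback="")
        findings.append("id_provider=%s auth_provider=%s" % (idp, cp.get(sect, "auth_provider", fallback=idp)))
        # Offline logins (laptop, branch office) only work with cached credentials.
        if cp.get(sect, "cache_credentials", fallback="false").lower() != "true":
            findings.append("no offline logins: cache_credentials is not True")
        # Plain LDAP backend: cleartext transport or an unverified server cert is a risk.
        if cp.get(sect, "ldap_uri", fallback="").startswith("ldap://") and \
                cp.get(sect, "ldap_id_use_start_tls", fallback="false").lower() != "true":
            findings.append("ldap:// without ldap_id_use_start_tls")
        if cp.get(sect, "ldap_tls_reqcert", fallback="hard").lower() in ("never", "allow"):
            findings.append("server certificate not verified (ldap_tls_reqcert)")
        # The ipa provider enforces HBAC only when it is also the access provider.
        if idp == "ipa" and cp.get(sect, "access_provider", fallback="permit") != "ipa":
            findings.append("HBAC not enforced: access_provider is not ipa")
        report[dom] = findings
    return report
```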
Identity Management Under the Hood
[Diagram, built up over several slides: FreeIPA Core (Directory Server, Kerberos KDC, NTP, DNS, CA, Management framework); Managed host (client) running SSSD, nss_ldap, Certmonger and ipa-client; Management Station with CLI and Browser (WEBUI). Flows: SSSD handles Authentication, Name lookups and service discovery, Other maps, and Users, Groups, Netgroups, HBAC; Certmonger handles Cert tracking & provisioning against the CA; ipa-client configures SSSD and nss_ldap and handles Enrollment & un-enrollment; the Management Station performs Management through the Management framework.]
FreeIPA and Active Directory
● User and password synchronization
● Cross realm Kerberos trusts
  ● Users in an AD domain can access resources in a FreeIPA domain and vice versa
  ● Many use cases are addressed; more need to be addressed in the future
FreeIPA and Web Technologies
● Green field – not much has been done
● What can be done:
  ● FreeIPA as an OpenID provider
  ● Can be integrated with an IdP to provide bridging between ESSO and identity federation via mod_auth_kerb
FreeIPA and Strong Authentication
● OTP support was recently introduced in FreeIPA
● First ever solution to provide OTP-based ESSO via Kerberos
● Features
  ● Proxy to external RADIUS server
FreeIPA Future
● More cross project integration
● Support of sophisticated AD integration use cases
● Polishing the OTP solution
● User certificate and smart card support
● Enhancements
  ● DHCP integration
FreeIPA and SSSD Communities
● Open
● Friendly
● Responsive
● Welcoming
Resources
● FreeIPA
  ● Project wiki: www.freeipa.org
  ● Project trac: https://fedorahosted.org/freeipa/
  ● Code: http://git.fedorahosted.org/git/?p=freeipa.git
  ● Mailing lists:
    – [email protected]
    – [email protected]
    – [email protected]
● SSSD: https://fedorahosted.org/sssd/
  ● Mailing lists:
    – [email protected]
    – [email protected]
● Certmonger: https://fedorahosted.org/certmonger/