Red Hat Identity Management - · PDF fileCentralizes Administration and Control ... Red Hat...
Transcript of Red Hat Identity Management - · PDF fileCentralizes Administration and Control ... Red Hat...
Red Hat Identity Management
( 2 / 25 )
Agenda
● Identity Management (IdM) in Red Hat Enterprise Linux● System Security Services Daemon (SSSD)● Active Directory Integration● Demo● Public Resources
Red Hat Identity Management
Identity Management (IdM) inRed Hat Enterprise Linux
( 4 / 25 )
Identity Management in Red Hat Enterprise Linux
● Implements Standards-Based, Integrated Components◼ Kerberos, LDAP, DNS and x.509 certificates provide a simple
integrated identity management solution● Reduces costs
◼ Leverage Red Hat IdM for your RHEL (and other Linux/Unix!) servers, potentially reducing licensing costs for third-party directory servers like Active Directory.
● Simplify Management◼ Consistent user, group, sudo, selinux, automounts (and more!)
management throughout the RHEL environment
( 5 / 25 )
Identity Management in Red Hat Enterprise Linux
● Enhances Security◼ Centralizes authentication, authorization and access control for
UNIX/Linux environments● Provides eSSO (enterprise Single Sign-On) via Kerberos
◼ Enables users to access many different enterprise resources after their initial log-in without having to log in again and again
● Centralizes Administration and Control◼ Easily consolidate and manage identity servers in a UNIX/Linux
environment; with the option to interoperate with Active Directory
( 6 / 25 )
Identity Management in RHEL: Features
● Command Line Interface● Web Based GUI
◼ Management Console◼ User Self Service
● Enterprise SSO for Kerberos aware applications● Interoperability with Microsoft Active Directory domains● Smooth migration paths from NIS and LDAP services● Two Factor Authentication w/One Time Passwords (OTP)● Up to 20 servers and replicas and an unlimited number of
clients in a single domain (~ 2,000 clients per server)
( 7 / 25 )
Identity Management in RHEL: Features
● Centralized management of:◼ Automounts◼ Global Password Policies ◼ Host Based Access Control (HBAC)◼ Integrated DNS (optional - can be delegated)◼ Selinux Configurations and User Mappings◼ SSH Key Management
● Host Fingerprints● User SSH keys
◼ SSL Certificate Management● Server, Services and Users
◼ Sudoers
( 8 / 25 )
IdM – simplified architecture view
( 9 / 25 )
IdM Components in Red Hat Enterprise Linux
IdM Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
Management Station
CLI
Browser
CertMonger
ipa-client
CA
Configures
Configures
nss_ldap
WEBUI
Authentication
Name lookupsand servicediscovery
Cert tracking &provisioning
Other maps
Enrollment & un-enrollment
Management
Users, Groups, Netgroups, HBAC
( 10 / 25 )
IdM Design Considerations
● Internal or External DNS◼ Internal easier to manage, but customers usually have their own
DNS already◼ Side step the problem via zone delegation
● Desired integration with Active Directory◼ User/Group and Password Sync◼ Active Directory Trusts (RHEL7)
● Multi-Site◼ Server selection (6.4), Preferred servers
● Certificate Setup◼ Root CA or subordinate CA
Red Hat Identity Management
System Security Services Daemon (SSSD)
( 12 / 25 )
What is SSSD?
● The System Security Services Daemon (SSSD) provides access to different identity and authentication providers. SSSD is an intermediary between local clients and any configured data store. Local clients connect to SSSD and then SSSD contacts the external providers. SSSD provides a number of benefits for administrators:◼ Credential caching / Offline authentication◼ Reduced load on authentication/identification servers◼ Able to handle multiple configurations simultaneously
( 13 / 25 )
What is SSSD?
● SSSD recognizes domains, which are associated with different identity servers. Domains are a combination of an identity provider and an authentication method
● SSSD works with LDAP identity providers ◼ IdM in RHEL◼ Red Hat Directory Server◼ OpenLDAP◼ Microsoft Active Directory
● SSSD also works with other native LDAP authentication or Kerberos authentication
( 14 / 25 )
● How do I know if sssd is being used◼ Is the service running (sssd)◼ In /etc/nsswitch.conf, look for the 'sss' directive
● Documentation◼ Primary documentation for SSSD is in the RHEL Deployment
Guide● Identification Provider / Authentication Provider
Combinations◼ LDAP / LDAP◼ LDAP / Kerberos◼ LDAP / Proxy◼ Proxy / LDAP◼ Proxy / Kerberos◼ Proxy / Proxy
SSSD Technical Details
Red Hat Identity Management
Active Directory Integration
( 16 / 25 )
Direct SSSD → AD Integration Option
AD
Linux System
SSSDAuthentication
KDCLDAPDNS
Identities
Name resolution
Policiessudo
hbac
automount
selinuxAuthentication can use LDAP or Kerberos
Can map AD SID to POSIX attributesCan join system into AD domain
Policies are delivered via configuration files managed locally or via a config server like Puppet
AD can be extended to servebasic sudo and automount
( 17 / 25 )
Pros and Cons of Direct SSSD → AD Integration
● Pros:◼ Does not require third party software◼ Does not require SFU/IMU (RHEL 6.4 and newer)◼ Supports trusted domains with IPA (RHEL 6.4 and newer)◼ Perceived more stable than Winbind
● Cons:◼ Does not support trusted AD domains◼ Does not support some advance AD optimizations◼ Policy management requires separate configuration mechanisms
such as Satellite and Puppet
( 18 / 25 )
IdM → AD Synchronization Option
AD
Linux System
SSSDIdentities
KDCLDAPDNS
Authentication
Name Resolution
Policiessudo
hbac
automount
selinux
Policies are centrally managed over LDAP
IdM
KDCLDAPDNS
A DNS zone is delegated by ADto IdM to manage Linux environment
Name resolution and service discovery queries are resolved against IdM
Users are synchronizedfrom AD to IdM
** Supported, not Recommended **
( 19 / 25 )
Pros and Cons of IdM → AD Synchronization
● Pros:◼ Reduces cost – no CALs or 3rd party◼ Policies are centrally managed◼ Gives control to Linux admins◼ Enabled independent growth of the Linux environment
● Cons:◼ Requires user and password sync◼ Authentication does not happen in AD◼ Requires proper DNS setup
( 20 / 25 )
IdM ↔ AD Trust Integration Option
AD
Linux System
SSSDAuthentication
KDCLDAPDNS
Identities
Name Resolution
Policiessudo
hbac
automount
selinux
Policies are centrally managed over LDAP
IdM
KDCLDAPDNS
Domains trust eachother. Users stay where they are, no synchronizationneeded
A DNS zone is delegatedby AD to IdM to manage Linux systems or IdM has an independent namespace
Client software connects to the right server depending on the information it needs
( 21 / 25 )
Pros and Cons of IdM ↔ AD Trust Integration
● Pros:◼ Reduces cost – no CALs or 3rd party◼ Policies are centrally managed◼ Gives control to Linux admins◼ Enabled independent growth of the Linux environment◼ No synchronization required◼ Authentication happens in AD
● Cons:◼ Requires proper DNS setup◼ Requires latest SSSD◼ Requires RHEL 7
Red Hat Identity Management
Demo
http://bit.ly/1lj8zVv
Red Hat Identity Management
Public Resources
( 24 / 25 )
Public Resources
● Customer Portal:◼ http://red.ht/20Aw1hw
● Product Documentation: ◼ http://red.ht/1Ac5cUp
Questions?