Red Hat Identity Management

( 2 / 25 )

Agenda

● Identity Management (IdM) in Red Hat Enterprise Linux● System Security Services Daemon (SSSD)● Active Directory Integration● Demo● Public Resources

Red Hat Identity Management

Identity Management (IdM) inRed Hat Enterprise Linux

( 4 / 25 )

Identity Management in Red Hat Enterprise Linux

● Implements Standards-Based, Integrated Components◼ Kerberos, LDAP, DNS and x.509 certificates provide a simple

integrated identity management solution● Reduces costs

◼ Leverage Red Hat IdM for your RHEL (and other Linux/Unix!) servers, potentially reducing licensing costs for third-party directory servers like Active Directory.

● Simplify Management◼ Consistent user, group, sudo, selinux, automounts (and more!)

management throughout the RHEL environment

( 5 / 25 )

Identity Management in Red Hat Enterprise Linux

● Enhances Security◼ Centralizes authentication, authorization and access control for

UNIX/Linux environments● Provides eSSO (enterprise Single Sign-On) via Kerberos

◼ Enables users to access many different enterprise resources after their initial log-in without having to log in again and again

● Centralizes Administration and Control◼ Easily consolidate and manage identity servers in a UNIX/Linux

environment; with the option to interoperate with Active Directory

( 6 / 25 )

Identity Management in RHEL: Features

● Command Line Interface● Web Based GUI

◼ Management Console◼ User Self Service

● Enterprise SSO for Kerberos aware applications● Interoperability with Microsoft Active Directory domains● Smooth migration paths from NIS and LDAP services● Two Factor Authentication w/One Time Passwords (OTP)● Up to 20 servers and replicas and an unlimited number of

clients in a single domain (~ 2,000 clients per server)

( 7 / 25 )

Identity Management in RHEL: Features

● Centralized management of:◼ Automounts◼ Global Password Policies ◼ Host Based Access Control (HBAC)◼ Integrated DNS (optional - can be delegated)◼ Selinux Configurations and User Mappings◼ SSH Key Management

● Host Fingerprints● User SSH keys

◼ SSL Certificate Management● Server, Services and Users

◼ Sudoers

( 8 / 25 )

IdM – simplified architecture view

( 9 / 25 )

IdM Components in Red Hat Enterprise Linux

IdM Core

DirectoryServer

KerberosKDCNTP

DNS

Managementframework

Managed host (client)

SSSD

Management Station

CLI

Browser

CertMonger

ipa-client

CA

Configures

Configures

nss_ldap

WEBUI

Authentication

Name lookupsand servicediscovery

Cert tracking &provisioning

Other maps

Enrollment & un-enrollment

Management

Users, Groups, Netgroups, HBAC

( 10 / 25 )

IdM Design Considerations

● Internal or External DNS◼ Internal easier to manage, but customers usually have their own

DNS already◼ Side step the problem via zone delegation

● Desired integration with Active Directory◼ User/Group and Password Sync◼ Active Directory Trusts (RHEL7)

● Multi-Site◼ Server selection (6.4), Preferred servers

● Certificate Setup◼ Root CA or subordinate CA

Red Hat Identity Management

System Security Services Daemon (SSSD)

( 12 / 25 )

What is SSSD?

● The System Security Services Daemon (SSSD) provides access to different identity and authentication providers. SSSD is an intermediary between local clients and any configured data store. Local clients connect to SSSD and then SSSD contacts the external providers. SSSD provides a number of benefits for administrators:◼ Credential caching / Offline authentication◼ Reduced load on authentication/identification servers◼ Able to handle multiple configurations simultaneously

( 13 / 25 )

What is SSSD?

● SSSD recognizes domains, which are associated with different identity servers. Domains are a combination of an identity provider and an authentication method

● SSSD works with LDAP identity providers ◼ IdM in RHEL◼ Red Hat Directory Server◼ OpenLDAP◼ Microsoft Active Directory

● SSSD also works with other native LDAP authentication or Kerberos authentication

( 14 / 25 )

● How do I know if sssd is being used◼ Is the service running (sssd)◼ In /etc/nsswitch.conf, look for the 'sss' directive

● Documentation◼ Primary documentation for SSSD is in the RHEL Deployment

Guide● Identification Provider / Authentication Provider

Combinations◼ LDAP / LDAP◼ LDAP / Kerberos◼ LDAP / Proxy◼ Proxy / LDAP◼ Proxy / Kerberos◼ Proxy / Proxy

SSSD Technical Details

Red Hat Identity Management

Active Directory Integration

( 16 / 25 )

Direct SSSD → AD Integration Option

AD

Linux System

SSSDAuthentication

KDCLDAPDNS

Identities

Name resolution

Policiessudo

hbac

automount

selinuxAuthentication can use LDAP or Kerberos

Can map AD SID to POSIX attributesCan join system into AD domain

Policies are delivered via configuration files managed locally or via a config server like Puppet

AD can be extended to servebasic sudo and automount

( 17 / 25 )

Pros and Cons of Direct SSSD → AD Integration

● Pros:◼ Does not require third party software◼ Does not require SFU/IMU (RHEL 6.4 and newer)◼ Supports trusted domains with IPA (RHEL 6.4 and newer)◼ Perceived more stable than Winbind

● Cons:◼ Does not support trusted AD domains◼ Does not support some advance AD optimizations◼ Policy management requires separate configuration mechanisms

such as Satellite and Puppet

( 18 / 25 )

IdM → AD Synchronization Option

AD

Linux System

SSSDIdentities

KDCLDAPDNS

Authentication

Name Resolution

Policiessudo

hbac

automount

selinux

Policies are centrally managed over LDAP

IdM

KDCLDAPDNS

A DNS zone is delegated by ADto IdM to manage Linux environment

Name resolution and service discovery queries are resolved against IdM

Users are synchronizedfrom AD to IdM

** Supported, not Recommended **

( 19 / 25 )

Pros and Cons of IdM → AD Synchronization

● Pros:◼ Reduces cost – no CALs or 3rd party◼ Policies are centrally managed◼ Gives control to Linux admins◼ Enabled independent growth of the Linux environment

● Cons:◼ Requires user and password sync◼ Authentication does not happen in AD◼ Requires proper DNS setup

( 20 / 25 )

IdM ↔ AD Trust Integration Option

AD

Linux System

SSSDAuthentication

KDCLDAPDNS

Identities

Name Resolution

Policiessudo

hbac

automount

selinux

Policies are centrally managed over LDAP

IdM

KDCLDAPDNS

Domains trust eachother. Users stay where they are, no synchronizationneeded

A DNS zone is delegatedby AD to IdM to manage Linux systems or IdM has an independent namespace

Client software connects to the right server depending on the information it needs

( 21 / 25 )

Pros and Cons of IdM ↔ AD Trust Integration

● Pros:◼ Reduces cost – no CALs or 3rd party◼ Policies are centrally managed◼ Gives control to Linux admins◼ Enabled independent growth of the Linux environment◼ No synchronization required◼ Authentication happens in AD

● Cons:◼ Requires proper DNS setup◼ Requires latest SSSD◼ Requires RHEL 7

Red Hat Identity Management

Demo

http://bit.ly/1lj8zVv

Red Hat Identity Management

Public Resources

( 24 / 25 )

Public Resources

● Customer Portal:◼ http://red.ht/20Aw1hw

● Product Documentation: ◼ http://red.ht/1Ac5cUp

Questions?