SlideShare ist ein Scribd-Unternehmen logo

Building Open Source Identity Management with FreeIPA

LDAPCon
LDAPCon
Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Building Open Source Identity Management with FreeIPA Martin Kosek <mkosek@redhat.com> Supervisor, Software Engineering, Red Hat, Inc.
Getting a Context What is Identity Management? – “Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” Wikipedia This is the theory, but what does it mean? – Identities (principals): users, machines, services/applications – Authentication: password, biometry, 2FA – Authorization: Policies, ACLs, DAC, MAC – Can be configured locally, but what about 1000+ machine network ? Synchronization nightmare... 2
IdM Related Technologies Active Directory – Main identity management solution deployed in more than 90% of the enterprises LDAP – Often used for custom IdM solution, different flavours Kerberos – Authentication solution Samba, Samba 4 DC NIS (NIS+) – Obsoleted
Active Directory vs. Open Source Why is Active Directory so popular? – Integrated solution – It is relatively easy to use – Simple configuration for clients – All the complexity is hidden from users and admins – Has comprehensive interfaces
Active Directory vs. Open Source (2) What about Open Source tools? – Solve individual problems • “do one thing and do it well” – Bag of technologies lacking integration – Hard to install and configure • Have you ever tried manual LDAP+Kerberos configuration? – Too many options exposed • Which to choose? Prevent shooting myself in the leg – Lack of good user interfaces Is the situation really that bad?
Introducing FreeIPA IPA stands for Identity, Policy, Audit – So far we have focused on identities and related policies Main problems FreeIPA solves: – Central management of authentication and identities for Linux clients better than stand-alone LDAP/Kerberos/NIS - based solutions – Hides complexity, presents easy to understand CLI/UI • Install with one command, in several minutes – Acts as a gateway between the Linux and AD infrastructure making it more manageable and more cost effective • This is a requirement. As we said earlier, Active Directory is often the main Identity Management source
The Core Directory Server – Main data backend for all other services – Custom plugins: authentication hooks, password policy, compatibility tree (slapi-nis), validation, extended operations... Kerberos KDC – Provides authentication for entire FreeIPA realm PKI Server – Certificates for services (web, LDAP, TLS) HTTP Server – Provides public interface (API)
High-level architecture PKI HTTP KDC LDAP CLI/UI NTP DNS SSSD identity auth policies certiticates Web UI/CLI/JSON SSSD Admin FreeIPA server SSSD
Example - Using FreeIPA CLI $ kinit admin Password for admin@EXAMPLE.COM: $ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 10/15/12 10:47:35 10/16/12 10:47:34 krbtgt/EXAMPLE.COM@...
Example - Using FreeIPA CLI (2) $ ipa user-add --first=John --last=Doe jdoe --random ----------------Added user "jdoe" ----------------User login: jdoe First name: John Last name: Doe Full name: John Doe Display name: John Doe Initials: JD Home directory: /home/jdoe GECOS field: John Doe Login shell: /bin/sh Kerberos principal: jdoe@EXAMPLE.COM Email address: jdoe@example.com Random password: xMc2XkI=ivVM UID: 1998400002 GID: 1998400002 Password: True Kerberos keys available: True
Features: Deployment Hide complexity of LDAP+Kerberos+CA+... deployment We have few requirements : – Sane DNS environment (reverse records) • DNS is crucial to identify machines • Kerberos service principals, X509 Certificates use DNS names – Static FQDN hostnames Configuration with one command – ipa-server-install, ipa-client-install Supports replicas – Essential for redundancy and fault protection – ipa-replica-install
Features: Identity Management Users, groups: – Automatic and unique UIDs, across replicas – Manage SSH public keys (not needed when authenticating with Kerberos) – Role-based access control, self-service Hosts, host groups, netgroups: – Manage host life-cycle, enrollment Services/applications – Manage keytab, certificate Automatic group membership based on rules – Just add a user/host and all matching group/host group membership is added
Features: DNS Optional feature DNS data stored in LDAP Plugin for BIND9 name server (bind-dyndb-ldap) – Bridge between LDAP and DNS worlds Integration of DNS records with the rest of the framework
Features: Policy Management HBAC – Control who can do what and where – Enforced by SSSD for authentication requests going through PAM – Useful when automember is in use $ ipa hbacrule-show labmachines_login Rule name: labmachines_login Enabled: TRUE User Groups: labusers, labadmins Host Groups: labmachines Services: sshd, login
Features: Policy Management (2) SUDO: $ ipa sudorule-show test Rule name: test Enabled: TRUE User Groups: labadmins Host Groups: labmachines Sudo Allow Commands: /usr/sbin/service Automount: $ ipa automountkey-find brno auto.direct ----------------------1 automount key matched ----------------------Key: /nfs/apps Mount information: export.example.com:/apps
Features: Policy Management (3) SELinux user roles – Centrally assign SELinux user roles to users – Useful for confined environments – Avoid configuring roles per-server using “semanage user” command $ ipa selinuxusermap-show labguests Rule name: labguests SELinux User: guest_u:s0 Enabled: TRUE User Groups: labusers Host Groups: labmachines
Use case: Kerberize a Web Service Provide centralized identity and authentication (SSO) for a web application with few commands : # ipa-client-install -p admin -w PAsSw0rd --unattended Discovery was successful! Hostname: web.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: ipa.example.com BaseDN: dc=example,dc=com Synchronizing time with KDC... Enrolled in IPA realm EXAMPLE.COM ... DNS server record set to: web.example.com -> 10.0.0.10 ... Client configuration complete.
Use case: Kerberize a web service (2) # kinit admin # ipa service-add HTTP/web.example.com # ipa-getkeytab -p HTTP/web.example.com -s ipa.example.com -k /etc/httpd/conf/httpd.keytab # chown apache:apache /etc/httpd/conf/http.keytab # chmod 0400 /etc/httpd/conf/http.keytab
Use case: Kerberize a web service (3) # yum install mod_auth_kerb # Kerberos auth for Apache # cat /etc/httpd/conf.d/webapp.conf <Location "/secure"> AuthType Kerberos AuthName "Web app Kerberos authentization" KrbMethodNegotiate on KrbMethodK5Passwd on KrbServiceName HTTP KrbAuthRealms EXAMPLE.COM Krb5Keytab /etc/httpd/conf/http.keytab KrbSaveCredentials off Require valid-user </Location> # service httpd restart
Introducing SSSD SSSD is a service/daemon used to retrieve information from a central identity management system. SSSD connects a Linux system to a central identity store like: – Active Directory – FreeIPA – Any other directory server Provides identity, authentication and access control
Introducing SSSD (2) Multiple parallel sources of identity and authentication – domains All information is cached locally for offline use – Remote data center use case – Laptop or branch office system use case Advanced features for – FreeIPA integration – AD integration - even without FreeIPA
FreeIPA and Active Directory Active Directory is present in most of the businesses IdM in Linux and Windows cannot be 2 separate isles – Doubles the identity and policy management work Need to address some form of cooperation 3rd party solutions for AD Integration – Enables machine to join AD as Windows machines – Linux machines are 2nd class citizens – Increases costs for the solution + Windows CLA – Does not offer centralization for Linux native services • SELinux, Automount, ...
FreeIPA and Active Directory (2) FreeIPA v2 - winsync+passsync – User and password synchronization – Easier management, but 2 separate identities – One-way, name collisions, no SSO FreeIPA v3+ - Cross-realm Kerberos trusts – Users in AD domain can access resources in a FreeIPA domain and vice versa – One Identity, no name collisions (aduser@ad.domain), SSO with AD credentials
Cross-Realm Kerberos Trust FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC 4120 compliant Kerberos realm Traditional Kerberos trust management applies: – Manual mapping of Identities in both Active Directory and Linux (~/.k5login) – Does not scale with thousands of users and computers Better approach - native cross forest trusts – AD DC thinks considers FreeIPA server as another AD DC – MS-specific extensions to standard protocols need to be supported
FreeIPA as AD DC FreeIPA Samba passdb backend – Expansion of traditional Samba LDAP passdb backend – New schema objects and attributes to support trusted domain information FreeIPA KDC backend: – Verifies and signs MS-PAC coming from a trusted cross forest realm – Accepts principals and tickets from a trusted realm – Generates MS-PAC information out of LDAP CLDAP plugin handling NetLogon requests Additional API for handling new objects and attributes
Integration Plan Step 1: allow AD users to connect to FreeIPA services. For example: – SSH from a Windows machine to FreeIPA-managed Linux machine - with SSO! – Mounting Kerberos-protected NFS share Step 2: allow FreeIPA users to interactively log in into AD machines – Requires support for Global Catalog on FreeIPA server side – Work in progress, planned for FreeIPA 3.4 (Q1/2014)
Is it enough? What is the catch? We can manage Linux machines with FreeIPA We can manage Windows machines with AD We can establish a trust between them - good! Works great for green field deployments BUT! – What about users already using Linux-AD integration? • Identity Management for Unix AD LDAP extension • Third party plugins – What about users with legacy machines? • Older Linuxes, UNIXes... • They cannot use the modern SSSD with AD support – Address before moving forward
Existing Linux-AD integration Main problem is the UID/GID generation – FreeIPA 3.0-3.2 generates them from SID • Maps Windows style SID (e.g. S-1-5-21-16904141-1481897002149043814-1234) to UNIX-style UID/GID based on user ranges (e.g. UID 9870001234, GID 9870001234) AD users may already contain defined UID/GID attributes – Identity Management for Unix AD LDAP extension – UID/GID are already used on Linux machines – If changed, file ownership breaks Allow reading these attributes! – New setting for AD Trust – SSSD reads the POSIX attributes from AD and uses them
Legacy clients using AD Trust Administrator may want older systems to authenticate both AD and Linux users – SSSD with AD support may not available – Using just nss_ldap is not enough, AD users are not in FreeIPA DS Solved by compatibility LDAP tree in FreeIPA server – Exposes a compatibility tree managed by slapi-nis DS plugin – Provides both identity and authentication standard via LDAP operations – Intercepts LDAP bind operations • For FreeIPA user, it just does LDAP bind to FreeIPA LDAP tree • For external user: – Asks SSSD for user/group (getpwnam_/getgrnam_r), it asks AD – Does PAM system-auth command, also via SSSD
Legacy clients using AD Trust (2) FreeIPA server FreeIPA AD KDC LDAP KDC 3) Gets identity with system calls 6) Authenticates Member 5) Authenticates via PAM SSSD Authentication Identities 4) Reads identity from AD 7) Identity + authentication via LDAP AD Domain Member LDAP Legacy client 1) Authenticate nss_ldap 8) Success/Failure Authentication Identities 2) LDAP Bind to compat tree
Thanks! www.freeipa.org

Empfohlen

A brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its components
Ramit Surana
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
Vietnam Open Infrastructure User Group
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
VMware Tanzu
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
HungWei Chiu
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ivan Serdyuk
 

Empfohlen

A brief study on Kubernetes and its components
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its components
Ramit Surana
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
Vietnam Open Infrastructure User Group
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
VMware Tanzu
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
HungWei Chiu
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Getting started with Ansible
Getting started with AnsibleGetting started with Ansible
Getting started with Ansible
Ivan Serdyuk
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
Etsuji Nakai
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
Docker Swarm for Beginner
Docker Swarm for BeginnerDocker Swarm for Beginner
Docker Swarm for Beginner
Shahzad Masud
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Terraform 101
Terraform 101Terraform 101
Terraform 101
Haggai Philip Zagury
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker Compose
Ajeet Singh Raina
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
Sparkbit
 
Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022
Nelson Calero
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
An overview of the Kubernetes architecture
An overview of the Kubernetes architectureAn overview of the Kubernetes architecture
An overview of the Kubernetes architecture
Igor Sfiligoi
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Kubernetes
KubernetesKubernetes
Kubernetes
Henry He
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
Giuseppe Scrivano
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Raffaele Di Fazio
 
Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networking
Sim Janghoon
 
Network automation (NetDevOps) with Ansible
Network automation (NetDevOps) with AnsibleNetwork automation (NetDevOps) with Ansible
Network automation (NetDevOps) with Ansible
Bangladesh Network Operators Group
 
Kubernetes
KubernetesKubernetes
Kubernetes
Lhouceine OUHAMZA
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Henning Jacobs
 
Complete open source IAM solution
Complete open source IAM solutionComplete open source IAM solution
Complete open source IAM solution
Radovan Semancik
 
Open Source & Identity Management
Open Source & Identity ManagementOpen Source & Identity Management
Open Source & Identity Management
JISC Netskills
 

Weitere ähnliche Inhalte

Was ist angesagt?

How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
Etsuji Nakai
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Thomas Graf
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 

Was ist angesagt? (20)

Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
How VXLAN works on Linux
How VXLAN works on LinuxHow VXLAN works on Linux
How VXLAN works on Linux
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Docker Swarm for Beginner
Docker Swarm for BeginnerDocker Swarm for Beginner
Docker Swarm for Beginner
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Terraform 101
Terraform 101Terraform 101
Terraform 101
 
Introduction to Docker Compose
Introduction to Docker ComposeIntroduction to Docker Compose
Introduction to Docker Compose
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022Terraform Tips and Tricks - LAOUC 2022
Terraform Tips and Tricks - LAOUC 2022
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
An overview of the Kubernetes architecture
An overview of the Kubernetes architectureAn overview of the Kubernetes architecture
An overview of the Kubernetes architecture
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes networking
Kubernetes networkingKubernetes networking
Kubernetes networking
 
Network automation (NetDevOps) with Ansible
Network automation (NetDevOps) with AnsibleNetwork automation (NetDevOps) with Ansible
Network automation (NetDevOps) with Ansible
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
 

Andere mochten auch

Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Wen Zhu
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
mfrancis
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015
Steve Pember
 
Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016
Cloud Standards Customer Council
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
Mark West
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Marcelo Jabali
 
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
Martin Peřina
 
Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directories
LDAPCon
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
LDAPCon
 

Andere mochten auch (20)

Complete open source IAM solution
Complete open source IAM solutionComplete open source IAM solution
Complete open source IAM solution
 
Open Source & Identity Management
Open Source & Identity ManagementOpen Source & Identity Management
Open Source & Identity Management
 
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond SambaSambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba
 
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
 
Free IPA (Identity - Policy - Audit) - OSDCM: User Management
Free IPA (Identity - Policy - Audit) - OSDCM: User ManagementFree IPA (Identity - Policy - Audit) - OSDCM: User Management
Free IPA (Identity - Policy - Audit) - OSDCM: User Management
 
Інтернет-ресурси з військово -патріотичного виховання
Інтернет-ресурси з військово -патріотичного вихованняІнтернет-ресурси з військово -патріотичного виховання
Інтернет-ресурси з військово -патріотичного виховання
 
Open Source Identity Management
Open Source Identity ManagementOpen Source Identity Management
Open Source Identity Management
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015
 
Apache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxApache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the box
 
Explain Kerberos like I'm 5
Explain Kerberos like I'm 5Explain Kerberos like I'm 5
Explain Kerberos like I'm 5
 
Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
 
Présentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinIDPrésentation de l'offre IAM de LINAGORA LinID
Présentation de l'offre IAM de LINAGORA LinID
 
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQCreating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
 
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
The New oVirt Extension API: Taking AAA (Authentication Authorization Account...
 
Benchmarks on LDAP directories
Benchmarks on LDAP directoriesBenchmarks on LDAP directories
Benchmarks on LDAP directories
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3
 
Microservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafMicroservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karaf
 

Ähnlich wie Building Open Source Identity Management with FreeIPA

Windows server 2003_r2
Windows server 2003_r2Windows server 2003_r2
Windows server 2003_r2
tameemyousaf
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
MongoDB
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 

Ähnlich wie Building Open Source Identity Management with FreeIPA (20)

Securing Hadoop - MapR Technologies
Securing Hadoop - MapR TechnologiesSecuring Hadoop - MapR Technologies
Securing Hadoop - MapR Technologies
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Kamailio - Secure Communication
Kamailio - Secure CommunicationKamailio - Secure Communication
Kamailio - Secure Communication
 
Windows server 2003_r2
Windows server 2003_r2Windows server 2003_r2
Windows server 2003_r2
 
Ubuntu For Intranet Services
Ubuntu For Intranet ServicesUbuntu For Intranet Services
Ubuntu For Intranet Services
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security Architecture
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
Understanding Active Directory Enumeration
Understanding Active Directory EnumerationUnderstanding Active Directory Enumeration
Understanding Active Directory Enumeration
 
Cl116
Cl116Cl116
Cl116
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
Windows Server2008 Overview
Windows Server2008 OverviewWindows Server2008 Overview
Windows Server2008 Overview
 
Windows Server2008 Overview 090222022333 Phpapp01
Windows Server2008 Overview 090222022333 Phpapp01Windows Server2008 Overview 090222022333 Phpapp01
Windows Server2008 Overview 090222022333 Phpapp01
 
Deep Dive: AWS CloudHSM (Classic)
Deep Dive: AWS CloudHSM (Classic)Deep Dive: AWS CloudHSM (Classic)
Deep Dive: AWS CloudHSM (Classic)
 

Mehr von LDAPCon

Fusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapFusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldap
LDAPCon
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSC
LDAPCon
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 
Update on the OpenDJ project
Update on the OpenDJ projectUpdate on the OpenDJ project
Update on the OpenDJ project
LDAPCon
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory Manager
LDAPCon
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
LDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
LDAPCon
 
Distributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerDistributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory Server
LDAPCon
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAP
LDAPCon
 
What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...
LDAPCon
 
Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAP
LDAPCon
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory Studio
LDAPCon
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAP
LDAPCon
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
eSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over WebeSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over Web
LDAPCon
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory services
LDAPCon
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
LDAPCon
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship Management
LDAPCon
 

Mehr von LDAPCon (18)

Fusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldapFusiondirectory: your infrastructure manager based on ldap
Fusiondirectory: your infrastructure manager based on ldap
 
Synchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSCSynchronize AD and OpenLDAP with LSC
Synchronize AD and OpenLDAP with LSC
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
 
Update on the OpenDJ project
Update on the OpenDJ projectUpdate on the OpenDJ project
Update on the OpenDJ project
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory Manager
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clients
 
Distributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory ServerDistributed Virtual Transaction Directory Server
Distributed Virtual Transaction Directory Server
 
What's New in OpenLDAP
What's New in OpenLDAPWhat's New in OpenLDAP
What's New in OpenLDAP
 
What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...What makes a LDAP server running fast ? An bit of insight about the various b...
What makes a LDAP server running fast ? An bit of insight about the various b...
 
Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAP
 
OpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory StudioOpenLDAP configuration brought to Apache Directory Studio
OpenLDAP configuration brought to Apache Directory Studio
 
Making Research "Social" using LDAP
Making Research "Social" using LDAPMaking Research "Social" using LDAP
Making Research "Social" using LDAP
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
 
eSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over WebeSCIMo - User Provisioning over Web
eSCIMo - User Provisioning over Web
 
Give a REST to your LDAP directory services
Give a REST to your LDAP directory servicesGive a REST to your LDAP directory services
Give a REST to your LDAP directory services
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
 
IAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship ManagementIAM to IRM: The Shift to Identity Relationship Management
IAM to IRM: The Shift to Identity Relationship Management
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Kürzlich hochgeladen (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Building Open Source Identity Management with FreeIPA

  • 1. Building Open Source Identity Management with FreeIPA Martin Kosek <mkosek@redhat.com> Supervisor, Software Engineering, Red Hat, Inc.
  • 2. Getting a Context What is Identity Management? – “Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” Wikipedia This is the theory, but what does it mean? – Identities (principals): users, machines, services/applications – Authentication: password, biometry, 2FA – Authorization: Policies, ACLs, DAC, MAC – Can be configured locally, but what about 1000+ machine network ? Synchronization nightmare... 2
  • 3. IdM Related Technologies Active Directory – Main identity management solution deployed in more than 90% of the enterprises LDAP – Often used for custom IdM solution, different flavours Kerberos – Authentication solution Samba, Samba 4 DC NIS (NIS+) – Obsoleted
  • 4. Active Directory vs. Open Source Why is Active Directory so popular? – Integrated solution – It is relatively easy to use – Simple configuration for clients – All the complexity is hidden from users and admins – Has comprehensive interfaces
  • 5. Active Directory vs. Open Source (2) What about Open Source tools? – Solve individual problems • “do one thing and do it well” – Bag of technologies lacking integration – Hard to install and configure • Have you ever tried manual LDAP+Kerberos configuration? – Too many options exposed • Which to choose? Prevent shooting myself in the leg – Lack of good user interfaces Is the situation really that bad?
  • 6. Introducing FreeIPA IPA stands for Identity, Policy, Audit – So far we have focused on identities and related policies Main problems FreeIPA solves: – Central management of authentication and identities for Linux clients better than stand-alone LDAP/Kerberos/NIS - based solutions – Hides complexity, presents easy to understand CLI/UI • Install with one command, in several minutes – Acts as a gateway between the Linux and AD infrastructure making it more manageable and more cost effective • This is a requirement. As we said earlier, Active Directory is often the main Identity Management source
  • 7. The Core Directory Server – Main data backend for all other services – Custom plugins: authentication hooks, password policy, compatibility tree (slapi-nis), validation, extended operations... Kerberos KDC – Provides authentication for entire FreeIPA realm PKI Server – Certificates for services (web, LDAP, TLS) HTTP Server – Provides public interface (API)
  • 9. Example - Using FreeIPA CLI $ kinit admin Password for admin@EXAMPLE.COM: $ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 10/15/12 10:47:35 10/16/12 10:47:34 krbtgt/EXAMPLE.COM@...
  • 10. Example - Using FreeIPA CLI (2) $ ipa user-add --first=John --last=Doe jdoe --random ----------------Added user "jdoe" ----------------User login: jdoe First name: John Last name: Doe Full name: John Doe Display name: John Doe Initials: JD Home directory: /home/jdoe GECOS field: John Doe Login shell: /bin/sh Kerberos principal: jdoe@EXAMPLE.COM Email address: jdoe@example.com Random password: xMc2XkI=ivVM UID: 1998400002 GID: 1998400002 Password: True Kerberos keys available: True
  • 11. Features: Deployment Hide complexity of LDAP+Kerberos+CA+... deployment We have few requirements : – Sane DNS environment (reverse records) • DNS is crucial to identify machines • Kerberos service principals, X509 Certificates use DNS names – Static FQDN hostnames Configuration with one command – ipa-server-install, ipa-client-install Supports replicas – Essential for redundancy and fault protection – ipa-replica-install
  • 12. Features: Identity Management Users, groups: – Automatic and unique UIDs, across replicas – Manage SSH public keys (not needed when authenticating with Kerberos) – Role-based access control, self-service Hosts, host groups, netgroups: – Manage host life-cycle, enrollment Services/applications – Manage keytab, certificate Automatic group membership based on rules – Just add a user/host and all matching group/host group membership is added
  • 13. Features: DNS Optional feature DNS data stored in LDAP Plugin for BIND9 name server (bind-dyndb-ldap) – Bridge between LDAP and DNS worlds Integration of DNS records with the rest of the framework
  • 14. Features: Policy Management HBAC – Control who can do what and where – Enforced by SSSD for authentication requests going through PAM – Useful when automember is in use $ ipa hbacrule-show labmachines_login Rule name: labmachines_login Enabled: TRUE User Groups: labusers, labadmins Host Groups: labmachines Services: sshd, login
  • 15. Features: Policy Management (2) SUDO: $ ipa sudorule-show test Rule name: test Enabled: TRUE User Groups: labadmins Host Groups: labmachines Sudo Allow Commands: /usr/sbin/service Automount: $ ipa automountkey-find brno auto.direct ----------------------1 automount key matched ----------------------Key: /nfs/apps Mount information: export.example.com:/apps
  • 16. Features: Policy Management (3) SELinux user roles – Centrally assign SELinux user roles to users – Useful for confined environments – Avoid configuring roles per-server using “semanage user” command $ ipa selinuxusermap-show labguests Rule name: labguests SELinux User: guest_u:s0 Enabled: TRUE User Groups: labusers Host Groups: labmachines
  • 17. Use case: Kerberize a Web Service Provide centralized identity and authentication (SSO) for a web application with few commands : # ipa-client-install -p admin -w PAsSw0rd --unattended Discovery was successful! Hostname: web.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: ipa.example.com BaseDN: dc=example,dc=com Synchronizing time with KDC... Enrolled in IPA realm EXAMPLE.COM ... DNS server record set to: web.example.com -> 10.0.0.10 ... Client configuration complete.
  • 18. Use case: Kerberize a web service (2) # kinit admin # ipa service-add HTTP/web.example.com # ipa-getkeytab -p HTTP/web.example.com -s ipa.example.com -k /etc/httpd/conf/httpd.keytab # chown apache:apache /etc/httpd/conf/http.keytab # chmod 0400 /etc/httpd/conf/http.keytab
  • 19. Use case: Kerberize a web service (3) # yum install mod_auth_kerb # Kerberos auth for Apache # cat /etc/httpd/conf.d/webapp.conf <Location "/secure"> AuthType Kerberos AuthName "Web app Kerberos authentization" KrbMethodNegotiate on KrbMethodK5Passwd on KrbServiceName HTTP KrbAuthRealms EXAMPLE.COM Krb5Keytab /etc/httpd/conf/http.keytab KrbSaveCredentials off Require valid-user </Location> # service httpd restart
  • 20. Introducing SSSD SSSD is a service/daemon used to retrieve information from a central identity management system. SSSD connects a Linux system to a central identity store like: – Active Directory – FreeIPA – Any other directory server Provides identity, authentication and access control
  • 21. Introducing SSSD (2) Multiple parallel sources of identity and authentication – domains All information is cached locally for offline use – Remote data center use case – Laptop or branch office system use case Advanced features for – FreeIPA integration – AD integration - even without FreeIPA
  • 22. FreeIPA and Active Directory Active Directory is present in most of the businesses IdM in Linux and Windows cannot be 2 separate isles – Doubles the identity and policy management work Need to address some form of cooperation 3rd party solutions for AD Integration – Enables machine to join AD as Windows machines – Linux machines are 2nd class citizens – Increases costs for the solution + Windows CLA – Does not offer centralization for Linux native services • SELinux, Automount, ...
  • 23. FreeIPA and Active Directory (2) FreeIPA v2 - winsync+passsync – User and password synchronization – Easier management, but 2 separate identities – One-way, name collisions, no SSO FreeIPA v3+ - Cross-realm Kerberos trusts – Users in AD domain can access resources in a FreeIPA domain and vice versa – One Identity, no name collisions (aduser@ad.domain), SSO with AD credentials
  • 24. Cross-Realm Kerberos Trust FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC 4120 compliant Kerberos realm Traditional Kerberos trust management applies: – Manual mapping of Identities in both Active Directory and Linux (~/.k5login) – Does not scale with thousands of users and computers Better approach - native cross forest trusts – AD DC thinks considers FreeIPA server as another AD DC – MS-specific extensions to standard protocols need to be supported
  • 25. FreeIPA as AD DC FreeIPA Samba passdb backend – Expansion of traditional Samba LDAP passdb backend – New schema objects and attributes to support trusted domain information FreeIPA KDC backend: – Verifies and signs MS-PAC coming from a trusted cross forest realm – Accepts principals and tickets from a trusted realm – Generates MS-PAC information out of LDAP CLDAP plugin handling NetLogon requests Additional API for handling new objects and attributes
  • 26. Integration Plan Step 1: allow AD users to connect to FreeIPA services. For example: – SSH from a Windows machine to FreeIPA-managed Linux machine - with SSO! – Mounting Kerberos-protected NFS share Step 2: allow FreeIPA users to interactively log in into AD machines – Requires support for Global Catalog on FreeIPA server side – Work in progress, planned for FreeIPA 3.4 (Q1/2014)
  • 27. Is it enough? What is the catch? We can manage Linux machines with FreeIPA We can manage Windows machines with AD We can establish a trust between them - good! Works great for green field deployments BUT! – What about users already using Linux-AD integration? • Identity Management for Unix AD LDAP extension • Third party plugins – What about users with legacy machines? • Older Linuxes, UNIXes... • They cannot use the modern SSSD with AD support – Address before moving forward
  • 28. Existing Linux-AD integration Main problem is the UID/GID generation – FreeIPA 3.0-3.2 generates them from SID • Maps Windows style SID (e.g. S-1-5-21-16904141-1481897002149043814-1234) to UNIX-style UID/GID based on user ranges (e.g. UID 9870001234, GID 9870001234) AD users may already contain defined UID/GID attributes – Identity Management for Unix AD LDAP extension – UID/GID are already used on Linux machines – If changed, file ownership breaks Allow reading these attributes! – New setting for AD Trust – SSSD reads the POSIX attributes from AD and uses them
  • 29. Legacy clients using AD Trust Administrator may want older systems to authenticate both AD and Linux users – SSSD with AD support may not available – Using just nss_ldap is not enough, AD users are not in FreeIPA DS Solved by compatibility LDAP tree in FreeIPA server – Exposes a compatibility tree managed by slapi-nis DS plugin – Provides both identity and authentication standard via LDAP operations – Intercepts LDAP bind operations • For FreeIPA user, it just does LDAP bind to FreeIPA LDAP tree • For external user: – Asks SSSD for user/group (getpwnam_/getgrnam_r), it asks AD – Does PAM system-auth command, also via SSSD
  • 30. Legacy clients using AD Trust (2) FreeIPA server FreeIPA AD KDC LDAP KDC 3) Gets identity with system calls 6) Authenticates Member 5) Authenticates via PAM SSSD Authentication Identities 4) Reads identity from AD 7) Identity + authentication via LDAP AD Domain Member LDAP Legacy client 1) Authenticate nss_ldap 8) Success/Failure Authentication Identities 2) LDAP Bind to compat tree