LinuxCon North America




Slide 1: Enterprise Identity Management with Open Source Tools
Dmitri Pal, Sr. Engineering Manager, Red Hat, Inc.
LinuxCon North America, 09.16.2013

Slides 2-3: Context: What is identity management?

Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. (Wikipedia)

Slide 4: IdM Related Technologies
- Active Directory: the main identity management solution, deployed in more than 90% of enterprises
- LDAP: OpenLDAP, 389 (RHDS), OpenDS, ApacheDS, SunDS, eDirectory

Slide 5: IdM Related Technologies (cont.)
- Kerberos: MIT implementation, Heimdal implementation
- Samba: an open source clone of Active Directory; a file server (Samba FS); a client component to join Active Directory (winbind)
- NIS

Slide 6: IdM Related Technologies (cont.)
- Web related technologies: OpenID, OAuth, SAML, WS-...
- Strong authentication: smart cards, One Time Passwords (OTP)

Slide 7: Active Directory vs. Open Source
Why is Active Directory so popular?
- It is an integrated solution
- It is relatively easy to use
- Offers a simple configuration for clients
- All the complexity is hidden from users and admins
- Has comprehensive interfaces

Slide 8: Active Directory vs. Open Source (2)
What about Open Source tools?
- Solve individual problems
- Bag of technologies lacking integration
- Hard to install and configure
- Too many options exposed; which to choose?
- Lack of good user interfaces
Is the situation really that bad?

Slide 9: Introducing FreeIPA
- IPA stands for Identity, Policy, Audit
- So far the project has focused on identities and related policies
- Main problems FreeIPA solves:
  - Central management of authentication and identities for Linux clients, better than stand-alone LDAP/Kerberos/NIS-based solutions
  - Acts as a gateway between the Linux infrastructure and the AD environment, making the infrastructure more manageable and more cost effective

Slide 10: High Level Conceptual Architecture
[Diagram: a central server providing PKI, KDC, DNS and LDAP; Unix/Linux hosts as clients; the Admin working through a CLI/GUI.]

Slide 11: Features
- Centralized authentication via Kerberos or LDAP
- Identity management: users, groups, hosts, host groups, netgroups, services
- Integrated identities
- Manageability:
  - Simple installation scripts for server and client
  - Rich CLI and web-based user interface
  - Pluggable and extensible framework for UI/CLI
  - Flexible delegation and administrative model

Slide 12: Features (continued)
- Certificate provisioning for hosts and services
- Serving sets of automount maps to different clients
- Advanced features:
  - Host-based access control
  - Centrally-managed SUDO
  - Group-based password policies
  - Automatic management of private groups
  - Can act as NIS server for legacy systems
  - Painless password migration
  - Managed hosts
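As an added illustration of the "host-based access control" and "centrally-managed SUDO" features (this session is not from the talk; the rule, group, host group and host names are made up), the following is typed on a host enrolled in a FreeIPA domain, after obtaining an admin Kerberos ticket. It restricts SSH on the web servers to one group and grants that group a single sudo command, then checks the HBAC decision with the built-in simulator:

```console
$ kinit admin
$ # The default allow_all rule grants every user every service on every host;
$ # disable it, otherwise the narrower rule below is never the deciding one.
$ ipa hbacrule-disable allow_all
$ ipa hbacrule-add ssh_to_webservers --desc="web admins may ssh to the web hosts"
$ ipa hbacrule-add-user ssh_to_webservers --groups=webadmins
$ ipa hbacrule-add-host ssh_to_webservers --hostgroups=webservers
$ ipa hbacrule-add-service ssh_to_webservers --hbacsvcs=sshd
$ # Dry-run the policy before anyone is locked out: alice is in webadmins, bob is not
$ ipa hbactest --user=alice --host=web1.ipa.example.test --service=sshd
$ ipa hbactest --user=bob --host=web1.ipa.example.test --service=sshd
$ # Centrally managed sudo: one exact command, one group, one host group, run as root
$ ipa sudocmd-add "/usr/bin/systemctl restart httpd"
$ ipa sudorule-add webadmins_restart_httpd
$ ipa sudorule-add-user webadmins_restart_httpd --groups=webadmins
$ ipa sudorule-add-host webadmins_restart_httpd --hostgroups=webservers
$ ipa sudorule-add-allow-command webadmins_restart_httpd --sudocmds="/usr/bin/systemctl restart httpd"
$ ipa sudorule-add-runasuser webadmins_restart_httpd --users=root
```

The rules only take effect on a client whose SSSD is configured with the IPA access provider (HBAC) and the IPA sudo provider; until the client's cache expires or is cleared, a freshly changed rule may not be visible there yet.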

Slide 13: Features (continued)
- Optional integrated DNS server
- Replication:
  - Supports multi-server deployment based on multimaster replication
  - User replication with MS Active Directory
- Flexibility in deploying Certificate Authorities on different replicas
- Compatibility with a broad set of clients

Slide 14: Introducing SSSD
- SSSD is a service used to retrieve information from a central identity management system.
- SSSD connects a Linux system to a central identity store like:
  - Active Directory
  - FreeIPA
  - Any other directory server
- Provides authentication and access control

Slide 15: Introducing SSSD (continued)
- Multiple parallel sources of identity and authentication domains
- All information is cached locally for offline use
  - Remote data center use case
  - Laptop or branch office system use case
- Advanced features for FreeIPA integration
- AD integration
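An added configuration example for slides 14-15 (not from the talk; all domain, server and host names are invented): one sssd.conf that serves two identity domains in parallel, a FreeIPA domain and an Active Directory domain, with credential caching turned on so a laptop or branch-office host can still authenticate when the servers are unreachable.

```ini
# /etc/sssd/sssd.conf  (added example; names below are made up)
# The file must be owned by root with mode 0600, or sssd refuses to start.
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = ipa.example.test, ad.example.test

[nss]
# Negative cache keeps repeated lookups of non-existent users cheap
entry_negative_timeout = 15

[pam]
# Limit brute force against cached credentials while offline
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa             # enforce the HBAC rules managed centrally in FreeIPA
sudo_provider = ipa               # pull centrally managed sudo rules
ipa_domain = ipa.example.test
ipa_hostname = client1.ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test   # DNS SRV discovery first, explicit fallback second
cache_credentials = true          # offline login with cached credentials
krb5_store_password_if_offline = true       # obtain a TGT once the KDC is reachable again

[domain/ad.example.test]
id_provider = ad
auth_provider = ad
access_provider = ad              # honor disabled/expired accounts and logon restrictions set in AD
ad_domain = ad.example.test
ad_hostname = client1.ipa.example.test
cache_credentials = true
```

With two domains listed, SSSD consults them in the order given; a fully qualified login name (user@ad.example.test) selects the domain explicitly. The AD domain relies on SSSD's default ID mapping from Windows SIDs to UIDs/GIDs, so no POSIX attributes have to be maintained in AD.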

Slides 16-26: Identity Management Under the Hood
[Diagram, built up across slides 17-26, of a FreeIPA server, a managed host (client) and a management station:]
- FreeIPA Core: Kerberos KDC and Directory Server, with NTP, DNS and a CA alongside them, and a management framework on top.
- Managed host (client): SSSD talks to the KDC for authentication and to the Directory Server for users, groups, netgroups and HBAC; nss_ldap fetches other maps; DNS provides name lookups and service discovery.
- Certmonger on the managed host handles certificate tracking and provisioning against the CA.
- ipa-client performs enrollment and un-enrollment of the host and configures SSSD and nss_ldap.
- Management station: the CLI and the Management Web UI (in a browser) reach the server through the management framework.

Slide 27: FreeIPA and Active Directory
- User and password synchronization
- Cross-realm Kerberos trusts: users in the AD domain can access resources in a FreeIPA domain and vice versa
- Many use cases are addressed; more need to be addressed in the future
- Complexity of transitive domains

Slide 28: FreeIPA and Web Technologies
- Green field: not much has been done yet
- What can be done:
  - FreeIPA as an OpenID provider
  - Can be integrated with an IdP to bridge between ESSO and identity federation via mod_auth_kerb
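An added example of the mod_auth_kerb piece of that bridge (not from the talk; the realm, host names and paths are invented): an Apache location that accepts the browser's Kerberos ticket via SPNEGO, so a user with a FreeIPA ticket reaches the application without a password prompt, which is the ESSO half before any federation layer is put behind it. The service principal and its keytab are created first with `ipa service-add HTTP/www.ipa.example.test` and `ipa-getkeytab -s ipa1.ipa.example.test -p HTTP/www.ipa.example.test -k /etc/httpd/conf/http.keytab`.

```apache
# /etc/httpd/conf.d/intranet-sso.conf  (added example; names and paths are made up)
# Serve this only over HTTPS: the Negotiate token is bound to the connection, not the page.
<Location "/intranet">
    AuthType Kerberos
    AuthName "Intranet single sign-on"
    KrbMethodNegotiate On            # SPNEGO: accept the Kerberos ticket the browser already holds
    KrbMethodK5Passwd Off            # never fall back to asking for the Kerberos password over HTTP
    KrbAuthRealms IPA.EXAMPLE.TEST
    KrbServiceName HTTP              # matches the HTTP/www.ipa.example.test principal in the keytab
    Krb5KeyTab /etc/httpd/conf/http.keytab   # readable by the apache user only
    KrbSaveCredentials Off           # do not keep a delegated TGT unless a backend needs it
    Require valid-user
</Location>
```

Browsers present a ticket only for hosts they trust for Negotiate; on Firefox that is the network.negotiate-auth.trusted-uris setting, and the host name in the URL must match the principal's host part, so a mismatch shows up as a 401 with a log line reporting that no credentials were offered.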

Slide 29: FreeIPA and Strong Authentication
- OTP support was recently introduced in FreeIPA
- First ever solution to provide OTP-based ESSO via Kerberos
- Features:
  - Proxy to an external RADIUS server
  - Support of TOTP tokens

Slide 30: FreeIPA Future
- More cross-project integration
- Support of sophisticated AD integration use cases
- Polishing the OTP solution
- User certificate and smart card support
- Enhancements: DHCP integration
- Big backlog of RFEs

Slide 31: FreeIPA and SSSD Communities
- Open
- Friendly
- Responsive
- Welcoming
Come join us!

Slide 32: Resources
- FreeIPA
  - Project wiki: www.freeipa.org
  - Project trac: https://fedorahosted.org/freeipa/
  - Code: http://git.fedorahosted.org/git/?p=freeipa.git
  - Mailing lists: freeipa-users@redhat.com, freeipa-devel@redhat.com, freeipa-interest@redhat.com
- SSSD: https://fedorahosted.org/sssd/
  - Mailing lists: sssd-devel@lists.fedorahosted.org, sssd-users@lists.fedorahosted.org
- Certmonger: https://fedorahosted.org/certmonger/

Slide 33: Questions?