Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

Similar documents
Identity Management: Unicorn or Gorgon?

Practical Steps Implementing Red Hat Identity Management Solution David Sirrine Senior Technical Account Manager, Red Hat Jerel Gilmer SEC June 29,

RED HAT ENTERPRISE LINUX: ACTIVE DIRECTORY - CLIENT INTEGRATION OPTIONS

Red Hat Enterprise Linux 8.0 Beta

FreeIPA - Control your identity

Identity Management Scaling Out and Up

Escape from the Identity crisis with FreeIPA

Florence Blanc-Renaud Senior Software Engineer - Identity Management - Red Hat

Integrating the RHCI Suite with IdM

FreeIPA Cross Forest Trusts

FreeIPA. Directory and authentication services the easy way. Christian Stankowic. Free and Open Source software Conference

SSSD. Client side identity management. LinuxDays 2012 Jakub Hrozek

FreeIPA - Control your identity

MIT Kerberos & Red Hat

Identity Management and Compliance in OpenShift

Linux authentication using the System Security Services Daemon (SSSD) explained

The System Security Services Daemon (SSSD) explained

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA. Alexander Bokovoy Red Hat Inc. May 4th, 2017

SAML-Based SSO Solution

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Red Hat Enterprise Linux 7

FreeIPA and SSSD. Free software identity management. Red Hat Developers Conference Jakub Hrozek Martin Nagy September 14, 2009

Red Hat Enterprise Linux 7

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Implementing the SSSD using SUSE Linux Enterprise Server 12 and Active Directory

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

Red Hat Enterprise Linux 7

Red Hat Enterprise Linux 6

DoD Common Access Card Authentication. Feature Description

Integrating AirWatch and VMware Identity Manager

VMware Identity Manager Administration

Subtitle: Join Sun Solaris Systems to Active Directory with Likewise

Red Hat Enterprise Linux 7

SDC EMEA 2019 Tel Aviv

Build an open hybrid cloud and paint it red and blue

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Office 365 and Azure Active Directory Identities In-depth

Liferay Security Features Overview. How Liferay Approaches Security

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

Storage Made Easy. SoftLayer

O365 Solutions. Three Phase Approach. Page 1 34

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Kerberos-enabled applications. Core services for UNIX shell programs and applications. Kerberos environment. Centrify DirectControl Service Library

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

OpenIAM Identity and Access Manager Technical Architecture Overview

the SWIFT Customer Security

TEN LAYERS OF CONTAINER SECURITY

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

OpenVMS Security Update 1M01

Storage Made Easy. Mirantis

Kerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

SAML-Based SSO Solution

The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure. Albert Law Solution Architect Manager

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

SAP Security in a Hybrid World. Kiran Kola

Cross-realm trusts with FreeIPA v3

Manage SAML Single Sign-On

Endpoint Protection with DigitalPersona Pro

Google Identity Services for work

Setting Up Identity Management

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware Tunnel Guide for Windows Installing the VMware Tunnel for your AirWatch environment

Securing ArcGIS Services

SAP Single Sign-On 2.0 Overview Presentation

Nicolas Williams Staff Engineer Sun Microsystems, Inc.

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Securing Containers Using a PNSC and a Cisco VSG

Kerberos and NFS4 on Linux. isginf Workshop

Securing Containers Using a PNSC and a Cisco VSG

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

AppController :28:18 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Single Sign-On Showdown

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

ISILON ONEFS WITH HADOOP KERBEROS AND IDENTITY MANAGEMENT APPROACHES. Technical Solution Guide

Linux Administration

VMware Tunnel Guide for Windows

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Developing Microsoft Azure Solutions (70-532) Syllabus

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

User Authentication Principles and Methods

VMware Tunnel on Windows. VMware Workspace ONE UEM 1810

Who s Protecting Your Keys? August 2018

Kerberos and Active Directory symmetric cryptography in practice COSC412

Enabling Smart Card Logon for Mac OS X Using Centrify Suite

VMware Tunnel Guide Deploying the VMware Tunnel for your AirWatch environment

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Migrating vrealize Automation 6.2 to 7.2

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

Cisco VCS Authenticating Devices

Single Secure Credential to Access Facilities and IT Resources

Transcription:

Identity Management In Red Hat Enterprise Linux Dave Sirrine Solutions Architect

Agenda Goals of the Presentation 2 Identity Management problem space What Red Hat Identity Management solution is about? What problems Identity Management solution solves? Benefits of the Red Hat Identity Management solution Identity Management solution architecture Provide examples of some real-world use cases that can be solved with the identity management capabilities Red Hat offers

Agenda Goals of the Presentation Or... 3 Understand what you want to know Answer your questions Help you to make decisions Establish a dialog

Identity Management Problem Space

What is Identity Management? What does this mean to you? What issues are you running into in this area? 5

Identity Management Problem Space There are four main problems we try to solve with IdM 6 Central management of identities Provide various authentication mechanisms Access control Central management of Linux policies

Identity Management Problem Space Main aspects Identities Where are my users stored? What properties do they have? How is this data made available to systems and applications? Authentication What credentials do my users use to authenticate? Passwords? Smart Cards? Special devices? Is there SSO? How can the same user access file stores and web applications without requiring re-authentication? 7

Identity Management Problem Space Main aspects, continued Access control Which users have access to which systems, services, applications? What commands can they run on those systems? What SELinux context is a user is mapped to? Policies What is the strength of the password? What are the automount rules? What are Kerberos ticket policies? 8

Red Hat Vision In the past each application had its own database, identity management solutions were copying data around for a system of record (HR systems usually) to all application databases This is hard to manage, keep secure and in sync and thus is a bad practice User, system and service accounts should be managed in the dedicated system and not copied around Single set of credentials instead of disjoint passwords copied around Policies for passwords and other credentials defined and enforced by one system Enterprise Single-Single-On 9

Benefits enables customers to: Significantly simplify their Identity Management infrastructure Meet modern compliance requirements like PCI DSS, USGCB, STIG Reduce the risk of unauthorized access or unauthorized privilege escalation Create a foundation for a highly dynamic and scalable, cloud and container capable, operational environment Automate deployment of new systems, VMs and containers with preconfigured identity, authentication and access control capabilities Reduce the cost of day-to-day operation 10

Benefits enables customers to: Minimize investment into the underlying infrastructure Improve user experience with enterprise wide single-sign-on across heterogeneous environment Enable tighter application integration into the identity management fabric Manage identity information and authentication credentials for users, services, systems and devices 11

What s new in 7.4

Updates to IdM in 7.4 13 Integration with external DNS providers through nsupdate FIPS 140-2 compliant SSSD Short Name support Improved Smart Card capabilities Map cards to AD user record Map a single smart card to multiple roles Custom attributing mapping

Overview of the Identity Management Components

Components of the Portfolio 15 (IdM) SSSD Certmonger Keycloak IdP Apache modules

Identity Management (IdM) Domain controller for Linux/UNIX environments Based on the FreeIPA open source project Combines LDAP, Kerberos, DNS and certificate management capabilities Provides centralized authentication, authorization and identity information for Linux/UNIX infrastructure Enables centralized policy and privilege escalation management Integrates with Active Directory on the server-to-server level 16

FreeIPA/IdM High Level Architecture Linux KDC UNIX PKI CLI/UI LDAP DNS Admin 17

Comparison Area 18 DS IdM Use General purpose LDAP server Domain controller for Linux/UNIX Extensibility Highly customizable Preconfigured data and object model Interfaces LDAP, command line tools, admin console Rich CLI, JSON RPC API, Web UI Schema & tree LDAPv3 compliant, tree design up to deployment Optimized for domain controller use case Authentication LDAP LDAP, Kerberos with SSO, Certificate based AD integration User synchronization Advanced integration via cross forest trusts Replication Up to 20 masters + unlimited read only replicas and hubs Up to 60 active masters Scalability Scales well beyond 100K objects Has limitations beyond 100K objects

Costs

What is the cost? All mentioned components and solutions are provided using Red Hat Enterprise Linux without extra charge No third party vendors involved Deployment is easy and integrated saves time The main cost is server side subscriptions, but one server can serve about 2-3K clients 20

Wrap-up

Resources Summary Linux Domain Identity, Authentication, and Policy Guide https://access.redhat.com/site/documentation/en-us/red_hat_enterpris e_linux/7/html/linux_domain_identity_authentication_and_policy_guide /index.html Windows Integration Guide https://access.redhat.com/site/documentation/en-us/red_hat_enterpri se_linux/7/html/windows_integration_guide/index.html System-Level Authentication Guide https://access.redhat.com/site/documentation/en-us/red_hat_enterpri se_linux/7/html/system-level_authentication_guide/index.html 22

Resources Summary FreeIPA Project wiki: www.freeipa.org Project trac: https://fedorahosted.org/freeipa/ Code: http://git.fedorahosted.org/git/?p=freeipa.git Mailing lists: freeipa-users@redhat.com freeipa-devel@redhat.com freeipa-interest@redhat.com SSSD: https://fedorahosted.org/sssd/ Mailing lists: sssd-devel@lists.fedorahosted.org sssd-users@lists.fedorahosted.org 23

Training Materials and Blogs Training http://www.freeipa.org/page/documentation#freeipa_training_series Blog aggregation http://planet.freeipa.org/ FreeIPA demo instance in the cloud http://www.freeipa.org/page/demo 24

Questions? Finally 25

SUPPORTING SLIDES

Use Cases and Challenges How can I provide centralized authentication? How to address Active Directory interoperability challenges? Can I define access control to hosts without copying configuration files? Can I manage SSH keys for users and hosts? Can I provide centralized SUDO, automount, SELinux user mappings? How can I provide certificates for services, hosts, devices and users? Is there a cost effective solution that provides strong authentication using OTP? Can I provide a smooth SSO experience for my users inside the enterprise? How can I integrate my applications into the same identity space? 27

SSSD (System Security Services Daemon) Client-side component Part of Red Hat Enterprise Linux and many other Linux distributions Allows connecting a system to the identity and authentication source of your choice Caches identity and policy information for offline use Capable of connecting to different sources of identity data at the same time 28

SSSD Architecture Simplified SSSD Client Client Client 29 PAM Responder Cache NSS Responder Identity Server Identity Provider Domain Provider Authenticatio n Provider Authentication Server

Certmonger Client side component Connects to central Certificate Server and requests certificates Tracks and auto renews the certificates it is tracking 30

Red Hat SSO Identity Provider implementation Allows federation between different applications using SAML, OIDC based SSO 31

Apache Modules Modules that can be integrated with Apache server Modules that support forms-based, Kerberos, certificate-based or SAML authentication We are working on OIDC authentication Authorization and identity data lookups are also possible using corresponding modules 32

Example Architecture Active Directory IdM Trust Linux System Browse r IdP Business Application Module s Admin 33 SSSD Certmong er

Centralized Authentication Steps: Consolidate your user accounts Load your user data into a IdM Connect your Linux/UNIX systems to IdM ipa-client-install IdM Why would I use IdM? Linux 34 Linux Linux Different authentication methods: LDAP, Kerberos, OTP, Certificates Integrated solution Easy to install and manage Integrates with AD Better security management for Linux hosts

Kerberos SSO Accessing a resource Service Ticket (ST) 3 Resource User Client TG (Principa T l) 2 Service Ticket (ST) 0 1 KDC (IdM) 35 Service (Principa l)

Kerberos Flow User logs into the system that is connected to a Kerberos server It can be: Kerberos KDC, Active Directory or IdM User authenticates (0) and gets a ticket granting ticket (TGT) from the Kerberos server User accesses a resource (for example NFS client) Kerberos library will request a service ticket from KDC (1-2) The ticket is presented to the service (for example NFS server) (3) The server decrypts ticket using its Kerberos key (stored in a keytab) Keys are distributed at installation/configuration time, and can be rotated as necessary 36

Connecting Systems AD Integration Options AD Windows Linux UNIX Direct Integration 37 IdM Windows Linux UNIX Indirect Integration

Integration Paths Overview User and password synchronization (not recommended) Cross forest trusts (recommended) 38

Synchronization Solution Overview 39 LDAP level synchronization AD is the authoritative source - one way sync No group synchronization, only users Only one domain can be synchronized Single point of failure - sync happens only on one replica Limited set of attributes is replicated Passwords need to captured and synced Requires a plugin on every AD DC Mismatch of password policies can lead to strange errors

IdM - AD Integration with Trust IdM PKI DNS LDA P Active Directory KDC KDC Linux System SSSD Policies Authentication sudo Identities HBAC automount 40 Name Resolution selinux Certificates/Keys ssh keys LDA P DNS PKI

IdM - AD Integration with Trust Chain IdM PKI DNS LDA P Active Directory KDC KDC Linux System SSSD Policies Authentication sudo Identities HBAC automount 41 Name Resolution selinux Certificates/Keys ssh keys LDA P DNS PKI

IdM - AD Integration with Trust Allocate a separate zone IdM PKI DNS LDA P KDC KDC Linux System SSSD Policies Authentication sudo Identities HBAC automount 42 Active Directory Name Resolution selinux Certificates/Keys ssh keys LDA P DNS PKI

IdM - AD Integration with Trust IdM Active Directory Cross Forest Trust PKI DNS LDA P KDC KDC Linux System SSSD Policies Authentication sudo Identities HBAC automount 43 Name Resolution selinux Certificates/Keys ssh keys LDA P DNS PKI

IdM - AD Integration with Trust IdM PKI DNS LDA P Active Directory KDC KDC Linux System SSSD Policies Authentication sudo Identities HBAC automount 44 Name Resolution selinux Certificates/Keys ssh keys LDA P DNS PKI

Trust Setup Active Directory Trust IdM Authenticati on Access to host/linux@idm admin@ad 45 linux@idm

Ticket Exchange Active Directory 1 - AS-REQ 2 - TGT Trust IdM 3 - Service 5 - Cross realm Ticket ticket 6 - Service ticket 4 - Cross realm host/linux@idm ticket user: admin@ad ticket: host/linux@idm admin@ad 46 linux@idm

Trust Details Allows users of one Forest to access resources in a different Forest provided the two Forest admins previously set up an agreement. The foundation of this agreement are cryptographic keys shared by the two Forests. Cross-forest trust are established by the root domains (only) Two-way and one-way trust (IdM trusts AD) AD/Samba DC trusting IdM is on the roadmap Trust agents (different behavior of different replicas) Migration from the sync to trust 47

User Mapping Details Can leverage SFU/IMU for POSIX (brown field) This functionality is deprecated by Microsoft Can do dynamic mapping of the SIDs to UIDs & GIDs (green field) Static override with ID views Other data can be overwritten too SSH Keys OTP & Certificates in future 48

Host Based Access Control IdM AD Host based access control: Which users or group of users can access Which hosts or groups of hosts Using which login services: console, ssh, sudo, ftp, sftp, etc. You define rules centrally Works with trusted AD users Linux 49 Linux Linux

SSH Key Management IdM Digest User public key SSH Linux A 50 Linux B Host public keys uploaded at the client installation time User can upload his public key to IdM manually When user SSHs from a system A the public key of to the target system B is delivered to system A (no manual validation of digest) User public key is automatically delivered to system B Works with trusted AD users

Smart Cards Problem Authentication using certificates on smart cards required mapping of the user identity in the certificate to the user on the operating system pam_pkcs11 was able to do mapping using local file which is not scalable pam_krb5 requires Kerberos extension in a certificate which is usually not there SSSD being the gateway and provider of different authentication methods against multiple identity sources did not support smart card authentication 51

Smart Cards Solution pam_pkcs11 and SSSD are fixed to do dynamic mapping of the certs to users via an LDAP lookup SSSD will be able to authenticate users that have certificates registered in IdM The certificate can be issued by an external CA SSSD might be able to authenticate users with certificates registered in AD (experimental) 52

Smart Cards Benefit Benefit: Customers can use IdM and SSSD to provide smart card based authentication into Linux environment using SSH The solution is now much easier to manage and is scalable Reference: https://fedorahosted.org/sssd/wiki/designdocs/smartcardauthenticatio nstep1 53

SUDO Integration IdM Commands ABC Linux 54 AD Commands KLMN Linux Commands XYZ Linux Centrally define commands and groups of commands Define which groups of users can run these commands or groups of commands on which hosts or groups of hosts Rules are enforced on client Rules are cached (in SSSD) Capability is integrated into the sudo utility Works with trusted AD users

SELinux Integration (user mapping) IdM AD Mappings can be defined centrally Allow different users on different systems have different SELinux context Default SELinux labels are available in IdM configuration Mappings are enforced on the client Mappings are cached (by SSSD) Works with trusted AD users unprivileged Linux 55 privileged Linux super privileged Linux

Automount Maps for US locatio n Linux in US File server (US) 56 IdM Maps for Japan locatio n Linux in Japan File server (Japan) Define direct or indirect maps Associate maps with a particular location Configure clients to pull data from that location (part of the LDAP tree) Maps are defined centrally Maps are applied on the client Maps are cached Maps are integrated with autofs

Certificate Management Subjects Users, hosts, devices, services Profiles Different certificates can have different extensions Virtual Sub-CAs (in works) A CA per a particular purpose Tracking and renewal of certificates using certmonger 57

Certificate Authentication IdM AD IdM user with a certificate or smart card AD user with a certificate or smart card in direct or indirect integration (in works) Certificate authentication into IdM UI/CLI (in works) Linux 58 Linux Linux

THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvide os

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback