Embed Size (px)
Citation preview
LinuxCon North AmericaLinuxCon North America
Enterprise IdentityEnterprise IdentityManagement with OpenManagement with Open
Source ToolsSource Tools
Dmitri PalSr. Engineering Manager Red Hat, Inc.
09.16.2013
2 LinuxCon North America
Context
● What is identity management?
3 LinuxCon North America
Context
● What is identity management?
“Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
Wikipedia
4 LinuxCon North America
IdM Related Technologies
● Active Directory● Main identity management solution deployed
in more than 90% of the enterprises
● LDAP● OpenLDAP● 389 (RHDS)● OpenDS● ApacheDS● SunDS● eDirectory● ...
5 LinuxCon North America
IdM Related Technologies (cont)
● Kerberos● MIT implementation● Heimdal implementation
● Samba● An open source clone of Active Directory● A file server (Samba FS)● A client component to join Active Directory
(winbind)
● NIS
6 LinuxCon North America
IdM Related Technologies (cont)
● Web related technologies● OpenID● OAuth● SAML● WS-...
● Strong authentication● Smart cards● One Time Passwords (OTP)
7 LinuxCon North America
Active Directory vs. Open Source
● Why is Active Directory so popular?● It is an integrated solution● It is relatively easy to use● Offers a simple configuration for clients● All the complexity is hidden from users and
admins● Has comprehensive interfaces
8 LinuxCon North America
Active Directory vs. Open Source (2)
● What about Open Source tools?● Solve individual problems● Bag of technologies lacking integration● Hard to install and configure● Too many options exposed, which to choose?● Lack of good user interfaces
Is the situation really that bad?
9 LinuxCon North America
Introducing FreeIPA
● IPA stands for Identity, Policy, Audit● So far we have focused on identities and
related policies
● Main problems FreeIPA solves:● Central management of authentication and
identities for Linux clients better than stand - alone LDAP/Kerberos/NIS - based solutions
● Acts as a gateway between the Linux infrastructure and AD environment making infrastructure more manageable and more cost effective
10 LinuxCon North America
High Level Conceptual Architecture
KDC
LDAP CLI/GUI
Unix/Linux
Admin
PKI
DNS
11 LinuxCon North America
Features
● Centralized authentication via Kerberos or LDAP
● Identity management: ● Users, groups, hosts, host groups, netgroups,
services● Integrated identities
● Manageability:● Simple installation scripts for server and client● Rich CLI and web-based user interface● Pluggable and extensible framework for UI/CLI● Flexible delegation and administrative model
12 LinuxCon North America
Features (continued)
● Certificate provisioning for hosts and services
● Serving sets of automount maps to different clients
● Advanced features:● Host-based access control● Centrally-managed SUDO● Group-based password policies● Automatic management of private groups● Can act as NIS server for legacy systems● Painless password migration● Managed hosts
13 LinuxCon North America
Features (continued)
● Optional integrated DNS server
● Replication:● Supports multi-server deployment based on multi-
master replication● User replication with MS Active Directory● Flexibility in deploying Certificate Authorities on
different replicas● Compatibility with a broad set of clients
14 LinuxCon North America
Introducing SSSD
● SSSD is a service used to retrieve information from a central identity management system.
● SSSD connects a Linux system to a central identity store like:
● Active Directory● FreeIPA● Any other directory server
● Provides authentication and access control
15 LinuxCon North America
Introducing SSSD (continued)
● Multiple parallel sources of identity and authentication – domains
● All information is cached locally for offline use● Remote data center use case● Laptop or branch office system use case
● Advanced features for● FreeIPA integration● AD integration
16 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
Management Station
CLI
Browser
Certmonger
ipa-client
CAConfigures
Configures
nss_ldap
WEBUI
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Cert tracking &Cert tracking &provisioningprovisioning
Other mapsOther maps
Enrollment & un-enrollment Enrollment & un-enrollment
ManagementManagement
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
17 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDC
18 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDC
Managed host (client)
SSSD
AuthenticationAuthentication
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
19 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDC
Managed host (client)
SSSD
nss_ldap
AuthenticationAuthentication
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
Other mapsOther maps
20 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
Managed host (client)
SSSD
nss_ldap
AuthenticationAuthentication
Other mapsOther maps
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
21 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managed host (client)
SSSD
nss_ldap
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Other mapsOther maps
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
22 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managed host (client)
SSSD
CA
nss_ldap
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Other mapsOther maps
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
23 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
CA
nss_ldap
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Other mapsOther maps
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
24 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
Management Station
CLI
Browser
CA
nss_ldap
WEBUI
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Other mapsOther maps
ManagementManagement
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
25 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
Management Station
CLI
Browser
CertmongerCA
nss_ldap
WEBUI
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Cert tracking &Cert tracking &provisioningprovisioning
Other mapsOther maps
ManagementManagement
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
26 LinuxCon North America
Identity Management Under the HoodFreeIPA Core
DirectoryServer
KerberosKDCNTP
DNS
Managementframework
Managed host (client)
SSSD
Management Station
CLI
Browser
Certmonger
ipa-client
CAConfigures
Configures
nss_ldap
WEBUI
AuthenticationAuthentication
Name lookupsName lookupsand serviceand servicediscoverydiscovery
Cert tracking &Cert tracking &provisioningprovisioning
Other mapsOther maps
Enrollment & un-enrollment Enrollment & un-enrollment
ManagementManagement
Users, Groups, Users, Groups, Netgroups, HBACNetgroups, HBAC
27 LinuxCon North America
FreeIPA and Active Directory
● User and password synchronization● Cross realm Kerberos trusts
● Users in AD domain can access resources in a FreeIPA domain and vice verse
● A lot of use cases addressed and need to be addressed in future
● Complexity of transitive domains
28 LinuxCon North America
FreeIPA and Web Technologies
● Green field – not much has been done● What can be done:
● FreeIPA as an OpenID provider● Can be integrated with IdP to provide bridging
between ESSO and identity federation via mod_auth_kerb
29 LinuxCon North America
FreeIPA and Strong Authentication
● OTP support was recently introduced in FreeIPA
● First ever solution to provide OTP based ESSO via Kerberos
● Features● Proxy to external RADIUS server● Support of the TOTP tokens
30 LinuxCon North America
FreeIPA Future
● More cross project integration● Support of sophisticated AD integration use
cases● Polishing the OTP solution● User certificate and smart card support● Enhancements
● DHCP integration● Big backlog of RFEs
31 LinuxCon North America
FreeIPA and SSSD Communities
● Open● Friendly● Responsive● Welcoming
Come join us!
32 LinuxCon North America
Resources● FreeIPA
● Project wiki: www.freeipa.org
● Project trac: https://fedorahosted.org/freeipa/
● Code: http://git.fedorahosted.org/git/?p=freeipa.git
● Mailing lists:
● SSSD: https://fedorahosted.org/sssd/
● Mailing lists:
● Certmonger: https://fedorahosted.org/certmonger/
33 LinuxCon North America
Questions?
