7/28/2019 Rh-pdfFile (4) Identity Managemet
1/6
EXECUTIVE SUMMARY
In today's IT environment everything is growing, especially the number of users, systems, services, applications, and virtual machines. Manually managing user accounts, passwords, and access permissions on a machine-per-machine basis is no longer feasible in the era of virtualization and increased regulation. Most companies are still dealing with siloed identity stores that force users to remember multiple passwords and administrators to duplicate user provisioning across numerous systems and applications, all of which is time consuming, prone to error, and can lead to breaches in security and loss of productivity. IT organizations supporting Linux and UNIX environments are struggling to find a simple, secure, scalable, and affordable solution to centrally manage and authenticate identities and control and ensure authorized access to resources, applications, and data.
Unfortunately, most identity and access management solutions are complex, expensive to implement, and designed for homogeneous environments. None of these solutions is designed to use native Linux tools to support mixed Linux and UNIX environments. In addition, the expertise necessary to successfully implement and maintain even the simplest solution is generally lacking.
Identity Management in Red Hat Enterprise Linux provides a centralized and efficient way to manage identities for users, machines, and services within Linux and UNIX enterprise environments and provides a way to define system and Linux service access control policies to govern those identities.
Because Identity Management is integrated with Red Hat Enterprise Linux, it is easy and cost-effective to introduce identity and policy management into Linux and UNIX environments wherever you need it.
WHITEPAPER
Identity Management in Linux and UNIX Environments
Existing Solutions and Their Drawbacks
IT organizations previously had three options to manage identities and access: build solutions in-house, deploy proprietary third-party solutions, or attempt to integrate with an existing Microsoft Active Directory solution. All of these options have drawbacks that make them less than ideal.
Build In-house
In-house identity management projects are expensive, long-term projects that require large amounts of integration between protocols and applications to securely manage user authentication and authorization to applications and data. These environments frequently consist of an NIS domain to track machines, an LDAP directory for storing user identities, Kerberos for authentication, and sudo to manage access. Some organizations have deployed Kerberos to provide enterprise single sign-on capabilities. Sometimes this is combined with a central LDAP-based identity store, but the resulting solution is highly complex and requires constant effort to maintain consistency between the separate identity sources.
While these solutions can be powerful, they are complex to implement and maintain, not tightly integrated, and lack comprehensive tools or a Web GUI. As a result, this option requires a very high degree of expertise in LDAP and significant configuration and customization, which makes the solution costly and inflexible. In addition, while this option is adequate for managing identities, it is difficult to enact and manage policies for fine-grained access control.
Proprietary Solutions
A variety of software companies offer solutions to manage and enforce identity and access policies. These applications have been available for many years but also introduce a number of issues. First, while full-featured and powerful, these solutions are also complex and expensive. Smaller, proprietary point solutions do not fill every need and can be difficult to integrate with other point products and enterprise applications. As a result, many organizations limit deployment to specific high-risk machines, or only deploy pieces of the overall solution. Second, these solutions are large, proprietary applications that are difficult to enhance, customize, and integrate, which limits flexibility. Finally, identity data is often stored in a proprietary format that makes it difficult for other applications to reuse or analyze policy and audit data.
Integrating with Microsoft Active Directory
Many organizations already maintain a Microsoft Active Directory infrastructure to support their Windows environment and attempt to extend it to Linux or UNIX systems by making them members of the Active Directory domain. There are a number of open source and third-party solutions to accomplish this, but these are either limited or require additional investment. This approach is generally adequate for user authentication but not sufficient for policy, as it forces Windows policy concepts on to Linux and UNIX systems. In addition, the Linux and UNIX environments become completely dependent on the Active Directory administrators for updates and changes, which introduces delay, limits flexibility, and increases security risk.
Identity Management in Red Hat Enterprise Linux
Identity Management in Red Hat Enterprise Linux provides the tools to quickly install, configure, and centrally manage identity management servers in large and small Linux and UNIX enterprise environments, using Linux tools on Linux systems. It also provides the option to interoperate with Microsoft Active Directory. Integrated into Red Hat Enterprise Linux, Identity Management allows you to expand your use of Linux, at the same time reducing costs and administrative load, and raising compliance levels by implementing central authentication, an identity lookup service, and fine-grained access control.
Identity Management integrates capabilities from Kerberos, LDAP, DNS, and x.509 certificates to provide a reliable, scalable, simple-to-use, and secure identity management solution. While centralized identity/policy/authorization software is hardly new, Identity Management is one of the only options that supports Linux and UNIX domains using Linux tools.
Enhanced Security
Identity Management enhances security by helping to ensure that people have access only to the systems, services, and data that they need to perform their jobs. It provides the policies and mechanisms to authenticate users and machines and to authorize users to access corporate systems and data, thus preventing accidental or fraudulent use that could negatively impact the business. For example, backup administrators can be given root access to a small set of commands on a limited number of systems.
Because all data is centralized, a number of activities can be automated to increase security. For example:
User provisioning/deprovisioning: User accounts can be quickly provisioned, modified, or deactivated across all systems and services when users join, move within, or leave the organization. If integrated with Active Directory, user accounts that are disabled in one domain are disabled in the other.
Password policies: Password policies minimize risk by enforcing adequate complexity standards to thwart brute force attacks and to ensure passwords are changed frequently enough to mitigate the risk of someone revealing or discovering passwords. In addition, if also using Active Directory, passwords can be synchronized both ways.
Compliance: Identity Management helps organizations comply with corporate and governmental regulations by limiting access to applications and data and providing one traceable identity for all users.
Recertification: Sarbanes-Oxley (SOX) requires financial services firms, as well as other publicly-traded companies, to review every employee at least once a year to re-certify that they still need access to systems. Identity Management can provide a Web-based view of individuals and their access to make it easier for managers to verify employment status against HR records.
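The password-policy item above describes the controls in the abstract. The Python model below is an added example, not code from this whitepaper or from Identity Management itself; it shows what enforcing such a policy involves: complexity (minimum length and character classes), a reuse-history window, maximum and minimum password lifetime, and a failed-bind counter for lockout. The attribute names mirror the settings an IdM password policy exposes (minlength, minclasses, history, maxlife, minlife, maxfail); the checking logic, the sample user, and the timestamps are constructed for illustration.

```python
"""Model of the kind of password policy the text describes (complexity, rotation, lockout).

Added example, not code from the whitepaper or from Identity Management itself.
The attribute names mirror the knobs an IdM password policy exposes, but the
checks below are a self-contained stand-in for illustration, not the server's
enforcement code.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed "current time" so the sample below is reproducible.
SAMPLE_NOW = datetime(2011, 12, 1, 9, 0)


@dataclass(frozen=True)
class PasswordPolicy:
    minlength: int = 8      # minimum characters
    minclasses: int = 3     # classes drawn from: lower, upper, digit, other
    history: int = 5        # previous passwords that may not be reused
    maxlife: int = 90       # days after which the password must be rotated
    minlife: int = 1        # hours a new password must stay before changing again
    maxfail: int = 6        # consecutive failed binds before lockout


@dataclass
class UserRecord:
    name: str
    password_set: datetime
    history: list[str] = field(default_factory=list)   # digests, newest first
    failures: int = 0


def char_classes(password: str) -> int:
    """Count how many character classes the password draws from."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def _digest(password: str) -> str:
    # Constructed stand-in for the hashed password history the directory keeps.
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_password(policy, user, new_password, now=SAMPLE_NOW):
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if len(new_password) < policy.minlength:
        problems.append(f"shorter than {policy.minlength} characters")
    if char_classes(new_password) < policy.minclasses:
        problems.append(f"fewer than {policy.minclasses} character classes")
    if _digest(new_password) in user.history[:policy.history]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    if now - user.password_set < timedelta(hours=policy.minlife):
        problems.append(f"changed less than {policy.minlife}h ago")
    return problems


def password_expired(policy, user, now=SAMPLE_NOW):
    """True once the password is older than maxlife days and must be rotated."""
    return now - user.password_set > timedelta(days=policy.maxlife)


def apply_change(policy, user, new_password, now=SAMPLE_NOW):
    """Apply a change if allowed; the new digest enters the history window."""
    problems = check_new_password(policy, user, new_password, now)
    if not problems:
        user.history.insert(0, _digest(new_password))
        del user.history[policy.history:]
        user.password_set = now
        user.failures = 0
    return problems


def record_failure(policy, user):
    """Count a failed bind; returns True when the account reaches the lockout threshold."""
    user.failures += 1
    return user.failures >= policy.maxfail


def sample_user():
    """Constructed user whose current password is 100 days old."""
    return UserRecord("alice", SAMPLE_NOW - timedelta(days=100), [_digest("Old-Passw0rd!")])


if __name__ == "__main__":
    policy, alice = PasswordPolicy(), sample_user()
    print("expired:", password_expired(policy, alice))
    for candidate in ("short", "Old-Passw0rd!", "Fresh-Passw0rd!"):
        print(candidate, "->", apply_change(policy, alice, candidate) or "accepted")
    print("second change right away ->", apply_change(policy, alice, "Another-Passw0rd!"))
```

The minlife check is the part most often overlooked: without it a user can cycle through the history window in seconds and land back on the old password, which defeats the reuse rule entirely.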
Enterprise Single Sign-On
Identity Management provides the centralized user authentication required to implement enterprise single sign-on (ESSO). ESSO enables users to access many different enterprise resources after their initial log-in without having to log in to each resource. This streamlined access increases productivity and reduces password fatigue and help desk calls for forgotten passwords. If interoperability with Active Directory is enabled, users are authenticated when they log in to their desktop.
Identity Management adds Kerberos ESSO and LDAP to Linux, UNIX, and Mac systems in the way these systems expect. It also provides Kerberos-based out-of-the-box ESSO for any enterprise application that supports Kerberos or LDAP, including Samba, Apache, SSH, NFS, WebSphere, JBoss, Tomcat, SAP, Oracle, and MySQL.
Centralized Administration and Control
A major goal of Identity Management is to greatly reduce administrative overhead. This is accomplished by integrating all of the different applications together seamlessly, using a single and simplified tool set. Users, machines, services, and policies are all configured and managed in one place. A Web user interface and CLI provide a layer that unifies all of the services and simplifies administration tasks for managing users, systems, and security.
These interfaces allow management tasks to be automated and performed repeatedly in a consistent manner for greater efficiency and security. For example, identities are maintained on a central identity service represented by a group of replicating servers, and users and policies are uniformly applied to enrolled machines. And, because Identity Management creates a domain, multiple machines can all use the same configuration and the same resources simply by joining the domain. As a result, administrators are less dependent on complex scripts and senior administrators to manage user identities and access.
The centralized identity store of Identity Management also enables better control over who has access to which systems and resources. User accounts are consolidated, which makes it easier to enforce security policies. Integrated authorization enables you to control how and when users can access Linux and UNIX systems, and exactly which commands they can execute on those systems. This allows you to apply granular protection to enterprise resources. For example, you can configure end-user self service to allow end users to update their own personal profile information and change passwords. You can set different access levels for laptops and remote users, or you can restrict the hours of access for certain groups of users.
Finally, the Web user interface shows instant, visual relationships between entities, for example, all of the groups, access rules, and policies associated with a user. With this information, managers can see a list of staff and the access rights assigned to them, so they can better understand if there is a compromise, or determine if people have access to the tools and processes they need to perform their jobs.
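The controls described in this section (which users reach which hosts and services, during which hours, and with which commands) are what host-based access control and sudo rules express. The Python below is an added example, not the whitepaper's code and not Identity Management's own HBAC or sudo implementation: a small evaluator over constructed rules that grants or denies a request, handles an hours window that wraps past midnight, applies a central account disable everywhere at once, and lists the rules a user is covered by, which is the per-user relationship view the text mentions. The rule shape, group names, host names, and command paths are assumptions made for illustration.

```python
"""Toy evaluator for host-based access rules of the kind the text describes.

Added example; not the whitepaper's code and not Identity Management's own
HBAC/sudo implementation. The rule shape (user groups x host groups x services,
plus an hours window and a command allow-list) is assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    name: str
    user_groups: frozenset
    host_groups: frozenset
    services: frozenset                   # PAM service names, e.g. "sshd", "sudo"
    hours: tuple = (0, 24)                # allowed local hours, [start, end)
    commands: frozenset = frozenset()     # sudo only: absolute paths the rule grants

    def hour_allowed(self, hour):
        start, end = self.hours
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end   # window that wraps past midnight


class Directory:
    """Constructed stand-in for the central identity store: memberships and rules."""

    def __init__(self):
        self.user_groups = {}
        self.host_groups = {}
        self.rules = []
        self.disabled = set()

    def add_user(self, user, *groups):
        self.user_groups[user] = set(groups)

    def add_host(self, host, *groups):
        self.host_groups[host] = set(groups)

    def add_rule(self, rule):
        self.rules.append(rule)

    def disable_user(self, user):
        # One central change takes effect on every enrolled host at once.
        self.disabled.add(user)

    def rules_for_user(self, user):
        """Names of every rule a user is covered by: the per-user relationship view."""
        groups = self.user_groups.get(user, set())
        return sorted(r.name for r in self.rules if r.user_groups & groups)

    def allowed(self, user, host, service, hour, command=None):
        """Decide one access request; returns (decision, reason)."""
        if user in self.disabled:
            return False, "account disabled"
        ugroups = self.user_groups.get(user, set())
        hgroups = self.host_groups.get(host, set())
        denials = []
        for rule in self.rules:
            if not (rule.user_groups & ugroups and rule.host_groups & hgroups):
                continue
            if service not in rule.services:
                continue
            if not rule.hour_allowed(hour):
                denials.append(f"{rule.name}: outside allowed hours {rule.hours}")
                continue
            if service == "sudo" and command not in rule.commands:
                denials.append(f"{rule.name}: command not granted")
                continue
            return True, rule.name          # first rule that fully matches grants
        return False, "; ".join(denials) or "no matching rule"


def sample_directory():
    """Constructed sample: two groups, two host groups, three rules."""
    d = Directory()
    d.add_user("alice", "developers")
    d.add_user("bob", "backup-admins")
    d.add_host("build01", "build")
    d.add_host("db01", "databases")
    d.add_rule(AccessRule("dev-ssh", frozenset({"developers"}), frozenset({"build"}),
                          frozenset({"sshd"}), hours=(8, 20)))
    d.add_rule(AccessRule("backup-ssh", frozenset({"backup-admins"}), frozenset({"databases"}),
                          frozenset({"sshd"})))
    # Backup staff get root for a small command set on database hosts only.
    d.add_rule(AccessRule("backup-sudo", frozenset({"backup-admins"}), frozenset({"databases"}),
                          frozenset({"sudo"}),
                          commands=frozenset({"/usr/bin/rsync", "/usr/bin/tar"})))
    return d


if __name__ == "__main__":
    d = sample_directory()
    for req in [("alice", "build01", "sshd", 10), ("alice", "build01", "sshd", 22),
                ("bob", "db01", "sudo", 3, "/usr/bin/rsync"),
                ("bob", "db01", "sudo", 3, "/bin/bash")]:
        print(req, "->", d.allowed(*req))
    print("bob is covered by", d.rules_for_user("bob"))
```

Because the decision is computed from group membership at request time, removing a user from a group or disabling the account changes the answer on every host without touching per-machine files, which is the administrative point the section makes.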
Standards-Based Integrated Components
Identity Management provides an integrated, unified interface for the standards-based capabilities of Kerberos, LDAP, DNS and x.509 certificates to deliver a reliable, scalable, simple-to-use identity management solution. Although all of these components can be used individually to implement a solution, Identity Management in Red Hat Enterprise Linux is more flexible and easier to administer because it is designed and optimized for a single purpose: to manage identities.
Identity Management focuses on centrally managing identities (users and machines) and the policies that relate to those identities and their interactions. While it uses LDAP to store its data, Identity Management provides a purpose-built structure that defines a particular set of identity-related entry types and their relationships in detail.
The Identity Management server is deployed solely to manage identities, which produces a great deal of administrative simplicity. It provides a simple, one-command installation that also installs a Web server and Web application to manage the solution, an easy configuration process, and a unified set of commands. It also has a clearly defined role in the overall IT infrastructure. An Identity Management domain is easy to configure, join, and manage, and the functions that it serves, particularly identity and authentication tasks like enterprise SSO, are also easier to perform with Identity Management than with a more general-purpose directory server. In addition, the Identity Management server can easily be replicated to provide load balancing and high availability.
Identity Management creates an alternative to Active Directory for Linux and UNIX systems and provides administrators more control over identities in their Linux and UNIX environments. Identity Management takes over the role of Active Directory and provides authentication, authorization, and administration infrastructure to the rest of the enterprise, including Linux, UNIX, and Mac systems. Identity Management brings native control to Linux and UNIX servers, using native tools and applications, something that is not possible in Active Directory. Additionally, because Identity Management is Windows-aware, critical user data, including passwords, can be synchronized between Active Directory and Identity Management, preserving a centralized user store.
SALES AND INQUIRIES
LATIN AMERICA
+54 11 4329 7300
www.latam.redhat.com
NORTH AMERICA
1 888 REDHAT1
www.redhat.com
EUROPE, MIDDLE EAST AND AFRICA
00800 7334 2835
www.europe.redhat.com
ASIA PACIFIC
+65 6490 4200
www.apac.redhat.com
ABOUT RED HAT
Red Hat was founded in 1993 and is headquartered in Raleigh, NC. Today, with more than 60 offices around the world, Red Hat is the largest publicly traded technology company fully committed to open source. That commitment has paid off over time, for us and our customers, proving the value of open source software and establishing a viable business model built around the open source way.
Copyright 2011 Red Hat, Inc. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, and RHCE are trademarks of Red Hat, Inc., registered in the U.S. and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
#8529617_1211
Reduce Costs
Identity Management is integrated into Red Hat Enterprise Linux and does not require any additional subscription. When you use Identity Management, you eliminate the need to purchase third-party solutions to integrate Linux and UNIX users into Active Directory.
Other savings include:
Eliminates the cost of integration: Protocols, data, and access applications are already integrated and managed with a single tool.
Reduces help desk calls: A simple password reset tool helps reduce costs, as a large percentage of help desk calls are related to password resets. Self-service helps alleviate the strain on the help desk and the investment in human capital required to provide this kind of basic support.
Allows for faster deployment: New applications can be deployed faster and users can be provisioned faster. New employees need access to applications and resources as quickly as possible. Identity Management can be used to automate user provisioning and deprovisioning, which helps ensure that all tasks are completed as quickly as possible. Hosts and virtual machines can be provisioned faster by automatically enrolling and connecting them to the Identity Management server.
Reduces administrator costs: Frees IT administrators from manually managing security processes. Also increases productivity by enabling enterprise single sign-on.
Reduces training costs: Enables you to harness the power of LDAP, Kerberos, and Certificate Authority without extensive training and expertise.
For More Information
To learn more about Red Hat Enterprise Linux, contact your local sales person or visit redhat.com.