Identity Management Improvements in Red Hat Enterprise Linux 7.3: Part 2

In Part 1 of this series, we looked at core improvements for Identity Management (IdM) in Red Hat Enterprise Linux (RHEL) 7.3, as well as manageability and other improvements. In the second half, we’re going to look at interoperabilty, and Active Directory integration. 

Certificate Management

Enriched certificate management is an ongoing theme for several releases.

In the current release we focused on the following use case: assume you issue certificates for different purposes like devices, systems, services, VPNs, switches and so on, using IdM CA. If you have a single CA, all the certificates come from the same trust chain, so administrators have to explicitly limit the scope of the certificates to the environment they are used in to prevent cross pollination and misuse of the certificates issued for one purpose with a different service.

Getting all these access control rules right becomes a really complex task. It would have been much easier if one could just have a dedicated CA for each of the environments. But standing up a separate CA infrastructure is usually an even bigger task. Not anymore! With the SubCA feature one can create a dedicated CA with a couple of commands in seconds.

The second enhancement is the ability to authenticate using smart cards via SSSD and IdM, but this time with added support for Active Directory users coming from a trusted forest. In version 7.2, we introduced the ability to authenticate IdM users using certificates on smart cards when they log into the Linux systems configured with SSSD. This time we added the ability for Active Directory users in trusted forests to use their certificates when they are published to Active Directory or into ID override entries in IdM.

Making certificate related enhancements to bring more and more related functionality is a multi release plan. You will see more additions in this area when the next release arrives.

Interoperability

For some time, you have asked about making the IdM management API available. We were still not confident that it is ready, although we included an API browser into the IdM UI as an experimental feature. Finally, we made a set of changes that enables us to make the API publicly available. We take the commitment to support the IdM management API very seriously and want to make sure there are no issues that would force us to make incompatible changes.

This is why, in the Red Hat Enterprise Linux 7.3 release, we offer a technical preview of the IdM API. We plan to declare full support in one of the future releases. Your feedback and comments will be extremely valuable. To get more information about the IdM management API please read the knowledge base article we published last November on using the technology preview.

Many customers still have legacy UNIX systems and we often get questions about how to integrate these systems into the IdM ecosystem. While IdM can provide authentication via standard LDAP & Kerberos protocols and perform identity lookups via LDAP protocol, the access control capabilities implemented in IdM are not available to those UNIX systems.

To close this gap and provide a single central place for access control management across modern Linux and legacy UNIX systems, a new community project has been launched – pam_hbac.   This project offers a pam module that leverages IdM host-based-access-control rules. It is currently built for Solaris, FreeBSD  and Linux. This module is not included in Red Hat Enterprise Linux as it needs to be installed on other platforms and is not supported by Red Hat but rather by a community of open source developers. If you are interested in this project, please collaborate via GitHub. If you are interested in an AIX version, please contact your IBM representative and open an RFE with IBM.

As I have written some time ago, Red Hat has been working on the identity provider solution to allow federation and SSO for web applications using SAML and OpenID Connect protocols. Earlier this year, Red Hat released a fully supported solution called Red Hat SSO powered by the Keycloak community project. IdM in Red Hat Enterprise Linux 7.3 has been validated as a back end for RH SSO, in parallel to Active Directory and generic LDAP. However, we recommend waiting a bit until the next version of Red Hat SSO is released in several weeks. That version will include a tighter integration between IdP server and IdM/SSSD bringing a better user experience in complex setups.

Active Directory Integration

Clients in AD domains

Some customers that consider deploying IdM with Active Directory trusts face a challenge related to the names of the hosts. If LInux systems are deployed inside the same DNS domain as Active Directory domain controllers, moving to trusts would mean changing hostnames to a different domain when Kerberos SSO is expected to work between all the systems in the environment. In some cases renaming is possible, in some it is really hard. To discuss this issue in details and suggest some workarounds I put together a separate blog post.

Here I want to mention that while we took a look at what else can be done for this use case, we could not find anything that is in our power to improve in the current situation. Hosts can remain unchanged, but that would make it impossible to SSH into those hosts leveraging Kerberos based SSO. If this is acceptable then no name changes would be needed. At that point it becomes a deployment choice and would depend on the constraints and priorities of the specific customer environment.

External trust

The original implementation of IdM to AD trusts implies a full trust between IdM and the whole Active Directory forest. In some cases this is not desirable. Sometimes the users that should be exposed to IdM resources are isolated in a separate domain and it makes sense to have a direct trust with that specific domain rather than with the whole forest. IdM in Red Hat Enterprise Linux 7.3 now has the capability to establish trust with a selected Active Directory domain, rather than with the whole forest.

UPN Support

Users in Active Directory can have an arbitrary name assigned to them called User Principal Name (UPN). By default UPN is constructed from the domain name and user login name automatically, but in some cases it can explicitly be reconfigured. In this case, no assumptions can be made about the UPN name – it is just a string that can pretty much contain any value. SSSD was capable of working with arbitrarily UPN names in the direct integration scenario but was lacking the same flexibility in trust cases. This limitation has been addressed and SSSD can now handle arbitrary UPN names when connected to IdM in trust setup with AD.

Keytab Renewal

When a system is joined directly to Active Directory as a domain member, it has to adhere to key rotation policies. SSSD is now capable of automatically renewing its kerberos keys, following policies defined in Active Directory.

Password Change

In a trust setup, legacy UNIX and Linux systems are connected to a special LDAP compatibility view that exposes merged information between data coming from Active Directory and data stored in IdM. In the current release Active Directory and IdM users authenticating via legacy systems connected to the compatibility tree can change their user password when it expires. Password change via compatibility tree was not possible in the past.

As you can see in the last release, as in every release before, we have delivered a lot of new identity management capabilities. We would be glad to hear your input on the new and old features as well as your improvement requests. Comments are always welcome! Try it, use it, provide feedback. We are here to listen, build and make your day-to-day life easier.

  1. Can IDM do DHCP? I ask because I am a architect for an RH elite partner and it would GREATLY simplify my Sat6 designs if I can use IDM/IDM replicas as a DHCP capsule/provider to Sat6 like I do for DNS. This would COMPLETELY bypass the issue Sat6 has with not yet having multi-homed support so Capsules can be in multiple broadcast domains at once.

    When will RH make IDM it’d own product and spin it out from underneath RHEL? I miss the ID management track from the 2012 RHCA program! Now more than ever with IDM packing enough punch to have the possibility to finally KO ad for many shops!

    Do I still need to select RHEL for IDM based cases/questions?

    My current project is to learn enough IDM to get my Sat6 with Puppet and Hiera to build and configure IDM servers and replica servers so that my Puppet based builds of Sat6 built from a master Sat6 server can integrate to the new IDM servers.

    1. IdM does not include DHCP server. There is no plan to add it. We considered it but decided so far against it as many other services like Satellite already include DHCP so we do not want to duplicate efforts.
      SSSD is capable of doing automatic IP registration with DNS using Kerberos. This is the extent of it.

      IdM will be a part of RHEL and not a separate product for years to come. With containers its delivery cadence might change but this is not clear at the moment how and when.

      Unfortunately there is no dedicated training but there are some aspects of IdM included into other training modules.
      There are now some training available in the community around FreeIPA.

      There is a special integration between Satellite and IdM that allows automatically registering clients with IdM as they they are provisioned.

      Let me know how else can I help.

      Dmitri

      1. Dmitri,

        I will clarify why I was hoping to move DHCP away from Sat6 to a more centralized solution like IDM similar to what I have done for DNS. While Sat6 does do DHCP is does not yet as far as I know support multi-homing which you need if a sat/cap server needs to be in multiple broadcast domains. This is why I was hoping to NOT uase DHN or DHCP and have IDM as a better way to go. Similar products like QIP that do DHS also do DHCP. Also for distributed DHCP that has HA I was again hoping IDM could do it.

        Some things that puzzle me thopugh:

        1. Is IPV6 -REALLY- required? My current IDM install has “ipv6.disable=1” and has zero issues (I also removed ::1 from hosts).

        2. What is the Install DOCs talking about when they refer to a “master” domain for DNS that is just for IDM? In my lab I only have “homelinux.com” and no sub-domains and IDM is the master of that domain which is the same name of the realm and everything goes into that one domain. There are, of course multiple subnets and reverse zones in that one domain/realm though. Did I not set that up right?

        3. If I understand the concept of replicas right they are identical copies of the master but designated different so at any point (like if a master fails) I can just take any replica and “promote” it to master. Is my understanding correct? If so I see how this could come in handy for “moving” a master from say a KVM server to a new RHEV4 HA domain.

        4. Is there any plans to eventually allow IDM to be the CA for puppet? For now do I just somehow designate the Sat6/capsules as “child” CAs to IDM “(trust chain?). Do you have any DOC links on that. Unfortunately CAs and Certs is another topic I need to start from scratch on. In previous companies like most larger firms that “silo” was another teams domain.

        5. For most single domain sincle root CA cliets can IDM be the only CA/certificate system that generates all Org certs (including for things like ILOs, DRACs, app UIs, etc.) so nothing is self signed any longer? Self signing is becoming a llarger issue for each new browser release it seems.

        6. For IDM questions do I just open a “RHEL” support topic ticket?

        7. Are there any RHCA level exams covering IDM or do I need to look at outside places like identity management institute, CISSP, etc.?

        I am going through YouTube videos learning the basics about ID management concepts and then will start on IDM specifics. Ultimately I need to learn how to fully integrate Sat6, CFME, RHEV, RHEL, CEPH, Neutron, and eventually Openshift completely into IDM. There is so much to learn just in the ID management and IDM space its quite a lot to take on. Any links to concepts, design considerations, planning, etc. greatly appreciated.

        I would appreciate any web links you think may help in the learning process. Once I get the broad strokes down on ID management and IDM 7.x administration I will start creating puppet code to do IDM server and replica installs 100% automated using Hiera data which I already have complete for Sat6 builds. It will take me a while but eventually I will have most every Red Hat product being installed hands off start to finish with all configurations needed from one master Sat6 server using data from Hiera.

      2. 0. I understand the reasoning but IMO it would be easier to fix it in Satellite than add to IdM.
        1. IPV6 needs to be enabled in the kernel. Otherwise the libraries that do host name resolution fail. You do not need to use IPV6 addresses but Kernel should be IPV6 aware.
        2. Unlike AD where one DNZ zone = one Kerberos realm, IdM supports multiple DNS zones in one kerberos realm. The default zone created at the installation will match but you can create other zones.
        3. All the servers have same capabilities (but some components are optional, like DNS for example and can be added if needed). But only one server has the responsibility of being the main server. The first one you install is by default the “main” server. It performs to additional functions a) Publishes CRLs b) Tracks the renewal of the internal certs. Both this functions can be transitioned to any other replica of your choice (that has a CA component if you use CA at all). If you use a CA-less install there is no tracking of the certs and there is not publishing of CRLs since there is no CA so all replicas are effectively the same.
        4. Please open a support case and ask them to file and RFE. We would like to do this but we are waiting for request like yours to have justification.
        5. Well, it is the intent. If you see any limitations we would like to know and address them.
        6. Yes
        7. There are no dedicated training courses that Red Hat offers that IdM explicit but materials about it are included into other courses and exams. But looking at other places might also be a good idea. Filing an official request with Red Hat would also help to prioritize things.
        8. Maybe you should come to Red Hat Summit in early May in Boston and we should meet in person. I have some materials but they need context so talking through might be better.

      3. I am definitely going to be at Summit. As far as training materials I am trying to earn IDM start to finish similar to raking lvls 1,2,3 in the RHEL classes. The reason is I see IDM as the great hope of putting the lid on the AD coffin! And {YES} adding samba into IDM so native Ms clients auth right to AD is AWESOME and hopefully the nail for the coffin lid! I saw your last summit video outlining IDM roadmap. I work for a red hat ELITE partner and would LOVE to go to clients and tell them they can support the lone wolf’s Ms server and not need a hole set of new tools and such just to support one server. That is also why I plan to get sat6 to build win servers and desktops.

        One thing I am doing is creating puppet code that will install completely hands off end to end an IDM server then fully configure it hands off using only Hiera data. I did this already for Sat6 and before I add IDM integration code to the Sat6 puppet install I need to build a IDM server and replica that I can test the integration code against.

        As for IPv6 what symptoms should be seen when IPv6 is disabled. I ask because my IDM install is on an IPv6 fully disabled RHEL7 and so far I have had zero issues or errors but that might be because of my inexperience with IDM.

        I will open an RFE case for sat6 fully deferring all CA items to IDM for all capsules and let you know the case number.

      4. Please also create a case for use of Samba to manage Windows machines. This will be a very important driver to justify the effort.
        I think the install fails when you do not have IPv6 enabled. So I suspect the Kernel setting is there since your install did not fail.

        See you at Summit!

        Dmitri

      5. Case created to add Samba with justification:

        https://access.redhat.com/support/cases/#/case/01812953
        Case Title : IDM: Add Samba so that AD is no longer needed
        Case Number : 01812953
        Case Open Date : 2017-03-17 10:50:09
        Severity : 4 (Low)
        Problem Type : Feature / Enhancement Request

        By default every system I build via my lab Sat6 is IPv6 disabled so I can say for sure that when I installed IDM IPv6 was totally disabled but I saw no errors and still do not. I would like to see there be no requirement for IPv6 which I can open a case for if needed. I have yet to ever encounter or work for anyone who was even planning for IPv6 yet. Was the lack of any errors because I disabled via kernel param and not sysctl and that I also removed ::1 from hosts? I know that leaving ::1 in hosts will definitely cause issues if IPv6 is disabled.

      6. Steven, there is a difference between IPv6 stack being disabled at the kernel level and IPv6 addresses not added on interfaces. IdM uses recommended networking application practices described in manual page for ipv6 (man ipv6): an application should be using a single API to manage both IPv4 and IPv6 presence because IPv4 can be presented as mapped-on IPv6 address and both IPv4 and IPv6 share port namespace. However, this approach requires that IPv6 protocol support is enabled at the kernel level.

        Not using IPv6 is just fine. Not enabling IPv6 protocol support in your kernel is not good. Going forward more applications will follow the same approach and will be broken if kernel support for IPv6 protocol is disabled.

        When IPv6 protocol support is fully disabled in the kernel, IdM is will not be able to operate certain important plugins in its LDAP server. These plugins are required for interoperability with Active Directory.

        Dmitri (with help of Alexander Bokovoy)

      7. So then if I understand this right because I do not do anything with ad that is why I did not/am not seeing any errors and for my lab use disabling IPv6 via sysctl or “ipv6.disable=1” will not show any errors. It would only start showing errors if I added any ad support.

        Is that correct or will I run into issues as I use more IDM features not related to any ms integration?

        I have zero intentions of ever adding ad and not for a lack of trying/asking there is no chance at all anytime in the next year+ of getting Verizon to give me an IPv6 address of any kind so I just kept the lab IPv4 only to keep it simple.

      8. This level of details is a bit too low for me. I think you will be fine for now. If you start seeing issues and since it is a lab you will know that you might need to redeploy with IPv6 enabled down the road. Also as Alexander mentioned more components will over time will expect IPv6 so you might suddenly start seeing issues after an update in future. Just be prepared.
        You do not need to use IPv6 or get IPv6 address from Verizon you need Kernel to know that IPv6 exists in the world. This is what is required not the actual IPv6 configuration of the network.

      9. While searching YouTube I found a link which is exactly what I was looking for:

        https://github.com/freeipa/freeipa-workshop

        If you could please let me know of any other workshops or self-paced learning like this I would really appreciate it. I could not find anything IDM related on sumtotalsystems or dokeos

      10. There are a lot of materials on freeipa.org. HowTos and a link to demo.
        There is a good overview of the application integration approach that we promote: http://www.freeipa.org/page/Web_App_Authentication
        There are a lot of videos of demos that we created for Summits in the past.

        Installing IdM server and client https://drive.google.com/open?id=0B3tfpNCVjJdCTjM2NGpuR09hQzg
        HBAC https://drive.google.com/open?id=0B3tfpNCVjJdCZ2JBRURzaTBzOTA
        OTP https://drive.google.com/open?id=0B3tfpNCVjJdCZDY1a21IZ3pHTVk
        Authentication indicators https://drive.google.com/open?id=0B3tfpNCVjJdCTjJ4dTFFTzF5UnM
        Topology https://drive.google.com/open?id=0B3tfpNCVjJdCbG9STmdkOUJkMWc
        Smart card support https://drive.google.com/open?id=0B3tfpNCVjJdCZHJNOVA3cG1OMnM
        Establishing trust https://drive.google.com/open?id=0B3tfpNCVjJdCTHpocFh3QmtMeVk
        HBAC with trust https://drive.google.com/open?id=0B3tfpNCVjJdCb3llQ2w4RXRaWjg
        ID Views override https://drive.google.com/open?id=0B3tfpNCVjJdCTVVXSndPa1labkE
        Web application integration part 1 https://drive.google.com/open?id=0B3tfpNCVjJdCLXhvRGlTRWlhNUk
        Web application integration part 2 https://drive.google.com/open?id=0B3tfpNCVjJdCQUhjMFNSSnIzZGc
        Web integration application part 3 https://drive.google.com/open?id=0B3tfpNCVjJdCVFhCd3lnZ2dFWWs
        Developer environment https://drive.google.com/open?id=0B3tfpNCVjJdCMFVZNWNhcWFYaTg

        Also there will be a lab at the Summit this year too.

  2. Can you tell me what I should be asking our IBM rep to create a RFE for? Should I just be asking for support or development of pam_hbac or something more specific/generic? It was nice to meet you at Summit this year and have a chance to talk. Thank you for your help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s