Discovery and Affinity

Questions related to DNS and service discovery regularly come up during deployments of Identity Management (IdM) in Red Hat Enterprise Linux in a trust configuration with Active Directory. This blog article will shed some light of this aspect of the integration.

We will start with a description of the environment. Let us say that the Active Directory  environment consist of

Continue reading “Discovery and Affinity”

Direct, or Indirect, that is the Question…

In my last post I reviewed some of my observations from the RSA Security Conference. As mentioned, I enjoyed the opportunity to speak with conference attendees about Red Hat’s Identity Management (IdM) offerings. That said, I was quick to note that whether I’m out-and-about staffing an event or “back home” answering e-mails – one of the most frequently asked questions I receive goes something like this: “…I’m roughly familiar with both direct and indirect integration options… and I’ve read some of the respective ‘pros’ and ‘cons’… but I’m still not sure which approach to use… what should I do?” If you’ve ever asked a similar question – I have some good news – today’s post will help you to determine which option aligns best with your current (and future) needs.

Continue reading “Direct, or Indirect, that is the Question…”

SSSD vs Winbind

In a previous post, I compared the features and capabilities of Samba winbind and SSSD. In this post, I will focus on formulating a set of criteria for how to choose between SSSD and winbind. In general, my recommendation is to choose SSSD… but there are some notable exceptions.

Continue reading “SSSD vs Winbind”

New SSSD Features in Red Hat Enterprise Linux 7.1

This post is dedicated to the new SSSD features in Red Hat Enterprise Linux 7.1 that have significance when SSSD is used by itself (i.e. without IdM integration) – for example, when connecting directly to Active Directory (AD) or some other Directory Server.

Control Access to Linux Machines with Active Directory GPO

A common use case for managing computer-based access control in an Active Directory environment is through the use of GPO policy settings related to Windows Logon Rights. The Administrator who maintains a heterogeneous AD and Red Hat Enterprise Linux network without an IdM server has traditionally had to face the challenging task of centrally controlling access to the Linux machines without being able to update the SSSD configuration on each and every client machine.

In Red Hat Enterprise Linux 7.1, the Administrator is (now) able to

Continue reading “New SSSD Features in Red Hat Enterprise Linux 7.1”

Active Directory and Identity Management (IdM) Trusts – Exactly Where Are My Users?

As this is my sixth post on Identity Management I thought it would (first) be wise to explain (and link back to) my previous efforts.  My first post kicked off the series by outlining challenges associated with interoperability in the modern enterprise.  My second post explored  how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now.  My third post outlined the set of criteria with which one is able to examine various integration options.  And my most recent entries, post four and five, reviewed options for direct and indirect integration, respectively.

Delving deeper into the world of indirect integration (i.e. utilizing a trust-based approach) – two of the biggest questions are often: “Where are my users?” and “Where does authentication actually happen?” As opposed to a solution that relies upon synchronization

Continue reading “Active Directory and Identity Management (IdM) Trusts – Exactly Where Are My Users?”

Overview of Direct Integration Options

As mentioned in my previous post there are multiple ways to connect a Linux system to Active Directory (AD) directly. With this in mind, let us review the following list of options…

  • The legacy integration option: this is a solution where (likely older) native Linux tools are used to connect to an LDAP server of your choice (e.g. AD).
  • The traditional integration option: this is a solution based on Samba winbind.
  • The third-party integration option: this is a solution based on (proprietary) commercial software.
  • The contemporary integration option: this is a solution based on SSSD.

Legacy Integration Option

In the case of the legacy integration option (see figure above), a Linux system is connected to AD using LDAP for identity lookup and LDAP or Kerberos for authentication. It pretty much solves the problem of basic user authentication. That said, such a solution has the following significant limitations:

Continue reading “Overview of Direct Integration Options”

Aspects of Integration

In my previous post I reviewed the trends related to the integration of Linux systems into environments managed by Active Directory (AD). In this post I will review two integration options, namely: direct integration and indirect integration.

The direct option is, not surprisingly, when your systems are integrated into AD directly (i.e. your Linux systems communicate directly with AD), while the indirect option leverages an intermediary server (see figure below).

Continue reading “Aspects of Integration”

Closing the Integration Gap

This post is the second in a series of blog posts about integrating Linux systems into Active Directory environments. In the previous post we discussed dishwashers and, more seriously, some basic principles. In this post I will continue by exploring how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now.

Let’s start with a bit of history… before the advent of Active Directory, Linux and UNIX systems had developed ways to connect to, and interact with, a central LDAP server for identity look-up and authentication purposes. These connections were basic, but as the environments were not overly complex (in comparison to modern equivalents) – they were good enough for the time. Then… AD was born.

Active Directory not only integrated several services (namely: LDAP, Kerberos, and DNS) under one hood, but it also

Continue reading “Closing the Integration Gap”

An Introduction to Interoperability Challenges in the Modern Enterprise

Have you ever purchased a new dishwasher? For those of you who have, you know that the dishes don’t get washed until your “purchase” is picked-up/delivered, the old dishwasher is removed, and the new unit is hooked-up. In fact, until the new dishwasher is hooked-up, it simply doesn’t work. The dishwasher can be smart, stylish, noiseless, and/or energy-efficient… but none of this matters if it’s not properly connected. At the end of the day, if you want to enjoy the luxury of automatic dish washing, one thing is clear: your new dishwasher needs to be hooked-up.

The act of hooking-up a dishwasher is not unlike adding a Linux system to an existing enterprise IT environment. When you deploy a Linux system, it too needs to be “hooked-up”. As the data that flows through your environment consists of different kinds of objects (e.g. users, groups, hosts, and services) the associated identity information is not unlike the water in your dishwasher. Without this identity information

Continue reading “An Introduction to Interoperability Challenges in the Modern Enterprise”