Discovery and Affinity

Questions related to DNS and service discovery regularly come up during deployments of Identity Management (IdM) in Red Hat Enterprise Linux in a trust configuration with Active Directory. This blog article will shed some light of this aspect of the integration.

We will start with a description of the environment. Let us say that the Active Directory  environment consist of

Continue reading “Discovery and Affinity”

I Really Can’t Rename My Hosts!

Hello again! In this post I will be sharing some ideas about what you can do to solve a complex identity management challenge.

As the adoption of Identity Management (IdM) grows and especially in the case of heterogeneous environments where some systems are running Linux and user accounts are in the Active Directory (AD) – the question of renaming hosts becomes more and more relevant. Here is a set of requirements that we often hear from customers

Continue reading “I Really Can’t Rename My Hosts!”

Why Use SSSD Instead of a Direct LDAP Configuration for Applications?

In my Identity Management and Application Integration blog post I talk about how applications can make the most of the identity ecosystem. For example, a number of applications have integrated Apache modules and SSSD to provide a more flexible authentication experience.  Despite this progress – some (people) remain unconvinced. They wonder why they should use Apache modules and SSSD in conjunction with, for example, Active Directory instead of using a simple LDAP configuration… essentially asking: why bother?

Let’s look at this scenario in greater detail.  If an application supports

Continue reading “Why Use SSSD Instead of a Direct LDAP Configuration for Applications?”

Active Directory and Identity Management (IdM) Trusts – Exactly Where Are My Users?

As this is my sixth post on Identity Management I thought it would (first) be wise to explain (and link back to) my previous efforts.  My first post kicked off the series by outlining challenges associated with interoperability in the modern enterprise.  My second post explored  how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now.  My third post outlined the set of criteria with which one is able to examine various integration options.  And my most recent entries, post four and five, reviewed options for direct and indirect integration, respectively.

Delving deeper into the world of indirect integration (i.e. utilizing a trust-based approach) – two of the biggest questions are often: “Where are my users?” and “Where does authentication actually happen?” As opposed to a solution that relies upon synchronization

Continue reading “Active Directory and Identity Management (IdM) Trusts – Exactly Where Are My Users?”

Overview of Direct Integration Options

As mentioned in my previous post there are multiple ways to connect a Linux system to Active Directory (AD) directly. With this in mind, let us review the following list of options…

  • The legacy integration option: this is a solution where (likely older) native Linux tools are used to connect to an LDAP server of your choice (e.g. AD).
  • The traditional integration option: this is a solution based on Samba winbind.
  • The third-party integration option: this is a solution based on (proprietary) commercial software.
  • The contemporary integration option: this is a solution based on SSSD.

Legacy Integration Option

In the case of the legacy integration option (see figure above), a Linux system is connected to AD using LDAP for identity lookup and LDAP or Kerberos for authentication. It pretty much solves the problem of basic user authentication. That said, such a solution has the following significant limitations:

Continue reading “Overview of Direct Integration Options”

Closing the Integration Gap

This post is the second in a series of blog posts about integrating Linux systems into Active Directory environments. In the previous post we discussed dishwashers and, more seriously, some basic principles. In this post I will continue by exploring how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now.

Let’s start with a bit of history… before the advent of Active Directory, Linux and UNIX systems had developed ways to connect to, and interact with, a central LDAP server for identity look-up and authentication purposes. These connections were basic, but as the environments were not overly complex (in comparison to modern equivalents) – they were good enough for the time. Then… AD was born.

Active Directory not only integrated several services (namely: LDAP, Kerberos, and DNS) under one hood, but it also

Continue reading “Closing the Integration Gap”

An Introduction to Interoperability Challenges in the Modern Enterprise

Have you ever purchased a new dishwasher? For those of you who have, you know that the dishes don’t get washed until your “purchase” is picked-up/delivered, the old dishwasher is removed, and the new unit is hooked-up. In fact, until the new dishwasher is hooked-up, it simply doesn’t work. The dishwasher can be smart, stylish, noiseless, and/or energy-efficient… but none of this matters if it’s not properly connected. At the end of the day, if you want to enjoy the luxury of automatic dish washing, one thing is clear: your new dishwasher needs to be hooked-up.

The act of hooking-up a dishwasher is not unlike adding a Linux system to an existing enterprise IT environment. When you deploy a Linux system, it too needs to be “hooked-up”. As the data that flows through your environment consists of different kinds of objects (e.g. users, groups, hosts, and services) the associated identity information is not unlike the water in your dishwasher. Without this identity information

Continue reading “An Introduction to Interoperability Challenges in the Modern Enterprise”

Who Goes There? Identity Management in Red Hat Enterprise Linux 7 Beta

It seems that the daily news is full of the fallout that results when companies fail to protect online identities. The ability to limit access to sensitive applications and information to the right people with the right credentials is critical to ensuring the overall security of your infrastructure; critical… but not always easy.

Until recently, options for centralized identity management for the Linux environment were limited. There was no turnkey domain controller-like solution for the Linux/UNIX environment. Some Linux shops integrated open source tools like Kerberos and DNS to create centralized Linux-based identity management, but this option could be time-consuming to develop and expensive to maintain. Others integrated Linux clients directly into Microsoft Active Directory, but this option limited their ability to take advantage of some useful native Linux functionality like sudo and automount.

Continue reading “Who Goes There? Identity Management in Red Hat Enterprise Linux 7 Beta”