This post is dedicated to the new SSSD features in Red Hat Enterprise Linux 7.1 that have significance when SSSD is used by itself (i.e. without IdM integration) – for example, when connecting directly to Active Directory (AD) or some other Directory Server.
Control Access to Linux Machines with Active Directory GPO
A common use case for managing computer-based access control in an Active Directory environment is through the use of GPO policy settings related to Windows Logon Rights. The Administrator who maintains a heterogeneous AD and Red Hat Enterprise Linux network without an IdM server has traditionally had to face the challenging task of centrally controlling access to the Linux machines without being able to update the SSSD configuration on each and every client machine.
In Red Hat Enterprise Linux 7.1, the Administrator is (now) able to
Continue reading “New SSSD Features in Red Hat Enterprise Linux 7.1”
As this is my sixth post on Identity Management I thought it would (first) be wise to explain (and link back to) my previous efforts. My first post kicked off the series by outlining challenges associated with interoperability in the modern enterprise. My second post explored how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now. My third post outlined the set of criteria with which one is able to examine various integration options. And my most recent entries, post four and five, reviewed options for direct and indirect integration, respectively.
Delving deeper into the world of indirect integration (i.e. utilizing a trust-based approach) – two of the biggest questions are often: “Where are my users?” and “Where does authentication actually happen?” As opposed to a solution that relies upon synchronization
Continue reading “Active Directory and Identity Management (IdM) Trusts – Exactly Where Are My Users?”
The main alternative to direct integration of Linux/UNIX systems into Active Directory (AD) environments is the indirect approach – where Linux systems are first connected to a central server and this server is then somehow connected to AD. This approach is not new. Over the years many environments have deployed LDAP servers to manage their Linux/UNIX systems (using this LDAP server) while users were stored in AD. To reconcile this issue and to enable users from AD to access Linux systems – users and their passwords were routinely synchronized from AD. While this approach is viable – it’s also quite limited and prone to error. In addition, there is little value in having a separate LDAP server. The only reason for such a setup is to have a separation of duties between Linux and Windows administrators. The net result is that the overhead is quite high while the value of such an approach is quite low.
When IdM (Identity Management in Red Hat Enterprise Linux based on FreeIPA technology) emerged, many environments were either considering direct integration or were “in-process” with respect to adoption. How, exactly, does IdM work? IdM provides
Continue reading “Overview of Indirect Active Directory Integration Using Identity Management (IdM)”
As mentioned in my previous post there are multiple ways to connect a Linux system to Active Directory (AD) directly. With this in mind, let us review the following list of options…
- The legacy integration option: this is a solution where (likely older) native Linux tools are used to connect to an LDAP server of your choice (e.g. AD).
- The traditional integration option: this is a solution based on Samba winbind.
- The third-party integration option: this is a solution based on (proprietary) commercial software.
- The contemporary integration option: this is a solution based on SSSD.
Legacy Integration Option
In the case of the legacy integration option (see figure above), a Linux system is connected to AD using LDAP for identity lookup and LDAP or Kerberos for authentication. It pretty much solves the problem of basic user authentication. That said, such a solution has the following significant limitations:
Continue reading “Overview of Direct Integration Options”
This post is the second in a series of blog posts about integrating Linux systems into Active Directory environments. In the previous post we discussed dishwashers and, more seriously, some basic principles. In this post I will continue by exploring how the integration gap between Linux systems and Active Directory emerged, how it was formerly addressed, and what options are available now.
Let’s start with a bit of history… before the advent of Active Directory, Linux and UNIX systems had developed ways to connect to, and interact with, a central LDAP server for identity look-up and authentication purposes. These connections were basic, but as the environments were not overly complex (in comparison to modern equivalents) – they were good enough for the time. Then… AD was born.
Active Directory not only integrated several services (namely: LDAP, Kerberos, and DNS) under one hood, but it also
Continue reading “Closing the Integration Gap”
It seems that the daily news is full of the fallout that results when companies fail to protect online identities. The ability to limit access to sensitive applications and information to the right people with the right credentials is critical to ensuring the overall security of your infrastructure; critical… but not always easy.
Until recently, options for centralized identity management for the Linux environment were limited. There was no turnkey domain controller-like solution for the Linux/UNIX environment. Some Linux shops integrated open source tools like Kerberos and DNS to create centralized Linux-based identity management, but this option could be time-consuming to develop and expensive to maintain. Others integrated Linux clients directly into Microsoft Active Directory, but this option limited their ability to take advantage of some useful native Linux functionality like sudo and automount.
Continue reading “Who Goes There? Identity Management in Red Hat Enterprise Linux 7 Beta”