Recommendations for Identity Solution in Red Hat environment.

Latest response

My group continues to research solutions that will provide cost-savings, improve stability, ease-of-management, etc... Fortunately - we embrace Red Hat as the strategic platform.  

We have Red Hat Enterprise Storage, Red Hat Network Satellite, RH Cluster and are considering Red Hat Storage and CloudForms.

Currently we are researching the optimal solution for Identity Management.  Active Directory will ultimately be "the source".  

My question(s) are:

  • is Identity Management (formerly IPA) sufficive for our goals?  Or, should we put more consideration behind Red Hat Directory Services?
  • Are there any "future gotcha's" that we need to specifically consider in our selection?
  • Do you feel that if we make a decision at this point that a migration to another strategy would be considerably overwhelming? (i.e. if we chose IdM now, and decide to migrate to RHDS later)

At this point, I personally feel that IdM would be quite sufficient as we mostly need to only provide a password conduit back to AD and possibly automount.  However, I am worried that we may decide to implement something in the coming year that might cause some regret.

Thanks in advance!


I think IdM will be sufficient for your needs. RHDS is a complex beast which while very good is likely overkill if you just want to integrate with AD for authentication. IdM is moving forward fast. IPA 3.0 will ship with RHEL 6.4 which brings a number of improvements with the AD integration like you can actually run a separate Directory and link it with AD with a trust.

The critical questions you need to ask is "what are my goals for identity management" and "how big/complex is my authentication domain".

If you're simply looking for centralized authentication services using an Active Directory source - and you don't have an AD that's hundreds of thousands of objects in size or has lots of cross-realm trusts - then you don't have to mess around with anything all that complex nor do you have to add any additional modules to your identity-clients. All you have to do is leverage the in-built authentication modules. To get basic, centralized authentication management services on RHEL (Linux and most Unix platforms, in general, really) from AD, all you need to do is configure one client authentication module. You can chose any one of the built-in modules: OpenLDAP client; Kerberos client; or, Winbind client. It's dead-easy and requires no setup of additional servers, services or bridging-technologies.

About the only things that start to require add-on technologies are things like: your enterprise's Active Directory services contain tens of thousands of users and thousands of non-user objects that you wish to leverage; your enterprise's Active Directory service is part of a mult-domain forest and need to deal with cross-realm trusts; you want to do more than just authentication - that is, you want to do client policy management and other similar tasks by way of your centralized identity-management solution. At that point, you need to really know what all those other requirements are and identify solutions that will accommodate them. The various add-on products have price-points ranging from free to quite expensive - it all depends on the features and types of support you want.

We've just rolled out IdM to replace an old Fedora Directory Server. Found it does a pretty good job although there are a few niggles.
Lack of backup/restore commands is a pain for us. I ended up creating as fault tolerant a design as I could, with a master and 7 replicas dotted around the network. Would still like backup & restore to keep the BCP guys happy.
Current performance isn't stellar although I think there's an SELinux fix in the pipeline for RHEL 6.4.
The WebUI is OK, but should really be dynamic to my browser windows size.
Overall opinion is that it's a good opening play, but that there is work to do. I'd really like to see the Audit part of IPA started.