Chapter 12. Authentication and Interoperability
Manual Backup and Restore Functionality
This update introduces the ipa-backup and ipa-restore commands to Identity Management (IdM), which allow users to manually back up their IdM data and restore it in case of a hardware failure. For further information, see the ipa-backup(1) and ipa-restore(1) manual pages or the documentation in the Linux Domain Identity, Authentication, and Policy Guide.
Support for Migration from WinSync to Trust
This update implements the new ID Views mechanism of user configuration. It enables the migration of Identity Management users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For the details of ID Views and the migration procedure, see the documentation in the Windows Integration Guide.
One-Time Password Authentication
One of the best ways to increase authentication security is to require two-factor authentication (2FA). A very popular option is to use one-time passwords (OTP). This technique began in the proprietary space, but over time open standards emerged (HOTP: RFC 4226, TOTP: RFC 6238). Identity Management in Red Hat Enterprise Linux 7.1 contains the first implementation of the standard OTP mechanism. For further details, see the documentation in the System-Level Authentication Guide.
SSSD Integration for the Common Internet File System
A plug-in interface provided by SSSD has been added to configure the way in which the cifs-utils utility conducts the ID-mapping process. As a result, an SSSD client can now access a CIFS share with the same functionality as a client running the Winbind service. For further information, see the documentation in the Windows Integration Guide.
Certificate Authority Management Tool
The ipa-cacert-manage renew command has been added to the Identity Management (IdM) client, which makes it possible to renew the IdM Certificate Authority (CA) file. This enables users to smoothly install and set up IdM using a certificate signed by an external CA. For details on this feature, see the ipa-cacert-manage(1) manual page.
Finer-Grained Access Control
It is now possible to regulate read permissions of specific sections in the Identity Management (IdM) server UI. This allows IdM server administrators to limit the accessibility of privileged content only to chosen users. In addition, authenticated users of the IdM server no longer have read permissions to all of its contents by default. These changes improve the overall security of the IdM server data.
Restricted Domain Access for Unprivileged Users
The domains= option has been added to the pam_sss module; it overrides the domains= option in the /etc/sssd/sssd.conf file. In addition, this update adds the pam_trusted_users option, which accepts a list of numerical UIDs or user names that are trusted by the SSSD daemon, and the pam_public_domains option, which specifies a list of domains accessible even to untrusted users. These additions make it possible to configure systems where regular users may access the specified applications but have no login rights on the system itself. For additional information on this feature, see the documentation in the Linux Domain Identity, Authentication, and Policy Guide.
Automatic Data Provider Configuration
The ipa-client-install command now configures SSSD as the data provider for the sudo service by default. This behavior can be disabled with the --no-sudo option. In addition, the --nisdomain option has been added to specify the NIS domain name for the Identity Management client installation, and the --no_nisdomain option has been added to prevent the NIS domain name from being set. If neither of these options is used, the IPA domain is used instead.
Use of AD and LDAP Sudo Providers
The AD provider is a back end used to connect to an Active Directory server. In Red Hat Enterprise Linux 7.1, using the AD sudo provider together with the LDAP provider is supported as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting to the domain section of the sssd.conf file.
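The pam_trusted_users, pam_public_domains and sudo_provider settings described in the two sections above all live in sssd.conf, and the domains= restriction lives on the pam_sss line of a PAM service file. The following added example (not Red Hat's or SSSD's code) parses a constructed sssd.conf, reports which users and domains are reachable by untrusted callers, flags a public domain that does not match any configured [domain/...] section, shows the effective sudo_provider per domain (including the sudo_provider=ad setting), and extracts the domains= list from a pam_sss line. The domain names are placeholders; the fallback of sudo_provider to id_provider and the special values all and none for pam_public_domains follow the sssd.conf(5) manual page.

```python
# Added example, not Red Hat's or SSSD's code: a read-only audit of the sssd.conf
# options described above (pam_trusted_users, pam_public_domains, sudo_provider)
# and of the domains= restriction on a pam_sss line. The configuration below is
# constructed for illustration; the domain names are placeholders.
import configparser
from typing import Dict, List

SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, sudo
domains = idm.example.com, ad.example.com

[pam]
# numerical UIDs or user names whose processes SSSD treats as trusted
pam_trusted_users = 0, sshd, 1001
# domains that even untrusted users may authenticate against
pam_public_domains = idm.example.com

[domain/idm.example.com]
id_provider = ipa
sudo_provider = ipa

[domain/ad.example.com]
id_provider = ad
# Technology Preview in RHEL 7.1: the AD sudo provider
sudo_provider = ad
"""

# pam_public_domains accepts two special values besides domain names (sssd.conf(5)).
PUBLIC_DOMAIN_KEYWORDS = {"all", "none"}


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style, so the standard parser is enough for a read-only audit."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    """Split a comma-separated sssd.conf value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def configured_domains(cp: configparser.ConfigParser) -> List[str]:
    """Domain names taken from the [domain/<name>] section headers."""
    return [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]


def audit_pam_access(cp: configparser.ConfigParser) -> Dict[str, List[str]]:
    """Report the [pam] trust settings and flag public domains that are not configured."""
    known = set(configured_domains(cp))
    trusted = _csv(cp.get("pam", "pam_trusted_users", fallback=""))
    public = _csv(cp.get("pam", "pam_public_domains", fallback=""))
    unknown = [d for d in public if d not in known and d not in PUBLIC_DOMAIN_KEYWORDS]
    return {"trusted_users": trusted, "public_domains": public, "unknown_public_domains": unknown}


def sudo_providers(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Effective sudo_provider per domain; SSSD falls back to id_provider when it is unset."""
    result = {}
    for name in configured_domains(cp):
        section = f"domain/{name}"
        fallback = cp.get(section, "id_provider", fallback="none")
        result[name] = cp.get(section, "sudo_provider", fallback=fallback)
    return result


def pam_sss_domains(pam_line: str) -> List[str]:
    """Domains allowed by a pam_sss line such as 'auth sufficient pam_sss.so domains=idm.example.com'."""
    fields = pam_line.split()
    if "pam_sss.so" not in fields:
        return []
    for field in fields[fields.index("pam_sss.so") + 1:]:
        if field.startswith("domains="):
            return _csv(field[len("domains="):])
    return []


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    print(audit_pam_access(conf))
    print(sudo_providers(conf))
    print(pam_sss_domains("auth sufficient pam_sss.so domains=idm.example.com"))
```

A mismatch between pam_public_domains and the configured domains is worth catching: a misspelled entry silently leaves untrusted users without access to the domain the administrator intended, while listing all exposes every domain. The per-service domains= list on the pam_sss line is the place to narrow access further for one application without changing the global sssd.conf.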
32-bit Version of krb5-server and krb5-server-ldap Deprecated
The 32-bit version of Kerberos 5 Server is no longer distributed, and the following packages are deprecated starting with Red Hat Enterprise Linux 7.1: krb5-server.i686, krb5-server.s390, krb5-server.ppc, krb5-server-ldap.i686, krb5-server-ldap.s390, and krb5-server-ldap.ppc. There is no need to distribute the 32-bit version of krb5-server on Red Hat Enterprise Linux 7, which is supported only on the following architectures: AMD64 and Intel 64 systems (x86_64), 64-bit IBM Power Systems servers (ppc64), and IBM System z (s390x).