Red Hat Enterprise Linux 6

Identity Management Guide

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Milan Navrátil

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Legal Notice

Copyright © 2016 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.


Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.
1. Introduction to Identity Management
1.1. IdM v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for Identity Management
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: SSSD
1.2.6. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About IdM Servers and Replicas
1.3.2. About IdM Clients
I. Installing Identity Management Servers and Services
2. Prerequisites for Installation
2.1. Supported Server Platforms
2.2. Hardware Recommendations
2.3. Software Requirements
2.4. System Prerequisites
2.4.1. DNS Records
2.4.2. Hostname and IP Address Requirements
2.4.3. Directory Server
2.4.4. System Files
2.4.5. System Ports
2.4.6. NTP
2.4.7. NSCD
2.4.8. Networking
3. Installing an IdM Server
3.1. Installing the IdM Server Packages
3.2. About ipa-server-install
3.3. Example: Running the Script Interactively and Silently
3.3.1. Basic Interactive Installation
3.3.2. Silent (Non-Interactive) Installation
3.4. Examples: Installing with Different CA Configurations
3.4.1. Installing with an Internal Root CA
3.4.2. Installing Using an External CA
3.4.3. Installing without a CA
3.5. Example: Configuring DNS Services within the IdM Domain
3.5.1. DNS Notes
3.5.2. Installing with an Integrated DNS
4. Setting up IdM Replicas
4.1. Planning the Server/Replica Topologies
4.2. Prerequisites for Installing a Replica Server
4.3. Installing the Replica Packages
4.4. Creating the Replica
4.5. Alternate Options for Creating a Replica
4.5.1. Different DNS Settings
4.5.2. Different CA Settings
4.5.3. Different Services
5. Setting up Systems as IdM Clients
5.1. What Happens in Client Setup
5.2. System Ports
5.3. Configuring a Linux System as an IdM Client
5.3.1. Installing the Client (Full Example)
5.3.2. Examples of Other Client Installation Options
5.4. Manually Configuring a Linux Client
5.4.1. Setting up an IdM Client (Full Procedure)
5.4.2. Other Examples of Adding a Host Entry
Adding Host Entries from the Web UI
Adding Host Entries from the Command Line
5.5. Setting up a Linux Client Through Kickstart
5.6. Performing a Two-Administrator Enrollment
5.7. Manually Unconfiguring Client Machines
6. Upgrading Identity Management
6.1. Upgrade Notes
6.2. Upgrading Packages
6.3. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
6.4. Testing Before Upgrading the IdM Server (Recommended)
7. Uninstalling IdM Servers and Replicas
8. The Basics of Managing the IdM Server and Services
8.1. Starting and Stopping the IdM Domain
8.2. About the IdM Client Tools
8.2.1. The Structure of the ipa Command
Adding, Editing, and Deleting Entries with ipa
Finding and Displaying Entries with ipa
Adding Members to Groups and Containers with ipa
8.2.2. Positional Elements in ipa Commands
8.2.3. Managing Entry Attributes with --setattr, --addattr, and --delattr
8.2.4. Using Special Characters with IdM Tools
8.2.5. Logging into the IdM Domain Before Running
8.3. Logging into IdM
8.3.1. Logging into IdM
8.3.2. Logging in When an IdM User Is Different Than the System User
8.3.3. Checking the Current Logged in User
8.3.4. Caching User Kerberos Tickets
8.4. Using the IdM Web UI
8.4.1. About the Web UI
8.4.2. Opening the IdM Web UI
8.4.3. Configuring the Browser
Configuring Firefox
Configuring Chrome
8.4.4. Using a Browser on Another System
8.4.5. Logging in with Simple Username/Password Credentials
8.4.6. Using the UI with Proxy Servers
8.5. Configuring an IdM Server to Run in a TLS 1.2 Environment
9. Identity: Managing Users and User Groups
9.1. Setting up User Home Directories
9.1.1. About Home Directories
9.1.2. Enabling the PAM Home Directory Module
9.1.3. Manually Mounting Home Directories
9.2. Managing User Entries
9.2.1. About Username Formats
9.2.2. Adding Users
From the Web UI
From the Command Line
9.2.3. Editing Users
From the Web UI
From the Command Line
9.2.4. Deleting Users
With the Web UI
From the Command Line
9.3. Managing Public SSH Keys for Users
9.3.1. About the SSH Key Format
9.3.2. Uploading User SSH Keys Through the Web UI
9.3.3. Uploading User SSH Keys Through the Command Line
9.3.4. Deleting User Keys
9.4. Changing Passwords
9.4.1. From the Web UI
9.4.2. From the Command Line
9.5. Enabling and Disabling User Accounts
9.5.1. From the Web UI
9.5.2. From the Command Line
9.6. Unlocking User Accounts After Password Failures
9.7. Smart Cards
9.7.1. Smart Card and Smart Card Reader Support in Identity Management
9.7.2. Exporting a Certificate From a Smart Card
9.7.3. Storing Smart Card Certificates for IdM Users
9.7.4. Smart Card Authentication on Identity Management Clients
Configuring Smart Card Authentication on an IdM Client
SSH Log in Using a Smart Card
9.8. Managing User Private Groups
9.8.1. Listing User Private Groups
9.8.2. Disabling Private Groups for a Specific User
9.8.3. Disabling Private Groups Globally
9.9. Managing Unique UID and GID Number Assignments
9.9.1. About ID Number Ranges
9.9.2. About ID Range Assignments During Installation
9.9.3. A Note on Conflicting ID Ranges
9.9.4. Adding New Ranges
9.9.5. Repairing Changed UID and GID Numbers
9.10. Managing User and Group Schema
9.10.1. About Changing the Default User and Group Schema
9.10.2. Applying Custom Object Classes to New User Entries
From the Web UI
From the Command Line
9.10.3. Applying Custom Object Classes to New Group Entries
From the Web UI
From the Command Line
9.10.4. Specifying Default User and Group Attributes
Viewing Attributes from the Web UI
Viewing Attributes from the Command Line
9.11. Managing User Groups
9.11.1. Types of Groups in IdM
9.11.2. Group Object Classes
Creating User Groups
Adding Group Members
Deleting User Groups
9.11.3. Searching for Users and Groups
Setting Search Limits
Setting Search Attributes
Searching for Groups Based on Type
10. Identity: Managing Hosts
10.1. About Hosts, Services, and Machine Identity and Authentication
10.2. About Host Entry Configuration Properties
10.3. Disabling and Re-enabling Host Entries
10.3.1. Disabling Host Entries
10.3.2. Re-enabling Hosts
10.4. Managing Public SSH Keys for Hosts
10.4.1. About the SSH Key Format
10.4.2. About ipa-client-install and OpenSSH
10.4.3. Uploading Host SSH Keys Through the Web UI
10.4.4. Adding Host Keys from the Command Line
10.4.5. Removing Host Keys
10.5. Setting Ethers Information for a Host
10.6. Renaming Machines and Reconfiguring IdM Client Configuration
10.7. Managing Host Groups
10.7.1. Creating Host Groups
Creating Host Groups from the Web UI
Creating Host Groups from the Command Line
10.7.2. Adding Host Group Members
Showing and Changing Group Members
Adding Host Group Members from the Web UI
Adding Host Group Members from the Command Line
11. Identity: Managing Services
11.1. Adding and Editing Service Entries and Keytabs
11.1.1. Adding Services and Keytabs from the Web UI
11.1.2. Adding Services and Keytabs from the Command Line
11.2. Adding Services and Certificates for Services
11.2.1. Adding Services and Certificates from the Web UI
11.2.2. Adding Services and Certificates from the Command Line
11.3. Storing Certificates in NSS Databases
11.4. Configuring Clustered Services
11.5. Using the Same Service Principal for Multiple Services
11.6. Disabling and Re-enabling Service Entries
11.6.1. Disabling Service Entries
11.6.2. Re-enabling Services
12. Identity: Delegating Access to Hosts and Services
12.1. Delegating Service Management
12.2. Delegating Host Management
12.3. Delegating Host or Service Management in the Web UI
12.4. Accessing Delegated Services
13. Identity: Integrating with NIS Domains and Netgroups
13.1. About NIS and Identity Management
13.2. Setting the NIS Port for Identity Management
13.3. Creating Netgroups
13.3.1. Adding Netgroups
With the Web UI
With the Command Line
13.3.2. Adding Netgroup Members
With the Web UI
With the Command Line
13.4. Exposing Automount Maps to NIS Clients
13.5. Migrating from NIS to IdM
13.5.1. Preparing Netgroup Entries in IdM
13.5.2. Enabling the NIS Listener in Identity Management
13.5.3. Exporting and Importing the Existing NIS Data
Importing User Entries
Importing Group Entries
Importing Host Entries
Importing Netgroup Entries
Importing Automount Maps
13.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
14. Identity: Integrating with Active Directory Through Cross-forest Trust (Technology Preview)
15. Identity: Integrating with Microsoft Active Directory Through Synchronization
15.1. Supported Windows Platforms
15.2. About Active Directory and Identity Management
15.3. About Synchronized Attributes
15.3.1. User Schema Differences between Identity Management and Active Directory
Values for cn Attributes
Values for street and streetAddress
Constraints on the initials Attribute
Requiring the surname (sn) Attribute
15.3.2. Active Directory Entries and RFC 2307 Attributes
15.4. Setting up Active Directory for Synchronization
15.4.1. Creating an Active Directory User for Sync
15.4.2. Setting up an Active Directory Certificate Authority
15.5. Managing Synchronization Agreements
15.5.1. Trusting the Active Directory and IdM CA Certificates
15.5.2. Creating Synchronization Agreements
15.5.3. Changing the Behavior for Syncing User Account Attributes
15.5.4. Changing the Synchronized Windows Subtree
15.5.5. Configuring Uni-Directional Sync
15.5.6. Deleting Synchronization Agreements
15.5.7. Winsync Agreement Failures
15.6. Managing Password Synchronization
15.6.1. Setting up the Windows Server for Password Synchronization
15.6.2. Setting up Password Synchronization
15.6.3. Allowing Users to Change Other Users' Passwords Cleanly
16. Identity: ID Views and Migrating Existing Environments to Trust
16.1. User Overrides and Group Overrides
16.2. Managing ID Views on the Server Side
16.3. ID Views on the Client Side
16.4. Migrating from the Synchronization-Based to the Trust-Based Solution
17. Identity: Managing DNS
17.1. About DNS in IdM
17.2. Using IdM and DNS Service Discovery with an Existing DNS Configuration
17.3. DNS Notes
17.4. Adding or Updating DNS Services After Installation
17.5. Setting up the rndc Service
17.6. Managing DNS Zone Entries
17.6.1. Adding Forward DNS Zones
From the Web UI
From the Command Line
17.6.2. Adding Additional Configuration for DNS Zones
DNS Zone Configuration Attributes
Editing the Zone Configuration in the Web UI
Editing the Zone Configuration in the Command Line
17.6.3. Adding Reverse DNS Zones
17.6.4. Enabling and Disabling Zones
Disabling Zones in the Web UI
Disabling Zones in the Command Line
17.6.5. Enabling Dynamic DNS Updates
Enabling Dynamic DNS Updates in the Web UI
Enabling Dynamic DNS Updates in the Command Line
17.6.6. Configuring Forwarders and Forward Policy
Configuring Forwarders in the UI
Configuring Forwarders in the Command Line
17.6.7. Enabling Zone Transfers
Enabling Zone Transfers in the UI
Enabling Zone Transfers in the Command Line
17.6.8. Defining DNS Queries
17.6.9. Synchronizing Forward and Reverse Zone Entries
Configuring Zone Entry Sync in the UI
Configuring Zone Entry Sync in the Command Line
17.6.10. Setting DNS Access Policies
Setting DNS Access Policies in the UI
Setting DNS Access Policies in the Command Line
17.7. Managing DNS Record Entries
17.7.1. Adding Records to DNS Zones
Adding DNS Resource Records from the Web UI
Adding DNS Resource Records from the Command Line
17.7.2. Deleting Records from DNS Zones
Deleting Records with the Web UI
Deleting Records with the Command Line
17.8. Configuring the bind-dyndb-ldap Plug-in
17.8.1. Changing the DNS Cache Setting
17.8.2. Disabling Persistent Searches
17.9. Changing Recursive Queries Against Forwarders
17.10. Resolving Hostnames in the IdM Domain
18. Policy: Using Automount
18.1. About Automount and IdM
18.2. Configuring Automount
18.2.1. Configuring NFS Automatically
18.2.2. Configuring autofs Manually to Use SSSD and Identity Management
18.2.3. Configuring Automount on Solaris
18.3. Setting up a Kerberized NFS Server
18.3.1. Setting up a Kerberized NFS Server
18.3.2. Setting up a Kerberized NFS Client
18.4. Configuring Locations
18.4.1. Configuring Locations through the Web UI
18.4.2. Configuring Locations through the Command Line
18.5. Configuring Maps
18.5.1. Configuring Direct Maps
Configuring Direct Maps from the Web UI
Configuring Direct Maps from the Command Line
18.5.2. Configuring Indirect Maps
Configuring Indirect Maps from the Web UI
Configuring Indirect Maps from the Command Line
18.5.3. Importing Automount Maps
19. Policy: Defining Password Policies
19.1. About Password Policies and Policy Attributes
19.2. Viewing Password Policies
19.2.1. Viewing the Global Password Policy
With the Web UI
With the Command Line
19.2.2. Viewing Group-Level Password Policies
With the Web UI
With the Command Line
19.2.3. Viewing the Password Policy in Effect for a User
19.3. Creating and Editing Password Policies
19.3.1. Creating Password Policies in the Web UI
19.3.2. Creating Password Policies with the Command Line
19.3.3. Editing Password Policies with the Command Line
19.4. Managing Password Expiration Limits
19.5. Changing the Priority of Group Password Policies
19.6. Setting Account Lockout Policies
19.6.1. In the UI
19.6.2. In the CLI
19.7. Enabling a Password Change Dialog
20. Policy: Managing the Kerberos Domain
20.1. About Kerberos
20.1.1. About Principal Names
20.1.2. About Protecting Keytabs
20.2. Setting Kerberos Ticket Policies
20.2.1. Setting Global Ticket Policies
From the Web UI
From the Command Line
20.2.2. Setting User-Level Ticket Policies
20.3. Refreshing Kerberos Tickets
20.4. Caching Kerberos Passwords
20.5. Removing Keytabs
21. Policy: Using sudo
21.1. About sudo and IPA
21.1.1. General sudo Configuration in Identity Management
21.1.2. sudo and Netgroups
21.1.3. Supported sudo Clients
21.2. Setting up sudo Commands and Command Groups
21.2.1. Adding sudo Commands
Adding sudo Commands with the Web UI
Adding sudo Commands with the Command Line
21.2.2. Adding sudo Command Groups
Adding sudo Command Groups with the Web UI
Adding sudo Command Groups with the Command Line
21.3. Defining sudo Rules
21.3.1. About External Users
21.3.2. About sudo Options Format
21.3.3. Defining sudo Rules in the Web UI
21.3.4. Defining sudo Rules in the Command Line
21.3.5. Suspending and Removing sudo Rules
21.4. Configuring Hosts to Use IdM sudo Policies
21.4.1. Applying the sudo Policies to Hosts Using SSSD
21.4.2. Applying the sudo Policies to Hosts Using LDAP
22. Policy: Configuring Host-Based Access Control
22.1. About Host-Based Access Control
22.2. Creating Host-Based Access Control Entries for Services and Service Groups
22.2.1. Adding HBAC Services
Adding HBAC Services in the Web UI
Adding Services in the Command Line
22.2.2. Adding Service Groups
Adding Service Groups in the Web UI
Adding Service Groups in the Command Line
22.3. Defining Host-Based Access Control Rules
22.3.1. Setting Host-Based Access Control Rules in the Web UI
22.3.2. Setting Host-Based Access Control Rules in the Command Line
22.4. Testing Host-Based Access Control Rules
22.4.1. The Limits of Host-Based Access Control Configuration
22.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
22.4.3. Testing Host-Based Access Control Rules in the UI
23. Policy: Group Policy Object Access Control
23.1. Configuring GPO-Based Access Control
24. Policy: Defining SELinux User Maps
24.1. About Identity Management, SELinux, and Mapping Users
24.2. Configuring SELinux User Map Order and Defaults
24.2.1. In the Web UI
24.2.2. In the CLI
24.3. Mapping SELinux Users and IdM Users
24.3.1. In the Web UI
24.3.2. In the CLI
25. Policy: Defining Automatic Group Membership for Users and Hosts
25.1. About Automembership
25.2. Defining Automembership Rules (Basic Procedure)
25.2.1. From the Web UI
25.2.2. From the CLI
25.3. Examples of Using Automember Groups
25.3.1. Setting an All Users/Hosts Rule
25.3.2. Defining Default Automembership Groups
25.3.3. Using Automembership Groups with Windows Users
26. Policy: Restricting Domains for PAM services
27. Configuration: Defining Access Control for IdM Users
27.1. About Access Controls for IdM Entries
27.1.1. A Brief Look at Access Control Concepts
27.1.2. Access Control Methods in Identity Management
27.2. Defining Self-Service Settings
27.2.1. Creating Self-Service Rules from the Web UI
27.2.2. Creating Self-Service Rules from the Command Line
27.2.3. Editing Self-Service Rules
27.3. Delegating Permissions over Users
27.3.1. Delegating Access to User Groups in the Web UI
27.3.2. Delegating Access to User Groups in the Command Line
27.4. Defining Role-Based Access Controls
27.4.1. Creating Roles
Creating Roles in the Web UI
Creating Roles in the Command Line
27.4.2. Creating New Permissions
Creating New Permissions from the Web UI
Creating New Permissions from the Command Line
27.4.3. Creating New Privileges
Creating New Privileges from the Web UI
Creating New Privileges from the Command Line
28. Configuration: Configuring IdM Servers and Replicas
28.1. Identity Management Files and Logs
28.1.1. A Reference of IdM Server Configuration Files and Directories
28.1.2. IdM Domain Services and Log Rotation
28.1.3. About default.conf and Context Configuration Files
28.1.4. Checking IdM Server Logs
Enabling Server Debug Logging
Debugging Command-Line Operations
28.2. Managing Certificates and Certificate Authorities
28.2.1. Renewing CA Certificates Issued by External CAs
The Renewal Procedure
28.2.2. Configuring Alternate Certificate Authorities
28.2.3. Changing Which Server Generates CRLs
28.2.4. Configuring OCSP Responders
Using an OCSP Responder with SELinux
Changing the CRL Update Interval
Changing the OCSP Responder Location
28.3. Disabling Anonymous Binds
28.4. Changing Domain DNS Configuration
28.4.1. Setting DNS Entries for Multi-Homed Servers
28.4.2. Setting up Additional Name Servers
28.4.3. Changing Load Balancing for IdM Servers and Replicas
28.5. Managing Replication Agreements Between IdM Servers
28.5.1. Listing Replication Agreements
28.5.2. Creating and Removing Replication Agreements
28.5.3. Forcing Replication
28.5.4. Reinitializing IdM Servers
28.5.5. Resolving Replication Conflicts
Solving Naming Conflicts
Solving Orphan Entry Conflicts
28.6. Removing a Replica
28.7. Renaming a Server or Replica Host System
29. Migrating from an LDAP Directory to IdM
29.1. An Overview of LDAP to IdM Migration
29.1.1. Planning the Client Configuration
Initial Client Configuration (Pre-Migration)
Recommended Configuration for Red Hat Enterprise Linux Clients
Alternative Supported Configuration
29.1.2. Planning Password Migration
Method 1: Using Temporary Passwords and Requiring a Change
Method 2: Using the Migration Web Page
Method 3: Using SSSD (Recommended)
Migrating Cleartext LDAP Passwords
Automatically Resetting Passwords That Do Not Meet Requirements
29.1.3. Migration Considerations and Requirements
LDAP Servers Supported for Migration
Migration Environment Requirements
Migration Tools
Migration Sequence
29.2. Examples for Using migrate-ds
29.2.1. Migrating Specific Subtrees
29.2.2. Specifically Including or Excluding Entries
29.2.3. Excluding Entry Attributes
29.2.4. Setting the Schema to Use
29.3. Scenario 1: Using SSSD as Part of Migration
29.4. Scenario 2: Migrating an LDAP Server Directly to Identity Management
A. Troubleshooting Identity Management
A.1. Installation Issues
A.1.1. Server Installation
A.1.1.1. GSS Failures When Running IPA Commands
A.1.1.2. named Daemon Fails to Start
A.1.2. Replica Installation
A.1.2.1. Certificate System setup failed.
A.1.2.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
A.1.2.3. The DNS forward record does not match the reverse address
A.1.3. Client Installations
A.1.3.1. The client can't resolve reverse hostnames when using an external DNS.
A.1.3.2. The client is not added to the DNS zone.
A.1.4. Uninstalling an IdM Client
A.2. UI Connection Problems
A.3. IdM Server Problems
A.3.1. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
A.4. Host Problems
A.4.1. Certificate Not Found/Serial Number Not Found Errors
A.4.2. Debugging Client Connection Problems
A.5. Kerberos Errors
A.5.1. Problems making connections with SSH when using GSS-API
A.5.2. There are problems connecting to an NFS server after changing a keytab
A.6. SELinux Login Problems
B. Working with certmonger
B.1. Requesting a Certificate with certmonger
B.2. Storing Certificates in NSS Databases
B.3. Tracking Certificates with certmonger
C. Revision History