Red Hat Enterprise Linux 6

Identity Management Guide

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Ella Deon Ballard

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Legal Notice

Copyright © 2013 Red Hat.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Identity and policy management, for both users and machines, is a core function for almost any enterprise environment. Identity Management (IdM, also referred to as IPA) provides a way to create an identity domain that allows machines to enroll to a domain and immediately access the identity information required for single sign-on and authentication services, as well as the policy settings that govern authorization and access. This guide covers all aspects of installing, configuring, and managing IdM domains, including both servers and clients. It is intended for IT and systems administrators.
1. Introduction to Identity Management
1.1. IdM v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for Identity Management
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: SSSD
1.2.6. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About IdM Servers and Replicas
1.3.2. About IdM Clients
I. Installing Identity Management Servers and Services
2. Prerequisites for Installation
2.1. Supported Server Platforms
2.2. Hardware Recommendations
2.3. Software Requirements
2.4. System Prerequisites
2.4.1. DNS Records
2.4.2. Hostname and IP Address Requirements
2.4.3. Directory Server
2.4.4. System Files
2.4.5. System Ports
2.4.6. NTP
2.4.7. NSCD
2.4.8. Networking
3. Installing an IdM Server
3.1. Installing the IdM Server Packages
3.2. About ipa-server-install
3.3. Example: Running the Script Interactively and Silently
3.3.1. Basic Interactive Installation
3.3.2. Silent (Non-Interactive) Installation
3.4. Examples: Installing with Different CA Configurations
3.4.1. Installing with an Internal Root CA
3.4.2. Installing Using an External CA
3.4.3. Installing without a CA
3.5. Example: Configuring DNS Services within the IdM Domain
3.5.1. DNS Notes
3.5.2. Installing with an Integrated DNS
4. Setting up IdM Replicas
4.1. Planning the Server/Replica Topologies
4.2. Prerequisites for Installing a Replica Server
4.3. Installing the Replica Packages
4.4. Creating the Replica
4.5. Alternate Options for Creating a Replica
4.5.1. Different DNS Settings
4.5.2. Different CA Settings
4.5.3. Different Services
5. Setting up Systems as IdM Clients
5.1. What Happens in Client Setup
5.2. System Ports
5.3. Configuring a Linux System as an IdM Client
5.3.1. Installing the Client (Full Example)
5.3.2. Examples of Other Client Installation Options
5.4. Manually Configuring a Linux Client
5.4.1. Setting up an IdM Client (Full Procedure)
5.4.2. Other Examples of Adding a Host Entry
Adding Host Entries from the Web UI
Adding Host Entries from the Command Line
5.5. Setting up a Linux Client Through Kickstart
5.6. Performing a Two-Administrator Enrollment
5.7. Manually Unconfiguring Client Machines
6. Upgrading Identity Management
6.1. Upgrade Notes
6.2. Upgrading Packages
6.3. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
6.4. Testing Before Upgrading the IdM Server (Recommended)
7. Uninstalling IdM Servers and Replicas
8. The Basics of Managing the IdM Server and Services
8.1. Starting and Stopping the IdM Domain
8.2. About the IdM Client Tools
8.2.1. The Structure of the ipa Command
Adding, Editing, and Deleting Entries with ipa
Finding and Displaying Entries with ipa
Adding Members to Groups and Containers with ipa
8.2.2. Positional Elements in ipa Commands
8.2.3. Managing Entry Attributes with --setattr, --addattr, and --delattr
8.2.4. Using Special Characters with IdM Tools
8.2.5. Logging into the IdM Domain Before Running
8.3. Logging into IdM
8.3.1. Logging into IdM
8.3.2. Logging in When an IdM User Is Different Than the System User
8.3.3. Checking the Current Logged in User
8.3.4. Caching User Kerberos Tickets
8.4. Using the IdM Web UI
8.4.1. Supported Web Browsers
8.4.2. About the Web UI
8.4.3. Opening the IdM Web UI
8.4.4. Configuring the Browser
8.4.5. Using a Browser on Another System
8.4.6. Logging in with Simple Username/Password Credentials
8.4.7. Using the UI with Proxy Servers
9. Identity: Managing Users and User Groups
9.1. Setting up User Home Directories
9.1.1. About Home Directories
9.1.2. Enabling the PAM Home Directory Module
9.1.3. Manually Mounting Home Directories
9.2. Managing User Entries
9.2.1. About Username Formats
9.2.2. Adding Users
From the Web UI
From the Command Line
9.2.3. Editing Users
From the Web UI
From the Command Line
9.2.4. Deleting Users
With the Web UI
From the Command Line
9.3. Managing Public SSH Keys for Users
9.3.1. About the SSH Key Format
9.3.2. Uploading User SSH Keys Through the Web UI
9.3.3. Uploading User SSH Keys Through the Command Line
9.3.4. Deleting User Keys
9.4. Changing Passwords
9.4.1. From the Web UI
9.4.2. From the Command Line
9.5. Enabling and Disabling User Accounts
9.5.1. From the Web UI
9.5.2. From the Command Line
9.6. Unlocking User Accounts After Password Failures
9.7. Managing User Private Groups
9.7.1. Listing User Private Groups
9.7.2. Disabling Private Groups for a Specific User
9.7.3. Disabling Private Groups Globally
9.8. Managing Unique UID and GID Number Assignments
9.8.1. About ID Number Ranges
9.8.2. About ID Range Assignments During Installation
9.8.3. A Note on Bad ID Ranges
9.8.4. Adding New Ranges
9.8.5. Repairing Changed UID and GID Numbers
9.9. Managing User and Group Schema
9.9.1. About Changing the Default User and Group Schema
9.9.2. Applying Custom Object Classes to New User Entries
From the Web UI
From the Command Line
9.9.3. Applying Custom Object Classes to New Group Entries
From the Web UI
From the Command Line
9.9.4. Specifying Default User and Group Attributes
Viewing Attributes from the Web UI
Viewing Attributes from the Command Line
9.10. Managing User Groups
9.10.1. Types of Groups in IdM
9.10.2. Group Object Classes
Creating User Groups
Adding Group Members
Deleting User Groups
9.10.3. Searching for Users and Groups
Setting Search Limits
Setting Search Attributes
Searching for Groups Based on Type
10. Identity: Managing Hosts
10.1. About Hosts, Services, and Machine Identity and Authentication
10.2. About Host Entry Configuration Properties
10.3. Disabling and Re-enabling Host Entries
10.3.1. Disabling Host Entries
10.3.2. Re-enabling Hosts
10.4. Managing Public SSH Keys for Hosts
10.4.1. About the SSH Key Format
10.4.2. About ipa-client-install and OpenSSH
10.4.3. Uploading Host SSH Keys Through the Web UI
10.4.4. Adding Host Keys from the Command Line
10.4.5. Removing Host Keys
10.5. Setting Ethers Information for a Host
10.6. Renaming Machines and Reconfiguring IdM Client Configuration
10.7. Managing Host Groups
10.7.1. Creating Host Groups
Creating Host Groups from the Web UI
Creating Host Groups from the Command Line
10.7.2. Adding Host Group Members
Showing and Changing Group Members
Adding Host Group Members from the Web UI
Adding Host Group Members from the Command Line
11. Identity: Managing Services
11.1. Adding and Editing Service Entries and Keytabs
11.1.1. Adding Services and Keytabs from the Web UI
11.1.2. Adding Services and Keytabs from the Command Line
11.2. Adding Services and Certificates for Services
11.2.1. Adding Services and Certificates from the Web UI
11.2.2. Adding Services and Certificates from the Command Line
11.3. Storing Certificates in NSS Databases
11.4. Configuring Clustered Services
11.5. Using the Same Service Principal for Multiple Services
11.6. Disabling and Re-enabling Service Entries
11.6.1. Disabling Service Entries
11.6.2. Re-enabling Service Entries
12. Identity: Delegating Access to Hosts and Services
12.1. Delegating Service Management
12.2. Delegating Host Management
12.3. Delegating Host or Service Management in the Web UI
12.4. Accessing Delegated Services
13. Identity: Integrating with NIS Domains and Netgroups
13.1. About NIS and Identity Management
13.2. Setting the NIS Port for Identity Management
13.3. Creating Netgroups
13.3.1. Adding Netgroups
With the Web UI
With the Command Line
13.3.2. Adding Netgroup Members
With the Web UI
With the Command Line
13.4. Exposing Automount Maps to NIS Clients
13.5. Migrating from NIS to IdM
13.5.1. Preparing Netgroup Entries in IdM
13.5.2. Enabling the NIS Listener in Identity Management
13.5.3. Exporting and Importing the Existing NIS Data
Importing User Entries
Importing Group Entries
Importing Host Entries
Importing Netgroup Entries
Importing Automount Maps
13.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
14. Identity: Integrating with Active Directory Through Cross-Realm Kerberos Trusts (TECH PREVIEW)
14.1. The Meaning of "Trust"
14.1.1. How Trust Works: Transparency Between Kerberos and DNS Realms
Components Involved in Trusts
Active Directory and Identity Management Directories
Different DNS-Trust Scenarios
Kerberos Realms, Authentication, and Authorization
14.1.2. Trust in Contrast to Synchronization
14.1.3. Active Directory Users and IdM Administration
14.2. Potential Behavior Issues with Active Directory Trust
14.2.1. Credential Cache and Selecting Active Directory Principals
14.2.2. Active Directory Users and IdM Features: sudo and Host-Based Access Control Policies
14.2.3. Potential Issues with Group Mapping and SIDs
14.3. Environment and Machine Requirements to Set Up Trusts
14.3.1. Supported Windows Platforms
14.3.2. Domain and Realm Names
14.3.3. NetBIOS Names
14.3.4. Integrated DNS
14.3.5. Firewalls and Ports
14.3.6. Clock Settings
14.3.7. Supported Username Formats
14.4. Setting up Trust with IdM as a DNS Subdomain of Active Directory
14.5. Setting up Trust with IdM and Active Directory in Different DNS Domains
14.6. Verifying That IdM Machines Have Resolvable Names
14.7. Creating IdM Groups for Active Directory Users
14.8. Setting PAC Types for Services
14.8.1. Setting Default PAC Types
14.8.2. Setting PAC Types for a Service
14.9. Using SSH from Active Directory Machines for IdM Resources
14.9.1. Username Requirements for SSH
14.9.2. Using SSH Without Passwords
14.10. Using Trust with Kerberized Web Applications
15. Identity: Integrating with Microsoft Active Directory Through Synchronization
15.1. Supported Windows Platforms
15.2. About Active Directory and Identity Management
15.3. About Synchronized Attributes
15.3.1. User Schema Differences between Identity Management and Active Directory
Values for cn Attributes
Values for street and streetAddress
Constraints on the initials Attribute
Requiring the surname (sn) Attribute
15.3.2. Active Directory Entries and RFC 2307 Attributes
15.4. Setting up Active Directory for Synchronization
15.4.1. Creating an Active Directory User for Sync
15.4.2. Setting up an Active Directory Certificate Authority
15.5. Managing Synchronization Agreements
15.5.1. Trusting the Active Directory and IdM CA Certificates
15.5.2. Creating Synchronization Agreements
15.5.3. Changing the Behavior for Syncing User Account Attributes
15.5.4. Changing the Synchronized Windows Subtree
15.5.5. Configuring Uni-Directional Sync
15.5.6. Deleting Synchronization Agreements
15.5.7. Winsync Agreement Failures
15.6. Managing Password Synchronization
15.6.1. Setting up the Windows Server for Password Synchronization
15.6.2. Setting up Password Synchronization
15.6.3. Allowing Users to Change Other Users' Passwords Cleanly
16. Identity: Managing DNS
16.1. About DNS in IdM
16.2. Using IdM and DNS Service Discovery with an Existing DNS Configuration
16.3. DNS Notes
16.4. Adding or Updating DNS Services After Installation
16.5. Setting up the rndc Service
16.6. Managing DNS Zone Entries
16.6.1. Adding Forward DNS Zones
From the Web UI
From the Command Line
16.6.2. Adding Additional Configuration for DNS Zones
DNS Zone Configuration Attributes
Editing the Zone Configuration in the Web UI
Editing the Zone Configuration in the Command Line
16.6.3. Adding Reverse DNS Zones
16.6.4. Enabling and Disabling Zones
Disabling Zones in the Web UI
Disabling Zones in the Command Line
16.6.5. Enabling Dynamic DNS Updates
Enabling Dynamic DNS Updates in the Web UI
Enabling Dynamic DNS Updates in the Command Line
16.6.6. Configuring Forwarders and Forward Policy
Configuring Forwarders in the UI
Configuring Forwarders in the Command Line
16.6.7. Enabling Zone Transfers
Enabling Zone Transfers in the UI
Enabling Zone Transfers in the Command Line
16.6.8. Defining DNS Queries
16.6.9. Synchronizing Forward and Reverse Zone Entries
Configuring Zone Entry Sync in the UI
Configuring Zone Entry Sync in the Command Line
16.6.10. Setting DNS Access Policies
Setting DNS Access Policies in the UI
Setting DNS Access Policies in the Command Line
16.7. Managing DNS Record Entries
16.7.1. Adding Records to DNS Zones
Adding DNS Resource Records from the Web UI
Adding DNS Resource Records from the Command Line
16.7.2. Deleting Records from DNS Zones
Deleting Records with the Web UI
Deleting Records with the Command Line
16.8. Configuring the bind-dyndb-ldap Plug-in
16.8.1. Changing the DNS Cache Setting
16.8.2. Disabling Persistent Searches
16.9. Changing Recursive Queries Against Forwarders
16.10. Resolving Hostnames in the IdM Domain
17. Policy: Using Automount
17.1. About Automount and IdM
17.2. Configuring Automount
17.2.1. Configuring NFS Automatically
17.2.2. Configuring autofs Manually to Use SSSD and Identity Management
17.2.3. Configuring Automount on Solaris
17.3. Setting up a Kerberized NFS Server
17.3.1. Setting up a Kerberized NFS Server
17.3.2. Setting up a Kerberized NFS Client
17.4. Configuring Locations
17.4.1. Configuring Locations through the Web UI
17.4.2. Configuring Locations through the Command Line
17.5. Configuring Maps
17.5.1. Configuring Direct Maps
Configuring Direct Maps from the Web UI
Configuring Direct Maps from the Command Line
17.5.2. Configuring Indirect Maps
Configuring Indirect Maps from the Web UI
Configuring Indirect Maps from the Command Line
17.5.3. Importing Automount Maps
18. Policy: Defining Password Policies
18.1. About Password Policies and Policy Attributes
18.2. Viewing Password Policies
18.2.1. Viewing the Global Password Policy
With the Web UI
With the Command Line
18.2.2. Viewing Group-Level Password Policies
With the Web UI
With the Command Line
18.2.3. Viewing the Password Policy in Effect for a User
18.3. Creating and Editing Password Policies
18.3.1. Creating Password Policies in the Web UI
18.3.2. Creating Password Policies with the Command Line
18.3.3. Editing Password Policies with the Command Line
18.4. Managing Password Expiration Limits
18.5. Changing the Priority of Group Password Policies
18.6. Setting Account Lockout Policies
18.6.1. In the UI
18.6.2. In the CLI
18.7. Enabling a Password Change Dialog
19. Policy: Managing the Kerberos Domain
19.1. About Kerberos
19.1.1. About Principal Names
19.1.2. About Protecting Keytabs
19.2. Setting Kerberos Ticket Policies
19.2.1. Setting Global Ticket Policies
From the Web UI
From the Command Line
19.2.2. Setting User-Level Ticket Policies
19.3. Refreshing Kerberos Tickets
19.4. Caching Kerberos Passwords
19.5. Removing Keytabs
20. Policy: Using sudo
20.1. About sudo and IPA
20.1.1. General sudo Configuration in Identity Management
20.1.2. sudo and Netgroups
20.1.3. Supported sudo Clients
20.2. Setting up sudo Commands and Command Groups
20.2.1. Adding sudo Commands
Adding sudo Commands with the Web UI
Adding sudo Commands with the Command Line
20.2.2. Adding sudo Command Groups
Adding sudo Command Groups with the Web UI
Adding sudo Command Groups with the Command Line
20.3. Defining sudo Rules
20.3.1. About External Users
20.3.2. About sudo Options Format
20.3.3. Defining sudo Rules in the Web UI
20.3.4. Defining sudo Rules in the Command Line
20.3.5. Suspending and Removing sudo Rules
20.4. Configuring Hosts to Use IdM sudo Policies
20.4.1. Applying the sudo Policies to Hosts Using LDAP
20.4.2. Applying the Configured sudo Policies to Hosts Using SSSD
21. Policy: Configuring Host-Based Access Control
21.1. About Host-Based Access Control
21.2. Creating Host-Based Access Control Entries for Services and Service Groups
21.2.1. Adding HBAC Services
Adding HBAC Services in the Web UI
Adding HBAC Services in the Command Line
21.2.2. Adding Service Groups
Adding Service Groups in the Web UI
Adding Service Groups in the Command Line
21.3. Defining Host-Based Access Control Rules
21.3.1. Setting Host-Based Access Control Rules in the Web UI
21.3.2. Setting Host-Based Access Control Rules in the Command Line
21.4. Testing Host-Based Access Control Rules
21.4.1. The Limits of Host-Based Access Control Configuration
21.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
21.4.3. Testing Host-Based Access Control Rules in the UI
22. Policy: Defining SELinux User Maps
22.1. About Identity Management, SELinux, and Mapping Users
22.2. Configuring SELinux User Map Order and Defaults
22.2.1. In the Web UI
22.2.2. In the CLI
22.3. Mapping SELinux Users and IdM Users
22.3.1. In the Web UI
22.3.2. In the CLI
23. Policy: Defining Automatic Group Membership for Users and Hosts
23.1. About Automembership
23.2. Defining Automembership Rules (Basic Procedure)
23.2.1. From the Web UI
23.2.2. From the CLI
23.3. Examples of Using Automember Groups
23.3.1. Setting an All Users/Hosts Rule
23.3.2. Defining Default Automembership Groups
23.3.3. Using Automembership Groups with Windows Users
24. Configuration: Defining Access Control for IdM Users
24.1. About Access Controls for IdM Entries
24.1.1. A Brief Look at Access Control Concepts
24.1.2. Access Control Methods in Identity Management
24.2. Defining Self-Service Settings
24.2.1. Creating Self-Service Rules from the Web UI
24.2.2. Creating Self-Service Rules from the Command Line
24.2.3. Editing Self-Service Rules
24.3. Delegating Permissions over Users
24.3.1. Delegating Access to User Groups in the Web UI
24.3.2. Delegating Access to User Groups in the Command Line
24.4. Defining Role-Based Access Controls
24.4.1. Creating Roles
Creating Roles in the Web UI
Creating Roles in the Command Line
24.4.2. Creating New Permissions
Creating New Permissions from the Web UI
Creating New Permissions from the Command Line
24.4.3. Creating New Privileges
Creating New Privileges from the Web UI
Creating New Privileges from the Command Line
25. Configuration: Configuring IdM Servers and Replicas
25.1. Identity Management Files and Logs
25.1.1. A Reference of IdM Server Configuration Files and Directories
25.1.2. IdM Domain Services and Log Rotation
25.1.3. About default.conf and Context Configuration Files
25.1.4. Checking IdM Server Logs
Enabling Server Debug Logging
Debugging Command-Line Operations
25.2. Managing Certificates and Certificate Authorities
25.2.1. Renewing CA Certificates Issued by External CAs
The Renewal Procedure
25.2.2. Configuring Alternate Certificate Authorities
25.2.3. Changing Which Server Generates CRLs
25.2.4. Configuring OCSP Responders
Using an OCSP Responder with SELinux
Changing the CRL Update Interval
Changing the OCSP Responder Location
25.3. Disabling Anonymous Binds
25.4. Changing Domain DNS Configuration
25.4.1. Setting DNS Entries for Multi-Homed Servers
25.4.2. Setting up Additional Name Servers
25.4.3. Changing Load Balancing for IdM Servers and Replicas
25.5. Managing Replication Agreements Between IdM Servers
25.5.1. Listing Replication Agreements
25.5.2. Creating and Removing Replication Agreements
25.5.3. Forcing Replication
25.5.4. Reinitializing IdM Servers
25.5.5. Resolving Replication Conflicts
Solving Naming Conflicts
Solving Orphan Entry Conflicts
25.6. Removing a Replica
25.7. Renaming a Server or Replica Host System
26. Migrating from an LDAP Directory to IdM
26.1. An Overview of LDAP to IdM Migration
26.1.1. Planning the Client Configuration
Initial Client Configuration (Pre-Migration)
Recommended Configuration for Red Hat Enterprise Linux Clients
Alternative Supported Configuration
26.1.2. Planning Password Migration
Method 1: Using Temporary Passwords and Requiring a Change
Method 2: Using the Migration Web Page
Method 3: Using SSSD (Recommended)
Migrating Cleartext LDAP Passwords
Automatically Resetting Passwords That Do Not Meet Requirements
26.1.3. Migration Considerations and Requirements
LDAP Servers Supported for Migration
Migration Environment Requirements
Migration Tools
Migration Sequence
26.2. Examples for Using migrate-ds
26.2.1. Migrating Specific Subtrees
26.2.2. Specifically Including or Excluding Entries
26.2.3. Excluding Entry Attributes
26.2.4. Setting the Schema to Use
26.3. Scenario 1: Using SSSD as Part of Migration
26.4. Scenario 2: Migrating an LDAP Server Directly to Identity Management
A. Troubleshooting Identity Management
A.1. Installation Issues
A.1.1. Server Installation
A.1.1.1. GSS Failures When Running IPA Commands
A.1.1.2. named Daemon Fails to Start
A.1.2. Replica Installation
A.1.2.1. Certificate System setup failed.
A.1.2.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
A.1.2.3. The DNS forward record does not match the reverse address
A.1.3. Client Installations
A.1.3.1. The client can't resolve reverse hostnames when using an external DNS.
A.1.3.2. The client is not added to the DNS zone.
A.1.4. Uninstalling an IdM Client
A.2. UI Connection Problems
A.3. IdM Server Problems
A.3.1. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
A.4. Host Problems
A.4.1. Certificate Not Found/Serial Number Not Found Errors
A.4.2. Debugging Client Connection Problems
A.5. Kerberos Errors
A.5.1. Problems making connections with SSH when using GSS-API
A.5.2. There are problems connecting to an NFS server after changing a keytab
A.6. SELinux Login Problems
B. Working with certmonger
B.1. Requesting a Certificate with certmonger
B.2. Storing Certificates in NSS Databases
B.3. Tracking Certificates with certmonger
C. Revision History