Red Hat Enterprise Linux 7

Linux Domain Identity, Authentication, and Policy Guide

Using Red Hat Identity Management in Linux Environments

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Legal Notice

Copyright © 2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract

Identity and policy management, for both users and machines, is a core function for most enterprise environments. Identity Management provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access.
In addition to this guide, you can find documentation on other features and services related to Red Hat Enterprise Linux Identity Management in the following guides:
The System-Level Authentication Guide documents different applications and services available to configure authentication on local systems, including the authconfig utility, the System Security Services Daemon (SSSD) service, the Pluggable Authentication Module (PAM) framework, Kerberos, the certmonger utility, and single sign-on (SSO) for applications.
The Windows Integration Guide documents how to integrate Linux domains with Microsoft Windows Active Directory (AD) using Identity Management. Among other topics, the guide covers various aspects of direct and indirect AD integration, using SSSD to access a Common Internet File System (CIFS), and the realmd system.
1. Introduction to Red Hat Identity Management
1.1. The Goal of Red Hat Identity Management
1.1.1. Examples of Benefits Brought by IdM
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. The Identity Management Domain
1.2.1. Identity Management Servers
1.2.1.1. Services Hosted by IdM Servers
1.2.2. Identity Management Clients
1.2.2.1. Services Hosted by IdM Clients
I. Installing Identity Management
2. Installing and Uninstalling an Identity Management Server
2.1. Prerequisites for Installing a Server
2.1.1. Hardware Recommendations
2.1.2. System Requirements
2.1.3. Host Name and DNS Configuration
2.1.4. Port Requirements
2.2. Packages Required to Install an IdM Server
2.3. Installing an IdM Server: Introduction
2.3.1. Determining Whether to Use Integrated DNS
2.3.2. Determining What CA Configuration to Use
2.3.3. Installing a Server with Integrated DNS
2.3.4. Installing a Server Without Integrated DNS
2.3.5. Installing a Server with an External CA as the Root CA
2.3.6. Installing Without a CA
2.3.7. Installing a Server Non-Interactively
2.4. Uninstalling an IdM Server
2.5. Renaming a Server
3. Installing and Uninstalling Identity Management Clients
3.1. Prerequisites for Installing a Client
3.2. Packages Required to Install a Client
3.3. Installing a Client
3.3.1. Installing a Client Interactively
3.3.2. Installing a Client Non-interactively
3.4. Setting up an IdM Client Through Kickstart
3.4.1. Pre-creating a Client Host Entry on the IdM Server
3.4.2. Creating a Kickstart File for the Client
3.5. Post-installation Considerations for Clients
3.5.1. Removing Pre-Identity Management Configuration
3.6. Testing the New Client
3.7. Uninstalling a Client
3.8. Re-enrolling a Client into the IdM Domain
3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
3.9. Renaming Client Machines
4. Installing and Uninstalling Identity Management Replicas
4.1. Explaining IdM Replicas
4.2. Deployment Considerations for Replicas
4.2.1. Distribution of Server Services in the Topology
4.2.2. Replica Topology Recommendations
4.2.2.1. Tight Cell Topology
4.3. Prerequisites for Installing a Replica
4.4. Packages Required to Install a Replica
4.5. Creating the Replica: Introduction
4.5.1. Promoting a Client to a Replica Using a Host Keytab
4.5.2. Installing a Replica Using a Random Password
4.5.3. Installing a Replica with DNS
4.5.4. Installing a Replica with a CA
4.5.5. Installing a Replica from a Server without a CA
4.6. Testing the New Replica
4.7. Uninstalling a Replica
II. The Basics of Managing an Identity Management Domain
5. The Basics of Managing the IdM Server and Services
5.1. Starting and Stopping the IdM Server
5.2. Logging into IdM Using Kerberos
5.3. The IdM Command-Line Utilities
5.3.1. Getting Help for ipa Commands
5.3.2. Setting a List of Values
5.3.3. Using Special Characters
5.3.4. Searching IdM Entries
5.3.4.1. Adjusting the Search Size and Time Limit
5.4. The IdM Web UI
5.4.1. Accessing the Web UI and Authenticating
5.4.2. Configuring the Browser for Kerberos Authentication
5.4.3. Configuring an External System for Kerberos Authentication to the Web UI
5.4.4. Proxy Servers and Port Forwarding in the Web UI
6. Managing Replication Topology
6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments
6.2. Web UI: Using the Topology Graph to Manage Replication Topology
6.2.1. Setting up Replication Between Two Servers
6.2.2. Stopping Replication Between Two Servers
6.3. Command Line: Managing Topology Using the ipa topology* Commands
6.3.1. Getting Help for Topology Management Commands
6.3.2. Setting up Replication Between Two Servers
6.3.3. Stopping Replication Between Two Servers
6.4. Removing a Server from the Topology
6.4.1. Web UI: Removing a Server from the Topology
6.4.2. Command Line: Removing a Server from the Topology
6.5. Managing Server Roles
6.5.1. Viewing Server Roles
6.5.2. Promoting a Replica to a Master CA Server
6.5.2.1. Changing the Current CA Renewal Master
6.5.2.2. Changing Which Server Generates CRLs
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
7. Displaying and Raising the Domain Level
7.1. Displaying the Current Domain Level
7.2. Raising the Domain Level
8. Updating and Migrating Identity Management
8.1. Updating Identity Management
8.1.1. Considerations for Updating Identity Management
8.1.2. Using yum to Update the Identity Management Packages
8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
8.2.5. Stop the Red Hat Enterprise Linux 6 Server
8.2.6. Next Steps After Migrating the Master CA Server
9. Backing Up and Restoring Identity Management
9.1. Full-Server Backup and Data-Only Backup
9.1.1. Creating a Backup
9.1.2. Encrypting Backup
9.1.3. List of Directories and Files Copied During Backup
9.2. Restoring a Backup
9.2.1. Restoring from the Full-Server or Data-Only Backup
9.2.2. Restoring with Multiple Master Servers
9.2.3. Restoring from an Encrypted Backup
III. Managing User and System Identities in a Linux Domain
10. Managing User Accounts
10.1. Setting up User Home Directories
10.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
10.1.2. Mounting Home Directories Manually
10.2. User Life Cycle
10.2.1. Adding Stage or Active Users
10.2.1.1. User Name Requirements
10.2.1.2. Defining a Custom UID or GID Number
10.2.2. Listing Users and Searching for Users
10.2.3. Activating, Preserving, Deleting, and Restoring Users
10.3. Editing Users
10.4. Enabling and Disabling User Accounts
10.5. Allowing Non-admin Users to Manage User Entries
10.6. Using an External Provisioning System for Users and Groups
10.6.1. Configuring User Accounts to Be Used by the External Provisioning System
10.6.2. Configuring IdM to Automatically Activate Stage User Accounts
10.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities
11. User Authentication
11.1. User Passwords
11.1.1. Changing and Resetting User Passwords
11.1.1.1. Web UI: Changing Your Own Personal Password
11.1.1.2. Web UI: Resetting Another User's Password
11.1.1.3. Command Line: Changing or Resetting Another User's Password
11.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
11.1.3. Unlocking User Accounts After Password Failures
11.1.3.1. Checking the Status of a User Account
11.2. One-Time Passwords
11.2.1. How OTP Authentication Works in IdM
11.2.1.1. OTP Tokens Supported in IdM
11.2.1.2. Available OTP Authentication Methods
11.2.1.3. GNOME Keyring Service Support
11.2.1.4. Offline Authentication with OTP
11.2.2. Enabling OTP Authentication
11.2.3. Adding a User-Managed Software Token
11.2.4. Adding a User-Managed YubiKey Hardware Token
11.2.5. Adding a Token for a User as the Administrator
11.2.6. Migrating from a Proprietary OTP Solution
11.2.7. Promoting the Current Credentials to Two-Factor Authentication
11.2.8. Resynchronizing an OTP Token
11.3. Restricting Access to Services and Hosts Based on How Users Authenticate
11.3.1. Configuring a Host or a Service to Require a Specific Authentication Method
11.4. Managing Public SSH Keys for Users
11.4.1. Generating an SSH Key
11.4.2. Uploading User SSH Keys
11.4.2.1. Web UI: Uploading User SSH Keys
11.4.2.2. Command Line: Uploading User SSH Keys
11.4.3. Deleting User Keys
11.4.3.1. Web UI: Deleting User SSH Keys
11.4.3.2. Command Line: Deleting User SSH Keys
11.5. Smart Cards
11.5.1. Smart Card and Smart Card Reader Support in Identity Management
11.5.2. Exporting a Certificate From a Smart Card
11.5.3. Storing Smart Card Certificates for IdM Users
11.5.4. Smart Card Certificates in a Trusted Active Directory Environment
11.5.5. Smart Card Authentication on Identity Management Clients
11.5.5.1. Configuring Smart Card Authentication on an IdM Client
11.5.5.2. SSH Log in Using a Smart Card
11.6. User Certificates
12. Managing Hosts
12.1. About Hosts, Services, and Machine Identity and Authentication
12.2. About Host Entry Configuration Properties
12.3. Adding Host Entries
12.3.1. Adding Host Entries from the Web UI
12.3.2. Adding Host Entries from the Command Line
12.4. Disabling and Re-enabling Host Entries
12.4.1. Disabling Host Entries
12.4.2. Re-enabling Hosts
12.5. Managing Public SSH Keys for Hosts
12.5.1. About the SSH Key Format
12.5.2. About ipa-client-install and OpenSSH
12.5.3. Uploading Host SSH Keys Through the Web UI
12.5.4. Adding Host Keys from the Command Line
12.5.5. Removing Host Keys
12.6. Setting ethers Information for a Host
13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
13.1.3. Direct and Indirect Group Members
13.1.4. User Group Types in IdM
13.1.5. User and Host Groups Created by Default
13.2. Adding and Removing User or Host Groups
13.3. Adding and Removing User or Host Group Members
13.4. Disabling User Private Groups
13.4.1. Creating a User without a User Private Group
13.4.2. Disabling User Private Groups Globally for All Users
13.4.3. Adding a User with User Private Groups Disabled
13.5. Setting Search Attributes for Users and User Groups
13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
13.6.1.2. Benefits of Automatic Group Membership
13.6.1.3. Automember Rules
13.6.2. Adding an Automember Rule
13.6.3. Applying Automember Rules to Existing Users and Hosts
13.6.4. Configuring a Default Automember Group
14. Unique UID and GID Number Assignments
14.1. ID Ranges
14.2. ID Range Assignments During Installation
14.3. Displaying Currently Assigned ID Ranges
14.4. Automatic ID Range Extension After Deleting a Replica
14.5. Manual ID Range Extension and Assigning a New ID Range
14.6. Ensuring That ID Values Are Unique
14.7. Repairing Changed UID and GID Numbers
15. User and Group Schema
15.1. About Changing the Default User and Group Schema
15.2. Applying Custom Object Classes to New User Entries
15.2.1. From the Web UI
15.2.2. From the Command Line
15.3. Applying Custom Object Classes to New Group Entries
15.3.1. From the Web UI
15.3.2. From the Command Line
15.4. Specifying Default User and Group Attributes
15.4.1. Viewing Attributes from the Web UI
15.4.2. Viewing Attributes from the Command Line
16. ID Views
16.1. Attributes an ID View Can Override
16.2. Getting Help for ID View Commands
16.3. Defining a Different Attribute Value for a User Account on Different Hosts
16.3.1. Web UI: Overriding an Attribute Value for a Specific Host
16.3.2. Command Line: Overriding an Attribute Value for a Specific Host
17. Managing Services
17.1. Adding and Editing Service Entries and Keytabs
17.1.1. Adding Services and Keytabs from the Web UI
17.1.2. Adding Services and Keytabs from the Command Line
17.2. Configuring Clustered Services
17.3. Using the Same Service Principal for Multiple Services
17.4. Retrieve Existing Keytabs for Multiple Servers
17.5. Disabling and Re-enabling Service Entries
17.5.1. Disabling Service Entries
17.5.2. Re-enabling Services
18. Delegating User Access to Hosts and Services
18.1. Delegating Service Management
18.2. Delegating Host Management
18.3. Delegating Host or Service Management in the Web UI
18.4. Accessing Delegated Services
19. Performance Tuning for Bulk Provisioning of Entries
20. Managing Certificates for Users, Hosts, and Services
20.1. Managing Certificates with the Integrated IdM CAs
20.1.1. Requesting New Certificates for a User, Host, or Service
20.1.2. Revoking Certificates with the Integrated IdM CAs
20.1.3. Restoring Certificates with the Integrated IdM CAs
20.2. Managing Certificates Issued by External CAs
20.2.1. Command Line: Adding and Removing Certificates Issued by External CAs
20.2.2. Web UI: Adding and Removing Certificates Issued by External CAs
20.3. Listing and Displaying Certificates
20.4. Certificate Profiles
20.4.1. Certificate Profile Management from the Command Line
20.4.2. Certificate Profile Management from the Web UI
20.4.3. Upgrading IdM Servers with Certificate Profiles
20.5. Certificate Authority ACL Rules
20.5.1. CA ACL Management from the Command Line
20.5.2. CA ACL Management from the Web UI
20.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
21. Managing Kerberos Flags and Principal Aliases
21.1. Kerberos Flags for Services and Hosts
21.1.1. Setting Kerberos Flags from the Web UI
21.1.2. Setting Kerberos Flags from the Command Line
21.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services
21.2.1. Kerberos Principal Alias
21.2.2. Kerberos Enterprise Principal Alias
22. Storing Authentication Secrets with Vaults
22.1. How Vaults Work
22.1.1. Vault Owners, Members, and Administrators
22.1.2. Standard, Symmetric, and Asymmetric Vaults
22.1.3. User, Service, and Shared Vaults
22.1.4. Vault Containers
22.2. Prerequisites for Using Vaults
22.3. Getting Help for Vault Commands
22.4. Storing a User's Personal Secret
22.4.1. Archiving a User's Personal Secret
22.4.2. Retrieving a User's Personal Secret
22.5. Storing a Service Secret in a Vault
22.5.1. Creating a User Vault to Store a Service Password
22.5.2. Provisioning a Service Password from a User Vault to Service Instances
22.5.3. Retrieving a Service Password for a Service Instance
22.5.4. Changing Service Vault Password
22.6. Storing a Common Secret for Multiple Users
22.6.1. Creating the Shared Vault with the Common Secret
22.6.2. Retrieving a Secret from a Shared Vault as a Member User
23. Integrating with NIS Domains and Netgroups
23.1. About NIS and Identity Management
23.2. Setting the NIS Port for Identity Management
23.3. Creating Netgroups
23.3.1. Adding Netgroups
23.3.1.1. With the Web UI
23.3.1.2. With the Command Line
23.3.2. Adding Netgroup Members
23.3.2.1. With the Web UI
23.3.2.2. With the Command Line
23.4. Exposing Automount Maps to NIS Clients
23.5. Migrating from NIS to IdM
23.5.1. Preparing Netgroup Entries in IdM
23.5.2. Enabling the NIS Listener in Identity Management
23.5.3. Exporting and Importing the Existing NIS Data
23.5.3.1. Importing User Entries
23.5.3.2. Importing Group Entries
23.5.3.3. Importing Host Entries
23.5.3.4. Importing Netgroup Entries
23.5.3.5. Importing Automount Maps
23.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
24. Managing DNS
24.1. BIND in Identity Management
24.2. Supported DNS Zone Types
24.3. DNS Configuration Priorities
24.4. Managing Master DNS Zones
24.4.1. Adding and Removing Master DNS Zones
24.4.2. Adding Additional Configuration for Master DNS Zones
24.4.3. Enabling Zone Transfers
24.4.4. Adding Records to DNS Zones
24.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line
24.4.6. Deleting Records from DNS Zones
24.4.7. Disabling and Enabling Zones
24.5. Managing Dynamic DNS Updates
24.5.1. Enabling Dynamic DNS Updates
24.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
24.5.1.2. Configuring the Clients to Send Dynamic Updates
24.5.2. Synchronizing A/AAAA and PTR Records
24.5.3. Updating DNS Dynamic Update Policies
24.6. Managing DNS Forwarding
24.6.1. Configuring Global Forwarders
24.6.2. Configuring Forward Zones
24.7. Managing Reverse DNS Zones
24.8. Defining DNS Query Policy
24.9. DNS Locations
24.9.1. DNS-based Service Discovery
24.9.2. Deployment Considerations for DNS Locations
24.9.2.1. DNS Time to Live (TTL)
24.9.3. Creating DNS Locations
24.9.4. Assigning an IdM Server to a DNS Location
24.10. Installing DNS Services Into an Existing Server
24.10.1. Setting up Additional Name Servers
IV. Defining Domain-wide System Policies
25. Using Automount
25.1. About Automount and IdM
25.2. Configuring Automount
25.2.1. Configuring NFS Automatically
25.2.2. Configuring autofs Manually to Use SSSD and Identity Management
25.2.3. Configuring Automount on Solaris
25.3. Setting up a Kerberos-aware NFS Server
25.3.1. Setting up a Kerberos-aware NFS Server
25.3.2. Setting up a Kerberos-aware NFS Client
25.4. Configuring Locations
25.4.1. Configuring Locations through the Web UI
25.4.2. Configuring Locations through the Command Line
25.5. Configuring Maps
25.5.1. Configuring Direct Maps
25.5.1.1. Configuring Direct Maps from the Web UI
25.5.1.2. Configuring Direct Maps from the Command Line
25.5.2. Configuring Indirect Maps
25.5.2.1. Configuring Indirect Maps from the Web UI
25.5.2.2. Configuring Indirect Maps from the Command Line
25.5.3. Importing Automount Maps
26. Defining Password Policies
26.1. What Are Password Policies and Why Are They Useful
26.2. How Password Policies Work in IdM
26.2.1. Supported Password Policy Attributes
26.2.2. Global and Group-specific Password Policies
26.2.3. Password Policy Priorities
26.3. Adding a New Password Policy
26.4. Modifying Password Policy Attributes
26.5. Changing Password Expiration Date with Immediate Effect
27. Managing the Kerberos Domain
27.1. Managing Kerberos Ticket Policies
27.1.1. Global and User-specific Kerberos Ticket Policies
27.1.2. Configuring the Global Kerberos Ticket Policy
27.1.3. Configuring User-specific Kerberos Ticket Policies
27.2. Rekeying Kerberos Principals
27.3. Protecting Keytabs
27.4. Removing Keytabs
27.5. Additional Resources
28. Using sudo
28.1. The sudo Utility in Identity Management
28.1.1. The Identity Management LDAP Schema for sudo
28.1.2. NIS Domain Name Requirements
28.2. sudo Rules in Identity Management
28.2.1. External Users and Hosts in sudo Rules
28.2.2. User Group Support for sudo Rules
28.2.3. Support for sudoers Options
28.3. Configuring the Location for Looking up sudo Policies
28.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
28.3.1.1. Applying the sudo Policies to Hosts Using SSSD
28.3.1.2. Applying the sudo Policies to Hosts Using LDAP
28.4. Adding sudo Commands, Command Groups, and Rules
28.4.1. Adding sudo Commands
28.4.2. Adding sudo Command Groups
28.4.3. Adding sudo Rules
28.5. Modifying sudo Commands and Command Groups
28.6. Modifying sudo Rules
28.7. Listing and Displaying sudo Commands, Command Groups, and Rules
28.8. Disabling and Enabling sudo Rules
28.9. Removing sudo Commands, Command Groups, and Rules
29. Configuring Host-Based Access Control
29.1. How Host-Based Access Control Works in IdM
29.2. Configuring Host-based Access Control in an IdM Domain
29.2.1. Creating HBAC Rules
29.2.2. Testing HBAC Rules
29.2.3. Disabling HBAC Rules
29.3. Adding HBAC Service Entries for Custom HBAC Services
29.4. Adding HBAC Service Groups
30. Defining SELinux User Maps
30.1. About Identity Management, SELinux, and Mapping Users
30.2. Configuring SELinux User Map Order and Defaults
30.2.1. In the Web UI
30.2.2. In the CLI
30.3. Mapping SELinux Users and IdM Users
30.3.1. In the Web UI
30.3.2. In the CLI
V. Configuring the Identity Management Server
31. Defining Access Control for IdM Users
31.1. Access Controls for IdM Entries
31.1.1. Access Control Methods in Identity Management
31.2. Defining Self-Service Settings
31.2.1. Creating Self-Service Rules from the Web UI
31.2.2. Creating Self-Service Rules from the Command Line
31.2.3. Editing Self-Service Rules
31.3. Delegating Permissions over Users
31.3.1. Delegating Access to User Groups in the Web UI
31.3.2. Delegating Access to User Groups in the Command Line
31.4. Defining Role-Based Access Controls
31.4.1. Roles
31.4.1.1. Creating Roles in the Web UI
31.4.1.2. Creating Roles in the Command Line
31.4.2. Permissions
31.4.2.1. Creating New Permissions from the Web UI
31.4.2.2. Creating New Permissions from the Command Line
31.4.2.3. Default Managed Permissions
31.4.2.4. Permissions in Earlier Versions of Identity Management
31.4.3. Privileges
31.4.3.1. Creating New Privileges from the Web UI
31.4.3.2. Creating New Privileges from the Command Line
32. Identity Management Files and Logs
32.1. A Reference of IdM Server Configuration Files and Directories
32.2. IdM Domain Services and Log Rotation
32.3. About default.conf and Context Configuration Files
32.4. Checking IdM Server Logs
32.4.1. Enabling Server Debug Logging
32.4.2. Debugging Command-Line Operations
33. Managing Certificates and Certificate Authorities
33.1. Lightweight Sub-CAs
33.1.1. Creating a Lightweight Sub-CA
33.1.2. Removing a Lightweight Sub-CA
33.2. Renewing Certificates
33.2.1. Renewing Certificates Automatically
33.2.2. Renewing CA Certificates Manually
33.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
33.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
33.3. Installing a CA Certificate Manually
33.4. Changing the Certificate Chain
33.5. Allowing IdM to Start with Expired Certificates
33.6. Installing Third-Party Certificates for HTTP or LDAP
33.7. Configuring OCSP Responders
33.7.1. Changing the CRL Update Interval
33.8. Installing a CA Into an Existing IdM Domain
33.9. Replacing the Web Server's and LDAP Server's Certificate
34. Disabling Anonymous Binds
35. Configuring TLS for Identity Management
35.1. Configuring the httpd Daemon
35.2. Configuring the Directory Server Component
35.3. Configuring the Certificate Server Component
35.4. Result
36. Migrating from an LDAP Directory to IdM
36.1. An Overview of an LDAP to IdM Migration
36.1.1. Planning the Client Configuration
36.1.1.1. Initial Client Configuration (Pre-Migration)
36.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
36.1.1.3. Alternative Supported Configuration
36.1.2. Planning Password Migration
36.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
36.1.2.2. Method 2: Using the Migration Web Page
36.1.2.3. Method 3: Using SSSD (Recommended)
36.1.2.4. Migrating Cleartext LDAP Passwords
36.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
36.1.3. Migration Considerations and Requirements
36.1.3.1. LDAP Servers Supported for Migration
36.1.3.2. Migration Environment Requirements
36.1.3.3. Migration — IdM System Requirements
36.1.3.4. Migration Tools
36.1.3.5. Improving Migration Performance
36.1.3.6. Migration Sequence
36.2. Examples for Using ipa migrate-ds
36.2.1. Migrating Specific Subtrees
36.2.2. Specifically Including or Excluding Entries
36.2.3. Excluding Entry Attributes
36.2.4. Setting the Schema to Use
36.3. Migrating an LDAP Server Identity Management
36.4. Migrating over SSL
A. Troubleshooting Identity Management
A.1. Identity Management Servers
A.1.1. External CA Installation Fails
A.1.2. named Daemon Fails to Start
A.1.3. Installing a Server Fails on a System with IPv6 Disabled
A.2. Identity Management Replicas
A.2.1. Authenticating AD Users Against a New Replica Fails
A.2.2. Replica Starts with SASL, GSS-API, and Kerberos Errors in the Directory Server Logs
A.2.3. The DNS forward Record Does Not Match the Reverse Address
A.2.4. Serial Numbers Not Found Errors
A.2.5. Cleaning Replica Update Vector (RUV) Errors
A.2.6. Recovering a Lost CA Server
A.3. Identity Management Clients
A.3.1. The Client Is Unable to Resolve Reverse Lookups when Using an External DNS
A.3.2. The Client Is Not Added to the DNS Zone
A.3.3. Client Connection Problems
A.4. Logging In and Authentication Problems
A.4.1. Kerberos GSS Failures When Running ipa Commands
A.4.2. Kerberos Authentication Not Working in the UI
A.4.3. SSH Connection Fails when Using GSS-API
A.4.4. OTP Token Out of Sync
B. Managing Replicas at Domain Level 0
B.1. Replica Information File
B.2. Creating Replicas
B.2.1. Installing a Replica without DNS
B.2.2. Installing a Replica with DNS
B.2.3. Installing a Replica with Various CA Configurations
B.2.4. Adding Additional Replication Agreements
B.3. Managing Replicas and Replication Agreements
B.3.1. Explaining Replication Agreements
B.3.2. Listing Replication Agreements
B.3.3. Creating and Removing Replication Agreements
B.3.4. Initiating a Manual Replication Update
B.3.5. Re-initializing a Replica
B.3.6. Removing a Replica
B.4. Promoting a Replica to a Master CA Server
B.4.1. Changing Which Server Handles Certificate Renewal
C. Revision History

Chapter 1. Introduction to Red Hat Identity Management

This chapter explains the purpose of Red Hat Identity Management. It also provides basic information about the Identity Management domain, including the client and server machines that are part of the domain.

1.1. The Goal of Red Hat Identity Management

Red Hat Identity Management (IdM) provides a centralized and unified way to manage identity stores, authentication, policies, and authorization policies in a Linux-based domain. IdM significantly reduces the administrative overhead of managing different services individually and using different tools on different machines.
IdM is one of the few centralized identity, policy, and authorization software solutions that support:
  • Advanced features of Linux operating system environments
  • Unifying large groups of Linux machines
  • Native integration with Active Directory
IdM creates a Linux-based and Linux-controlled domain:
  • IdM builds on existing, native Linux tools and protocols. It has its own processes and configuration, but its underlying technologies are well-established on Linux systems and trusted by Linux administrators.
  • IdM servers and clients are Red Hat Enterprise Linux machines. However, even though IdM does not support Windows clients directly, it allows integration with Active Directory environment.

    Note

    This guide describes using IdM in Linux environments only. For more information on integration with Active Directory, see the Windows Integration Guide.
    For information on the Samba suite, which allows integrating Linux machines into Active Directory environment, see the Using Samba, Kerberos, and Winbind chapter in the Windows Integration Guide.

1.1.1. Examples of Benefits Brought by IdM

Managing identities and policies with several Linux servers
Without IdM: Each server is administered separately. All passwords are saved on the local machines. The IT administrator manages users on every machine, sets authentication and authorization policies separately, and maintains local passwords.
With IdM: The IT administrator can:
  • Maintain the identities in one central place: the IdM server
  • Apply policies uniformly to multiples of machines at the same time
  • Set different access levels for users by using host-based access control, delegation, and other rules
  • Centrally manage privilege escalation rules
  • Define how home directories are mounted
Enterprise single sign-on
Without IdM: Users log in to the system and are prompted for a password every single time they access a service or application. These passwords might be different, and the users have to remember which credential to use for which application.
With IdM: After users log in to the system, they can access multiple services and applications without being repeatedly asked for their credentials. This helps:
  • Improve usability
  • Reduce the security risk of passwords being written down or stored insecurely
  • Boost user productivity
Managing a mixed Linux and Windows environment
Without IdM: Windows systems are managed in an Active Directory forest, but development, production, and other teams have many Linux systems. The Linux systems are excluded from the Active Directory environment.
With IdM: The IT administrator can:
  • Manage the Linux systems using native Linux tools
  • Integrate the Linux systems with the Windows systems, thus preserving a centralized user store
  • Expand the Linux base easily
  • Separate management of Linux and Active Directory machines and enable Linux and Windows admins to control their environment directly

1.1.2. Contrasting Identity Management with a Standard LDAP Directory

A standard LDAP directory, such as Red Hat Directory Server, is a general-purpose directory: it can be customized to fit a broad range of use cases.
  • Schema: a flexible schema that can be customized for a vast array of entries, such as users, machines, network entities, physical equipment, or buildings.
  • Typically used as: a back-end directory to store data for other applications, such as business applications that provide services on the Internet.
Identity Management (IdM) has a specific purpose: managing identities as well as authentication and authorization policies that relate to these identities.
  • Schema: a specific schema that defines a particular set of entries relevant to its purpose, such as entries for user or machine identities.
  • Typically used as: the identity and authentication server to manage identities within the boundaries of an enterprise or a project.
The underlying directory server technology is the same for both Red Hat Directory Server and IdM. However, IdM is optimized to manage identities. This limits its general extensibility, but also brings certain benefits: simpler configuration, better automation of resource management, and increased efficiency in managing identities.

Additional Resources

1.2. The Identity Management Domain

The Identity Management (IdM) domain consists of a group of machines that share the same configuration, policies, and identity stores. The shared properties allow the machines within the domain to be aware of each other and operate together.
From the perspective of IdM, the domain includes the following types of machines:
  • IdM servers, which work as domain controllers
  • IdM clients, which are enrolled with the servers
IdM servers are also IdM clients enrolled with themselves: server machines provide the same functionality as clients.
IdM supports Red Hat Enterprise Linux machines as the IdM servers and clients.

Note

This guide describes using IdM in Linux environments. For more information on integration with Active Directory, see the Windows Integration Guide.

1.2.1. Identity Management Servers

The IdM servers act as central repositories for identity and policy information. They also host the services used by domain members. IdM provides a set of management tools to manage all the IdM-associated services centrally: the IdM web UI and command-line utilities.
For information on installing IdM servers, see Chapter 2, Installing and Uninstalling an Identity Management Server.
To support redundancy and load balancing, the data and configuration can be replicated from one IdM server to another: a replica of the initial server. You can configure servers and their replicas to provide different services to clients. For more details on IdM replicas, see Chapter 4, Installing and Uninstalling Identity Management Replicas.

1.2.1.1. Services Hosted by IdM Servers

Most of the following services are not strictly required to be installed on the IdM server. For example, services such as a certificate authority (CA), a DNS server, or a Network Time Protocol (NTP) server can be installed on an external server outside the IdM domain.
Kerberos KDC
IdM uses the Kerberos protocol to support single sign-on. With Kerberos, the user only needs to present the correct user name and password once. Then the user can access IdM services without the system prompting for the credentials again.
LDAP directory server
IdM includes an internal LDAP directory server instance where it stores all the IdM information, such as information related to Kerberos, user accounts, host entries, services, policies, DNS, and others.
The LDAP directory server instance is based on the same technology as Red Hat Directory Server. However, it is tuned to IdM-specific tasks.

Note

This guide refers to this component as Directory Server.
Certificate authority
In most deployments, an integrated certificate authority (CA) is installed with the IdM server. You can also install the server without the integrated CA if you create and provide all required certificates independently.

Note

This guide refers to this component as Certificate System when addressing the implementation and as certificate authority when addressing the services provided by the implementation.
Domain Name System (DNS)
IdM uses DNS for dynamic service discovery. The IdM client installation utility can use information from DNS to automatically configure the client machine. After the client is enrolled in the IdM domain, it uses DNS to locate IdM servers and services within the domain.
Network Time Protocol
Many services require that servers and clients have the same system time, within a certain variance. For example, Kerberos tickets use time stamps to determine their validity and to prevent replay attacks. If the times between the server and client skew outside the allowed range, the Kerberos tickets are invalidated.
By default, IdM uses the Network Time Protocol (NTP) to synchronize clocks over a network. With NTP, a central server acts as an authoritative clock and the clients synchronize their times to match the server clock. The IdM server is configured as the NTP server for the IdM domain during the server installation process.

Note

Running an NTP server on an IdM server installed on a virtual machine can lead to inaccurate time synchronization in some environments. To avoid potential problems, do not run NTP on IdM servers installed on virtual machines. For more information on the reliability of an NTP server on a virtual machine, see this Knowledgebase solution.
The Identity Management Server: Unifying Services

Figure 1.1. The Identity Management Server: Unifying Services

1.2.2. Identity Management Clients

IdM clients are machines configured to operate within the IdM domain. They interact with the IdM servers to access domain resources. For example, they belong to the Kerberos domains configured on the servers, receive certificates and tickets issued by the servers, and use other centralized services for authentication and authorization.
An IdM client does not require dedicated client software to interact as a part of the domain. It only requires proper system configuration of certain services and libraries, such as Kerberos or DNS. This configuration directs the client machine to use IdM services.
For information on installing IdM clients, see Chapter 3, Installing and Uninstalling Identity Management Clients.

1.2.2.1. Services Hosted by IdM Clients

System Security Services Daemon
The System Security Services Daemon (SSSD) is a client-side application for caching credentials. Using SSSD on client machines is recommended because it simplifies the required client configuration. SSSD also provides additional features, for example:
  • Offline client authentication, ensured by caching credentials from centralized identity and authentication stores locally
  • Improved consistency of the authentication process, because it is not necessary to maintain both a central account and a local user account for offline authentication
  • Integration with other services, such as sudo
  • Host-based access control (HBAC) authorization
With SSSD, the IdM administrators can define all identity configuration centrally in the IdM server. Caching enables the local system to continue normal authentication operations if the IdM server becomes unavailable or if the client becomes offline.
For more information about SSSD, see the System-Level Authentication Guide. SSSD also supports Windows Active Directory (AD). For more information about using SSSD with AD, see the Windows Integration Guide.
certmonger
The certmonger service monitors and renews the certificates on the client. It can request new certificates for the services on the system.
For more information about certmonger, see the System-Level Authentication Guide.
Interactions Between IdM Services

Figure 1.2. Interactions Between IdM Services

Part I. Installing Identity Management

Table of Contents

2. Installing and Uninstalling an Identity Management Server
2.1. Prerequisites for Installing a Server
2.1.1. Hardware Recommendations
2.1.2. System Requirements
2.1.3. Host Name and DNS Configuration
2.1.4. Port Requirements
2.2. Packages Required to Install an IdM Server
2.3. Installing an IdM Server: Introduction
2.3.1. Determining Whether to Use Integrated DNS
2.3.2. Determining What CA Configuration to Use
2.3.3. Installing a Server with Integrated DNS
2.3.4. Installing a Server Without Integrated DNS
2.3.5. Installing a Server with an External CA as the Root CA
2.3.6. Installing Without a CA
2.3.7. Installing a Server Non-Interactively
2.4. Uninstalling an IdM Server
2.5. Renaming a Server
3. Installing and Uninstalling Identity Management Clients
3.1. Prerequisites for Installing a Client
3.2. Packages Required to Install a Client
3.3. Installing a Client
3.3.1. Installing a Client Interactively
3.3.2. Installing a Client Non-interactively
3.4. Setting up an IdM Client Through Kickstart
3.4.1. Pre-creating a Client Host Entry on the IdM Server
3.4.2. Creating a Kickstart File for the Client
3.5. Post-installation Considerations for Clients
3.5.1. Removing Pre-Identity Management Configuration
3.6. Testing the New Client
3.7. Uninstalling a Client
3.8. Re-enrolling a Client into the IdM Domain
3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
3.9. Renaming Client Machines
4. Installing and Uninstalling Identity Management Replicas
4.1. Explaining IdM Replicas
4.2. Deployment Considerations for Replicas
4.2.1. Distribution of Server Services in the Topology
4.2.2. Replica Topology Recommendations
4.2.2.1. Tight Cell Topology
4.3. Prerequisites for Installing a Replica
4.4. Packages Required to Install a Replica
4.5. Creating the Replica: Introduction
4.5.1. Promoting a Client to a Replica Using a Host Keytab
4.5.2. Installing a Replica Using a Random Password
4.5.3. Installing a Replica with DNS
4.5.4. Installing a Replica with a CA
4.5.5. Installing a Replica from a Server without a CA
4.6. Testing the New Replica
4.7. Uninstalling a Replica

Chapter 2. Installing and Uninstalling an Identity Management Server

An Identity Management (IdM) server is a domain controller: it defines and manages the IdM domain. To set set up an IdM server, you must:
  1. Install the necessary packages
  2. Configure the machine using setup scripts
Red Hat strongly recommends to set up multiple domain controllers within your domain for load balancing and redundancy. These additional servers are replicas of the initial master IdM server.
This chapter describes installing the first, initial IdM server. For information on installing a replica from the initial server, see Chapter 4, Installing and Uninstalling Identity Management Replicas.

2.1. Prerequisites for Installing a Server

2.1.1. Hardware Recommendations

RAM is the most important hardware feature to size properly. To determine how much RAM you require, consider these recommendations:
  • For 10,000 users and 100 groups: at least 2 GB of RAM and 1 GB swap space
  • For 100,000 users and 50,000 groups: at least 16 GB of RAM and 4 GB of swap space

Note

A basic user entry or a simple host entry with a certificate is approximately 5 - 10 KiB in size.
For larger deployments, it is more effective to increase the RAM than to increase disk space because much of the data is stored in cache.
To increase performance, you can tune the underlying Directory Server to increase performance. For details, see Optimizing System Performance in the Directory Server Performance Tuning Guide.

2.1.2. System Requirements

Identity Management 4.4 is supported on Red Hat Enterprise Linux 7. Install an IdM server on a clean system without any custom configuration for services such as DNS, Kerberos, or Directory Server.
The IdM server installation overwrites system files to set up the IdM domain. IdM backs up the original system files to /var/lib/ipa/sysrestore/.
FIPS requirements
Installing and running IdM in the Federal Information Processing Standard (FIPS) mode is not supported. Disable FIPS on your system before installing an IdM server, replica, or client, and do not enable it after the installation.
NSCD requirements
Red Hat recommends to disable the Name Service Cache Daemon (NSCD) on Identity Management machines. Alternatively, if disabling NSCD is not possible, only enable NSCD for maps that SSSD does not cache.
Both NSCD and the SSSD service perform caching, and problems can occur when systems use both services simultaneously. See the System-Level Authentication Guide for information on how to avoid conflicts between NSCD and SSSD.
IPv6 must be enabled on the system
Installing and running an IdM server requires IPv6 to be enabled on the network. Note that IPv6 is enabled by default on Red Hat Enterprise Linux 7 systems.
If you disabled IPv6 before, re-enable it as described in How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux? in Red Hat Knowledgebase.

2.1.3. Host Name and DNS Configuration

Warning

Be extremely cautious and ensure that:
  • you have a tested and functional DNS service available
  • the service is properly configured
This requirement applies to IdM servers with integrated DNS services as well as to IdM servers installed without DNS. DNS records are vital for nearly all IdM domain functions, including running LDAP directory services, Kerberos, and Active Directory integration.
Note that the primary DNS domain and Kerberos realm cannot be changed after the installation.
The server host must have DNS properly configured regardless of whether the DNS server is integrated within IdM or hosted externally.
Identity Management requires one separate DNS domain to be used for service records. To avoid conflicts on the DNS level, the primary DNS domain used for IdM cannot be shared with any other system.
Note that host names of IdM clients are not required to be part of the primary DNS domain.

Note

For information on configuring users to access an IdM client using a host name from the Active Directory DNS domain, while the client itself is joined to IdM, see IdM clients in an Active Directory DNS Domain in the Windows Integration Guide.

Verifying the Server Host Name

The host name must be a fully qualified domain name, such as server.example.com. To verify your machine's host name, use the hostname utility:
[root@server ~]# hostname
server.example.com
The output of hostname must not be localhost or localhost6.

Important

The fully qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed.
For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
The fully qualified domain name must not resolve to the loopback address. It must resolve to the machine's public IP address, not to 127.0.0.1.

Verifying the Forward and Reverse DNS Configuration

  1. Obtain the IP address of the server. The ip addr show command displays both the IPv4 and IPv6 addresses:
    • The IPv4 address is displayed on the line starting with inet. In the following example, the configured IPv4 address is 192.0.2.1.
    • The IPv6 address is displayed on the line starting with inet6. Only IPv6 addresses with scope global are relevant for this procedure. In the following example, the returned IPv6 address is 2001:DB8::1111.
    [root@server ~]# ip addr show
    ...
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    	link/ether 00:1a:4a:10:4e:33 brd ff:ff:ff:ff:ff:ff
    	inet 192.0.2.1/24 brd 192.0.2.255 scope global dynamic eth0
    		valid_lft 106694sec preferred_lft 106694sec
    	inet6 2001:DB8::1111/32 scope global dynamic 
     		valid_lft 2591521sec preferred_lft 604321sec
    	inet6 fe80::56ee:75ff:fe2b:def6/64 scope link 
    	       valid_lft forever preferred_lft forever
    
  2. Verify the forward DNS configuration by using the dig utility and adding the host name.
    1. Run the dig +short server.example.com A command. The returned IPv4 address must match the IP address returned by ip addr show:
      [root@server ~]# dig +short server.example.com A
      192.0.2.1
      
    2. Run the dig +short server.example.com AAAA command. If the command returns an address, it must match the IPv6 address returned by ip addr show:
      [root@server ~]# dig +short server.example.com AAAA
      2001:DB8::1111
      

      Note

      If no output is returned for the AAAA record, it does not indicate incorrect configuration; no output only means that no IPv6 address is configured in DNS for the server machine. If you do not intend to use the IPv6 protocol in your network, you can proceed with the installation in this situation.
  3. Verify the reverse DNS configuration (PTR records) by using the dig utility and adding the IP address.
    1. Run the dig +short -x IPv4 address command. The server host name must be displayed in the command output. For example:
      [root@server ~]# dig +short -x 192.0.2.1
      server.example.com
      
    2. Use dig to query the IPv6 address as well if the dig +short -x server.example.com AAAA command in the previous step returned an IPv6 address. Again, the server host name must be displayed in the command output. For example:
      [root@server ~]# dig +short -x 2001:DB8::1111
      server.example.com
      

      Note

      If dig +short server.example.com AAAA in the previous step did not display any IPv6 address, querying the AAAA record does not output anything. In this case, this is normal behavior and does not indicate incorrect configuration.
    If a different host name or no host name is displayed, even though dig +short server.example.com in the previous step returned an IP address, it indicates that the reverse DNS configuration is incorrect.

Verifying the Standards-compliance of DNS Forwarders

When configuring IdM with integrated DNS, verify that all DNS forwarders you want to use with the IdM DNS server comply with the Extension Mechanisms for DNS (EDNS0) and DNS Security Extensions (DNSSEC) standards. To do this, inspect the output of the following command for each forwarder separately:
$ dig +dnssec @IP_address_of_the_DNS_forwarder . SOA
The expected output displayed by the command contains the following information:
  • status: NOERROR
  • flags: ra
  • EDNS flags: do
  • The RRSIG record must be present in the ANSWER section
If any of these items is missing from the output, inspect the documentation of your DNS forwarder and verify that EDNS0 and DNSSEC are supported and enabled. In latest versions of the BIND server, the dnssec-enable yes; option must be set in the /etc/named.conf file.
For example, the expected output can look like this:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48655
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; ANSWER SECTION:
. 31679 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015100701 1800 900 604800 86400
. 31679 IN RRSIG SOA 8 0 86400 20151017170000 20151007160000 62530 . GNVz7SQs [...]

The /etc/hosts File

Important

Do not modify the /etc/hosts file manually. If /etc/hosts has been modified, make sure its contents conform to the following rules.
The following is an example of a correctly configured /etc/hosts file. It properly lists the IPv4 and IPv6 localhost entries for the host, followed by the IdM server IP address and host name as the first entry. Note that the IdM server host name cannot be part of the localhost entry.
127.0.0.1	localhost.localdomain	localhost
::1		localhost6.localdomain6	localhost6
192.0.2.1	server.example.com	server
2001:DB8::1111	server.example.com	server

2.1.4. Port Requirements

IdM uses a number of ports to communicate with its services. These ports must be open and available for IdM to work. They cannot be in use by another service or blocked by a firewall.

List of Required Ports

Table 2.1. Identity Management Ports

Service Ports Protocol
HTTP/HTTPS 80, 443 TCP
LDAP/LDAPS 389, 636 TCP
Kerberos 88, 464 TCP and UDP
DNS 53 TCP and UDP
NTP 123 UDP

Note

Do not be concerned that IdM uses ports 80 and 389.
  • Port 80 (HTTP) is used to provide Online Certificate Status Protocol (OCSP) responses and Certificate Revocation Lists (CRL). Both are digitally signed and therefore secured against man-in-the-middle attacks.
  • Port 389 (LDAP) uses STARTTLS and GSSAPI for encryption.
In addition, IdM can listen on port 8080 and in some installations also on ports 8443 and 749. However, these three ports are only used internally: even though IdM keeps them open, they are not required to be accessible from outside. It is recommended that you do not open ports 8080, 8443, and 749 and instead leave them blocked by a firewall.

List of firewalld Services

Table 2.2. firewalld Services

Service name For details, see:
freeipa-ldap /usr/lib/firewalld/services/freeipa-ldap.xml
freeipa-ldaps /usr/lib/firewalld/services/freeipa-ldaps.xml
dns /usr/lib/firewalld/services/dns.xml

Opening the Required Ports

  1. Make sure the firewalld service is running.
    • To find out if firewalld is currently running:
      # systemctl status firewalld.service
    • To start firewalld and configure it to start automatically when the system boots:
      # systemctl start firewalld.service
      # systemctl enable firewalld.service
  2. Open the required ports using the firewall-cmd utility. Choose one of the following options:
    1. Add the individual ports to the firewall by using the firewall-cmd --add-port command. For example, to open the ports in the default zone:
      # firewall-cmd --permanent --add-port={80/tcp,443/tcp,list_of_ports}
    2. Add the firewalld services to the firewall by using the firewall-cmd --add-service command. For example, to open the ports in the default zone:
      # firewall-cmd --permanent --add-service={freeipa-ldap,list_of_services}
    For details on using firewall-cmd to open ports on a system, see the Security Guide or the firewall-cmd(1) man page.
  3. Reload the firewall-cmd configuration to ensure that the change takes place immediately:
    # firewall-cmd --reload
  4. Optional. To verify that the ports are available now, use the nc, telnet, or nmap utilities to connect to a port or run a port scan.

2.2. Packages Required to Install an IdM Server

To install the packages required for a server without integrated DNS services:
# yum install ipa-server
To install the packages required for a server with integrated DNS services:
# yum install ipa-server ipa-server-dns

Note

To determine whether DNS is right for your use case, see Section 2.3.1, “Determining Whether to Use Integrated DNS”.
The ipa-server packages automatically installs other required packages as dependencies, such as:
  • 389-ds-base for the Directory Server LDAP service
  • krb5-server package for the Kerberos service
  • various IdM-specific tools

2.3. Installing an IdM Server: Introduction

Note

The installation procedures and examples in the following sections are not mutually exclusive: you can combine them to achieve the required result. For example, you can install a server with integrated DNS and with an externally hosted root CA.
The ipa-server-install utility installs and configures an IdM server.
Before installing a server, see these sections:
The ipa-server-install utility provides a non-interactive installation mode which allows automated and unattended server setup. For details, see Section 2.3.7, “Installing a Server Non-Interactively”
The ipa-server-install installation script creates a log file at /var/log/ipaserver-install.log. If the installation fails, the log can help you identify the problem.

2.3.1. Determining Whether to Use Integrated DNS

IdM supports installing a server with integrated DNS or without integrated DNS.
An IdM server with integrated DNS services
The integrated DNS server provided by IdM is not designed to be used as a general-purpose DNS server. It only supports features related to IdM deployment and maintenance. It does not support some of the advanced DNS features.
Red Hat strongly recommends IdM-integrated DNS for basic usage within the IdM deployment: When the IdM server also manages DNS, there is tight integration between DNS and native IdM tools which enables automating some of the DNS record management.
Note that even if an IdM server is used as a master DNS server, other external DNS servers can still be used as slave servers.
For example, if your environment is already using another DNS server, such as an Active Directory-integrated DNS server, you can delegate only the IdM primary domain to the IdM-integrated DNS. You are not required to migrate DNS zones over to the IdM-integrated DNS.
To install a server with integrated DNS, see Section 2.3.3, “Installing a Server with Integrated DNS”
An IdM server without integrated DNS services
An external DNS server is used to provide the DNS services. Consider installing an IdM server without DNS in these situations:
  • If you require advanced DNS features beyond the scope of the IdM DNS
  • In environments with a well-established DNS infrastructure which allows you to use external DNS servers
To install a server without integrated DNS, see Section 2.3.4, “Installing a Server Without Integrated DNS”

Important

Make sure your system meets the DNS requirements described in Section 2.1.3, “Host Name and DNS Configuration”.

Maintenance Requirements for Integrated or External DNS

When using an integrated DNS server, most of the DNS record maintenance is automated. You only must:
  • set up correct delegation from the parent domain to the IdM servers
    For example, if the IdM domain name is ipa.example.com, it must be properly delegated from the example.com domain.

    Note

    You can verify the delegation using the following command:
    # dig @IP_address +norecurse +short ipa.example.com. NS
    IP_address is the IP address of the server that manages the example.com DNS domain. If the delegation is correct, the command lists the IdM servers that have a DNS server installed.
When using an external DNS server, you must:
  • manually create the new domain on the DNS server
  • fill the new domain manually with records from the zone file that is generated by the IdM installer
  • manually update the records after installing or removing a replica, as well as after any changes in the service configuration, such as after an Active Directory trust is configured

Preventing DNS Amplification Attacks

The default configuration of the IdM-integrated DNS server allows all clients to issue recursive queries to the DNS server. If your server is deployed in a network with an untrusted client, change the server's configuration to limit recursion to authorized clients only. [1]
To ensure that only authorized clients are allowed to issue recursive queries, add the appropriate access control list (ACL) statements to the /etc/named.conf file on your server. For example:
acl authorized { 192.0.2.0/24; 198.51.100.0/24; };
options {
  allow-query { any; };
  allow-recursion { authorized; };
};

2.3.2. Determining What CA Configuration to Use

IdM supports installing a server with an integrated IdM certificate authority (CA) or without a CA.
Server with an integrated IdM CA
This is the default configuration suitable for most deployments. Certificate System uses a CA signing certificate to create and sign the certificates in the IdM domain.

Warning

Red Hat strongly recommends to keep the CA services installed on more than one server. For information on installing a replica of the initial server including the CA services, see Section 4.5.4, “Installing a Replica with a CA”.
If you install the CA on only one server, you risk losing the CA configuration without a chance of recovery if the CA server fails. See Section A.2.6, “Recovering a Lost CA Server” for details.
The CA signing certificate must signed by a root CA, which is the highest CA in the CA hierarchy. The root CA can be the IdM CA itself or an externally-hosted CA.
The IdM CA is the root CA
This is the default configuration.
An external CA is the root CA
The IdM CA is subordinate to an external CA. However, all certificates for the IdM domain are still issued by the Certificate System instance.
The external CA can be a corporate CA or a third-party CA, such as Verisign or Thawte. The certificates issued within the IdM domain are potentially subject to restrictions set by the external root CA for attributes like the validity period.
To install a server with an externally-hosted root CA, see Section 2.3.5, “Installing a Server with an External CA as the Root CA”
Server without a CA
This configuration options is suitable for very rare cases when restrictions within the infrastructure do not allow to install certificate services with the server.
You must request these certificates from a third-party authority prior to the installation:
  • An LDAP server certificate and a private key
  • An Apache server certificate and a private key
  • Full CA certificate chain of the CA that issued the LDAP and Apache server certificates
Managing certificates without the integrated IdM CA presents a significant maintenance burden. Most notably:
  • Creating, uploading, and renewing certificates is a manual process.
  • The certmonger service is not used to track certificates. Therefore, it does not warn you of impending certificate expiration.
To install a server without an integrated CA, see Section 2.3.6, “Installing Without a CA”

2.3.3. Installing a Server with Integrated DNS

Note

To install a server with integrated DNS, you must provide the following information during the installation process:
DNS forwarders
The following DNS forwarder settings are supported:
  • one or more forwarders (the --forwarder option in non-interactive installation)
  • no forwarders (the --no-forwarders option in non-interactive installation)
If you are unsure whether to use DNS forwarding, see Section 24.6, “Managing DNS Forwarding”.
Reverse DNS zones
The following reverse DNS zone settings are supported:
  • automatic detection of the reverse zones that need to be created in IdM DNS (the default setting in interactive installation, the --auto-reverse option in non-interactive installation)
  • no reverse zone auto-detection (the --no-reverse option in interactive installation)
For non-interactive installation, add the --setup-dns option as well.

Example 2.1. Installing a Server with Integrated DNS

This procedure installs a server:
  • with integrated DNS
  • with integrated IdM CA as the root CA, which is the default CA configuration
  1. Run the ipa-server-install option.
    # ipa-server-install
  2. The script prompts to configure an integrated DNS service. Enter yes.
    Do you want to configure integrated DNS (BIND)? [no]: yes
  3. The script prompts for several required settings.
    • To accept the default values in brackets, press Enter.
    • To provide a value different than the proposed default value, enter the required value.
    Server host name [server.example.com]:
    Please confirm the domain name [example.com]:
    Please provide a realm name [EXAMPLE.COM]:

    Warning

    Red Hat strongly recommends that the Kerberos realm name is the same as the primary DNS domain name, with all letters uppercase. For example, if the primary DNS domain is ipa.example.com, use IPA.EXAMPLE.COM for the Kerberos realm name.
    Different naming practices will prevent you from using Active Directory trusts and can have other negative consequences.
  4. Enter the passwords for the Directory Server superuser, cn=Directory Manager, and for the admin IdM system user account.
    Directory Manager password:
    IPA admin password:
  5. The script prompts for DNS forwarders.
    Do you want to configure DNS forwarders? [yes]:
    • To configure DNS forwarders, enter yes, and then follow the instructions on the command line.
      The installation process will add the forwarder IP addresses to the /etc/named.conf file on the installed IdM server.
    • If you do not want to use DNS forwarding, enter no.
  6. The script prompts to check if any DNS reverse (PTR) records for the IP addresses associated with the server need to be configured.
    Do you want to search for missing reverse zones? [yes]:
    If you run the search and missing reverse zones are discovered, the script asks you whether to create the reverse zones along with the PTR records.
    Do you want to create reverse zone for IP 192.0.2.1 [yes]: 
    Please specify the reverse zone name [2.0.192.in-addr.arpa.]: 
    Using reverse zone(s) 2.0.192.in-addr.arpa.

    Note

    Using IdM to manage reverse zones is optional. You can use an external DNS service for this purpose instead.
  7. Enter yes to confirm the server configuration.
    Continue to configure the system with these values? [no]: yes
  8. The installation script now configures the server. Wait for the operation to complete.
  9. Add DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is ipa.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    This step must be repeated each time an IdM DNS server is installed.
The script recommends you to back up the CA certificate and to make sure the required network ports are open. For information about IdM port requirements and instructions on how to open these ports, see Section 2.1.4, “Port Requirements”.
To test the new server:
  1. Authenticate to the Kerberos realm using the admin credentials. This verifies that admin is properly configured and the Kerberos realm is accessible.
    # kinit admin
  2. Run a command such as ipa user-find. On a new server, the command prints the only configured user: admin.
    # ipa user-find admin
    --------------
    1 user matched
    --------------
    User login: admin 
    Last name: Administrator 
    Home directory: /home/admin 
    Login shell: /bin/bash 
    UID: 939000000 
    GID: 939000000 
    Account disabled: False 
    Password: True 
    Kerberos keys available: True 
    ----------------------------
    Number of entries returned 1
    ----------------------------

2.3.4. Installing a Server Without Integrated DNS

Note

To install a server without integrated DNS, run the ipa-server-install utility without any DNS-related options.

Example 2.2. Installing a Server Without Integrated DNS

This procedure installs a server:
  • without integrated DNS
  • with integrated IdM CA as the root CA, which is the default CA configuration
  1. Run the ipa-server-install utility.
    # ipa-server-install
  2. The script prompts to configure an integrated DNS service. Press Enter to select the default no option.
    Do you want to configure integrated DNS (BIND)? [no]:
  3. The script prompts for several required settings.
    • To accept the default values in brackets, press Enter.
    • To provide a value different than the proposed default value, enter the required value.
    Server host name [server.example.com]:
    Please confirm the domain name [example.com]:
    Please provide a realm name [EXAMPLE.COM]:

    Warning

    Red Hat strongly recommends that the Kerberos realm name is the same as the primary DNS domain name, with all letters uppercase. For example, if the primary DNS domain is ipa.example.com, use IPA.EXAMPLE.COM for the Kerberos realm name.
    Different naming practices will prevent you from using Active Directory trusts and can have other negative consequences.
  4. Enter the passwords for the Directory Server superuser, cn=Directory Manager, and for the admin IdM system user account.
    Directory Manager password:
    IPA admin password:
  5. Enter yes to confirm the server configuration.
    Continue to configure the system with these values? [no]: yes
  6. The installation script now configures the server. Wait for the operation to complete.
  7. The installation script produces a file with DNS resource records: the /tmp/ipa.system.records.UFRPto.db file in the example output below. Add these records to the existing external DNS servers. The process of updating the DNS records varies depending on the particular DNS solution.
    ...
    Restarting the KDC
    Please add records in this file to your DNS system: /tmp/ipa.system.records.UFRBto.db
    Restarting the web server
    ...

    Important

    The server installation is not complete until you add the DNS records to the existing DNS servers.
The script recommends you to back up the CA certificate and to make sure the required network ports are open. For information about IdM port requirements and instructions on how to open these ports, see Section 2.1.4, “Port Requirements”.
To test the new server:
  1. Authenticate to the Kerberos realm using the admin credentials. This verifies that admin is properly configured and the Kerberos realm is accessible.
    # kinit admin
  2. Run a command such as ipa user-find. On a new server, the command prints the only configured user: admin.
    # ipa user-find admin
    --------------
    1 user matched
    --------------
    User login: admin 
    Last name: Administrator 
    Home directory: /home/admin 
    Login shell: /bin/bash 
    UID: 939000000 
    GID: 939000000 
    Account disabled: False 
    Password: True 
    Kerberos keys available: True 
    ----------------------------
    Number of entries returned 1
    ----------------------------

2.3.5. Installing a Server with an External CA as the Root CA

Note

To install a server and chain it with an external CA as the root CA, pass these options with the ipa-server-install utility:
  • --external-ca specifies that you want to use an external CA.
  • --external-ca-type specifies the type of the external CA. See the ipa-server-install(1) man page for details.
During the configuration of the Certificate System instance, the utility prints the location of the certificate signing request (CSR): /root/ipa.csr:
...

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as: /sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
When this happens:
  1. Submit the CSR located in /root/ipa.csr to the external CA. The process differs depending on the service to be used as the external CA.

    Important

    It might be necessary to request the appropriate extensions for the certificate. The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint be set to CA=true or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
  2. Retrieve the issued certificate and the CA certificate chain for the issuing CA in a base 64-encoded blob (either a PEM file or a Base_64 certificate from a Windows CA). Again, the process differs for every certificate service. Usually, a download link on a web page or in the notification email allows the administrator to download all the required certificates.

    Important

    Be sure to get the full certificate chain for the CA, not just the CA certificate.
  3. Run ipa-server-install again, this time specifying the locations and names of the newly-issued CA certificate and the CA chain files. For example:
    # ipa-server-install --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem

Note

The ipa-server-install --external-ca command can sometimes fail with the following error:
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/configuration_file' returned non-zero exit status 1
Configuration of CA failed
This failure occurs when the *_proxy environmental variables are set. For a solution on how to fix this problem, see Section A.1.1, “External CA Installation Fails”

2.3.6. Installing Without a CA

Note

To install a server without a CA, you must provide the required certificates manually by adding options to the ipa-server-install utility. Other than that, most of the installation procedure is the same as in Section 2.3.3, “Installing a Server with Integrated DNS” or Section 2.3.4, “Installing a Server Without Integrated DNS”.

Important

You cannot install a server or replica using self-signed third-party server certificates.
To provide the LDAP server certificate and private key:
  • --dirsrv-cert-file for the certificate and private key files for the LDAP server certificate
  • --dirsrv-pin for the password to access the private key in the files specified in --dirsrv-cert-file
To provide the Apache server certificate and private key:
  • --http-cert-file for the certificate and private key files for the Apache server certificate
  • --http-pin for the password to access the private key in the files specified in --http-cert-file
To provide the full CA certificate chain of the CA that issued the LDAP and Apache server certificates:
  • --dirsrv-cert-file and --http-cert-file for the certificate files with the full CA certificate chain or a part of it
    You can add these options multiple times. They accept:
    • PEM-encoded and DER-encoded X.509 certificate files
    • PKCS#1 and PKCS#8 private key files
    • PKCS#7 certificate chain files
    • PKCS#12 files
    The files provided using --dirsrv-cert-file and --http-cert-file must contain exactly one server certificate and exactly one private key. The contents of the files provided using --dirsrv-cert-file and --http-cert-file are often identical.
  • If necessary, add --ca-cert-file for the certificate files to complete the full CA certificate chain.
    You can add this option multiple times. It accepts:
    • PEM-encoded and DER-encoded X.509 certificate files
    • PKCS#7 certificate chain files
    The files provided using --dirsrv-cert-file and --http-cert-file combined with the files provided using --ca-cert-file must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.
For example:
[root@server ~]# ipa-server-install \
    --http-cert-file /tmp/server.crt \
    --http-cert-file /tmp/server.key \
    --http-pin secret \
    --dirsrv-cert-file /tmp/server.crt \
    --dirsrv-cert-file /tmp/server.key \
    --dirsrv-pin secret \
    --ca-cert-file ca.crt
Note that the command-line options in this section are incompatible with the --external-ca option.

Note

Earlier versions of Identity Management used the --root-ca-file option to specify the PEM file of the root CA certificate. This is no longer necessary because the trusted CA is always the issuer of the DS and HTTP server certificates. IdM now automatically recognizes the root CA certificate from the certificates specified by --dirsrv-cert-file, --http-cert-file, and --ca-cert-file.

2.3.7. Installing a Server Non-Interactively

Note

The minimum required options for a non-interactive installation are:
  • --ds-password to provide the password for the Directory Manager (DM), the Directory Server super user
  • --admin-password to provide the password for admin, the IdM administrator
  • --realm to provide the Kerberos realm name
  • --unattended to let the installation process select default options for the host name and domain name
    Optionally, you can provide custom values for these settings:
    • --hostname for the server host name
    • --domain for the domain name

Warning

Red Hat strongly recommends that the Kerberos realm name is the same as the primary DNS domain name, with all letters uppercase. For example, if the primary DNS domain is ipa.example.com, use IPA.EXAMPLE.COM for the Kerberos realm name.
Different naming practices will prevent you from using Active Directory trusts and can have other negative consequences.
For a complete list of options accepted by ipa-server-install, run the ipa-server-install --help command.

Example 2.3. Basic Installation without Interaction

  1. Run the ipa-server-install utility, providing the required settings. For example, the following installs a server without integrated DNS and with an integrated CA:
    # ipa-server-install --realm EXAMPLE.COM --ds-password DM_password --admin-password admin_password --unattended
  2. The setup script now configures the server. Wait for the operation to complete.
  3. The installation script produces a file with DNS resource records: the /tmp/ipa.system.records.UFRPto.db file in the example output below. Add these records to the existing external DNS servers. The process of updating the DNS records varies depending on the particular DNS solution.
    ...
    Restarting the KDC
    Please add records in this file to your DNS system: /tmp/ipa.system.records.UFRBto.db
    Restarting the web server
    ...

    Important

    The server installation is not complete until you add the DNS records to the existing DNS servers.
The script recommends you to back up the CA certificate and to make sure the required network ports are open. For information about IdM port requirements and instructions on how to open these ports, see Section 2.1.4, “Port Requirements”.
To test the new server:
  1. Authenticate to the Kerberos realm using the admin credentials. This verifies that admin is properly configured and the Kerberos realm is accessible.
    # kinit admin
  2. Run a command such as ipa user-find. On a new server, the command prints the only configured user: admin.
    # ipa user-find admin
    --------------
    1 user matched
    --------------
    User login: admin 
    Last name: Administrator 
    Home directory: /home/admin 
    Login shell: /bin/bash 
    UID: 939000000 
    GID: 939000000 
    Account disabled: False 
    Password: True 
    Kerberos keys available: True 
    ----------------------------
    Number of entries returned 1
    ----------------------------

2.4. Uninstalling an IdM Server

Note

At domain level 0, the procedure is different. See Section B.3.6, “Removing a Replica”.
To uninstall server.example.com:
  1. On another server, use the ipa server-del command to delete server.example.com from the topology:
    [root@another_server ~]# ipa server-del server.example.com
  2. On server.example.com, use the ipa-server-install --uninstall command:
    [root@server ~]# ipa-server-install --uninstall
  3. Make sure all name server (NS) DNS records pointing to server.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS.

2.5. Renaming a Server

It is not possible to change the host name of an IdM server after it was set up. However, you can replace the server with a replica with a different name.
  1. Create a new replica of the server, with a CA and with the new required host name or IP address. This is described in Chapter 4, Installing and Uninstalling Identity Management Replicas.
  2. Stop the initial IdM server instance.
    [root@old_server ~]# ipactl stop
  3. Verify that all other replicas and clients are working as before.
  4. Uninstall the initial IdM server, as described in Section 2.4, “Uninstalling an IdM Server”


[1] For details, see the DNS Amplification Attacks page.

Chapter 3. Installing and Uninstalling Identity Management Clients

This chapter explains how to configure a system to join an Identity Management (IdM) domain as a client machine enrolled with a server.

Note

See Section 1.2, “The Identity Management Domain” for details on clients and servers in the IdM domain.

3.1. Prerequisites for Installing a Client

DNS requirements
Employ proper DNS delegation. For details on DNS requirements in IdM, see Section 2.1.3, “Host Name and DNS Configuration”.
Do not alter the resolv.conf file on clients.
Port requirements
IdM clients connect to a number of ports on IdM servers to communicate with their services. These ports must be open on the IdM servers to work. For more information on which ports IdM requires, see Section 2.1.4, “Port Requirements”.
On a client, open these ports in the outgoing direction. If you are using a firewall that does not filter outgoing packets, such as firewalld, the ports are already available in the outgoing direction.
FIPS requirements
Installing and running IdM in the Federal Information Processing Standard (FIPS) mode is not supported. Disable FIPS on your system before installing an IdM server, replica, or client, and do not enable it after the installation.
NSCD requirements
Red Hat recommends to disable the Name Service Cache Daemon (NSCD) on Identity Management machines. Alternatively, if disabling NSCD is not possible, only enable NSCD for maps that SSSD does not cache.
Both NSCD and the SSSD service perform caching, and problems can occur when systems use both services simultaneously. See the System-Level Authentication Guide for information on how to avoid conflicts between NSCD and SSSD.

3.2. Packages Required to Install a Client

Install the ipa-client package:
# yum install ipa-client
The ipa-client package automatically installs other required packages as dependencies, such as the System Security Services Daemon (SSSD) packages.
To be able to manage the IdM domain from the client machine, install the ipa-admintools package as well. The package installs command-line tools for IdM administrators. If you want to use the client machine as a regular client system, ipa-admintools is not necessary.

3.3. Installing a Client

The ipa-client-install utility installs and configures an IdM client. The installation process requires you to provide credentials that can be used to enroll the client. The following authentication methods are supported:
Credentials of a user authorized to enroll clients, such as admin
By default, ipa-client-install expects this option. See Section 3.3.1, “Installing a Client Interactively” for an example.
To provide the user credentials directly to ipa-client-install, use the --principal and --password options.
A random, one-time password pre-generated on the server
To use this authentication method, add the --random option to ipa-client-install option. See Example 3.1, “Installing a Client Non-interactively Using a Random Password”.
A principal from a previous enrollment
To use this authentication method, add the --keytab option to ipa-client-install. See Section 3.8, “Re-enrolling a Client into the IdM Domain” for details.
See the ipa-client-install(1) man page for details.
The following sections document basic installation scenarios. For more details on using ipa-client-install and a complete list of the accepted options, see the ipa-client-install(1) man page.

3.3.1. Installing a Client Interactively

The following procedure installs a client while prompting the user for input when required. The user provides credentials of a user authorized to enroll clients into the domain, such as the admin user.
  1. Run the ipa-client-install utility.
    Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
    • the IdM server the client will be enrolled with was installed with integrated DNS
    • the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
    Add the --no-krb5-offline-passwords to disable storing Kerberos passwords in the SSSD cache.
  2. The installation script attempts to obtain all the required settings automatically.
    1. If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the required values and prints them. Enter yes to confirm.
      Client hostname: client.example.com
      Realm: EXAMPLE.COM
      DNS Domain: example.com
      IPA Server: server.example.com
      BaseDN: dc=example,dc=com
      
      Continue to configure the system with these values? [no]: yes
      If you want to install the system with different values, cancel the current installation. Then run ipa-client-install again, and specify the required values using command-line options.
      For details, see the DNS Autodiscovery section in the ipa-client-install(1) man page.
    2. If the script fails to obtain some settings automatically, it prompts you for the values.

      Important

      The fully qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed.
      For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
  3. The script prompts for a user whose identity will be used to enroll the client. By default, this is the admin user:
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM
  4. The installation script now configures the client. Wait for the operation to complete.
    Client configuration complete.
  5. Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 25.2.1, “Configuring NFS Automatically” for details.

3.3.2. Installing a Client Non-interactively

For a non-interactive installation, provide all required information to the ipa-client-install utility using command-line options. The minimum required options for a non-interactive installation are:
  • options for specifying the credentials that will be used to enroll the client; see Section 3.3, “Installing a Client” for details
  • --unattended to let the installation run without requiring user confirmation
If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options.
  • --hostname to specify a static host name for the client machine

    Important

    The fully qualified domain name must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed.
    For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
  • --server to specify the host name of the IdM server the client will be enrolled with
  • --domain to specify the DNS domain name of the IdM server the client will be enrolled with
  • --realm to specify the Kerberos realm name
Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
  • the IdM server the client will be enrolled with was installed with integrated DNS
  • the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
Add the --no-krb5-offline-passwords to disable storing Kerberos passwords in the SSSD cache.
For a complete list of options accepted by ipa-client-install, see the ipa-client-install(1) man page.

Example 3.1. Installing a Client Non-interactively Using a Random Password

This procedure installs a client without prompting the user for any input. The process includes pre-generating a random one-time password on the server that is used to authorize the enrollment.
  1. On an existing server:
    1. Log in as the administrator:
      $ kinit admin
    2. Add the new machine as an IdM host. Use the --random option with the ipa host-add command to generate the random password.
      $ ipa host-add client.example.com --random
      --------------------------------------------------
      Added host "client.example.com"
      --------------------------------------------------
        Host name: client.example.com
        Random password: W5YpARl=7M.n
        Password: True
        Keytab: False
        Managed by: server.example.com
      The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.
  2. On the machine where you want to install the client, run ipa-client-install, and use these options:
    • --password for the random password from the ipa host-add output

      Note

      The password often contains special characters. Therefore, enclose it in single quotes (').
    • --unattended to let the installation run without requiring user confirmation
    If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options.
    For example:
    # ipa-client-install --password 'W5YpARl=7M.n' --domain d-abc.idm.lab.eng.brq.redhat.com --server vm-058-105.abc.idm.lab.eng.brq.redhat.com --unattended
  3. Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 25.2.1, “Configuring NFS Automatically” for details.

3.4. Setting up an IdM Client Through Kickstart

A Kickstart enrollment automatically adds a new system to the IdM domain at the time Red Hat Enterprise Linux is installed. For details on Kickstart, see Kickstart Installations in the Installation Guide.
Preparing for a Kickstart client installation includes these steps:

3.4.1. Pre-creating a Client Host Entry on the IdM Server

  1. Log in as admin:
    $ kinit admin
  2. Create the host entry on the IdM server, and set a temporary password for the entry:
    $ ipa host-add client.example.com --password=secret
    The password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.

3.4.2. Creating a Kickstart File for the Client

A Kickstart file used to set up an IdM client must include the following:
  • The ipa-client package in the list of packages to be installed:
    %packages
    @ X Window System
    @ Desktop
    @ Sound and Video
    ipa-client
    ...
    See Package Selection in the Installation Guide for details.
  • Post-installation instructions that:
    • ensure SSH keys are generated before enrollment
    • runs the ipa-client-install utility, specifying:
      For example:
      %post --log=/root/ks-post.log
      
      # Generate SSH keys to ensure that ipa-client-install uploads them to the IdM server
      /usr/sbin/sshd-keygen
      
      # Run the client install script
      /usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
    For a non-interactive installation, add also the --unattended option.
    To let the client installation script request a certificate for the machine:
    • Add the --request-cert option to ipa-client-install.
    • Set the system bus address to /dev/null for both the getcert and ipa-client-install utility in the kickstart chroot environment. To do this, add these lines to the post-installation instruction file before the ipa-client-install instruction:
      # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list
      # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install

    Note

    Red Hat recommends not to start the sshd service prior to the kickstart enrollment. While starting sshd before enrolling the client generates the SSH keys automatically, using the above script is the preferred solution.
    See Post-installation Script in the Installation Guide for details.
For details on using Kickstart, see How Do You Perform a Kickstart Installation? in the Installation Guide. For examples of Kickstart files, see Sample Kickstart Configurations.

3.5. Post-installation Considerations for Clients

3.5.1. Removing Pre-Identity Management Configuration

The ipa-client-install script does not remove any previous LDAP and SSSD configuration from the /etc/openldap/ldap.conf and /etc/sssd/sssd.conf files. If you modified the configuration in these files before installing the client, the script adds the new client values, but comments them out. For example:
BASE   dc=example,dc=com
URI    ldap://ldap.example.com

#URI ldaps://server.example.com # modified by IPA
#BASE dc=ipa,dc=example,dc=com # modified by IPA
To apply the new Identity Management configuration values:
  1. Open /etc/openldap/ldap.conf and /etc/sssd/sssd.conf.
  2. Delete the previous configuration.
  3. Uncomment the new Identity Management configuration.
  4. Server processes that rely on system-wide LDAP configuration might require a restart to apply the changes. Applications that use openldap libraries typically import the configuration when started.

3.6. Testing the New Client

Check that the client can obtain information about users defined on the server. For example, to check the default admin user:
[user@client ~]$ id admin
uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)

3.7. Uninstalling a Client

Uninstalling a client removes the client from the IdM domain, along with all of the IdM-specific configuration for system services, such as SSSD. This restores the client machine's previous configuration.
  1. Run the ipa-client-install --uninstall command:
    # ipa-client-install --uninstall
  2. Remove the DNS entries for the client host manually from the server. See Section 24.4.6, “Deleting Records from DNS Zones”.

3.8. Re-enrolling a Client into the IdM Domain

If a client virtual machine has been destroyed and you still have its keytab, you can re-enroll the client:

Note

You can only re-enroll clients whose domain entry is still active. If you uninstalled a client (using ipa-client-install --uninstall) or disabled its host entry (using ipa host-disable), you cannot re-enroll it.
During re-enrollment, IdM performs the following:
  • Revokes the original host certificate
  • Generates a new host certificate
  • Creates new SSH keys
  • Generates a new keytab

3.8.1. Re-enrolling a Client Interactively Using the Administrator Account

  1. Re-create the client machine with the same host name.
  2. Run the ipa-client-install --force-join command on the client machine:
    # ipa-client-install --force-join
  3. The script prompts for a user whose identity will be used to enroll the client. By default, this is the admin user:
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM

3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab

Re-enrollment using the client keytab is appropriate for automated installation or in other situations when using the administrator password is not feasible.
  1. Back up the original client's keytab file, for example in the /tmp or /root directory.
  2. Re-create the client machine with the same host name.
  3. Re-enroll the client, and specify the keytab location using the --keytab option:
    # ipa-client-install --keytab /tmp/krb5.keytab

    Note

    The keytab specified in the --keytab option is only used when authenticating to initiate the enrollment. During the re-enrollment, IdM generates a new keytab for the client.

3.9. Renaming Client Machines

This section explains how to rename an IdM client. The process involves:

Warning

Renaming a client is a manual procedure. Red Hat does not recommend it unless changing the host name is absolutely required.

Identifying Current Service and Keytab Configuration

Before uninstalling the current client, make note of certain settings for the client. You will apply this configuration after re-enrolling the machine with a new host name.
  1. Identify which services are running on the machine:
    1. Use the ipa service-find command, and identify services with certificates in the output:
      $ ipa service-find client.example.com
    2. In addition, each host has a default host service which does not appear in the ipa service-find output. The service principal for the host service, also called a host principal, is host/client.example.com.
  2. Identify all host groups to which the machine belongs.
    # ipa hostgroup-find client.example.com
  3. For all service principals displayed by ipa service-find client.example.com, determine the location of the corresponding keytabs on client.example.com.
    Each service on the client system has a Kerberos principal in the form service_name/hostname@REALM, such as ldap/client.example.com@EXAMPLE.COM.

Removing the Client Machine from the IdM Domain

  1. Unenroll the client machine from the IdM domain. See Section 3.7, “Uninstalling a Client”.
  2. For each identified keytab other than /etc/krb5.keytab, remove the old principals:
    [root@client ~]# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
  3. On an IdM server, remove the host entry. This removes all services and revokes all certificates issued for that host:
    [root@server ~]# ipa host-del client.example.com
At this point, the host is completely removed from IdM.

Re-enrolling the Client with a New Host Name

  1. Rename the machine as required.
  2. Re-enroll the machine as an IdM client. See Section 3.8, “Re-enrolling a Client into the IdM Domain”.
  3. On an IdM server, add a new keytab for every service identified in Section 3.9, “Identifying Current Service and Keytab Configuration”.
    [root@server ~]# ipa service-add service_name/new_host_name
  4. Generate certificates for services that had a certificate assigned in Section 3.9, “Identifying Current Service and Keytab Configuration”. You can do this:

Chapter 4. Installing and Uninstalling Identity Management Replicas

Replicas are created by cloning the configuration of existing Identity Management servers. Therefore, servers and their replicas share identical core configuration. The replica installation process copies the existing server configuration and installs the replica based on that configuration.
Maintaining several server replicas is a recommended backup solution to avoid data loss, as described in the "Backup and Restore in IdM/IPA" Knowledgebase solution.

Note

Another backup solution, recommended primarily for situations when rebuilding the IdM deployment from replicas is not possible, is the ipa-backup utility, as described in Chapter 9, Backing Up and Restoring Identity Management.

4.1. Explaining IdM Replicas

Replicas are created as clones of the initial master servers. Once a replica is created, it is functionally identical to the master server: servers and replicas created from these servers share the same internal information about users, machines, certificates, and configured policies.

Note

For more information on the types of machines in the IdM topology, see Section 1.2, “The Identity Management Domain”.
Replication is the process of copying data between replicas. The information between replicas is shared using multi-master replication: all replicas joined through a replication agreement receive updates and are therefore considered data masters.
Server and Replica Agreements

Figure 4.1. Server and Replica Agreements

4.2. Deployment Considerations for Replicas

4.2.1. Distribution of Server Services in the Topology

IdM servers can run a number of services, such as a certificate authority (CA) or DNS. A replica can run the same services as the server it was created from, but it is not necessary.
For example, you can install a replica without DNS services, even if the initial server runs DNS. Similarly, you can set up a replica as a DNS server even if the initial server was installed without DNS.
Replicas with Different Services

Figure 4.2. Replicas with Different Services

CA Services on Replicas

If you set up a replica without a CA, it will forward all requests for certificate operations to the CA server in your topology.

Warning

Red Hat strongly recommends to keep the CA services installed on more than one server. For information on installing a replica of the initial server including the CA services, see Section 4.5.4, “Installing a Replica with a CA”.
If you install the CA on only one server, you risk losing the CA configuration without a chance of recovery if the CA server fails. See Section A.2.6, “Recovering a Lost CA Server” for details.
If you set up a CA on the replica, its configuration must mirror the CA configuration of the initial server.

4.2.2. Replica Topology Recommendations

Red Hat recommends to follow these guidelines:
Configure no more than 60 replicas in a single IdM domain
Red Hat guarantees to support environments with 60 replicas or less.
Configure at least two, but no more than four replication agreements per each replica
Configuring additional replication agreements ensures that information is replicated not just between the initial replica and the master server, but between other replicas as well.
  • If you create replica B from server A and then replica C from server A, replicas B and C are not directly joined, so data from replica B must first be replicated to server A before propagating to replica C.
    Replicas B and C Are Not Joined in a Replication Agreement

    Figure 4.3. Replicas B and C Are Not Joined in a Replication Agreement

    Setting up an additional replication agreement between replica B and replica C ensures the data is replicated directly, which improves data availability, consistency, failover tolerance, and performance.
    Replicas B and C Are Joined in a Replication Agreement

    Figure 4.4. Replicas B and C Are Joined in a Replication Agreement

    See Chapter 6, Managing Replication Topology for details on managing replication agreements.
Configuring more than four replication agreements per replica is unnecessary. A large number of replication agreements per server does not bring significant additional benefits, because one consumer server can only be updated by one master at a time, so the other agreements are meanwhile idle and waiting. Additionally, configuring too many replication agreements can have a negative impact on overall performance.

Note

The ipa topologysuffix-verify command checks if your topology meets the most important recommendations. Run ipa topologysuffix-verify --help for details.
The command requires you to specify the topology suffix. See Section 6.1, “Explaining Replication Agreements, Topology Suffixes, and Topology Segments” for details.
Topology Example

Figure 4.5. Topology Example

4.2.2.1. Tight Cell Topology

One of the most resilient topologies is to create a cell configuration for the servers and replicas with a small number of servers in a cell:
  • Each of the cells is a tight cell, where all servers have replication agreements with each other.
  • Each server has one replication agreement with another server outside the cell. This ensures that every cell is loosely coupled to every other cell in the domain.
To accomplish a tight cell topology:
  • Have at least one IdM server in each main office, data center, or locality. Preferably, have two IdM servers.
  • Do not have more than four servers per data center.
  • In small offices, rather than using a replica, use SSSD to cache credentials and an off-site IdM server as the data back end.

4.3. Prerequisites for Installing a Replica

The installation requirements for replicas are the same as for IdM servers. Make sure that the replica machine meets all of the prerequisites listed in Section 2.1, “Prerequisites for Installing a Server”.
In addition to the general server requirements, you must also meet the following conditions:
The replica must be running the same or later version of IdM
For example, if the master server is running on Red Hat Enterprise Linux 7 and uses the IdM 4.4 packages, then the replica must also run on Red Hat Enterprise Linux 7 or later and use IdM version 4.4 or later. This ensures that configuration can be properly copied from the server to the replica.

Important

IdM does not support creating a replica of an earlier version than the version of the master. If you try to create a replica using an earlier version, the installation fails.
The replica needs additional ports to be open
In addition to the standard IdM server port requirements described in Section 2.1.4, “Port Requirements”, make sure you also meet the following:
  • At domain level 0, keep the TCP port 22 open during the replica setup process. This port is required in order to use SSH to connect to the master server.

    Note

    For details on domain levels, see Chapter 7, Displaying and Raising the Domain Level.
  • If one of the servers is running Red Hat Enterprise Linux 6 and has a CA installed, keep also TCP port 7389 open during and after the replica configuration. In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not required.

Note

The ipa-replica-install script includes the ipa-replica-conncheck utility that verifies the status of the required ports. You can also run ipa-replica-conncheck separately for troubleshooting purposes. For information on how to use the utility, see the ipa-replica-conncheck(1) man page.
For information on how to open ports using the firewall-cmd utility, see Section 2.1.4, “Port Requirements”.

4.4. Packages Required to Install a Replica

Replica package requirements are the same as server package requirements. See Section 2.2, “Packages Required to Install an IdM Server”.

4.5. Creating the Replica: Introduction

The ipa-replica-install utility is used to install a new replica from an existing IdM server.

Note

This chapter describes the simplified replica installation introduced in Red Hat Enterprise Linux 7.3. The procedures require domain level 1 (see Chapter 7, Displaying and Raising the Domain Level).
For documentation on installing a replica at domain level 0, see Appendix B, Managing Replicas at Domain Level 0.
You can install a new replica:
In both of these situations, you can customize your replica by adding options to ipa-replica-install: see Section 4.5, “Using ipa-replica-install to Configure the Replica for Your Use Case”.

Important

If the IdM server you are replicating has a trust with Active Directory, set up the replica as a trust agent after running ipa-replica-install. See Trust Controllers and Trust Agents in the Windows Integration Guide.

Promoting an Existing Client to a Replica

To install the replica on an existing client, you must make sure the client is authorized to be promoted. To achieve this, choose one of the following:
Provide a privileged user's credentials
The default privileged user is admin. There are multiple ways to provide the user's credentials. You can:
  • let IdM prompt you to get the credentials interactively

    Note

    This is the default way to provide the privileged user's credentials. If no credentials are available when ipa-replica-install runs, the installation automatically prompts you.
  • log in as the user before running ipa-replica-install on the client:
    $ kinit admin
  • add the user's principal name and password to ipa-replica-install directly:
    # ipa-replica-install --principal admin --admin-password admin_password
Add the client to the ipaservers host group
Membership in ipaservers grants the machine elevated privileges analogous to a privileged user's credentials. You will not be required to provide the user's credentials.

Installing a Replica on a Machine That Is Not a Client

When run on a machine that has not yet been enrolled in the IdM domain, ipa-replica-install first enrolls the machine as a client and then installs the replica components.
To install a replica in this situation, choose one of the following:
Provide a privileged user's credentials
The default privileged user is admin. To provide the credentials, add the principal name and password to ipa-replica-install directly:
# ipa-replica-install --principal admin --admin-password admin_password
Provide a random password for the client
You must generate the random password on a server before installing the replica. You will not be required to provide the user's credentials during the installation.
By default, the replica is installed against the first IdM server discovered by the client installer. To install the replica against a particular server, add the following options to ipa-replica-install:
  • --server for the server's fully qualified domain name (FQDN)
  • --domain for the IdM DNS domain

Using ipa-replica-install to Configure the Replica for Your Use Case

When run without any options, ipa-replica-install only sets up basic server services. To install additional services, such as DNS or a certificate authority (CA), add options to ipa-replica-install.

Warning

Red Hat strongly recommends to keep the CA services installed on more than one server. For information on installing a replica of the initial server including the CA services, see Section 4.5.4, “Installing a Replica with a CA”.
If you install the CA on only one server, you risk losing the CA configuration without a chance of recovery if the CA server fails. See Section A.2.6, “Recovering a Lost CA Server” for details.
For example scenarios of installing a replica with the most notable options, see:
For a complete list of the options used to configure the replica, see the ipa-replica-install(1) man page.

4.5.1. Promoting a Client to a Replica Using a Host Keytab

In this procedure, an existing IdM client is promoted to a replica using its own host keytab to authorize the promotion.
The procedure does not require you to provide the administrator or Directory Manager (DM) credentials. It is therefore more secure because no sensitive information is exposed on the command line.
  1. On an existing server:
    1. Log in as the administrator.
      $ kinit admin
    2. Add the client machine to the ipaservers host group.
      $ ipa hostgroup-add-member ipaservers --hosts client.example.com
        Host-group: ipaservers
        Description: IPA server hosts
        Member hosts: server.example.com, client.example.com
      -------------------------
      Number of members added 1
      -------------------------
      Membership in ipaservers grants the machine elevated privileges analogous to the administrator's credentials.
  2. On the client, run the ipa-replica-install utility.
    # ipa-replica-install

4.5.2. Installing a Replica Using a Random Password

In this procedure, a replica is installed from scratch on a machine that is not yet an IdM client. To authorize the enrollment, a client-specific random password valid for one client enrollment only is used.
The procedure does not require you to provide the administrator or Directory Manager (DM) credentials. It is therefore more secure because no sensitive information is exposed on the command line.
  1. On an existing server:
    1. Log in as the administrator.
      $ kinit admin
    2. Add the new machine as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the replica installation.
      $ ipa host-add client.example.com --random
      --------------------------------------------------
      Added host "client.example.com"
      --------------------------------------------------
        Host name: client.example.com
        Random password: W5YpARl=7M.n
        Password: True
        Keytab: False
        Managed by: server.example.com
      The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.
    3. Add the machine to the ipaservers host group.
      $ ipa hostgroup-add-member ipaservers --hosts client.example.com
        Host-group: ipaservers
        Description: IPA server hosts
        Member hosts: server.example.com, client.example.com
      -------------------------
      Number of members added 1
      -------------------------
      Membership in ipaservers grants the machine elevated privileges required to set up the necessary server services.
  2. On the machine where you want to install the replica, run ipa-replica-install, and provide the random password using the --password option. Enclose the password in single quotes (') because it often contains special characters:
    # ipa-replica-install --password 'W5YpARl=7M.n'

4.5.3. Installing a Replica with DNS

This procedure works for installing a replica on a client as well as on a machine that is not part of the IdM domain yet. See Section 4.5, “Creating the Replica: Introduction” for details.
  1. Run ipa-replica-install with these options:
    • --setup-dns to create a DNS zone if it does not exist already and configure the replica as the DNS server
    • --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders
      To specify multiple forwarders for failover reasons, use --forwarder multiple times.
    For example:
    # ipa-replica-install --setup-dns --forwarder 192.0.2.1

    Note

    The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.
  2. If the initial server was created with DNS enabled, the replica is automatically created with the proper DNS entries. The entries ensure that IdM clients will be able to discover the new server.
    If the initial server did not have DNS enabled, add the DNS records manually. The following DNS records are necessary for the domain services:
    • _ldap._tcp
    • _kerberos._tcp
    • _kerberos._udp
    • _kerberos-master._tcp
    • _kerberos-master._udp
    • _ntp._udp
    • _kpasswd._tcp
    • _kpasswd._udp
    This example shows how to verify that the entries are present:
    1. Set the appropriate values for the DOMAIN and NAMESERVER variables:
      # DOMAIN=example.com
      # NAMESERVER=replica
    2. Use the following command to check for the DNS entries:
      # for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp ; do
      dig @${NAMESERVER} ${i}.${DOMAIN} srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority
      done | egrep "^_"
      
      _ldap._tcp.example.com. 86400     IN    SRV     0 100 389 server1.example.com.
      _ldap._tcp.example.com. 86400     IN    SRV     0 100 389 server2.example.com.
      _kerberos._tcp.example.com. 86400 IN    SRV     0 100 88  server1.example.com.
      ...
  3. Optional, but recommended. Manually add other DNS servers as backup servers in case the replica becomes unavailable. See Section 24.10.1, “Setting up Additional Name Servers”. This is recommended especially for situations when the new replica is your first DNS server in the IdM domain.

4.5.4. Installing a Replica with a CA

This procedure works for installing a replica on a client as well as on a machine that is not part of the IdM domain yet. See Section 4.5, “Creating the Replica: Introduction” for details.
  1. Run ipa-replica-install with the --setup-ca option.
    [root@replica ~]# ipa-replica-install --setup-ca
  2. The --setup-ca option copies the CA configuration from the initial server's configuration, regardless of whether the IdM CA on the server is a root CA or whether it is subordinated to an external CA.

    Note

    For details on the supported CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.

4.5.5. Installing a Replica from a Server without a CA

This procedure works for installing a replica on a client as well as on a machine that is not part of the IdM domain yet. See Section 4.5, “Creating the Replica: Introduction” for details.

Important

You cannot install a server or replica using self-signed third-party server certificates.
  • Run ipa-replica-install, and provide the required certificate files by adding these options:
    • --dirsrv-cert-file
    • --dirsrv-pin
    • --http-cert-file
    • --http-pin
    For details about the files that are provided using these options, see Section 2.3.6, “Installing Without a CA”.
    For example:
    [root@replica ~]# ipa-replica-install \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret

    Note

    Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the master server.

4.6. Testing the New Replica

To check if replication works as expected after creating a replica:
  1. Create a user on one of the servers:
    [admin@server1 ~]$ ipa user-add test_user --first=Test --last=User
  2. Make sure the user is visible on the other server:
    [admin@server2 ~]$ ipa user-show test_user

4.7. Uninstalling a Replica

Part II. The Basics of Managing an Identity Management Domain

Table of Contents

5. The Basics of Managing the IdM Server and Services
5.1. Starting and Stopping the IdM Server
5.2. Logging into IdM Using Kerberos
5.3. The IdM Command-Line Utilities
5.3.1. Getting Help for ipa Commands
5.3.2. Setting a List of Values
5.3.3. Using Special Characters
5.3.4. Searching IdM Entries
5.3.4.1. Adjusting the Search Size and Time Limit
5.4. The IdM Web UI
5.4.1. Accessing the Web UI and Authenticating
5.4.2. Configuring the Browser for Kerberos Authentication
5.4.3. Configuring an External System for Kerberos Authentication to the Web UI
5.4.4. Proxy Servers and Port Forwarding in the Web UI
6. Managing Replication Topology
6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments
6.2. Web UI: Using the Topology Graph to Manage Replication Topology
6.2.1. Setting up Replication Between Two Servers
6.2.2. Stopping Replication Between Two Servers
6.3. Command Line: Managing Topology Using the ipa topology* Commands
6.3.1. Getting Help for Topology Management Commands
6.3.2. Setting up Replication Between Two Servers
6.3.3. Stopping Replication Between Two Servers
6.4. Removing a Server from the Topology
6.4.1. Web UI: Removing a Server from the Topology
6.4.2. Command Line: Removing a Server from the Topology
6.5. Managing Server Roles
6.5.1. Viewing Server Roles
6.5.2. Promoting a Replica to a Master CA Server
6.5.2.1. Changing the Current CA Renewal Master
6.5.2.2. Changing Which Server Generates CRLs
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
7. Displaying and Raising the Domain Level
7.1. Displaying the Current Domain Level
7.2. Raising the Domain Level
8. Updating and Migrating Identity Management
8.1. Updating Identity Management
8.1.1. Considerations for Updating Identity Management
8.1.2. Using yum to Update the Identity Management Packages
8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
8.2.5. Stop the Red Hat Enterprise Linux 6 Server
8.2.6. Next Steps After Migrating the Master CA Server
9. Backing Up and Restoring Identity Management
9.1. Full-Server Backup and Data-Only Backup
9.1.1. Creating a Backup
9.1.2. Encrypting Backup
9.1.3. List of Directories and Files Copied During Backup
9.2. Restoring a Backup
9.2.1. Restoring from the Full-Server or Data-Only Backup
9.2.2. Restoring with Multiple Master Servers
9.2.3. Restoring from an Encrypted Backup

Chapter 5. The Basics of Managing the IdM Server and Services

This chapter describes the Identity Management command-line and UI tools that are available to manage the IdM server and services, including methods for authenticating to IdM.

5.1. Starting and Stopping the IdM Server

A number of different services are installed together with an IdM server, including Directory Server, Certificate Authority (CA), DNS, Kerberos, and others. Use the ipactl utility to stop, start, or restart the entire IdM server along with all the installed services.
To start the entire IdM server:
# ipactl start
To stop the entire IdM server:
# ipactl stop
To restart the entire IdM server:
# ipactl restart
If you only want to stop, start, or restart an individual service, use the systemctl utility, described in the System Administrator's Guide. For example, using systemctl to manage individual services is useful when customizing the Directory Server behavior: the configuration changes require restarting the Directory Server instance, but it is not necessary to restart all the IdM services.

Important

To restart multiple IdM domain services, Red Hat always recommends to use ipactl. Because of dependencies between the services installed with the IdM server, the order in which they are started and stopped is critical. The ipactl utility ensures that the services are started and stopped in the appropriate order.

5.2. Logging into IdM Using Kerberos

IdM uses the Kerberos protocol to support single sign-on. With Kerberos, the user only needs to present the correct user name and password once. Then the user can access IdM services without the system prompting for the credentials again.
By default, only machines that are members of the IdM domain can use Kerberos to authenticate to IdM. However, it is possible to configure external systems for Kerberos authentication as well; for more information, see Section 5.4.3, “Configuring an External System for Kerberos Authentication to the Web UI”.

Using kinit

To log in to IdM from the command line, use the kinit utility.

Note

To use kinit, the krb5-workstation package must be installed.
When run without specifying a user name, kinit logs into IdM under the user name of the user that is currently logged-in on the local system. For example, if you are logged-in as local_user on the local system, running kinit attempts to authenticate you as the local_user IdM user:
[local_user@server ~]$ kinit
Password for local_user@EXAMPLE.COM:

Note

If the user name of the local user does not match any user entry in IdM, the authentication attempt fails.
To log in as a different IdM user, pass the required user name as a parameter to the kinit utility. For example, to log in as the admin user:
[local_user@server ~]$ kinit admin
Password for admin@EXAMPLE.COM:

Obtaining Kerberos Tickets Automatically

The pam_krb5 pluggable authentication module (PAM) and SSSD can be configured to automatically obtain a TGT for a user after a successful login in to the desktop environment on an IdM client machine. This ensures that after logging in, the user is not required to run kinit.
On IdM systems that have IdM configured in SSSD as the identity and authentication provider, SSSD obtains the TGT automatically after the user logs in with the corresponding Kerberos principal name.
For information on configuring pam_krb5, see the pam_krb5(8) man page. For general information about PAM, see the System-Level Authentication Guide.

Storing Multiple Kerberos Tickets

By default, Kerberos only stores one ticket per logged-in user in the credential cache. Whenever a user runs kinit, Kerberos overwrites the currently-stored ticket with the new ticket. For example, if you use kinit to authenticate as user_A, the ticket for user_A will be lost after you authenticate again as user_B.
To obtain and store another TGT for a user, set a different credential cache, which ensures the contents of the previous cache are not overwritten. You can do this in one of the following two ways:
  • Run the export KRB5CCNAME=path_to_different_cache command, and then use kinit to obtain the ticket.
  • Run the kinit -c path_to_different_cache command, and then reset the KRB5CCNAME variable.
To restore the original TGT stored in the default credential cache:
  1. Run the kdestroy command.
  2. Restore the default credential cache location using the unset $KRB5CCNAME command.

Checking the Current Logged-in User

To verify what TGT is currently stored and used for authentication, use the klist utility to list cached tickets. In the following example, the cache contains a ticket for user_A, which means that only user_A is currently allowed to access IdM services:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user_A@EXAMPLE.COM

Valid starting     	Expires            	Service principal
11/10/2015 08:35:45  	11/10/2015 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM

5.3. The IdM Command-Line Utilities

The basic command-line script for IdM is named ipa. The ipa script is a parent script for a number of subcommands. These subcommands are then used to manage IdM. For example, the ipa user-add command adds a new user:
$ ipa user-add user_name
Command-line management has certain benefits over management in UI; for example, the command-line utilities allow management tasks to be automated and performed repeatedly in a consistent way without manual intervention. Additionally, while most management operations are available both from the command line and in the web UI, some tasks can only be performed from the command line.

Note

This section only provides a general overview of the ipa subcommands. More information is available in the other sections dedicated to specific areas of managing IdM. For example, for information about managing user entries using the ipa subcommands, see Chapter 10, Managing User Accounts.

5.3.1. Getting Help for ipa Commands

The ipa script can display help about a particular set of subcommands: a topic. To display the list of available topics, use the ipa help topics command:
$ ipa help topics

automember         Auto Membership Rule.
automount          Automount
caacl              Manage CA ACL rules.
...
To display help for a particular topic, use the ipa help topic_name command. For example, to display information about the automember topic:
$ ipa help automember

Auto Membership Rule.

Bring clarity to the membership of hosts and users by configuring inclusive
or exclusive regex patterns, you can automatically assign a new entries into
a group or hostgroup based upon attribute information.

...

EXAMPLES:

 Add the initial group or hostgroup:
   ipa hostgroup-add --desc="Web Servers" webservers
   ipa group-add --desc="Developers" devel
...
The ipa script can also display a list of available ipa commands. To do this, use the ipa help commands command:
$ ipa help commands
automember-add                         Add an automember rule.
automember-add-condition               Add conditions to an automember rule.
...
For detailed help on the individual ipa commands, add the --help option to a command. For example:
$ ipa automember-add --help

Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]

Add an automember rule.
Options:
  -h, --help            show this help message and exit
  --desc=STR            A description of this auto member rule
...
For more information about the ipa utility, see the ipa(1) man page.

5.3.2. Setting a List of Values

IdM stores entry attributes in lists. For example:
ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
Any update to a list of attributes overwrites the previous list. For example, an attempt to add a single attribute by only specifying this attribute replaces the whole previously-defined list with the single new attribute. Therefore, when changing a list of attributes, you must specify the whole updated list.
IdM supports the following methods of supplying a list of attributes:
  • Using the same command-line argument multiple times within the same command invocation. For example:
    $ ipa permission-add --permissions=read --permissions=write --permissions=delete
  • Enclosing the list in curly braces, which allows the shell to do the expansion. For example:
    $ ipa permission-add --permissions={read,write,delete}

5.3.3. Using Special Characters

When passing command-line arguments in ipa commands that include special characters, such as angle brackets (< and >), ampersand (&), asterisk (*), or vertical bar (|), you must escape these characters by using a backslash (\). For example, to escape an asterisk (*):
$ ipa certprofile-show certificate_profile --out=exported\*profile.cfg
Commands containing unescaped special characters do not work as expected because the shell cannot properly parse such characters.

5.3.4. Searching IdM Entries

Listing IdM Entries

Use the ipa *-find commands to search for a particular type of IdM entries. For example:
  • To list all users:
    $ ipa user-find
    ---------------
    4 users matched
    ---------------
      ...
  • To list user groups whose specified attributes contain keyword:
    $ ipa group-find keyword
    ----------------
    2 groups matched
    ----------------
      ...
    To configure the attributes IdM searches for users and user groups, see Section 13.5, “Setting Search Attributes for Users and User Groups”.
When searching user groups, you can also limit the search results to groups that contain a particular user:
$ ipa group-find --user=user_name
You can also search for groups that do not contain a particular user:
$ ipa group-find --no-user=user_name

Showing Details for a Particular Entry

Use the ipa *-show command to display details about a particular IdM entry. For example:
$ ipa host-show server.example.com
 Host name: server.example.com
 Principal name: host/server.example.com@EXAMPLE.COM
 ...

5.3.4.1. Adjusting the Search Size and Time Limit

Some search results, such as viewing lists of users, can return a very large number of entries. By tuning these search operations, you can improve overall server performance when running the ipa *-find commands, such as ipa user-find, and when displaying corresponding lists in the web UI.
The search size limit:
  • Defines the maximum number of entries returned for a request sent to the server from a client, the IdM command-line tools, or the IdM web UI.
  • Default value: 100 entries.
The search time limit:
  • Defines the maximum time that the server waits for searches to run. Once the search reaches this limit, the server stops the search and returns the entries that discovered in that time.
  • Default value: 2 seconds.
If you set the values to -1, IdM will not apply any limits when searching.

Important

Setting search size or time limits too high can negatively affect server performance.

Web UI: Adjusting the Search Size and Time Limit

To adjust the limits globally for all queries:
  1. Select IPA ServerConfiguration.
  2. Set the required values in the Search Options area.
  3. Click Save at the top of the page.

Command Line: Adjusting the Search Size and Time Limit

To adjust the limits globally for all queries, use the ipa config-mod command and add the --searchrecordslimit and --searchtimelimit options. For example:
$ ipa config-mod --searchrecordslimit=500 --searchtimelimit=5
From the command line, you can also adjust the limits only for a specific query. To do this, add the --sizelimit or --timelimit options to the command. For example:
$ ipa user-find --sizelimit=200 --timelimit=120

5.4. The IdM Web UI

The Identity Management web UI is a web application for IdM administration. It has most of the capabilities of the ipa command-line utility. Therefore, the users can choose whether they want to manage IdM from the UI or from the command line.

Note

Management operations available to the logged-in user depend on the user's access rights. For the admin user and other users with administrative privileges, all management tasks are available. For regular users, only a limited set of operations related to their own user account is available.

Supported Web Browsers

Identity Management supports the following browsers for connecting to the web UI:
  • Mozilla Firefox 38 and later
  • Google Chrome 46 and later

5.4.1. Accessing the Web UI and Authenticating

The web UI can be accessed both from IdM server and client machines, as well as from machines outside of the IdM domain. However, to access the UI from a non-domain machine, you must first configure the non-IdM system to be able to connect to the IdM Kerberos domain; see Section 5.4.3, “Configuring an External System for Kerberos Authentication to the Web UI” for more details.

Accessing the Web UI

To access the web UI, type the IdM server URL into the browser address bar:
https://server.example.com
This opens the IdM web UI login screen in your browser.
Web UI Login Screen

Figure 5.1. Web UI Login Screen

Available Login Methods

The user can authenticate to the web UI in two ways:
With an active Kerberos ticket
If the user has a valid TGT obtained with the kinit utility, clicking Login automatically authenticates the user. Note that the browser must be configured properly to support Kerberos authentication.
For information on obtaining a Kerberos TGT, see Section 5.2, “Logging into IdM Using Kerberos”. For information on configuring the browser, see Section 5.4.2, “Configuring the Browser for Kerberos Authentication”.
By providing user name and password
To authenticate using a user name and password, enter the user name and password on the web UI login screen.
IdM also supports one-time password (OTP) authentication. For more information, see Section 11.2, “One-Time Passwords”.
After the user authenticates successfully, the IdM management window opens.
The IdM Web UI Layout

Figure 5.2. The IdM Web UI Layout

Web UI Session Length

The default web UI session expiration period is 20 minutes. If the user does not perform any action for 20 minutes, the web UI logs the user out. However, if the user was logged in using Kerberos, the web UI automatically logs the user in again.

5.4.2. Configuring the Browser for Kerberos Authentication

To enable authentication with Kerberos credentials, you must configure your browser to support Kerberos negotiation for accessing the IdM domain. Note that if your browser is not configured properly for Kerberos authentication, an error message appears after clicking Login on the IdM web UI login screen.
Kerberos Authentication Error

Figure 5.3. Kerberos Authentication Error

You can configure your browser for Kerberos authentication in three ways:

Note

The System-Level Authentication Guide includes a troubleshooting guide for Kerberos authentication in Firefox. If Kerberos authentication is not working as expected, see this troubleshooting guide for more advice.

Automatic Firefox Configuration in the Web UI

To automatically configure Firefox from the IdM web UI:
  1. Click the link for browser configuration on the web UI login screen.
    Link to Configuring the Browser in the Web UI

    Figure 5.4. Link to Configuring the Browser in the Web UI

  2. Choose the link for Firefox configuration to open the Firefox configuration page.
    Link to the Firefox Configuration Page

    Figure 5.5. Link to the Firefox Configuration Page

  3. Follow the steps on the Firefox configuration page.

Automatic Firefox Configuration from the Command Line

Firefox can be configured from the command line during IdM client installation. To do this, use the --configure-firefox option when installing the IdM client with the ipa-client-install utility:
# ipa-client-install --configure-firefox
The --configure-firefox option creates a global configuration file with default Firefox settings that enable Kerberos for single sign-on (SSO).

Manual Browser Configuration

To manually configure your browser:
  1. Click the link for browser configuration on the web UI login screen.
    Link to Configuring the Browser in the Web UI

    Figure 5.6. Link to Configuring the Browser in the Web UI

  2. Choose the link for manual browser configuration.
    Link to the Manual Configuration Page

    Figure 5.7. Link to the Manual Configuration Page

  3. Look for the instructions to configure your browser and follow the steps.

5.4.3. Configuring an External System for Kerberos Authentication to the Web UI

To enable Kerberos authentication to the web UI from a system that is not a member of the IdM domain, you must define an IdM-specific Kerberos configuration file on the external machine. Enabling Kerberos authentication on external systems is especially useful when your infrastructure includes multiple realms or overlapping domains.
To create the Kerberos configuration file:
  1. Copy the /etc/krb5.conf file from the IdM server to the external machine. For example:
    # scp /etc/krb5.conf root@externalmachine.example.com:/etc/krb5_ipa.conf

    Warning

    Do not overwrite the existing krb5.conf file on the external machine.
  2. On the external machine, set the terminal session to use the copied IdM Kerberos configuration file:
    $ export KRB5_CONFIG=/etc/krb5_ipa.conf
  3. Configure the browser on the external machine as described in Section 5.4.2, “Configuring the Browser for Kerberos Authentication”.
Users on the external system can now use the kinit utility to authenticate against the IdM server domain.

5.4.4. Proxy Servers and Port Forwarding in the Web UI

Using proxy servers to access the web UI does not require any additional configuration in IdM.
Port forwarding is not supported with the IdM server. However, because it is possible to use proxy servers, an operation similar to port forwarding can be configured using proxy forwarding with OpenSSH and the SOCKS option. This can be configured using the -D option of the ssh utility; for more information on using -D, see the ssh(1) man page.

Chapter 6. Managing Replication Topology

This chapter describes how to manage replication between servers in an Identity Management (IdM) domain.

Note

This chapter describes simplified topology management introduced in Red Hat Enterprise Linux 7.3. The procedures require domain level 1 (see Chapter 7, Displaying and Raising the Domain Level).
For documentation on managing topology at domain level 0, see Section B.3, “Managing Replicas and Replication Agreements”.
For details on installing an initial replica and basic information on replication, see Chapter 4, Installing and Uninstalling Identity Management Replicas.

6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments

Replication Agreements

Data stored on an IdM server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data.
Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.

Note

For additional details, see Section 4.1, “Explaining IdM Replicas”.

Topology Suffixes

Topology suffixes store the data that is replicated. IdM supports two types of topology suffixes: domain and ca. Each suffix represents a separate back end, a separate replication topology.
When a replication agreement is configured, it joins two topology suffixes of the same type on two different servers.
The domain suffix: dc=example,dc=com
The domain suffix contains all domain-related data.
When two replicas have a replication agreement between their domain suffixes, they share directory data, such as users, groups, and policies.
The ca suffix: o=ipaca
The ca suffix contains data for the Certificate System component. It is only present on servers with a certificate authority (CA) installed.
When two replicas have a replication agreement between their ca suffixes, they share certificate data.
Topology Suffixes

Figure 6.1. Topology Suffixes

An initial topology segment is set up between two servers by the ipa-replica-install script when installing a new replica.

Example 6.1. Viewing Topology Suffixes

The ipa topologysuffix-find command displays a list of topology suffixes:
$ ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------

Topology Segments

When two replicas have a replication agreement between their suffixes, the suffixes form a topology segment. Each topology segment consists of a left node and a right node. The nodes represent the servers joined in the replication agreement.
Topology segments in IdM are always bidirectional. Each segment represents two replication agreements: from server A to server B, and from server B to server A. The data is therefore replicated in both directions.
Topology Segments

Figure 6.2. Topology Segments

Example 6.2. Viewing Topology Segments

The ipa topologysegment-find command shows the current topology segments configured for the domain or CA suffixes. For example, for the domain suffix:
$ ipa topologysegment-find
Suffix name: domain
-----------------
1 segment matched
-----------------
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------
In this example, domain-related data is only replicated between two servers: server1.example.com and server1.example.com.
To display details for a particular segment only, use the ipa topologysegment-show command:
$ ipa topologysegment-show
Suffix name: domain
Segment name: server1.example.com-to-server2.example.com
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both

6.2. Web UI: Using the Topology Graph to Manage Replication Topology

Accessing the Topology Graph

The topology graph in the web UI shows the relationships between the servers in the domain:
  1. Select IPA ServerTopologyTopology Graph.
  2. If you make any changes to the topology that are not immediately reflected in the graph, click Refresh.

Customizing the Topology View

You can move individual topology nodes by dragging the mouse:
Moving Topology Graph Nodes

Figure 6.3. Moving Topology Graph Nodes

You can zoom in and zoom out the topology graph using the mouse wheel:
Zooming the Topology Graph

Figure 6.4. Zooming the Topology Graph

You can move the canvas of the topology graph by holding the left mouse button:
Moving the Topology Graph Canvas

Figure 6.5. Moving the Topology Graph Canvas

Interpreting the Topology Graph

Servers joined in a domain replication agreement are connected by an orange arrow. Servers joined in a CA replication agreement are connected by a blue arrow.
Topology graph example: recommended topology
Figure 6.6, “Recommended Topology Example” shows one of the possible recommended topologies for four servers: each server is connected to at least two other servers, and more than one server is a CA master.
Recommended Topology Example

Figure 6.6. Recommended Topology Example

Topology graph example: discouraged topology
In Figure 6.7, “Discouraged Topology Example: Single Point of Failure”, server1 is a single point of failure. All the other servers have replication agreements with this server, but not with any of the other servers. Therefore, if server1 fails, all the other servers will become isolated.
Avoid creating topologies like this.
Discouraged Topology Example: Single Point of Failure

Figure 6.7. Discouraged Topology Example: Single Point of Failure

For details on topology recommendations, see Section 4.2, “Deployment Considerations for Replicas”.

6.2.1. Setting up Replication Between Two Servers

  1. In the topology graph, hover your mouse over one of the server nodes.
    Domain or CA Options

    Figure 6.8. Domain or CA Options

  2. Click on the domain or the ca part of the circle depending on what type of topology segment you want to create.
  3. A new arrow representing the new replication agreement appears under your mouse pointer. Move your mouse to the other server node, and click on it.
    Creating a New Segment

    Figure 6.9. Creating a New Segment

  4. In the Add Topology Segment window, click Add to confirm the properties of the new segment.
IdM creates a new topology segment between the two servers, which joins them in a replication agreement. The topology graph now shows the updated replication topology:
New Segment Created

Figure 6.10. New Segment Created

6.2.2. Stopping Replication Between Two Servers

  1. Click on an arrow representing the replication agreement you want to remove. This highlights the arrow.
    Topology Segment Highlighted

    Figure 6.11. Topology Segment Highlighted

  2. Click Delete.
  3. In the Confirmation window, click OK.
IdM removes the topology segment between the two servers, which deletes their replication agreement. The topology graph now shows the updated replication topology:
Topology Segment Deleted

Figure 6.12. Topology Segment Deleted

6.3. Command Line: Managing Topology Using the ipa topology* Commands

6.3.1. Getting Help for Topology Management Commands

To display all commands used to manage replication topology:
$ ipa help topology
To display detailed help for a particular command, run it with the --help option:
$ ipa topologysuffix-show --help

6.3.2. Setting up Replication Between Two Servers

  1. Use the ipa topologysegment-add command to create a topology segment for the two servers. When prompted, provide:
    For example:
    $ ipa topologysegment-add
    Suffix name: domain
    Left node: server1.example.com
    Right node: server2.example.com
    Segment name [server1.example.com-to-server2.example.com]: new_segment
    ---------------------------
    Added segment "new_segment"
    ---------------------------
      Segment name: new_segment
      Left node: server1.example.com
      Right node: server2.example.com
      Connectivity: both
    Adding the new segment joins the servers in a replication agreement.
  2. Optional. Use the ipa topologysegment-show command to verify that the new segment is configured.
    $ ipa topologysegment-show
    Suffix name: domain
    Segment name: new_segment
      Segment name: new_segment
      Left node: server1.example.com
      Right node: server2.example.com
      Connectivity: both

6.3.3. Stopping Replication Between Two Servers

  1. To stop replication, you must delete the corresponding replication segment between the servers. To do that, you need to know the segment name.
    If you do not know the name, use the ipa topologysegment-find command to display all segments, and locate the required segment in the output. When prompted, provide the required topology suffix: domain or ca. For example:
    $ ipa topologysegment-find
    Suffix name: domain
    ------------------
    8 segments matched
    ------------------
      Segment name: new_segment
      Left node: server1.example.com
      Right node: server2.example.com
      Connectivity: both
    
    ...
    
    ----------------------------
    Number of entries returned 8
    ----------------------------
  2. Use the ipa topologysegment-del command to remove the topology segment joining the two servers.
    $ ipa topologysegment-del
    Suffix name: domain
    Segment name: new_segment
    -----------------------------
    Deleted segment "new_segment"
    -----------------------------
    Deleting the segment removes the replication agreement.
  3. Optional. Use the ipa topologysegment-find command to verify that the segment is no longer listed.
    $ ipa topologysegment-find
    Suffix name: domain
    ------------------
    7 segments matched
    ------------------
      Segment name: server2.example.com-to-server3.example.com
      Left node: server2.example.com
      Right node: server3.example.com
      Connectivity: both
    
    ...
    
    ----------------------------
    Number of entries returned 7
    ----------------------------

6.4. Removing a Server from the Topology

IdM does not allow removing a server from the topology if one of the following applies:
  • the server being removed is the only server connecting other servers with the rest of the topology; this would cause the other servers to become isolated, which is not allowed
  • the server being removed is your last CA or DNS server
In these situations, the attempt fails with an error. For example, on the command line:
$ ipa server-del
Server name: server1.example.com
Removing server1.example.com from replication topology, please wait...
ipa: ERROR: Server removal aborted:

Removal of 'server1.example.com' leads to disconnected topology in suffix 'domain':
Topology does not allow server server2.example.com to replicate with servers:
  server3.example.com
  server4.example.com
...

6.4.1. Web UI: Removing a Server from the Topology

To remove a server from the topology without uninstalling the server components from the machine:
  1. Select IPA ServerTopologyIPA Servers.
  2. Click on the name of the server you want to delete.
    Selecting a Server

    Figure 6.13. Selecting a Server

  3. Click Delete Server.

6.4.2. Command Line: Removing a Server from the Topology

Important

Removing a server is an irreversible action. If you remove a server, the only way to introduce it back into the topology is to install a new replica on the machine.
To remove server1.example.com:
  1. On another server, run the ipa server-del command to remove server1.example.com. The command removes all topology segments pointing to the server:
    [user@server2 ~]$ ipa server-del
    Server name: server1.example.com
    Removing server1.example.com from replication topology, please wait...
    ----------------------------------------------------------
    Deleted IPA server "server1.example.com"
    ----------------------------------------------------------
  2. On server1.example.com, run the ipa server-install --uninstall command to uninstall the server components from the machine.
    [root@server1 ~]# ipa server-install --uninstall

6.5. Managing Server Roles

Based on the services installed on an IdM server, it can perform various server roles. For example: CA server, DNS server, or key recovery authority (KRA) server.

6.5.1. Viewing Server Roles

Web UI: Viewing Server Roles

For a complete list of the supported server roles, see IPA ServerTopologyServer Roles.
  • Role status absent means that no server in the topology is performing the role.
  • Role status enabled means that one or more servers in the topology are performing the role.
Server Roles in the Web UI

Figure 6.14. Server Roles in the Web UI

Command Line: Viewing Server Roles

The ipa config-show command displays all CA servers, NTP servers, and the current CA renewal master:
$ ipa config-show
  ...
  IPA masters: server1.example.com, server2.example.com, server3.example.com
  IPA CA servers: server1.example.com, server2.example.com
  IPA NTP servers: server1.example.com, server2.example.com, server3.example.com
  IPA CA renewal master: server1.example.com
The ipa server-show command displays a list of roles enabled on a particular server. For example, for a list of roles enabled on server.example.com:
$ ipa server-show
Server name: server.example.com
  ...
  Enabled server roles: CA server, DNS server, NTP server, KRA server
The ipa server-find --servrole searches for all servers with a particular server role enabled. For example, to search for all CA servers:
$ ipa server-find --servrole "CA server"
---------------------
2 IPA servers matched
---------------------
  Server name: server1.example.com
  ...

  Server name: server2.example.com
  ...
----------------------------
Number of entries returned 2
----------------------------

6.5.2. Promoting a Replica to a Master CA Server

Note

This section describes changing the CA renewal master at domain level 1 (see Chapter 7, Displaying and Raising the Domain Level). For documentation on changing the CA renewal master at domain level 0, see Section B.4, “Promoting a Replica to a Master CA Server”.
In a topology that includes multiple replicas, one of them acts as the master CA server: it manages the renewal of CA subsystem certificates and generates certificate revocation lists (CRLs). By default, the master CA is the initial server from which replicas were created.
If you plan to take the master CA server offline or decommission it, promote another CA server to take the its place as the new CA renewal master:
  1. Configure the replica to handle CA subsystem certificate renewal.
  2. Configure the replica to generate CRLs. See Section 6.5.2.2, “Changing Which Server Generates CRLs”.
  3. Before decommissioning the previous master CA server, make sure the new master works properly. See Section 6.5.2.3, “Verifying That the New Master CA Server Is Configured Correctly”.

6.5.2.1. Changing the Current CA Renewal Master

Web UI: Changing the Current CA Renewal Master

  1. Select IPA ServerConfiguration.
  2. In the IPA CA renewal master field, select the new CA renewal master.

Command Line: Changing the Current CA Renewal Master

Use the ipa config-mod --ca-renewal-master-server command:
$ ipa config-mod --ca-renewal-master-server new_ca_renewal_master.example.com
  ...
  IPA masters: old_ca_renewal_master.example.com, new_ca_renewal_master.example.com
  IPA CA servers: old_ca_renewal_master.example.com, new_ca_renewal_master.example.com
  IPA NTP servers: old_ca_renewal_master.example.com, new_ca_renewal_master.example.com
  IPA CA renewal master: new_ca_renewal_master.example.com
The output confirms that the update was successful.

6.5.2.2. Changing Which Server Generates CRLs

To change which server generates CRLs, stop CRL generation on the current CRL generation master, and then enable it on the other server.

Identifying the Current CRL Generation Master

Examine the /etc/pki/pki-tomcat/ca/CS.cfg file on each server with a CA installed:
  • On the CRL generation master, the ca.crl.MasterCRL.enableCRLUpdates parameter is set to true:
    # grep ca.crl.MasterCRL.enableCRLUpdates /etc/pki/pki-tomcat/ca/CS.cfg
    ca.crl.MasterCRL.enableCRLUpdates=true
  • On CRL generation clones, the parameter is set to false.

Stopping CRL Generation on the Current CRL Generation Master

  1. Stop the CA service:
    # systemctl stop pki-tomcatd@pki-tomcat.service
  2. Disable CRL generation on the server. Open the /etc/pki/pki-tomcat/ca/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false:
    ca.crl.MasterCRL.enableCRLCache=false
    ca.crl.MasterCRL.enableCRLUpdates=false
  3. Start the CA service:
    # systemctl start pki-tomcatd@pki-tomcat.service
  4. Configure Apache to redirect CRL requests to the new master. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule argument:
    # Only enable this on servers that are not generating a CRL
    RewriteRule ^/ipa/crl/MasterCRL.bin https://server.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
  5. Restart Apache:
    # systemctl restart httpd.service
Before, this server responded to CRL requests. Now, all CRL requests are routed to the previous CA master.

Configure a Server to Generate CRLs

  1. Stop the CA service:
    # systemctl stop pki-tomcatd@pki-tomcat.service
  2. Enable CRL generation on the server. Set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to true:
    ca.crl.MasterCRL.enableCRLCache=true
    ca.crl.MasterCRL.enableCRLUpdates=true
  3. Start the CA service:
    # systemctl start pki-tomcatd@pki-tomcat.service
  4. Configure Apache to disable redirecting CRL requests. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and comment out the RewriteRule argument:
    #RewriteRule ^/ipa/crl/MasterCRL.bin https://server.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
    Before, all CRL requests were routed to the previous CA master. Now, this server will respond to CRL requests.
  5. Restart Apache:
    # systemctl restart httpd.service

6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly

Make sure the /var/lib/ipa/pki-ca/publish/MasterCRL.bin file exists on the new master CA server.
The file is generated based on the time interval defined in the /etc/pki/pki-tomcat/ca/CS.cfg file using the ca.crl.MasterCRL.autoUpdateInterval parameter. The default value is 240 minutes (4 hours).
If the file exists, the new master CA server is configured correctly, and you can safely dismiss the previous CA master system.

Chapter 7. Displaying and Raising the Domain Level

The domain level indicates what operations and capabilities are available in the IdM topology.
Domain level 1
Examples of available functionality:

Important

Domain level 1 was introduced in Red Hat Enterprise Linux 7.3 with IdM version 4.4. To use the domain level 1 features, all your replicas must be running Red Hat Enterprise Linux 7.3 or later.
If your first server was installed with Red Hat Enterprise Linux 7.3, the domain level for your domain is automatically set to 1.
If you upgrade all servers to IdM version 4.4 from earlier versions, the domain level is not raised automatically. If you want to use domain level 1 features, raise the domain level manually, as described in Section 7.2, “Raising the Domain Level”.
Domain level 0
Examples of available functionality:

7.1. Displaying the Current Domain Level

Command Line: Displaying the Current Domain Level

  1. Log in as the administrator:
    $ kinit admin
  2. Run the ipa domainlevel-get command:
    $ ipa domainlevel-get
    -----------------------
    Current domain level: 0
    -----------------------

Web UI: Displaying the Current Domain Level

Select IPA ServerDomain Level.

7.2. Raising the Domain Level

Important

This is a non-reversible operation. If you raise the domain level from 0 to 1, you cannot downgrade from 1 to 0 again.

Command Line: Raising the Domain Level

  1. Log in as the administrator:
    $ kinit admin
  2. Run the ipa domainlevel-set command and provide the required level:
    $ ipa domainlevel-set 1
    -----------------------
    Current domain level: 1
    -----------------------

Web UI: Raising the Domain Level

  1. Select IPA ServerDomain Level.
  2. Click Set Domain Level.

Chapter 8. Updating and Migrating Identity Management

8.1. Updating Identity Management

You can use the yum utility to update the Identity Management packages on the system.
Additionally, if a new minor Red Hat Enterprise Linux version is available, such as 7.3, yum upgrades the Identity Management server or client to this version.

Note

This section does not describe migrating Identity Management from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. If you want to migrate, see Section 8.2, “Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7”.

8.1.1. Considerations for Updating Identity Management

  • After you update the Identity Management packages on at least one server, all other servers in the topology receive the updated schema, even if you do not update their packages. This ensures that any new entries which use the new schema can be replicated among the other servers.
  • Downgrading Identity Management packages is not supported.

    Important

    Do not run the yum downgrade command on any of the ipa-* packages.

8.1.2. Using yum to Update the Identity Management Packages

To update all Identity Management packages on a server or client:
# yum update ipa-*

Warning

When upgrading multiple Identity Management servers, wait at least 10 minutes between each upgrade.
When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

Related Information

  • For details on using the yum utility, see Yum in the System Administrator's Guide.

Important

Due to CVE-2014-3566, the Secure Socket Layer version 3 (SSLv3) protocol needs to be disabled in the mod_nss module. You can ensure that by following these steps:
  1. Edit the /etc/httpd/conf.d/nss.conf file and set the NSSProtocol parameter to TLSv1.0 (for backward compatibility), TLSv1.1, and TLSv1.2.
    NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
  2. Restart the httpd service.
    # systemctl restart httpd.service
Note that Identity Management in Red Hat Enterprise Linux 7 automatically performs the above steps when the yum update ipa-* command is launched to upgrade the main packages.

8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7

This procedure describes how to migrate all data and configuration from Red Hat Enterprise Linux 6 Identity Management to Red Hat Enterprise Linux 7 servers. The migration procedure includes:
  • Migrating the Red Hat Enterprise Linux 6-based certificate authority (CA) master server to Red Hat Enterprise Linux 7.
  • Transitioning all services to the new Red Hat Enterprise Linux 7 server. These services include CRL and certificate creating, DNS management, or Kerberos KDC administration.
  • Decommissioning the original Red Hat Enterprise Linux 6 CA master.
In the following procedures:
  • rhel7.example.com is the Red Hat Enterprise Linux 7 system that will become the new CA master.
  • rhel6.example.com is the original Red Hat Enterprise Linux 6 CA master.

    Note

    To identify which Red Hat Enterprise Linux 6 server is the master CA server, determine on which server the certmonger service tracks the renew_ca_cert command. Run this command on every Red Hat Enterprise Linux 6 server:
    [root@rhel6 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    The post-save action that executes renew_ca_cert is defined only for the CA master.

8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7

8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6

The copy-schema-to-ca.py schema update script prepares rhel6.example.com for the installation of the rhel7.example.com replica. Updating the schema is necessary due to schema changes between Identity Management version 3.1 and later versions.
  1. Copy the copy-schema-to-ca.py schema update script from the rhel7.example.com system to the rhel6.example.com system. For example:
    [root@rhel7 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6:/root/
  2. Run the updated copy-schema-to-ca.py script on rhel6.example.com.
    [root@rhel6 ~]# python copy-schema-to-ca.py
    ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
    [... output truncated ...]
    ipa         : INFO     Schema updated successfully

8.2.3. Installing the Red Hat Enterprise Linux 7 Replica

  1. On the rhel6.example.com system, create the replica file you will use to install the rhel7.example.com replica. For example, to create a replica file for rhel7.example.com whose IP address is 192.0.2.1:
    [root@rhel6 ~]# ipa-replica-prepare rhel7.example.com --ip-address 192.0.2.1
    
    Directory Manager (existing master) password:
    Preparing replica for rhel7.example.com from rhel6.example.com
    [... output truncated ...]
    The ipa-replica-prepare command was successful
  2. Copy the replica information file from rhel6.example.com to rhel7.example.com.
    [root@rhel6 ~]# scp /var/lib/ipa/replica-info-replica.example.com.gpg root@rhel7:/var/lib/ipa/
  3. Install the rhel7.example.com replica using the replica file. For example, the following command uses these options:
    • --setup-ca to set up the Certificate System component
    • --setup-dns and --forwarder to configure an integrated DNS server and set a forwarder
    • --ip-address to specify the IP address of the rhel7.example.com system
    [root@rhel7 ~]# ipa-replica-install /var/lib/ipa/replica-info-rhel7.example.com.gpg --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20
    Directory Manager (existing master) password: 
    
    Checking DNS forwarders, please wait ...
    Run connection check to master
    [... output truncated ...]
    Client configuration complete.
    See also:
  4. Verify that the Identity Management services are running on rhel7.example.com.
    [root@rhel7 ~]# ipactl status
    Directory Service: RUNNING
    [... output truncated ...]
    ipa: INFO: The ipactl command was successful

8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server

Before you begin:
  • Verify that rhel6.example.com and rhel7.example.com CAs are both configured as master servers.
    [root@rhel7 ~]$ kinit admin
    [root@rhel7 ~]$ ipa-csreplica-manage list
    rhel6.example.com: master
    rhel7.example.com: master
    To display details about a replication agreement:
    [root@rhel7 ~]# ipa-csreplica-manage list --verbose rhel7.example.com
    rhel7.example.com
    last init status: None
    last init ended: 1970-01-01 00:00:00+00:00
    last update status: Error (0) Replica acquired successfully: Incremental update succeeded
    last update ended: 2017-02-13 13:55:13+00:00
On the rhel6.example.com original master CA, stop the CA subsystem certificate renewal:
  1. Disable tracking for the original CA certificates.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
    Request "20171127184547" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
    Request "20171127184548" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
    Request "20171127184549" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
    Request "20171127184550" removed.
  2. Reconfigure rhel6.example.com to retrieve renewed certificates from a new master CA.
    1. Copy the renewal helper script into the certmonger service directory, and set the appropriate permissions.
      [root@rhel6 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/
      [root@rhel6 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
    2. Update the SELinux configuration.
      [root@rhel6 ~]# restorecon /var/lib/certmonger/cas/ca_renewal
    3. Restart certmonger.
      [root@rhel6 ~]# service certmonger restart
    4. Check that the CA is listed to retrieve certificates.
      [root@rhel6 ~]# getcert list-cas
      ...
      CA 'dogtag-ipa-retrieve-agent-submit':
              is-default: no
              ca-type: EXTERNAL
      	helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
    5. Obtain the CA certificate database PIN.
      [root@rhel6 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
    6. Configure certmonger to track the certificates for external renewal. This requires the database PIN.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "auditSigningCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "auditSigningCert cert-pki-ca"' \
          -T "auditSigningCert cert-pki-ca" \
          -P database_pin
      New tracking request "20171127184743" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "ocspSigningCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "ocspSigningCert cert-pki-ca"' \
          -T "ocspSigningCert cert-pki-ca" \
          -P database_pin
      New tracking request "20171127184744" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "subsystemCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "subsystemCert cert-pki-ca"' \
          -T "subsystemCert cert-pki-ca" \
          -P database_pin
      New tracking request "20171127184745" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /etc/httpd/alias \
          -n ipaCert \
          -C /usr/lib64/ipa/certmonger/restart_httpd \
          -T ipaCert \
          -p /etc/httpd/alias/pwdfile.txt
      New tracking request "20171127184746" added.
Move CRL generation from the original rhel6.example.com CA master to rhel7.example.com.
  1. On rhel6.example.com, stop CRL generation:
    1. Stop the CA service.
      [root@rhel6 ~]# service pki-cad stop
    2. Disable CRL generation on rhel6.example.com. Open the /var/lib/pki-ca/conf/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false.
      ca.crl.MasterCRL.enableCRLCache=false
      ca.crl.MasterCRL.enableCRLUpdates=false
    3. Start the CA service.
      [root@rhel6 ~]# service pki-cad start
  2. On rhel6.example.com, configure Apache to redirect CRL requests to the new master, rhel7.example.com.
    1. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file. Uncomment the RewriteRule argument, and replace the server host name with the rhel7.example.com host name in the server URL:
      RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel7.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
    2. Restart Apache.
      [root@rhel6 ~]# service httpd restart
  3. On rhel7.example.com, configure rhel7.example.com as the new CA master:
    1. Configure rhel7.example.com to handle CA subsystem certificate renewal, as described in Section B.4.1, “Changing Which Server Handles Certificate Renewal”.
    2. Configure rhel7.example.com to general certificate revocation lists (CRLs), as described in Section 6.5.2.2, “Configure a Server to Generate CRLs”.

Related Information

8.2.5. Stop the Red Hat Enterprise Linux 6 Server

Stop all service on rhel6.example.com to force domain discovery to the new rhel7.example.com server.
[root@rhel6 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
After this, using the ipa utility will contact the new server through a remote procedure call (RPC).

8.2.6. Next Steps After Migrating the Master CA Server

For each Red Hat Enterprise Linux 6 server in your topology:
  1. Create a replica file from rhel7.example.com.

    Note

    After installing a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 server, the domain level for the Identity Management domain is automatically set to 0.
    Red Hat Enterprise Linux 7.3 introduced an easier way to install and manage replicas. To use these features, your topology must be at domain level 1. See Chapter 7, Displaying and Raising the Domain Level.
  2. Use the replica file to install a new replica on another Red Hat Enterprise Linux 7 system.
To decommission a Red Hat Enterprise Linux 6 server:
  • Remove the server from the topology by executing the removal commands on a Red Hat Enterprise Linux 7 server.

Chapter 9. Backing Up and Restoring Identity Management

Red Hat Enterprise Linux Identity Management provides a solution to manually back up and restore the IdM system, for example when a server stops performing correctly or data loss occurs. During backup, the system creates a directory containing information on your IdM setup and stores it. During restore, you can use this backup directory to bring your original IdM setup back.

Important

Use the backup and restore procedures described in this chapter only if you cannot rebuild the lost part of the IdM server group from the remaining servers in the deployment, by reinstalling the lost replicas as replicas of the remaining ones.
The "Backup and Restore in IdM/IPA" Knowledgebase solution describes how to avoid losses by maintaining several server replicas. Rebuilding from an existing replica with the same data is preferable, because the backed-up version usually contains older, thus potentially outdated, information.
The potential threat scenarios that backup and restore can prevent include:
  • Catastrophic hardware failure on a machine occurs and the machine becomes incapable of further functioning. In this situation, you can reinstall the operating system from scratch, configure the machine with the same fully qualified domain name (FQDN) and host name, install the IdM packages as well as all other optional packages relating to IdM that were present on the original system, and restore the full backup of the IdM server.
  • An upgrade on an isolated machine fails. The operating system remains functional, but the IdM data is corrupted, which is why you want to restore the IdM system to a known good state.

    Important

    In cases of hardware or upgrade failure, such as the two mentioned above, restore from backup only if all replicas or a replica with a special role, such as the only certificate authority (CA), were lost. If a replica with the same data still exists, it is recommended to delete the lost replica and then rebuild it from the remaining one.
  • Undesirable changes were made to the LDAP content, for example entries were deleted, and you want to revert them. Restoring backed-up LDAP data returns the LDAP entries to the previous state without affecting the IdM system itself.
The restored server becomes the only source of information for IdM; other master servers are re-initialized from the restored server. Any data created after the last backup was made are lost. Therefore you should not use the backup and restore solution for normal system maintenance. If possible, always rebuild the lost server by reinstalling it as a replica.
The backup and restore features can be managed only from the command line and are not available in the IdM web UI.

9.1. Full-Server Backup and Data-Only Backup

IdM offers two backup options:
Full-IdM server backup
Full-server backup creates a backup copy of all the IdM server files as well as LDAP data, which makes it a standalone backup. IdM affects hundreds of files; the files that the backup process copies is a mix of whole directories and specific files, such as configuration files or log files, and relate directly to IdM or to various services that IdM depends on. Because the full-server backup is a raw file backup, it is performed offline. The script that performs the full-server backup stops all IdM services to ensure a safe course of the backup process.
For the full list of files and directories that the full-server backup copies, see Section 9.1.3, “List of Directories and Files Copied During Backup”.
Data-only Backup
The data-only backup only creates a backup copy of LDAP data and the changelog. The process backs up the IPA-REALM instance and can also back up multiple back ends or only a single back end; the back ends include the IPA back end and the CA Dogtag back end. This type of backup also backs up a record of the LDAP content stored in LDIF (LDAP Data Interchange Format). The data-only backup can be performed both online and offline.
By default, IdM stores the created backups in the /var/lib/ipa/backup/ directory. The naming conventions for the subdirectories containing the backups are:
  • ipa-full-YEAR-MM-DD-HH-MM-SS in the GMT time zone for the full-server backup
  • ipa-data-YEAR-MM-DD-HH-MM-SS in the GMT time zone for the data-only backup

9.1.1. Creating a Backup

Both full-server and data-only backups are created using the ipa-backup utility which must always be run as root.
To create a full-server backup, run ipa-backup.

Important

Performing a full-server backup stops all IdM services because the process must run offline. The IdM services will start again after the backup is finished.
To create a data-only backup, run the ipa-backup --data command.
You can add several additional options to ipa-backup:
  • --online performs an online backup; this option is only available with data-only backups
  • --logs includes the IdM service log files in the backup
For further information on using ipa-backup, see the ipa-backup(1) man page.

9.1.2. Encrypting Backup

You can encrypt the IdM backup using the GNU Privacy Guard (GPG) encryption.
To create a GPG key:
  1. Create a keygen file containing the key details, for example, by running cat >keygen <<EOF and providing the required encryption details to the file from the command line:
    [root@server ~]# cat >keygen <<EOF
    > %echo Generating a standard key
    > Key-Type: RSA
    > Key-Length:2048
    > Name-Real: IPA Backup
    > Name-Comment: IPA Backup
    > Name-Email: root@example.com
    > Expire-Date: 0
    > %pubring /root/backup.pub
    > %secring /root/backup.sec
    > %commit
    > %echo done
    > EOF
    [root@server ~]#
  2. Generate a new key pair called backup and feed the contents of keygen to the command. The following example generates a key pair with the path names /root/backup.sec and /root/backup.pub:
    [root@server ~]# gpg --batch --gen-key keygen
    [root@server ~]# gpg --no-default-keyring --secret-keyring /root/backup.sec \
    		     --keyring /root/backup.pub --list-secret-keys
To create a GPG-encrypted backup, pass the generated backup key to ipa-backup by supplying the following options:
  • --gpg, which instructs ipa-backup to perform the encrypted backup
  • --gpg-keyring=GPG_KEYRING, which provides the full path to the GPG keyring without the file extension.
For example:
[root@server ~]# ipa-backup --gpg --gpg-keyring=/root/backup

Note

You might experience problems if your system uses the gpg2 utility to generate GPG keys because gpg2 requires an external program to function. To generate the key purely from console in this situation, add the pinentry-program /usr/bin/pinentry-curses line to the .gnupg/gpg-agent.conf file before generating a key.

9.1.3. List of Directories and Files Copied During Backup

Directories:
/usr/share/ipa/html
/root/.pki
/etc/pki-ca
/etc/pki/pki-tomcat
/etc/sysconfig/pki
/etc/httpd/alias
/var/lib/pki
/var/lib/pki-ca
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
/var/lib/ipa/dnssec
/var/lib/sss/pubconf/krb5.include.d/
/var/lib/authconfig/last
/var/lib/certmonger
/var/lib/ipa
/var/run/dirsrv
/var/lock/dirsrv
Files:
/etc/named.conf
/etc/named.keytab
/etc/resolv.conf
/etc/sysconfig/pki-ca
/etc/sysconfig/pki-tomcat
/etc/sysconfig/dirsrv
/etc/sysconfig/ntpd
/etc/sysconfig/krb5kdc
/etc/sysconfig/pki/ca/pki-ca
/etc/sysconfig/ipa-dnskeysyncd
/etc/sysconfig/ipa-ods-exporter
/etc/sysconfig/named
/etc/sysconfig/ods
/etc/sysconfig/authconfig
/etc/ipa/nssdb/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
/etc/pki/ca-trust/source/anchors/ipa-ca.crt
/etc/nsswitch.conf
/etc/krb5.keytab
/etc/sssd/sssd.conf
/etc/openldap/ldap.conf
/etc/security/limits.conf
/etc/httpd/conf/password.conf
/etc/httpd/conf/ipa.keytab
/etc/httpd/conf.d/ipa-pki-proxy.conf
/etc/httpd/conf.d/ipa-rewrite.conf
/etc/httpd/conf.d/nss.conf
/etc/httpd/conf.d/ipa.conf
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/krb5.conf
/etc/ipa/ca.crt
/etc/ipa/default.conf
/etc/dirsrv/ds.keytab
/etc/ntp.conf
/etc/samba/smb.conf
/etc/samba/samba.keytab
/root/ca-agent.p12
/root/cacert.p12
/var/kerberos/krb5kdc/kdc.conf
/etc/systemd/system/multi-user.target.wants/ipa.service
/etc/systemd/system/multi-user.target.wants/sssd.service
/etc/systemd/system/multi-user.target.wants/certmonger.service
/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
/var/run/ipa/services.list
/etc/opendnssec/conf.xml
/etc/opendnssec/kasp.xml
/etc/ipa/dnssec/softhsm2.conf
/etc/ipa/dnssec/softhsm_pin_so
/etc/ipa/dnssec/ipa-ods-exporter.keytab
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
/etc/idm/nssdb/cert8.db
/etc/idm/nssdb/key3.db
/etc/idm/nssdb/secmod.db
/etc/ipa/nssdb/cert8.db
/etc/ipa/nssdb/key3.db
/etc/ipa/nssdb/secmod.db
Log files and directories:
/var/log/pki-ca
/var/log/pki/
/var/log/dirsrv/slapd-PKI-IPA
/var/log/httpd
/var/log/ipaserver-install.log
/var/log/kadmind.log
/var/log/pki-ca-install.log
/var/log/messages
/var/log/ipaclient-install.log
/var/log/secure
/var/log/ipaserver-uninstall.log
/var/log/pki-ca-uninstall.log
/var/log/ipaclient-uninstall.log
/var/named/data/named.run

9.2. Restoring a Backup

If you have a directory with a backup created using ipa-backup, you can restore your IdM server or the LDAP content to the state in which they were when the backup was performed. You cannot restore a backup on a host different from the host on which the backup was originally created.

Note

Uninstalling an IdM server does not automatically remove the backup of this server.

9.2.1. Restoring from the Full-Server or Data-Only Backup

Important

It is recommended that you uninstall a server before performing a full-server restore on it.
Both full-server and data-only backups are restored using the ipa-restore utility which must always be run as root. Pass the backup to the command:
  • Pass only the name of the directory with the backup if it is located in the default /var/lib/ipa/backup/ directory.
  • Pass the full path to the backup if the directory containing the backup is not located in the default directory. For example:
    [root@server ~]# ipa-restore /path/to/backup
The ipa-restore utility automatically detects what type of backup the backup directory contains and by default performs the same type of restore.
You can add the following options to ipa-restore:
  • --data performs a data-only restore from a full-server backup, that is, restores only the LDAP data component from a backup directory containing the full-server backup
  • --online restores the LDAP data in a data-only restore online
  • --instance specifies which 389 DS instance is restored. IdM in Red Hat Enterprise Linux 7 only uses the IPA-REALM instance, but it might be possible, for example, to create a backup on a system with separate instances; in such cases, --instance allows you to restore only IPA-REALM. For example:
    [root@server ~]# ipa-restore --instance=IPA-REALM /path/to/backup
    You can use this option only when performing a data-only restore.
  • --backend specifies which back end is restored; without this option, ipa-restore restores all back ends it discovers. The arguments defining the possible back ends are userRoot, which restores the IPA data back end, and ipaca, which restores the CA back end.
    You can use this option only when performing a data-only restore.
  • --no-logs restores the backup without restoring the log files
To avoid authentication problems on an IdM master, clear the SSSD cache after a restore:
  1. Stop the SSSD service:
    [root@server ~]# systemctl stop sssd
  2. Remove all cached content from SSSD:
    [root@server ~]# find /var/lib/sss/ ! -type d | xargs rm -f
  3. Start the SSSD service:
    [root@server ~]# systemctl start sssd

Note

It is recommended that you reboot your system after restoring from backup.
For further information on using ipa-restore, see the ipa-restore(1) man page.

9.2.2. Restoring with Multiple Master Servers

Restoring from backup sets the restored server as the new data master, and you will be required to reinitialize all other masters after the restore. To reinitialize the other masters, run the ipa-replica-manage command and, on masters that have a CA installed, the ipa-csreplica-manage command. For example:
[root@server ~]# ipa-replica-manage re-initialize --from=restored_master_FQDN
For further information on replication during restore and on restoration on other masters, see the ipa-restore(1) man page.

9.2.3. Restoring from an Encrypted Backup

If you want to restore from a backup encrypted with GPG, provide the full path to the private and public keys using the --gpg-keyring option. For example:
[root@server ~]# ipa-restore --gpg-keyring=/root/backup /path/to/backup

Part III. Managing User and System Identities in a Linux Domain

Table of Contents

10. Managing User Accounts
10.1. Setting up User Home Directories
10.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
10.1.2. Mounting Home Directories Manually
10.2. User Life Cycle
10.2.1. Adding Stage or Active Users
10.2.1.1. User Name Requirements
10.2.1.2. Defining a Custom UID or GID Number
10.2.2. Listing Users and Searching for Users
10.2.3. Activating, Preserving, Deleting, and Restoring Users
10.3. Editing Users
10.4. Enabling and Disabling User Accounts
10.5. Allowing Non-admin Users to Manage User Entries
10.6. Using an External Provisioning System for Users and Groups
10.6.1. Configuring User Accounts to Be Used by the External Provisioning System
10.6.2. Configuring IdM to Automatically Activate Stage User Accounts
10.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities
11. User Authentication
11.1. User Passwords
11.1.1. Changing and Resetting User Passwords
11.1.1.1. Web UI: Changing Your Own Personal Password
11.1.1.2. Web UI: Resetting Another User's Password
11.1.1.3. Command Line: Changing or Resetting Another User's Password
11.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
11.1.3. Unlocking User Accounts After Password Failures
11.1.3.1. Checking the Status of a User Account
11.2. One-Time Passwords
11.2.1. How OTP Authentication Works in IdM
11.2.1.1. OTP Tokens Supported in IdM
11.2.1.2. Available OTP Authentication Methods
11.2.1.3. GNOME Keyring Service Support
11.2.1.4. Offline Authentication with OTP
11.2.2. Enabling OTP Authentication
11.2.3. Adding a User-Managed Software Token
11.2.4. Adding a User-Managed YubiKey Hardware Token
11.2.5. Adding a Token for a User as the Administrator
11.2.6. Migrating from a Proprietary OTP Solution
11.2.7. Promoting the Current Credentials to Two-Factor Authentication
11.2.8. Resynchronizing an OTP Token
11.3. Restricting Access to Services and Hosts Based on How Users Authenticate
11.3.1. Configuring a Host or a Service to Require a Specific Authentication Method
11.4. Managing Public SSH Keys for Users
11.4.1. Generating an SSH Key
11.4.2. Uploading User SSH Keys
11.4.2.1. Web UI: Uploading User SSH Keys
11.4.2.2. Command Line: Uploading User SSH Keys
11.4.3. Deleting User Keys
11.4.3.1. Web UI: Deleting User SSH Keys
11.4.3.2. Command Line: Deleting User SSH Keys
11.5. Smart Cards
11.5.1. Smart Card and Smart Card Reader Support in Identity Management
11.5.2. Exporting a Certificate From a Smart Card
11.5.3. Storing Smart Card Certificates for IdM Users
11.5.4. Smart Card Certificates in a Trusted Active Directory Environment
11.5.5. Smart Card Authentication on Identity Management Clients
11.5.5.1. Configuring Smart Card Authentication on an IdM Client
11.5.5.2. SSH Log in Using a Smart Card
11.6. User Certificates
12. Managing Hosts
12.1. About Hosts, Services, and Machine Identity and Authentication
12.2. About Host Entry Configuration Properties
12.3. Adding Host Entries
12.3.1. Adding Host Entries from the Web UI
12.3.2. Adding Host Entries from the Command Line
12.4. Disabling and Re-enabling Host Entries
12.4.1. Disabling Host Entries
12.4.2. Re-enabling Hosts
12.5. Managing Public SSH Keys for Hosts
12.5.1. About the SSH Key Format
12.5.2. About ipa-client-install and OpenSSH
12.5.3. Uploading Host SSH Keys Through the Web UI
12.5.4. Adding Host Keys from the Command Line
12.5.5. Removing Host Keys
12.6. Setting ethers Information for a Host
13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
13.1.3. Direct and Indirect Group Members
13.1.4. User Group Types in IdM
13.1.5. User and Host Groups Created by Default
13.2. Adding and Removing User or Host Groups
13.3. Adding and Removing User or Host Group Members
13.4. Disabling User Private Groups
13.4.1. Creating a User without a User Private Group
13.4.2. Disabling User Private Groups Globally for All Users
13.4.3. Adding a User with User Private Groups Disabled
13.5. Setting Search Attributes for Users and User Groups
13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
13.6.1.2. Benefits of Automatic Group Membership
13.6.1.3. Automember Rules
13.6.2. Adding an Automember Rule
13.6.3. Applying Automember Rules to Existing Users and Hosts
13.6.4. Configuring a Default Automember Group
14. Unique UID and GID Number Assignments
14.1. ID Ranges
14.2. ID Range Assignments During Installation
14.3. Displaying Currently Assigned ID Ranges
14.4. Automatic ID Range Extension After Deleting a Replica
14.5. Manual ID Range Extension and Assigning a New ID Range
14.6. Ensuring That ID Values Are Unique
14.7. Repairing Changed UID and GID Numbers
15. User and Group Schema
15.1. About Changing the Default User and Group Schema
15.2. Applying Custom Object Classes to New User Entries
15.2.1. From the Web UI
15.2.2. From the Command Line
15.3. Applying Custom Object Classes to New Group Entries
15.3.1. From the Web UI
15.3.2. From the Command Line
15.4. Specifying Default User and Group Attributes
15.4.1. Viewing Attributes from the Web UI
15.4.2. Viewing Attributes from the Command Line
16. ID Views
16.1. Attributes an ID View Can Override
16.2. Getting Help for ID View Commands
16.3. Defining a Different Attribute Value for a User Account on Different Hosts
16.3.1. Web UI: Overriding an Attribute Value for a Specific Host
16.3.2. Command Line: Overriding an Attribute Value for a Specific Host
17. Managing Services
17.1. Adding and Editing Service Entries and Keytabs
17.1.1. Adding Services and Keytabs from the Web UI
17.1.2. Adding Services and Keytabs from the Command Line
17.2. Configuring Clustered Services
17.3. Using the Same Service Principal for Multiple Services
17.4. Retrieve Existing Keytabs for Multiple Servers
17.5. Disabling and Re-enabling Service Entries
17.5.1. Disabling Service Entries
17.5.2. Re-enabling Services
18. Delegating User Access to Hosts and Services
18.1. Delegating Service Management
18.2. Delegating Host Management
18.3. Delegating Host or Service Management in the Web UI
18.4. Accessing Delegated Services
19. Performance Tuning for Bulk Provisioning of Entries
20. Managing Certificates for Users, Hosts, and Services
20.1. Managing Certificates with the Integrated IdM CAs
20.1.1. Requesting New Certificates for a User, Host, or Service
20.1.2. Revoking Certificates with the Integrated IdM CAs
20.1.3. Restoring Certificates with the Integrated IdM CAs
20.2. Managing Certificates Issued by External CAs
20.2.1. Command Line: Adding and Removing Certificates Issued by External CAs
20.2.2. Web UI: Adding and Removing Certificates Issued by External CAs
20.3. Listing and Displaying Certificates
20.4. Certificate Profiles
20.4.1. Certificate Profile Management from the Command Line
20.4.2. Certificate Profile Management from the Web UI
20.4.3. Upgrading IdM Servers with Certificate Profiles
20.5. Certificate Authority ACL Rules
20.5.1. CA ACL Management from the Command Line
20.5.2. CA ACL Management from the Web UI
20.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
21. Managing Kerberos Flags and Principal Aliases
21.1. Kerberos Flags for Services and Hosts
21.1.1. Setting Kerberos Flags from the Web UI
21.1.2. Setting Kerberos Flags from the Command Line
21.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services
21.2.1. Kerberos Principal Alias
21.2.2. Kerberos Enterprise Principal Alias
22. Storing Authentication Secrets with Vaults
22.1. How Vaults Work
22.1.1. Vault Owners, Members, and Administrators
22.1.2. Standard, Symmetric, and Asymmetric Vaults
22.1.3. User, Service, and Shared Vaults
22.1.4. Vault Containers
22.2. Prerequisites for Using Vaults
22.3. Getting Help for Vault Commands
22.4. Storing a User's Personal Secret
22.4.1. Archiving a User's Personal Secret
22.4.2. Retrieving a User's Personal Secret
22.5. Storing a Service Secret in a Vault
22.5.1. Creating a User Vault to Store a Service Password
22.5.2. Provisioning a Service Password from a User Vault to Service Instances
22.5.3. Retrieving a Service Password for a Service Instance
22.5.4. Changing Service Vault Password
22.6. Storing a Common Secret for Multiple Users
22.6.1. Creating the Shared Vault with the Common Secret
22.6.2. Retrieving a Secret from a Shared Vault as a Member User
23. Integrating with NIS Domains and Netgroups
23.1. About NIS and Identity Management
23.2. Setting the NIS Port for Identity Management
23.3. Creating Netgroups
23.3.1. Adding Netgroups
23.3.1.1. With the Web UI
23.3.1.2. With the Command Line
23.3.2. Adding Netgroup Members
23.3.2.1. With the Web UI
23.3.2.2. With the Command Line
23.4. Exposing Automount Maps to NIS Clients
23.5. Migrating from NIS to IdM
23.5.1. Preparing Netgroup Entries in IdM
23.5.2. Enabling the NIS Listener in Identity Management
23.5.3. Exporting and Importing the Existing NIS Data
23.5.3.1. Importing User Entries
23.5.3.2. Importing Group Entries
23.5.3.3. Importing Host Entries
23.5.3.4. Importing Netgroup Entries
23.5.3.5. Importing Automount Maps
23.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
24. Managing DNS
24.1. BIND in Identity Management
24.2. Supported DNS Zone Types
24.3. DNS Configuration Priorities
24.4. Managing Master DNS Zones
24.4.1. Adding and Removing Master DNS Zones
24.4.2. Adding Additional Configuration for Master DNS Zones
24.4.3. Enabling Zone Transfers
24.4.4. Adding Records to DNS Zones
24.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line
24.4.6. Deleting Records from DNS Zones
24.4.7. Disabling and Enabling Zones
24.5. Managing Dynamic DNS Updates
24.5.1. Enabling Dynamic DNS Updates
24.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
24.5.1.2. Configuring the Clients to Send Dynamic Updates
24.5.2. Synchronizing A/AAAA and PTR Records
24.5.3. Updating DNS Dynamic Update Policies
24.6. Managing DNS Forwarding
24.6.1. Configuring Global Forwarders
24.6.2. Configuring Forward Zones
24.7. Managing Reverse DNS Zones
24.8. Defining DNS Query Policy
24.9. DNS Locations
24.9.1. DNS-based Service Discovery
24.9.2. Deployment Considerations for DNS Locations
24.9.2.1. DNS Time to Live (TTL)
24.9.3. Creating DNS Locations
24.9.4. Assigning an IdM Server to a DNS Location
24.10. Installing DNS Services Into an Existing Server
24.10.1. Setting up Additional Name Servers

Chapter 10. Managing User Accounts

This chapter covers general management and configuration of user accounts.

10.1. Setting up User Home Directories

It is recommended that every user has a home directory configured. The default expected location for user home directories is in the /home/ directory. For example, IdM expects a user with the user_login login to have a home directory set up at /home/user_login.

Note

You can change the default expected location for user home directories using the ipa config-mod command.
IdM does not automatically create home directories for users. However, you can configure a PAM home directory module to create a home directory automatically when a user logs in. Alternatively, you can add home directories manually using NFS shares and the automount utility.

10.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module

Supported PAM Home Directory Modules

To configure a PAM home directory module to create home directories for users automatically when they log in to the IdM domain, use one of the following PAM modules:
  • pam_oddjob_mkhomedir
  • pam_mkhomedir
IdM first attempts to use pam_oddjob_mkhomedir. If this module is not installed, IdM attempts to use pam_mkhomedir instead.

Configuring the PAM Home Directory Module

Enabling the PAM home directory module has local effect. Therefore, you must enable the module individually on each client and server where it is required.
To configure the module during the installation of the server or client, use the --mkhomedir option with the ipa-server-install or ipa-client-install utility when installing the machine.
To configure the module on an already installed server or client, use the authconfig utility. For example:
# authconfig --enablemkhomedir --update
For more information on using authconfig to create home directories, see the System-Level Authentication Guide.

10.1.2. Mounting Home Directories Manually

You can use an NFS file server to provide a /home/ directory that will be available to all machines in the IdM domain, and then mount the directory on an IdM machine using the automount utility.

Potential Problems When Using NFS

Using NFS can potentially have negative impact on performance and security. For example, using NFS can lead to security vulnerabilities resulting from granting root access to the NFS user, performance issues with loading the entire /home/ directory tree, or network performance issues for using remote servers for home directories.
To reduce the effect of these problems, it is recommended to follow these guidelines:
  • Use automount to mount only the user's home directory and only when the user logs in. Do not use it to load the entire /home/ tree.
  • Use a remote user who has limited permissions to create home directories, and mount the share on the IdM server as this user. Because the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server.

Configuring Home Directories Using NFS and automount

To manually add home directories to the IdM server from separate locations using NFS shares and automount:
  1. Create a new location for the user directory maps.
    $ ipa automountlocation-add userdirs
    Location: userdirs
  2. Add a direct mapping to the new location's auto.direct file. The auto.direct file is the automount map automatically created by the ipa-server-install utility. In the following example, the mount point is /share:
    $ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, server.example.com:/home/share"
    
    Key: /share
    Mount information: -ro,soft, server.example.com:/home/share
For more details on using automount with IdM, see Chapter 25, Using Automount.

10.2. User Life Cycle

Identity Management supports three user account states: stage, active, and preserved.
  • Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users might not yet be set.
  • Active users are allowed to authenticate. All required user account properties must be set in this state.
  • Preserved users are former active users. They are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.

    Note

    The list of users in the preserved state can provide a history of past user accounts.
User entries can also be permanently deleted from the IdM database. Deleting a user entry permanently removes the entry itself and all its information from IdM, including group memberships and passwords. Any external configuration for the user, such as the system account and home directory, is not deleted, but is no longer accessible through IdM.

Important

Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is lost permanently.
A new administrator user can only be created by another administrator, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

User Life Cycle Management Operations

To manage user provisioning, the administrator can move user accounts from one state to another. New user accounts can be added as either active or stage, but not as preserved.
IdM supports the following operations for user life cycle management:
stage → active
When an account in the stage state is ready to be properly activated, the administrator moves it to the active state.
active → preserved
After the user leaves the company, the administrator moves the account to the preserved state.
preserved → active
A former user joins the company again. The administrator restores the user account by moving it from the preserved state back to the active state.
preserved → stage
A former user is planning to join the company again. The administrator moves the account from the preserved state to the stage state to prepare the account for later reactivation.
You can also permanently delete active, stage, and preserved users from IdM. Note that you cannot move stage users to the preserved state, you can only delete them permanently.
User Life Cycle Operations

Figure 10.1. User Life Cycle Operations

10.2.1. Adding Stage or Active Users

Adding Users in the Web UI

  1. Select the IdentityUsers tab.
  2. Select the Active users or Stage users category, depending on whether you want to add a user in the active or stage state.
    Selecting User Category

    Figure 10.2. Selecting User Category

    For more information about the active or stage user life cycle states, see Section 10.2, “User Life Cycle”.
  3. Click Add at the top of the users list.
    Adding a User

    Figure 10.3. Adding a User

  4. Fill in the Add User form.
    Note that if you do not set a user login manually, IdM generates the login automatically based on the specified first name and last name.
  5. Click Add.
    Alternatively, click Add and Add Another to start adding another user or Add and Edit to start editing the new user entry. For information on editing user entries, see Section 10.3, “Editing Users”.

Adding Users from the Command Line

To add a new user in the active state, use the ipa user-add command. To add a new user in the stage state, use the ipa stageuser-add command.

Note

For more information about the active or stage user life cycle states, see Section 10.2, “User Life Cycle”.
When run without any options, ipa user-add and ipa stageuser-add prompt you for the minimum required user attributes and use default values for the other attributes. Alternatively, you can add options specifying various attributes directly to the commands.
In the interactive session, after you run the command without any options, IdM proposes an automatically generated user login based on the provided first name and last name and displays it in brackets ([ ]). To accept the default login, confirm by pressing Enter. To specify a custom login, do not confirm the default and specify the custom login instead.
$ ipa user-add
First name: first_name
Last name: last_name
User login [default_login]: custom_login
Adding options to ipa user-add and ipa stageuser-add enables you to define custom values for many of the user attributes. This means that you can specify more information than in the interactive session. For example, to add a stage user:
$ ipa stageuser-add stage_user_login --first=first_name --last=last_name --email=email_address
For a complete list of options accepted by ipa user-add and ipa stageuser-add, run the commands with the --help option added.

10.2.1.1. User Name Requirements

IdM supports user names that can be described by the following regular expression:
[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?

Note

User names ending with the trailing dollar sign ($) are supported to enable Samba 3.x machine support.
If you add a user whose user name contains uppercase characters, IdM automatically converts the name to lowercase when saving it. Therefore, IdM always requires users to enter their user names all lowercase when logging in. Additionally, it is not possible to add users whose user names only differ in letter casing, such as user and User.
The default maximum length for user names is 32 characters. To change it, use the ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters:
$ ipa config-mod --maxusername=64
  Maximum username length: 64
  ...

10.2.1.2. Defining a Custom UID or GID Number

If you add a new user entry without specifying a custom UID or GID number, IdM automatically assigns an ID number that is next available in the ID range. This means that users' ID numbers are always unique. For more information about ID ranges, see Chapter 14, Unique UID and GID Number Assignments.
When you specify a custom ID number, the server does not validate whether the custom ID number is unique. Due to this, multiple user entries might have the same ID number assigned. Red Hat recommends to prevent having multiple entries with the same ID number.

10.2.2. Listing Users and Searching for Users

Listing Users in the Web UI

  1. Select the IdentityUsers tab.
  2. Select the Active users, Stage users, or Preserved users category.
    Listing Users

    Figure 10.4. Listing Users

Displaying Information About a User in the Web UI

To display detailed information about a user, click the name of the user in the list of users:
Displaying User Information

Figure 10.5. Displaying User Information

Listing Users from the Command Line

To list all active users run the ipa user-find command. To list all stage users, use the ipa stageuser-find command. To list preserved users, run the ipa user-find --preserved=true command.
For example:
$ ipa user-find
---------------
23 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1453200000
  GID: 1453200000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: user
...
By adding options and arguments to ipa user-find and ipa stageuser-find, you can define the search criteria and filter the search results. For example, to display all active users with a specific title defined:
$ ipa user-find --title=user_title
---------------
2 users matched
---------------
  User login: user
...
  Job Title: Title
...

  User login: user2
...
  Job Title: Title
...
Similarly, to display all stage users whose login contains user:
$ ipa user-find user
---------------
3 users matched
---------------
User login: user
...

User login: user2
...

User login: user3
...
For a complete list of options accepted by ipa user-find and ipa stageuser-find, run the commands with the --help option added.

Displaying Information about a User from the Command Line

To display information about an active or preserved user, use the ipa user-show command:
$ ipa user-show user_login
  User login: user_login
  First name: first_name
  Last name: last_name
...
To display information about a stage user, use the ipa stageuser-show command:

10.2.3. Activating, Preserving, Deleting, and Restoring Users

This section describes moving user accounts between different user life cycle states. For details on the life cycle states in IdM, see Section 10.2, “User Life Cycle”.

Managing User Life Cycle in the Web UI

To activate a stage user:
  • In the Stage users list, select the user to activate, and click Activate.
    Activating a User

    Figure 10.6. Activating a User

To preserve or delete a user:
  1. In the Active users or Stage users lists, select the user. Click Delete.
    Deleting a User

    Figure 10.7. Deleting a User

  2. If you selected an active user, select delete or preserve. If you selected a stage user, you can only delete the user. The default UI option is delete.
    For example, to preserve an active user:
    Selecting the Delete Mode in the Web UI

    Figure 10.8. Selecting the Delete Mode in the Web UI

    To confirm, click the Delete button.
To restore a preserved user:
  • In the Preserved users list, select the user to restore, and click Restore.
    Restoring a User

    Figure 10.9. Restoring a User

Note

Restoring a user does not restore all of the account's previous attributes. For example, the user's password is not restored and must be defined again.
Note that in the web UI, it is not possible to move a user from the preserved state to the stage state.

Managing User Life Cycle from the Command Line

To activate a user account by moving it from stage to active, use the ipa stageuser-activate command.
$ ipa stageuser-activate user_login
-------------------------
Stage user user_login activated
-------------------------
...
To preserve or delete a user account, use the ipa user-del or ipa stageuser-del commands.
  • To remove an active user permanently from the IdM database, run ipa user-del without any options.
    $ ipa user-del user_login
    --------------------
    Deleted user "user3"
    --------------------
    
  • To preserve an active user account, run ipa user-del with the --preserve option.
    $ ipa user-del --preserve user_login
    --------------------
    Deleted user "user_login"
    --------------------
    
  • To remove a stage user permanently from the IdM database, run ipa stageuser-del.
    $ ipa stageuser-del user_login
    --------------------------
    Deleted stage user "user_login"
    --------------------------
    

Note

When deleting multiple users, use the --continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to the stdout standard output stream when the command completes.
$ ipa user-del --continue user1 user2 user3
If --continue is not used, the command proceeds with deleting users until it encounters an error, after which it stops and exits.
To restore a preserved user account by moving it from preserved to active, use the ipa user-undel command.
$ ipa user-undel user_login
------------------------------
Undeleted user account "user_login"
------------------------------
To restore a preserved user account by moving it from preserved to stage, use the ipa user-stage command.
$ ipa user-stage user_login
------------------------------
Staged user account "user_login"
------------------------------

Note

Restoring a user account does not restore all of the account's previous attributes. For example, the user's password is not restored and must be defined again.
For more information about these commands and the options they accept, run them with the --help option added.

10.3. Editing Users

Editing Users in the Web UI

  1. Select the IdentityUsers tab.
  2. Search the Active users, Stage users, or Preserved users category to find the user to edit.
  3. Click the name of the user to edit.
    Selecting a User to Edit

    Figure 10.10. Selecting a User to Edit

  4. Edit the user attribute fields as required.
  5. Click Save at the top of the page.
    Save Modified User Attributes

    Figure 10.11. Save Modified User Attributes

After you update user details in the web UI, the new values are not synchronized immediately. It might take up to approximately 5 minutes before the new values are reflected at the client system.

Editing Users from the Command Line

To modify a user in the active or preserved states, use the ipa user-mod command. To modify a user in the stage state, use the ipa stageuser-mod command.
The ipa user-mod and ipa stageuser-mod commands accept the following options:
  • the user login, which identifies the user account to be modified
  • options specifying the new attribute values
For a complete list of user entry attributes that can be modified from the command line, see the list of options accepted by ipa user-mod and ipa stageuser-mod. To display the list of options, run the commands with the --help option added.
Simply adding an attribute option to ipa user-mod or ipa stageuser-mod overwrites the current attribute value. For example, the following changes a user's title or adds a new title if the user did not yet have a title specified:
$ ipa user-mod user_login --title=new_title
For LDAP attributes that are allowed to have multiple values, IdM also accepts multiple values. For example, a user can have two email addresses saved in their user account. To add an additional attribute value without overwriting the existing value, use the --addattr option together with the option to specify the new attribute value. For example, to add a new email address to a user account that already has an email address specified:
$ ipa user-mod user --addattr=mobile=new_mobile_number
--------------------
Modified user "user"
--------------------
  User login: user
...
  Mobile Telephone Number: mobile_number, new_mobile_number
...
To set two attribute values at the same time, use the --addattr option twice:
$ ipa user-mod user --addattr=mobile=mobile_number_1 --addattr=mobile=mobile_number_2
The ipa user-mod command also accepts the --setattr option for setting attribute values and the --delattr option for deleting attribute values. These options are used in a way similar to using --addattr. For details, see the output of the ipa user-mod --help command.

Note

To overwrite the current email address for a user, use the --email option. However, to add an additional email address, use the mail option with the --addattr option:
$ ipa user-mod user --email=email@example.com

$ ipa user-mod user --addattr=mail=another_email@example.com

10.4. Enabling and Disabling User Accounts

The administrator can disable and enable active user accounts. Disabling a user account deactivates the account. Disabled user accounts cannot be used to authenticate. A user whose account has been disabled cannot log into IdM and cannot use IdM services, such as Kerberos, or perform any tasks.
Disabled user accounts still exist within IdM and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state. Therefore, they are displayed in the output of the ipa user-find command. For example:
$ ipa user-find
...
  User login: user
  First name: User
  Last name: User
  Home directory: /home/user
  Login shell: /bin/sh
  UID: 1453200009
  GID: 1453200009
  Account disabled: True
  Password: False
  Kerberos keys available: False
...
Any disabled user account can be enabled again.

Note

After disabling a user account, existing connections remain valid until the user's Kerberos TGT and other tickets expire. After the ticket expires, the user will not be able renew it.

Enabling and Disabling User Accounts in the Web UI

  1. Select the IdentityUsers tab.
  2. From the Active users list, select the required user or users, and then click Disable or Enable.
    Disabling or Enabling a User Account

    Figure 10.12. Disabling or Enabling a User Account

Disabling and Enabling User Accounts from the Command Line

To disable a user account, use the ipa user-disable command.
$ ipa user-disable user_login
----------------------------
Disabled user account "user_login"
----------------------------
To enable a user account, use the ipa user-enable command.
$ ipa user-enable user_login
----------------------------
Enabled user account "user_login"
----------------------------

10.5. Allowing Non-admin Users to Manage User Entries

By default, only the admin user is allowed to manage user life cycle and disable or enable user accounts. To allow another, non-admin user to do this, create a new role, add the relevant permissions to this role, and assign the non-admin user to the role.
By default, IdM includes the following privileges related to managing user accounts:
Modify Users and Reset passwords
This privilege includes permissions to modify various user attributes.
User Administrators
This privilege includes permissions to add active users, activate non-active users, remove users, modify user attributes, and other permissions.
Stage User Provisioning
This privilege includes a permission to add stage users.
Stage User Administrator
This privilege includes permissions to perform a number of life cycle operations, such as adding stage users or moving users between life cycle states. However, it does not include permissions to move users to the active state.
For information on defining roles, permissions, and privileges, see Section 31.4, “Defining Role-Based Access Controls”.

Allowing Different Users to Perform Different User Management Operations

The different privileges related to managing user accounts can be added to different users. For example, you can separate privileges for employee account entry and activation by:
  • Configuring one user as a stage user administrator, who is allowed to add future employees to IdM as stage users, but not to activate them.
  • Configuring another user as a security administrator, who is allowed to activate the stage users after their employee credentials are verified on the first day of employment.
To allow a user to perform certain user management operations, create a new role with the required privilege or privileges, and assign the user to that role.

Example 10.1. Allowing a Non-admin User to Add Stage Users

This example shows how to create a user who is only allowed to add new stage users, but not to perform any other stage user management operations.
  1. Log in as the admin user or another user allowed to manage role-based access control.
    $ kinit admin
    
  2. Create a new custom role to manage adding stage users.
    1. Create the System Provisioning role.
      $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"
      --------------------------------
      Added role "System Provisioning"
      --------------------------------
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      
    2. Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users.
      $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      Privileges: Stage User Provisioning
      ----------------------------
      Number of privileges added 1
      ----------------------------
      
  3. Grant a non-admin user the rights to add stage users.
    1. If the non-admin user does not yet exist, create a new user. In this example, the user is named stage_user_admin.
      $ ipa user-add stage_user_admin --password
      First name: first_name
      Last name: last_name
      Password:
      Enter password again to verify:
      ...
      
    2. Assign the stage_user_admin user to the System Provisioning role.
      $ ipa role-add-member "System Provisioning" --users=stage_user_admin
      Role name: System Provisioning
      Description: Responsible for provisioning stage users
      Member users: stage_user_admin
      Privileges: Stage User Provisioning
      -------------------------
      Number of members added 1
      -------------------------
      
    3. To make sure the System Provisioning role is configured correctly, you can use the ipa role-show command to display the role settings.
      $ ipa role-show "System Provisioning"
      --------------
      1 role matched
      --------------
      Role name: System provisioning
      Description: Responsible for provisioning stage users
      Member users: stage_user_admin
      Privileges: Stage User Provisioning
      ----------------------------
      Number of entries returned 1
      ----------------------------
      
  4. Test adding a new stage user as the stage_user_admin user.
    1. Log in as stage_user_admin. Note that if you created stage_user_admin as a new user in one of the previous steps, IdM will ask you to change the initial password set by admin.
      $ kinit stage_user_admin
      Password for stage_user_admin@EXAMPLE.COM:
      Password expired.  You must change it now.
      Enter new password: 
      Enter it again:
      
    2. To make sure your Kerberos ticket for admin has been replaced with a Kerberos ticket for stage_user_admin, you can use the klist utility.
      $ klist
      Ticket cache: KEYRING:persistent:0:krb_ccache_xIlCQDW
      Default principal: stage_user_admin@EXAMPLE.COM
      
      Valid starting       Expires              Service principal
      02/25/2016 11:42:20  02/26/2016 11:42:20  krbtgt/EXAMPLE.COM
      
    3. Add a new stage user.
      $ ipa stageuser-add stage_user
      First name: first_name
      Last name: last_name
      ipa: ERROR: stage_user: stage user not found
      

      Note

      The error that IdM reports after adding a stage user is expected. The stage_user_admin is only allowed to add stage users, not to display information about them. Therefore, instead of displaying a summary of the newly added stage_user settings, IdM displays the error.
The stage_user_admin user is not allowed to display information about stage users. Therefore, an attempt to display information about the new stage_user user while logged in as stage_user_admin fails:
$ ipa stageuser-show stage_user
ipa: ERROR: stage_user: stage user not found
To display information about stage_user, you can log in as admin:
$ kinit admin
Password for admin@EXAMPLE.COM:
$ ipa stageuser-show stage_user
  User login: stage_user
  First name: Stage
  Last name: User
...

10.6. Using an External Provisioning System for Users and Groups

Identity Management supports configuring your environment, so that an external solution for managing identities is used to provision user and group identities in IdM. This section describes an example of such configuration. The example includes:

10.6.1. Configuring User Accounts to Be Used by the External Provisioning System

This procedure shows how to configure two IdM user accounts to be used by the external provisioning system. By adding the accounts to a group with an appropriate password policy, you enable the external provisioning system to manage user provisioning in IdM.
  1. Create a user, provisionator, with the privileges to add stage users. The user account will be used by the external provisioning system to add new stage users.
    1. Add the provisionator user account:
      $ ipa user-add provisionator --first=provisioning --last=account --password
    2. Grant the provisionator user the required privileges.
      Create a custom role, System Provisioning, to manage adding stage users:
      $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"
      Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users:
      $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"
      Add the provisionator user to the role:
      $ ipa role-add-member --users=provisionator "System Provisioning"
  2. Create a user, activator, with the privileges to manage user accounts. The user account will be used to automatically activate stage users added by the external provisioning system.
    1. Add the activator user account:
      $ ipa user-add activator --first=activation --last=account --password
    2. Grant the activator user the required privileges.
      Add the user to the default User Administrator role:
      $ ipa role-add-member --users=activator "User Administrator"
  3. Create a user group for service and application accounts:
    $ ipa group-add service-accounts
  4. Update the password policy for the group. The following policy prevents password expiration and lockout for the account but compensates the potential risks by requiring complex passwords:
    $ ipa pwpolicy-add service-accounts --maxlife=10000 --minlife=0 --history=0 --minclasses=4 --minlength=20 --priority=1 --maxfail=0 --failinterval=1 --lockouttime=0
  5. Add the provisioning and activation accounts to the group for service and application accounts:
    $ ipa group-add-member service-accounts --users={provisionator,activator}
  6. Change the passwords for the user accounts:
    $ kpasswd provisionator
    $ kpasswd activator
    Changing the passwords is necessary because passwords of new IdM users expire immediately.
Additional resources:

10.6.2. Configuring IdM to Automatically Activate Stage User Accounts

This procedure shows how to create a script for activating stage users. The system runs the script automatically at specified time intervals. This ensures that new user accounts are automatically activated and available for use shortly after they are created.

Important

The procedure assumes that the new user accounts do not require validation before the script adds them to IdM. For example, validation is not required when the users have already been validated by the owner of the external provisioning system.
It is sufficient to enable the activation process on only one of your IdM servers.
  1. Generate a keytab file for the activation account:
    # ipa-getkeytab -s example.com -p "activator" -k /etc/krb5.ipa-activation.keytab
    If you want to enable the activation process on more than one IdM server, generate the keytab file on one server only. Then copy the keytab file to the other servers.
  2. Create a script, /usr/local/sbin/ipa-activate-all, with the following contents to activate all users:
    #!/bin/bash
    
    kinit -k -i activator
    
    ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done
  3. Edit the permissions and ownership for the ipa-activate-all script to make it executable:
    # chmod 755 /usr/local/sbin/ipa-activate-all
    # chown root:root /usr/local/sbin/ipa-activate-all
  4. Create a systemd unit file, /etc/systemd/system/ipa-activate-all.service, with the following contents:
    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Service]
    Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
    Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
    ExecStart=/usr/local/sbin/ipa-activate-all
  5. Create a systemd timer, /etc/systemd/system/ipa-activate-all.timer, with the following contents:
    [Unit]
    Description=Scan IdM every minute for any stage users that must be activated
    
    [Timer]
    OnBootSec=15min
    OnUnitActiveSec=1min
    
    [Install]
    WantedBy=multi-user.target
  6. Enable ipa-activate-all.timer:
    # systemctl enable ipa-activate-all.timer
Additional resources:

10.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities

This section shows templates for various user and group management operations. Using these templates, you can configure the LDAP provider of your provisioning system to manage IdM user accounts. For example, you can configure the system to inactivate a user account after the employee has left the company.

Managing User Accounts Using LDAP

You can add new user entries, modify existing entries, move users between different life cycle states, or delete users by editing the underlying Directory Server database. To edit the database, use the ldapmodify utility.
The following LDIF-formatted templates provide information on what attributes to modify using ldapmodify. For detailed example procedures, see Example 10.2, “Adding a Stage User with ldapmodify and Example 10.3, “Preserving a User with ldapmodify.
Adding a new stage user
Adding a user with UID and GID automatically assigned:
dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
changetype: add
objectClass: top
objectClass: inetorgperson
uid: user_login
sn: surname
givenName: first_name
cn: full_name
Adding a user with UID and GID statically assigned:
dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: posixaccount
uid: user_login
uidNumber: UID_number
gidNumber: GID_number
sn: surname
givenName: first_name
cn: full_name
homeDirectory: /home/user_login
You are not required to specify any IdM object classes when adding stage users. IdM adds these classes automatically after the users are activated.
Note that the distinguished name (DN) of the created entry must start with uid=user_login.
Modifying existing users
Before modifying a user, obtain the user's distinguished name (DN) by searching by the user's login. In the following example, the user_allowed_to_read user in the following example is a user allowed to read user and group information, and password is this user's password:
# ldapsearch -LLL -x -D "uid=user_allowed_to_read,cn=users,cn=accounts,dc=example, dc=com" -w "password" -H ldap://server.example.com -b "cn=users, cn=accounts, dc=example, dc=com" uid=user_login
To modify a user's attribute:
dn: distinguished_name
changetype: modify
replace: attribute_to_modify
attribute_to_modify: new_value
To disable a user:
dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE
To enable a user:
dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: FALSE
To preserve a user:
dn: distinguished_name
changetype: modrdn
newrdn: uid=user_login
deleteoldrdn: 0
newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=example
Updating the nssAccountLock attribute has no effect on stage and preserved users. Even though the update operation completes successfully, the attribute value remains nssAccountLock: TRUE.
Creating a new group
To create a new group:
dn: cn=group_distinguished_name,cn=groups,cn=accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaobject
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
cn: group_name
gidNumber: GID_number
Modifying groups
Before modifying a group, obtain the group's distinguished name (DN) by searching by the group's name.
# ldapsearch -YGSSAPI  -H ldap://server.example.com -b "cn=groups,cn=accounts,dc=example,dc=com" "cn=group_name"
To delete an existing group:
dn: group_distinguished_name
changetype: delete
To add a member to a group:
dn: group_distinguished_name
changetype: modify
add: member
member: uid=user_login,cn=users,cn=accounts,dc=example,dc=com
To remove a member from a group:
dn: distinguished_name
changetype: modify
delete: member
member: uid=user_login,cn=users,cn=accounts,dc=example,dc=com
Do not add stage or preserved users to groups. Even though the update operation completes successfully, the users will not be updated as members of the group. Only active users can belong to groups.

Example 10.2. Adding a Stage User with ldapmodify

To add a new stageuser user using the standard interorgperson object class:
  1. Use ldapmodify to add the user.
    # ldapmodify -Y GSSAPI
    SASL/GSSAPI authentication started
    SASL username: admin@EXAMPLE
    SASL SSF: 56
    SASL data security layer installed.
    dn: uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=example
    changetype: add
    objectClass: top
    objectClass: inetorgperson
    cn: Stage
    sn: User
    
    adding new entry "uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=example"
    
  2. Consider validating the contents of the stage entry to make sure your provisioning system added all required POSIX attributes and the stage entry is ready to be activated. To display the new stage user's LDAP attributes using the ipa stageuser-show --all --raw command. Note that the user is explicitly disabled by the nsaccountlock attribute:
    $ ipa stageuser-show stageuser --all --raw
      dn: uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=example
      uid: stageuser
      sn: User
      cn: Stage
      has_password: FALSE
      has_keytab: FALSE
      nsaccountlock: TRUE
      objectClass: top
      objectClass: inetorgperson
      objectClass: organizationalPerson
      objectClass: person
    

Example 10.3. Preserving a User with ldapmodify

To preserve user by using the LDAP modrdn operation:
  1. Use the ldapmodify utility to modify the user entry.
    $ ldapmodify -Y GSSAPI
    SASL/GSSAPI authentication started
    SASL username: admin@EXAMPLE
    SASL SSF: 56
    SASL data security layer installed.
    dn: uid=user1,cn=users,cn=accounts,dc=example
    changetype: modrdn
    newrdn: uid=user1
    deleteoldrdn: 0
    newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=example
    
    modifying rdn of entry "uid=user1,cn=users,cn=accounts,dc=example"
    
  2. Optionally, verify the user has been preserved by listing all preserved users.
    $ ipa user-find --preserved=true
    ---------------
    1 user matched
    ---------------
      User login: user1
      First name: first_name
      Last name: last_name
    ...
    ----------------------------
    Number of entries returned 1
    ----------------------------
    

Chapter 11. User Authentication

11.1. User Passwords
11.1.1. Changing and Resetting User Passwords
11.1.1.1. Web UI: Changing Your Own Personal Password
11.1.1.2. Web UI: Resetting Another User's Password
11.1.1.3. Command Line: Changing or Resetting Another User's Password
11.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
11.1.3. Unlocking User Accounts After Password Failures
11.1.3.1. Checking the Status of a User Account
11.2. One-Time Passwords
11.2.1. How OTP Authentication Works in IdM
11.2.1.1. OTP Tokens Supported in IdM
11.2.1.2. Available OTP Authentication Methods
11.2.1.3. GNOME Keyring Service Support
11.2.1.4. Offline Authentication with OTP
11.2.2. Enabling OTP Authentication
11.2.3. Adding a User-Managed Software Token
11.2.4. Adding a User-Managed YubiKey Hardware Token
11.2.5. Adding a Token for a User as the Administrator
11.2.6. Migrating from a Proprietary OTP Solution
11.2.7. Promoting the Current Credentials to Two-Factor Authentication
11.2.8. Resynchronizing an OTP Token
11.3. Restricting Access to Services and Hosts Based on How Users Authenticate
11.3.1. Configuring a Host or a Service to Require a Specific Authentication Method
11.4. Managing Public SSH Keys for Users
11.4.1. Generating an SSH Key
11.4.2. Uploading User SSH Keys
11.4.2.1. Web UI: Uploading User SSH Keys
11.4.2.2. Command Line: Uploading User SSH Keys
11.4.3. Deleting User Keys
11.4.3.1. Web UI: Deleting User SSH Keys
11.4.3.2. Command Line: Deleting User SSH Keys
11.5. Smart Cards
11.5.1. Smart Card and Smart Card Reader Support in Identity Management
11.5.2. Exporting a Certificate From a Smart Card
11.5.3. Storing Smart Card Certificates for IdM Users
11.5.4. Smart Card Certificates in a Trusted Active Directory Environment
11.5.5. Smart Card Authentication on Identity Management Clients
11.5.5.1. Configuring Smart Card Authentication on an IdM Client
11.5.5.2. SSH Log in Using a Smart Card
11.6. User Certificates
This chapter describes managing user authentication mechanisms, including information on how to manage users' passwords, SSH keys, and certificates, or how to configure one-time password (OTP) and smart card authentication.

Note

For documentation on how to log in to Identity Management (IdM) using Kerberos, see Chapter 5, The Basics of Managing the IdM Server and Services.

11.1. User Passwords

11.1.1. Changing and Resetting User Passwords

Regular users without the permission to change other users' passwords can change only their own personal password. Personal passwords changed in this way:
Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. Passwords changed in this way:

Note

The LDAP Directory Manager (DM) user can change user passwords using LDAP tools. The new password can override any IdM password policies. Passwords set by DM do not expire after the first login.

11.1.1.1. Web UI: Changing Your Own Personal Password

  1. In the top right corner, click User nameChange password.
    Resetting Password

    Figure 11.1. Resetting Password

  2. Enter the new password.

11.1.1.2. Web UI: Resetting Another User's Password

  1. Select IdentityUsers.
  2. Click the name of the user to edit.
  3. Click ActionsReset password.
    Resetting Password

    Figure 11.2. Resetting Password

  4. Enter the new password, and click Reset Password.
    Confirming New Password

    Figure 11.3. Confirming New Password

11.1.1.3. Command Line: Changing or Resetting Another User's Password

To change your own personal password or to change or reset another user's password, add the --password option to the ipa user-mod command. The command will prompt you for the new password.
$ ipa user-mod user --password
Password: 
Enter Password again to verify: 
--------------------
Modified user "user"
--------------------
...

11.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login

By default, when an administrator resets another user's password, the password expires after the first successful login. See Section 11.1.1, “Changing and Resetting User Passwords” for details.
To ensure that passwords set by administrators do not expire when used for the first time, make these changes on every Identity Management server in the domain:
  • Edit the password synchronization entry: cn=ipa_pwd_extop,cn=plugins,cn=config.
  • Specify the administrative user accounts in the passSyncManagersDNs attribute. The attribute is multi-valued.
For example, to specify the admin user by using the ldapmodify utility:
$ ldapmodify -x -D "cn=Directory Manager" -W -h ldap.example.com -p 389

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com

Warning

Specify only the users who require these additional privileges. All users listed under passSyncManagerDNs can:
  • Perform password change operations without requiring a subsequent password reset
  • Bypass the password policy so that no strength or history enforcement is applied

11.1.3. Unlocking User Accounts After Password Failures

If a user attempts to log in using an incorrect password a certain number of times, IdM will lock the user account, which prevents the user from logging in. Note that IdM does not display any warning message that the user account has been locked.

Note

For information on setting the exact number of allowed failed attempts and the duration of the lockout, see Chapter 26, Defining Password Policies.
IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, the administrator can unlock the user account manually.

Unlocking a User Account Manually

To unlock a user account, use the ipa user-unlock command.
$ ipa user-unlock user
-----------------------
Unlocked account "user"
-----------------------
After this, the user is able to log in again.

11.1.3.1. Checking the Status of a User Account

To display the number of failed login attempts for a user, use the ipa user-status command. If the displayed number exceeds the number of allowed failed login attempts, the user account is locked.
$ ipa user-status user
-----------------------
Account disabled: False
-----------------------
  Server: example.com
  Failed logins: 8
  Last successful authentication: 20160229080309Z
  Last failed authentication: 20160229080317Z
  Time now: 2016-02-29T08:04:46Z
----------------------------
Number of entries returned 1
----------------------------

11.2. One-Time Passwords

Important

The IdM solution for OTP authentication is only supported for clients running Red Hat Enterprise Linux 7.1 or later.
One-time password (OTP) is a password valid for only one authentication session and becomes invalid after use. Unlike a traditional static password, OTP generated by an authentication token keeps changing. OTPs are used as part of two-factor authentication:
  1. The user authenticates with a traditional password.
  2. The user provides an OTP code generated by a recognized OTP token.
Two-factor authentication is considered safer than authentication using a traditional password alone. Even if a potential intruder intercepts the OTP during login, the intercepted OTP will already be invalid by that point because it can only be used for successful authentication once.

Warning

The following security and other limitations currently relate to the OTP support in IdM:
  • The most important security limitation is the potential vulnerability to replay attacks across the system. Replication is asynchronous, and an OTP code can therefore be reused during the replication period. A user might be able to log on to two servers at the same time. However, this vulnerability is usually difficult to exploit due to comprehensive encryption.
  • It is not possible to obtain a ticket-granting ticket (TGT) using a client that does not support OTP authentication. This might affect certain use cases, such as authentication using the mod_auth_kerb module or the Generic Security Services API (GSSAPI).

11.2.1. How OTP Authentication Works in IdM

11.2.1.1. OTP Tokens Supported in IdM

Software and Hardware Tokens

IdM supports both software and hardware tokens.

User-managed and Administrator-managed Tokens

Users can manage their own tokens, or the administrator can manage their tokens for them:
User-managed tokens
Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
Administrator-managed tokens
The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access for such tokens: they do not have the permission to manage or modify the tokens and they are not required to configure them in any way.
Note that users cannot delete or deactivate a token if it is their only active token at the moment. As an administrator, you cannot delete or deactivate your last active token, but you can delete or deactivate the last active token of another user.

Supported OTP Algorithms

Identity Management supports the following two standard OTP mechanisms:
  • The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
  • The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support time-based moving factor.

11.2.1.2. Available OTP Authentication Methods

When enabling OTP authentication, you can choose from the following authentication methods:
Two-factor authentication (password + OTP)
With this method, the user is always required to enter both a standard password and an OTP code.
Password
With this method, the user still has the option to authenticate using a standard password only.
RADIUS proxy server authentication
For information on configuring a RADIUS server for OTP validation, see Section 11.2.6, “Migrating from a Proprietary OTP Solution”.

Global and User-specific Authentication Methods

You can configure these authentication methods either globally or for individual users:
  • By default, user-specific authentication method settings take precedence over global settings. If no authentication method is set for a user, the globally-defined methods apply.
  • You can disable per-user authentication method settings for any user. This ensures IdM ignores the per-user settings and always applies the global settings for the user.

Combining Multiple Authentication Methods

If you set multiple methods at once, either one of them will be sufficient for successful authentication. For example:
  • If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line:
    First Factor: 
    Second Factor (optional):
  • In the web UI, the user must still provide both factors.

Note

Individual hosts or services might be configured to require a certain authentication method, for example OTP. If you attempt to authenticate to such hosts or services using the first factor only, you will be denied access. See Section 11.3, “Restricting Access to Services and Hosts Based on How Users Authenticate”.
However, a minor exception exists when RADIUS and another authentication method are configured:
  • Kerberos will always use RADIUS, but LDAP will not. LDAP only recognizes the password and two-factor authentication methods.
  • If you use an external two-factor authentication provider, use Kerberos from your applications. If you want to let users authenticate with a password only, use LDAP. It is recommended that the applications leverage Apache modules and SSSD, which allows to configure either Kerberos or LDAP.

11.2.1.3. GNOME Keyring Service Support

IdM integrates OTP authentication with the GNOME Keyring service. Note that GNOME Keyring integration requires the user to enter the first and second factors separately:
First factor: static_password
Second factor: one-time_password

11.2.1.4. Offline Authentication with OTP

IdM supports offline OTP authentication. However, to be able to log in offline, the user must first authenticate when the system is online by entering the static password and OTP separately:
First factor: static_password
Second factor: one-time_password
If both passwords are entered separately like this when logging in online, the user will subsequently be able to authenticate even if the central authentication server is unavailable. Note that IdM only prompts for the first-factor traditional static password when the user authenticates offline.
IdM also supports entering both the static password and OTP together in one string in the First factor prompt. However, note that this is not compatible with offline OTP authentication. If the user enters both factors in a single prompt, IdM will always have to contact the central authentication server when authenticating, which requires the system to be online.

Important

If you use OTP authentication on devices that also operate offline, such as laptops, Red Hat recommends to enter the static password and OTP separately to make sure offline authentication will be available. Otherwise, IdM will not allow you to log in after the system goes offline.
If you want to benefit from OTP offline authentication, apart from entering the static and OTP passwords separately, also make sure to meet the following conditions:
  • The cache_credentials option in the /etc/sssd/sssd.conf file is set to True, which enables caching the first factor password.
  • The first-factor static password meets the password length requirement defined in the cache_credentials_minimal_first_factor_length option set in /etc/sssd/sssd.conf. The default minimal length is 8 characters. For more information about the option, see the sssd.conf(5) man page.
Note that even if the krb5_store_password_if_offline option is set to true in /etc/sssd/sssd.conf, SSSD does not attempt to refresh the Kerberos ticket-granting ticket (TGT) when the system goes online again because the OTP might already be invalid at that point. To obtain a TGT in this situation, the user must authenticate again using both factors.

11.2.2. Enabling OTP Authentication

For details on the available authentication methods related to OTP, see Section 11.2.1.2, “Available OTP Authentication Methods”.
To enable OTP authentication using:

Web UI: Enabling OTP Authentication

To set authentication methods globally for all users:
  1. Select IPA ServerConfiguration.
  2. In the User Options area, select the required Default user authentication types.
    User Authentication Methods

    Figure 11.4. User Authentication Methods

To ensure the global settings are not overridden with per-user settings, select Disable per-user override. If you do not select Disable per-user override, authentication methods configured per user take precedence over the global settings.
To set authentication methods individually on a per-user basis:
  1. Select IdentityUsers, and click the name of the user to edit.
  2. In the Account Settings area, select the required User authentication types.
    User Authentication Methods

    Figure 11.5. User Authentication Methods

Command Line: Enabling OTP Authentication

To set authentication methods globally for all users:
  1. Run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
    $ ipa config-mod --user-auth-type=otp
    For a list of values accepted by --user-auth-type, run the ipa config-mod --help command.
  2. To disable per-user overrides, thus ensuring the global settings are not overridden with per-user settings, add the --user-auth-type=disabled option as well. For example, to set the global authentication method to two-factor authentication and disable per-user overrides:
    $ ipa config-mod --user-auth-type=otp --user-auth-type=disabled
    If you do not set --user-auth-type=disabled, authentication methods configured per user take precedence over the global settings.
To set authentication methods individually for a specified user:
  • Run the ipa user-mod --user-auth-type command. For example, to set that user will be required to use two-factor authentication:
    $ ipa user-mod user --user-auth-type=otp
To set multiple authentication methods, add --user-auth-type multiple times. For example, to configure both password and two-factor authentication globally for all users:
$ ipa config-mod --user-auth-type=otp --user-auth-type=password

11.2.3. Adding a User-Managed Software Token

  1. Log in with your standard password.
  2. Make sure the FreeOTP Authenticator application is installed on your mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
  3. Create the software token in the IdM web UI or from the command line.
    • To create the token in the web UI, click Add under the OTP tokens tab. If you are logged-in as the administrator, the OTP Tokens tab is accessible through the Authentication tab.
      Adding an OTP Token for a User

      Figure 11.6. Adding an OTP Token for a User

    • To create the token from the command line, run the ipa otptoken-add command.
      $ ipa otptoken-add
      ------------------
      Added OTP token ""
      ------------------
        Unique ID: 7060091b-4e40-47fd-8354-cb32fecd548a
        Type: TOTP
      ...
      
      For more information about ipa otptoken-add, run the command with the --help option added.
  4. A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.

11.2.4. Adding a User-Managed YubiKey Hardware Token

A programmable hardware token, such as a YubiKey token, can only be added from the command line. To add a YubiKey hardware token as the user owning the token:
  1. Log in with your standard password.
  2. Insert your YubiKey token.
  3. Run the ipa otptoken-add-yubikey command.
    • If the YubiKey has an empty slot available, the command will select the empty slot automatically.
    • If no empty slot is available, you must select a slot manually using the --slot option.For example:
      $ ipa otptoken-add-yubikey --slot=2
      Note that this overwrites the selected slot.

11.2.5. Adding a Token for a User as the Administrator

To add a software token as the administrator:
  1. Make sure you are logged-in as the administrator.
  2. Make sure the FreeOTP Authenticator application is installed on the mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
  3. Create the software token in the IdM web UI or from the command line.
    • To create the token in the web UI, select AuthenticationOTP Tokens and click Add at the top of the list of OTP tokens. In the Add OTP Token form, select the owner of the token.
      Adding an Administrator-Managed Software Token

      Figure 11.7. Adding an Administrator-Managed Software Token

    • To create the token from the command line, run the ipa otptoken-add command with the --owner option. For example:
      $ ipa otptoken-add --owner=user
      ------------------
      Added OTP token ""
      ------------------
        Unique ID: 5303baa8-08f9-464e-a74d-3b38de1c041d
        Type: TOTP
      ...
      
  4. A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.
To add a programmable hardware token, such as a YubiKey token, as the administrator:
  1. Make sure you are logged-in as the administrator.
  2. Insert the YubiKey token.
  3. Run the ipa otptoken-add-yubikey command with the --owner option. For example:
    $ ipa otptoken-add-yubikey --owner=user

11.2.6. Migrating from a Proprietary OTP Solution

To enable migrating a large deployment from a proprietary OTP solution to the IdM-native OTP solution, IdM offers a way to offload OTP validation to a third-party RADIUS server for a subset of users. The administrator creates a set of RADIUS proxies where each proxy can contain multiple individual RADIUS servers. The administrator then assigns one of these proxy sets to a user. As long as the user has a RADIUS proxy set assigned, IdM bypasses all other authentication mechanisms.

Note

IdM does not provide any token management or synchronization support for tokens in the third-party system.
To configure a RADIUS server for OTP validation and to add a user to the proxy server:
  1. Make sure that the radius user authentication method is enabled. See Section 11.2.2, “Enabling OTP Authentication”.
  2. Run the ipa radiusproxy-add proxy_name command to add a RADIUS proxy. The command prompts you for the required information.
  3. Run the ipa user-mod radiususer --radius=proxy_name command to assign a user to the added proxy.
  4. If required, configure the user name to be sent to RADIUS by running the ipa user-mod radiususer --radius-username=radius_user command.
After this, the user OTP authentication will now be processed through the RADIUS proxy server.
When the user is ready to be migrated to the IdM native OTP system, you can simply remove the RADIUS proxy assignment for the user.

11.2.7. Promoting the Current Credentials to Two-Factor Authentication

If both password and two-factor authentication are configured, but you only authenticated using the password, you might be denied access to certain services or hosts (see Section 11.3, “Restricting Access to Services and Hosts Based on How Users Authenticate”). In this situation, promote your credentials from one-factor to two-factor authentication by authenticating again:
  1. Lock your screen. The default keyboard shortcut to lock the screen is Super key+L.
  2. Unlock your screen. When asked for credentials, use both password and OTP.

11.2.8. Resynchronizing an OTP Token

11.3. Restricting Access to Services and Hosts Based on How Users Authenticate

The authentication mechanisms supported by IdM vary in their authentication strength. For example, authentication using a one-time password (OTP) in combination with a standard password is considered safer than authentication using a standard password only. This section shows how to limit access to services and hosts based on how the user authenticates.
For example, you can configure:
  • services critical to security, such as VPN, to require a strong authentication method
  • noncritical services, such as local logins, to allow authentication using a weaker, but more convenient authentication method
Example of Authenticating Using Different Methods

Figure 11.8. Example of Authenticating Using Different Methods

Authentication Indicators

Access to services and hosts is defined by authentication indicators:
  • Indicators included in a service or host entry define what authentication methods the user can use to access that service or host.
  • Indicators included in the user's ticket-granting ticket (TGT) show what authentication method was used to obtain the ticket.
If the indicator in the principal does not match the indicator in the TGT, the user is denied access.

11.3.1. Configuring a Host or a Service to Require a Specific Authentication Method

To configure a host or a service using:

Web UI: Configuring a Host or a Service to Require a Specific Authentication Method

  1. Select IdentityHosts or IdentityServices.
  2. Click the name of the required host or service.
  3. Under Authentication indicators, select the required authentication method.
    • For example, selecting OTP ensures that only users who used a valid OTP code with their password will be allowed to access the host or service.
    • If you select both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.
  4. Click Save at the top of the page.

Command Line: Configuring a Host or a Service to Require a Specific Authentication Method

  1. Optional. Use the ipa host-find or ipa service-find commands to identify the host or service.
  2. Use the ipa host-mod or the ipa service-mod command with the --auth-ind option to add the required authentication indicator. For a list of the values accepted by --auth-ind, see the output of the ipa host-mod --help or ipa service-mod --help commands.
    For example, --auth-ind=otp ensures that only users who used a valid OTP code with their password will be allowed to access the host or service:
    $ ipa host-mod server.example.com --auth-ind=otp
    ---------------------------------------------------------
    Modified host "server.example.com"
    ---------------------------------------------------------
      Host name: server.example.com
      ...
      Authentication Indicators: otp
      ...
    If you add indicators for both OTP and RADIUS, either OTP or RADIUS will be sufficient to allow access.

11.4. Managing Public SSH Keys for Users

Identity Management allows you to upload a public SSH key to a user entry. The user who has access to the corresponding private SSH key can use ssh to log into an IdM machine without using Kerberos credentials. If pam_krb5 is configured properly or if SSSD is used as the IdM server's identity provider, the user also receives a Kerberos ticket-granting ticket (TGT) after login; see Section 5.2, “Obtaining Kerberos Tickets Automatically” for more details.
Note that users can still authenticate by providing their Kerberos credentials if they are logging in from a machine where their private SSH key file is not available.

Caching and Retrieving SSH Keys Automatically

During an IdM server or client installation, SSSD is automatically configured on the machine to cache and retrieve user and host SSH keys. This allows IdM to serve as a universal and centralized repository of SSH keys.
If the server or client was not configured during installation, you can configure SSSD on the machine manually. For information on how to do this, see the System-Level Authentication Guide. Note that caching SSH keys by SSSD requires administrative privileges on the local machines.

SSH Key Format Requirements

IdM accepts the following two SSH key formats:
OpenSSH-style key
See RFC 4716 for more details about this format.
Raw RFC 4253-style key
See RFC 4253 for more details about this format.
Note that IdM automatically converts RFC 4253-style keys into OpenSSH-style keys before saving them into the IdM LDAP server.
A key file, such as id_rsa.pub, consists of three parts: the key type, the key itself, and an additional comment or identifier. In the following example, the key type is RSA and the comment associates the key with the client.example.com host name:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMM4xPu54Kf2dx7C4Ta2F7vnIzuL1i6P21TTKniSkjFuA+r
qW06588e7v14Im4VejwnNk352gp49A62qSVOzp8IKA9xdtyRmHYCTUvmkcyspZvFRI713zfRKQVFyJOqHmW/m
dCmak7QBxYou2ELSPhH3pe8MYTQIulKDSu5Zbsrqedg1VGkSJxf7mDnCSPNWWzAY9AFB9Lmd2m2xZmNgVAQEQ
nZXNMaIlroLD/51rmMSkJGHGb1O68kEq9Z client.example.com
When uploading a key to IdM, you can either upload all three key parts, or only the key itself. If you only upload the key itself, IdM automatically identifies the key type, such as RSA or DSA, from the uploaded key.

11.4.1. Generating an SSH Key

You can generate an SSH key using the OpenSSH ssh-keygen utility. The utility displays information about the location of the public key. For example:
$ ssh-keygen -t rsa -C user@example.com
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
a5:fd:ac:d3:9b:39:29:d0:ab:0e:9a:44:d1:78:9c:f2 user@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     + .         |
|    + =   .      |
|     =   +       |
|    . E S..      |
|   .    . .o     |
|    . .  . oo.   |
|   . o .  +.+o   |
|    o  .o..o+o   |
+-----------------+
To upload an SSH key for a user, use the public key string stored in the displayed file.

11.4.2. Uploading User SSH Keys

11.4.2.1. Web UI: Uploading User SSH Keys

  1. Select IdentityUsers.
  2. Click the name of the user to edit.
  3. Under the Settings tab in the Account Settings area, click SSH public keys: Add.
    SSH public keys in the Account Settings

    Figure 11.9. SSH public keys in the Account Settings

  4. Paste in the Base 64-encoded public key string, and click Set.
    Pasting in the Public Key

    Figure 11.10. Pasting in the Public Key

  5. Click Save at the top of the page.

11.4.2.2. Command Line: Uploading User SSH Keys

Use the ipa user-mod command and pass the Base 64-encoded public key string using the --sshpubkey option.
For example, to upload the key type, the key itself, and the host name identifier:
$ ipa user-mod user --sshpubkey="ssh-rsa AAAAB3Nza...SNc5dv== client.example.com"
To upload multiple keys, use --sshpubkey multiple times. For example, to upload two SSH keys:
--sshpubkey="AAAAB3Nza...SNc5dv==" --sshpubkey="RjlzYQo...ZEt0TAo="

Note

Instead of pasting the key string manually into the command line, you can use command redirection and point to the file containing the key. For example:
$ ipa user-mod user --sshpubkey="$(cat ~/.ssh/id_rsa.pub)" --sshpubkey="$(cat ~/.ssh/id_rsa2.pub)"

11.4.3. Deleting User Keys

To delete an SSH key:

11.4.3.1. Web UI: Deleting User SSH Keys

  1. Select IdentityUsers.
  2. Click the name of the user to edit.
  3. Under the Settings tab in the Account Settings area, click Delete next to the key you want to remove.
    Deleting User SSH Public Key

    Figure 11.11. Deleting User SSH Public Key

  4. Click Save at the top of the page.

11.4.3.2. Command Line: Deleting User SSH Keys

To delete all SSH keys assigned to a user account, add the --sshpubkey option to the ipa user-mod command without specifying any key:
$ ipa user-mod user --sshpubkey=
If you only want to delete a specific SSH key or keys, use the --sshpubkey option to specify the key or keys you want to keep.

11.5. Smart Cards

Authentication based on smart cards is an alternative to passwords. User credentials are stored on the smart card, and special software and hardware is used to access them. In order to authenticate this way, the user must place the smart card into a reader and then supply the PIN code for the smart card.

11.5.1. Smart Card and Smart Card Reader Support in Identity Management

If your smart card is supported by the opensc or coolkey package, the required PKCS #11 module is already present in the central /etc/pki/nssdb/ NSS database after the installation of these packages.
If your smart card is not supported:
  1. Add the required PKCS #11 module manually using the modutil utility. For example:
    [root@ipaclient ~]# modutil -dbdir /etc/pki/nssdb/ -add "My PKCS#11 module" -libfile libmypkcs11.so
    ...
    Module "My PKCS#11 Module" added to database.
    For detailed information on using modutil, see the modutil(1) man page.
  2. Add all certificate authority (CA) certificates to the NSS database that are required to validate the certificate on the smart card. For example, to add the CA certificate in the ca_certificate.pem file to the NSS database:
    [root@ipaclient ~]# certutil -A -d /etc/pki/nssdb/ -n 'CA certificate' -t CT,C,C -a -i ca_certificate.pem
    For detailed information on using certutil, see the certutil(1) man page.

11.5.2. Exporting a Certificate From a Smart Card

  1. Place the smart card into the reader.
  2. Enter the following command to list the certificates on the smart card:
    [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -h all
    Certificate Nickname         Trust Attributes
                                 SSL,S/MIME,JAR/XPI
    
    my_certificate               CT,C,C
    In the output, locate the certificate to use for authentication, and note its nickname.
  3. To extract the certificate in Base 64 format to user.crt, use the nickname from the previous step:
    [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -n 'my_certificate' -r | base64 -w 0 > user.crt
    The base64 utility is part of the coreutils package.

11.5.3. Storing Smart Card Certificates for IdM Users

To add a smart card certificate to an IdM user account, see Section 20.2, “Managing Certificates Issued by External CAs”.

11.5.4. Smart Card Certificates in a Trusted Active Directory Environment

For information on where to store certificates in a trusted Active Directory environment, see Smart Card Certificates in a Trusted Active Directory Environment in the Windows Integration Guide.

11.5.5. Smart Card Authentication on Identity Management Clients

Red Hat Identity Management (IdM) supports two smart card-based authentication options:
Local authentication
  • Text console
  • Graphical console, such as the Gnome Display Manager (GDM)
  • Local authentication services, like su, or sudo
Remote authentication with ssh
Certificates on a smart card are stored together with the PIN-protected SSH private key.

Note

IdM only supports the above-mentioned local authentication services and ssh for smart card authentication. Other services, such as FTP, are not supported.
With SSSD-based smart card authentication configured, the system prompts for the smart card PIN code after the user attempts to log in. The user is successfully authenticated if the supplied PIN is correct, the certificate on the smart card is valid,and belongs to the user attempting to log in, and other configurable criteria are met.

11.5.5.1. Configuring Smart Card Authentication on an IdM Client

To be able to authenticate using smart cards on a client:
  1. Set the following option in your /etc/sssd/sssd.conf to true:
    [pam]
    pam_cert_auth=true
  2. Restart SSSD:
    [root@ipaclient ~]# systemctl restart sssd

11.5.5.2. SSH Log in Using a Smart Card

If you are logging in with ssh when authenticating with a smart card, specify also the path to the smart card reader module. For example:
$ ssh -I /usr/lib/libmypkcs11.so -l user@example.com host.example.com
Enter PIN for 'Smart Card':

11.6. User Certificates

For information on user certificates, see Chapter 20, Managing Certificates for Users, Hosts, and Services.

Chapter 12. Managing Hosts

Both DNS and Kerberos are configured as part of the initial client configuration. This is required because these are the two services that bring the machine within the IdM domain and allow it to identify the IdM server it will connect with. After the initial configuration, IdM has tools to manage both of these services in response to changes in the domain services, changes to the IT environment, or changes on the machines themselves which affect Kerberos, certificate, and DNS services, like changing the client host name.
This chapter describes how to manage identity services that relate directly to the client machine:
  • DNS entries and settings
  • Machine authentication
  • Host name changes (which affect domain services)

12.1. About Hosts, Services, and Machine Identity and Authentication

The basic function of an enrollment process is to create a host entry for the client machine in the IdM directory. This host entry is used to establish relationships between other hosts and even services within the domain. These relationships are part of delegating authorization and control to hosts within the domain.
A host entry contains all of the information about the client within IdM:
  • Service entries associated with the host
  • The host and service principal
  • Access control rules
  • Machine information, such as its physical location and operating system
Some services that run on a host can also belong to the IdM domain. Any service that can store a Kerberos principal or an SSL certificate (or both) can be configured as an IdM service. Adding a service to the IdM domain allows the service to request an SSL certificate or keytab from the domain. (Only the public key for the certificate is stored in the service record. The private key is local to the service.)
An IdM domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine which belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. An IdM domain (as described in Chapter 1, Introduction to Red Hat Identity Management) provides three main services specifically for machines:
  • DNS
  • Kerberos
  • Certificate management
Machines are treated as another identity that is managed by IdM. Clients use DNS to identify IdM servers, services, and domain members — which, like user identities are stored in the 389 Directory Server instance for the IdM server. Like users, machines can be authenticated to the domain using Kerberos or certificates to verify the machine's identity.
From the machine perspective, there are several tasks that can be performed that access these domain services:
  • Joining the DNS domain (machine enrollment)
  • Managing DNS entries and zones
  • Managing machine authentication
Authentication in IdM includes machines as well as users. Machine authentication is required for the IdM server to trust the machine and to accept IdM connections from the client software installed on that machine. After authenticating the client, the IdM server can respond to its requests. IdM supports three different approaches to machine authentication:
  • SSH keys. The SSH public key for the host is created and uploaded to the host entry. From there, the System Security Services Daemon (SSSD) uses IdM as an identity provider and can work in conjunction with OpenSSH and other services to reference the public keys located centrally in Identity Management. This is described in Section 12.5, “Managing Public SSH Keys for Hosts”.
  • Key tables (or keytabs, a symmetric key resembling to some extent a user password) and machine certificates. Kerberos tickets are generated as part of the Kerberos services and policies defined by the server. Initially granting a Kerberos ticket, renewing the Kerberos credentials, and even destroying the Kerberos session are all handled by the IdM services. Managing Kerberos is covered in Chapter 27, Managing the Kerberos Domain.
  • Machine certificates. In this case, the machine uses an SSL certificate that is issued by the IdM server's certificate authority and then stored in IdM's Directory Server. The certificate is then sent to the machine to present when it authenticates to the server. On the client, certificates are managed by a service called certmonger.

12.2. About Host Entry Configuration Properties

A host entry can contain information about the host that is outside its system configuration, such as its physical location, MAC address, keys, and certificates.
This information can be set when the host entry is created if it is created manually; otherwise, most of that information needs to be added to the host entry after the host is enrolled in the domain.

Table 12.1. Host Configuration Properties

UI Field Command-Line Option Description
Description --desc=description A description of the host.
Locality --locality=locality The geographic location of the host.
Location --location=location The physical location of the host, such as its data center rack.
Platform --platform=string The host hardware or architecture.
Operating system --os=string The operating system and version for the host.
MAC address --macaddress=address The MAC address for the host. This is a multi-valued attribute. The MAC address is used by the NIS plug-in to create a NIS ethers map for the host.
SSH public keys --sshpubkey=string The full SSH public key for the host. This is a multi-valued attribute, so multiple keys can be set.
Principal name (not editable) --principalname=principal The Kerberos principal name for the host. This defaults to the host name during the client installation, unless a different principal is explicitly set in the -p. This can be changed using the command-line tools, but cannot be changed in the UI.
Set One-Time Password --password=string Sets a password for the host which can be used in bulk enrollment.
- --random Generates a random password to be used in bulk enrollment.
- --certificate=string A certificate blob for the host.
- --updatedns This sets whether the host can dynamically update its DNS entries if its IP address changes.

12.3. Adding Host Entries

12.3.1. Adding Host Entries from the Web UI

  1. Open the Identity tab, and select the Hosts subtab.
  2. Click Add at the top of the hosts list.
    Adding Host Entries

    Figure 12.1. Adding Host Entries

  3. Fill in the machine name and select the domain from the configured zones in the drop-down list. If the host has already been assigned a static IP address, then include that with the host entry so that the DNS entry is fully created.
    Add Host Wizard

    Figure 12.2. Add Host Wizard

    DNS zones can be created in IdM, which is described in Section 24.4.1, “Adding and Removing Master DNS Zones”. If the IdM server does not manage the DNS server, the zone can be entered manually in the menu area, like a regular text field.

    Note

    Select the Force check box to add the host DNS record, even if the host name cannot be resolved.
    This is useful for hosts which use DHCP and do not have a static IP address. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.
  4. Click the Add and Edit button to go directly to the expanded entry page and fill in more attribute information. Information about the host hardware and physical location can be included with the host entry.
    Expanded Entry Page

    Figure 12.3. Expanded Entry Page

12.3.2. Adding Host Entries from the Command Line

Host entries are created using the host-add command. This commands adds the host entry to the IdM Directory Server. The full list of options with host-add are listed in the ipa host manpage. At its most basic, an add operation only requires the client host name to add the client to the Kerberos realm and to create an entry in the IdM LDAP server:
$ ipa host-add client1.example.com
If the IdM server is configured to manage DNS, then the host can also be added to the DNS resource records using the --ip-address and --force options.

Example 12.1. Creating Host Entries with Static IP Addresses

$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
Commonly, hosts may not have a static IP address or the IP address may not be known at the time the client is configured. For example, laptops may be preconfigured as Identity Management clients, but they do not have IP addresses at the time they are configured. Hosts which use DHCP can still be configured with a DNS entry by using --force. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.

Example 12.2. Creating Host Entries with DHCP

$ ipa host-add --force client1.example.com
Host records are deleted using the host-del command. If the IdM domain uses DNS, then the --updatedns option also removes the associated records of any kind for the host from the DNS.
$ ipa host-del --updatedns client1.example.com

12.4. Disabling and Re-enabling Host Entries

Active hosts can be accessed by other services, hosts, and users within the domain. There can be situations when it is necessary to remove a host from activity. However, deleting a host removes the entry and all the associated configuration, and it removes it permanently.

12.4.1. Disabling Host Entries

Disabling a host prevents domain users from access it without permanently removing it from the domain. This can be done by using the host-disable command.
For example:
[jsmith@ipaserver ~]$ kinit admin
[jsmith@ipaserver ~]$ ipa host-disable server.example.com

Important

Disabling a host entry not only disables that host. It disables every configured service on that host as well.

12.4.2. Re-enabling Hosts

Disabling a host essentially kills its current, active keytabs. Removing the keytabs effectively removes the host from the IdM domain without otherwise touching its configuration entry.
To re-enable a host, simply use the ipa-getkeytab command. The -s option sets which IdM server to request the keytab, -p gives the principal name, and -k gives the file to which to save the keytab.
For example, requesting a new host keytab:
[jsmith@ipaserver ~]$  ipa-getkeytab -s ipaserver.example.com -p host/server.example.com -k /etc/krb5.keytab -D fqdn=server.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password
If the ipa-getkeytab command is run on an active IdM client or server, then it can be run without any LDAP credentials (-D and -w). The IdM user uses Kerberos credentials to authenticate to the domain. To run the command directly on the disabled host, then supply LDAP credentials to authenticate to the IdM server. The credentials should correspond to the host or service which is being re-enabled.

12.5. Managing Public SSH Keys for Hosts

OpenSSH uses public keys to authenticate hosts. One machine attempts to access another machine and presents its key pair. The first time the host authenticates, the administrator on the target machine has to approve the request manually. The machine then stores the host's public key in a known_hosts file. Any time that the remote machine attempts to access the target machine again, the target machine simply checks its known_hosts file and then grants access automatically to approved hosts.
There are a few problems with this system:
  • The known_hosts file stores host entries in a triplet of the host IP address, host name, and key. This file can rapidly become out of date if the IP address changes (which is common in virtual environments and data centers) or if the key is updated.
  • SSH keys have to be distributed manually and separately to all machines in an environment.
  • Administrators have to approve host keys to add them to the configuration, but it is difficult to verify either the host or key issuer properly, which can create security problems.
On Red Hat Enterprise Linux, the System Security Services Daemon (SSSD) can be configured to cache and retrieve host SSH keys so that applications and services only have to look in one location for host keys. Because SSSD can use Identity Management as one of its identity information providers, Identity Management provides a universal and centralized repository of keys. Administrators do not need to worry about distributing, updating, or verifying host SSH keys.

12.5.1. About the SSH Key Format

When keys are uploaded to the IdM entry, the key format can be either an OpenSSH-style key or a raw RFC 4253-style blob. Any RFC 4253-style key is automatically converted into an OpenSSH-style key before it is imported and saved into the IdM LDAP server.
The IdM server can identify the type of key, such as an RSA or DSA key, from the uploaded key blob. However, in a key file such as ~/.ssh/known_hosts, a key entry is identified by the host name and IP address of the server, its type, then lastly the key itself. For example:
host.example.com,1.2.3.4 ssh-rsa AAA...ZZZ==
This is slightly different than a user public key entry, which has the elements in the order type key== comment:
"ssh-rsa ABCD1234...== ipaclient.example.com"
All three parts from the key file can be uploaded to and viewed for the host entry. In that case, the host public key entry from the ~/.ssh/known_hosts file needs to be reordered to match the format of a user key, type key== comment:
ssh-rsa AAA...ZZZ== host.example.com,1.2.3.4
The key type can be determined automatically from the content of the public key, and the comment is optional, to make identifying individual keys easier. The only required element is the public key blob itself.

12.5.2. About ipa-client-install and OpenSSH

The ipa-client-install script, by default, configures an OpenSSH server and client on the IdM client machine. It also configures SSSD to perform host and user key caching. Essentially, simply configuring the client does all of the configuration necessary for the host to use SSSD, OpenSSH, and Identity Management for key caching and retrieval.
If the SSH service is enabled with the client installation (which is the default), then an RSA key is created when the ssh service is first started.

Note

When the machine is added as an IdM client using ipa-client-install, the client is created with two SSH keys, RSA and DSS.
There is an additional client configuration option, --ssh-trust-dns, which can be run with ipa-client-install and automatically configures OpenSSH to trust the IdM DNS records, where the key fingerprints are stored.
Alternatively, it is possible to disable OpenSSH at the time the client is installed, using the --no-sshd option. This prevents the install script from configuring the OpenSSH server.
Another option, --no-dns-sshfp, prevents the host from creating DNS SSHFP records with its own DNS entries. This can be used with or without the --no-sshd option.

12.5.3. Uploading Host SSH Keys Through the Web UI

  1. The key for a host can probably be retrieved from a ~/.ssh/known_hosts. For example:
    server.example.com,1.2.3.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApvjBvSFSkTU0WQW4eOweeo0DZZ08F9Ud21xlLy6FOhzwpXFGIyxvXZ52+siHBHbbqGL5+14N7UvElruyslIHx9LYUR/pPKSMXCGyboLy5aTNl5OQ5EHwrhVnFDIKXkvp45945R7SKYCUtRumm0Iw6wq0XD4o+ILeVbV3wmcB1bXs36ZvC/M6riefn9PcJmh6vNCvIsbMY6S+FhkWUTTiOXJjUDYRLlwM273FfWhzHK+SSQXeBp/zIn1gFvJhSZMRi9HZpDoqxLbBB9QIdIw6U4MIjNmKsSI/ASpkFm2GuQ7ZK9KuMItY2AoCuIRmRAdF8iYNHBTXNfFurGogXwRDjQ==
    If necessary, generate a host key. When using the OpenSSH tools, make sure to use a blank passphrase and to save the key to a different location than the user's ~/.ssh/ directory, so it will not overwrite any existing keys.
    [jsmith@server ~]$ ssh-keygen -t rsa -C "server.example.com,1.2.3.4"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/jsmith/.ssh/id_rsa): /home/jsmith/.ssh/host_keys
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/jsmith/.ssh/host_keys.
    Your public key has been saved in /home/jsmith/.ssh/host_keys.pub.
    The key fingerprint is:
    4f:61:ee:2c:f7:d7:da:41:17:93:de:1d:19:ac:2e:c8 server.example.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |              .. |
    |               .+|
    |          o   .* |
    |         o . .. *|
    |        S + .  o+|
    |         E . .. .|
    |        . = .  o |
    |         o .  ..o|
    |            .....|
    +-----------------+
  2. Copy the public key from the key file. The full key entry has the form host name,IP type key==. Only the key== is required, but the entire entry can be stored. To use all elements in the entry, rearrange the entry so it has the order type key== [host name,IP]
    [jsmith@server ~]$ cat /home/jsmith/.ssh/host_keys.pub
    
    ssh-rsa AAAAB3NzaC1yc2E...tJG1PK2Mq++wQ== server.example.com,1.2.3.4
  3. Open the Identity tab, and select the Hosts subtab.
  4. Click the name of the host to edit.
    List of Hosts

    Figure 12.4. List of Hosts

  5. In the Host Settings area of the Settings tab, click Add next to SSH public keys.
    Adding an SSH Key

    Figure 12.5. Adding an SSH Key

  6. Paste in the public key for the host, and click Set.
    Setting an SSH Key

    Figure 12.6. Setting an SSH Key

    The SSH public keys area now shows the new key. Clicking Show/Set key opens the submitted key.
  7. To upload multiple keys, click the Add link below the list of public keys, and upload the other keys.
  8. When all the keys have been submitted, click Save at the top of the host's page to save the changes.
When the public key is saved, the entry is displayed as the key fingerprint, the comment (if one was included), and the key type[2].
After uploading the host keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing host keys. This is covered in the "Configuring Services: OpenSSH and Cached Keys" in the System-Level Authentication Guide.

12.5.4. Adding Host Keys from the Command Line

Host SSH keys are added to host entries in IdM, either when the host is created using host-add or by modifying the entry later.

Note

RSA and DSS host keys are created by the ipa-client-install command, unless the SSH service is explicitly disabled in the installation script.
  1. Run the host-mod command with the --sshpubkey option to upload the base64-encoded public key to the host entry.
    Adding a host key also changes the DNS SSHFP entry for the host, so also use the --updatedns option to update the host's DNS entry.
    For example:
    [jsmith@server ~]$ ipa host-mod --sshpubkey="ssh-rsa RjlzYQo==" --updatedns host1.example.com
    A real key also usually ends with an equal sign (=) but is longer.
    To upload more than one key, enter multiple --sshpubkey command-line parameters:
    --sshpubkey="RjlzYQo==" --sshpubkey="ZEt0TAo=="

    Note

    A host can have multiple public keys.
  2. After uploading the host keys, configure SSSD to use Identity Management as one of its identity domains and set up OpenSSH to use the SSSD tooling for managing host keys. This is covered in the "Configuring Services: OpenSSH and Cached Keys" in the System-Level Authentication Guide.

12.5.5. Removing Host Keys

Host keys can be removed once they expire or are no longer valid.
To remove an individual host key, it is easiest to remove the key through the web UI:
  1. Open the Identity tab, and select the Hosts subtab.
  2. Click the name of the host to edit.
    List of Hosts

    Figure 12.7. List of Hosts

  3. In the SSH public keys area, click Delete by the fingerprint of the key to remove it.
    Public Key Deletion

    Figure 12.8. Public Key Deletion

  4. Click Save at the top of the host's page to save the changes.
The command-line tools can be used to remove all keys. This is done by running ipa host-mod with the --sshpubkey= set to a blank value; this removes all public keys for the host. Also, use the --updatedns option to update the host's DNS entry. For example:
[jsmith@server ~]$ kinit admin
[jsmith@server ~]$ ipa host-mod --sshpubkey= --updatedns host1.example.com

12.6. Setting ethers Information for a Host

NIS can host an ethers table which can be used to manage DHCP configuration files for systems based on their platform, operating system, DNS domain, and MAC address — all information stored in host entries in IdM.
In Identity Management, each system is created with a corresponding ethers entry in the directory, in the ou=ethers subtree.
cn=server,ou=ethers,dc=example,dc=com
This entry is used to create a NIS map for the ethers service which can be managed by the NIS compatibility plug-in in IdM.
To configure NIS maps for ethers entries:
  1. Add the MAC address attribute to a host entry. For example:
    [jsmith@server ~]$ kinit admin
    [jsmith@server ~]$ ipa host-mod --macaddress=12:34:56:78:9A:BC server.example.com
  2. Open the nsswitch.conf file.
  3. Add a line for the ethers service, and set it to use LDAP for its lookup.
    ethers: ldap
  4. Check that the ethers information is available for the client.
    [root@server ~]# getent ethers server.example.com


[2] The key type is determined automatically from the key itself, if it is not included in the uploaded key.

Chapter 13. Managing User and Host Groups

13.1. How User and Host Groups Work in IdM

13.1.1. What User and Host Groups Are

A user group is a set of users with common privileges, password policies, and other characteristics.
A host group is a set of IdM hosts with common access control rules and other characteristics.
For example, you can define groups around company departments, physical locations, or access control requirements.

13.1.2. Supported Group Members

A user group in IdM can include:
  • IdM users
  • other IdM user groups
  • external users, which are users that exist outside IdM
A host group in IdM can include:
  • IdM servers and clients
  • other IdM host groups

13.1.3. Direct and Indirect Group Members

User and host group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, all users in group B are considered members of group A.
  • User 1 and User 2 are direct members of group A.
  • User 3, User 4, and User 5 are indirect members of group A.
Direct and Indirect Group Membership

Figure 13.1. Direct and Indirect Group Membership

If you set a password policy for user group A, the policy applies to all users in user group B as well.

Example 13.1. Viewing Direct and Indirect Group Members

  1. Create two groups: group_A and group_B. See Section 13.2, “Adding and Removing User or Host Groups”.
  2. Add:
    • one user as a member of group_A
    • another user as a member of group_B
    • group_B as a member of group_A
  3. In the web UI: Select IdentityUser Groups, and click the name of group_A. Switch between Direct Membership and Indirect Membership.
    Indirect and Direct Members

    Figure 13.2. Indirect and Direct Members

  4. From the command line: Use the ipa group-show command:
    $ ipa group-show group_A
      ...
      Member users: user_1
      Member groups: group_B
      Indirect Member users: user_2

13.1.4. User Group Types in IdM

POSIX groups (the default)
POSIX groups support POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.
Non-POSIX groups
All group members of this type of group must belong to the IdM domain.
External groups
External groups allow adding group members that exist in an identity store outside of the IdM domain. The external store can be a local system, an Active Directory domain, or a directory service.
Non-POSIX and external groups do not support POSIX attributes. For example, these groups do not have a GID defined.

Example 13.2. Searching for Different Types of User Groups

  1. Run the ipa group-find command to display all user groups.
  2. Run the ipa group-find --posix command to display all POSIX groups.
  3. Run the ipa group-find --nonposix command to display all non-POSIX groups.
  4. Run the ipa group-find --external command to display all external groups.

13.1.5. User and Host Groups Created by Default

Table 13.1. User and Host Groups Created by Default

Group Name User or Host Default Group Members
ipausers User group All IdM users
admins User group Users with administrative privileges, initially the default admin user
editors User group Users allowed to edit other IdM users in the web UI, without all the rights of an administrative user
trust admins User group Users with privileges to manage Active Directory trusts
ipaservers Host group All IdM server hosts
Adding a user to a user group applies the privileges and policies associated with the group. For example, adding a user to the admins group grants the user administrative privileges.

Warning

Be careful when adding hosts to the ipaservers host group. All hosts in ipaservers have the ability to promote themselves to an IdM server.
In addition, IdM creates user private groups by default whenever a new user is created in IdM.
  • The user private group has the same name as the user for which it was created.
  • The user is the only member of the user private group.
  • GID of the private groups matches the UID of the user.

Example 13.3. Viewing User Private Groups

Run the ipa group-find --private command to display all user private groups:
$ ipa group-find --private
----------------
2 groups matched
----------------
  Group name: user1
  Description: User private group for user1
  GID: 830400006
  
  Group name: user2
  Description: User private group for user2
  GID: 830400004
----------------------------
Number of entries returned 2
----------------------------
In some situations, it is better to avoid creating user private groups, such as when a NIS group or another system group already uses the GID that would be assigned to the user private group. See Section 13.4, “Disabling User Private Groups”.

13.2. Adding and Removing User or Host Groups

To add a group, you can use:
IdM enables specifying a custom GID when creating a user group. If you do this, be careful to avoid ID conflicts. See Section 14.6, “Ensuring That ID Values Are Unique”. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.
To remove a group, you can use:
Note that removing a group does not delete the group members from IdM.

Web UI: Adding a User or Host Group

  1. Click IdentityUser Groups or IdentityHost Groups.
  2. Click Add to start adding the group.
  3. Fill out the information about the group.
    For details on user group types, see Section 13.1.4, “User Group Types in IdM”.
  4. Click Add to confirm.

Command Line: Adding a User or Host Group

  1. Log in as the administrator:
    $ kinit admin
  2. To add a user group, use the ipa group-add command. To add a host group, use the ipa hostgroup-add command.
    $ ipa group-add group_name
    -----------------------
    Added group "group_name"
    ------------------------
By default, ipa group-add adds a POSIX user group. To specify a different group type, add options to ipa group-add:
  • --nonposix to create a non-POSIX group
  • --external to create an external group
For details on group types, see Section 13.1.4, “User Group Types in IdM”.

Web UI: Removing a User or Host Group

  1. Click IdentityUser Groups or IdentityHost Groups.
  2. Select the group to remove, and click Delete.

Command Line: Removing a User or Host Group

  1. Log in as the administrator:
    $ kinit admin
  2. To delete a user group, use the ipa group-del group_name command. To delete a host group, use the ipa hostgroup-del group_name command.
    $ ipa group-del group_name
    --------------------------
    Deleted group "group_name"
    --------------------------

13.3. Adding and Removing User or Host Group Members

To add members to user groups, you can use:

Important

When adding another user group as a member, do not create recursive groups. For example, if Group A is a member of Group B, do not add Group B as a member of Group A. Recursive groups can cause unpredictable behavior.
To remove members from user groups, you can use:

Web UI: Adding a Member to a User or Host Group

  1. Click IdentityUser Groups or IdentityHost Groups.
  2. Click the name of the group.
  3. Select the type of group member you want to add. For example, Users, User Groups, or External for user groups.
    Adding User Group Members

    Figure 13.3. Adding User Group Members

  4. Click Add.
  5. Select the member you want to add, and click Add to confirm.

Command Line: Adding a Member to a User Group

  1. Optional. Use the ipa group-find or ipa hostgroup-find command to find the group.
  2. To add a member to a user group, use the ipa group-add-member command. To add a member to a host group, use the ipa hostgroup-add-member command.
    When adding a user group member, specify the member using these options:
    • --users adds an IdM user
    • --external adds a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
    • --groups adds an IdM user group
    When adding a host group member, specify the member using these options:
    • --hosts adds an IdM host
    • --groups adds an IdM host group
    For example, to add user1, user2, and group1 to a group called group_name:
    $ ipa group-add-member group_name --users=user1 --users=user2 --groups=group1

Web UI: Removing a Member from a User Group

  1. Click IdentityUser Groups or IdentityHost Groups.
  2. Click the name of the group.
  3. Select the type of group member you want to remove. For example, Users, User Groups, or External for user groups.
    Removing User Group Members

    Figure 13.4. Removing User Group Members

  4. Select the check box next to the required member.
  5. Click Delete.

Command Line: Removing a Member from a User Group

  1. Optional. Use the ipa group-show or ipa hostgroup-show command to confirm that the group includes the member you want to remove.
  2. To remove a user group member, use the ipa group-remove-member command. To remove a host group member, use the ipa hostgroup-remove-member command.
    When removing a user group member, specify the member using these options:
    • --users removes an IdM user
    • --external removes a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
    • --groups removes an IdM user group
    When removing a host group member, specify the member using these options:
    • --hosts removes an IdM host
    • --groups removes an IdM host group
    For example, to remove user1, user2, and group1 from a group called group_name:
    $ ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1

13.4. Disabling User Private Groups

To ensure that IdM does not create a default user private group for a new user, choose one of the following:
Even after you disable creating default user private groups, IdM will still require a GID when adding new users. To ensure that adding the user succeeds, see Section 13.4.3, “Adding a User with User Private Groups Disabled”.

Note

If you want to disable creating default user private groups because of GID conflicts, consider changing the default UID and GID assignment ranges. See Chapter 14, Unique UID and GID Number Assignments.

13.4.1. Creating a User without a User Private Group

Add the --noprivate option to the ipa user-add command. Note that for the command to succeed, you must specify a custom private group. See Section 13.4.3, “Adding a User with User Private Groups Disabled”.

13.4.2. Disabling User Private Groups Globally for All Users

  1. Log in as the administrator:
    $ kinit admin
  2. IdM uses the Directory Server Managed Entries Plug-in to manage user private groups. List the instances of the plug-in:
    $ ipa-managed-entries --list
  3. To ensure IdM does not create user private groups, disabling the plug-in instance responsible for managing user private groups:
    $ ipa-managed-entries -e "UPG Definition" disable
    Disabling Plugin

    Note

    To re-enable the UPG Definition instance later, use the ipa-managed-entries -e "UPG Definition" enable command.
  4. Restart Directory Server to load the new configuration.
    # systemctl restart dirsrv.target

13.4.3. Adding a User with User Private Groups Disabled

To make sure adding a new user succeeds when creating default user private groups is disabled, choose one of the following:

13.5. Setting Search Attributes for Users and User Groups

When searching entries for a specified keyword using the ipa user-find keyword and ipa group-find keyword commands, IdM only searches certain attributes. Most notably:
  • In user searches: first name, last name, user name (login ID), job title, organization unit, phone number, UID, email address.
  • In group searches: group name, description.
The following procedure shows how to configure IdM to search other attributes as well. Note that IdM always searches the default attributes. For example, even if you remove the job title attribute from the list of user search attributes, IdM will still search user titles.

Prerequisites

Before adding a new attribute, make sure that a corresponding index exists within the LDAP directory for this attribute. Most standard LDAP attributes have indexes in LDAP, but if you want to add a custom attribute, you must create an index manually. See Creating Standard Indexes in the Directory Server Administration Guide.

Web UI: Setting Search Attributes

  1. Select IPA ServerConfiguration.
  2. In the User Options area, set the user search attributes in User search fields.
  3. In the Group Options area, set the group search attributes in Group search fields.
  4. Click Save at the top of the page.

Command Line: Setting Search Attributes

Use the ipa config-mod command with these options:
  • --usersearch defines a new list of search attributes for users
  • --groupsearch defines a new list of search attributes for groups
For example:
$ ipa config-mod --usersearch={uid,givenname,sn,telephonenumber,ou,title}
$ ipa config-mod --groupsearch={cn,description}

13.6. Defining Automatic Group Membership for Users and Hosts

13.6.1. How Automatic Group Membership Works in IdM

13.6.1.1. What Automatic Group Membership Is

Using automatic group membership, you can assign users and hosts to groups automatically based on their attributes. For example, you can:
  • Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
  • Divide hosts based on their class, location, or any other attribute.
  • Add all users or all hosts to a single global group.

13.6.1.2. Benefits of Automatic Group Membership

Reduced overhead of managing group membership manually
With automatic group membership, the administrator no longer assigns users and hosts to groups manually.
Improved consistency in user and host management
With automatic group membership, users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.
Easier management of group-based settings
Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. When using automatic group membership, users and hosts are automatically added to specified groups, which makes managing group-based settings easier.

13.6.1.3. Automember Rules

When configuring automatic group membership, the administrator defines automember rules. An automember rule applies to a specific user or host group. It includes conditions that the user or host must meet to be included or excluded from the group:
Inclusive conditions
When a user or host entry meets an inclusive condition, it will be included in the group.
Exclusive conditions
When a user or host entry meets an exclusive condition, it will not be included in the group.
The conditions are specified as regular expressions in the Perl-compatible regular expressions (PCRE) format. For more information on PCRE, see the pcresyntax(3) man page.
IdM evaluates exclusive conditions before inclusive conditions. In case of a conflict, exclusive conditions take precedence over inclusive conditions.

13.6.2. Adding an Automember Rule

To add an automember rule using:
After you add an automember rule:

Web UI: Add an Automember Rule

  1. Select IdentityAutomemberUser group rules or Host group rules.
  2. Click Add.
  3. In the Automember rule field, select the group to which the rule will apply. Click Add and Edit.
  4. Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
    1. In the Inclusive or Exclusive sections, click Add.
    2. In the Attribute field, select the required attribute.
    3. In the Expression field, define the regular expression.
    4. Click Add.
    For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
    Adding Automember Rule Conditions

    Figure 13.5. Adding Automember Rule Conditions

Command Line: Add an Automember Rule

  1. Use the ipa automember-add command to add an automember rule. When prompted, specify:
    • Automember rule, which matches the target group name.
    • Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
    For example, to add an automember rule for a user group named user_group:
    $ ipa automember-add
    Automember Rule: user_group
    Grouping Type: group
    --------------------------------
    Added automember rule "user_group"
    --------------------------------
      Automember Rule: user_group
  2. Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
    1. To add a condition, use the ipa automember-add-condition command. When prompted, specify:
      • Automember rule, which matches the target group name.
      • Attribute Key, which specifies the entry attribute to which the filter will apply. For example, manager for users.
      • Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
      • Inclusive regex and Exclusive regex, which specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.
      For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
      $ ipa automember-add-condition
      Automember Rule: user_group
      Attribute Key: uid
      Grouping Type: group
      [Inclusive Regex]: .*
      [Exclusive Regex]:
      ----------------------------------
      Added condition(s) to "user_group"
      ----------------------------------
        Automember Rule: user_group
        Inclusive Regex: uid=.*
      ----------------------------
      Number of conditions added 1
      ----------------------------
    2. To remove a condition, use the ipa automember-remove-condition command.

Example 13.4. Command Line: Creating an Automember Rule to Add All Entries to a Single Group

By creating an inclusive condition for an attribute that all user or host entries contain, such as cn or fqdn, you can ensure that all users or hosts created in the future will be added to a single group.
  1. Create the group, such as a host group named all_hosts. See Section 13.2, “Adding and Removing User or Host Groups”.
  2. Add an automember rule for the new host group. For example:
    $ ipa automember-add
    Automember Rule: all_hosts
    Grouping Type: hostgroup
    -------------------------------------
    Added automember rule "all_hosts"
    -------------------------------------
      Automember Rule: all_hosts
  3. Add an inclusive condition that targets all hosts. In the following example, the inclusive condition targets hosts that have any value (.*) in the fqdn attribute:
    $ ipa automember-add-condition
    Automember Rule: all_hosts
    Attribute Key: fqdn
    Grouping Type: hostgroup
    [Inclusive Regex]: .*
    [Exclusive Regex]:
    ---------------------------------
    Added condition(s) to "all_hosts"
    ---------------------------------
      Automember Rule: all_hosts
      Inclusive Regex: fqdn=.*
    ----------------------------
    Number of conditions added 1
    ----------------------------
All hosts added in the future will automatically become members of the all_hosts group.

Example 13.5. Command Line: Creating an Automember Rule for Synchronized AD Users

Windows users synchronized from Active Directory (AD) share the ntUser object class. By creating an automember condition that targets all users with ntUser in their objectclass attribute, you can ensure that all synchronized AD users created in the future will be included in a common group for AD users.
  1. Create a user group for the AD users, such as ad_users. See Section 13.2, “Adding and Removing User or Host Groups”.
  2. Add an automember rule for the new user group. For example:
    $ ipa automember-add
    Automember Rule: ad_users
    Grouping Type: group
    -------------------------------------
    Added automember rule "ad_users"
    -------------------------------------
      Automember Rule: ad_users
  3. Add an inclusive condition to filter the AD users. In the following example, the inclusive condition targets all users that have the ntUser value in the objectclass attribute:
    $ ipa automember-add-condition
    Automember Rule: ad_users
    Attribute Key: objectclass
    Grouping Type: group
    [Inclusive Regex]: ntUser
    [Exclusive Regex]:
    -------------------------------------
    Added condition(s) to "ad_users"
    -------------------------------------
      Automember Rule: ad_users
      Inclusive Regex: objectclass=ntUser
    ----------------------------
    Number of conditions added 1
    ----------------------------
All AD users added in the future will automatically become members of the ad_users user group.

13.6.3. Applying Automember Rules to Existing Users and Hosts

Automember rules apply automatically to user and hosts entries created after the rules were added. They are not applied retrospectively to entries that existed before the rules were added.
To apply automember rules to entries that existed before you added the rules, manually rebuild automatic membership. Rebuilding automatic membership re-evaluates all existing automember rules and applies them either to all entries or to specific entries.

Web UI: Rebuild Automatic Membership for Existing Entries

To rebuild automatic membership for all users or all hosts:
  1. Select IdentityUsers or Hosts.
  2. Click ActionsRebuild auto membership.
    Rebuilding Automatic Membership for All Users or Hosts

    Figure 13.6. Rebuilding Automatic Membership for All Users or Hosts

To rebuild automatic membership for a single user or host only:
  1. Select IdentityUsers or Hosts, and click on the required user login or host name.
  2. Click ActionsRebuild auto membership.
    Rebuilding Automatic Membership for a Single User or Host

    Figure 13.7. Rebuilding Automatic Membership for a Single User or Host

Command Line: Rebuild Automatic Memberhips for Existing Entries

To rebuild automatic membership for all users, use the ipa automember-rebuild --type=group command:
$ ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (9) entries.
--------------------------------------------------------
To rebuild automatic membership for all users, use the ipa automember-rebuild --type=hostgroup command.
To rebuild automatic membership for a specified user or users, use the ipa automember-rebuild --users=user command:
$ ipa automember-rebuild --users=user1 --users=user2
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
To rebuild automatic membership for a specified host or hosts, use the ipa automember-rebuild --hosts=example.com command.

13.6.4. Configuring a Default Automember Group

When a default automember group is configured, user or host entries that do not match any automember rule are automatically added to the default group.
  1. Use the ipa automember-default-group-set command to configure a default automember group. When prompted, specify:
    • Default (fallback) Group, which specifies the target group name.
    • Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
    For example:
    $ ipa automember-default-group-set
    Default (fallback) Group: default_user_group
    Grouping Type: group
    ---------------------------------------------------
    Set default (fallback) group for automember "default_user_group"
    ---------------------------------------------------
      Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
  2. To verify that the group is set correctly, use the ipa automember-default-group-show command. The command displays the current default automember group. For example:
    $ ipa automember-default-group-show
    Grouping Type: group
      Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
To remove the current default automember group, use the ipa automember-default-group-remove command.

Chapter 14. Unique UID and GID Number Assignments

An IdM server generates user ID (UID) and group ID (GID) values and simultaneously ensures that replicas never generate the same IDs. The need for unique UIDs and GIDs might even be across IdM domains, if a single organization uses multiple separate domains.

14.1. ID Ranges

The UID and GID numbers are divided into ID ranges. By keeping separate numeric ranges for individual servers and replicas, the chances are minimal that an ID value issued for an entry is already used by another entry on another server or replica.
The Distributed Numeric Assignment (DNA) plug-in, as part of the back end 389 Directory Server instance for the domain, ensures that ranges are updated and shared between servers and replicas; the plug-in manages the ID ranges across all masters and replicas. Every server or replica has a current ID range and an additional next ID range that the server or replica uses after the current range has been depleted. For more information about the DNA Directory Server plug-in, see the Red Hat Directory Server Deployment Guide.

14.2. ID Range Assignments During Installation

During server installation, the ipa-server-install command by default automatically assigns a random current ID range to the installed server. The setup script randomly selects a range of 200,000 IDs from a total of 10,000 possible ranges. Selecting a random range in this way significantly reduces the probability of conflicting IDs in case you decide to merge two separate IdM domains in the future.
However, you can define a current ID range manually during server installation by using the following two options with ipa-server-install:
  • --idstart gives the starting value for UID and GID numbers; by default, the value is selected at random,
  • --idmax gives the maximum UID and GID number; by default, the value is the --idstart starting value plus 199,999.
If you have a single IdM server installed, a new user or group entry receives a random ID from the whole range. When you install a new replica and the replica requests its own ID range, the initial ID range for the server splits and is distributed between the server and replica: the replica receives half of the remaining ID range that is available on the initial master. The server and replica then use their respective portions of the original ID range for new entries. Also, if less than 100 IDs from the ID range that was assigned to a replica remain, meaning the replica is close to depleting its allocated ID range, the replica contacts the other available servers with a request for a new ID range.
A server receives an ID range the first time the DNA plug-in is used; until then, the server has no ID range defined. For example, when you create a replica from a master server, the replica does not receive an ID range immediately. The replica requests an ID range from the initial master only when the first ID is about to be assigned on the replica.

Note

If the initial master stops functioning before the replica requests an ID range from it, the replica is unable to contact the master with a request for the ID range. An attempt to add a new user on the replica fails. In such situations, you can find out what ID range is assigned to the disabled master and assign an ID range to the replica manually, which is described in Section 14.5, “Manual ID Range Extension and Assigning a New ID Range”.

14.3. Displaying Currently Assigned ID Ranges

To display which ID ranges are configured for a server, use the following commands:
  • ipa-replica-manage dnarange-show displays the current ID range that is set on all servers or, if you specify a server, only on the specified server, for example:
    # ipa-replica-manage dnarange-show
    masterA.example.com: 1001-1500
    masterB.example.com: 1501-2000
    masterC.example.com: No range set
    
    # ipa-replica-manage dnarange-show masterA.example.com
    masterA.example.com: 1001-1500
  • ipa-replica-manage dnanextrange-show displays the next ID range currently set on all servers or, if you specify a server, only on the specified server, for example:
    # ipa-replica-manage dnanextrange-show
    masterA.example.com: 1001-1500
    masterB.example.com: No on-deck range set
    masterC.example.com: No on-deck range set
    
    # ipa-replica-manage dnanextrange-show masterA.example.com
     masterA.example.com: 1001-1500
For more information about these two commands, see the ipa-replica-manage(1) man page.

14.4. Automatic ID Range Extension After Deleting a Replica

When you delete a functioning replica, the ipa-replica-manage del command retrieves the ID ranges that were assigned to the replica and adds them as a next range to other available IdM replicas. This ensures that ID ranges remain available to be used by other replicas.
After you delete a replica, you can verify which ID ranges are configured for other servers by using the ipa-replica-manage dnarange-show and ipa-replica-manage dnanextrange-show commands, described in Section 14.3, “Displaying Currently Assigned ID Ranges”.

14.5. Manual ID Range Extension and Assigning a New ID Range

In certain situations, it is necessary to manually adjust an ID range:
An assigned ID range has been depleted
A replica has exhausted the ID range that was assigned to it, and requesting additional IDs failed because no more free IDs are available in the ID ranges of other replicas. You want to extend the ID range assigned to the replica. This might involve splitting an existing ID range or extending it past the initial configured ID range for the server. Alternatively, you might want to assign a new ID range.

Note

If you assign a new ID range, the UIDs of the already existing entries on the server or replica stay the same. This does not pose a problem because even if you change the current ID range, IdM keeps a record of what ranges were assigned in the past.
A replica stopped functioning
ID range is not automatically retrieved when a replica dies and needs to be deleted, which means the ID range previously assigned to the replica becomes unavailable. You want to recover the ID range and make it available for other replicas.
If you want to recover the ID range belonging to a server that stopped functioning and assign it to another server, first find out what are the ID range values using the ipa-replica-manage dnarange-show command described in Section 14.3, “Displaying Currently Assigned ID Ranges”, and then manually assign that ID range to the server. Also, to avoid duplicate UIDs or GIDs, make sure that no ID value from the recovered range was previously assigned to a user or group; you can do this by examining the UIDs and GIDs of existent users and groups.
To manually define the ID ranges, use the following two commands:
  • ipa-replica-manage dnarange-set allows you to define the current ID range for a specified server:
    # ipa-replica-manage dnarange-set masterA.example.com 1250-1499
  • ipa-replica-manage dnanextrange-set allows you to define the next ID range for a specified server:
    # ipa-replica-manage dnanextrange-set masterB.example.com 1001-5000
For more information about these commands, see the ipa-replica-manage(1) man page.

Important

Be careful not to create overlapping ID ranges. If any of the ID ranges you assign to servers or replicas overlap, it could result in two different servers assigning the same ID value to different entries.
Do not set ID ranges that include UID values of 1000 and lower; these values are reserved for system use. Also, do not set an ID range that would include the 0 value; the SSSD service does not handle the 0 ID value.
When extending an ID range manually, make sure that the newly extended range is included in the IdM ID range; you can check this using the ipa idrange-find command. Run the ipa idrange-find -h command to display help for how to use ipa idrange-find.

14.6. Ensuring That ID Values Are Unique

It is recommended to avoid conflicting UIDs or GIDs. UIDs and GIDs should always be unique: two users should not have the same UID, and two groups should not have the same GID.
Automatic ID assignment
When a user or a group is created interactively or without a manually specified ID number, the server assigns the next available ID number from the ID range to the user account. This ensures that the UID or GID is always unique.
Manual ID assignment
When you assign an ID to a user or a group entry manually, the server does not verify that the specified UID or GID is unique; it does not warn you of a conflict if you choose a value that is already used by another entry.
As explained in Section 14.7, “Repairing Changed UID and GID Numbers”, the SSSD service does not handle entries with identical IDs. If two entries share the same ID number, a search for this ID only returns the first entry. However, if you search for other attributes or run the ipa user-find --all command, both entries are returned.
UIDs and GIDs are both selected from the same ID range. A user and a group can have the same ID; no conflict arises in this situation because the UID and the GID are set in two different attributes: uidNumber and gidNumber.

Note

Setting the same ID for both a user and a group allows you to configure user private groups. To create a unique system group for a user in this way, set the same ID value for a user and also for a group, in which the only member is the mentioned user.

14.7. Repairing Changed UID and GID Numbers

When a user logs into an IdM system or service, SSSD on that system caches their user name together with the UID and GID of the user. SSSD then uses the UID as the identifying key for the user. If a user with the same user name but a different UID attempts to log into the system, SSSD registers two different UIDs and assumes that there are two different users with conflicting user names. This can pose a problem if a UID of a user changes. In such a situation, SSSD incorrectly interprets the user with a modified UID as a new user, instead of recognizing that it as the same user with a different UID. If the UID of an existing user changes, the user cannot log into SSSD and associated services and domains. This also affects client applications that use SSSD for identity information.
To work around this problem, if a UID or GID changes, clear the SSSD cache, which ensures that the user is able to log in again. For example, to clear the SSSD cache for a specified user, use the sss_cache utility as follows:
[root@server ~]# sss_cache -u user

Chapter 15. User and Group Schema

When a user entry is created, it is automatically assigned certain LDAP object classes which, in turn, make available certain attributes. LDAP attributes are the way that information is stored in the directory. (This is discussed in detail in the Directory Server Deployment Guide and the Directory Server Schema Reference.)

Table 15.1. Default Identity Management User Object Classes

Description Object Classes
IdM object classes
ipaobject
ipasshuser
Person object classes
person
organizationalperson
inetorgperson
inetuser
posixAccount
Kerberos object classes
krbprincipalaux
krbticketpolicyaux
Managed entries (template) object classes mepOriginEntry
A number of attributes are available to user entries. Some are set manually and some are set based on defaults if a specific value is not set. There is also an option to add any attributes available in the object classes in Table 15.1, “Default Identity Management User Object Classes”, even if there is not a UI or command-line argument for that attribute. Additionally, the values generated or used by the default attributes can be configured, as in Section 15.4, “Specifying Default User and Group Attributes”.

Table 15.2. Default Identity Management User Attributes

UI Field Command-Line Option Required, Optional, or Default[a]
User login username Required
First name --first Required
Last name --last Required
Full name --cn Optional
Display name --displayname Optional
Initials --initials Default
Home directory --homedir Default
GECOS field --gecos Default
Shell --shell Default
Kerberos principal --principal Default
Email address --email Optional
Password --password [b] Optional
User ID number --uid Default
Group ID number --gidnumber Default
Street address --street Optional
City --city Optional
State/Province --state Optional
Zip code --postalcode Optional
Telephone number --phone Optional
Mobile telephone number --mobile Optional
Pager number --pager Optional
Fax number --fax Optional
Organizational unit --orgunit- Optional
Job title --title Optional
Manager --manager Optional
Car license --carlicense Optional
--noprivate Optional
SSH Keys --sshpubkey Optional
Additional attributes --addattr Optional
[a] Required attributes must be set for every entry. Optional attributes may be set, while default attributes are automatically added with a predefined value unless a specific value is given.
[b] The script prompts for the new password, rather than accepting a value with the argument.

15.1. About Changing the Default User and Group Schema

It is possible to add or change the object classes and attributes used for user and group entries (Chapter 15, User and Group Schema).
The IdM configuration provides some validation when object classes are changed:
  • All of the object classes and their specified attributes must be known to the LDAP server.
  • All default attributes that are configured for the entry must be supported by the configured object classes.
There are limits to the IdM schema validation, however. Most important, the IdM server does not check that the defined user or group object classes contain all of the required object classes for IdM entries. For example, all IdM entries require the ipaobject object class. However, when the user or group schema is changed, the server does not check to make sure that this object class is included; if the object class is accidentally deleted, then future entry add operations will fail.
Also, all object class changes are atomic, not incremental. The entire list of default object classes has to be defined every time there is a change. For example, a company may create a custom object class to store employee information like birthdays and employment start dates. The administrator cannot simply add the custom object class to the list; he must set the entire list of current default object classes plus the new object class. The existing default object classes must always be included when the configuration is updated. Otherwise, the current settings will be overwritten, which causes serious performance problems.

15.2. Applying Custom Object Classes to New User Entries

User and group accounts are created with a predefined set of LDAP object classes applied to the entry. Any attributes which belong to the object class can be added to the user entry.
While the standard and IdM-specific LDAP object classes will cover most deployment scenarios, administrators may have custom object classes with custom attributes which should be applied to user entries.

15.2.1. From the Web UI

  1. Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
  2. Open the IPA Server tab.
  3. Select the Configuration subtab.
  4. Scroll to the User Options area.
    User Options in Server Configuration

    Figure 15.1. User Options in Server Configuration

  5. At the bottom of the users area, click Add to include a new field for another object class.

    Important

    Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
    Changing Default User Object Classes

    Figure 15.2. Changing Default User Object Classes

  6. When the changes are complete, click Save at the top of the Configuration page.

15.2.2. From the Command Line

  1. Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
  2. Add the new object class to the list of object classes added to entries. The option for user object classes is --userobjectclasses.

    Important

    Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
    All object classes must be included in the list of object classes. The information passed with the config-mod command overwrites the previous values. This can be done by specifying each object class with a --userobjectclasses argument or by listing all of the object classes in a comma-separated list inside curly braces, such as {attr1,attr2,attr3}. For long lists, it can be easier to use the curly braces than multiple options. For example:
    [bjensen@server ~]$ ipa config-mod --userobjectclasses={top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,employeeinfo}

15.3. Applying Custom Object Classes to New Group Entries

As with user entries, administrators may have custom object classes with custom attributes which should be applied to group entries. These can be added automatically by adding the object classes to the IdM server configuration.

15.3.1. From the Web UI

  1. Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
  2. Open the IPA Server tab.
  3. Select the Configuration subtab.
  4. Scroll to the Group Options area.
    Group Options in Server Configuration

    Figure 15.3. Group Options in Server Configuration

  5. Click Add to include a new field for another object class.

    Important

    Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
  6. When the changes are complete, click Save at the top of the Configuration page.

15.3.2. From the Command Line

  1. Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
  2. Add the new object class to the list of object classes added to entries. The option for group object classes is --groupobjectclasses.

    Important

    Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
    All object classes must be included in the list of object classes. The information passed with the config-mod command overwrites the previous values. This can be done by specifying each object class with a --groupobjectclasses argument or by listing all of the object classes in a comma-separated list inside curly braces, such as {attr1,attr2,attr3}. For long lists, it can be easier to use the curly braces than multiple options. For example:
    [bjensen@server ~]$ ipa config-mod --groupobjectclasses={top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup}

15.4. Specifying Default User and Group Attributes

Identity Management uses a template when it creates new entries.
For users, the template is very specific. Identity Management uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes (such as the home directory location) or it can define the format of attribute values, such as the user name length. These settings also define the object classes assigned to users.
For groups, the template only defines the assigned object classes.
These default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.
The configuration can be changed using the ipa config-mod command.

Table 15.3. Default User Parameters

Field Command-Line Option Descriptions
Maximum user name length --maxusername Sets the maximum number of characters for user names. The default value is eight.
Root for home directories --homedirectory Sets the default directory to use for user home directories. The default value is /home.
Default shell --defaultshell Sets the default shell to use for users. The default value is /bin/sh.
Default user group --defaultgroup Sets the default group to which all newly created accounts are added. The default value is ipausers, which is automatically created during the IdM server installation process.
Default e-mail domain --emaildomain Sets the email domain to use to create email addresses based on the new accounts. The default is the IdM server domain.
Search time limit --searchtimelimit Sets the maximum amount of time, in seconds, to spend on a search before the server returns results.
Search size limit --searchrecordslimit Sets the maximum number of records to return in a search.
User search fields --usersearch Sets the fields in a user entry that can be used as a search string. Any attribute listed has an index kept for that attribute, so setting too many attributes could affect server performance.
Group search fields --groupsearch Sets the fields in a group entry that can be used as a search string.
Certificate subject base Sets the base DN to use when creating subject DNs for client certificates. This is configured when the server is set up.
Default user object classes --userobjectclasses Defines an object class that is used to create IdM user accounts. This can be invoked multiple times. The complete list of object classes must be given because the list is overwritten when the command is run.
Default group object classes --groupobjectclasses Defines an object class that is used to create IdM group accounts. This can be invoked multiple times. The complete list of object classes must be given because the list is overwritten when the command is run.
Password expiration notification --pwdexpnotify Sets how long, in days, before a password expires for the server to send a notification.
Password plug-in features Sets the format of passwords that are allowed for users.

15.4.1. Viewing Attributes from the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. The complete configuration entry is shown in three sections, one for all search limits, one for user templates, and one for group templates.
    Setting Search Limits

    Figure 15.4. Setting Search Limits

    User Attributes

    Figure 15.5. User Attributes

    Group Attributes

    Figure 15.6. Group Attributes

15.4.2. Viewing Attributes from the Command Line

The config-show command shows the current configuration which applies to all new user accounts. By default, only the most common attributes are displayed; use the --all option to show the complete configuration.
[bjensen@server ~]$ kinit admin
[bjensen@server ~]$ ipa config-show --all
dn: cn=ipaConfig,cn=etc,dc=example,dc=com 
Maximum username length: 32 
Home directory base: /home 
Default shell: /bin/sh 
Default users group: ipausers 
Default e-mail domain: example.com 
Search time limit: 2 
Search size limit: 100 
User search fields: uid,givenname,sn,telephonenumber,ou,title 
Group search fields: cn,description 
Enable migration mode: FALSE 
Certificate Subject base: O=EXAMPLE.COM 
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject 
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser 
Password Expiration Notification (days): 4 
Password plugin features: AllowNThash 
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 
Default SELinux user: unconfined_u:s0-s0:c0.c1023 
Default PAC types: MS-PAC, nfs:NONE 
cn: ipaConfig 
objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject

Chapter 16. ID Views

ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
For example, you can use ID views to:

Important

You can apply ID views only to IdM clients, not to IdM servers.

Potential Negative Impact on SSSD Performance

Applying an ID view can have a negative impact on SSSD performance, because certain optimizations and ID views cannot run at the same time. For example, ID views prevent SSSD from optimizing the process of looking up groups on the server:
  • With ID views, SSSD must check every member on the returned list of group member names if the group name is overridden.
  • Without ID views, SSSD can only collect the user names from the member attribute of the group object.
This negative effect mostly becomes apparent when the SSSD cache is empty or after clearing the cache, which makes all entries invalid.

Additional Resources

ID views also have several use cases in environments involving Active Directory. For details, see the ID Views and Migrating Existing Environments to Trust chapter in the Windows Integration Guide.

16.1. Attributes an ID View Can Override

ID views consist of user and group ID overrides. The overrides define the new attribute values.
User and group ID overrides can define new values for the following attributes:
User attributes
  • Login name (uid)
  • GECOS entry (gecos)
  • UID number (uidNumber)
  • GID number (gidNumber)
  • Login shell (loginShell)
  • Home directory (homeDirectory)
  • SSH public keys (ipaSshPubkey)
  • Certificate (userCertificate)
Group attributes
  • Group name (cn)
  • Group GID number (gidNumber)

16.2. Getting Help for ID View Commands

To display all commands used to manage ID views and overrides:
$ ipa help idviews
To display detailed help for a particular command, add the --help option to the command:
$ ipa idview-add --help

16.3. Defining a Different Attribute Value for a User Account on Different Hosts

An administrator can create multiple ID views that override an attribute value used by a user account and apply these ID views to different client hosts. Example: A service account is configured to use different SSH public keys when authenticating on different hosts.
This section includes the following procedures:
The procedures show how to create an ID view for a client host named host1.example.com. To override the attribute values on the other hosts as well, use the procedures to create multiple ID views, one for each host.
In the following procedures:
  • user is the user account whose attribute needs to be overridden
  • host1.example.com is the host on which the ID view will be applied

Important

After you create a new ID view, restart SSSD on all clients where the ID view is applied.
If the new ID view changes a UID or GID, clear the SSSD cache on these clients as well.

16.3.1. Web UI: Overriding an Attribute Value for a Specific Host

Before managing ID views, log in to the IdM web UI as a user with the required privileges, such as admin.

Creating a New ID View

  1. Under the IPA Server tab, select the ID Views subtab.
  2. Click Add and provide a name for the ID view.
    Adding an ID View

    Figure 16.1. Adding an ID View

  3. Click Add to confirm.
The new ID view is now displayed in the list of ID views.
List of ID Views

Figure 16.2. List of ID Views

Adding a User Override to the ID View

  1. In the list of ID views, click the name of the ID view.
    Editing an ID View

    Figure 16.3. Editing an ID View

  2. Under the Users tab, click Add to add the user override.
  3. Select the user account whose attribute value to override, and click Add.
The user override is now displayed on the example_for_host1 ID view page.
List of Overrides

Figure 16.4. List of Overrides

Specifying the Attribute to Override

  1. Click the override that you want to use to change the attribute value.
    Editing an Override

    Figure 16.5. Editing an Override

  2. Define the new value for the attribute.
    For example, to override the SSH public key used by the user account:
    1. Click SSH public keys: Add.
      Adding an SSH Public Key

      Figure 16.6. Adding an SSH Public Key

    2. Paste in the public key.

    Note

    For details on adding SSH keys to IdM, see Section 11.4, “Managing Public SSH Keys for Users”.
  3. Click Save to update the override.

Applying the ID View to a Specific Host

  1. In the list of ID views, click the name of the ID view.
    Editing an ID View

    Figure 16.7. Editing an ID View

  2. Under the Hosts tab, click Apply to hosts.
  3. Select the host1.example.com host, and move it to the Prospective column.
  4. Click Apply.
The host is now displayed in the list of hosts to which the ID view applies.
Listing Hosts to Which an ID View Applies

Figure 16.8. Listing Hosts to Which an ID View Applies

16.3.2. Command Line: Overriding an Attribute Value for a Specific Host

Before managing ID views, request a ticket for a user with the required privileges. For example:
$ kinit admin
  1. Create a new ID view. For example, the create an ID view named example_for_host1:
    $ ipa idview-add example_for_host1
    ---------------------------
    Added ID View "example_for_host1"
    ---------------------------
      ID View Name: example_for_host1
  2. Add a user override to the example_for_host1 ID view. The ipa idoverrideuser-add command requires the name of the ID view and the user to override.
    • To specify the new attribute value, add the corresponding command-line option as well. For a list of the available options, run ipa idoverrideuser-add --help. For example, use the --sshpubkey option to override the SSH public key value:
      $ ipa idoverrideuser-add example_for_host1 user --sshpubkey="ssh-rsa AAAAB3NzaC1yrRqFE...gWRL71/miPIZ user@example.com"
      -----------------------------
      Added User ID override "user"
      -----------------------------
        Anchor to override: user
        SSH public key: ssh-rsa
                        AAAB3NzaC1yrRqFE...gWRL71/miPIZ
      		  user@example.com

      Note

      For details on adding SSH keys to IdM, see Section 11.4, “Managing Public SSH Keys for Users”.
    • The ipa idoverrideuser-add --certificate command replaces all existing certificates for the account in the specified ID view. To append an additional certificate, use the ipa idoverrideuser-add-cert command instead:
      $ ipa idoverrideuser-add-cert example_for_host1 user --certificate="MIIEATCC..."
    • Using the ipa idoverrideuser-mod command, you can also specify new attribute values for an existing user override.
  3. Apply example_for_host1 to the host1.example.com host:
    $ ipa idview-apply example_for_host1 --hosts=host1.example.com
    -----------------------------
    Applied ID View "example_for_host1"
    -----------------------------
    hosts: host1.example.com
    ---------------------------------------------
    Number of hosts the ID View was applied to: 1
    ---------------------------------------------

    Note

    The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

Chapter 17. Managing Services

Some services that run on a host can also belong to the IdM domain. Any service that can store a Kerberos principal or an SSL certificate (or both) can be configured as an IdM service. Adding a service to the IdM domain allows the service to request an SSL certificate or keytab from the domain. (Only the public key for the certificate is stored in the service record. The private key is local to the service.)
An IdM domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine which belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. An IdM domain (as described in Chapter 1, Introduction to Red Hat Identity Management) provides three main services specifically for machines:
  • DNS
  • Kerberos
  • Certificate management

17.1. Adding and Editing Service Entries and Keytabs

As with host entries, service entries for the host (and any other services on that host which will belong to the domain) must be added manually to the IdM domain. This is a two step process. First, the service entry must be created, and then a keytab must be created for that service which it will use to access the domain.
By default, Identity Management saves its HTTP keytab to /etc/httpd/conf/ipa.keytab.

Note

This keytab is used for the web UI. If a key were stored in ipa.keytab and that keytab file is deleted, the IdM web UI will stop working, because the original key would also be deleted.
Similar locations can be specified for each service that needs to be made Kerberos aware. There is no specific location that must be used, but, when using ipa-getkeytab, you should avoid using /etc/krb5.keytab. This file should not contain service-specific keytabs; each service should have its keytab saved in a specific location and the access privileges (and possibly SELinux rules) should be configured so that only this service has access to the keytab.

17.1.1. Adding Services and Keytabs from the Web UI

  1. Open the Identity tab, and select the Services subtab.
  2. Click the Add button at the top of the services list.
  3. Select the service type from the drop-down menu, and give it a name.
  4. Select the host name of the IdM host on which the service is running. The host name is used to construct the full service principal name.
  5. Click the Add button to save the new service principal.
  6. Use the ipa-getkeytab command to generate and assign the new keytab for the service principal.
    [root@ipaserver ~]# # ipa-getkeytab -s ipaserver.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e aes256-cts
    • The realm name is optional. The IdM server automatically appends the Kerberos realm for which it is configured. You cannot specify a different realm.
    • The host name must resolve to a DNS A record for it to work with Kerberos. You can use the --force flag to force the creation of a principal should this prove necessary.
    • The -e argument can include a list of encryption types to include in the keytab. This supersedes any default encryption type. Lists of entries can be set by using the option multiple times with the same command invocation or by listing the options in a comma-separated list inside curly braces, such as --option={val1,val2,val3}.

    Warning

    Creating a new key resets the secret for the specified principal. This means that all other keytabs for that principal are rendered invalid.

17.1.2. Adding Services and Keytabs from the Command Line

  1. Create the service principal. The service is recognized through a name like service/FQDN:
    # ipa service-add serviceName/hostname
    For example:
    $ ipa service-add HTTP/server.example.com
    -------------------------------------------------------
    Added service "HTTP/server.example.com@EXAMPLE.COM"
    -------------------------------------------------------
      Principal: HTTP/server.example.com@EXAMPLE.COM
      Managed by: ipaserver.example.com
    
  2. Create the service keytab file using the ipa-getkeytab command. This command is run on the client in the IdM domain. (Actually, it can be run on any IdM server or client, and then the keys copied to the appropriate machine. However, it is simplest to run the command on the machine with the service being created.)
    The command requires the Kerberos service principal (-p), the IdM server name (-s), the file to write (-k), and the encryption method (-e). Be sure to copy the keytab to the appropriate directory for the service.
    For example:
    # ipa-getkeytab -s server.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e aes256-cts
    • The realm name is optional. The IdM server automatically appends the Kerberos realm for which it is configured. You cannot specify a different realm.
    • The host name must resolve to a DNS A record for it to work with Kerberos. You can use the --force flag to force the creation of a principal should this prove necessary.
    • The -e argument can include a comma-separated list of encryption types to include in the keytab. This supersedes any default encryption type. Lists of entries can be set by using the option multiple times with the same command invocation or by listing the options in a comma-separated list inside curly braces, such as --option={val1,val2,val3}.

    Warning

    The ipa-getkeytab command resets the secret for the specified principal. This means that all other keytabs for that principal are rendered invalid.

17.2. Configuring Clustered Services

The IdM server is not cluster aware. However, it is possible to configure a clustered service to be part of IdM by synchronizing Kerberos keys across all of the participating hosts and configuring services running on the hosts to respond to whatever names the clients use.
  1. Enroll all of the hosts in the cluster into the IdM domain.
  2. Create any service principals and generate the required keytabs.
  3. Collect any keytabs that have been set up for services on the host, including the host keytab at /etc/krb5.keytab.
  4. Use the ktutil command to produce a single keytab file that contains the contents of all of the keytab files.
    1. For each file, use the rkt command to read the keys from that file.
    2. Use the wkt command to write all of the keys which have been read to a new keytab file.
  5. Replace the keytab files on each host with the newly-created combined keytab file.
  6. At this point, each host in this cluster can now impersonate any other host.
  7. Some services require additional configuration to accommodate cluster members which do not reset host names when taking over a failed service.
    • For sshd, set GSSAPIStrictAcceptorCheck no in /etc/ssh/sshd_config.
    • For mod_auth_kerb, set KrbServiceName Any in /etc/httpd/conf.d/auth_kerb.conf.

Note

For SSL servers, the subject name or a subject alternative name for the server's certificate must appear correct when a client connects to the clustered host. If possible, share the private key among all of the hosts.
If each cluster member contains a subject alternative name which includes the names of all the other cluster members, that satisfies any client connection requirements.

17.3. Using the Same Service Principal for Multiple Services

Within a cluster, the same service principal can be used for multiple services, spread across different machines.
  1. Retrieve a service principal using the ipa-getkeytab command.
    # ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e aes256-cts
  2. Either direct multiple servers or services to use the same file, or copy the file to individual servers as required.

17.4. Retrieve Existing Keytabs for Multiple Servers

In some scenarios, like in a cluster environment, the same keytab file is required for a service represented on one common host name by different machines. IdM commands can be used to retrieve the same keytab on each of the hosts.
To prepare the common host name and the service principal, run the following commands on an IdM server:
  1. Authenticate as admin user:
    [root@ipaserver ~]# kinit admin
  2. Add a common forward DNS record for all IP addresses that share this host name:
    [root@ipaserver ~]# ipa dnsrecord-add idm.example.com cluster --a-rec={192.0.2.40,192.0.2.41}
      Record name: cluster
        A record: 192.0.2.40, 192.0.2.41
  3. Create a new host entry object for the common DNS name:
    [root@ipaserver ~]# ipa host-add cluster.idm.example.com
    ------------------------------------
    Added host "cluster.idm.example.com"
    ------------------------------------
      Host name: cluster.idm.example.com
      Principal name: host/cluster.idm.example.com@IDM.EXAMPLE.COM
      Password: False
      Keytab: False
      Managed by: cluster.idm.example.com
  4. Add the service principal for the host:
    [root@ipaserver ~]# ipa service-add HTTP/cluster.idm.example.com
    ------------------------------------------------------------
    Added service "HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM"
    ------------------------------------------------------------
      Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
      Managed by: cluster.idm.example.com
  5. Add the hosts to the service, that should be able to retrieve the keytab from IdM:
    [root@ipaserver ~]# ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
      Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
      Managed by: cluster.idm.example.com
      Hosts allowed to retrieve keytab: node01.idm.example.com, node02.idm.example.com
    -------------------------
    Number of members added 2
    -------------------------
  6. Grant permission to create a new keytab to one host:
    [root@ipaserver ~]# ipa service-allow-create-keytab HTTP/cluster.idm.example.com --hosts=node01.idm.example.com
    Principal: HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
    Managed by: cluster.idm.example.com
    Hosts allowed to retrieve keytab: node01.idm.example.com, node02.idm.example.com
    Hosts allowed to create keytab: node01.idm.example.com
    -------------------------
    Number of members added 1
    -------------------------
On the clients, follow these steps:
  1. Authenticate with the hosts Kerberos keytab:
    # kinit -kt /etc/krb5.keytab
    1. On the client you granted the respective permission to, generate a new keytab and store it in a file:
      [root@node01 ~]# ipa-getkeytab -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab
    2. On all other clients, retrieve the existing keytab from the IdM server by adding the -r option to the command:
      [root@node02 ~]# ipa-getkeytab -r -s ipaserver.idm.example.com -p HTTP/cluster.idm.example.com -k /tmp/client.keytab

      Warning

      Be aware that if you omit the -r option, a new keytab will be generated. This invalidates all previously retrieved keytabs for this service principal.

17.5. Disabling and Re-enabling Service Entries

Active services can be accessed by other services, hosts, and users within the domain. There can be situations when it is necessary to remove a host or a service from activity. However, deleting a service or a host removes the entry and all the associated configuration, and it removes it permanently.

17.5.1. Disabling Service Entries

Disabling a service prevents domain users from access it without permanently removing it from the domain. This can be done by using the service-disable command.
For a service, specify the principal for the service. For example:
[jsmith@ipaserver ~]$ kinit admin
[jsmith@ipaserver ~]$ ipa service-disable HTTP/server.example.com

Important

Disabling a host entry not only disables that host. It disables every configured service on that host as well.

17.5.2. Re-enabling Services

Disabling a service essentially kills its current, active keytabs. Removing the keytabs effectively removes the service from the IdM domain without otherwise touching its configuration entry.
To re-enable a service, simply use the ipa-getkeytab command. The -s option sets which IdM server to request the keytab, -p gives the principal name, and -k gives the file to which to save the keytab.
For example, requesting a new HTTP keytab:
[root@ipaserver ~]# ipa-getkeytab -s ipaserver.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e aes256-cts

Chapter 18. Delegating User Access to Hosts and Services

Manage means being able to retrieve a keytab and certificates for another host or service. Every host and service has a managedby entry which lists what hosts or services can manage it. By default, a host can manage itself and all of its services. It is also possible to allow a host to manage other hosts, or services on other hosts, by updating the appropriate delegations or providing a suitable managedby entry.
An IdM service can be managed from any IdM host, as long as that host has been granted, or delegated, permission to access the service. Likewise, hosts can be delegated permissions to other hosts within the domain.
Host and Service Delegation

Figure 18.1. Host and Service Delegation

Note

If a host is delegated authority to another host through a managedBy entry, it does not mean that the host has also been delegated management for all services on that host. Each delegation has to be performed independently.

18.1. Delegating Service Management

A host is delegated control over a service using the service-add-host command. There are two parts to delegating the service: specifying the principal and identifying the hosts with the control:
# ipa service-add-host principal --hosts=hostnames
For example:
[root@server ~]# ipa service-add-host HTTP/web.example.com --hosts=client1.example.com
Once the host is delegated authority, the host principal can be used to manage the service:
[root@server ~]# kinit -kt /etc/krb5.keytab host/`hostname`
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p HTTP/web.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab
To create a ticket for this service, create a certificate request on the host with the delegated authority and use the cert-request command to create a service entry and load the certification information:
[root@server ~]# ipa cert-request --add --principal=HTTP/web.example.com web.csr
  Certificate: MIICETCCAXqgA...[snip]
  Subject: CN=web.example.com,O=EXAMPLE.COM
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Tue Feb 08 18:51:51 2011 UTC
  Not After: Mon Feb 08 18:51:51 2016 UTC
  Fingerprint (MD5): c1:46:8b:29:51:a6:4c:11:cd:81:cb:9d:7c:5e:84:d5
  Fingerprint (SHA1):
  01:43:bc:fa:b9:d8:30:35:ee:b6:54:dd:a4:e7:d2:11:b1:9d:bc:38
  Serial number: 1005
For more information on creating certificate requests and using ipa cert-request, see Section 20.1.1, “Requesting New Certificates for a User, Host, or Service”.

18.2. Delegating Host Management

Hosts are delegated authority over other hosts through the host-add-managedby command. This creates a managedby entry. Once the managedby entry is created, then the host can retrieve a keytab for the host it has delegated authority over.
  1. Log in as the admin user.
    [root@server ~]# kinit admin
  2. Add the managedby entry. For example, this delegates authority over client2 to client1.
    [root@server ~]# ipa host-add-managedby client2.example.com --hosts=client1.example.com
  3. Obtain a ticket as the host client1 and then retrieve a keytab for client2:
    [root@server ~]# kinit -kt /etc/krb5.keytab host/`hostname`
    [root@server ~]# ipa-getkeytab -s `hostname` -k /tmp/client2.keytab -p host/client2.example.com
    Keytab successfully retrieved and stored in: /tmp/client2.keytab

18.3. Delegating Host or Service Management in the Web UI

Each host and service entry has a configuration tab that indicates what hosts have been delegated management control over that host or service.
  1. Open the Identity tab, and select the Hosts or Services subtab.
  2. Click the name of the host or service that you are going to grant delegated management to.
  3. Click the Hosts subtab on the far right of the host/service entry. This is the tab which lists hosts that can manage the selected host/service.
    Host Subtab

    Figure 18.2. Host Subtab

  4. Click the Add link at the top of the list.
  5. Click the check box by the names of the hosts to which to delegate management for the host/service. Click the right arrow button, >, to move the hosts to the selection box.
    Host/Service Delegation Management

    Figure 18.3. Host/Service Delegation Management

  6. Click the Add button to close the selection box and to save the delegation settings.

18.4. Accessing Delegated Services

For both services and hosts, if a client has delegated authority, it can obtain a keytab for that principal on the local machine. For services, this has the format service/hostname@REALM. For hosts, the service is host.
With kinit, use the -k option to load a keytab and the -t option to specify the keytab.
For example, to access a host:
[root@server ~]# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
To access a service:
[root@server ~]# kinit -kt /etc/httpd/conf/krb5.keytab HTTP/ipa.example.com@EXAMPLE.COM

Chapter 19. Performance Tuning for Bulk Provisioning of Entries

Adding a large number of entries using the usual workflow, such as Chapter 10, Managing User Accounts for adding users, can be very slow. This chapter describes how to tune the process to ensure the provisioning is completed as quickly as possible.
As part of the procedure:
  • Identity Management (IdM) reads entries to be provisioned from an LDIF file and then imports them to the target IdM LDAP instance.
  • The administrator sets custom values for certain attributes, such as cache sizes, and disables the MemberOf and Schema Compatibility plug-ins. The procedure includes running the fixup-memberof.pl plug-in on the provisioned entries to compensate for disabling MemberOf.
This procedure has been designed and tested to provision the following entry types: user, user group, host, host group, sudo rules, and host-based access control (HBAC) rules.

Recommendations and Prerequisites for Bulk Provisioning

Recommendations:
  • When provisioning a large number of entries (10,000 or more), do not allow any LDAP client to access the server on which the entries are provisioned or to rely on the information from the server. For example, you can achieve this by disabling ports 389 and 636 on the server and using LDAPI to work over Unix sockets.
    Reason: The MemberOf plug-in is disabled on the server, which means that membership information on the server is not valid.
  • Stop applications that are not required to be running during the provisioning.
    Reason: This helps free as much memory on the machine as possible. The free memory will be used by the file system cache, thus improving the performance of the provisioning.
    Note that the procedure below already includes steps to stop the IdM services, and restart only the Directory Server (DS) instance. IdM services, especially tomcat, consume a lot of memory, but are not used during the provisioning.
  • Run the procedure on a fresh IdM deployment with only one server. Create replicas only after the provisioning has been completed.
    Reason: The provisioning throughput is much faster than replication. In a deployment with more that one server, information on the replicas would become significantly outdated.
Prerequisites:
  • Generate an LDIF file containing the entries you want to provision. For example, if you are migrating an existing IdM deployment, create the LDIF file by exporting all the entries using the ldapsearch utility.
    For details on the LDIF format, see About the LDIF File Format in the Red Hat Directory Server Administration Guide.

Backing up the Current DS Tuning Parameter Values

  1. Retrieve the current values for the DS tuning parameters:
    • the database cache size and database locks:
      # ldapsearch -D "cn=directory manager" -w secret -b "cn=config,cn=ldbm database,cn=plugins,cn=config" nsslapd-dbcachesize nsslapd-db-locks
      						
      ...
      nsslapd-dbcachesize: 10000000
      nsslapd-db-locks: 50000
      ...
    • the entry cache size and DN cache size:
      # ldapsearch -D "cn=directory manager" -w secret -b "cn=userRoot,cn=ldbm database,cn=plugins,cn=config" nsslapd-cachememsize nsslapd-dncachememsize
      
      ...
      nsslapd-cachememsize: 10485760
      nsslapd-dncachememsize: 10485760
      ...
  2. Make note of the obtained values. You will reset the parameters back to these values after you finish the provisioning.

Adjusting the Database, Domain Entry, and DN Cache Size

For the database cache size:
  1. Determine the required value.
    The recommended value is typically between 200 MB and 500 MB. The value appropriate for your use case depends on the memory available on your system:
    • More than 8 GB of memory → 500 MB
    • 8 GB - 4 GB of memory → 200 MB
    • Less than 4 GB of memory → 100 MB
  2. Set the determined value by using this template:
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-dbcachesize
    nsslapd-dbcachesize: db_cache_size_in_bytes
    For an example of modifying LDAP attributes using the ldapmodify utility, see Example 19.1, “Using ldapmodify to Change an LDAP Attribute”.

Example 19.1. Using ldapmodify to Change an LDAP Attribute

  1. Run the ldapmodify command, and then add the statements to modify the attribute value. For example:
    # ldapmodify -D "cn=directory manager" -w secret -x
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-dbcachesize
    nsslapd-dbcachesize: 200000000
  2. Press Ctrl+D to confirm and send the changes to the server. If the operation finishes successfully, the following message is displayed:
    modifying entry "cn=config,cn=ldbm database,cn=plugins,cn=config"
For the domain entry cache size:
  1. Determine the required value.
    The recommended value is between 100 MB and 400 MB. The appropriate value depends on the memory available on your system:
    • More than 4 GB of memory → 400 MB
    • 2 GB - 4 GB of memory → 200 MB
    • Less than 2 GB of memory → 100 MB
    If you are provisioning a large static group, it is recommended that the entry cache is large enough to fit all entries: groups and members.
  2. Set the determined value by using this template:
    dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-cachememsize
    nsslapd-cachememsize: entry_cache_size_in_bytes
For the domain name (DN) cache size:
  1. For the best possible performance, it is recommended that the DN cache fits all the DNs of the provisioned entries. To estimate the value appropriate for your use case:
    1. Determine the number of all DN entries in the file. The DN entries are on lines starting with dn: . For example, using # grep, sed, and wc:
      # grep '^dn: ' ldif_file | sed 's/^dn: //' | wc -l
      92200
    2. Determine the size of all DN entry strings in the LDIF file.
      # grep '^dn: ' ldif_file | sed 's/^dn: //' | wc -c
      9802460
    3. Get the average DN size: divide the size of all DN entry strings by the number of all the DN entries in the file.
      For example: 9,802,460 / 92,200 ≈ 106
    4. Get the average memory size: multiple the average DN size by 2, and then add 32 to the result.
      For example: (106 * 2) + 32 = 244
    5. Get the appropriate DN cache size: multiply the average memory size by the total number of DN entries in the LDIF file.
      For example: 244 * 92,200 = 22,496,800
  2. Set the determined value by using this template:
    dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    Replace: nsslapd-dncachememsize
    Nsslapd-dncachememsize: dn_cache_size

Disabling Unnecessary Services and Adjusting Database Locks

  1. Disable the MemberOf and Schema Compatibility plug-ins:
    dn: cn=MemberOf Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
    dn: cn=Schema Compatibility,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
    Disabling MemberOf significantly speeds up the provisioning. Disabling Schema Compatibility also helps reduce the duration of the operation.
    For an example of modifying LDAP attributes using the ldapmodify utility, see Example 19.1, “Using ldapmodify to Change an LDAP Attribute”.
  2. If no replicas are installed in your topology (as recommended in Section 19, “Recommendations and Prerequisites for Bulk Provisioning”), disable the Content Synchronization and Retro Changelog plug-ins:
    dn: cn=Content Synchronization,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
    dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: off
    Disabling these additional plug-ins helps improve the performance of the provisioning.
  3. Stop the IdM server. This also stops the DS instance.
    # ipactl stop
    Stopping DS is required to set the number of database locks in the next step. You will restart it again later.
  4. Adjust the number of database locks. The appropriate value equals half the number of provisioned entries.
    • the minimum value is 10,000
    • the maximum value is 200,000
    Because DS is stopped, you must set the value by modifying the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file:
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    ...
    nsslapd-db-locks: db_lock_number
    IdM accesses a large number of database pages when computing membership. The more pages it accesses, the more locks are required for the provisioning.
  5. Start DS:
    # systemctl start dirsrv.target

Importing the Entries

To import the new entries from the LDIF file to the IdM LDAP instance. For example, using the ldapadd utility:
# ldapadd -D "binddn" -y password_file -f ldif_file
For details on using ldapadd, see the ldapadd(1) man page.

Re-enabling the Disabled Services and Restoring the Original Attribute Values

  1. Enable MemberOf:
    dn: cn=MemberOf Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    For an example of modifying LDAP attributes using the ldapmodify utility, see Example 19.1, “Using ldapmodify to Change an LDAP Attribute”.
  2. Restart DS:
    # systemctl restart dirsrv.target
    Restarting DS at this point is required because you enabled MemberOf in the previous step.
  3. Run the fixup-memberof.pl script with the (objectClass=*) filter to regenerate and update the memberOf attribute on all provisioned entries. For example:
    # fixup-memberof.pl -D "cn=directory manager" -j password_file -Z server_id -b "suffix" -f "(objectClass=*)" -P LDAP
    Running fixup-memberof.pl is necessary because the MemberOf plug-in was disabled when you imported the entries. To be able to continue with the provisioning, the script must complete successfully.
    For details on fixup-memberof.pl, see the fixup-memberof.pl(8) man page.
  4. Enable the Schema Compatibility plug-in:
    dn: cn=Schema Compatibility,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  5. If you disabled the Content Synchronization and Retro Changelog plug-ins in Section 19, “Disabling Unnecessary Services and Adjusting Database Locks”, re-enable them:
    dn: cn=Content Synchronization,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
    dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on
  6. Restore the original values for the database cache, entry cache, and DN cache size that you backed up in Section 19, “Backing up the Current DS Tuning Parameter Values”:
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-dbcachesize
    nsslapd-dbcachesize: backup_db_cache_size
    
    dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    Replace: nsslapd-dncachememsize
    Nsslapd-dncachememsize: backup_dn_cache_size
    -
    replace: nsslapd-cachememsize
    nsslapd-cachememsize: backup_entry_cache_size
  7. Stop DS:
    # systemctl stop dirsrv.target
  8. Restore the original value for database locks that you backed up in Section 19, “Backing up the Current DS Tuning Parameter Values”. Because DS is stopped, you must set the value by modifying the /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif file:
    dn: cn=config,cn=ldbm database,cn=plugins,cn=config
    ...
    nsslapd-db-locks: backup_db_lock_number
  9. Start the IdM server:
    # ipactl start
    This starts all IdM services, including DS.

Chapter 20. Managing Certificates for Users, Hosts, and Services

Identity Management (IdM) supports two types of certificate authorities (CAs):
Integrated IdM CA
Integrated CAs can create, revoke, and issue certificates for users, hosts, and services. For more details, see Section 20.1, “Managing Certificates with the Integrated IdM CAs”.
IdM supports creating lightweight sub-CAs. For more details, see Section 33.1, “Lightweight Sub-CAs”
External CA
An external CA is a CA other than the integrated IdM CA.
Using IdM tools, you add certificates issued by these CAs to users, services, or hosts as well as remove them. For more details, see Section 20.2, “Managing Certificates Issued by External CAs”.
Each user, host, or service can have multiple certificates assigned.

Note

For more details on the supported CA configurations of the IdM server, see Section 2.3.2, “Determining What CA Configuration to Use”.

20.1. Managing Certificates with the Integrated IdM CAs

20.1.1. Requesting New Certificates for a User, Host, or Service

To request a certificate using:
Note that you must generate the certificate request itself with a third-party tool. The following procedures use the certutil utility.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node.

Web UI: Requesting New Certificates

  1. Under the Identity tab, select the Users, Hosts, or Services subtab.
  2. Click the name of the user, host, or service to open its configuration page.
    List of Hosts

    Figure 20.1. List of Hosts

  3. Click ActionsNew Certificate.
  4. Optional: Select the issuing CA and profile ID.
  5. Follow the instructions on the screen for using certutil.
  6. Click Issue.

Command Line: Requesting New Certificates

  1. Generate a certificate request.
    1. Create a certificate database or use an existing one. To create a new database:
      # certutil -N -d path_to_database
    2. Create the certificate request and use output redirection to save it to a file.
      # certutil -R -d path_to_database -a -g key_size -s "CN=server.example.com,O=EXAMPLE.COM" > certificate_request.csr
  2. Submit the certificate request file to the server. Be sure to specify the Kerberos principal to associate with the newly-issued certificate.
    # ipa cert-request certificate_request.csr --principal=host/server.example.com
    IdM uses the following defaults:
    • Certificate profile: caIPAserviceCert
      To select a custom profile, use the --profile-id option with the ipa cert-request command.
    • Integrated CA: ipa (IdM root CA)
      To select a sub-CA, use the --ca option with the ipa cert-request command.

20.1.2. Revoking Certificates with the Integrated IdM CAs

If you need to invalidate the certificate before its expiration date, you can revoke it. To revoke a certificate using:
A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold.

Table 20.1. Revocation Reasons

ID Reason Explanation
0 Unspecified
1 Key Compromised
The key that issued the certificate is no longer trusted.
Possible causes: lost token, improperly accessed file.
2 CA Compromised The CA that issued the certificate is no longer trusted.
3 Affiliation Changed
Possible causes:
  • A person has left the company or moved to another department.
  • A host or service is being retired.
4 Superseded A newer certificate has replaced the current certificate.
5 Cessation of Operation The host or service is being decommissioned.
6 Certificate Hold The certificate is temporarily revoked. You can restore the certificate later.
8 Remove from CRL The certificate is not included in the certificate revocation list (CRL).
9 Privilege Withdrawn The user, host, or service is no longer permitted to use the certificate.
10 Attribute Authority (AA) Compromise The AA certificate is no longer trusted.

Web UI: Revoking Certificates

To revoke a certificate:
  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.
    List of Certificates

    Figure 20.2. List of Certificates

  3. Click ActionsRevoke Certificate.
  4. Select the reason for revoking, and click Revoke. See Table 20.1, “Revocation Reasons” for details.

Command Line: Revoking Certificates

Use the ipa cert-revoke command, and specify:
For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised:
$ ipa cert-revoke 1032 --revocation-reason=1

20.1.3. Restoring Certificates with the Integrated IdM CAs

If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again. To restore a certificate using:

Web UI: Restoring Certificates

  1. Open the Authentication tab, and select the Certificates subtab.
  2. Click the serial number of the certificate to open the certificate information page.
    List of Certificates

    Figure 20.3. List of Certificates

  3. Click ActionsRestore Certificate.

Command Line: Restoring Certificates

Use the ipa cert-remove-hold command and specify the certificate serial number. For example:
$ ipa cert-remove-hold 1032

20.2. Managing Certificates Issued by External CAs

20.2.1. Command Line: Adding and Removing Certificates Issued by External CAs

To add a certificate to a user, host, or service:
  • ipa user-add-cert
  • ipa host-add-cert
  • ipa service-add-cert
To remove a certificate from a user, host, or service:
  • ipa user-remove-cert
  • ipa host-remove-cert
  • ipa service-remove-cert
A certificate issued by an external CA is not revoked after you remove it from IdM. This is because the certificate does not exist in the IdM CA database. You can only revoke these certificates manually from the external CA side.
The commands require you to specify the following information:
  • the name of the user, host, or service
  • the Base64-encoded DER certificate
To run the commands interactively, execute them without adding any options.
To provide the required information directly with the command, use command-line arguments and options:
$ ipa user-add-cert user --certificate=MIQTPrajQAwg...

Note

Instead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to base64. For example, to add the user_cert.pem certificate to user:
$ ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"

20.2.2. Web UI: Adding and Removing Certificates Issued by External CAs

To add a certificate to a user, host, or service:
  1. Open the Identity tab, and select the Users, Hosts, or Services subtab.
  2. Click on the name of the user, host, or service to open its configuration page.
  3. Click Add, next to the Certificates entry.
    Adding a Certificate to a User Account

    Figure 20.4. Adding a Certificate to a User Account

  4. Paste the certificate in Base64 or PEM encoded format into the text field, and click Add.
  5. Click Save to store the changes.
To remove a certificate from a user, host, or service:
  1. Open the Identity tab, and select the Users, Hosts, or Services subtab.
  2. Click on the name of the user, host, or service to open its configuration page.
  3. Click the Actions next to the certificate to delete, and select Delete.
  4. Click Save to store the changes.

20.3. Listing and Displaying Certificates

Listing and Displaying Certificates in the Web UI

To list certificates assigned to a user, host, or service entry:
  1. Open the Identity tab, and select the Users, Hosts, or Services subtab.
  2. Click on the name of the user, host, or service to open its configuration page.
    List of Hosts

    Figure 20.5. List of Hosts

  3. The configuration page lists all certificates assigned to the entry. Additionally, clicking Show displays a particular certificate.
To list all certificates registered on the IdM server:
  1. Open the Authentication tab, and select the Certificates subtab.
  2. A list of all certificates is displayed in the Certificates section. To display a particular certificate, click on its serial number.
    List of Certificates

    Figure 20.6. List of Certificates

Listing Certificates from the Command Line

To list all certificates in the IdM database, run the ipa cert-find command.
$ ipa cert-find
-----------------------
10 certificates matched
-----------------------
  Serial number (hex): 0x1
  Serial number: 1
  Status: VALID
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
...
-----------------------------
Number of entries returned 10
-----------------------------
You can filter the search results by specifying certain certificate properties, such as issue date or validity date. For example, to search by an issue date interval, use the --issuedon-from or --issuedon-to options to specify the start and end points or a period of time.
ipa cert-find --issuedon-from=2017-01-07 --issuedon-to=2017-02-07
For a complete list of options used to filter the search for a certificate, run ipa cert-find with the --help option added.

Displaying Certificates from the Command Line

To display a certificate, use the ipa cert-show command and specify the serial number.
$ ipa cert-show 132
Serial number: 132
  Certificate: MIIDtzCCAp+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBBMR8wHQYDVQQKExZMQUIu
...
LxIQjrEFtJmoBGb/TWRlwGEWy1ayr4iTEf1ayZ+RGNylLalEAtk9RLjEjg==
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Sun Jun 08 05:51:11 2014 UTC
  Not After: Thu Jun 08 05:51:11 2034 UTC
  Fingerprint (MD5): 46:53:2b:e9:88:c8:6b:ca:ec:5b:81:80:af:17:ea:85
  Fingerprint (SHA1): 19:bc:93:e9:af:8c:ee:61:a3:10:07:6a:27:8b:5f:0a:25:d2:b0:72
  Serial number (hex): 0x132
  Serial number: 132
To display the certificates assigned to a user, host, or service entry, use ipa cert-show and specify the entry. For example, to display the certificate assigned to a user:
$ ipa user-show user
  User login: user
  ...
  Certificate: MIICfzCCAWcCAQA...
  ...
You can also save a certificate to a file by adding the --out option to ipa cert-show.
$ ipa cert-show certificate_serial_number --out=path_to_file
Note that if the user, host, or service has more than one certificate, the --out option exports all of them. The certificate or certificates are exported as PEM objects.

20.4. Certificate Profiles

A certificate profile defines the content of certificates belonging to the particular profile, as well as constraints for issuing the certificates, enrollment method, and input and output forms for enrollment. A single certificate profile is associated with issuing a particular type of certificate. Different certificate profiles can be defined for users, services, and hosts in IdM.
The CA uses certificate profiles in signing of certificates to determine:
  • whether the CA can accept a certificate signing request (CSR)
  • what features and extensions should be present on the certificate
IdM includes the following two certificate profiles by default: caIPAserviceCert and IECUserRoles. In addition, custom profiles can be imported.
Custom certificate profiles allow issuing certificates for specific, unrelated purposes. For example, it is possible to restrict use of a particular profile to only one user or one group, preventing other users and groups from using that profile to issue a certificate for authentication.
For details on supported certificate profile configuration, see Defaults Reference and Constraints Reference in the Red Hat Certificate System Administration Guide.

Note

By combining certificate profiles and CA ACLs, Section 20.5, “Certificate Authority ACL Rules”, the administrator can define and control access to custom certificate profiles. For a description of using profiles and CA ACLs to issue user certificates, see Section 20.6, “Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs”.

20.4.1. Certificate Profile Management from the Command Line

The certprofile plug-in for management of IdM profiles allows privileged users to import, modify, or remove IdM certificate profiles. To display all commands supported by the plug-in, run the ipa certprofile command:
$ ipa certprofile
Manage Certificate Profiles

...

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert
...
Note that to perform the certprofile operations, you must be operating as a user who has the required permissions. IdM includes the following certificate profile-related permissions by default:
System: Read Certificate Profiles
Enables users to read all profile attributes.
System: Import Certificate Profile
Enables users to import a certificate profile into IdM.
System: Delete Certificate Profile
Enables users to delete an existing certificate profile.
System: Modify Certificate Profile
Enables users to modify the profile attributes and to disable or enable the profile.
All these permissions are included in the default CA Administrator privilege. For more information on IdM role-based access controls and managing permissions, see Section 31.4, “Defining Role-Based Access Controls”.

Note

When requesting a certificate, the --profile-id option can be added to the ipa cert-request command to specify which profile to use. If no profile ID is specified, the default caIPAserviceCert profile is used for the certificate.
This section only describes the most important aspects of using the ipa certprofile commands for profile management. For complete information about a command, run it with the --help option added, for example:
$ ipa certprofile-mod --help
Usage: ipa [global-options] certprofile-mod ID [options]

Modify Certificate Profile configuration.
Options:
  -h, --help     show this help message and exit
  --desc=STR     Brief description of this profile
  --store=BOOL   Whether to store certs issued using this profile
...

Importing Certificate Profiles

To import a new certificate profile to IdM, use the ipa certprofile-import command. Running the command without any options starts an interactive session in which the certprofile-import script prompts your for the information required to import the certificate.
$ ipa certprofile-import

Profile ID: smime
Profile description: S/MIME certificates
Store issued certificates [True]: TRUE
Filename of a raw profile. The XML format is not supported.: smime.cfg
------------------------
Imported profile "smime"
------------------------
  Profile ID: smime
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
The ipa certprofile-import command accepts several command-line options. Most notably:
--file
This option passes the file containing the profile configuration directly to ipa certprofile-import. For example:
$ ipa certprofile-import --file=smime.cfg
--store
This option sets the Store issued certificates attribute. It accepts two values:
  • True, which delivers the issued certificates to the client and stores them in the target IdM principal's userCertificate attribute.
  • False, which delivers the issued certificates to the client, but does not store them in IdM. This option is most commonly-used when issuing multiple short-term certificates is required.
Import fails if the profile ID specified with ipa certprofile-import is already in use or if the profile content is incorrect. For example, the import fails if a required attribute is missing or if the profile ID value defined in the supplied file does not match the profile ID specified with ipa certprofile-import.
To obtain a template for a new profile, you can run the ipa certprofile-show command with the --out option, which exports a specified existing profile to a file. For example:
$ ipa certprofile-show caIPAserviceCert --out=file_name
You can then edit the exported file as required and import it as a new profile.

Displaying Certificate Profiles

To display all certificate profiles currently stored in IdM, use the ipa certprofile-find command:
$ ipa certprofile-find
------------------
3 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: IECUserRoles
...
To display information about a particular profile, use the ipa certprofile-show command:
$ ipa certprofile-show profile_ID
  Profile ID: profile_ID
  Profile description: S/MIME certificates
  Store issued certificates: TRUE

Modifying Certificate Profiles

To modify an existing certificate profile, use the ipa certprofile-mod command. Pass the required modifications with the command using the command-line options accepted by ipa certprofile-mod. For example, to modify the description of a profile and change whether IdM stores the issued certificates:
$ ipa certprofile-mod profile_ID --desc="New description" --store=False
------------------------------------
Modified Certificate Profile "profile_ID"
------------------------------------
  Profile ID: profile_ID
  Profile description: New description
  Store issued certificates: FALSE
To update the certificate profile configuration, import the file containing the updated configuration using the --file option. For example:
$ ipa certprofile-mod profile_ID --file=new_configuration.cfg

Deleting Certificate Profiles

To remove an existing certificate profile from IdM, use the ipa certprofile-del command:
$ ipa certprofile-del profile_ID
-----------------------
Deleted profile "profile_ID"
-----------------------

20.4.2. Certificate Profile Management from the Web UI

To manage certificate profiles from the IdM web UI:
  1. Open the Authentication tab and the Certificates subtab.
  2. Open the Certificate Profiles section.
    Certificate Profile Management in the Web UI

    Figure 20.7. Certificate Profile Management in the Web UI

In the Certificate Profiles section, you can display information about existing profiles, modify their attributes, or delete selected profiles.
For example, to modify an existing certificate profile:
  1. Click on the name of the profile to open the profile configuration page.
  2. In the profile configuration page, fill in the required information.
  3. Click Save to confirm the new configuration.
    Modifying a Certificate Profile in the Web UI

    Figure 20.8. Modifying a Certificate Profile in the Web UI

If you enable the Store issued certificates option, the issued certificates are delivered to the client as well as stored in the target IdM principal's userCertificate attribute. If the option is disabled, the issued certificates are delivered to the client, but not stored in IdM. Storing certificates is often disabled when issuing multiple short-lived certificates is required.
Note that some certificate profile management operations are currently unavailable in the web UI:
  • It is not possible to import a certificate profile in the web UI. To import a certificate, use the ipa certprofile-import command.
  • It is not possible to set, add, or delete attribute and value pairs. To modify the attribute and value pairs, use the ipa certprofile-mod command.
  • It is not possible to import updated certificate profile configuration. To import a file containing updated profile configuration, use the ipa certprofile-mod --file=file_name command.
For more information about the commands used to manage certificate profiles, see Section 20.4.1, “Certificate Profile Management from the Command Line”.

20.4.3. Upgrading IdM Servers with Certificate Profiles

When upgrading an IdM server, the profiles included in the server are all imported and enabled.
If you upgrade multiple server replicas, the profiles of the first upgraded replica are imported. On the other replicas, IdM detects the presence of other profiles and does not import them or resolve any conflicts between the two sets of profiles. If you have custom profiles defined on replicas, make sure the profiles on all replicas are consistent before upgrading.

20.5. Certificate Authority ACL Rules

Certificate Authority access control list (CA ACL) rules define which profiles can be used to issue certificates to which users, services, or hosts. By associating profiles, principals, and groups, CA ACLs permit principals or groups to request certificates using particular profiles:
  • an ACL can permit access to multiple profiles
  • an ACL can have multiple users, services, hosts, user groups, and host groups associated with it
For example, using CA ACLs, the administrator can restrict use of a profile intended for employees working from an office located in London only to hosts that are members of the London office-related group.

Note

By combining certificate profiles, described in Section 20.4, “Certificate Profiles”, and CA ACLs, the administrator can define and control access to custom certificate profiles. For a description of using profiles and CA ACLs to issue user certificates, see Section 20.6, “Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs”.

20.5.1. CA ACL Management from the Command Line

The caacl plug-in for management of CA ACL rules allows privileged users to add, display, modify, or delete a specified CA ACL. To display all commands supported by the plug-in, run the ipa caacl command:
$ ipa caacl
Manage CA ACL rules.

...

EXAMPLES:

  Create a CA ACL "test" that grants all users access to the
  "UserCert" profile:
    ipa caacl-add test --usercat=all
    ipa caacl-add-profile test --certprofiles UserCert

  Display the properties of a named CA ACL:
    ipa caacl-show test

  Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA":
    ipa caacl-add alice_dnp3
    ipa caacl-add-ca alice_dnp3 --cas DNP3-CA
    ipa caacl-add-profile alice_dnp3 --certprofiles DNP3
    ipa caacl-add-user alice_dnp3 --user=alice
...
Note that to perform the caacl operations, you must be operating as a user who has the required permissions. IdM includes the following CA ACL-related permissions by default:
System: Read CA ACLs
Enables the user to read all attributes of the CA ACL.
System: Add CA ACL
Enables the user to add a new CA ACL.
System: Delete CA ACL
Enables the user to delete an existing CA ACL.
System: Modify CA ACL
Enables the user to modify an attribute of the CA ACL and to disable or enable the CA ACL.
System: Manage CA ACL membership
Enables the user to manage the CA, profile, user, host, and service membership in the CA ACL.
All these permissions are included in the default CA Administrator privilege. For more information on IdM role-based access controls and managing permissions, see Section 31.4, “Defining Role-Based Access Controls”.
This section describes only the most important aspects of using the ipa caacl commands for CA ACL management. For complete information about a command, run it with the --help option added, for example:
$ ipa caacl-mod --help
Usage: ipa [global-options] caacl-mod NAME [options]

Modify a CA ACL.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Description
  --cacat=['all']       CA category the ACL applies to
  --profilecat=['all']  Profile category the ACL applies to
...

Creating CA ACLs

To create a new CA ACL, use the ipa caacl-add command. Running the command without any options starts an interactive session in which the ipa caacl-add script prompts your for the required information about the new CA ACL.
$ ipa caacl-add
ACL name: smime_acl
------------------------
Added CA ACL "smime_acl"
------------------------
  ACL name: smime_acl
  Enabled: TRUE
New CA ACLs are enabled by default.
The most notable options accepted by ipa caacl-add are the options that associate a CA ACL with a CA, certificate profile, user, host, or service category:
  • --cacat
  • --profilecat
  • --usercat
  • --hostcat
  • --servicecat
IdM only accepts the all value with these options, which associates the CA ACL with all CAs, profiles, users, hosts, or services. For example, to associate the CA ACL with all users and user groups:
$ ipa caacl-add ca_acl_name --usercat=all
CA, profile, user, host, and service categories are an alternative to adding particular objects or groups of objects to a CA ACL, which is described in Section 20.5.1, “Adding Entries to CA ACLs and Removing Entries from CA ACLs”. Note that it is not possible to use a category and also add objects or groups of the same type; for example, you cannot use the --usercat=all option and then add a user to the CA ACL with the ipa caacl-add-user --users=user_name command.

Note

Requesting a certificate for a user or group using a certificate profile fails if the user or group are not added to the corresponding CA ACL. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, as described in Section 20.5.1, “Adding Entries to CA ACLs and Removing Entries from CA ACLs”, or associate the CA ACL with the all user category.

Displaying CA ACLs

To display all CA ACLs, use the ipa caacl-find command:
$ ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
...
Note that ipa caacl-find accepts the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options, which can be used to filter the results of the search to CA ACLs with the corresponding CA, certificate profile, user, host, or service category. Note that IdM only accepts the all category with these options. For more information about the options, see Section 20.5.1, “Creating CA ACLs”.
To display information about a particular CA ACL, use the ipa caacl-show command:
$ ipa caacl-show ca_acl_name
  ACL name: ca_acl_name
  Enabled: TRUE
  Host category: all
...

Modifying CA ACLs

To modify an existing CA ACL, use the ipa caacl-mod command. Pass the required modifications using the command-line options accepted by ipa caacl-mod. For example, to modify the description of a CA ACL and associate the CA ACL with all certificate profiles:
$ ipa caacl-mod ca_acl_name --desc="New description" --profilecat=all
---------------------------
Modified CA ACL "ca_acl_name"
---------------------------
  ACL name: smime_acl
  Description: New description
  Enabled: TRUE
  Profile category: all
The most notable options accepted by ipa caacl-mod are the --cacat, --profilecat, --usercat, --hostcat, and --servicecat options. For a description of these options, see Section 20.5.1, “Creating CA ACLs”.

Disabling and Enabling CA ACLs

To disable a CA ACL, use the ipa caacl-disable command:
$ ipa caacl-disable ca_acl_name
---------------------------
Disabled CA ACL "ca_acl_name"
---------------------------
A disabled CA ACL is not applied and cannot be used to request a certificate. Disabling a CA ACL does not remove it from IdM.
To enable a disabled CA ACL, use the ipa caacl-enable command:
$ ipa caacl-enable ca_acl_name
---------------------------
Enabled CA ACL "ca_acl_name"
---------------------------

Deleting CA ACLs

To remove an existing CA ACL, use the ipa caacl-del command:
$ ipa caacl-del ca_acl_name

Adding Entries to CA ACLs and Removing Entries from CA ACLs

Using the ipa caacl-add-* and ipa caacl-remove-* commands, you can add new entries to a CA ACL or remove existing entries.
ipa caacl-add-ca and ipa caacl-remove-ca
Adds or removes a CA.
ipa caacl-add-host and ipa caacl-remove-host
Adds or removes a host or host group.
ipa caacl-add-profile and ipa caacl-remove-profile
Adds or removes a profile.
ipa caacl-add-service and ipa caacl-remove-service
Adds or removes a service.
ipa caacl-add-user and ipa caacl-remove-user
Adds or removes a user or group.
For example:
$ ipa caacl-add-user ca_acl_name --groups=group_name
Note that it is not possible to add an object or a group of objects to a CA ACL and also use a category of the same object, as described in Section 20.5.1, “Creating CA ACLs”; these settings are mutually exclusive. For example, if you attempt to run the ipa caacl-add-user --users=user_name command on a CA ACL specified with the --usercat=all option, the command fails:
$ ipa caacl-add-user ca_acl_name --users=user_name
ipa: ERROR: users cannot be added when user category='all'

Note

Requesting a certificate for a user or group using a certificate profile fails if the user or group are not added to the corresponding CA ACL. For example:
$ ipa cert-request CSR-FILE --principal user --profile-id profile_id
ipa: ERROR Insufficient access: Principal 'user' is not permitted to use CA '.' with profile 'profile_id' for certificate issuance.
You must either add the user or group to the CA ACL, or associate the CA ACL with the all user category, as described in Section 20.5.1, “Creating CA ACLs”.
For detailed information on the required syntax for these commands and the available options, run the commands with the --help option added. For example:
$ ipa caacl-add-user --help

20.5.2. CA ACL Management from the Web UI

To manage CA ACLs from the IdM web UI:
  1. Open the Authentication tab and the Certificates subtab.
  2. Open the CA ACLs section.
    CA ACL Rules Management in the Web UI

    Figure 20.9. CA ACL Rules Management in the Web UI

In the CA ACLs section, you can add new CA ACLs, display information about existing CA ACLs, modify their attributes, as well as enable, disable, or delete selected CA ACLs.
For example, to modify an existing CA ACL:
  1. Click on the name of the CA ACL to open the CA ACL configuration page.
  2. In the CA ACL configuration page, fill in the required information.
    The Profiles and Permitted to have certificates issued sections allow you to associate the CA ACL with certificate profiles, users or user groups, hosts or host groups, or services. You can either add these objects using the Add buttons, or select the Anyone option to associate the CA ACL with all users, hosts, or services.
  3. Click Save to confirm the new configuration.
    Modifying a CA ACL Rule in the Web UI

    Figure 20.10. Modifying a CA ACL Rule in the Web UI

20.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs

Users can request certificates for themselves when permitted by the Certificate Authority access control lists (CA ACLs). The following procedures use certificate profiles and CA ACLs, which are described separately in Section 20.4, “Certificate Profiles” and Section 20.5, “Certificate Authority ACL Rules”. For more details about using certificate profiles and CA ACLs, see these sections.

Issuing Certificates to Users from the Command Line

  1. Create or import a new custom certificate profile for handling requests for user certificates. For example:
    $ ipa certprofile-import certificate_profile --file=certificate_profile.cfg --store=True
    
  2. Add a new Certificate Authority (CA) ACL that will be used to permit requesting certificates for user entries. For example:
    $ ipa caacl-add users_certificate_profile --usercat=all
    
  3. Add the custom certificate profile to the CA ACL.
    $ ipa caacl-add-profile users_certificate_profile --certprofiles=certificate_profile
  4. Generate a certificate request for the user. For example, using OpenSSL:
    $ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout private.key -out cert.csr -subj '/CN=user'
    
  5. Run the ipa cert-request command to have the IdM CA issue a new certificate for the user.
    $ ipa cert-request cert.csr --principal=user --profile-id=certificate_profile
    Optionally pass the --ca sub-CA_name option to the command to request the certificate from a sub-CA instead of the root CA ipa.
To make sure the newly-issued certificate is assigned to the user, you can use the ipa user-show command:
$ ipa user-show user
  User login: user
  ...
  Certificate: MIICfzCCAWcCAQA...
  ...

Issuing Certificates to Users in the Web UI

  1. Create or import a new custom certificate profile for handling requests for user certificates. Importing profiles is only possible from the command line, for example:
    $ ipa certprofile-import certificate_profile --file=certificate_profile.txt --store=True
    
    For information about certificate profiles, see Section 20.4, “Certificate Profiles”.
  2. In the web UI, under the Authentication tab, open the CA ACLs section.
    CA ACL Rules Management in the Web UI

    Figure 20.11. CA ACL Rules Management in the Web UI

    Click Add at the top of the list of Certificate Authority (CA) ACLs to add a new CA ACL that permits requesting certificates for user entries.
    1. In the Add CA ACL window that opens, fill in the required information about the new CA ACL.
      Adding a New CA ACL

      Figure 20.12. Adding a New CA ACL

      Then, click Add and Edit to go directly to the CA ACL configuration page.
    2. In the CA ACL configuration page, scroll to the Profiles section and click Add at the top of the profiles list.
      Adding a Certificate Profile to the CA ACL

      Figure 20.13. Adding a Certificate Profile to the CA ACL

    3. Add the custom certificate profile to the CA ACL by selecting the profile and moving it to the Prospective column.
      Selecting a Certificate Profile

      Figure 20.14. Selecting a Certificate Profile

      Then, click Add.
    4. Scroll to the Permitted to have certificates issued section to associate the CA ACL with users or user groups.
      You can either add users or groups using the Add buttons, or select the Anyone option to associate the CA ACL with all users.
      Adding Users to the CA ACL

      Figure 20.15. Adding Users to the CA ACL

    5. In the Permitted to have certificates issued section, you can associate the CA ACL with one or more CAs.
      You can either add CAs using the Add button, or select the Any CA option to associate the CA ACL with all CAs.
      Adding CAs to the CA ACL

      Figure 20.16. Adding CAs to the CA ACL

    6. At the top of the CA ACL configuration page, click Save to confirm the changes to the CA ACL.
  3. Request a new certificate for the user.
    1. Under the Identity tab and the Users subtab, choose the user for whom the certificate will be requested. Click on the user's user name to open the user entry configuration page.
    2. Click Actions at the top of the user configuration page, and then click New Certificate.
      Requesting a Certificate for a User

      Figure 20.17. Requesting a Certificate for a User

    3. Fill in the required information.
      Issuing a Certificate for a User

      Figure 20.18. Issuing a Certificate for a User

      Then, click Issue.
After this, the newly issued certificate is visible in the user configuration page.

Chapter 21. Managing Kerberos Flags and Principal Aliases

21.1. Kerberos Flags for Services and Hosts

Various Kerberos flags can be used to define certain specific aspects of the Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.
Principals in IdM accept the following two Kerberos flags:
OK_AS_DELEGATE
Use this flag to specify Kerberos tickets trusted for delegation.
AD clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether the user credentials can be forwarded or delegated to the specific server; AD forwards the TGT only to services or hosts with OK_AS_DELEGATE set. With this flag, SSSD can add the AD user TGT to the default Kerberos credentials cache on the IdM client machine.
REQUIRES_PRE_AUTH
Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to the principal.
With the REQUIRES_PRE_AUTH flag set, the KDC requires additional authentication: the KDC issues the TGT for a principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated.
You can use REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts, which lowers the load on the KDC but also slightly increases the possibility of a brute-force attack on a long-term key to succeed.

21.1.1. Setting Kerberos Flags from the Web UI

From the IdM web UI, you can currently only add the OK_AS_DELEGATE flag to a principal:
  1. Select the Services subtab, accessible through the Identity main tab.
    List of Services

    Figure 21.1. List of Services

  2. Click on the service to which you want to add the flag.
  3. Check the Trusted for delegation option.
    Adding the OK_AS_DELEGATE Flag

    Figure 21.2. Adding the OK_AS_DELEGATE Flag

21.1.2. Setting Kerberos Flags from the Command Line

To add a flag to a principal from the command line or to remove a flag, add one of the following options to the ipa service-mod command:
  • --ok-as-delegate for OK_AS_DELEGATE
  • --requires-pre-auth for REQUIRES_PRE_AUTH
To add a flag, set the corresponding option to 1. For example, to add the OK_AS_DELEGATE flag to the test/ipa.example.com@EXAMPLE.COM principal:
$ ipa service-mod test/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1
To remove a flag or to disable it, set the corresponding option to 0. For example, to disable the REQUIRES_PRE_AUTH flag for the test/ipa.example.com@EXAMPLE.COM principal:
$ ipa service-mod test/ipa.example.com@EXAMPLE.COM --requires-pre-auth=0
To find out if OK_AS_DELEGATE is currently set for a principal, run the kvno utility and then the klist -f command. OK_AS_DELEGATE is represented by the O character in the klist -f output:
$ kvno test/ipa.example.com@EXAMPLE.COM
$ klist -f
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting		Expires			Service principal
02/19/2014 09:59:02	02/20/2014 08:21:33	test/ipa/example.com@EXAMPLE.COM
    Flags: FATO
To find out what flags are currently set for a principal, use the kadmin.local utility. The current flags are displayed on the Attributes line of kadmin.local output, for example:
# kadmin.local
kadmin.local: getprinc test/ipa.example.com
Principal: test/ipa.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Sep 16 15:44:21 EDT 2013
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Oct 14 23:42:53 EDT 2013 (admin/admin@EXAMPLE.COM)
Last successful authentication: Wed Mar 11 08:01:03 EDT 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE OK_TO_AUTH_AS_DELEGATE
Policy: [none]

21.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services

When you create a new user, host, or service, a Kerberos principal in the following format is automatically added:
  • user_name@REALM
  • host/host_name@REALM
  • service_name/host_name@REALM
In some scenarios, it is beneficial for the administrator to enable users, hosts, or services to authenticate against Kerberos applications using an alias, for example:
  • The user name changed, but the user should be able to login using both the previous and new user name.
  • The user needs to log in using the email address even if the IdM Kerberos realm differs from the email domain.
Note that if you rename a user, the object keeps the aliases and the previous canonical principal name.

21.2.1. Kerberos Principal Alias

Adding a Kerberos Principal Alias

To add the alias name useralias to the account user, enter:
[root@ipaserver ~]# ipa user-add-principal user useralias
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, useralias@IDM.EXAMPLE.COM
To add an alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an alias name to authenticate, pass the -C option to the kinit command:
[root@ipaserver ~]# kinit -C useralias
Password for user@IDM.EXAMPLE.COM:

Removing a Kerberos Principal Alias

To remove the alias useralias from the account user, enter:
[root@ipaserver ~]# ipa user-remove-principal user useralias
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.
Note that you cannot remove the canonical principal name:
[root@ipaserver ~]# ipa user-show user
  User login: user
  ...
  Principal name: user@IDM.EXAMPLE.COM
  ...

[root@ipaserver ~]# ipa user-remove-principal user user
ipa: ERROR: invalid 'krbprincipalname': at least one value equal to the canonical principal name must be present

21.2.2. Kerberos Enterprise Principal Alias

Enterprise principal aliases can use any domain suffix except for user principal name (UPN) suffixes, NetBIOS names, or domain names of trusted Active Directory forest domains.

Note

When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error:
ipa: ERROR: The realm for the principal does not match the realm for this IPA server

Adding a Kerberos Enterprise Principal Alias

To add the enterprise principal alias user@example.com to the user account:
[root@ipaserver ~]# ipa user-add-principal user user\\@example.com
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, user\@example.com@IDM.EXAMPLE.COM
To add an enterprise alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an enterprise principal name to authenticate, pass the -E option to the kinit command:
[root@ipaserver ~]# kinit -E user@example.com
Password for user\@example.com@IDM.EXAMPLE.COM:

Removing a Kerberos Enterprise Principal Alias

To remove the enterprise principal alias user@example.com from the account user, enter:
[root@ipaserver ~]# ipa user-remove-principal user user\\@example.com
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.

Chapter 22. Storing Authentication Secrets with Vaults

A vault is a secure location for storing, retrieving, sharing, and recovering secrets. A secret is security-sensitive data that should only be accessible by a limited group of people or entities. For example, secrets include:
  • passwords
  • PINs
  • private SSH keys
Users and services can access the secrets stored in a vault from any machine enrolled in the Identity Management (IdM) domain.

Note

Vault is only available from the command line, not from the IdM web UI.
Use cases for vaults include:
Storing personal secrets of a user
Storing a secret for a service
Storing a common secret used by multiple users
Note that to use vaults, you must meet the conditions described in Section 22.2, “Prerequisites for Using Vaults”.

22.1. How Vaults Work

22.1.1. Vault Owners, Members, and Administrators

IdM distinguishes the following vault user types:
Vault owner
A vault owner is a user or service with basic management privileges on the vault. For example, a vault owner can modify the properties of the vault or add new vault members.
Each vault must have at least one owner. A vault can also have multiple owners.
Vault member
A vault member is a user or service who can access a vault created by another user or service.
Vault administrator
Vault administrators have unrestricted access to all vaults and are allowed to perform all vault operations.

Note

Symmetric and asymmetric vaults are protected with a password or key and apply special access control rules (see Section 22.1.2, “Standard, Symmetric, and Asymmetric Vaults”). The administrator must meet these rules to:
  • access secrets in symmetric and asymmetric vaults
  • change or reset the vault password or key
A vault administrator is any user with the Vault Administrators privilege. See Section 31.4, “Defining Role-Based Access Controls” for information on defining user privileges.
Certain owner and member privileges depend on the type of the vault. See Section 22.1.2, “Standard, Symmetric, and Asymmetric Vaults” for details.

Vault User

The output of some commands, such as the ipa vault-show command, also displays Vault user for user vaults:
$ ipa vault-show my_vault
  Vault name: my_vault
  Type: standard
  Owner users: user
  Vault user: user
The vault user represents the user in whose container the vault is located. For details on vault containers and user vaults, see Section 22.1.4, “Vault Containers” and Section 22.1.3, “User, Service, and Shared Vaults”.

22.1.2. Standard, Symmetric, and Asymmetric Vaults

The following vault types are based on the level of security and access control:
Standard vault
Vault owners and vault members can archive and retrieve the secrets without having to use a password or key.
Symmetric vault
Secrets in the vault are protected with a symmetric key. Vault members and vault owners can archive and retrieve the secrets, but they must provide the vault password.
Asymmetric vault
Secrets in the vault are protected with an asymmetric key. Users archive the secret using a public key and retrieve it using a private key. Vault members can only archive secrets, while vault owners can both archive and retrieve secrets.

22.1.3. User, Service, and Shared Vaults

The following vault types are based on ownership:
User vault: a private vault for a user
Owner: a single user.
Any user can own one or more user vaults.
Service vault: a private vault for a service
Owner: a single service.
Any service can own one or more service vaults.
Shared vault
Owner: the vault administrator who created the vault. Other vault administrators also have full access to the vault.
Shared vaults can be used by multiple users or services.

22.1.4. Vault Containers

A vault container is a collection of vaults.
IdM provides the following default vault containers:
User container: a private container for a user
This container stores: user vaults for a particular user.
Service container: a private container for a service
This container stores: service vaults for a particular service.
Shared container
This container stores: vaults that can be shared by multiple users or services.
IdM creates user and service containers for each user or service automatically when the first private vault for the user or service is created. After the user or service is deleted, IdM removes the container and its contents.

22.2. Prerequisites for Using Vaults

To enable vaults, install the Key Recovery Authority (KRA) Certificate System component on one of the servers in your IdM domain:
# ipa-kra-install

22.3. Getting Help for Vault Commands

To display all commands used to manage vaults and vault containers:
$ ipa help vault
To display detailed help for a particular command, add the --help option to the command:
$ ipa vault-add --help

Vault Commands Fail with vault not found Error

Some commands require you to specify the owner or the type of the vault using the following options:
  • --user or --service specify the owner of the vault you want to view
    $ ipa vault-show user_vault --user user
  • --shared specify that the vault you want to view is a shared vault
For example, if you attempt to view another user's vault without adding --user, IdM informs you it did not find the vault:
[admin@server ~]$ ipa vault-show user_vault
ipa: ERROR: user_vault: vault not found

22.4. Storing a User's Personal Secret

This section shows how a user can create one or more private vaults to securely store personal secrets. The user then retrieves the secrets when required, on any machine in the domain. For example, the user can archive a personal certificate in a vault, thus storing the certificate securely in a centralized location.
This section includes these procedures:
In the procedures:
  • user is the user who wants to create the vault
  • my_vault is the vault used to store the user's certificate
  • the vault type is standard, so that accessing the archived certificate does not require the user to provide a vault password
  • secret.txt is the file containing the certificate that the user wants to store in the vault
  • secret_exported.txt is the file to which the user exports the archived certificate

22.4.1. Archiving a User's Personal Secret

Create a private user vault and store your certificate in it. The vault type is standard, which ensures you will not be required to authenticate when accessing the certificate.
  1. Log in as user:
    $ kinit user
  2. Use the ipa vault-add command to create a standard vault:
    $ ipa vault-add my_vault --type standard
    ----------------------
    Added vault "my_vault"
    ----------------------
      Vault name: my_vault
      Type: standard
      Owner users: user
      Vault user: user
  3. Use the ipa vault-archive --in command to archive the secret.txt file into the vault:
    $ ipa vault-archive my_vault --in secret.txt
    -----------------------------------
    Archived data into vault "my_vault"
    -----------------------------------

    Note

    One vault can only store one secret.

22.4.2. Retrieving a User's Personal Secret

Export the certificate from your private standard vault.
  1. Log in as user:
    $ kinit user
  2. Use the ipa vault-retrieve --out command to retrieve the contents of the vault and save them into the secret_exported.txt file.
    $ ipa vault-retrieve my_vault --out secret_exported.txt
    --------------------------------------
    Retrieved data from vault "my_vault"
    --------------------------------------

22.5. Storing a Service Secret in a Vault

This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
This section includes these procedures:
In the procedures:
  • admin is the administrator who manages the service password
  • http_password is the name of the private user vault created by the administrator
  • password.txt is the file containing the service password
  • password_vault is the vault created for the service
  • HTTP/server.example.com is the service whose password is being archived
  • service-public.pem is the service public key used to encrypt the password stored in password_vault

22.5.1. Creating a User Vault to Store a Service Password

Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, which ensures the administrator is not required to authenticate when accessing the contents of the vault.
  1. Log in as the administrator:
    $ kinit admin
  2. Create a standard user vault:
    $ ipa vault-add http_password --type standard
    ---------------------------
    Added vault "http_password"
    ---------------------------
      Vault name: http_password
      Type: standard
      Owner users: admin
      Vault user: admin
  3. Archive the service password into the vault:
    $ ipa vault-archive http_password --in password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------

    Warning

    After archiving the password into the vault, delete password.txt from your system.

22.5.2. Provisioning a Service Password from a User Vault to Service Instances

Using an asymmetric vault created for the service, provision the service password to a service instance.
  1. Log in as the administrator:
    $ kinit admin
  2. Obtain the public key of the service instance. For example, using the openssl utility:
    1. Generate the service-private.pem private key.
      $ openssl genrsa -out service-private.pem 2048
      Generating RSA private key, 2048 bit long modulus
      .+++
      ...........................................+++
      e is 65537 (0x10001)
    2. Generate the service-public.pem public key based on the private key.
      $ openssl rsa -in service-private.pem -out service-public.pem -pubout
      writing RSA key
  3. Create an asymmetric vault as the service instance vault, and provide the public key:
    $ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
    ----------------------------
    Added vault "password_vault"
    ----------------------------
    Vault name: password_vault
    Type: asymmetric
    Public key: LS0tLS1C...S0tLS0tCg==
    Owner users: admin
    Vault service: HTTP/server.example.com@EXAMPLE.COM
    The password archived into the vault will be protected with the key.
  4. Retrieve the service password from the administrator's private vault, and then archive it into the new service vault:
    $ ipa vault-retrieve http_password --out password.txt
    -----------------------------------------
    Retrieved data from vault "http_password"
    -----------------------------------------
    $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
    -----------------------------------
    Archived data into vault "password_vault"
    -----------------------------------
    This encrypts the password with the service instance public key.

    Warning

    After archiving the password into the vault, delete password.txt from your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.

22.5.3. Retrieving a Service Password for a Service Instance

A service instance can retrieve the service vault password using the locally-stored service private key.
  1. Log in as the administrator:
    $ kinit admin
  2. Obtain a Kerberos ticket for the service:
    # kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
  3. Retrieve the service vault password:
    $ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
    ------------------------------------
    Retrieved data from vault "password_vault"
    ------------------------------------
    

22.5.4. Changing Service Vault Password

If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
  1. Archive the new password in the administrator's user vault:
    $ ipa vault-archive http_password --in new_password.txt
    ----------------------------------------
    Archived data into vault "http_password"
    ----------------------------------------
    This overwrites the current password stored in the vault.
  2. Re-provision the new password to each service instance excluding the compromised instance.
    1. Retrieve the new password from the administrator's vault:
      $ ipa vault-retrieve http_password --out password.txt
      -----------------------------------------
      Retrieved data from vault "http_password"
      -----------------------------------------
    2. Archive the new password into the service instance vault:
      $ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
      -----------------------------------
      Archived data into vault "password_vault"
      -----------------------------------

      Warning

      After archiving the password into the vault, delete password.txt from your system.

22.6. Storing a Common Secret for Multiple Users

This section shows how an administrator can create a shared vault and allow other users to access the secret in the vault. The administrator archives a common password into the vault, and the other users are able to retrieve the password on any machine in the domain.
This section includes these procedures:
In the procedures:
  • shared_vault is the vault used to store the common password
  • admin is the administrator who creates the shared vault
  • the vault type is standard, so that accessing the archived password does not require the user to provide a vault password
  • secret.txt is the file containing the common secret
  • user1 and user2 are the users allowed to access the vault

22.6.1. Creating the Shared Vault with the Common Secret

Create a shared vault and use it to store the common secret. Add the users who will be accessing the secret as vault members. The vault type is standard, which ensures any user accessing the secret will not be required to authenticate.
  1. Log in as the administrator:
    $ kinit admin
  2. Create the shared vault:
    $ ipa vault-add shared_vault --shared --type standard
    ---------------------------
    Added vault "shared_vault"
    ---------------------------
      Vault name: shared_vault
      Type: standard
      Owner users: admin
      Shared vault: True
  3. Archive the secret into the vault. Add the --shared option to specify that the vault is in the shared container:
    $ ipa vault-archive shared_vault --shared --in secret.txt
    -----------------------------------
    Archived data into vault "shared_vault"
    -----------------------------------

    Note

    One vault can only store one secret.
  4. Add user1 and user2 as vault members:
    ipa vault-add-member shared_vault --shared --users={user1,user2}
    Vault name: shared_vault
    Type: standard
    Owner users: admin
    Shared vault: True
    Member users: user1, user2
    -------------------------
    Number of members added 2
    -------------------------

22.6.2. Retrieving a Secret from a Shared Vault as a Member User

Log in as a member user of the vault, and export the file with the secret from the vault.
  1. Log in as the user1 member user:
    $ kinit user1
  2. Retrieve the secret from the shared vault:
    $ ipa vault-retrieve shared_vault --shared --out secret_exported.txt
    -----------------------------------------
    Retrieved data from vault "shared_vault"
    -----------------------------------------

Chapter 23. Integrating with NIS Domains and Netgroups

Network information service (NIS) is one of the most common ways to manage identities and authentication on Unix networks. It is simple and easy to use, but it also has inherent security risks and a lack of flexibility that can make administering NIS domains problematic.
Identity Management supplies a way to integrate netgroups and other NIS data into the IdM domain, which incorporates the stronger security structure of IdM over the NIS configuration. Alternatively, administrators can simply migrate user and host identities from a NIS domain into the IdM domain.

23.1. About NIS and Identity Management

Network information service (NIS) centrally manages authentication and identity information such as users and passwords, hosts and IP addresses, and POSIX groups. This was originally called Yellow Pages (abbreviated YP) because of its simple focus on identity and authentication lookups.
NIS is considered too insecure for most modern network environments because it provides no host authentication mechanisms and it transmits all of its information over the network unencrypted, including password hashes. Still, while NIS has been falling out of favor with administrators, it is still actively used by many system clients. There are ways to work around those insecurities by integrating NIS with other protocols which offer enhanced security.
In Identity Management, NIS objects are integrated into IdM using the underlying LDAP directory. LDAP services offer support for NIS objects (as defined in RFC 2307), which Identity Management customizes to provide better integration with other domain identities. The NIS object is created inside the LDAP service and then a module like nss_ldap or SSSD fetches the object using an encrypted LDAP connection.
For NIS support, IdM uses the following plug-ins provided in the slapi-nis package:
NIS server plug-in
The NIS Server plug-in enables the directory server to act as a NIS server for clients. In this role, the directory server can dynamically generate and update NIS maps according to its configuration and the contents of the directory information tree (DIT). Additionally, using the plug-in, the directory server serves the results to clients using the NIS protocol as if it were an ordinary NIS server.
Schema Compatibility plug-in
The Schema Compatibility plug-in enables the directory server to provide an alternate view of entries stored in part of the DIT. This includes adding, dropping, or renaming attribute values, and optionally retrieving values for attributes from multiple entries in the tree.
For further details, see the /usr/share/doc/slapi-nis-version/sch-getting-started.txt file.
NIS entities are stored in netgroups. A netgroup allows nesting (groups inside groups), which standard Unix groups do not support. Also, netgroups provide a way to group hosts, which is also missing in Unix group.
NIS groups work by defining users and hosts as members of a larger domain. A netgroup sets a trio of information — host, user, domain. This is called a triple.
host,user,domain
A netgroup triple associates the user or the host with the domain; it does not associate the user and the host with each other. Therefore, a triple usually defines a host or a user for better clarity and management.
host.example.com,,nisdomain.example.com
-,jsmith,nisdomain.example.com
NIS distributes more than just netgroup data. It stores information about users and passwords, groups, network data, and hosts, among other information. Identity Management can use a NIS listener to map passwords, groups, and netgroups to IdM entries.
In IdM LDAP entries, the users in a netgroup can be a single user or a group; both are identified by the memberUser parameter. Likewise, hosts can be either a single host or a host group; both are identified by the memberHost attribute.
dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=accounts,...
objectclass: top
objectclass: ipaAssociation
objectclass: ipaNISNetgroup
ipaUniqueID: d4453480-cc53-11dd-ad8b-0800200c9a66
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,...
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,...
memberUser: cn=jsmith,cn=users,cn=accounts,...
memberUser: cn=bjensen,cn=users,cn=accounts,...
memberUser: cn=Engineering,cn=groups,cn=accounts,...
nisDomainName: nisdomain.example.com
In Identity Management, these netgroup entries are handled using the netgroup-* commands, which show the basic LDAP entry:
[root@server ~]# ipa netgroup-show netgroup1
Netgroup name: netgroup1
Description: my netgroup
NIS domain name: nisdomain
Member User: jsmith
Member User: bjensen
Member User: Engineering
Member Host: host1.example.com
Member Host: VirtGuests
When a client attempts to access the NIS netgroup, then Identity Management translates the LDAP entry into a traditional NIS map and sends it to a client over the NIS protocol (using a NIS plug-in) or it translates it into an LDAP format that is compliant with RFC 2307 or RFC 2307bis.

23.2. Setting the NIS Port for Identity Management

The IdM server binds to its NIS services over a random port that is selected when the server starts. It sends that port assignment to the portmapper so that NIS clients know what port to use to contact the IdM server.
Administrators may need to open a firewall for NIS clients or may have other services that need to know the port number in advance and need that port number to remain the same. In that case, an administrator can specify the port to use.

Note

Any available port number below 1024 can be used for the NIS Plug-in setting.
The NIS configuration is in the NIS Plug-in in Identity Management's internal Directory Server instance. To specify the port:
  1. Enable the NIS listener and compatibility plug-ins:
    [root@ipaserver ~]# ipa-nis-manage enable
    [root@ipaserver ~]# ipa-compat-manage enable
  2. Edit the plug-in configuration and add the port number as an argument. For example, to set the port to 514:
    [root@ipaserver ~]# ldapmodify -x -D 'cn=directory manager' -w secret
    
    dn: cn=NIS Server,cn=plugins,cn=config
    changetype: modify
    add: nsslapd-pluginarg0
    nsslapd-pluginarg0: 514
    
    modifying entry "cn=NIS Server,cn=plugins,cn=config"
  3. Restart the Directory Server to load the new plug-in configuration.
    [root@ipaserver ~]# systemctl restart dirsrv.target

23.3. Creating Netgroups

All netgroups in Identity Management are essentially static groups, meaning that the members of the group are manually and explicitly added to the group. IdM allows nested groups, where a group is a member of another group. In that case, all of the group members of the member group automatically belong to the parent group, as well.
Netgroups are added in two steps: the group itself is created, and then members are added to it.

23.3.1. Adding Netgroups

23.3.1.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click Add at the top of the netgroups list.
    Netgroups List

    Figure 23.1. Netgroups List

  3. Enter a unique name and, optionally, a description.
    Add Netgroup Dialogue

    Figure 23.2. Add Netgroup Dialogue

    The group name is the identifier used for the netgroup in the IdM domain, and it cannot be changed after it is created. The name cannot contain spaces, but other separators like an underscore (_) are allowed.
  4. Click the Add and Edit button to go immediately to the netgroup's edit pages.
  5. Optionally, set the NIS domain for the netgroup. This defaults to the IdM domain, but it can be changed.
    1. Click the name of the group you wish to edit.
    2. In the General part of the settings, enter the name of the alternate NIS domain in the NIS domain name field.
      Netgroup Tab

      Figure 23.3. Netgroup Tab

      The NIS domain name field sets the domain that appears in the netgroup triple. It does not affect which NIS domain the Identity Management listener responds to.
  6. Add members, as described in Section 23.3.2.1, “With the Web UI”.

23.3.1.2. With the Command Line

New netgroups are added using the netgroup-add command. This adds only the group; members are added separately. Two attributes are always required: the group name and the group description. If those attributes are not given as arguments, then the script prompts for them. There is also an option to set the NIS domain name to use for the group; this defaults to the IdM domain, but it can be set to something different, depending on the network configuration.
[jsmith@server ~]$ ipa netgroup-add --desc="description"  [--nisdomain=domainName]  groupName
For example:
[root@server ~][root@server ~]# ipa netgroup-add --desc="my new netgroup" example-netgroup
[root@server ~]# ipa netgroup-add-member --hosts=ipa.example.com example-netgroup
[root@server ~]# ypcat -d example.com -h ipa.example.com netgroup
(ipa.example.com,-,example.com)

Note

The --nisdomain option sets the domain that appears in the netgroup triple. It does not affect which NIS domain the Identity Management listener responds to.

23.3.2. Adding Netgroup Members

Note

Netgroups can contain user groups, host groups, and other netgroups as their members. These are nested groups.
It can take up to several minutes for the members of the child group to show up as members of the parent group. This is especially true on virtual machines where the nested groups have more than 500 members.
When creating nested groups, be careful not to create recursive groups. For example, if GroupA is a member of GroupB, do not add GroupB as a member of GroupA. Recursive groups are not supported and can cause unpredictable behavior.

23.3.2.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click the name of the netgroup to which to add members.
    Netgroups List

    Figure 23.4. Netgroups List

  3. Choose the type of netgroup member to add. Click Add by the list of the netgroup members.
    User Menu in the Netgroup Tab

    Figure 23.5. User Menu in the Netgroup Tab

  4. Click the check box by the names of the users to add, and click the right arrow button, >, to move the names to the selection box.
    Add User Menu in the Netgroup Tab

    Figure 23.6. Add User Menu in the Netgroup Tab

  5. Click Add.

23.3.2.2. With the Command Line

Once the group is configured, begin adding netgroup members with the netgroup-add-member command. Users, groups, hosts, host groups, and other netgroups can all be added to the netgroup entry. The entry name of the NIS group being edited usually comes at the end of the command:
# ipa netgroup-add-member --users=users --groups=groups --hosts=hosts --hostgroups=hostGroups --netgroups=netgroups  groupName
To set more than one member, either use the option multiple times or use a comma-separated list inside a set of curly braces (for example, --option={val1,val2,val3}). For example, this sets two users and two hosts with the other configuration:
[root@server ~]# ipa netgroup-add-member --users=jsmith --users=bjensen --groups=ITadmin --hosts=host1.example.com --hosts=host2.example.com --hostgroups=EngDev --netgroups=nisgroup2 example-group

23.4. Exposing Automount Maps to NIS Clients

When the NIS service is enabled on a system, the IdM server is automatically configured to set the NIS domain to the IdM domain's name, and to include IdM users, groups, and netgroups as passwd, group, and netgroup maps in the NIS domain.
If any automount maps are already defined, these maps need to be manually added to the NIS configuration in Identity Management for them to be exposed to NIS clients. The NIS server is managed by a special plug-in entry in the IdM LDAP directory; this is a container entry, and each NIS domain and map used by the NIS server is configured as a child entry beneath that container. The NIS domain entry must contain:
  • the name of the NIS domain
  • the name of the NIS map
  • information on how to find the directory entries to use as the NIS map's contents
  • information on which attributes to use as the NIS map's key and value
Most of these settings will be the same for every map.
The IdM server stores the automount maps, grouped by automount location, in the cn=automount branch of the IdM directory tree.
The NIS domain and map is added using LDAP tools, like ldapadd, and editing the directory directly. For example, this adds an automount map that is named auto.example in a location named default and for a server named nisserver:
[root@server ~]# ldapadd -h nisserver.example.com -x -D "cn=Directory Manager" -w secret

dn: nis-domain=example.com+nis-map=auto.example,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: example.com
nis-map: auto.example
nis-filter: (objectclass=automount)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
nis-base: automountmapname=auto.example,cn=default,cn=automount,dc=example,dc=com
A similar add operation needs to be run for every map that is configured.

23.5. Migrating from NIS to IdM

There is no direct migration path from NIS to Identity Management. This is a manual process with three major steps: setting up netgroup entries in IdM, exporting the existing data from NIS, and importing that data into IdM. There are several options for how to set up the IdM environment and how to export data; the best option depends on the type of data and the overall network environment that you have.

23.5.1. Preparing Netgroup Entries in IdM

The first step is to identify what kinds of identities are being managed by NIS. Frequently, a NIS server is used for either user entries or host entries, but not for both, which can simplify the data migration process.
For user entries
Determine what applications are using the user information in the NIS server. While some clients (like sudo) require NIS netgroups, many clients can use Unix groups instead. If no netgroups are required, then simply create corresponding user accounts in IdM and delete the netgroups entirely. Otherwise, create the user entries in IdM and then create an IdM-managed netgroup and add those users as members. This is described in Section 23.3, “Creating Netgroups”.
For host entries
Whenever a host group is created in IdM, a corresponding shadow NIS group is automatically created. These netgroups can then be managed using the ipa-host-net-manage command.
For a direct conversion
It may be necessary to have an exact conversion, with every NIS user and host having an exact corresponding entry in IdM. In that case, each entry can be created using the original NIS names:
  1. Create an entry for every user referenced in a netgroup.
  2. Create an entry for every host referenced in a netgroup.
  3. Create a netgroup with the same name as the original netgroup.
  4. Add the users and hosts as direct members of the netgroup. Alternatively, add the users and hosts into IdM groups or other netgroups, and then add those groups as members to the netgroup.

23.5.2. Enabling the NIS Listener in Identity Management

The IdM Directory Server can function as a limited NIS server. The slapi-nis plug-in sets up a special NIS listener that receives incoming NIS requests and manages the NIS maps within the Directory Server. Identity Management uses three NIS maps:
  • passwd
  • group
  • netgroup
Using IdM as an intermediate NIS server offers a reasonable way to handle NIS requests while migrating NIS clients and data.
The slapi-nis plug-in is not enabled by default. To enable NIS for Identity Management:
  1. Obtain new Kerberos credentials as an IdM admin user.
    [root@ipaserver ~]# kinit admin
  2. Enable the NIS listener and compatibility plug-ins:
    [root@ipaserver ~]# ipa-nis-manage enable
    [root@ipaserver ~]# ipa-compat-manage enable
  3. Restart the port mapper and Directory Server service:
    [root@server ~]# systemctl start rpcbind.service
    [root@server ~]# systemctl restart dirsrv.target

23.5.3. Exporting and Importing the Existing NIS Data

NIS can contain information for users, groups, DNS and hosts, netgroups, and automount maps. Any of these entry types can be migrated over to the IdM server.
Migration is performed by exporting the data using ypcat and then looping through that output and creating the IdM entries with the corresponding ipa *-add commands. While this could be done manually, it is easiest to script it. These examples use a shell script.

23.5.3.1. Importing User Entries

The /etc/passwd file contains all of the NIS user information. These entries can be used to create IdM user accounts with UID, GID, GECOS, shell, home directory, and name attributes that mirror the NIS entries.
For example, this is nis-user.sh:
#!/bin/sh
# 1 is the nis domain, 2 is the nis master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd); do
        IFS=' '
        username=$(echo $line|cut -f1 -d:)
        # Not collecting encrypted password because we need cleartext password to create kerberos key
        uid=$(echo $line|cut -f3 -d:)
        gid=$(echo $line|cut -f4 -d:)
        gecos=$(echo $line|cut -f5 -d:)
        homedir=$(echo $line|cut -f6 -d:)
        shell=$(echo $line|cut -f7 -d:)

        # Now create this entry
        echo passw0rd1|ipa user-add $username --first=NIS --last=USER --password --gidnumber=$gid --uid=$uid --gecos=$gecos --homedir=$homedir --shell=$shell
        ipa user-show $username
done 
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-user.sh nisdomain nis-master.example.com

Note

This script does not migrate user passwords. Rather, it creates a temporary password which users are then prompted to change when they next log in.

23.5.3.2. Importing Group Entries

The /etc/group file contains all of the NIS group information. These entries can be used to create IdM user group accounts with the GID, gecos, shell, home directory, and name attributes that mirror the NIS entries.
For example, this is nis-group.sh:
#!/bin/sh
# 1 is the nis domain, 2 is the nis master server
ypcat -d $1 -h $2 group > /dev/shm/nis-map.group 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.group); do
        IFS=' '
        groupname=$(echo $line|cut -f1 -d:)
        # Not collecting encrypted password because we need cleartext password to create kerberos key
        gid=$(echo $line|cut -f3 -d:)
        members=$(echo $line|cut -f4 -d:)

        # Now create this entry
        ipa group-add $groupname --desc=NIS_GROUP_$groupname --gid=$gid
        if [ -n "$members" ]; then
		ipa group-add-member $groupname --users={$members}
        fi
        ipa group-show $groupname
done 
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-group.sh nisdomain nis-master.example.com

23.5.3.3. Importing Host Entries

The /etc/hosts file contains all of the NIS host information. These entries can be used to create IdM host accounts that mirror the NIS entries.
For example, this is nis-hosts.sh:
#!/bin/sh
# 1 is the nis domain, 2 is the nis master server
ypcat -d $1 -h $2 hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.hosts); do
        IFS=' '
        ipaddress=$(echo $line|awk '{print $1}')
        hostname=$(echo $line|awk '{print $2}')
        master=$(ipa env xmlrpc_uri |tr -d '[:space:]'|cut -f3 -d:|cut -f3 -d/)
        domain=$(ipa env domain|tr -d '[:space:]'|cut -f2 -d:)
        if [ $(echo $hostname|grep "\." |wc -l) -eq 0 ]; then
                hostname=$(echo $hostname.$domain)
        fi
        zone=$(echo $hostname|cut -f2- -d.)
        if [ $(ipa dnszone-show $zone 2>/dev/null | wc -l) -eq 0 ]; then
                ipa dnszone-add --name-server=$master --admin-email=root.$master
        fi
        ptrzone=$(echo $ipaddress|awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
        if [ $(ipa dnszone-show $ptrzone 2>/dev/null|wc -l) -eq 0 ]; then
                ipa dnszone-add  $ptrzone --name-server=$master --admin-email=root.$master
        fi
        # Now create this entry
        ipa host-add $hostname --ip-address=$ipaddress
        ipa host-show $hostname
done
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-hosts.sh nisdomain nis-master.example.com

Note

This script example does not account for special host scenarios, such as using aliases.

23.5.3.4. Importing Netgroup Entries

The /etc/netgroup file contains all of the NIS netgroup information. These entries can be used to create IdM netgroup accounts that mirror the NIS entries.
For example, this is nis-netgroup.sh:
#!/bin/sh
# 1 is the nis domain, 2 is the nis master server
ypcat -k -d $1 -h $2 netgroup > /dev/shm/nis-map.netgroup 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.netgroup); do
        IFS=' '
        netgroupname=$(echo $line|awk '{print $1}')
        triples=$(echo $line|sed "s/^$netgroupname //")
        echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
        if [ $(echo $line|grep "(,"|wc -l) -gt 0 ]; then
                echo "ipa netgroup-mod $netgroupname --hostcat=all"
        fi
        if [ $(echo $line|grep ",,"|wc -l) -gt 0 ]; then
                echo "ipa netgroup-mod $netgroupname --usercat=all"
        fi

        for triple in $triples; do
                triple=$(echo $triple|sed -e 's/-//g' -e 's/(//' -e 's/)//')
                if [ $(echo $triple|grep ",.*,"|wc -l) -gt 0 ]; then
                        hostname=$(echo $triple|cut -f1 -d,)
                        username=$(echo $triple|cut -f2 -d,)
                        domain=$(echo $triple|cut -f3 -d,)
                        hosts=""; users=""; doms="";
                        [ -n "$hostname" ] && hosts="--hosts=$hostname"
                        [ -n "$username" ] && users="--users=$username"
                        [ -n "$domain"   ] && doms="--nisdomain=$domain"
                        echo "ipa netgroup-add-member $hosts $users $doms"
                else
                        netgroup=$triple
                        echo "ipa netgroup-add $netgroup --desc=NIS_NG_$netgroup"
                fi
        done
done
As explained briefly in Section 23.1, “About NIS and Identity Management”, NIS entries exist in a set of three values, called a triple. The triple is host,user,domain, but not every component is required; commonly, a triple only defines a host and domain or user and domain. The way this script is written, the ipa netgroup-add-member command always adds a host, user, and domain triple to the netgroup.
if [ $(echo $triple|grep ",.*,"|wc -l) -gt 0 ]; then
        hostname=$(echo $triple|cut -f1 -d,)
        username=$(echo $triple|cut -f2 -d,)
        domain=$(echo $triple|cut -f3 -d,)
        hosts=""; users=""; doms="";
        [ -n "$hostname" ] && hosts="--hosts=$hostname"
        [ -n "$username" ] && users="--users=$username"
        [ -n "$domain"   ] && doms="--nisdomain=$domain"
        echo "ipa netgroup-add-member $hosts $users $doms" 
Any missing element is added as a blank, so the triple is properly migrated. For example, for the triple server,,domain the options with the member add command are --hosts=server --users="" --nisdomain=domain.
This can be run for a given NIS domain by specifying the NIS domain and NIS server:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-hosts.sh nisdomain nis-master.example.com

23.5.3.5. Importing Automount Maps

Automount maps are actually a series of nested and interrelated entries that define the location (the parent entry), and then associated keys and maps.
While the data are the same in the NIS and IdM entries, the way that data are defined is different. The NIS information is exported and then used to construct an LDAP entry for the automount location and associated map; a script then creates an entry for every configured key for the map.
Unlike the other NIS migration script examples, this script takes options to create an automount location and a map name, along with the migrated NIS domain and server.
#!/bin/sh
# 1 is for the automount entry in ipa

ipa automountlocation-add $1

# 2 is the nis domain, 3 is the nis master server, 4 is the map name
ypcat -k -d $2 -h $3 $4 > /dev/shm/nis-map.$4 2>&1

ipa automountmap-add $1 $4

basedn=$(ipa env basedn|tr -d '[:space:]'|cut -f2 -d:)
cat > /tmp/amap.ldif <<EOF
dn: nis-domain=nisdomain.example.com+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: $3
nis-map: $4
nis-base: automountmapname=$4,cn=nis,cn=automount,$basedn
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
EOF
ldapadd -x -h $3 -D "cn=directory manager" -w secret -f /tmp/amap.ldif

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.$4); do
        IFS=" "
        key=$(echo "$line" | awk '{print $1}')
        info=$(echo "$line" | sed -e "s#^$key[ \t]*##")
        ipa automountkey-add nis $4 --key="$key" --info="$info"
done
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-hosts.sh location nisdomain nis-master.example.com map

23.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM

A NIS server can handle CRYPT password hashes. Once an existing NIS server is migrated to IdM (and its underlying LDAP database), it may still be necessary to preserve the NIS-supported CRYPT passwords. However, the LDAP server does not use CRYPT hashes by default. It uses salted SHA (SSHA) or SSHA-256. If the 389 Directory Server password hash is not changed, then NIS users cannot authenticate to the IdM domain. The kinit command is not affected by the server's password hashing configuration.
To set the underlying 389 Directory Server to use CRYPT as the password hash, change the passwordStorageScheme attribute using ldapmodify:
[root@server ~]# ldapmodify -D "cn=directory server" -w secret -p 389 -h ipaserver.example.com

dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt

Note

Changing the password storage scheme only applies the scheme to new passwords; it does not retroactively change the encryption method used for existing passwords.
If weak cryptography is required for password hashes, it is better to change the setting as early as possible so that more user passwords use the weaker password hash.

Chapter 24. Managing DNS

An Identity Management server can be installed without integrated DNS services so that it uses an external DNS service or with DNS configured. See Section 2.3, “Installing an IdM Server: Introduction” and Section 2.3.1, “Determining Whether to Use Integrated DNS” for details.
If the DNS service is configured within the domain, IdM offers the administrator a significant amount of flexibility and control over DNS settings. For example, DNS entries for the domain, such as host entries, locations, or records, can be managed using native IdM tools, and clients can update their own DNS records dynamically.
Most documentation material and tutorials available for BIND version 9.9 are also applicable to IdM DNS, because majority of configuration options work in the same way in BIND and IdM. This chapter mostly focuses on notable differences between BIND and IdM.

24.1. BIND in Identity Management

IdM integrates BIND DNS server version 9.9 with an LDAP database used for data replication and with Kerberos for DNS update signing using the GSS-TSIG protocol [3]. This enables convenient DNS management using IdM tools and at the same time increases resiliency because IdM-integrated DNS servers support multi-master operations, allowing all IdM-integrated DNS servers to accept DNS updates from clients without having a single point of failure.
The default IdM DNS configuration is suitable for internal networks that are not accessible from the public Internet. If the IdM DNS server is accessible from the public Internet, Red Hat recommends applying the usual hardening applicable to the BIND service, described in the Red Hat Enterprise Linux Networking Guide.

Note

It is not possible to run BIND integrated with IdM inside a chroot environment.
BIND integrated with IdM communicates with the Directory Server using the bind-dyndb-ldap plug-in. IdM creates a dynamic-db configuration section in the /etc/named.conf file for the BIND service, which configures the bind-dyndb-ldap plug-in for the BIND named-pkcs11 service.
The most notable difference between standard BIND and IdM DNS is that IdM stores all DNS information as LDAP entries. Every domain name is represented as an LDAP entry, and every resource record is stored as an LDAP attribute of the LDAP entry. For example, the following client1.example.com. domain name contains three A records and one AAAA record:
dn: idnsname=client1,idnsname=example.com.,cn=dns,dc=idm,dc=example,dc=com
objectclass: top
objectclass: idnsrecord
idnsname: client1
Arecord: 192.0.2.1
Arecord: 192.0.2.2
Arecord: 192.0.2.3
AAAArecord: 2001:DB8::ABCD

Important

To edit DNS data or BIND configuration, always use the IdM tools described in this chapter.

24.2. Supported DNS Zone Types

IdM supports two DNS zone types: master and forward zones.

Note

This guide uses the BIND terminology for zone types which is different from the terminology used for Microsoft Windows DNS. Master zones in BIND serve the same purpose as forward lookup zones and reverse lookup zones in Microsoft Windows DNS. Forward zones in BIND serve the same purpose as conditional forwarders in Microsoft Windows DNS.
Master DNS zones
Master DNS zones contain authoritative DNS data and can accept dynamic DNS updates. This behavior is equivalent to the type master setting in standard BIND configuration. Master zones are managed using the ipa dnszone-* commands.
In compliance with standard DNS rules, every master zone must contain SOA and NS records. IdM generates these records automatically when the DNS zone is created, but the NS records must be manually copied to the parent zone to create proper delegation.
In accordance with standard BIND behavior, forwarding configuration specified for master zones only affects queries for names for which the server is not authoritative.

Example 24.1. Example Scenario for DNS Forwarding

The IdM server contains the test.example. master zone. This zone contains an NS delegation record for the sub.test.example. name. In addition, the test.example. zone is configured with the 192.0.2.254 forwarder IP address.
A client querying the name nonexistent.test.example. receives the NXDomain answer, and no forwarding occurs because the IdM server is authoritative for this name.
On the other hand, querying for the sub.test.example. name is forwarded to the configured forwarder 192.0.2.254 because the IdM server is not authoritative for this name.
Forward DNS zones
Forward DNS zones do not contain any authoritative data. All queries for names belonging to a forward DNS zone are forwarded to a specified forwarder. This behavior is equivalent to the type forward setting in standard BIND configuration. Forward zones are managed using the ipa dnsforwardzone-* commands.

24.3. DNS Configuration Priorities

Many DNS configuration options can be configured on three different levels.
Zone-specific configuration
The level of configuration specific for a particular zone defined in IdM has the highest priority. Zone-specific configuration is managed using the ipa dnszone-* and ipa dnsforwardzone-* commands.
Global DNS configuration
If no zone-specific configuration is defined, IdM uses global DNS configuration stored in LDAP. Global DNS configuration is managed using the ipa dnsconfig-* commands. Settings defined in global DNS configuration are applied to all IdM DNS servers.
Configuration in /etc/named.conf
Configuration defined in the /etc/named.conf file on each IdM DNS server has the lowest priority. It is specific for each server and must be edited manually.
The /etc/named.conf file is usually only used to specify DNS forwarding to a local DNS cache; other options are managed using the commands for zone-specific and global DNS configuration mentioned above.
DNS options can be configured on multiple levels at once. In such cases, configuration with the highest priority takes precedence over configuration defined at lower levels.

24.4. Managing Master DNS Zones

24.4.1. Adding and Removing Master DNS Zones

Adding Master DNS Zones in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    Managing DNS Master Zones

    Figure 24.1. Managing DNS Master Zones

  2. To add a new master zone, click Add at the top of the list of all zones.
    Adding a Master DNS Zone

    Figure 24.2. Adding a Master DNS Zone

  3. Provide the zone name, and click Add.
    Entering a New Master Zone

    Figure 24.3. Entering a New Master Zone

Adding Master DNS Zones from the Command Line

The ipa dnszone-add command adds a new zone to the DNS domain. Adding a new zone requires you to specify the name of the new subdomain. You can pass the subdomain name directly with the command:
$ ipa dnszone-add newserver.example.com
If you do not pass the name to ipa dnszone-add, the script prompts for it automatically.
The ipa dnszone-add command also accepts various command-line options. For a complete list of these options, run the ipa dnszone-add --help command.

Removing Master DNS Zones

To remove a master DNS zone in the web UI, in the list of all zones, select the check box by the zone name and click Delete.
Removing a Master DNS Zone

Figure 24.4. Removing a Master DNS Zone

To remove a master DNS zone from the command line, use the ipa dnszone-del command. For example:
$ ipa dnszone-del server.example.com

24.4.2. Adding Additional Configuration for Master DNS Zones

IdM creates a new zone with certain default configuration, such as the refresh periods, transfer settings, or cache settings.

DNS Zone Configuration Attributes

The available zone settings are listed in Table 24.1, “Zone Attributes”. Along with setting the actual information for the zone, the settings define how the DNS server handles the start of authority (SOA) record entries and how it updates its records from the DNS name server.

Table 24.1. Zone Attributes

Attribute Command-Line Option Description
Authoritative name server --name-server
Sets the domain name of the master DNS name server, also known as SOA MNAME.
By default, each IdM server advertises itself in the SOA MNAME field. Consequently, the value stored in LDAP using --name-server is ignored.
Administrator e-mail address --admin-email Sets the email address to use for the zone administrator. This defaults to the root account on the host.
SOA serial --serial Sets a serial number in the SOA record. Note that IdM sets the version number automatically and users are not expected to modify it.
SOA refresh --refresh Sets the interval, in seconds, for a secondary DNS server to wait before requesting updates from the primary DNS server.
SOA retry --retry Sets the time, in seconds, to wait before retrying a failed refresh operation.
SOA expire --expire Sets the time, in seconds, that a secondary DNS server will try to perform a refresh update before ending the operation attempt.
SOA minimum --minimum Sets the time to live (TTL) value in seconds for negative caching according to RFC 2308.
SOA time to live --ttl Sets TTL in seconds for records at zone apex. In zone example.com, for instance, all records (A, NS, or SOA) under name example.com are configured, but no other domain names, like test.example.com, are affected.
Default time to live --default-ttl Sets the default time to live (TTL) value in seconds for negative caching for all values in a zone that never had an individual TTL value set before. Requires a restart of the named-pkcs11 service on all IdM DNS servers after changes to take effect.
BIND update policy --update-policy
Sets the permissions allowed to clients in the DNS zone.
See Dynamic Update Policies in the BIND 9 Administrator Reference Manual for more information on update policy syntax.
Dynamic update --dynamic-update=TRUE|FALSE Enables dynamic updates to DNS records for clients.
Note that if this is set to false, IdM client machines will not be able to add or update their IP address. See Section 24.5.1, “Enabling Dynamic DNS Updates” for more information.
Allow transfer --allow-transfer=string
Gives a list of IP addresses or network names which are allowed to transfer the given zone, separated by semicolons (;).
Zone transfers are disabled by default. The default --allow-transfer value is none.
Allow query --allow-query Gives a list of IP addresses or network names which are allowed to issue DNS queries, separated by semicolons (;).
Allow PTR sync --allow-sync-ptr=1|0 Sets whether A or AAAA records (forward records) for the zone will be automatically synchronized with the PTR (reverse) records.
Zone forwarders --forwarder=IP_address Specifies a forwarder specifically configured for the DNS zone. This is separate from any global forwarders used in the IdM domain.
To specify multiple forwarders, use the option multiple times.
Forward policy --forward-policy=none|only|first Specifies the forward policy. For information about the supported policies, see Section 24.6, “Forward Policies”

Editing the Zone Configuration in the Web UI

To manage DNS master zones from the web UI, open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
DNS Master Zones Management

Figure 24.5. DNS Master Zones Management

To edit an existing master zone in the DNS Zones section:
  1. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a Master Zone

    Figure 24.6. Editing a Master Zone

  2. Click Settings, and then change the zone configuration as required.
    The Settings Tab in the Master Zone Edit Page

    Figure 24.7. The Settings Tab in the Master Zone Edit Page

    For information about the available settings, see Table 24.1, “Zone Attributes”.
  3. Click Save to confirm the new configuration.

Note

If you are changing the default time to live (TTL) of a zone, restart the named-pkcs11 service on all IdM DNS servers to make the changes take effect. All other settings are automatically activated immediately.

Editing the Zone Configuration from the Command Line

To modify an existing master DNS zone from the command line, use the ipa dnszone-mod command. For information about the available settings, see Table 24.1, “Zone Attributes”.
If an attribute does not exist in the DNS zone entry, the ipa dnszone-mod command adds the attribute. If the attribute exists, the command overwrites the current value with the specified value.
For detailed information about ipa dnszone-mod and its options, run the ipa dnszone-mod --help command.

Note

If you are changing the default time to live (TTL) of a zone, restart the named-pkcs11 service on all IdM DNS servers to make the changes take effect. All other settings are automatically activated immediately.

24.4.3. Enabling Zone Transfers

Name servers maintain authoritative data for the zones; changes made to the zones must be sent to and distributed among the name servers for the DNS domain. A zone transfer copies all resource records from one name server to another.
IdM supports zone transfers according to the RFC 5936 (AXFR) and RFC 1995 (IXFR) standards.

Important

The IdM-integrated DNS is multi-master. SOA serial numbers in IdM zones are not synchronized between IdM servers. For this reason, configure DNS slave servers to only use one IdM master server. This prevents zone transfer failures caused by non-synchronized SOA serial numbers.

Enabling Zone Transfers in the UI

Open the DNS zone page, as described in Section 24.4.2, “Editing the Zone Configuration in the Web UI”, and switch to the Settings tab.
Under Allow transfer, specify the name servers to which the zone records will be transferred.
Enabling Zone Transfers

Figure 24.8. Enabling Zone Transfers

Click Save at the top of the DNS zone page to confirm the new configuration.

Enabling Zone Transfers from the Command Line

To enable zone transfers from the command line, add the --allow-transfer option to the ipa dnszone-mod command. Specify the list of name servers to which the zone records will be transferred using --allow-transfer. For example:
[user@server ~]$ ipa dnszone-mod --allow-transfer=192.0.2.1;198.51.100.1;203.0.113.1 example.com
Once zone transfers are enabled in the bind service, IdM DNS zones can be transferred, by name, by clients such as the dig utility:
[root@server ~]# dig @ipa-server zone_name AXFR

24.4.4. Adding Records to DNS Zones

IdM supports many different record types. The following four are used most frequently:
A
This is a basic map for a host name and an ordinary IPv4 address. The record name of an A record is a host name, such as www. The IP Address value of an A record is a standard IPv4 address, such as 192.0.2.1.
For more information about A records, see RFC 1035.
AAAA
This is a basic map for a host name and an IPv6 address. The record name of an AAAA record is a host name, such as www. The IP Address value is a standard hexadecimal IPv6 address, such as 2001:DB8::1111.
For more information about AAAA records, see RFC 3596.
SRV
Service (SRV) resource records map service names to the DNS name of the server that is providing that particular service. For example, this record type can map a service like an LDAP directory to the server which manages it.
The record name of an SRV record has the format _service._protocol, such as _ldap._tcp. The configuration options for SRV records include priority, weight, port number, and host name for the target service.
For more information about SRV records, see RFC 2782.
PTR
A pointer record type (PTR) record adds a reverse DNS record, which maps an IP address to a domain name.

Note

All reverse DNS lookups for IPv4 addresses use reverse entries that are defined in the in-addr.arpa. domain. The reverse address, in human-readable form, is the exact reverse of the regular IP address, with the in-addr.arpa. domain appended to it. For example, for the network address 192.0.2.0/24, the reverse zone is 2.0.192.in-addr.arpa.
The record name of a PTR record must be in the standard format specified in RFC 1035, extended in RFC 2317, and RFC 3596. The host name value must be a canonical host name of the host for which you want to create the record. For more information, see Example 24.8, “PTR Record”.

Note

Reverse zones can also be configured for IPv6 addresses, with zones in the .ip6.arpa. domain. For more information about IPv6 reverse zones, see RFC 3596.
When adding DNS resource records, note that many of the records require different data. For example, a CNAME record requires a host name, while an A record requires an IP address. In the web UI, the fields in the form for adding a new record are updated automatically to reflect what data is required for the currently selected type of record.

DNS Wildcard Support

IdM supports the special record * in a DNS zone as wildcard.

Example 24.2. Demonstrating DNS Wildcard Results

  1. Configure the following in your DNS zone example.com:
    • A wildcard A record *.example.com.
    • An MX record for mail.example.com, but no A record for this host.
    • No record for demo.example.com.
  2. Query existing and non-existent DNS records and types. You will receive the following results:
    # host -t MX mail.example.com.
    mail.example.com mail is handled by 10 server.example.com.
    
    # host -t MX demo.example.com.
    demo.example.com. has no MX record.
    
    # host -t A mail.example.com.
    mail.example.com has no A record
    
    # host -t A demo.example.com.
    random.example.com has address 192.168.1.1
    
For more details, see RFC1034.

Adding DNS Resource Records from the Web UI

  1. In the DNS Resource Records section, click Add to add a new record.
    Adding a New DNS Resource Record

    Figure 24.9. Adding a New DNS Resource Record

  2. Select the type of record to create and fill out the other fields as required.
    Defining a New DNS Resource Record

    Figure 24.10. Defining a New DNS Resource Record

  3. Click Add to confirm the new record.

Adding DNS Resource Records from the Command Line

To add a DNS resource record of any type from the command line, use the ipa dnsrecord-add command. The command follows this syntax:
$ ipa dnsrecord-add zone_name record_name --record_type_option=data
The zone_name is the name of the DNS zone to which the record is being added. The record_name is an identifier for the new DNS resource record.
Table 24.2, “Common ipa dnsrecord-add Options” lists options for the most common resource record types: A (IPv4), AAAA (IPv6), SRV, and PTR. Lists of entries can be set by using the option multiple times with the same command invocation or, in Bash, by listing the options in a comma-separated list inside curly braces, such as --option={val1,val2,val3}.
For more detailed information on how to use ipa dnsrecord-add and which DNS record types are supported by IdM, run the ipa dnsrecord-add --help command.

Table 24.2. Common ipa dnsrecord-add Options

General Record Options
Option Description
--ttl=number Sets the time to live for the record.
--structured Parses the raw DNS records and returns them in a structured format.
"A" Record Options
Option Description
--a-rec=ARECORD Passes a list of A records.
--a-ip-address=string Gives the IP address for the record.
"AAAA" Record Options
Option Description
--aaaa-rec=AAAARECORD Passes a list of AAAA (IPv6) records.
--aaaa-ip-address=string Gives the IPv6 address for the record.
"PTR" Record Options
Option Description
--ptr-rec=PTRRECORD Passes a list of PTR records.
--ptr-hostname=string Gives the host name for the record.
"SRV" Record Options
Option Description
--srv-rec=SRVRECORD Passes a list of SRV records.
--srv-priority=number Sets the priority of the record. There can be multiple SRV records for a service type. The priority (0 - 65535) sets the rank of the record; the lower the number, the higher the priority. A service has to use the record with the highest priority first.
--srv-weight=number Sets the weight of the record. This helps determine the order of SRV records with the same priority. The set weights should add up to 100, representing the probability (in percentages) that a particular record is used.
--srv-port=number Gives the port for the service on the target host.
--srv-target=string Gives the domain name of the target host. This can be a single period (.) if the service is not available in the domain.

24.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line

Example 24.3. Adding a IPv4 Record

The following example creates the record www.example.com with the IP address 192.0.2.123.
$ ipa dnsrecord-add example.com www --a-rec 192.0.2.123

Example 24.4. Adding a IPv4 Wildcard Record

The following example creates a wildcard A record with the IP address 192.0.2.123:
$ ipa dnsrecord-add example.com "*" --a-rec 192.0.2.123

Example 24.5. Modifying a IPv4 Record

When creating a record, the option to specify the A record value is --a-record. However, when modifying an A record, the --a-record option is used to specify the current value for the A record. The new value is set with the --a-ip-address option.
$ ipa dnsrecord-mod example.com www --a-rec 192.0.2.123 --a-ip-address 192.0.2.1

Example 24.6. Adding an IPv6 Record

The following example creates the record www.example.com with the IP address 2001:db8::1231:5675.
$ ipa dnsrecord-add example.com www --aaaa-rec 2001:db8::1231:5675

Example 24.7. Adding an SRV Record

In the following example, _ldap._tcp defines the service type and the connection protocol for the SRV record. The --srv-rec option defines the priority, weight, port, and target values.
For example:
[root@server ~]# ipa dnsrecord-add server.example.com _ldap._tcp --srv-rec="0 51 389 server1.example.com."
[root@server ~]# ipa dnsrecord-add server.example.com _ldap._tcp --srv-rec="1 49 389 server2.example.com."
The weight values (51 and 49 in this example) add up to 100 and represent the probability (in percentages) that a particular record is used.

Example 24.8. PTR Record

When adding the reverse DNS record, the zone name used with the ipa dnsrecord-add command is reverse, compared to the usage for adding other DNS records:
$ ipa dnsrecord-add reverseNetworkIpAddress hostIpAddress --ptr-rec FQDN
Typically, hostIpAddress is the last octet of the IP address in a given network.
For example, this adds a PTR record for server4.example.com with IPv4 address 192.0.2.4:
$ ipa dnsrecord-add 2.0.192.in-addr.arpa 4 --ptr-rec server4.example.com.
The next example adds a reverse DNS entry to the 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IPv6 reverse zone for the host server2.example.com with the IP address 2001:DB8::1111:
$ ipa dnsrecord-add 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1.1.1.0.0.0.0.0.0.0.0.0.0.0.0 --ptr-rec server2.example.com.

24.4.6. Deleting Records from DNS Zones

Deleting Records in the Web UI

To delete only a specific record type from the resource record:
  1. In the DNS Resource Records section, click the name of the resource record.
    Selecting a DNS Resource Record

    Figure 24.11. Selecting a DNS Resource Record

  2. Select the check box by the name of the record type to delete.
    Deleting a DNS Resource Record

    Figure 24.12. Deleting a DNS Resource Record

    After this, only the selected record type is deleted; the other configuration is left intact.
To delete all records for the resource in the zone:
  1. In the DNS Resource Records section, select the check box by the name of the resource record to delete, and then click Delete at the top of the list of zone records.
    Deleting an Entire Resource Record

    Figure 24.13. Deleting an Entire Resource Record

    After this, the entire resource record is deleted.

Deleting Records from the Command Line

To remove records from a zone, use the ipa dnsrecord-del command and add the --recordType-rec option together with the record value.
For example, to remove the A type record:
$ ipa dnsrecord-del example.com www --a-rec 192.0.2.1
If you run ipa dnsrecord-del without any options, the command prompts for information about the record to delete. Note that passing the --del-all option with the command removes all associated records for the zone.
For detailed information on how to use ipa dnsrecord-del and a complete list of options accepted by the command, run the ipa dnsrecord-del --help command.

24.4.7. Disabling and Enabling Zones

IdM allows the administrator to disable and enable DNS zones. While deleting a DNS zone, described in Section 24.4.1, “Removing Master DNS Zones”, completely removes the zone entry and all the associated configuration, disabling the zone removes it from activity without permanently removing the zone from IdM. A disabled zone can also be enabled again.

Disabling and Enabling Zones in the Web UI

To manage DNS zones from the Web UI, open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
Managing DNS Zones

Figure 24.14. Managing DNS Zones

To disable a zone, select the check box next to the zone name and click Disable.
Disabling a DNS Zone

Figure 24.15. Disabling a DNS Zone

Similarly, to enable a disabled zone, select the check box next to the zone name and click Enable.

Disabling and Enabling DNS Zones from the Command Line

To disable a DNS zone from the command line, use the ipa dnszone-disable command. For example:
[user@server ~]$ ipa dnszone-disable zone.example.com
----------------------------------------- 
Disabled DNS zone "example.com" 
-----------------------------------------
To re-enable a disabled zone, use the ipa dnszone-enable command.

24.5. Managing Dynamic DNS Updates

24.5.1. Enabling Dynamic DNS Updates

Dynamic DNS updates are disabled by default for new DNS zones in IdM. With dynamic updates disabled, the ipa-client-install script cannot add a DNS record pointing to the new client.

Note

Enabling dynamic updates can potentially pose a security risk. However, if enabling dynamic updates is acceptable in your environment, you can do it to make client installations easier.
Enabling dynamic updates requires the following:
  • The DNS zone must be configured to allow dynamic updates
  • The local clients must be configured to send dynamic updates

24.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates

Enabling Dynamic DNS Updates in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 24.16. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a Master Zone

    Figure 24.17. Editing a Master Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 24.18. The Settings Tab in the Master Zone Edit Page

  4. Scroll down to the Dynamic update field, and set the value to True.
    Enabling Dynamic DNS Updates

    Figure 24.19. Enabling Dynamic DNS Updates

  5. Click Save at the top of the page to confirm the new configuration.

Enabling Dynamic DNS Updates from the Command Line

To allow dynamic updates to the DNS zones from the command line, use the ipa dnszone-mod command with the --dynamic-update=TRUE option. For example:
[user@server ~]$ ipa dnszone-mod server.example.com --dynamic-update=TRUE

24.5.1.2. Configuring the Clients to Send Dynamic Updates

Clients are automatically set up to send DNS updates when they are enrolled in the domain, by using the --enable-dns-updates option with the ipa-client-install script.
[root@client ~]# ipa-client-install --enable-dns-updates
The DNS zone has a time to live (TTL) value set for records within its SOA configuration. However, the TTL for the dynamic updates is managed on the local system by the System Security Service Daemon (SSSD). To change the TTL value for the dynamic updates, edit the SSSD file to set a value; the default is 1200 seconds.
  1. Open the SSSD configuration file.
    [root@server ~]# vim /etc/sssd/sssd.conf
  2. Find the domain section for the IdM domain.
    [domain/ipa.example.com]
  3. If dynamic updates have not been enabled for the client, then set the dyndns_update value to true.
    dyndns_updates = true
  4. Add or edit the dyndns_ttl parameter to set the value, in seconds.
    dyndns_ttl = 2400

24.5.2. Synchronizing A/AAAA and PTR Records

A and AAAA records are configured separately from PTR records in reverse zones. Because these records are configured independently, it is possible for A/AAAA records to exist without corresponding PTR records, and vice versa.
There are some DNS setting requirements for PTR synchronization to work:
  • Both forward and reverse zones must be managed by the IdM server.
  • Both zones must have dynamic updates enabled.
    Enabling dynamic updates is covered in Section 24.5.1, “Enabling Dynamic DNS Updates”.
  • PTR synchronization must be enabled for the master forward zone, not for the reverse zone.
  • The PTR record will be updated only if the name of the requesting client matches the name in the PTR record.

Important

Changes made through the IdM web UI, through the IdM command-line tools, or by editing the LDAP entry directly do not update the PTR record. Only changes made by the DNS service itself trigger PTR record synchronization.

Warning

A client system can update its own IP address. This means that a compromised client can be used to overwrite PTR records by changing its IP address.

Configuring PTR Record Synchronization in the Web UI

Note that PTR record synchronization must be configured on the zone where A or AAAA records are stored, not on the reverse DNS zone where PTR records are located.
  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 24.20. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a DNS Zone

    Figure 24.21. Editing a DNS Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 24.22. The Settings Tab in the Master Zone Edit Page

  4. Select the Allow PTR sync check box.
    Enabling PTR Synchronization

    Figure 24.23. Enabling PTR Synchronization

  5. Click Save at the top of the page to confirm the new configuration.

Configuring PTR Record Synchronization from the Command Line

Note that PTR record synchronization must be configured on the zone where A or AAAA records are stored, not on the reverse DNS zone where PTR records are located.
To configure a DNS zone to allow its forward and reverse entries to be synchronized automatically, set the --allow-sync-ptr option to 1 when the zone is created or when it is edited. For example, using the ipa dnszone-mod command when editing an existing zone:
[user@server ~]$ ipa dnszone-mod --allow-sync-ptr=1 zone.example.com
The default --allow-sync-ptr value is 0, which disables synchronization.

24.5.3. Updating DNS Dynamic Update Policies

DNS domains maintained by IdM servers can accept a DNS dynamic update according to RFC 3007[4].
The rules that determine which records can be modified by a specific client follow the same syntax as the update-policy statement in the /etc/named.conf file. For more information on dynamic update policies, see the BIND 9 documentation.
Note that if dynamic DNS updates are disabled for the DNS zone, all DNS updates are declined without reflecting the dynamic update policy statement. For information on enabling dynamic DNS updates, see Section 24.5.1, “Enabling Dynamic DNS Updates”.

Updating DNS Update Policies in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 24.24. DNS Zone Management

  2. Click on the zone name in the list of all zones to open the DNS zone page.
    Editing a DNS Zone

    Figure 24.25. Editing a DNS Zone

  3. Click Settings to switch to the DNS zone settings tab.
    The Settings Tab in the Master Zone Edit Page

    Figure 24.26. The Settings Tab in the Master Zone Edit Page

  4. Set the required update policies in a semi-colon separated list in the BIND update policy text box.
    DNS Update Policy Settings

    Figure 24.27. DNS Update Policy Settings

  5. Click Save at the top of the DNS zone page to confirm the new configuration.

Updating DNS Update Policies from the Command Line

To set the DNS update policy from the command line, use the --update-policy option and add the access control rule in a statement after the option. For example:
$ ipa dnszone-mod zone.example.com --update-policy "grant EXAMPLE.COM  krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM  krb5-self * SSHFP;"

24.6. Managing DNS Forwarding

DNS forwarding affects how DNS queries are answered. By default, the BIND service integrated with IdM is configured to act as both an authoritative and recursive DNS server.
When a DNS client queries a name belonging to a DNS zone for which the IdM server is authoritative, BIND replies with data contained in the configured zone. Authoritative data always takes precedence over any other data.
When a DNS client queries a name for which the IdM server is not authoritative, BIND attempts to resolve the query using other DNS servers. If no forwarders are defined, BIND asks the root servers on the Internet and uses recursive resolution algorithm to answer the DNS query.
In some cases, it is not desirable to let BIND contact other DNS servers directly and perform the recursion based on data available on the Internet. These cases include:
  • Split DNS configuration, also known as DNS views configuration, where DNS servers return different answers to different clients. Split DNS configuration is typical for environments where some DNS names are available inside the company network, but not from the outside.
  • Configurations where a firewall restricts access to DNS on the Internet.
  • Configurations with centralized filtering or logging on the DNS level.
  • Configurations with forwarding to a local DNS cache, which helps optimize network traffic.
In such configurations, BIND does not use full recursion on the public Internet. Instead, it uses another DNS server, a so-called forwarder, to resolve the query. When BIND is configured to use a forwarder, queries and answers are forwarded back and forth between the IdM server and the forwarder, and the IdM server acts as the DNS cache for non-authoritative data.

Forward Policies

IdM supports the first and only standard BIND forward policies, as well as the none IdM-specific forward policy.
Forward first (default)
DNS queries are forwarded to the configured forwarder. If a query fails because of a server error or timeout, BIND falls back to the recursive resolution using servers on the Internet. The forward first policy is the default policy. It is suitable for traffic optimization.
Forward only
DNS queries are forwarded to the configured forwarder. If a query fails because of a server error or timeout, BIND returns an error to the client. The forward only policy is recommended for environments with split DNS configuration.
None: Forwarding disabled
DNS queries are not forwarded. Disabling forwarding is only useful as a zone-specific override for global forwarding configuration. This options is the IdM equivalent of specifying an empty list of forwarders in BIND configuration.

Forwarding Does Not Combine Data from IdM and Other DNS Servers

Forwarding cannot be used to combine data in IdM with data from other DNS servers. The BIND service does not forward queries to another server if the queried DNS name belongs to a zone for which the IdM server is authoritative. As a consequence, forwarding is not used when the client queries a name that does not exist in an IdM-managed zone.

Example 24.9. Example Scenario

The IdM server is authoritative for the test.example. DNS zone. BIND is configured to forward queries to the DNS server with the 192.0.2.254 IP address.
When a client sends a query for the nonexistent.test.example. DNS name, BIND detects that the IdM server is authoritative for the test.example. zone and does not forward the query to the 192.0.2.254. server. As a result, the DNS client receives the NXDomain answer, informing the user that the queried domain does not exist.

24.6.1. Configuring Global Forwarders

Global forwarders are DNS servers used for resolving all DNS queries for which an IdM server is not authoritative, as described in Section 24.6, “Managing DNS Forwarding”.
The administrator can configure IP addresses and forward policies for global forwarding in the following two ways:
Using the ipa dnsconfig-mod command or the IdM web UI
Configuration set using these native IdM tools is immediately applied to all IdM DNS servers. As explained in Section 24.3, “DNS Configuration Priorities”, global DNS configuration has higher priority than local configuration defined in the /etc/named.conf files.
By editing the /etc/named.conf file
Manually editing the /etc/named.conf on every IdM DNS server allows using a different global forwarder and policy on each of the servers. Note that the BIND service must be restarted after changing /etc/named.conf.

Configuring Forwarders in the Web UI

To define the DNS global configuration in the IdM web UI:
  1. Click the Network Services tab, and select the DNS subtab, followed by the DNS Global Configuration section.
  2. To add a new global forwarder, click Add and enter the IP address. To define a new forward policy, select it from the list of available policies.
    Editing Global DNS Configuration in the Web UI

    Figure 24.28. Editing Global DNS Configuration in the Web UI

  3. Click Save to confirm the new configuration.

Configuring Forwarders from the Command Line

To set a global list of forwarders from the command line, use the ipa dnsconfig-mod command. It edits the DNS global configuration by editing the LDAP data. The ipa dnsconfig-mod command and its options affect all IdM DNS servers at once and override any local configuration.
For example, to edit the list of global forwarders using ipa dnsconfig-mod:
[user@server ~]$ ipa dnsconfig-mod --forwarder=192.0.2.254
  Global forwarders: 192.0.2.254

24.6.2. Configuring Forward Zones

Forward zones do not contain any authoritative data and instruct the name server to only forward queries for names belonging into a particular zone to a configured forwarder.

Important

Do not use forward zones unless absolutely required. Limit their use to overriding global forwarding configuration. In most cases, it is sufficient to only configure global forwarding, described in Section 24.6.1, “Configuring Global Forwarders”, and forward zones are not necessary.
Forward zones are a non-standard solution, and using them can lead to unexpected and problematic behavior. When creating a new DNS zone, Red Hat recommends to always use standard DNS delegation using NS records and to avoid forward zones.
For information on the supported forward policies, see Section 24.6, “Forward Policies”.
For further information about the BIND service, see the Red Hat Enterprise Linux Networking Guide, the BIND 9 Administrator Reference Manual included in the /usr/share/doc/bind-version_number/ directory, or external sources [5] .

Configuring Forward Zones in the Web UI

To manage forward zones in the web UI, click the Network Services tab, and select the DNS subtab, followed by the DNS Forward Zones section.
Managing DNS Forward Zones

Figure 24.29. Managing DNS Forward Zones

In the DNS Forward Zones section, the administrator can handle all required operations regarding forward zones: show current list of forward zones, add a new forward zone, delete a forward zone, display a forward zone, allow to modify forwarders and forward policy per a forward zone, and disable or enable a forward zone.

Configuring Forward Zones from the Command Line

To manage forward zones from the command line, use the ipa dnsforwardzone-* commands described below.

Note

The ipa dnsforwardzone-* commands behave consistently with the ipa dnszone-* commands used to manage master zones.
The ipa dnsforwardzone-* commands accept several options; notably, the --forwarder, --forward-policy, and --name-from-ip options. For detailed information about the available options, see Table 24.1, “Zone Attributes” or run the commands with the --help option added, for example:
ipa dnsforwardzone-add --help
Adding Forward Zones
Use the dnsforwardzone-add command to add a new forward zone. It is required to specify at least one forwarder if the forward policy is not set to none.
[user@server ~]$ ipa dnsforwardzone-add zone.test. --forwarder=172.16.0.1 --forwarder=172.16.0.2 --forward-policy=first

Zone name: zone.test.
Zone forwarders: 172.16.0.1, 172.16.0.2
Forward policy: first
Modifying Forward Zones
Use the dnsforwardzone-mod command to modify a forward zone. It is required to specify at least one forwarder if the forward policy is not none. Modifications can be performed in several ways.
[user@server ~]$ ipa dnsforwardzone-mod zone.test. --forwarder=172.16.0.3

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: first
[user@server ~]$ ipa dnsforwardzone-mod zone.test. --forward-policy=only

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: only
Showing Forward Zones
Use the dnsforwardzone-show command to display information about a specified forward zone.
[user@server ~]$ ipa dnsforwardzone-show zone.test.

Zone name: zone.test.
Zone forwarders: 172.16.0.5
Forward policy: first
Finding Forward Zones
Use the dnsforwardzone-find command to locate a specified forward zone.
[user@server ~]$ ipa dnsforwardzone-find zone.test.

Zone name: zone.test.
Zone forwarders: 172.16.0.3
Forward policy: first
----------------------------
Number of entries returned 1
----------------------------
Deleting Forward Zones
Use the dnsforwardzone-del command to delete specified forward zones.
[user@server ~]$ ipa dnsforwardzone-del zone.test. 

----------------------------
Deleted forward DNS zone "zone.test."
----------------------------
Enabling and Disabling Forward Zones
Use dnsforwardzone-enable and dnsforwardzone-disable commands to enable and disable forward zones. Note that forward zones are enabled by default.
[user@server ~]$ ipa dnsforwardzone-enable zone.test. 

----------------------------
Enabled forward DNS zone "zone.test."
----------------------------
[user@server ~]$ ipa dnsforwardzone-disable zone.test. 

----------------------------
Disabled forward DNS zone "zone.test."
----------------------------
Adding and Removing Permissions
Use dnsforwardzone-add-permission and dnsforwardzone-remove-permission commands to add or remove system permissions.
[user@server ~]$ ipa dnsforwardzone-add-permission zone.test.

---------------------------------------------------------
Added system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.
[user@server ~]$ ipa dnsforwardzone-remove-permission zone.test.

---------------------------------------------------------
Removed system permission "Manage DNS zone zone.test."
---------------------------------------------------------
  Manage DNS zone zone.test.

24.7. Managing Reverse DNS Zones

A reverse DNS zone can be identified in the following two ways:
  • By the zone name, in the format reverse_ipv4_address.in-addr.arpa or reverse_ipv6_address.ip6.arpa.
    The reverse IP address is created by reversing the order of the components of the IP address. For example, if the IPv4 network is 192.0.2.0/24, the reverse zone name is 2.0.192.in-addr.arpa. (with the trailing period).
  • By the network address, in the format network_ip_address/subnet_mask_bit_count
    To create the reverse zone by its IP network, set the network information to the (forward-style) IP address, with the subnet mask bit count. The bit count must be a multiple of eight for IPv4 addresses or a multiple of four for IPv6 addresses.

Adding a Reverse DNS Zone in the Web UI

  1. Open the Network Services tab, and select the DNS subtab, followed by the DNS Zones section.
    DNS Zone Management

    Figure 24.30. DNS Zone Management

  2. Click Add at the top of the list of all zones.
    Adding a Reverse DNS Zone

    Figure 24.31. Adding a Reverse DNS Zone

  3. Fill in the zone name or the reverse zone IP network.
    1. For example, to add a reverse DNS zone by the zone name:
      Creating a Reverse Zone by Name

      Figure 24.32. Creating a Reverse Zone by Name

    2. Alternatively, to add a reverse DNS zone by the reverse zone IP network:
      Creating a Reverse Zone by IP Network

      Figure 24.33. Creating a Reverse Zone by IP Network

      The validator for the Reverse zone IP network field warns you about an invalid network address during typing. The warning will disappear once you enter the full network address.
  4. Click Add to confirm the new reverse zone.

Adding a Reverse DNS Zone from the Command Line

To create a reverse DNS zone from the command line, use the ipa dnszone-add command.
For example, to create the reverse zone by the zone name:
[user@server]$ ipa dnszone-add 2.0.192.in-addr.arpa.
Alternatively, to create the reverse zone by the IP network:
[user@server ~]$ ipa dnszone-add --name-from-ip=192.0.2.0/24

Other Management Operations for Reverse DNS Zones

Section 24.4, “Managing Master DNS Zones” describes other zone management operations, some of which are also applicable to reverse DNS zone management, such as editing or disabling and enabling DNS zones.

24.8. Defining DNS Query Policy

To resolve host names within the DNS domain, a DNS client issues a query to the DNS name server. For some security contexts or for performance, it might be advisable to restrict what clients can query DNS records in the zone.
DNS queries can be configured when the zone is created or when it is modified by using the --allow-query option with the ipa dnszone-mod command to set a list of clients which are allowed to issue queries.
For example:
[user@server ~]$ ipa dnszone-mod --allow-query=192.0.2.0/24;2001:DB8::/32;203.0.113.1 example.com
The default --allow-query value is any, which allows the zone to be queried by any client.

24.9. DNS Locations

24.9.1. DNS-based Service Discovery

DNS-based Service discovery is a process in which a client uses the DNS protocol to locate servers in a network that offer a specific service such as LDAP or Kerberos. One typical type of operation is to allow clients to locate authentication servers within the closest network infrastructure, because they provide a higher throughput and lower network latency, lowering overall costs.
The major advantages of service discovery are:
  • No need for clients to be explicitly configured with names of nearby servers.
  • DNS servers are used as central providers of policy. Clients using the same DNS server have access to the same policy about service providers and their preferred order.
In an IdM domain, DNS service records (SRV records) exists for LDAP, Kerberos, and other services. For example, the following command queries the DNS server for hosts providing a TCP-based Kerberos service in an IdM DNS domain:

Example 24.10. DNS Location Independent Results

$ dig -t SRV +short _kerberos._tcp.idm.example.com
0 100 88 idmserver-01.idm.example.com.
0 100 88 idmserver-02.idm.example.com.
The output contains the following information:
  • 0 (priority): Priority of the target host. A lower value is preferred.
  • 100 (weight). Specifies a relative weight for entries with the same priority. For further information, see RFC 2782, section 3.
  • 88 (port number): Port number of the service.
  • Canonical name of the host providing the service.
In the previous example, the two host names returned have the same priority and weight. In this case, the client uses a random entry from the result list.
When the client instead queries a DNS server configured in a DNS location, the output differs. For IdM servers that are assigned to a location, tailored values are returned. In the example below, the client queries a DNS server in the location germany:

Example 24.11. DNS Location-based Results

$ dig -t SRV +short _kerberos._tcp.idm.example.com
_kerberos._tcp.germany._locations.idm.example.com.
0 100 88 idmserver-01.idm.example.com.
50 100 88 idmserver-02.idm.example.com.
The IdM DNS server automatically returns a DNS alias (CNAME) pointing to a DNS location specific SRV record which prefers local servers. This CNAME record is shown in the first line of the output. In the previous example, the host idmserver-01.idm.example.com has the lowest priority value and is therefore preferred.