Red Hat Enterprise Linux 7

Linux Domain Identity, Authentication, and Policy Guide

Using Red Hat Identity Management in Linux Environments

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Abstract

Identity and policy management, for both users and machines, is a core function for most enterprise environments. Identity Management provides a way to create an identity domain in which machines enroll and immediately gain access to the identity information required for single sign-on and authentication services, as well as to the policy settings that govern authorization and access.
In addition to this guide, you can find documentation on other features and services related to Red Hat Enterprise Linux Identity Management in the following guides:
The System-Level Authentication Guide documents different applications and services available to configure authentication on local systems, including the authconfig utility, the System Security Services Daemon (SSSD) service, the Pluggable Authentication Module (PAM) framework, Kerberos, the certmonger utility, and single sign-on (SSO) for applications.
The Windows Integration Guide documents how to integrate Linux domains with Microsoft Windows Active Directory (AD) using Identity Management. Among other topics, the guide covers various aspects of direct and indirect AD integration, using SSSD to access a Common Internet File System (CIFS), and the realmd system.
I. Overview of Red Hat Identity Management
1. Introduction to Red Hat Identity Management
1.1. The Goal of Red Hat Identity Management
1.1.1. Examples of Benefits Brought by IdM
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. The Identity Management Domain
1.2.1. Identity Management Servers
1.2.1.1. Services Hosted by IdM Servers
1.2.2. Identity Management Clients
1.2.2.1. Services Hosted by IdM Clients
II. Installing Identity Management
2. Installing and Uninstalling an Identity Management Server
2.1. Prerequisites for Installing a Server
2.1.1. Hardware Recommendations
2.1.2. System Requirements
2.1.3. Host Name and DNS Configuration
2.1.4. Port Requirements
2.2. Packages Required to Install an IdM Server
2.3. Installing an IdM Server: Introduction
2.3.1. Determining Whether to Use Integrated DNS
2.3.2. Determining What CA Configuration to Use
2.3.3. Installing a Server with Integrated DNS
2.3.4. Installing a Server Without Integrated DNS
2.3.5. Installing a Server with an External CA as the Root CA
2.3.6. Installing Without a CA
2.3.7. Installing a Server Non-Interactively
2.4. Uninstalling an IdM Server
2.5. Renaming a Server
3. Installing and Uninstalling Identity Management Clients
3.1. Prerequisites for Installing a Client
3.2. Packages Required to Install a Client
3.3. Installing a Client
3.3.1. Installing a Client Interactively
3.3.2. Installing a Client Non-interactively
3.4. Setting up an IdM Client Through Kickstart
3.4.1. Pre-creating a Client Host Entry on the IdM Server
3.4.2. Creating a Kickstart File for the Client
3.5. Post-installation Considerations for Clients
3.5.1. Removing Pre-Identity Management Configuration
3.6. Testing the New Client
3.7. Uninstalling a Client
3.8. Re-enrolling a Client into the IdM Domain
3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
3.9. Renaming Client Machines
4. Installing and Uninstalling Identity Management Replicas
4.1. Explaining IdM Replicas
4.2. Deployment Considerations for Replicas
4.2.1. Distribution of Server Services in the Topology
4.2.2. Replica Topology Recommendations
4.2.2.1. Tight Cell Topology
4.3. Prerequisites for Installing a Replica
4.4. Packages Required to Install a Replica
4.5. Creating the Replica: Introduction
4.5.1. Promoting a Client to a Replica Using a Host Keytab
4.5.2. Installing a Replica Using a Random Password
4.5.3. Installing a Replica with DNS
4.5.4. Installing a Replica with a CA
4.5.5. Installing a Replica from a Server without a CA
4.6. Testing the New Replica
4.7. Uninstalling a Replica
III. Administration: Managing Servers
5. The Basics of Managing the IdM Server and Services
5.1. Starting and Stopping the IdM Server
5.2. Logging into IdM Using Kerberos
5.3. The IdM Command-Line Utilities
5.3.1. Getting Help for ipa Commands
5.3.2. Setting a List of Values
5.3.3. Using Special Characters
5.3.4. Searching IdM Entries
5.3.4.1. Adjusting the Search Size and Time Limit
5.4. The IdM Web UI
5.4.1. Supported Web Browsers
5.4.2. Accessing the Web UI and Authenticating
5.4.2.1. Accessing the Web UI
5.4.2.2. Available Login Methods
5.4.2.3. Authenticating to the IdM Web UI as an AD User
5.4.3. Configuring the Browser for Kerberos Authentication
5.4.4. Configuring an External System for Kerberos Authentication to the Web UI
5.4.5. Proxy Servers and Port Forwarding in the Web UI
6. Managing Replication Topology
6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments
6.2. Web UI: Using the Topology Graph to Manage Replication Topology
6.2.1. Setting up Replication Between Two Servers
6.2.2. Stopping Replication Between Two Servers
6.3. Command Line: Managing Topology Using the ipa topology* Commands
6.3.1. Getting Help for Topology Management Commands
6.3.2. Setting up Replication Between Two Servers
6.3.3. Stopping Replication Between Two Servers
6.4. Removing a Server from the Topology
6.4.1. Web UI: Removing a Server from the Topology
6.4.2. Command Line: Removing a Server from the Topology
6.5. Managing Server Roles
6.5.1. Viewing Server Roles
6.5.2. Promoting a Replica to a Master CA Server
6.5.2.1. Changing the Current CA Renewal Master
6.5.2.2. Changing Which Server Generates CRLs
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
7. Displaying and Raising the Domain Level
7.1. Displaying the Current Domain Level
7.2. Raising the Domain Level
8. Updating and Migrating Identity Management
8.1. Updating Identity Management
8.1.1. Considerations for Updating Identity Management
8.1.2. Using yum to Update the Identity Management Packages
8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
8.2.5. Stopping the Red Hat Enterprise Linux 6 Server
8.2.6. Next Steps After Migrating the Master CA Server
9. Backing Up and Restoring Identity Management
9.1. Full-Server Backup and Data-Only Backup
9.1.1. Creating a Backup
9.1.2. Encrypting a Backup
9.1.3. List of Directories and Files Copied During Backup
9.2. Restoring a Backup
9.2.1. Restoring from the Full-Server or Data-Only Backup
9.2.2. Restoring with Multiple Master Servers
9.2.3. Restoring from an Encrypted Backup
10. Defining Access Control for IdM Users
10.1. Access Controls for IdM Entries
10.1.1. Access Control Methods in Identity Management
10.2. Defining Self-Service Settings
10.2.1. Creating Self-Service Rules from the Web UI
10.2.2. Creating Self-Service Rules from the Command Line
10.2.3. Editing Self-Service Rules
10.3. Delegating Permissions over Users
10.3.1. Delegating Access to User Groups in the Web UI
10.3.2. Delegating Access to User Groups in the Command Line
10.4. Defining Role-Based Access Controls
10.4.1. Roles
10.4.1.1. Creating Roles in the Web UI
10.4.1.2. Creating Roles in the Command Line
10.4.2. Permissions
10.4.2.1. Creating New Permissions from the Web UI
10.4.2.2. Creating New Permissions from the Command Line
10.4.2.3. Default Managed Permissions
10.4.2.4. Permissions in Earlier Versions of Identity Management
10.4.3. Privileges
10.4.3.1. Creating New Privileges from the Web UI
10.4.3.2. Creating New Privileges from the Command Line
IV. Administration: Managing Identities
11. Managing User Accounts
11.1. Setting up User Home Directories
11.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
11.1.2. Mounting Home Directories Manually
11.2. User Life Cycle
11.2.1. Adding Stage or Active Users
11.2.1.1. User Name Requirements
11.2.1.2. Defining a Custom UID or GID Number
11.2.2. Listing Users and Searching for Users
11.2.3. Activating, Preserving, Deleting, and Restoring Users
11.3. Editing Users
11.4. Enabling and Disabling User Accounts
11.5. Allowing Non-admin Users to Manage User Entries
11.6. Using an External Provisioning System for Users and Groups
11.6.1. Configuring User Accounts to Be Used by the External Provisioning System
11.6.2. Configuring IdM to Automatically Activate Stage User Accounts
11.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities
12. Managing Hosts
12.1. About Hosts, Services, and Machine Identity and Authentication
12.2. About Host Entry Configuration Properties
12.3. Adding Host Entries
12.3.1. Adding Host Entries from the Web UI
12.3.2. Adding Host Entries from the Command Line
12.4. Disabling and Re-enabling Host Entries
12.4.1. Disabling Host Entries
12.4.2. Re-enabling Hosts
12.5. Managing Public SSH Keys for Hosts
12.5.1. About the SSH Key Format
12.5.2. About ipa-client-install and OpenSSH
12.5.3. Uploading Host SSH Keys Through the Web UI
12.5.4. Adding Host Keys from the Command Line
12.5.5. Removing Host Keys
12.6. Setting ethers Information for a Host
13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
13.1.3. Direct and Indirect Group Members
13.1.4. User Group Types in IdM
13.1.5. User and Host Groups Created by Default
13.2. Adding and Removing User or Host Groups
13.3. Adding and Removing User or Host Group Members
13.4. Disabling User Private Groups
13.4.1. Creating a User without a User Private Group
13.4.2. Disabling User Private Groups Globally for All Users
13.4.3. Adding a User with User Private Groups Disabled
13.5. Setting Search Attributes for Users and User Groups
13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
13.6.1.2. Benefits of Automatic Group Membership
13.6.1.3. Automember Rules
13.6.2. Adding an Automember Rule
13.6.3. Applying Automember Rules to Existing Users and Hosts
13.6.4. Configuring a Default Automember Group
14. Unique UID and GID Number Assignments
14.1. ID Ranges
14.2. ID Range Assignments During Installation
14.3. Displaying Currently Assigned ID Ranges
14.4. Automatic ID Range Extension After Deleting a Replica
14.5. Manual ID Range Extension and Assigning a New ID Range
14.6. Ensuring That ID Values Are Unique
14.7. Repairing Changed UID and GID Numbers
15. User and Group Schema
15.1. About Changing the Default User and Group Schema
15.2. Applying Custom Object Classes to New User Entries
15.2.1. From the Web UI
15.2.2. From the Command Line
15.3. Applying Custom Object Classes to New Group Entries
15.3.1. From the Web UI
15.3.2. From the Command Line
15.4. Specifying Default User and Group Attributes
15.4.1. Viewing Attributes from the Web UI
15.4.2. Viewing Attributes from the Command Line
16. Managing Services
16.1. Adding and Editing Service Entries and Keytabs
16.1.1. Adding Services and Keytabs from the Web UI
16.1.2. Adding Services and Keytabs from the Command Line
16.2. Configuring Clustered Services
16.3. Using the Same Service Principal for Multiple Services
16.4. Retrieving Existing Keytabs for Multiple Servers
16.5. Disabling and Re-enabling Service Entries
16.5.1. Disabling Service Entries
16.5.2. Re-enabling Services
17. Delegating User Access to Hosts and Services
17.1. Delegating Service Management
17.2. Delegating Host Management
17.3. Delegating Host or Service Management in the Web UI
17.4. Accessing Delegated Services
18. ID Views
18.1. Attributes an ID View Can Override
18.2. Getting Help for ID View Commands
18.3. Defining a Different Attribute Value for a User Account on Different Hosts
18.3.1. Web UI: Overriding an Attribute Value for a Specific Host
18.3.2. Command Line: Overriding an Attribute Value for a Specific Host
19. Defining Access Control for IdM Users
20. Managing Kerberos Flags and Principal Aliases
20.1. Kerberos Flags for Services and Hosts
20.1.1. Setting Kerberos Flags from the Web UI
20.1.2. Setting Kerberos Flags from the Command Line
20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services
20.2.1. Kerberos Principal Alias
20.2.2. Kerberos Enterprise Principal Alias
21. Integrating with NIS Domains and Netgroups
21.1. About NIS and Identity Management
21.1.1. NIS Netgroups in Identity Management
21.1.1.1. Displaying NIS Netgroup Entries
21.2. Enabling NIS in Identity Management
21.3. Creating Netgroups
21.3.1. Adding a Netgroup
21.3.2. Adding Members to a Netgroup
21.4. Exposing Automount Maps to NIS Clients
21.4.1. Adding an Automount Map
21.5. Migrating from NIS to IdM
21.5.1. Preparing Netgroup Entries in IdM
21.5.2. Enabling the NIS Listener in Identity Management
21.5.3. Exporting and Importing the Existing NIS Data
21.5.3.1. Migrating User Entries
21.5.3.2. Migrating Group Entries
21.5.3.3. Migrating Host Entries
21.5.3.4. Migrating Netgroup Entries
21.5.3.5. Migrating Automount Maps
21.5.4. Enabling Weak Password Hashing for NIS User Authentication
V. Administration: Managing Authentication
22. User Authentication
22.1. User Passwords
22.1.1. Changing and Resetting User Passwords
22.1.1.1. Web UI: Changing Your Own Personal Password
22.1.1.2. Web UI: Resetting Another User's Password
22.1.1.3. Command Line: Changing or Resetting Another User's Password
22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
22.1.3. Unlocking User Accounts After Password Failures
22.1.3.1. Checking the Status of a User Account
22.2. One-Time Passwords
22.2.1. How OTP Authentication Works in IdM
22.2.1.1. OTP Tokens Supported in IdM
22.2.1.2. Available OTP Authentication Methods
22.2.1.3. GNOME Keyring Service Support
22.2.1.4. Offline Authentication with OTP
22.2.2. Enabling OTP Authentication
22.2.3. Adding a User-Managed Software Token
22.2.4. Adding a User-Managed YubiKey Hardware Token
22.2.5. Adding a Token for a User as the Administrator
22.2.6. Migrating from a Proprietary OTP Solution
22.2.7. Promoting the Current Credentials to Two-Factor Authentication
22.2.8. Resynchronizing an OTP Token
22.3. Restricting Access to Services and Hosts Based on How Users Authenticate
22.3.1. Configuring a Host or a Service to Require a Specific Authentication Method
22.4. Managing Public SSH Keys for Users
22.4.1. Generating an SSH Key
22.4.2. Uploading User SSH Keys
22.4.2.1. Web UI: Uploading User SSH Keys
22.4.2.2. Command Line: Uploading User SSH Keys
22.4.3. Deleting User Keys
22.4.3.1. Web UI: Deleting User SSH Keys
22.4.3.2. Command Line: Deleting User SSH Keys
22.5. Configuring SSSD to Provide a Cache for the OpenSSH Services
22.5.1. How SSSD Works with OpenSSH
22.5.2. Configuring OpenSSH to Use SSSD for Host Keys
22.5.3. Configuring OpenSSH to Use SSSD for User Keys
22.6. Smart Card Authentication in Identity Management
22.7. User Certificates
23. Smart-card Authentication in Identity Management
23.1. Managing Smart Card Links in the Identity Management Server
23.1.1. Exporting a Certificate From a Smart Card
23.1.2. Linking User Accounts to Smart Card Certificates
23.1.2.1. Creating a Link Between a Certificate and a User Account
23.1.2.2. Removing a Link Between a Certificate and a User Account
23.1.2.3. Linking an Active Directory User Account and a Smart Card
23.1.2.4. Configuring Identity Mapping
23.1.2.5. Additional Resources
23.1.3. Finding Users That Match a Specified Certificate
23.1.4. Additional Resources
23.2. Authenticating to an Identity Management Client with a Smart Card
23.2.1. Smart Card-based Authentication Options Supported on Identity Management Clients
23.2.2. Preparing the Identity Management Client for Smart-card Authentication
23.2.3. Authenticating on an Identity Management Client with a Smart Card Using the Console Login
23.2.4. Authenticating on an Identity Management Client with a Smart Card Using SSH
23.2.5. Additional Resources
23.3. Authenticating to an Identity Management System Remotely with a Smart Card
23.3.1. Preparing the Local System for Smart-card Authentication
23.3.2. Preparing the Remote Identity Management System for Smart-card Authentication
23.3.3. Linking the Smart Card Certificate and the User Entry in Active Directory
23.3.4. Authenticating to the Remote System from the Local System
23.3.5. Additional Resources
23.4. Configuring a User Name Hint Policy for Smart-card Authentication
23.4.1. User Name Hints in Identity Management
23.4.2. Enabling User Name Hints in Identity Management
23.5. PKINIT Smart-card Authentication in Identity Management
23.5.1. Preparing the Identity Management Client for PKINIT Authentication
23.5.2. As an Identity Management User: Authenticate Using PKINIT on an Identity Management Client
23.5.3. As an Active Directory User: Authenticate Using PKINIT on an Identity Management Client
23.6. Authenticating to the Identity Management Web UI with a Smart Card
23.6.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI
23.6.2. Preparing the Browser for Smart-card Authentication
23.6.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User
23.6.4. Additional Resources
23.7. Integrating Identity Management Smart-card Authentication with Web Applications
23.7.1. Prerequisites for Web Application Authentication with Smart Cards
23.7.2. Configuring Identity Management Smart-card Authentication for a Web Application
24. Managing Certificates for Users, Hosts, and Services
24.1. Managing Certificates with the Integrated IdM CAs
24.1.1. Requesting New Certificates for a User, Host, or Service
24.1.2. Revoking Certificates with the Integrated IdM CAs
24.1.3. Restoring Certificates with the Integrated IdM CAs
24.2. Managing Certificates Issued by External CAs
24.2.1. Command Line: Adding and Removing Certificates Issued by External CAs
24.2.2. Web UI: Adding and Removing Certificates Issued by External CAs
24.3. Listing and Displaying Certificates
24.4. Certificate Profiles
24.4.1. Certificate Profile Management from the Command Line
24.4.2. Certificate Profile Management from the Web UI
24.4.3. Upgrading IdM Servers with Certificate Profiles
24.5. Certificate Authority ACL Rules
24.5.1. CA ACL Management from the Command Line
24.5.2. CA ACL Management from the Web UI
24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
25. Storing Authentication Secrets with Vaults
25.1. How Vaults Work
25.1.1. Vault Owners, Members, and Administrators
25.1.2. Standard, Symmetric, and Asymmetric Vaults
25.1.3. User, Service, and Shared Vaults
25.1.4. Vault Containers
25.2. Prerequisites for Using Vaults
25.3. Getting Help for Vault Commands
25.4. Storing a User's Personal Secret
25.4.1. Archiving a User's Personal Secret
25.4.2. Retrieving a User's Personal Secret
25.5. Storing a Service Secret in a Vault
25.5.1. Creating a User Vault to Store a Service Password
25.5.2. Provisioning a Service Password from a User Vault to Service Instances
25.5.3. Retrieving a Service Password for a Service Instance
25.5.4. Changing a Service Vault Password
25.6. Storing a Common Secret for Multiple Users
25.6.1. Creating the Shared Vault with the Common Secret
25.6.2. Retrieving a Secret from a Shared Vault as a Member User
26. Managing Certificates and Certificate Authorities
26.1. Lightweight Sub-CAs
26.1.1. Creating a Lightweight Sub-CA
26.1.2. Removing a Lightweight Sub-CA
26.2. Renewing Certificates
26.2.1. Renewing Certificates Automatically
26.2.2. Renewing CA Certificates Manually
26.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
26.3. Installing a CA Certificate Manually
26.4. Changing the Certificate Chain
26.5. Allowing IdM to Start with Expired Certificates
26.6. Installing Third-Party Certificates for HTTP or LDAP
26.7. Configuring OCSP Responders
26.7.1. Changing the CRL Update Interval
26.8. Installing a CA Into an Existing IdM Domain
26.9. Replacing the Web Server's and LDAP Server's Certificate
VI. Administration: Managing Policies
27. Defining Password Policies
27.1. What Are Password Policies and Why Are They Useful
27.2. How Password Policies Work in IdM
27.2.1. Supported Password Policy Attributes
27.2.2. Global and Group-specific Password Policies
27.2.3. Password Policy Priorities
27.3. Adding a New Password Policy
27.4. Modifying Password Policy Attributes
27.5. Changing Password Expiration Date with Immediate Effect
28. Managing the Kerberos Domain
28.1. Managing Kerberos Ticket Policies
28.1.1. Global and User-specific Kerberos Ticket Policies
28.1.2. Configuring the Global Kerberos Ticket Policy
28.1.3. Configuring User-specific Kerberos Ticket Policies
28.2. Rekeying Kerberos Principals
28.3. Protecting Keytabs
28.4. Removing Keytabs
28.5. Additional Resources
29. Using sudo
29.1. The sudo Utility in Identity Management
29.1.1. The Identity Management LDAP Schema for sudo
29.1.2. NIS Domain Name Requirements
29.2. sudo Rules in Identity Management
29.2.1. External Users and Hosts in sudo Rules
29.2.2. User Group Support for sudo Rules
29.2.3. Support for sudoers Options
29.3. Configuring the Location for Looking up sudo Policies
29.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
29.3.1.1. Applying the sudo Policies to Hosts Using SSSD
29.3.1.2. Applying the sudo Policies to Hosts Using LDAP
29.4. Adding sudo Commands, Command Groups, and Rules
29.4.1. Adding sudo Commands
29.4.2. Adding sudo Command Groups
29.4.3. Adding sudo Rules
29.5. Modifying sudo Commands and Command Groups
29.6. Modifying sudo Rules
29.7. Listing and Displaying sudo Commands, Command Groups, and Rules
29.8. Disabling and Enabling sudo Rules
29.9. Removing sudo Commands, Command Groups, and Rules
30. Configuring Host-Based Access Control
30.1. How Host-Based Access Control Works in IdM
30.2. Configuring Host-based Access Control in an IdM Domain
30.2.1. Creating HBAC Rules
30.2.2. Testing HBAC Rules
30.2.3. Disabling HBAC Rules
30.3. Adding HBAC Service Entries for Custom HBAC Services
30.4. Adding HBAC Service Groups
31. Defining SELinux User Maps
31.1. About Identity Management, SELinux, and Mapping Users
31.2. Configuring SELinux User Map Order and Defaults
31.2.1. In the Web UI
31.2.2. In the CLI
31.3. Mapping SELinux Users and IdM Users
31.3.1. In the Web UI
31.3.2. In the CLI
VII. Administration: Managing Network Services
32. Managing DNS
32.1. BIND in Identity Management
32.2. Supported DNS Zone Types
32.3. DNS Configuration Priorities
32.4. Managing Master DNS Zones
32.4.1. Adding and Removing Master DNS Zones
32.4.2. Adding Additional Configuration for Master DNS Zones
32.4.3. Enabling Zone Transfers
32.4.4. Adding Records to DNS Zones
32.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line
32.4.6. Deleting Records from DNS Zones
32.4.7. Disabling and Enabling Zones
32.5. Managing Dynamic DNS Updates
32.5.1. Enabling Dynamic DNS Updates
32.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
32.5.1.2. Configuring the Clients to Send Dynamic Updates
32.5.2. Synchronizing A/AAAA and PTR Records
32.5.3. Updating DNS Dynamic Update Policies
32.6. Managing DNS Forwarding
32.6.1. Configuring Global Forwarders
32.6.2. Configuring Forward Zones
32.7. Managing Reverse DNS Zones
32.8. Defining DNS Query Policy
32.9. DNS Locations
32.9.1. DNS-based Service Discovery
32.9.2. Deployment Considerations for DNS Locations
32.9.2.1. DNS Time to Live (TTL)
32.9.3. Creating DNS Locations
32.9.4. Assigning an IdM Server to a DNS Location
32.10. Updating DNS Records Systematically When Using External DNS
32.10.1. Updating External DNS in Identity Management
32.10.2. GUI: Updating External DNS Records
32.10.3. Command Line: Updating External DNS Records Using nsupdate
32.11. Installing DNS Services Into an Existing Server
32.11.1. Setting up Additional Name Servers
33. Using Automount
33.1. About Automount and IdM
33.2. Configuring Automount
33.2.1. Configuring NFS Automatically
33.2.2. Configuring autofs Manually to Use SSSD and Identity Management
33.2.3. Configuring Automount on Solaris
33.3. Setting up a Kerberos-aware NFS Server
33.3.1. Setting up a Kerberos-aware NFS Server
33.3.2. Setting up a Kerberos-aware NFS Client
33.4. Configuring Locations
33.4.1. Configuring Locations through the Web UI
33.4.2. Configuring Locations through the Command Line
33.5. Configuring Maps
33.5.1. Configuring Direct Maps
33.5.1.1. Configuring Direct Maps from the Web UI
33.5.1.2. Configuring Direct Maps from the Command Line
33.5.2. Configuring Indirect Maps
33.5.2.1. Configuring Indirect Maps from the Web UI
33.5.2.2. Configuring Indirect Maps from the Command Line
33.5.3. Importing Automount Maps
VIII. Security Hardening
34. Configuring TLS for Identity Management
34.1. Configuring the httpd Daemon
34.2. Configuring the Directory Server Component
34.3. Configuring the Certificate Server Component
34.4. Result
35. Disabling Anonymous Binds
IX. Performance Tuning
36. Performance Tuning for Bulk Provisioning of Entries
X. Migration
37. Migrating from an LDAP Directory to IdM
37.1. An Overview of an LDAP to IdM Migration
37.1.1. Planning the Client Configuration
37.1.1.1. Initial Client Configuration (Pre-Migration)
37.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
37.1.1.3. Alternative Supported Configuration
37.1.2. Planning Password Migration
37.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
37.1.2.2. Method 2: Using the Migration Web Page
37.1.2.3. Method 3: Using SSSD (Recommended)
37.1.2.4. Migrating Cleartext LDAP Passwords
37.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
37.1.3. Migration Considerations and Requirements
37.1.3.1. LDAP Servers Supported for Migration
37.1.3.2. Migration Environment Requirements
37.1.3.3. Migration — IdM System Requirements
37.1.3.4. Migration Tools
37.1.3.5. Improving Migration Performance
37.1.3.6. Migration Sequence
37.2. Examples for Using ipa migrate-ds
37.2.1. Migrating Specific Subtrees
37.2.2. Specifically Including or Excluding Entries
37.2.3. Excluding Entry Attributes
37.2.4. Setting the Schema to Use
37.3. Migrating an LDAP Server to Identity Management
37.4. Migrating over SSL
A. Troubleshooting: General Guidelines
A.1. Investigating Failures when Executing the ipa Utility
A.2. Investigating kinit Authentication Failures
A.3. Investigating IdM Web UI Authentication Failures
A.4. Investigating Smart Card Authentication Failures
A.5. Investigating Why a Service Fails to Start
A.6. Troubleshooting DNS
A.7. Troubleshooting Replication
B. Troubleshooting: Solutions to Specific Problems
B.1. Identity Management Servers
B.1.1. External CA Installation Fails
B.1.2. named Daemon Fails to Start
B.1.3. Installing a Server Fails on a System with IPv6 Disabled
B.2. Identity Management Replicas
B.2.1. Authenticating AD Users Against a New Replica Fails
B.2.2. Replica Starts with SASL, GSS-API, and Kerberos Errors in the Directory Server Logs
B.2.3. The DNS Forward Record Does Not Match the Reverse Address
B.2.4. Serial Numbers Not Found Errors
B.2.5. Cleaning Replica Update Vector (RUV) Errors
B.2.6. Recovering a Lost CA Server
B.3. Identity Management Clients
B.3.1. The Client Is Unable to Resolve Reverse Lookups when Using an External DNS
B.3.2. The Client Is Not Added to the DNS Zone
B.3.3. Client Connection Problems
B.4. Logging In and Authentication Problems
B.4.1. Kerberos GSS Failures When Running ipa Commands
B.4.2. SSH Connection Fails when Using GSS-API
B.4.3. OTP Token Out of Sync
B.4.4. Smart Card Authentication Fails with Timeout Error Messages
C. A Reference of Identity Management Files and Logs
C.1. Identity Management Configuration Files and Directories
C.2. Identity Management Log Files and Directories
C.3. IdM Domain Services and Log Rotation
D. Managing Replicas at Domain Level 0
D.1. Replica Information File
D.2. Creating Replicas
D.2.1. Installing a Replica without DNS
D.2.2. Installing a Replica with DNS
D.2.3. Installing a Replica with Various CA Configurations
D.2.4. Adding Additional Replication Agreements
D.3. Managing Replicas and Replication Agreements
D.3.1. Explaining Replication Agreements
D.3.2. Listing Replication Agreements
D.3.3. Creating and Removing Replication Agreements
D.3.4. Initiating a Manual Replication Update
D.3.5. Re-initializing a Replica
D.3.6. Removing a Replica
D.4. Promoting a Replica to a Master CA Server
D.4.1. Changing Which Server Handles Certificate Renewal
E. Revision History