Red Hat Enterprise Linux 7

Linux Domain Identity, Authentication, and Policy Guide

Using Red Hat Identity Management in Linux Environments

Aneta Šteflová Petrová

Red Hat Customer Content Services

Marc Muehlfeld

Red Hat Customer Content Services

Tomáš Čapek

Red Hat Customer Content Services

Ella Deon Ballard

Red Hat Customer Content Services

Abstract

Identity and policy management, for both users and machines, is a core function for most enterprise environments. Identity Management provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access.
In addition to this guide, you can find documentation on other features and services related to Red Hat Enterprise Linux Identity Management in the following guides:
The System-Level Authentication Guide documents different applications and services available to configure authentication on local systems, including the authconfig utility, the System Security Services Daemon (SSSD) service, the Pluggable Authentication Module (PAM) framework, Kerberos, the certmonger utility, and single sign-on (SSO) for applications.
The Windows Integration Guide documents how to integrate Linux domains with Microsoft Windows Active Directory (AD) using Identity Management. Among other topics, the guide covers various aspects of direct and indirect AD integration, using SSSD to access a Common Internet File System (CIFS), and the realmd system.
1. Introduction to Red Hat Identity Management
1.1. The Goal of Red Hat Identity Management
1.1.1. Examples of Benefits Brought by IdM
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. The Identity Management Domain
1.2.1. Identity Management Servers
1.2.1.1. Services Hosted by IdM Servers
1.2.2. Identity Management Clients
1.2.2.1. Services Hosted by IdM Clients
I. Installing Identity Management
2. Installing and Uninstalling an Identity Management Server
2.1. Prerequisites for Installing a Server
2.1.1. Hardware Recommendations
2.1.2. System Requirements
2.1.3. Host Name and DNS Configuration
2.1.4. Port Requirements
2.2. Packages Required to Install an IdM Server
2.3. Installing an IdM Server: Introduction
2.3.1. Determining Whether to Use Integrated DNS
2.3.2. Determining What CA Configuration to Use
2.3.3. Installing a Server with Integrated DNS
2.3.4. Installing a Server Without Integrated DNS
2.3.5. Installing a Server with an External CA as the Root CA
2.3.6. Installing Without a CA
2.3.7. Installing a Server Non-Interactively
2.4. Uninstalling an IdM Server
2.5. Renaming a Server
3. Installing and Uninstalling Identity Management Clients
3.1. Prerequisites for Installing a Client
3.2. Packages Required to Install a Client
3.3. Installing a Client
3.3.1. Installing a Client Interactively
3.3.2. Installing a Client Non-interactively
3.4. Setting up an IdM Client Through Kickstart
3.4.1. Pre-creating a Client Host Entry on the IdM Server
3.4.2. Creating a Kickstart File for the Client
3.5. Post-installation Considerations for Clients
3.5.1. Removing Pre-Identity Management Configuration
3.6. Testing the New Client
3.7. Uninstalling a Client
3.8. Re-enrolling a Client into the IdM Domain
3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
3.9. Renaming Client Machines
4. Installing and Uninstalling Identity Management Replicas
4.1. Explaining IdM Replicas
4.2. Deployment Considerations for Replicas
4.2.1. Distribution of Server Services in the Topology
4.2.2. Replica Topology Recommendations
4.2.2.1. Tight Cell Topology
4.3. Prerequisites for Installing a Replica
4.4. Packages Required to Install a Replica
4.5. Creating the Replica: Introduction
4.5.1. Promoting a Client to a Replica Using a Host Keytab
4.5.2. Installing a Replica Using a Random Password
4.5.3. Installing a Replica with DNS
4.5.4. Installing a Replica with a CA
4.5.5. Installing a Replica from a Server without a CA
4.6. Testing the New Replica
4.7. Uninstalling a Replica
II. The Basics of Managing an Identity Management Domain
5. The Basics of Managing the IdM Server and Services
5.1. Starting and Stopping the IdM Server
5.2. Logging into IdM Using Kerberos
5.3. The IdM Command-Line Utilities
5.3.1. Getting Help for ipa Commands
5.3.2. Setting a List of Values
5.3.3. Using Special Characters
5.3.4. Searching IdM Entries
5.3.4.1. Adjusting the Search Size and Time Limit
5.4. The IdM Web UI
5.4.1. Accessing the Web UI and Authenticating
5.4.2. Configuring the Browser for Kerberos Authentication
5.4.3. Configuring an External System for Kerberos Authentication to the Web UI
5.4.4. Proxy Servers and Port Forwarding in the Web UI
6. Managing Replication Topology
6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments
6.2. Web UI: Using the Topology Graph to Manage Replication Topology
6.2.1. Setting up Replication Between Two Servers
6.2.2. Stopping Replication Between Two Servers
6.3. Command Line: Managing Topology Using the ipa topology* Commands
6.3.1. Getting Help for Topology Management Commands
6.3.2. Setting up Replication Between Two Servers
6.3.3. Stopping Replication Between Two Servers
6.4. Removing a Server from the Topology
6.4.1. Web UI: Removing a Server from the Topology
6.4.2. Command Line: Removing a Server from the Topology
6.5. Managing Server Roles
6.5.1. Viewing Server Roles
6.5.2. Promoting a Replica to a Master CA Server
6.5.2.1. Changing the Current CA Renewal Master
6.5.2.2. Changing Which Server Generates CRLs
6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
7. Displaying and Raising the Domain Level
7.1. Displaying the Current Domain Level
7.2. Raising the Domain Level
8. Updating and Migrating Identity Management
8.1. Updating Identity Management
8.1.1. Considerations for Updating Identity Management
8.1.2. Using yum to Update the Identity Management Packages
8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
8.2.5. Stop the Red Hat Enterprise Linux 6 Server
8.2.6. Next Steps After Migrating the Master CA Server
9. Backing Up and Restoring Identity Management
9.1. Full-Server Backup and Data-Only Backup
9.1.1. Creating a Backup
9.1.2. Encrypting Backup
9.1.3. List of Directories and Files Copied During Backup
9.2. Restoring a Backup
9.2.1. Restoring from the Full-Server or Data-Only Backup
9.2.2. Restoring with Multiple Master Servers
9.2.3. Restoring from an Encrypted Backup
III. Managing User and System Identities in a Linux Domain
10. Managing User Accounts
10.1. Setting up User Home Directories
10.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
10.1.2. Mounting Home Directories Manually
10.2. User Life Cycle
10.2.1. Adding Stage or Active Users
10.2.1.1. User Name Requirements
10.2.1.2. Defining a Custom UID or GID Number
10.2.2. Listing Users and Searching for Users
10.2.3. Activating, Preserving, Deleting, and Restoring Users
10.3. Editing Users
10.4. Enabling and Disabling User Accounts
10.5. Allowing Non-admin Users to Manage User Entries
10.6. Using an External Provisioning System for Users and Groups
10.6.1. Configuring User Accounts to Be Used by the External Provisioning System
10.6.2. Configuring IdM to Automatically Activate Stage User Accounts
10.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities
11. User Authentication
11.1. User Passwords
11.1.1. Changing and Resetting User Passwords
11.1.1.1. Web UI: Changing Your Own Personal Password
11.1.1.2. Web UI: Resetting Another User's Password
11.1.1.3. Command Line: Changing or Resetting Another User's Password
11.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
11.1.3. Unlocking User Accounts After Password Failures
11.1.3.1. Checking the Status of a User Account
11.2. One-Time Passwords
11.2.1. How OTP Authentication Works in IdM
11.2.1.1. OTP Tokens Supported in IdM
11.2.1.2. Available OTP Authentication Methods
11.2.1.3. GNOME Keyring Service Support
11.2.1.4. Offline Authentication with OTP
11.2.2. Enabling OTP Authentication
11.2.3. Adding a User-Managed Software Token
11.2.4. Adding a User-Managed YubiKey Hardware Token
11.2.5. Adding a Token for a User as the Administrator
11.2.6. Migrating from a Proprietary OTP Solution
11.2.7. Promoting the Current Credentials to Two-Factor Authentication
11.2.8. Resynchronizing an OTP Token
11.3. Restricting Access to Services and Hosts Based on How Users Authenticate
11.3.1. Configuring a Host or a Service to Require a Specific Authentication Method
11.4. Managing Public SSH Keys for Users
11.4.1. Generating an SSH Key
11.4.2. Uploading User SSH Keys
11.4.2.1. Web UI: Uploading User SSH Keys
11.4.2.2. Command Line: Uploading User SSH Keys
11.4.3. Deleting User Keys
11.4.3.1. Web UI: Deleting User SSH Keys
11.4.3.2. Command Line: Deleting User SSH Keys
11.5. Smart Cards
11.5.1. Smart Card and Smart Card Reader Support in Identity Management
11.5.2. Exporting a Certificate From a Smart Card
11.5.3. Storing Smart Card Certificates for IdM Users
11.5.4. Smart Card Certificates in a Trusted Active Directory Environment
11.5.5. Smart Card Authentication on Identity Management Clients
11.5.5.1. Configuring Smart Card Authentication on an IdM Client
11.5.5.2. SSH Log in Using a Smart Card
11.6. User Certificates
12. Managing Hosts
12.1. About Hosts, Services, and Machine Identity and Authentication
12.2. About Host Entry Configuration Properties
12.3. Adding Host Entries
12.3.1. Adding Host Entries from the Web UI
12.3.2. Adding Host Entries from the Command Line
12.4. Disabling and Re-enabling Host Entries
12.4.1. Disabling Host Entries
12.4.2. Re-enabling Hosts
12.5. Managing Public SSH Keys for Hosts
12.5.1. About the SSH Key Format
12.5.2. About ipa-client-install and OpenSSH
12.5.3. Uploading Host SSH Keys Through the Web UI
12.5.4. Adding Host Keys from the Command Line
12.5.5. Removing Host Keys
12.6. Setting ethers Information for a Host
13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
13.1.3. Direct and Indirect Group Members
13.1.4. User Group Types in IdM
13.1.5. User and Host Groups Created by Default
13.2. Adding and Removing User or Host Groups
13.3. Adding and Removing User or Host Group Members
13.4. Disabling User Private Groups
13.4.1. Creating a User without a User Private Group
13.4.2. Disabling User Private Groups Globally for All Users
13.4.3. Adding a User with User Private Groups Disabled
13.5. Setting Search Attributes for Users and User Groups
13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
13.6.1.2. Benefits of Automatic Group Membership
13.6.1.3. Automember Rules
13.6.2. Adding an Automember Rule
13.6.3. Applying Automember Rules to Existing Users and Hosts
13.6.4. Configuring a Default Automember Group
14. Unique UID and GID Number Assignments
14.1. ID Ranges
14.2. ID Range Assignments During Installation
14.3. Displaying Currently Assigned ID Ranges
14.4. Automatic ID Range Extension After Deleting a Replica
14.5. Manual ID Range Extension and Assigning a New ID Range
14.6. Ensuring That ID Values Are Unique
14.7. Repairing Changed UID and GID Numbers
15. User and Group Schema
15.1. About Changing the Default User and Group Schema
15.2. Applying Custom Object Classes to New User Entries
15.2.1. From the Web UI
15.2.2. From the Command Line
15.3. Applying Custom Object Classes to New Group Entries
15.3.1. From the Web UI
15.3.2. From the Command Line
15.4. Specifying Default User and Group Attributes
15.4.1. Viewing Attributes from the Web UI
15.4.2. Viewing Attributes from the Command Line
16. ID Views
16.1. Attributes an ID View Can Override
16.2. Getting Help for ID View Commands
16.3. Defining a Different Attribute Value for a User Account on Different Hosts
16.3.1. Web UI: Overriding an Attribute Value for a Specific Host
16.3.2. Command Line: Overriding an Attribute Value for a Specific Host
17. Managing Services
17.1. Adding and Editing Service Entries and Keytabs
17.1.1. Adding Services and Keytabs from the Web UI
17.1.2. Adding Services and Keytabs from the Command Line
17.2. Configuring Clustered Services
17.3. Using the Same Service Principal for Multiple Services
17.4. Retrieve Existing Keytabs for Multiple Servers
17.5. Disabling and Re-enabling Service Entries
17.5.1. Disabling Service Entries
17.5.2. Re-enabling Services
18. Delegating User Access to Hosts and Services
18.1. Delegating Service Management
18.2. Delegating Host Management
18.3. Delegating Host or Service Management in the Web UI
18.4. Accessing Delegated Services
19. Performance Tuning for Bulk Provisioning of Entries
20. Managing Certificates for Users, Hosts, and Services
20.1. Managing Certificates with the Integrated IdM CAs
20.1.1. Requesting New Certificates for a User, Host, or Service
20.1.2. Revoking Certificates with the Integrated IdM CAs
20.1.3. Restoring Certificates with the Integrated IdM CAs
20.2. Managing Certificates Issued by External CAs
20.2.1. Command Line: Adding and Removing Certificates Issued by External CAs
20.2.2. Web UI: Adding and Removing Certificates Issued by External CAs
20.3. Listing and Displaying Certificates
20.4. Certificate Profiles
20.4.1. Certificate Profile Management from the Command Line
20.4.2. Certificate Profile Management from the Web UI
20.4.3. Upgrading IdM Servers with Certificate Profiles
20.5. Certificate Authority ACL Rules
20.5.1. CA ACL Management from the Command Line
20.5.2. CA ACL Management from the Web UI
20.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
21. Managing Kerberos Flags and Principal Aliases
21.1. Kerberos Flags for Services and Hosts
21.1.1. Setting Kerberos Flags from the Web UI
21.1.2. Setting Kerberos Flags from the Command Line
21.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services
21.2.1. Kerberos Principal Alias
21.2.2. Kerberos Enterprise Principal Alias
22. Storing Authentication Secrets with Vaults
22.1. How Vaults Work
22.1.1. Vault Owners, Members, and Administrators
22.1.2. Standard, Symmetric, and Asymmetric Vaults
22.1.3. User, Service, and Shared Vaults
22.1.4. Vault Containers
22.2. Prerequisites for Using Vaults
22.3. Getting Help for Vault Commands
22.4. Storing a User's Personal Secret
22.4.1. Archiving a User's Personal Secret
22.4.2. Retrieving a User's Personal Secret
22.5. Storing a Service Secret in a Vault
22.5.1. Creating a User Vault to Store a Service Password
22.5.2. Provisioning a Service Password from a User Vault to Service Instances
22.5.3. Retrieving a Service Password for a Service Instance
22.5.4. Changing Service Vault Password
22.6. Storing a Common Secret for Multiple Users
22.6.1. Creating the Shared Vault with the Common Secret
22.6.2. Retrieving a Secret from a Shared Vault as a Member User
23. Integrating with NIS Domains and Netgroups
23.1. About NIS and Identity Management
23.2. Setting the NIS Port for Identity Management
23.3. Creating Netgroups
23.3.1. Adding Netgroups
23.3.1.1. With the Web UI
23.3.1.2. With the Command Line
23.3.2. Adding Netgroup Members
23.3.2.1. With the Web UI
23.3.2.2. With the Command Line
23.4. Exposing Automount Maps to NIS Clients
23.5. Migrating from NIS to IdM
23.5.1. Preparing Netgroup Entries in IdM
23.5.2. Enabling the NIS Listener in Identity Management
23.5.3. Exporting and Importing the Existing NIS Data
23.5.3.1. Importing User Entries
23.5.3.2. Importing Group Entries
23.5.3.3. Importing Host Entries
23.5.3.4. Importing Netgroup Entries
23.5.3.5. Importing Automount Maps
23.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
24. Managing DNS
24.1. BIND in Identity Management
24.2. Supported DNS Zone Types
24.3. DNS Configuration Priorities
24.4. Managing Master DNS Zones
24.4.1. Adding and Removing Master DNS Zones
24.4.2. Adding Additional Configuration for Master DNS Zones
24.4.3. Enabling Zone Transfers
24.4.4. Adding Records to DNS Zones
24.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line
24.4.6. Deleting Records from DNS Zones
24.4.7. Disabling and Enabling Zones
24.5. Managing Dynamic DNS Updates
24.5.1. Enabling Dynamic DNS Updates
24.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
24.5.1.2. Configuring the Clients to Send Dynamic Updates
24.5.2. Synchronizing A/AAAA and PTR Records
24.5.3. Updating DNS Dynamic Update Policies
24.6. Managing DNS Forwarding
24.6.1. Configuring Global Forwarders
24.6.2. Configuring Forward Zones
24.7. Managing Reverse DNS Zones
24.8. Defining DNS Query Policy
24.9. DNS Locations
24.9.1. DNS-based Service Discovery
24.9.2. Deployment Considerations for DNS Locations
24.9.2.1. DNS Time to Live (TTL)
24.9.3. Creating DNS Locations
24.9.4. Assigning an IdM Server to a DNS Location
24.10. Installing DNS Services Into an Existing Server
24.10.1. Setting up Additional Name Servers
IV. Defining Domain-wide System Policies
25. Using Automount
25.1. About Automount and IdM
25.2. Configuring Automount
25.2.1. Configuring NFS Automatically
25.2.2. Configuring autofs Manually to Use SSSD and Identity Management
25.2.3. Configuring Automount on Solaris
25.3. Setting up a Kerberos-aware NFS Server
25.3.1. Setting up a Kerberos-aware NFS Server
25.3.2. Setting up a Kerberos-aware NFS Client
25.4. Configuring Locations
25.4.1. Configuring Locations through the Web UI
25.4.2. Configuring Locations through the Command Line
25.5. Configuring Maps
25.5.1. Configuring Direct Maps
25.5.1.1. Configuring Direct Maps from the Web UI
25.5.1.2. Configuring Direct Maps from the Command Line
25.5.2. Configuring Indirect Maps
25.5.2.1. Configuring Indirect Maps from the Web UI
25.5.2.2. Configuring Indirect Maps from the Command Line
25.5.3. Importing Automount Maps
26. Defining Password Policies
26.1. What Are Password Policies and Why Are They Useful
26.2. How Password Policies Work in IdM
26.2.1. Supported Password Policy Attributes
26.2.2. Global and Group-specific Password Policies
26.2.3. Password Policy Priorities
26.3. Adding a New Password Policy
26.4. Modifying Password Policy Attributes
26.5. Changing Password Expiration Date with Immediate Effect
27. Managing the Kerberos Domain
27.1. Managing Kerberos Ticket Policies
27.1.1. Global and User-specific Kerberos Ticket Policies
27.1.2. Configuring the Global Kerberos Ticket Policy
27.1.3. Configuring User-specific Kerberos Ticket Policies
27.2. Rekeying Kerberos Principals
27.3. Protecting Keytabs
27.4. Removing Keytabs
27.5. Additional Resources
28. Using sudo
28.1. The sudo Utility in Identity Management
28.1.1. The Identity Management LDAP Schema for sudo
28.1.2. NIS Domain Name Requirements
28.2. sudo Rules in Identity Management
28.2.1. External Users and Hosts in sudo Rules
28.2.2. User Group Support for sudo Rules
28.2.3. Support for sudoers Options
28.3. Configuring the Location for Looking up sudo Policies
28.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
28.3.1.1. Applying the sudo Policies to Hosts Using SSSD
28.3.1.2. Applying the sudo Policies to Hosts Using LDAP
28.4. Adding sudo Commands, Command Groups, and Rules
28.4.1. Adding sudo Commands
28.4.2. Adding sudo Command Groups
28.4.3. Adding sudo Rules
28.5. Modifying sudo Commands and Command Groups
28.6. Modifying sudo Rules
28.7. Listing and Displaying sudo Commands, Command Groups, and Rules
28.8. Disabling and Enabling sudo Rules
28.9. Removing sudo Commands, Command Groups, and Rules
29. Configuring Host-Based Access Control
29.1. How Host-Based Access Control Works in IdM
29.2. Configuring Host-based Access Control in an IdM Domain
29.2.1. Creating HBAC Rules
29.2.2. Testing HBAC Rules
29.2.3. Disabling HBAC Rules
29.3. Adding HBAC Service Entries for Custom HBAC Services
29.4. Adding HBAC Service Groups
30. Defining SELinux User Maps
30.1. About Identity Management, SELinux, and Mapping Users
30.2. Configuring SELinux User Map Order and Defaults
30.2.1. In the Web UI
30.2.2. In the CLI
30.3. Mapping SELinux Users and IdM Users
30.3.1. In the Web UI
30.3.2. In the CLI
V. Configuring the Identity Management Server
31. Defining Access Control for IdM Users
31.1. Access Controls for IdM Entries
31.1.1. Access Control Methods in Identity Management
31.2. Defining Self-Service Settings
31.2.1. Creating Self-Service Rules from the Web UI
31.2.2. Creating Self-Service Rules from the Command Line
31.2.3. Editing Self-Service Rules
31.3. Delegating Permissions over Users
31.3.1. Delegating Access to User Groups in the Web UI
31.3.2. Delegating Access to User Groups in the Command Line
31.4. Defining Role-Based Access Controls
31.4.1. Roles
31.4.1.1. Creating Roles in the Web UI
31.4.1.2. Creating Roles in the Command Line
31.4.2. Permissions
31.4.2.1. Creating New Permissions from the Web UI
31.4.2.2. Creating New Permissions from the Command Line
31.4.2.3. Default Managed Permissions
31.4.2.4. Permissions in Earlier Versions of Identity Management
31.4.3. Privileges
31.4.3.1. Creating New Privileges from the Web UI
31.4.3.2. Creating New Privileges from the Command Line
32. Identity Management Files and Logs
32.1. A Reference of IdM Server Configuration Files and Directories
32.2. IdM Domain Services and Log Rotation
32.3. About default.conf and Context Configuration Files
32.4. Checking IdM Server Logs
32.4.1. Enabling Server Debug Logging
32.4.2. Debugging Command-Line Operations
33. Managing Certificates and Certificate Authorities
33.1. Lightweight Sub-CAs
33.1.1. Creating a Lightweight Sub-CA
33.1.2. Removing a Lightweight Sub-CA
33.2. Renewing Certificates
33.2.1. Renewing Certificates Automatically
33.2.2. Renewing CA Certificates Manually
33.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
33.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
33.3. Installing a CA Certificate Manually
33.4. Changing the Certificate Chain
33.5. Allowing IdM to Start with Expired Certificates
33.6. Installing Third-Party Certificates for HTTP or LDAP
33.7. Configuring OCSP Responders
33.7.1. Changing the CRL Update Interval
33.8. Installing a CA Into an Existing IdM Domain
33.9. Replacing the Web Server's and LDAP Server's Certificate
34. Disabling Anonymous Binds
35. Configuring TLS for Identity Management
35.1. Configuring the httpd Daemon
35.2. Configuring the Directory Server Component
35.3. Configuring the Certificate Server Component
35.4. Result
36. Migrating from an LDAP Directory to IdM
36.1. An Overview of an LDAP to IdM Migration
36.1.1. Planning the Client Configuration
36.1.1.1. Initial Client Configuration (Pre-Migration)
36.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
36.1.1.3. Alternative Supported Configuration
36.1.2. Planning Password Migration
36.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
36.1.2.2. Method 2: Using the Migration Web Page
36.1.2.3. Method 3: Using SSSD (Recommended)
36.1.2.4. Migrating Cleartext LDAP Passwords
36.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
36.1.3. Migration Considerations and Requirements
36.1.3.1. LDAP Servers Supported for Migration
36.1.3.2. Migration Environment Requirements
36.1.3.3. Migration — IdM System Requirements
36.1.3.4. Migration Tools
36.1.3.5. Improving Migration Performance
36.1.3.6. Migration Sequence
36.2. Examples for Using ipa migrate-ds
36.2.1. Migrating Specific Subtrees
36.2.2. Specifically Including or Excluding Entries
36.2.3. Excluding Entry Attributes
36.2.4. Setting the Schema to Use
36.3. Migrating an LDAP Server to Identity Management
36.4. Migrating over SSL
A. Troubleshooting Identity Management
A.1. Identity Management Servers
A.1.1. External CA Installation Fails
A.1.2. named Daemon Fails to Start
A.1.3. Installing a Server Fails on a System with IPv6 Disabled
A.2. Identity Management Replicas
A.2.1. Authenticating AD Users Against a New Replica Fails
A.2.2. Replica Starts with SASL, GSS-API, and Kerberos Errors in the Directory Server Logs
A.2.3. The DNS forward Record Does Not Match the Reverse Address
A.2.4. Serial Numbers Not Found Errors
A.2.5. Cleaning Replica Update Vector (RUV) Errors
A.2.6. Recovering a Lost CA Server
A.3. Identity Management Clients
A.3.1. The Client Is Unable to Resolve Reverse Lookups when Using an External DNS
A.3.2. The Client Is Not Added to the DNS Zone
A.3.3. Client Connection Problems
A.4. Logging In and Authentication Problems
A.4.1. Kerberos GSS Failures When Running ipa Commands
A.4.2. Kerberos Authentication Not Working in the UI
A.4.3. SSH Connection Fails when Using GSS-API
A.4.4. OTP Token Out of Sync
B. Managing Replicas at Domain Level 0
B.1. Replica Information File
B.2. Creating Replicas
B.2.1. Installing a Replica without DNS
B.2.2. Installing a Replica with DNS
B.2.3. Installing a Replica with Various CA Configurations
B.2.4. Adding Additional Replication Agreements
B.3. Managing Replicas and Replication Agreements
B.3.1. Explaining Replication Agreements
B.3.2. Listing Replication Agreements
B.3.3. Creating and Removing Replication Agreements
B.3.4. Initiating a Manual Replication Update
B.3.5. Re-initializing a Replica
B.3.6. Removing a Replica
B.4. Promoting a Replica to a Master CA Server
B.4.1. Changing Which Server Handles Certificate Renewal
C. Revision History