Chapter 3. Authentication and Interoperability

Identity Management sets up a one-way trust by default

The ipa trust-add command now configures a one-way trust by default. One-way trusts enable users and groups in Active Directory (AD) to access resources in Identity Management (IdM) but not the other way around. Previously, the default trust configured by running ipa trust-add was a two-way trust.
IdM still allows the administrator to set up a two-way trust by adding the --two-way=true option to ipa trust-add.

openldap rebase to version 2.4.40

The openldap packages have been upgraded to upstream version 2.4.40, which provides a number of bug fixes and one enhancement over the previous version. Notably, the ORDERING matching rules have been added to the ppolicy attribute type descriptions. Among the fixed bugs are: The server no longer terminates unexpectedly when processing SRV records, and missing objectClass information has been added, which enables the user to modify the front-end configuration by standard means.

Cache authentication in SSSD

Authentication against cache without a reconnection attempt is now available in SSSD even in online mode. Authenticating directly against the network server repeatedly could cause excessive application latency, which could make the login process overly time-consuming.

SSSD enables UID and GID mapping on individual clients

It is now possible to map users to a different UID and GID on specific Red Hat Enterprise Linux clients through client-side configuration by using SSSD. This client-side override possibility can resolve problems caused by UID and GID duplication or ease transition from a legacy system that previously used different ID mapping.
Note that the overrides are stored in the SSSD cache; removing the cache therefore also removes the overrides.

SSSD can now deny SSH access to locked accounts

Previously, when SSSD used OpenLDAP as its authentication database, users could authenticate into the system successfully with an SSH key even after the user account was locked. The ldap_access_order parameter now accepts the ppolicy value, which can deny SSH access to the user in the described situation. For more information about using ppolicy, see the ldap_access_order description in the sssd-ldap(5) manual page.

The sudo utility now capable of verifying command checksum

The configuration of the sudo utility can now store the checksum of a command or script that is being permitted. When the command or script is run again, the checksum is compared to the stored checksum to verify that nothing has changed. If the command or binary is modified, the sudo utility refuses to run the command or logs a warning. This functionality makes it possible to correctly devolve responsibility and problem-solving activities if an incident occurs.

SSSD smart card support

SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated.
Note that SSSD does not currently enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.

Support for multiple certificate profiles and user certificates

Identity Management now supports multiple profiles for issuing server and other certificates instead of only supporting a single server certificate profile. The profiles are stored in the Directory Server and shared between IdM replicas.
In addition, the administrator can now issue certificates to individual users. Previously, it was only possible to issue certificates to hosts and services.

Password Vault

A new feature to allow secure central storage of private user information, such as passwords and keys has been added to Identity Management. Password Vault is built on top of the Public Key Infrastructure (PKI) Key Recovery Authority (KRA) subsystem.

Kerberos HTTPS proxy in Identity Management

A Key Distribution Center (KDC) proxy function, interoperable with the Microsoft Kerberos KDC Proxy Protocol (MS-KKDCP) implementation, is now available in Identity Management and allows clients to access the KDC and kpasswd services by using HTTPS. System administrators can now expose the proxy at their network edge by a simple HTTPS reverse proxy without the need to set up and manage a dedicated application.

Background refresh of cached entries

SSSD now allows cached entries to be updated out-of-band in the background. Prior to this update, when the validity of cached entries expired, SSSD fetched them from the remote server and stored them in the database anew, which could be time consuming. With this update, entries are returned instantly because the back end keeps them updated at all times. Note that this causes a higher load on the server because SSSD downloads the entries periodically instead of only upon request.

Caching for initgroups operations

The SSSD fast memory cache now supports the initgroups operations, which enhances the speed of initgroups processing and improves the performance of some applications, for example GlusterFS and slapi-nis.

Negotiate authentication streamlined with mod_auth_gssapi

Identity Management now uses the mod_auth_gssapi module, which uses GSSAPI calls instead of direct Kerberos calls used by the previously used mod_auth_kerb module.

User life-cycle management capabilities

The user life-cycle management gives the administrator a greater degree of control over activating and deactivating user accounts. The administrator can now provision new user accounts by adding them to a stage area without fully activating them, activate inactive user accounts to make them fully operational, or deactivate user accounts without completely deleting them from the database.
User life-cycle management capabilities bring significant benefits to large IdM deployments. Note that users can be added to the stage area also directly from a standard LDAP client, using direct LDAP operations. Previously, IdM only supported managing users using IdM command-line tools or the IdM web UI.

SCEP support in certmonger

The certmonger service has been updated to support the Simple Certificate Enrollment Protocol (SCEP). It is now possible to issue a new certificate and renew or replace existing certificates over SCEP.

Apache modules for IdM now fully supported

The following Apache modules for Identity Management (IdM), added as Technology Preview in Red Hat Enterprise Linux 7.1, are now fully supported: mod_authnz_pam, mod_lookup_identity, and mod_intercept_form_submit. The Apache modules can be used by external applications to achieve tighter interaction with IdM beyond simple authentication.

NSS raises minimum accepted key strength values

The Network Security Services (NSS) library in Red Hat Enterprise Linux 7.2 no longer accepts Diffie-Hellman (DH) key exchange parameters smaller than 768 bits, nor RSA and DSA certificates with key sizes less than 1023 bits. Raising the minimum accepted key strength values prevents attacks exploiting known security vulnerabilities such as Logjam (CVE-2015-4000) and FREAK (CVE-2015-0204).
Note that attempts to connect to a server by using keys weaker than the new minimum values now fail, even though such connections worked in previous versions of Red Hat Enterprise Linux.

NSS enables TLS version 1.1 and 1.2 by default

Applications using protocol versions that NSS enables by default now additionally support the TLS version 1.1 and TLS version 1.2 protocols.

ECDSA certificates are now supported

Applications that use the default NSS cipher list now support connections to servers that use Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

OpenLDAP automatically chooses the NSS default cipher suites

OpenLDAP clients now automatically choose the Network Security Services (NSS) default cipher suites for communication with the server. It is no longer necessary to maintain the default cipher suites manually in the OpenLDAP source code.

Configuring an IdM server to be a trust agent now supported

Identity Management (IdM) distinguishes two types of IdM master servers: trust controllers and trust agents. Trust controllers run all the services required for establishing and maintaining a trust; trust agents only run services required to provide resolution of users and groups from trusted Active Directory forests to IdM clients enrolled with these IdM servers.
By default, running the ipa-adtrust-install command sets up the IdM server as a trust controller. To configure another IdM server to be a trust agent, pass the --add-agents option to ipa-adtrust-install.

Automated migration from WinSync to trusts now supported

The new ipa-winsync-migrate utility enables seamless migration from synchronization-based integration using WinSync to integration based on Active Directory (AD) trust. The utility automatically migrates all users synchronized using WinSync from a specified AD forest. Previously, migration from synchronization to trust could only be performed manually using ID views.
For more information about ipa-winsync-migrate, see the ipa-winsync-migrate(1) man page.

Multi-step prompting for one-time and long-term passwords

When using a one-time password (a token) together with a long-term password to log in, the user is prompted for both passwords separately. This results in better user experience when using one-time passwords as well as a safer long-term password extraction, which allows long-term password caching to be used for offline authentication.

LPK schema for OpenLDAP now available in the LDIF format

LDIF is the new default format for the OpenLDAP import schema, and the openssh-ldap package now provides the LDAP Public Key (LPK) schema in the LDIF format as well. Therefore, administrators can directly import the LDIF schema when setting up public-key authentication based on LDAP.

Cyrus can authenticate to AD and IdM servers again

An upstream release of the cyrus-sasl packages introduced a non-backward compatible change that prevented Cyrus from authenticating against older SASL implementations. Consequently, Red Hat Enterprise Linux 7 was not able to authenticate to Active Directory (AD) and Red Hat Enterprise Linux 6 Identity Management (IdM) servers. The upstream change has been reverted and Cyrus can now authenticate to AD and IdM servers as expected.

SSSD supports overriding automatically discovered AD site

The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the ad_site parameter in the [domain/NAME] section of the /etc/sssd/sssd.conf file.

Support for SAML ECP has been added

The lasso packages have been rebased to version 2.5.0 and the mod_auth_mellon packages have been rebased to version 0.11.0 in order to add support for Security Assertion Markup Language (SAML) Enhanced Client or Proxy (ECP). SAML ECP is an alternative SAML profile that allows non-browser-based Single Sign On (SSO).

The winbindd service no longer lists group memberships in its default configuration

The winbindd service in Samba version 4.2.0 and later no longer lists group memberships for display purposes. In some situations, such as in environments with trusted domains, it was not always possible to provide this information reliably. To prevent the risk of providing inaccurate information, the default winbindd configuration has been changed to winbind expand groups = 0, which disables the previous behavior. Note that some commands, such as the getent group command, previously relied on this functionality and might not behave as before.