
Chapter 51. Authentication and Interoperability

Installing an IdM replica on RHEL 7.6 fails if the IdM master runs on RHEL 6

With a recent update of the pki-core package, certain ciphers are no longer enabled by default in the Identity Management (IdM) Certificate Authority (CA). As a consequence, setting up an IdM server with an integrated CA on RHEL 7.6 as a replica of a master running on RHEL 6 fails with a CRITICAL Failed to configure CA instance error. To work around the problem, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file, separated from the existing last entry by a comma:
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
If httpd is already running on that host, restart it afterwards so that mod_nss loads the extended cipher list. As a result, the IdM installation on RHEL 7.6 no longer fails. Note that installing a CA-less IdM replica on RHEL 7.6 works as expected even without this workaround. (BZ#1667434)
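The edit above is a one-line change, but it is easy to get wrong by hand (a missing comma, or a cipher that is already listed with a "-" prefix earlier in the line). The following Python helper, added here and not taken from the release note, mod_nss or IdM, applies the workaround to the text of an nss.conf idempotently and lets you inspect the result before writing it back. The abbreviated configuration in the usage section is a constructed sample; the real file carries many more entries.

```python
"""Idempotent edit of the NSSCipherSuite directive in a mod_nss nss.conf.
Added example, not code from the Red Hat page or from mod_nss/IdM. It works
on the file's text so the result can be reviewed before it is written back;
the sample configuration in the usage block is constructed."""
import re

# The two ciphers the release note says to append.
WORKAROUND_CIPHERS = ("+ecdhe_rsa_aes_128_sha", "+ecdhe_rsa_aes_256_sha")

# mod_nss writes the directive as one unquoted, comma-separated token.
_DIRECTIVE = re.compile(r"^(?P<lead>\s*NSSCipherSuite\s+)(?P<value>\S+)(?P<tail>\s*)$")


def cipher_list(conf: str) -> list:
    """Return the entries of the first NSSCipherSuite directive, in order."""
    for line in conf.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            return m.group("value").split(",")
    raise ValueError("no NSSCipherSuite directive found")


def add_ciphers(conf: str, ciphers=WORKAROUND_CIPHERS) -> str:
    """Append `ciphers` to the end of NSSCipherSuite exactly once.

    Any existing entry for the same cipher (enabled with '+' or disabled
    with '-') is removed first, so the appended '+' entry is the only one
    and running the function twice yields the same text. Everything else
    in the file, including line endings, is left untouched.
    """
    wanted = [c if c[:1] in "+-" else "+" + c for c in ciphers]
    names = {c[1:].lower() for c in wanted}
    out, done = [], False
    for line in conf.splitlines(keepends=True):
        m = _DIRECTIVE.match(line)
        if m is None or done:
            out.append(line)
            continue
        kept = [c for c in m.group("value").split(",")
                if c.lstrip("+-").lower() not in names]
        out.append(m.group("lead") + ",".join(kept + wanted) + m.group("tail"))
        done = True
    if not done:
        raise ValueError("no NSSCipherSuite directive found")
    return "".join(out)


if __name__ == "__main__":
    # Constructed, abbreviated nss.conf.
    sample = ("NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2\n"
              "NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,"
              "+ecdhe_rsa_aes_128_gcm_sha_256\n")
    patched = add_ciphers(sample)
    print(patched, end="")
    assert cipher_list(patched)[-2:] == list(WORKAROUND_CIPHERS)
    assert add_ciphers(patched) == patched
```

Read /etc/httpd/conf.d/nss.conf, pass its text through add_ciphers, diff the result against the original, and only then write it back and restart httpd; because the function is idempotent it is safe to run from configuration management on every pass.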

RADIUS proxy functionality is now also available in IdM running in FIPS mode

In FIPS mode, OpenSSL disables the MD5 digest algorithm by default. The RADIUS protocol, however, depends on MD5 with no alternative: the shared secret between the RADIUS client and the RADIUS server is fed through MD5 to hide the User-Password attribute and to compute the authenticator of every reply, and the protocol offers no way to negotiate another algorithm. Consequently, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail.
If the RADIUS server runs on the same host as the IdM master, you can work around the problem by enabling MD5 for the radiusd process only, inside the secure perimeter; the rest of the system stays in FIPS mode.
To do that, create the file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
To apply the change, reload the systemd configuration:
# systemctl daemon-reload
and start the radiusd service (restart it instead if it is already running, because the drop-in takes effect only when the process starts):
# systemctl start radiusd
You can confirm that the variable reached the unit with systemctl show radiusd -p Environment.
The configuration of the RADIUS proxy requires a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or the web UI. To do it in the CLI:
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
Note that a secret passed as a command-line argument is recorded in the shell history and is visible in the process list while the command runs.
(BZ#1571754)
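To see exactly where RADIUS hard-codes MD5, and therefore why radiusd cannot be made FIPS-clean by configuration, the following added Python code (not from the release note, FreeRADIUS or IdM) implements the two MD5 uses from RFC 2865: hiding the User-Password attribute with the shared secret and computing the Response Authenticator. The secret, password and authenticator values are constructed samples.

```python
"""RFC 2865 password hiding and response authentication, to show where
RADIUS hard-codes MD5. Added example; not code from the Red Hat page or
from FreeRADIUS/IdM. The secret, password and authenticator used in the
usage block are constructed sample values."""
import hashlib
import os
import struct


def _md5(data: bytes) -> bytes:
    # MD5 is the protocol's keystream generator, not a configurable choice;
    # usedforsecurity=False (Python >= 3.9) tells a FIPS-enabled OpenSSL
    # exactly that. On RHEL 7 in FIPS mode this call is where radiusd dies.
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        return hashlib.md5(data).digest()


def new_request_authenticator() -> bytes:
    """16 random bytes, sent in the clear in every Access-Request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password attribute value as the client sends it (RFC 2865 5.2)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out = bytearray()
    prev = request_auth  # b1 = MD5(S + RA), b(n) = MD5(S + c(n-1))
    for i in range(0, len(padded), 16):
        keystream = _md5(secret + prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password. A wrong secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        keystream = _md5(secret + prev)
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    # Padding is indistinguishable from trailing NULs in the password itself.
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the only thing telling the client an Access-Accept is genuine."""
    length = 20 + len(attributes)  # 20-byte header + attributes
    header = struct.pack("!BBH", code, identifier, length)
    return _md5(header + request_auth + attributes + secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = new_request_authenticator()
    hidden = hide_password(b"correct horse battery staple", secret, ra)
    assert reveal_password(hidden, secret, ra) == b"correct horse battery staple"
    print("hidden User-Password:", hidden.hex())
    print("Access-Accept authenticator:", response_authenticator(2, 7, b"", ra, secret).hex())
```

Two points worth noticing: the secret is never sent, only MD5 outputs keyed with it, so the secrecy of the password rests entirely on the shared secret and on the Request Authenticator being fresh; and there is no field in which the peers could announce a different digest, which is why the only fix on a FIPS host is to let this one process use MD5.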

Potential risk when using the default value for ldap_id_use_start_tls option

Using ldap:// without TLS for identity lookups opens an attack vector, in particular a man-in-the-middle (MITM) attack: an attacker who can tamper with the unencrypted traffic can alter, for example, the UID or GID of an object returned in an LDAP search and thereby impersonate a user.
Currently, the SSSD configuration option that enforces TLS for these lookups, ldap_id_use_start_tls, defaults to false. The option applies only to ldap:// URIs; a domain whose ldap_uri uses ldaps:// is encrypted from the first byte regardless of this setting. Ensure that your setup operates in a trusted environment and decide whether it is safe to use unencrypted communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected, because they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, enforce TLS by setting the ldap_id_use_start_tls option to true in the affected domain sections of the /etc/sssd/sssd.conf file. For StartTLS to defeat a MITM, the server certificate must also be verifiable, so point ldap_tls_cacert at the issuing CA certificate; SSSD rejects unverifiable certificates by default because ldap_tls_reqcert defaults to hard. The default behavior is planned to be changed in a future release of RHEL.
(JIRA:RHELPLAN-155168)
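The following added Python check (not part of the release note or of SSSD) parses an sssd.conf and reports every id_provider = ldap domain that would perform identity lookups over plaintext LDAP under the current default, while skipping ad and ipa domains and ldaps:// servers. The two configurations embedded in it are constructed samples: the first relies on the weak default, the second shows the corrected settings. It also treats an unset ldap_uri as plaintext, because SRV-discovered servers are contacted with ldap://.

```python
"""Audit an sssd.conf for ldap id_provider domains that do identity lookups
over plaintext LDAP. Added example, not code from the release note or from
SSSD; both configurations below are constructed samples."""
import configparser

# Weak: corp talks ldap:// with the default ldap_id_use_start_tls = false,
# legacy has no ldap_uri (SRV discovery, also ldap://). vault uses ldaps://
# and the ad/ipa domains are protected by SASL/GSSAPI, so they are fine.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = corp, legacy, vault, ad.example.com, ipa.example.com

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap1.example.com, ldap://ldap2.example.com
ldap_search_base = dc=example,dc=com

[domain/legacy]
id_provider = ldap
ldap_search_base = dc=legacy,dc=example,dc=com

[domain/vault]
id_provider = ldap
ldap_uri = ldaps://vault.example.com
ldap_tls_cacert = /etc/pki/tls/certs/vault-ca.pem

[domain/ad.example.com]
id_provider = ad

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.example.com
"""

# Corrected: corp enforces StartTLS and pins the issuing CA so the server
# certificate is actually verified; legacy moves to an explicit ldaps:// URI.
FIXED_CONF = WEAK_CONF.replace(
    "ldap_search_base = dc=example,dc=com\n",
    "ldap_search_base = dc=example,dc=com\n"
    "ldap_id_use_start_tls = true\n"
    "ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem\n",
).replace(
    "[domain/legacy]\nid_provider = ldap\n",
    "[domain/legacy]\nid_provider = ldap\nldap_uri = ldaps://legacy.example.com\n",
)


def audit_sssd_conf(text: str) -> list:
    """Return (domain, reason) pairs for ldap domains doing plaintext lookups."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # sssd.conf option names are case-sensitive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain, opts = section[len("domain/"):], cp[section]
        if opts.get("id_provider", "").strip() != "ldap":
            continue  # ad and ipa providers use SASL/GSSAPI-protected connections
        if opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true":
            continue  # StartTLS enforced for lookups
        uris = [u.strip() for u in opts.get("ldap_uri", "").split(",") if u.strip()]
        uris = uris or ["_srv_"]  # unset ldap_uri means SRV discovery
        plain = [u for u in uris if u.lower() == "_srv_" or u.lower().startswith("ldap://")]
        if plain:
            findings.append((domain, "lookups without StartTLS via " + ", ".join(plain)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", audit_sssd_conf(conf) or "no plaintext ldap domains")
```

To audit a live host, read /etc/sssd/sssd.conf (root only, mode 0600) and pass its text to audit_sssd_conf; a domain listed in the output either needs ldap_id_use_start_tls = true together with a trusted ldap_tls_cacert, or an ldaps:// URI.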