Show Table of Contents

1.2. The Identity Management Domain
The Identity Management (IdM) domain consists of a group of machines that share the same configuration, policies, and identity stores. The shared properties allow the machines within the domain to be aware of each other and operate together.
From the perspective of IdM, the domain includes the following types of machines:
- IdM servers, which work as domain controllers
- IdM clients, which are enrolled with the servers
IdM servers are also IdM clients enrolled with themselves: server machines provide the same functionality as clients.
IdM supports Red Hat Enterprise Linux machines as the IdM servers and clients.
Note
This guide describes using IdM in Linux environments. For more information on integration with Active Directory, see the Windows Integration Guide.
1.2.1. Identity Management Servers
The IdM servers act as central repositories for identity and policy information. They also host the services used by domain members. IdM provides a set of management tools to manage all the IdM-associated services centrally: the IdM web UI and command-line utilities.
For information on installing IdM servers, see Chapter 2, Installing and Uninstalling an Identity Management Server.
To support redundancy and load balancing, the data and configuration can be replicated from one IdM server to another: a replica of the initial server. You can configure servers and their replicas to provide different services to clients. For more details on IdM replicas, see Chapter 4, Installing and Uninstalling Identity Management Replicas.
1.2.1.1. Services Hosted by IdM Servers
Most of the following services are not strictly required to be installed on the IdM server. For example, services such as a certificate authority (CA), a DNS server, or a Network Time Protocol (NTP) server can be installed on an external server outside the IdM domain.
- Kerberos:
krb5kdc
andkadmin
- IdM uses the Kerberos protocol to support single sign-on. With Kerberos, users only need to present the correct username and password once and can access IdM services without the system prompting for credentials again.
- Kerberos is divided into two parts:
- The
krb5kdc
service is the Kerberos Authentication service and Key Distribution Center (KDC) daemon. - The
kadmin
service is the Kerberos database administration program.
For details on how Kerberos works, see the System-Level Authentication Guide. - For information on how to authenticate using Kerberos in IdM, see Section 5.2, “Logging into IdM Using Kerberos”.
- For information on managing Kerberos in IdM, see Chapter 29, Managing the Kerberos Domain.
- LDAP directory server:
dirsrv
- The IdM internal LDAP directory server instance stores all IdM information, such as information related to Kerberos, user accounts, host entries, services, policies, DNS, and others.The LDAP directory server instance is based on the same technology as Red Hat Directory Server. However, it is tuned to IdM-specific tasks.
Note
This guide refers to this component as Directory Server. - Certificate Authority:
pki-tomcatd
- The integrated Certificate Authority (CA) is based on the same technology as Red Hat Certificate System.
pki
is the Command-Line Interface for accessing Certificate System services.- For more details on installing an IdM server with different CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.
Note
This guide refers to this component as Certificate System when addressing the implementation and as certificate authority when addressing the services provided by the implementation.For information relating to Red Hat Certificate System, a standalone Red Hat product, see Product Documentation for Red Hat Certificate System. - Domain Name System (DNS):
named
- IdM uses DNS for dynamic service discovery. The IdM client installation utility can use information from DNS to automatically configure the client machine. After the client is enrolled in the IdM domain, it uses DNS to locate IdM servers and services within the domain.The
BIND (Berkeley Internet Name Domain)
implementation of the DNS (Domain Name System) protocols in Red Hat Enterprise Linux includes thenamed
DNS server.named-pkcs11
is a version of theBIND
DNS server built with native support for the PKCS#11 cryptographic standard.- For more information about service discovery, see the System-Level Authentication Guide.
- For information on the
BIND
DNS server, see the the Networking Guide. - For information on using DNS with IdM and important prerequisites, see Section 2.1.5, “Host Name and DNS Configuration”.
- For details on installing an IdM server with or without integrated DNS, see Section 2.3.1, “Determining Whether to Use Integrated DNS”.
- Network Time Protocol:
ntpd
- Many services require that servers and clients have the same system time, within a certain variance. For example, Kerberos tickets use time stamps to determine their validity and to prevent replay attacks. If the times between the server and client skew outside the allowed range, the Kerberos tickets are invalidated.By default, IdM uses the Network Time Protocol (NTP) to synchronize clocks over a network via the
ntpd
service. With NTP, a central server acts as an authoritative clock and the clients synchronize their times to match the server clock. The IdM server is configured as the NTP server for the IdM domain during the server installation process.Note
Running an NTP server on an IdM server installed on a virtual machine can lead to inaccurate time synchronization in some environments. To avoid potential problems, do not run NTP on IdM servers installed on virtual machines. For more information on the reliability of an NTP server on a virtual machine, see this Knowledgebase solution.
- Apache HTTP Server:
httpd
- The Apache HTTP web server provides the IdM Web UI, and also manages communication between the Certificate Authority and other IdM services.
- For more information about the Apache HTTP Server, see the System Administrator’s Guide.
- Samba / Winbind:
smb
,winbind
- Samba implements the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol), in Red Hat Enterprise Linux. Via the
smb
service, the SMB protocol enables you to access resources on a server, such as file shares and shared printers. If you have configured a Trust with an Active Directory (AD) environment, the Winbind service manages communication between IdM servers and AD servers.- For more information about Samba, see the System Administrator’s Guide.
- For more information about Winbind, see the System-Level Authentication Guide.
- One-time password (OTP) authentication:
ipa-otpd
- One-time passwords (OTP) are passwords that are generated by an authentication token for only one session, as part of two-factor authentication. OTP authentication is implemented in Red Hat Enterprise Linux via the
ipa-otpd
service.- For more information about OTP authentication, see Section 22.3, “One-Time Passwords”.
- Custodia:
ipa-custodia
- Custodia is a Secrets Services provider, it stores and shares access to secret material such as passwords, keys, tokens, certificates.
- OpenDNSSEC:
ipa-dnskeysyncd
- OpenDNSSEC is a DNS manager that automates the process of keeping track of DNS security extensions (DNSSEC) keys and the signing of zones. The
ipa-dnskeysyncd
servuce manages synchronization between the IdM Directory Server and OpenDNSSEC.

Figure 1.1. The Identity Management Server: Unifying Services
1.2.2. Identity Management Clients
IdM clients are machines configured to operate within the IdM domain. They interact with the IdM servers to access domain resources. For example, they belong to the Kerberos domains configured on the servers, receive certificates and tickets issued by the servers, and use other centralized services for authentication and authorization.
An IdM client does not require dedicated client software to interact as a part of the domain. It only requires proper system configuration of certain services and libraries, such as Kerberos or DNS. This configuration directs the client machine to use IdM services.
For information on installing IdM clients, see Chapter 3, Installing and Uninstalling Identity Management Clients.
1.2.2.1. Services Hosted by IdM Clients
- System Security Services Daemon:
sssd
- The System Security Services Daemon (SSSD) is the client-side application that manages user authentication and caching credentials.Caching enables the local system to continue normal authentication operations if the IdM server becomes unavailable or if the client goes offline.For more information about SSSD, see the System-Level Authentication Guide. SSSD also supports Windows Active Directory (AD). For more information about using SSSD with AD, see the Windows Integration Guide.
certmonger
- The
certmonger
service monitors and renews the certificates on the client. It can request new certificates for the services on the system.For more information aboutcertmonger
, see the System-Level Authentication Guide.

Figure 1.2. Interactions Between IdM Services