1.2. The Identity Management Domain
- IdM servers, which work as domain controllers
- IdM clients, which are enrolled with the servers
1.2.1. Identity Management Servers
126.96.36.199. Services Hosted by IdM Servers
- Kerberos KDC
- IdM uses the Kerberos protocol to support single sign-on. With Kerberos, the user only needs to present the correct user name and password once. Then the user can access IdM services without the system prompting for the credentials again.
- LDAP directory server
- IdM includes an internal LDAP directory server instance where it stores all the IdM information, such as information related to Kerberos, user accounts, host entries, services, policies, DNS, and others.The LDAP directory server instance is based on the same technology as Red Hat Directory Server. However, it is tuned to IdM-specific tasks.
NoteThis guide refers to this component as Directory Server.
- Certificate authority
- In most deployments, an integrated certificate authority (CA) is installed with the IdM server. You can also install the server without the integrated CA if you create and provide all required certificates independently.
- For more details on installing an IdM server with the different CA configurations, see Section 2.3.2, “Determining What CA Configuration to Use”.
NoteThis guide refers to this component as Certificate System when addressing the implementation and as certificate authority when addressing the services provided by the implementation.For information relating to Red Hat Certificate System, a standalone Red Hat product, see Product Documentation for Red Hat Certificate System.
- Domain Name System (DNS)
- IdM uses DNS for dynamic service discovery. The IdM client installation utility can use information from DNS to automatically configure the client machine. After the client is enrolled in the IdM domain, it uses DNS to locate IdM servers and services within the domain.
- For more information about service discovery, see the System-Level Authentication Guide.
- For information on using DNS with IdM and important prerequisites, see Section 2.1.5, “Host Name and DNS Configuration”.
- For details on installing an IdM server with or without integrated DNS, see Section 2.3.1, “Determining Whether to Use Integrated DNS”.
- Network Time Protocol
- Many services require that servers and clients have the same system time, within a certain variance. For example, Kerberos tickets use time stamps to determine their validity and to prevent replay attacks. If the times between the server and client skew outside the allowed range, the Kerberos tickets are invalidated.By default, IdM uses the Network Time Protocol (NTP) to synchronize clocks over a network. With NTP, a central server acts as an authoritative clock and the clients synchronize their times to match the server clock. The IdM server is configured as the NTP server for the IdM domain during the server installation process.
NoteRunning an NTP server on an IdM server installed on a virtual machine can lead to inaccurate time synchronization in some environments. To avoid potential problems, do not run NTP on IdM servers installed on virtual machines. For more information on the reliability of an NTP server on a virtual machine, see this Knowledgebase solution.
Figure 1.1. The Identity Management Server: Unifying Services
1.2.2. Identity Management Clients
188.8.131.52. Services Hosted by IdM Clients
- System Security Services Daemon
- The System Security Services Daemon (SSSD) is a client-side application for caching credentials. Using SSSD on client machines is recommended because it simplifies the required client configuration. SSSD also provides additional features, for example:
With SSSD, the IdM administrators can define all identity configuration centrally in the IdM server. Caching enables the local system to continue normal authentication operations if the IdM server becomes unavailable or if the client becomes offline.
- Offline client authentication, ensured by caching credentials from centralized identity and authentication stores locally
- Improved consistency of the authentication process, because it is not necessary to maintain both a central account and a local user account for offline authentication
- Integration with other services, such as
- Host-based access control (HBAC) authorization
certmongerservice monitors and renews the certificates on the client. It can request new certificates for the services on the system.For more information about
certmonger, see the System-Level Authentication Guide.
Figure 1.2. Interactions Between IdM Services