Linux Domain Identity, Authentication, and Policy Guide
I. Overview of Red Hat Identity Management
Expand section "I. Overview of Red Hat Identity Management" Collapse section "I. Overview of Red Hat Identity Management"
1. 1. Introduction to Red Hat Identity Management
  Expand section "1. Introduction to Red Hat Identity Management" Collapse section "1. Introduction to Red Hat Identity Management"
  1. 1.1. The Goal of Red Hat Identity Management
    
    Expand section "1.1. The Goal of Red Hat Identity Management" Collapse section "1.1. The Goal of Red Hat Identity Management"
    
    1.1.1. Examples of Benefits Brought by IdM
    
    1.1.2. Contrasting Identity Management with a Standard LDAP Directory
  2. 1.2. The Identity Management Domain
    
    Expand section "1.2. The Identity Management Domain" Collapse section "1.2. The Identity Management Domain"
    
    1.2.1. Identity Management Servers
    
    Expand section "1.2.1. Identity Management Servers" Collapse section "1.2.1. Identity Management Servers"
    
    1.2.1.1. Services Hosted by IdM Servers
    
    1.2.2. Identity Management Clients
    
    Expand section "1.2.2. Identity Management Clients" Collapse section "1.2.2. Identity Management Clients"
    
    1.2.2.1. Services Hosted by IdM Clients
II. Installing Identity Management
Expand section "II. Installing Identity Management" Collapse section "II. Installing Identity Management"
1. 2. Installing and Uninstalling an Identity Management Server
  Expand section "2. Installing and Uninstalling an Identity Management Server" Collapse section "2. Installing and Uninstalling an Identity Management Server"
  1. 2.1. Prerequisites for Installing a Server
    
    Expand section "2.1. Prerequisites for Installing a Server" Collapse section "2.1. Prerequisites for Installing a Server"
    
    2.1.1. Minimal Hardware Requirements
    
    2.1.2. Hardware Recommendations
    
    2.1.3. System Requirements
    
    2.1.4. Prerequisites for Installing a Server in a FIPS Environment
    
    2.1.5. Host Name and DNS Configuration
    
    2.1.6. Port Requirements
  2. 2.2. Packages Required to Install an IdM Server
  3. 2.3. Installing an IdM Server: Introduction
    
    Expand section "2.3. Installing an IdM Server: Introduction" Collapse section "2.3. Installing an IdM Server: Introduction"
    
    2.3.1. Determining Whether to Use Integrated DNS
    
    2.3.2. Determining What CA Configuration to Use
    
    2.3.3. Installing a Server with Integrated DNS
    
    2.3.4. Installing a Server Without Integrated DNS
    
    2.3.5. Installing a Server with an External CA as the Root CA
    
    2.3.6. Installing Without a CA
    
    2.3.7. Installing a Server Non-Interactively
  4. 2.4. Uninstalling an IdM Server
  5. 2.5. Renaming a Server
2. 3. Installing and Uninstalling Identity Management Clients
  Expand section "3. Installing and Uninstalling Identity Management Clients" Collapse section "3. Installing and Uninstalling Identity Management Clients"
  1. 3.1. Prerequisites for Installing a Client
    
    Expand section "3.1. Prerequisites for Installing a Client" Collapse section "3.1. Prerequisites for Installing a Client"
    
    3.1.1. Prerequisites for Installing a Client in a FIPS Environment
  2. 3.2. Packages Required to Install a Client
  3. 3.3. Installing a Client
    
    Expand section "3.3. Installing a Client" Collapse section "3.3. Installing a Client"
    
    3.3.1. Installing a Client Interactively
    
    3.3.2. Installing a Client Non-interactively
  4. 3.4. Setting up an IdM Client Through Kickstart
    
    Expand section "3.4. Setting up an IdM Client Through Kickstart" Collapse section "3.4. Setting up an IdM Client Through Kickstart"
    
    3.4.1. Pre-creating a Client Host Entry on the IdM Server
    
    3.4.2. Creating a Kickstart File for the Client
  5. 3.5. Post-installation Considerations for Clients
    
    Expand section "3.5. Post-installation Considerations for Clients" Collapse section "3.5. Post-installation Considerations for Clients"
    
    3.5.1. Removing Pre-Identity Management Configuration
  6. 3.6. Testing the New Client
  7. 3.7. Uninstalling a Client
  8. 3.8. Re-enrolling a Client into the IdM Domain
    
    Expand section "3.8. Re-enrolling a Client into the IdM Domain" Collapse section "3.8. Re-enrolling a Client into the IdM Domain"
    
    3.8.1. Re-enrolling a Client Interactively Using the Administrator Account
    
    3.8.2. Re-enrolling a Client Non-interactively Using the Client Keytab
  9. 3.9. Renaming Client Machines
3. 4. Installing and Uninstalling Identity Management Replicas
  Expand section "4. Installing and Uninstalling Identity Management Replicas" Collapse section "4. Installing and Uninstalling Identity Management Replicas"
  1. 4.1. Explaining IdM Replicas
  2. 4.2. Deployment Considerations for Replicas
    
    Expand section "4.2. Deployment Considerations for Replicas" Collapse section "4.2. Deployment Considerations for Replicas"
    
    4.2.1. Distribution of Server Services in the Topology
    
    4.2.2. Replica Topology Recommendations
    
    Expand section "4.2.2. Replica Topology Recommendations" Collapse section "4.2.2. Replica Topology Recommendations"
    
    4.2.2.1. Tight Cell Topology
    
    4.2.3. The Hidden Replica Mode
  3. 4.3. Prerequisites for Installing a Replica
  4. 4.4. Packages Required to Install a Replica
  5. 4.5. Creating the Replica: Introduction
    
    Expand section "4.5. Creating the Replica: Introduction" Collapse section "4.5. Creating the Replica: Introduction"
    
    4.5.1. Promoting a Client to a Replica Using a Host Keytab
    
    4.5.2. Installing a Replica Using a Random Password
    
    4.5.3. Installing a Replica with DNS
    
    4.5.4. Installing a Replica with a CA
    
    4.5.5. Installing a Replica from a Server without a CA
  6. 4.6. Testing the New Replica
  7. 4.7. Uninstalling a Replica
III. Administration: Managing Servers
Expand section "III. Administration: Managing Servers" Collapse section "III. Administration: Managing Servers"
1. 5. The Basics of Managing the IdM Server and Services
  Expand section "5. The Basics of Managing the IdM Server and Services" Collapse section "5. The Basics of Managing the IdM Server and Services"
  1. 5.1. Starting and Stopping the IdM Server
  2. 5.2. Logging into IdM Using Kerberos
  3. 5.3. The IdM Command-Line Utilities
    
    Expand section "5.3. The IdM Command-Line Utilities" Collapse section "5.3. The IdM Command-Line Utilities"
    
    5.3.1. Getting Help for ipa Commands
    
    5.3.2. Setting a List of Values
    
    5.3.3. Using Special Characters
    
    5.3.4. Searching IdM Entries
    
    Expand section "5.3.4. Searching IdM Entries" Collapse section "5.3.4. Searching IdM Entries"
    
    5.3.4.1. Adjusting the Search Size and Time Limit
  4. 5.4. The IdM Web UI
    
    Expand section "5.4. The IdM Web UI" Collapse section "5.4. The IdM Web UI"
    
    5.4.1. Supported Web Browsers
    
    5.4.2. Accessing the Web UI and Authenticating
    
    Expand section "5.4.2. Accessing the Web UI and Authenticating" Collapse section "5.4.2. Accessing the Web UI and Authenticating"
    
    5.4.2.1. Accessing the Web UI
    
    5.4.2.2. Available Login Methods
    
    5.4.2.3. Web UI Session Length
    
    5.4.2.4. Authenticating to the IdM Web UI as an AD User
    
    5.4.3. Configuring the Browser for Kerberos Authentication
    
    5.4.4. Configuring an External System for Kerberos Authentication to the Web UI
    
    5.4.5. Proxy Servers and Port Forwarding in the Web UI
2. 6. Managing Replication Topology
  Expand section "6. Managing Replication Topology" Collapse section "6. Managing Replication Topology"
  1. 6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments
  2. 6.2. Web UI: Using the Topology Graph to Manage Replication Topology
    
    Expand section "6.2. Web UI: Using the Topology Graph to Manage Replication Topology" Collapse section "6.2. Web UI: Using the Topology Graph to Manage Replication Topology"
    
    6.2.1. Setting up Replication Between Two Servers
    
    6.2.2. Stopping Replication Between Two Servers
  3. 6.3. Command Line: Managing Topology Using the ipa topology* Commands
    
    Expand section "6.3. Command Line: Managing Topology Using the ipa topology* Commands" Collapse section "6.3. Command Line: Managing Topology Using the ipa topology* Commands"
    
    6.3.1. Getting Help for Topology Management Commands
    
    6.3.2. Setting up Replication Between Two Servers
    
    6.3.3. Stopping Replication Between Two Servers
  4. 6.4. Removing a Server from the Topology
    
    Expand section "6.4. Removing a Server from the Topology" Collapse section "6.4. Removing a Server from the Topology"
    
    6.4.1. Web UI: Removing a Server from the Topology
    
    6.4.2. Command Line: Removing a Server from the Topology
  5. 6.5. Managing Server Roles
    
    Expand section "6.5. Managing Server Roles" Collapse section "6.5. Managing Server Roles"
    
    6.5.1. Viewing Server Roles
    
    6.5.2. Promoting a Replica to a Master CA Server
    
    Expand section "6.5.2. Promoting a Replica to a Master CA Server" Collapse section "6.5.2. Promoting a Replica to a Master CA Server"
    
    6.5.2.1. Changing the Current CA Renewal Master
    
    6.5.2.2. Changing Which Server Generates CRLs
    
    6.5.2.3. Verifying That the New Master CA Server Is Configured Correctly
    
    6.5.3. Demotion and Promotion of Hidden Replicas
3. 7. Displaying and Raising the Domain Level
  Expand section "7. Displaying and Raising the Domain Level" Collapse section "7. Displaying and Raising the Domain Level"
  1. 7.1. Displaying the Current Domain Level
  2. 7.2. Raising the Domain Level
4. 8. Updating and Migrating Identity Management
  Expand section "8. Updating and Migrating Identity Management" Collapse section "8. Updating and Migrating Identity Management"
  1. 8.1. Updating Identity Management
    
    Expand section "8.1. Updating Identity Management" Collapse section "8.1. Updating Identity Management"
    
    8.1.1. Considerations for Updating Identity Management
    
    8.1.2. Using yum to Update the Identity Management Packages
  2. 8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
    
    Expand section "8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7" Collapse section "8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7"
    
    8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
    
    8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
    
    8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
    
    8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
    
    8.2.5. Stop the Red Hat Enterprise Linux 6 Server
    
    8.2.6. Next Steps After Migrating the Master CA Server
5. 9. Backing Up and Restoring Identity Management
  Expand section "9. Backing Up and Restoring Identity Management" Collapse section "9. Backing Up and Restoring Identity Management"
  1. 9.1. Full-Server Backup and Data-Only Backup
    
    Expand section "9.1. Full-Server Backup and Data-Only Backup" Collapse section "9.1. Full-Server Backup and Data-Only Backup"
    
    9.1.1. Creating a Backup
    
    Expand section "9.1.1. Creating a Backup" Collapse section "9.1.1. Creating a Backup"
    
    9.1.1.1. Working Around Insufficient Space on Volumes Involved During Backup
    
    9.1.2. Encrypting Backup
    
    9.1.3. List of Directories and Files Copied During Backup
  2. 9.2. Restoring a Backup
    
    Expand section "9.2. Restoring a Backup" Collapse section "9.2. Restoring a Backup"
    
    9.2.1. Restoring from the Full-Server or Data-Only Backup
    
    9.2.2. Restoring with Multiple Master Servers
    
    9.2.3. Restoring from an Encrypted Backup
6. 10. Defining Access Control for IdM Users
  Expand section "10. Defining Access Control for IdM Users" Collapse section "10. Defining Access Control for IdM Users"
  1. 10.1. Access Controls for IdM Entries
    
    Expand section "10.1. Access Controls for IdM Entries" Collapse section "10.1. Access Controls for IdM Entries"
    
    10.1.1. Access Control Methods in Identity Management
  2. 10.2. Defining Self-Service Settings
    
    Expand section "10.2. Defining Self-Service Settings" Collapse section "10.2. Defining Self-Service Settings"
    
    10.2.1. Creating Self-Service Rules from the Web UI
    
    10.2.2. Creating Self-Service Rules from the Command Line
    
    10.2.3. Editing Self-Service Rules
  3. 10.3. Delegating Permissions over Users
    
    Expand section "10.3. Delegating Permissions over Users" Collapse section "10.3. Delegating Permissions over Users"
    
    10.3.1. Delegating Access to User Groups in the Web UI
    
    10.3.2. Delegating Access to User Groups in the Command Line
  4. 10.4. Defining Role-Based Access Controls
    
    Expand section "10.4. Defining Role-Based Access Controls" Collapse section "10.4. Defining Role-Based Access Controls"
    
    10.4.1. Roles
    
    Expand section "10.4.1. Roles" Collapse section "10.4.1. Roles"
    
    10.4.1.1. Creating Roles in the Web UI
    
    10.4.1.2. Creating Roles in the Command Line
    
    10.4.2. Permissions
    
    Expand section "10.4.2. Permissions" Collapse section "10.4.2. Permissions"
    
    10.4.2.1. Creating New Permissions from the Web UI
    
    10.4.2.2. Creating New Permissions from the Command Line
    
    10.4.2.3. Default Managed Permissions
    
    10.4.2.4. Permissions in Earlier Versions of Identity Management
    
    10.4.3. Privileges
    
    Expand section "10.4.3. Privileges" Collapse section "10.4.3. Privileges"
    
    10.4.3.1. Creating New Privileges from the Web UI
    
    10.4.3.2. Creating New Privileges from the Command Line
IV. Administration: Managing Identities
Expand section "IV. Administration: Managing Identities" Collapse section "IV. Administration: Managing Identities"
1. 11. Managing User Accounts
  Expand section "11. Managing User Accounts" Collapse section "11. Managing User Accounts"
  1. 11.1. Setting up User Home Directories
    
    Expand section "11.1. Setting up User Home Directories" Collapse section "11.1. Setting up User Home Directories"
    
    11.1.1. Mounting Home Directories Automatically Using the PAM Home Directory Module
    
    11.1.2. Mounting Home Directories Manually
  2. 11.2. User Life Cycle
    
    Expand section "11.2. User Life Cycle" Collapse section "11.2. User Life Cycle"
    
    11.2.1. Adding Stage or Active Users
    
    Expand section "11.2.1. Adding Stage or Active Users" Collapse section "11.2.1. Adding Stage or Active Users"
    
    11.2.1.1. User Name Requirements
    
    11.2.1.2. Defining a Custom UID or GID Number
    
    11.2.2. Listing Users and Searching for Users
    
    11.2.3. Activating, Preserving, Deleting, and Restoring Users
  3. 11.3. Editing Users
  4. 11.4. Enabling and Disabling User Accounts
  5. 11.5. Allowing Non-admin Users to Manage User Entries
  6. 11.6. Using an External Provisioning System for Users and Groups
    
    Expand section "11.6. Using an External Provisioning System for Users and Groups" Collapse section "11.6. Using an External Provisioning System for Users and Groups"
    
    11.6.1. Configuring User Accounts to Be Used by the External Provisioning System
    
    11.6.2. Configuring IdM to Automatically Activate Stage User Accounts
    
    11.6.3. Configuring the LDAP Provider of the External Provisioning System to Manage the IdM Identities
2. 12. Managing Hosts
  Expand section "12. Managing Hosts" Collapse section "12. Managing Hosts"
  1. 12.1. About Hosts, Services, and Machine Identity and Authentication
  2. 12.2. About Host Entry Configuration Properties
  3. 12.3. Adding Host Entries
    
    Expand section "12.3. Adding Host Entries" Collapse section "12.3. Adding Host Entries"
    
    12.3.1. Adding Host Entries from the Web UI
    
    12.3.2. Adding Host Entries from the Command Line
  4. 12.4. Disabling and Re-enabling Host Entries
    
    Expand section "12.4. Disabling and Re-enabling Host Entries" Collapse section "12.4. Disabling and Re-enabling Host Entries"
    
    12.4.1. Disabling Host Entries
    
    12.4.2. Re-enabling Hosts
  5. 12.5. Managing Public SSH Keys for Hosts
    
    Expand section "12.5. Managing Public SSH Keys for Hosts" Collapse section "12.5. Managing Public SSH Keys for Hosts"
    
    12.5.1. About the SSH Key Format
    
    12.5.2. About ipa-client-install and OpenSSH
    
    12.5.3. Uploading Host SSH Keys Through the Web UI
    
    12.5.4. Adding Host Keys from the Command Line
    
    12.5.5. Removing Host Keys
  6. 12.6. Setting ethers Information for a Host
3. 13. Managing User and Host Groups
  Expand section "13. Managing User and Host Groups" Collapse section "13. Managing User and Host Groups"
  1. 13.1. How User and Host Groups Work in IdM
    
    Expand section "13.1. How User and Host Groups Work in IdM" Collapse section "13.1. How User and Host Groups Work in IdM"
    
    13.1.1. What User and Host Groups Are
    
    13.1.2. Supported Group Members
    
    13.1.3. Direct and Indirect Group Members
    
    13.1.4. User Group Types in IdM
    
    13.1.5. User and Host Groups Created by Default
  2. 13.2. Adding and Removing User or Host Groups
  3. 13.3. Adding and Removing User or Host Group Members
  4. 13.4. Disabling User Private Groups
    
    Expand section "13.4. Disabling User Private Groups" Collapse section "13.4. Disabling User Private Groups"
    
    13.4.1. Creating a User without a User Private Group
    
    13.4.2. Disabling User Private Groups Globally for All Users
    
    13.4.3. Adding a User with User Private Groups Disabled
  5. 13.5. Setting Search Attributes for Users and User Groups
  6. 13.6. Defining Automatic Group Membership for Users and Hosts
    
    Expand section "13.6. Defining Automatic Group Membership for Users and Hosts" Collapse section "13.6. Defining Automatic Group Membership for Users and Hosts"
    
    13.6.1. How Automatic Group Membership Works in IdM
    
    Expand section "13.6.1. How Automatic Group Membership Works in IdM" Collapse section "13.6.1. How Automatic Group Membership Works in IdM"
    
    13.6.1.1. What Automatic Group Membership Is
    
    13.6.1.2. Benefits of Automatic Group Membership
    
    13.6.1.3. Automember Rules
    
    13.6.2. Adding an Automember Rule
    
    13.6.3. Applying Automember Rules to Existing Users and Hosts
    
    13.6.4. Configuring a Default Automember Group
4. 14. Unique UID and GID Number Assignments
  Expand section "14. Unique UID and GID Number Assignments" Collapse section "14. Unique UID and GID Number Assignments"
5. 15. User and Group Schema
  Expand section "15. User and Group Schema" Collapse section "15. User and Group Schema"
  1. 15.1. About Changing the Default User and Group Schema
  2. 15.2. Applying Custom Object Classes to New User Entries
    
    Expand section "15.2. Applying Custom Object Classes to New User Entries" Collapse section "15.2. Applying Custom Object Classes to New User Entries"
    
    15.2.1. From the Web UI
    
    15.2.2. From the Command Line
  3. 15.3. Applying Custom Object Classes to New Group Entries
    
    Expand section "15.3. Applying Custom Object Classes to New Group Entries" Collapse section "15.3. Applying Custom Object Classes to New Group Entries"
    
    15.3.1. From the Web UI
    
    15.3.2. From the Command Line
  4. 15.4. Specifying Default User and Group Attributes
    
    Expand section "15.4. Specifying Default User and Group Attributes" Collapse section "15.4. Specifying Default User and Group Attributes"
    
    15.4.1. Viewing Attributes from the Web UI
    
    15.4.2. Viewing Attributes from the Command Line
6. 16. Managing Services
  Expand section "16. Managing Services" Collapse section "16. Managing Services"
  1. 16.1. Adding and Editing Service Entries and Keytabs
    
    Expand section "16.1. Adding and Editing Service Entries and Keytabs" Collapse section "16.1. Adding and Editing Service Entries and Keytabs"
    
    16.1.1. Adding Services and Keytabs from the Web UI
    
    16.1.2. Adding Services and Keytabs from the Command Line
  2. 16.2. Configuring Clustered Services
  3. 16.3. Using the Same Service Principal for Multiple Services
  4. 16.4. Retrieve Existing Keytabs for Multiple Servers
  5. 16.5. Disabling and Re-enabling Service Entries
    
    Expand section "16.5. Disabling and Re-enabling Service Entries" Collapse section "16.5. Disabling and Re-enabling Service Entries"
    
    16.5.1. Disabling Service Entries
    
    16.5.2. Re-enabling Services
7. 17. Delegating Access to Hosts and Services
  Expand section "17. Delegating Access to Hosts and Services" Collapse section "17. Delegating Access to Hosts and Services"
8. 18. ID Views
  Expand section "18. ID Views" Collapse section "18. ID Views"
  1. 18.1. Attributes an ID View Can Override
  2. 18.2. Getting Help for ID View Commands
  3. 18.3. Defining a Different Attribute Value for a User Account on Different Hosts
    
    Expand section "18.3. Defining a Different Attribute Value for a User Account on Different Hosts" Collapse section "18.3. Defining a Different Attribute Value for a User Account on Different Hosts"
    
    18.3.1. Web UI: Overriding an Attribute Value for a Specific Host
    
    18.3.2. Command Line: Overriding an Attribute Value for a Specific Host
9. 19. Defining Access Control for IdM Users
10. 20. Managing Kerberos Flags and Principal Aliases
  Expand section "20. Managing Kerberos Flags and Principal Aliases" Collapse section "20. Managing Kerberos Flags and Principal Aliases"
  1. 20.1. Kerberos Flags for Services and Hosts
    
    Expand section "20.1. Kerberos Flags for Services and Hosts" Collapse section "20.1. Kerberos Flags for Services and Hosts"
    
    20.1.1. Setting Kerberos Flags from the Web UI
    
    20.1.2. Setting and Removing Kerberos Flags from the Command Line
    
    20.1.3. Displaying Kerberos Flags from the Command Line
  2. 20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services
    
    Expand section "20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services" Collapse section "20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services"
    
    20.2.1. Kerberos Principal Alias
    
    20.2.2. Kerberos Enterprise Principal Alias
11. 21. Integrating with NIS Domains and Netgroups
  Expand section "21. Integrating with NIS Domains and Netgroups" Collapse section "21. Integrating with NIS Domains and Netgroups"
  1. 21.1. About NIS and Identity Management
    
    Expand section "21.1. About NIS and Identity Management" Collapse section "21.1. About NIS and Identity Management"
    
    21.1.1. NIS Netgroups in Identity Management
    
    Expand section "21.1.1. NIS Netgroups in Identity Management" Collapse section "21.1.1. NIS Netgroups in Identity Management"
    
    21.1.1.1. Displaying NIS Netgroup Entries
  2. 21.2. Enabling NIS in Identity Management
  3. 21.3. Creating Netgroups
    
    Expand section "21.3. Creating Netgroups" Collapse section "21.3. Creating Netgroups"
    
    21.3.1. Adding a Netgroup
    
    21.3.2. Adding Members to a Netgroup
  4. 21.4. Exposing Automount Maps to NIS Clients
    
    Expand section "21.4. Exposing Automount Maps to NIS Clients" Collapse section "21.4. Exposing Automount Maps to NIS Clients"
    
    21.4.1. Adding an Automount Map
  5. 21.5. Migrating from NIS to IdM
    
    Expand section "21.5. Migrating from NIS to IdM" Collapse section "21.5. Migrating from NIS to IdM"
    
    21.5.1. Preparing Netgroup Entries in IdM
    
    21.5.2. Enabling the NIS Listener in Identity Management
    
    21.5.3. Exporting and Importing the Existing NIS Data
    
    Expand section "21.5.3. Exporting and Importing the Existing NIS Data" Collapse section "21.5.3. Exporting and Importing the Existing NIS Data"
    
    21.5.3.1. Migrating User Entries
    
    21.5.3.2. Migrating Group Entries
    
    21.5.3.3. Migrating Host Entries
    
    21.5.3.4. Migrating Netgroup Entries
    
    21.5.3.5. Migrating Automount Maps
    
    21.5.4. Enabling Weak Password Hashing for NIS User Authentication
V. Administration: Managing Authentication
Expand section "V. Administration: Managing Authentication" Collapse section "V. Administration: Managing Authentication"
1. 22. User Authentication
  Expand section "22. User Authentication" Collapse section "22. User Authentication"
  1. 22.1. User Passwords
    
    Expand section "22.1. User Passwords" Collapse section "22.1. User Passwords"
    
    22.1.1. Changing and Resetting User Passwords
    
    Expand section "22.1.1. Changing and Resetting User Passwords" Collapse section "22.1.1. Changing and Resetting User Passwords"
    
    22.1.1.1. Web UI: Changing Your Own Personal Password
    
    22.1.1.2. Web UI: Resetting Another User's Password
    
    22.1.1.3. Command Line: Changing or Resetting Another User's Password
    
    22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login
    
    22.1.3. Unlocking User Accounts After Password Failures
    
    Expand section "22.1.3. Unlocking User Accounts After Password Failures" Collapse section "22.1.3. Unlocking User Accounts After Password Failures"
    
    22.1.3.1. Checking the Status of a User Account
  2. 22.2. Enabling Tracking of Last Successful Kerberos Authentication
  3. 22.3. One-Time Passwords
    
    Expand section "22.3. One-Time Passwords" Collapse section "22.3. One-Time Passwords"
    
    22.3.1. How OTP Authentication Works in IdM
    
    Expand section "22.3.1. How OTP Authentication Works in IdM" Collapse section "22.3.1. How OTP Authentication Works in IdM"
    
    22.3.1.1. OTP Tokens Supported in IdM
    
    22.3.1.2. Available OTP Authentication Methods
    
    22.3.1.3. GNOME Keyring Service Support
    
    22.3.1.4. Offline Authentication with OTP
    
    22.3.2. Required Settings for Configuring a RADIUS Proxy on an IdM Server Running in FIPS Mode
    
    22.3.3. Enabling Two Factor Authentication
    
    22.3.4. Adding a User-Managed Software Token
    
    22.3.5. Adding a User-Managed YubiKey Hardware Token
    
    22.3.6. Adding a Token for a User as the Administrator
    
    22.3.7. Migrating from a Proprietary OTP Solution
    
    Expand section "22.3.7. Migrating from a Proprietary OTP Solution" Collapse section "22.3.7. Migrating from a Proprietary OTP Solution"
    
    22.3.7.1. Changing the Timeout Value of a KDC When Running a RADIUS Server in a Slow Network
    
    22.3.8. Promoting the Current Credentials to Two-Factor Authentication
    
    22.3.9. Resynchronizing an OTP Token
    
    22.3.10. Replacing a Lost OTP Token
  4. 22.4. Restricting Access to Services and Hosts Based on How Users Authenticate
    
    Expand section "22.4. Restricting Access to Services and Hosts Based on How Users Authenticate" Collapse section "22.4. Restricting Access to Services and Hosts Based on How Users Authenticate"
    
    22.4.1. Configuring a Host or a Service to Require a Specific Authentication Method
    
    22.4.2. Changing the Kerberos Authentication Indicator
  5. 22.5. Managing Public SSH Keys for Users
    
    Expand section "22.5. Managing Public SSH Keys for Users" Collapse section "22.5. Managing Public SSH Keys for Users"
    
    22.5.1. Generating an SSH Key
    
    22.5.2. Uploading User SSH Keys
    
    Expand section "22.5.2. Uploading User SSH Keys" Collapse section "22.5.2. Uploading User SSH Keys"
    
    22.5.2.1. Web UI: Uploading User SSH Keys
    
    22.5.2.2. Command Line: Uploading User SSH Keys
    
    22.5.3. Deleting User Keys
    
    Expand section "22.5.3. Deleting User Keys" Collapse section "22.5.3. Deleting User Keys"
    
    22.5.3.1. Web UI: Deleting User SSH Keys
    
    22.5.3.2. Command Line: Deleting User SSH Keys
  6. 22.6. Configuring SSSD to Provide a Cache for the OpenSSH Services
    
    Expand section "22.6. Configuring SSSD to Provide a Cache for the OpenSSH Services" Collapse section "22.6. Configuring SSSD to Provide a Cache for the OpenSSH Services"
    
    22.6.1. How SSSD Works with OpenSSH
    
    22.6.2. Configuring OpenSSH to Use SSSD for Host Keys
    
    22.6.3. Configuring OpenSSH to Use SSSD for User Keys
  7. 22.7. Smart-card Authentication in Identity Management
  8. 22.8. User Certificates
2. 23. Smart-card Authentication in Identity Management
  Expand section "23. Smart-card Authentication in Identity Management" Collapse section "23. Smart-card Authentication in Identity Management"
  1. 23.1. Exporting a Certificate From a Smart Card
  2. 23.2. Configuring Certificate Mapping Rules in Identity Management
    
    Expand section "23.2. Configuring Certificate Mapping Rules in Identity Management" Collapse section "23.2. Configuring Certificate Mapping Rules in Identity Management"
    
    23.2.1. Certificate Mapping Rules for Configuring Authentication on Smart Cards
    
    Expand section "23.2.1. Certificate Mapping Rules for Configuring Authentication on Smart Cards" Collapse section "23.2.1. Certificate Mapping Rules for Configuring Authentication on Smart Cards"
    
    23.2.1.1. Certificate Mapping Rules for Trusts with Active Directory Domains
    
    23.2.1.2. Components of an Identity Mapping Rule in IdM
    
    23.2.1.3. Obtaining the Issuer from a Certificate for Use in a Matching Rule
    
    23.2.2. Configuring Certificate Mapping for Users Stored in IdM
    
    Expand section "23.2.2. Configuring Certificate Mapping for Users Stored in IdM" Collapse section "23.2.2. Configuring Certificate Mapping for Users Stored in IdM"
    
    23.2.2.1. Adding a Certificate Mapping Rule in IdM
    
    Expand section "23.2.2.1. Adding a Certificate Mapping Rule in IdM" Collapse section "23.2.2.1. Adding a Certificate Mapping Rule in IdM"
    
    23.2.2.1.1. Adding a Certificate Mapping Rule in the IdM Web UI
    
    23.2.2.1.2. Adding a Certificate Mapping Rule Using the Command Line
    
    23.2.2.2. Adding Certificate Mapping Data to a User Entry in IdM
    
    Expand section "23.2.2.2. Adding Certificate Mapping Data to a User Entry in IdM" Collapse section "23.2.2.2. Adding Certificate Mapping Data to a User Entry in IdM"
    
    23.2.2.2.1. Adding Certificate Mapping Data to a User Entry in the IdM Web UI
    
    23.2.2.2.2. Adding Certificate Mapping Data to a User Entry Using the Command Line
    
    23.2.3. Configuring Certificate Mapping for Users Whose AD User Entry Contains the Whole Certificate
    
    Expand section "23.2.3. Configuring Certificate Mapping for Users Whose AD User Entry Contains the Whole Certificate" Collapse section "23.2.3. Configuring Certificate Mapping for Users Whose AD User Entry Contains the Whole Certificate"
    
    23.2.3.1. Adding a Certificate Mapping Rule for Users Whose AD User Entry Contains the Whole Certificate Using the IdM Web UI
    
    23.2.3.2. Adding a Certificate Mapping Rule for User Whose AD User Entry Contains the Whole Certificate Using the Command Line
    
    23.2.4. Configuring Certificate Mapping if AD is Configured to Map User Certificates to User Accounts
    
    Expand section "23.2.4. Configuring Certificate Mapping if AD is Configured to Map User Certificates to User Accounts" Collapse section "23.2.4. Configuring Certificate Mapping if AD is Configured to Map User Certificates to User Accounts"
    
    23.2.4.1. Adding a Certificate Mapping Rule Using the Web UI if the Trusted AD Domain is Configured to Map User Certificates
    
    23.2.4.2. Adding a Certificate Mapping Rule Using the Command Line if the Trusted AD Domain is Configured to Map User Certificates
    
    23.2.4.3. Checking Certificate Mapping Data on the AD Side
    
    23.2.5. Configuring Certificate Mapping if the AD User Entry Contains no Certificate or Mapping Data
    
    Expand section "23.2.5. Configuring Certificate Mapping if the AD User Entry Contains no Certificate or Mapping Data" Collapse section "23.2.5. Configuring Certificate Mapping if the AD User Entry Contains no Certificate or Mapping Data"
    
    23.2.5.1. Adding a Certificate Mapping Rule Using the Web UI if the AD User Entry Contains no Certificate or Mapping Data
    
    23.2.5.2. Adding a Certificate Mapping Rule Using the Command Line if the AD User Entry Contains no Certificate or Mapping Data
    
    23.2.5.3. Adding a Certificate to an AD User’s ID Override Using the Web UI
    
    23.2.5.4. Adding a Certificate to an AD User’s ID Override Using the Command Line
    
    23.2.6. Combining Several Identity Mapping Rules Into One
  3. 23.3. Authenticating to an Identity Management Client with a Smart Card
    
    Expand section "23.3. Authenticating to an Identity Management Client with a Smart Card" Collapse section "23.3. Authenticating to an Identity Management Client with a Smart Card"
    
    23.3.1. Smart Card-based Authentication Options Supported on Identity Management Clients
    
    23.3.2. Preparing the Identity Management Client for Smart-card Authentication
    
    23.3.3. Authenticating on an Identity Management Client with a Smart Card Using the Console Login
    
    23.3.4. Authenticating to the Remote System from the Local System
    
    23.3.5. Additional Resources
  4. 23.4. Configuring a User Name Hint Policy for Smart-card Authentication
    
    Expand section "23.4. Configuring a User Name Hint Policy for Smart-card Authentication" Collapse section "23.4. Configuring a User Name Hint Policy for Smart-card Authentication"
    
    23.4.1. User Name Hints in Identity Management
    
    23.4.2. Enabling User Name Hints in Identity Management
  5. 23.5. PKINIT Smart-card Authentication in Identity Management
    
    Expand section "23.5. PKINIT Smart-card Authentication in Identity Management" Collapse section "23.5. PKINIT Smart-card Authentication in Identity Management"
    
    23.5.1. Preparing the Identity Management Client for PKINIT Authentication
    
    23.5.2. As an Identity Management User: Authenticate Using PKINIT on an Identity Management Client
    
    23.5.3. As an Active Directory User: Authenticate Using PKINIT on an Identity Management Client
  6. 23.6. Authenticating to the Identity Management Web UI with a Smart Card
    
    Expand section "23.6. Authenticating to the Identity Management Web UI with a Smart Card" Collapse section "23.6. Authenticating to the Identity Management Web UI with a Smart Card"
    
    23.6.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI
    
    23.6.2. Preparing the Browser for Smart-card Authentication
    
    23.6.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User
    
    23.6.4. Additional Resources
  7. 23.7. Integrating Identity Management Smart-card Authentication with Web Applications
    
    Expand section "23.7. Integrating Identity Management Smart-card Authentication with Web Applications" Collapse section "23.7. Integrating Identity Management Smart-card Authentication with Web Applications"
    
    23.7.1. Prerequisites for Web Application Authentication with Smart Cards
    
    23.7.2. Configuring Identity Management Smart-card Authentication for a Web Application
  8. 23.8. Enforcing a Specific Authentication Indicator When Obtaining a Ticket from the KDC
3. 24. Managing Certificates for Users, Hosts, and Services
  Expand section "24. Managing Certificates for Users, Hosts, and Services" Collapse section "24. Managing Certificates for Users, Hosts, and Services"
  1. 24.1. Managing Certificates with the Integrated IdM CAs
    
    Expand section "24.1. Managing Certificates with the Integrated IdM CAs" Collapse section "24.1. Managing Certificates with the Integrated IdM CAs"
    
    24.1.1. Requesting New Certificates for a User, Host, or Service
    
    Expand section "24.1.1. Requesting New Certificates for a User, Host, or Service" Collapse section "24.1.1. Requesting New Certificates for a User, Host, or Service"
    
    24.1.1.1. Requesting New Certificates Using certutil
    
    24.1.1.2. Preparing a Certificate Request With Multiple SAN Fields Using OpenSSL
    
    24.1.1.3. Requesting New Certificates Using Certmonger
    
    24.1.1.4. Submitting a Certificate Request to the IdM CA
    
    24.1.2. Revoking Certificates with the Integrated IdM CAs
    
    24.1.3. Restoring Certificates with the Integrated IdM CAs
  2. 24.2. Managing Certificates Issued by External CAs
    
    Expand section "24.2. Managing Certificates Issued by External CAs" Collapse section "24.2. Managing Certificates Issued by External CAs"
    
    24.2.1. Command Line: Adding and Removing Certificates Issued by External CAs
    
    24.2.2. Web UI: Adding and Removing Certificates Issued by External CAs
  3. 24.3. Listing and Displaying Certificates
  4. 24.4. Certificate Profiles
    
    Expand section "24.4. Certificate Profiles" Collapse section "24.4. Certificate Profiles"
    
    24.4.1. Creating a Certificate Profile
    
    24.4.2. Certificate Profile Management from the Command Line
    
    24.4.3. Certificate Profile Management from the Web UI
    
    24.4.4. Upgrading IdM Servers with Certificate Profiles
  5. 24.5. Certificate Authority ACL Rules
    
    Expand section "24.5. Certificate Authority ACL Rules" Collapse section "24.5. Certificate Authority ACL Rules"
    
    24.5.1. CA ACL Management from the Command Line
    
    24.5.2. CA ACL Management from the Web UI
  6. 24.6. Using Certificate Profiles and ACLs to Issue User Certificates with the IdM CAs
4. 25. Storing Authentication Secrets with Vaults
  Expand section "25. Storing Authentication Secrets with Vaults" Collapse section "25. Storing Authentication Secrets with Vaults"
  1. 25.1. How Vaults Work
    
    Expand section "25.1. How Vaults Work" Collapse section "25.1. How Vaults Work"
    
    25.1.1. Vault Owners, Members, and Administrators
    
    25.1.2. Standard, Symmetric, and Asymmetric Vaults
    
    25.1.3. User, Service, and Shared Vaults
    
    25.1.4. The Different Types of Vault Containers
  2. 25.2. Prerequisites for Using Vaults
  3. 25.3. Getting Help for Vault Commands
  4. 25.4. Storing a User's Personal Secret
    
    Expand section "25.4. Storing a User's Personal Secret" Collapse section "25.4. Storing a User's Personal Secret"
    
    25.4.1. Archiving a User's Personal Secret
    
    25.4.2. Retrieving a User's Personal Secret
  5. 25.5. Storing a Service Secret in a Vault
    
    Expand section "25.5. Storing a Service Secret in a Vault" Collapse section "25.5. Storing a Service Secret in a Vault"
    
    25.5.1. Creating a User Vault to Store a Service Password
    
    25.5.2. Provisioning a Service Password from a User Vault to Service Instances
    
    25.5.3. Retrieving a Service Password for a Service Instance
    
    25.5.4. Changing Service Vault Password
  6. 25.6. Storing a Common Secret for Multiple Users
    
    Expand section "25.6. Storing a Common Secret for Multiple Users" Collapse section "25.6. Storing a Common Secret for Multiple Users"
    
    25.6.1. Creating the Shared Vault with the Common Secret
    
    25.6.2. Retrieving a Secret from a Shared Vault as a Member User
  7. 25.7. Changing the Password or Public Key of a Vault
5. 26. Managing Certificates and Certificate Authorities
  Expand section "26. Managing Certificates and Certificate Authorities" Collapse section "26. Managing Certificates and Certificate Authorities"
  1. 26.1. Lightweight Sub-CAs
    
    Expand section "26.1. Lightweight Sub-CAs" Collapse section "26.1. Lightweight Sub-CAs"
    
    26.1.1. Creating a Lightweight Sub-CA
    
    26.1.2. Removing a Lightweight Sub-CA
  2. 26.2. Renewing Certificates
    
    Expand section "26.2. Renewing Certificates" Collapse section "26.2. Renewing Certificates"
    
    26.2.1. Renewing Certificates Automatically
    
    26.2.2. Renewing CA Certificates Manually
    
    Expand section "26.2.2. Renewing CA Certificates Manually" Collapse section "26.2.2. Renewing CA Certificates Manually"
    
    26.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
    
    26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
    
    26.2.3. Renewing Expired System Certificates When IdM is Offline
  3. 26.3. Installing a CA Certificate Manually
  4. 26.4. Changing the Certificate Chain
  5. 26.5. Allowing IdM to Start with Expired Certificates
  6. 26.6. Installing Third-Party Certificates for HTTP or LDAP
  7. 26.7. Configuring OCSP Responders
    
    Expand section "26.7. Configuring OCSP Responders" Collapse section "26.7. Configuring OCSP Responders"
    
    26.7.1. Changing the CRL Update Interval
  8. 26.8. Installing a CA Into an Existing IdM Domain
  9. 26.9. Replacing the Web Server's and LDAP Server's Certificate
6. 27. Kerberos PKINIT Authentication in IdM
  Expand section "27. Kerberos PKINIT Authentication in IdM" Collapse section "27. Kerberos PKINIT Authentication in IdM"
VI. Administration: Managing Policies
Expand section "VI. Administration: Managing Policies" Collapse section "VI. Administration: Managing Policies"
1. 28. Defining Password Policies
  Expand section "28. Defining Password Policies" Collapse section "28. Defining Password Policies"
  1. 28.1. What Are Password Policies and Why Are They Useful
  2. 28.2. How Password Policies Work in IdM
    
    Expand section "28.2. How Password Policies Work in IdM" Collapse section "28.2. How Password Policies Work in IdM"
    
    28.2.1. Supported Password Policy Attributes
    
    28.2.2. Global and Group-specific Password Policies
    
    28.2.3. Password Policy Priorities
  3. 28.3. Adding a New Password Policy
  4. 28.4. Modifying Password Policy Attributes
  5. 28.5. Changing Password Expiration Date with Immediate Effect
2. 29. Managing the Kerberos Domain
  Expand section "29. Managing the Kerberos Domain" Collapse section "29. Managing the Kerberos Domain"
  1. 29.1. Managing Kerberos Ticket Policies
    
    Expand section "29.1. Managing Kerberos Ticket Policies" Collapse section "29.1. Managing Kerberos Ticket Policies"
    
    29.1.1. Determining the lifetime of a Kerberos Ticket
    
    29.1.2. Global and User-specific Kerberos Ticket Policies
    
    29.1.3. Configuring the Global Kerberos Ticket Policy
    
    29.1.4. Configuring User-specific Kerberos Ticket Policies
  2. 29.2. Rekeying Kerberos Principals
  3. 29.3. Protecting Keytabs
  4. 29.4. Removing Keytabs
  5. 29.5. Additional Resources
3. 30. Using sudo
  Expand section "30. Using sudo" Collapse section "30. Using sudo"
  1. 30.1. The sudo Utility in Identity Management
    
    Expand section "30.1. The sudo Utility in Identity Management" Collapse section "30.1. The sudo Utility in Identity Management"
    
    30.1.1. The Identity Management LDAP Schema for sudo
    
    30.1.2. NIS Domain Name Requirements
  2. 30.2. sudo Rules in Identity Management
    
    Expand section "30.2. sudo Rules in Identity Management" Collapse section "30.2. sudo Rules in Identity Management"
    
    30.2.1. External Users and Hosts in sudo Rules
    
    30.2.2. User Group Support for sudo Rules
    
    30.2.3. Support for sudoers Options
  3. 30.3. Configuring the Location for Looking up sudo Policies
    
    Expand section "30.3. Configuring the Location for Looking up sudo Policies" Collapse section "30.3. Configuring the Location for Looking up sudo Policies"
    
    30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM
    
    Expand section "30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM" Collapse section "30.3.1. Configuring Hosts to Use IdM sudo Policies in Earlier Versions of IdM"
    
    30.3.1.1. Applying the sudo Policies to Hosts Using SSSD
    
    30.3.1.2. Applying the sudo Policies to Hosts Using LDAP
  4. 30.4. Adding sudo Commands, Command Groups, and Rules
    
    Expand section "30.4. Adding sudo Commands, Command Groups, and Rules" Collapse section "30.4. Adding sudo Commands, Command Groups, and Rules"
    
    30.4.1. Adding sudo Commands
    
    30.4.2. Adding sudo Command Groups
    
    30.4.3. Adding sudo Rules
  5. 30.5. Modifying sudo Commands and Command Groups
  6. 30.6. Modifying sudo Rules
  7. 30.7. Listing and Displaying sudo Commands, Command Groups, and Rules
  8. 30.8. Disabling and Enabling sudo Rules
  9. 30.9. Removing sudo Commands, Command Groups, and Rules
  10. 30.10. Additional Resources
4. 31. Configuring Host-Based Access Control
  Expand section "31. Configuring Host-Based Access Control" Collapse section "31. Configuring Host-Based Access Control"
  1. 31.1. How Host-Based Access Control Works in IdM
  2. 31.2. Configuring Host-based Access Control in an IdM Domain
    
    Expand section "31.2. Configuring Host-based Access Control in an IdM Domain" Collapse section "31.2. Configuring Host-based Access Control in an IdM Domain"
    
    31.2.1. Creating HBAC Rules
    
    31.2.2. Testing HBAC Rules
    
    31.2.3. Disabling HBAC Rules
  3. 31.3. Adding HBAC Service Entries for Custom HBAC Services
  4. 31.4. Adding HBAC Service Groups
5. 32. Defining SELinux User Maps
  Expand section "32. Defining SELinux User Maps" Collapse section "32. Defining SELinux User Maps"
  1. 32.1. About Identity Management, SELinux, and Mapping Users
  2. 32.2. Configuring SELinux User Map Order and Defaults
    
    Expand section "32.2. Configuring SELinux User Map Order and Defaults" Collapse section "32.2. Configuring SELinux User Map Order and Defaults"
    
    32.2.1. In the Web UI
    
    32.2.2. In the CLI
  3. 32.3. Mapping SELinux Users and IdM Users
    
    Expand section "32.3. Mapping SELinux Users and IdM Users" Collapse section "32.3. Mapping SELinux Users and IdM Users"
    
    32.3.1. In the Web UI
    
    32.3.2. In the CLI
VII. Administration: Managing Network Services
Expand section "VII. Administration: Managing Network Services" Collapse section "VII. Administration: Managing Network Services"
1. 33. Managing DNS
  Expand section "33. Managing DNS" Collapse section "33. Managing DNS"
  1. 33.1. BIND in Identity Management
  2. 33.2. Supported DNS Zone Types
  3. 33.3. DNS Configuration Priorities
  4. 33.4. Managing Master DNS Zones
    
    Expand section "33.4. Managing Master DNS Zones" Collapse section "33.4. Managing Master DNS Zones"
    
    33.4.1. Adding and Removing Master DNS Zones
    
    33.4.2. Adding Additional Configuration for Master DNS Zones
    
    33.4.3. Enabling Zone Transfers
    
    33.4.4. Adding Records to DNS Zones
    
    33.4.5. Examples of Adding or Modifying DNS Resource Records from the Command Line
    
    33.4.6. Deleting Records from DNS Zones
    
    33.4.7. Disabling and Enabling Zones
  5. 33.5. Managing Dynamic DNS Updates
    
    Expand section "33.5. Managing Dynamic DNS Updates" Collapse section "33.5. Managing Dynamic DNS Updates"
    
    33.5.1. Enabling Dynamic DNS Updates
    
    Expand section "33.5.1. Enabling Dynamic DNS Updates" Collapse section "33.5.1. Enabling Dynamic DNS Updates"
    
    33.5.1.1. Configuring the DNS Zone to Allow Dynamic Updates
    
    33.5.1.2. Configuring the Clients to Send Dynamic Updates
    
    33.5.2. Synchronizing A/AAAA and PTR Records
    
    Expand section "33.5.2. Synchronizing A/AAAA and PTR Records" Collapse section "33.5.2. Synchronizing A/AAAA and PTR Records"
    
    33.5.2.1. Configuring PTR Record Synchronization in the Web UI
    
    33.5.2.2. Configuring PTR Record Synchronization Using the Command Line
    
    Expand section "33.5.2.2. Configuring PTR Record Synchronization Using the Command Line" Collapse section "33.5.2.2. Configuring PTR Record Synchronization Using the Command Line"
    
    33.5.2.2.1. Configuring PTR Record Synchronization for a Specific Zone
    
    33.5.2.2.2. Configuring PTR Record Synchronization Globally for all Zones
    
    33.5.3. Updating DNS Dynamic Update Policies
  6. 33.6. Managing DNS Forwarding
    
    Expand section "33.6. Managing DNS Forwarding" Collapse section "33.6. Managing DNS Forwarding"
    
    33.6.1. Configuring Global Forwarders
    
    33.6.2. Configuring Forward Zones
  7. 33.7. Managing Reverse DNS Zones
  8. 33.8. Defining DNS Query Policy
  9. 33.9. DNS Locations
    
    Expand section "33.9. DNS Locations" Collapse section "33.9. DNS Locations"
    
    33.9.1. DNS-based Service Discovery
    
    33.9.2. Deployment Considerations for DNS Locations
    
    Expand section "33.9.2. Deployment Considerations for DNS Locations" Collapse section "33.9.2. Deployment Considerations for DNS Locations"
    
    33.9.2.1. DNS Time to Live (TTL)
    
    33.9.3. Creating DNS Locations
    
    33.9.4. Assigning an IdM Server to a DNS Location
    
    33.9.5. Configuring a Client to Use IdM Servers in the Same Location
  10. 33.10. Updating DNS Records Systematically When Using External DNS
    
    Expand section "33.10. Updating DNS Records Systematically When Using External DNS" Collapse section "33.10. Updating DNS Records Systematically When Using External DNS"
    
    33.10.1. Updating External DNS in Identity Management
    
    33.10.2. GUI: Updating External DNS Records
    
    33.10.3. Command Line: Updating External DNS Records Using nsupdate
  11. 33.11. Installing DNS Services Into an Existing Server
    
    Expand section "33.11. Installing DNS Services Into an Existing Server" Collapse section "33.11. Installing DNS Services Into an Existing Server"
    
    33.11.1. Setting up Additional Name Servers
    
    Expand section "33.11.1. Setting up Additional Name Servers" Collapse section "33.11.1. Setting up Additional Name Servers"
    
    33.11.1.1. Setting up Additional Name Servers
2. 34. Using Automount
  Expand section "34. Using Automount" Collapse section "34. Using Automount"
  1. 34.1. About Automount and IdM
  2. 34.2. Configuring Automount
    
    Expand section "34.2. Configuring Automount" Collapse section "34.2. Configuring Automount"
    
    34.2.1. Configuring NFS Automatically
    
    34.2.2. Configuring autofs Manually to Use SSSD and Identity Management
    
    34.2.3. Configuring Automount on Solaris
  3. 34.3. Setting up a Kerberos-aware NFS Server
  4. 34.4. Setting up a Kerberos-aware NFS Client
  5. 34.5. Configuring Locations
    
    Expand section "34.5. Configuring Locations" Collapse section "34.5. Configuring Locations"
    
    34.5.1. Configuring Locations through the Web UI
    
    34.5.2. Configuring Locations through the Command Line
  6. 34.6. Configuring Maps
    
    Expand section "34.6. Configuring Maps" Collapse section "34.6. Configuring Maps"
    
    34.6.1. Configuring Direct Maps
    
    Expand section "34.6.1. Configuring Direct Maps" Collapse section "34.6.1. Configuring Direct Maps"
    
    34.6.1.1. Configuring Direct Maps from the Web UI
    
    34.6.1.2. Configuring Direct Maps from the Command Line
    
    34.6.2. Configuring Indirect Maps
    
    Expand section "34.6.2. Configuring Indirect Maps" Collapse section "34.6.2. Configuring Indirect Maps"
    
    34.6.2.1. Configuring Indirect Maps from the Web UI
    
    34.6.2.2. Configuring Indirect Maps from the Command Line
    
    34.6.3. Importing Automount Maps
VIII. Security Hardening
Expand section "VIII. Security Hardening" Collapse section "VIII. Security Hardening"
1. 35. Configuring TLS for Identity Management
  Expand section "35. Configuring TLS for Identity Management" Collapse section "35. Configuring TLS for Identity Management"
2. 36. Disabling Anonymous Binds
IX. Performance Tuning
Expand section "IX. Performance Tuning" Collapse section "IX. Performance Tuning"
1. 37. Performance Tuning for Bulk Provisioning of Entries
2. 38. Failover, load balancing and high availability in Identity Management
X. Migration
Expand section "X. Migration" Collapse section "X. Migration"
1. 39. Migrating from an LDAP Directory to IdM
  Expand section "39. Migrating from an LDAP Directory to IdM" Collapse section "39. Migrating from an LDAP Directory to IdM"
  1. 39.1. An Overview of an LDAP to IdM Migration
    
    Expand section "39.1. An Overview of an LDAP to IdM Migration" Collapse section "39.1. An Overview of an LDAP to IdM Migration"
    
    39.1.1. Planning the Client Configuration
    
    Expand section "39.1.1. Planning the Client Configuration" Collapse section "39.1.1. Planning the Client Configuration"
    
    39.1.1.1. Initial Client Configuration (Pre-Migration)
    
    39.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
    
    39.1.1.3. Alternative Supported Configuration
    
    39.1.2. Planning Password Migration
    
    Expand section "39.1.2. Planning Password Migration" Collapse section "39.1.2. Planning Password Migration"
    
    39.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
    
    39.1.2.2. Method 2: Using the Migration Web Page
    
    39.1.2.3. Method 3: Using SSSD (Recommended)
    
    39.1.2.4. Migrating Cleartext LDAP Passwords
    
    39.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
    
    39.1.3. Migration Considerations and Requirements
    
    Expand section "39.1.3. Migration Considerations and Requirements" Collapse section "39.1.3. Migration Considerations and Requirements"
    
    39.1.3.1. LDAP Servers Supported for Migration
    
    39.1.3.2. Migration Environment Requirements
    
    39.1.3.3. Migration — IdM System Requirements
    
    39.1.3.4. Considerations about Sudo Rules
    
    39.1.3.5. Migration Tools
    
    39.1.3.6. Improving Migration Performance
    
    39.1.3.7. Migration Sequence
  2. 39.2. Examples for Using ipa migrate-ds
    
    Expand section "39.2. Examples for Using ipa migrate-ds" Collapse section "39.2. Examples for Using ipa migrate-ds"
    
    39.2.1. Migrating Specific Subtrees
    
    39.2.2. Specifically Including or Excluding Entries
    
    39.2.3. Excluding Entry Attributes
    
    39.2.4. Setting the Schema to Use
  3. 39.3. Migrating an LDAP Server to Identity Management
  4. 39.4. Migrating over SSL
A. Troubleshooting: General Guidelines
Expand section "A. Troubleshooting: General Guidelines" Collapse section "A. Troubleshooting: General Guidelines"
B. Troubleshooting: Solutions to Specific Problems
Expand section "B. Troubleshooting: Solutions to Specific Problems" Collapse section "B. Troubleshooting: Solutions to Specific Problems"
1. B.1. Identity Management Servers
  Expand section "B.1. Identity Management Servers" Collapse section "B.1. Identity Management Servers"
2. B.2. Identity Management Replicas
  Expand section "B.2. Identity Management Replicas" Collapse section "B.2. Identity Management Replicas"
3. B.3. Identity Management Clients
  Expand section "B.3. Identity Management Clients" Collapse section "B.3. Identity Management Clients"
4. B.4. Logging In and Authentication Problems
  Expand section "B.4. Logging In and Authentication Problems" Collapse section "B.4. Logging In and Authentication Problems"
5. B.5. Vaults
  Expand section "B.5. Vaults" Collapse section "B.5. Vaults"
  1. B.5.1. Users Cannot Access Their Vault Due To Insufficient 'add' Privilege
C. A Reference of Identity Management Files and Logs
Expand section "C. A Reference of Identity Management Files and Logs" Collapse section "C. A Reference of Identity Management Files and Logs"
D. Managing Replicas at Domain Level 0
Expand section "D. Managing Replicas at Domain Level 0" Collapse section "D. Managing Replicas at Domain Level 0"
1. D.1. Replica Information File
2. D.2. Creating Replicas
  Expand section "D.2. Creating Replicas" Collapse section "D.2. Creating Replicas"
3. D.3. Managing Replicas and Replication Agreements
  Expand section "D.3. Managing Replicas and Replication Agreements" Collapse section "D.3. Managing Replicas and Replication Agreements"
4. D.4. Promoting a Replica to a Master CA Server
  Expand section "D.4. Promoting a Replica to a Master CA Server" Collapse section "D.4. Promoting a Replica to a Master CA Server"
  1. D.4.1. Changing Which Server Handles Certificate Renewal
E. Identity Management Server Ports Considerations
Expand section "E. Identity Management Server Ports Considerations" Collapse section "E. Identity Management Server Ports Considerations"
1. E.1. Identity Management components and associated services
F. Notable Changes in IdM
G. Revision History
Legal Notice

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

22.3. One-Time Passwords

Important

The IdM solution for OTP authentication is only supported for clients running Red Hat Enterprise Linux 7.1 or later.

One-time password (OTP) is a password valid for only one authentication session and becomes invalid after use. Unlike a traditional static password, OTP generated by an authentication token keeps changing. OTPs are used as part of two-factor authentication:

The user authenticates with a traditional password.
The user provides an OTP code generated by a recognized OTP token.

Two-factor authentication is considered safer than authentication using a traditional password alone. Even if a potential intruder intercepts the OTP during login, the intercepted OTP will already be invalid by that point because it can only be used for successful authentication once.

Warning

The following security and other limitations currently relate to the OTP support in IdM:

The most important security limitation is the potential vulnerability to replay attacks across the system. Replication is asynchronous, and an OTP code can therefore be reused during the replication period. A user might be able to log on to two servers at the same time. However, this vulnerability is usually difficult to exploit due to comprehensive encryption.
It is not possible to obtain a ticket-granting ticket (TGT) using a client that does not support OTP authentication. This might affect certain use cases, such as authentication using the mod_auth_kerb module or the Generic Security Services API (GSSAPI).
It is not possible to use password + OTP in the IdM solution if the FIPS mode is enabled.

22.3.1. How OTP Authentication Works in IdM

22.3.1.1. OTP Tokens Supported in IdM

Software and Hardware Tokens

IdM supports both software and hardware tokens.

User-managed and Administrator-managed Tokens

Users can manage their own tokens, or the administrator can manage their tokens for them:

User-managed tokens: Users have full control over user-managed tokens in Identity Management: they are allowed to create, edit, or delete their tokens.
Administrator-managed tokens: The administrator adds administrator-managed tokens to the users' accounts. Users themselves have read-only access for such tokens: they do not have the permission to manage or modify the tokens and they are not required to configure them in any way.

Note that users cannot delete or deactivate a token if it is their only active token at the moment. As an administrator, you cannot delete or deactivate your last active token, but you can delete or deactivate the last active token of another user.

Supported OTP Algorithms

Identity Management supports the following two standard OTP mechanisms:

The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support time-based moving factor.

22.3.1.2. Available OTP Authentication Methods

When enabling OTP authentication, you can choose from the following authentication methods:

Two-factor authentication (password + OTP): With this method, the user is always required to enter both a standard password and an OTP code.
Password: With this method, the user still has the option to authenticate using a standard password only.
RADIUS proxy server authentication: For information on configuring a RADIUS server for OTP validation, see Section 22.3.7, “Migrating from a Proprietary OTP Solution”.

Global and User-specific Authentication Methods

You can configure these authentication methods either globally or for individual users:

By default, user-specific authentication method settings take precedence over global settings. If no authentication method is set for a user, the globally-defined methods apply.
You can disable per-user authentication method settings for any user. This ensures IdM ignores the per-user settings and always applies the global settings for the user.

Combining Multiple Authentication Methods

If you set multiple methods at once, either one of them will be sufficient for successful authentication. For example:

If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line:
```
First Factor:
Second Factor (optional):
```
In the web UI, the user must still provide both factors.

Note

Individual hosts or services might be configured to require a certain authentication method, for example OTP. If you attempt to authenticate to such hosts or services using the first factor only, you will be denied access. See Section 22.4, “Restricting Access to Services and Hosts Based on How Users Authenticate”.

However, a minor exception exists when RADIUS and another authentication method are configured:

Kerberos will always use RADIUS, but LDAP will not. LDAP only recognizes the password and two-factor authentication methods.
If you use an external two-factor authentication provider, use Kerberos from your applications. If you want to let users authenticate with a password only, use LDAP. It is recommended that the applications leverage Apache modules and SSSD, which allows to configure either Kerberos or LDAP.

22.3.1.3. GNOME Keyring Service Support

IdM integrates OTP authentication with the GNOME Keyring service. Note that GNOME Keyring integration requires the user to enter the first and second factors separately:

First factor: static_password
Second factor: one-time_password

22.3.1.4. Offline Authentication with OTP

IdM supports offline OTP authentication. However, to be able to log in offline, the user must first authenticate when the system is online by entering the static password and OTP separately:

First factor: static_password
Second factor: one-time_password

If both passwords are entered separately like this when logging in online, the user will subsequently be able to authenticate even if the central authentication server is unavailable. Note that IdM only prompts for the first-factor traditional static password when the user authenticates offline.

IdM also supports entering both the static password and OTP together in one string in the First factor prompt. However, note that this is not compatible with offline OTP authentication. If the user enters both factors in a single prompt, IdM will always have to contact the central authentication server when authenticating, which requires the system to be online.

Important

If you use OTP authentication on devices that also operate offline, such as laptops, Red Hat recommends to enter the static password and OTP separately to make sure offline authentication will be available. Otherwise, IdM will not allow you to log in after the system goes offline.

If you want to benefit from OTP offline authentication, apart from entering the static and OTP passwords separately, also make sure to meet the following conditions:

The cache_credentials option in the /etc/sssd/sssd.conf file is set to True, which enables caching the first factor password.
The first-factor static password meets the password length requirement defined in the cache_credentials_minimal_first_factor_length option set in /etc/sssd/sssd.conf. The default minimal length is 8 characters. For more information about the option, see the sssd.conf(5) man page.

Note that even if the krb5_store_password_if_offline option is set to true in /etc/sssd/sssd.conf, SSSD does not attempt to refresh the Kerberos ticket-granting ticket (TGT) when the system goes online again because the OTP might already be invalid at that point. To obtain a TGT in this situation, the user must authenticate again using both factors.

22.3.2. Required Settings for Configuring a RADIUS Proxy on an IdM Server Running in FIPS Mode

In Federal Information Processing Standard (FIPS) mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, as the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode results in the IdM RADIUS proxy server to fail.

If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter, by performing the following steps:

Create the /etc/systemd/system/radiusd.service.d/ipa-otp.conf file with the following content:
```
[Service] 
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
```
Reload the systemd configuration:
```
# systemctl daemon-reload
```
Start the radiusd service:
```
# systemctl start radiusd
```

22.3.3. Enabling Two Factor Authentication

For details on the available authentication methods related to OTP, see Section 22.3.1.2, “Available OTP Authentication Methods”.

To enable two factor authentication using:

the web UI, see the section called “Web UI: Enabling Two Factor Authentication”.
the command line, see the section called “Command Line: Enabling Two Factor Authentication”.

Web UI: Enabling Two Factor Authentication

To set authentication methods globally for all users:

Select IPA Server → Configuration.
In the User Options area, select the required Default user authentication types.
Figure 22.4. User Authentication Methods

To ensure the global settings are not overridden with per-user settings, select Disable per-user override. If you do not select Disable per-user override, authentication methods configured per user take precedence over the global settings.

To set authentication methods individually on a per-user basis:

Select Identity → Users, and click the name of the user to edit.
In the Account Settings area, select the required User authentication types.
Figure 22.5. User Authentication Methods

Command Line: Enabling Two Factor Authentication

To set authentication methods globally for all users:

Run the ipa config-mod --user-auth-type command. For example, to set the global authentication method to two-factor authentication:
```
$ ipa config-mod --user-auth-type=otp
```
For a list of values accepted by --user-auth-type, run the ipa config-mod --help command.
To disable per-user overrides, thus ensuring the global settings are not overridden with per-user settings, add the --user-auth-type=disabled option as well. For example, to set the global authentication method to two-factor authentication and disable per-user overrides:
```
$ ipa config-mod --user-auth-type=otp --user-auth-type=disabled
```
If you do not set --user-auth-type=disabled, authentication methods configured per user take precedence over the global settings.

To set authentication methods individually for a specified user:

Run the ipa user-mod --user-auth-type command. For example, to set that user will be required to use two-factor authentication:
```
$ ipa user-mod user --user-auth-type=otp
```

To set multiple authentication methods, add --user-auth-type multiple times. For example, to configure both password and two-factor authentication globally for all users:

$ ipa config-mod --user-auth-type=otp --user-auth-type=password

22.3.4. Adding a User-Managed Software Token

Log in with your standard password.
Make sure the FreeOTP Authenticator application is installed on your mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
Create the software token in the IdM web UI or from the command line.
- To create the token in the web UI, click Add under the OTP tokens tab. If you are logged-in as the administrator, the OTP Tokens tab is accessible through the Authentication tab.
  Figure 22.6. Adding an OTP Token for a User
- To create the token from the command line, run the ipa otptoken-add command.
```
$ ipa otptoken-add
------------------
Added OTP token ""
------------------
  Unique ID: 7060091b-4e40-47fd-8354-cb32fecd548a
  Type: TOTP
...
```
  For more information about ipa otptoken-add, run the command with the --help option added.
A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.

22.3.5. Adding a User-Managed YubiKey Hardware Token

A programmable hardware token, such as a YubiKey token, can only be added from the command line. To add a YubiKey hardware token as the user owning the token:

Log in with your standard password.
Insert your YubiKey token.
Run the ipa otptoken-add-yubikey command.
- If the YubiKey has an empty slot available, the command will select the empty slot automatically.
- If no empty slot is available, you must select a slot manually using the --slot option.For example:
```
$ ipa otptoken-add-yubikey --slot=2
```
  Note that this overwrites the selected slot.

22.3.6. Adding a Token for a User as the Administrator

To add a software token as the administrator:

Make sure you are logged-in as the administrator.
Make sure the FreeOTP Authenticator application is installed on the mobile device. To download FreeOTP Authenticator, see the FreeOTP source page.
Create the software token in the IdM web UI or from the command line.
- To create the token in the web UI, select Authentication → OTP Tokens and click Add at the top of the list of OTP tokens. In the Add OTP Token form, select the owner of the token.
  Figure 22.7. Adding an Administrator-Managed Software Token
- To create the token from the command line, run the ipa otptoken-add command with the --owner option. For example:
```
$ ipa otptoken-add --owner=user
------------------
Added OTP token ""
------------------
  Unique ID: 5303baa8-08f9-464e-a74d-3b38de1c041d
  Type: TOTP
...
```
A QR code is displayed in the web UI or on the command line. Scan the QR code with FreeOTP Authenticator to provision the token to the mobile device.

To add a programmable hardware token, such as a YubiKey token, as the administrator:

Make sure you are logged-in as the administrator.
Insert the YubiKey token.
Run the ipa otptoken-add-yubikey command with the --owner option. For example:
```
$ ipa otptoken-add-yubikey --owner=user
```

22.3.7. Migrating from a Proprietary OTP Solution

To enable the migration of a large deployment from a proprietary OTP solution to the IdM-native OTP solution, IdM offers a way to offload OTP validation to a third-party RADIUS server for a subset of users. The administrator creates a set of RADIUS proxies where each proxy can only reference a single RADIUS server. If more than one server needs to be addressed, it is recommended to create a virtual IP solution that points to multiple RADIUS servers. Such a solution needs to be built outside of RHEL IdM with the help of the keepalived daemon, for example. The administrator then assigns one of these proxy sets to a user. As long as the user has a RADIUS proxy set assigned, IdM bypasses all other authentication mechanisms.

Note

IdM does not provide any token management or synchronization support for tokens in the third-party system.

To configure a RADIUS server for OTP validation and to add a user to the proxy server:

Make sure that the radius user authentication method is enabled. See Section 22.3.3, “Enabling Two Factor Authentication” for details.
Run the ipa radiusproxy-add proxy_name --secret secret command to add a RADIUS proxy. The command prompts you for inserting the required information.
The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the --secret parameter.
Run the ipa user-mod radiususer --radius=proxy_name command to assign a user to the added proxy.
If required, configure the user name to be sent to RADIUS by running the ipa user-mod radiususer --radius-username=radius_user command.

As a result, the user OTP authentication will start to be processed through the RADIUS proxy server.

Note

To run a RADIUS server on an IdM master with FIPS mode enabled, additionally, perform the steps described in Section 22.3.2, “Required Settings for Configuring a RADIUS Proxy on an IdM Server Running in FIPS Mode”.

When the user is ready to be migrated to the IdM native OTP system, you can simply remove the RADIUS proxy assignment for the user.

22.3.7.1. Changing the Timeout Value of a KDC When Running a RADIUS Server in a Slow Network

In certain situations, such as running a RADIUS proxy in a slow network, the IdM KDC closes the connection before the RADIUS server responds because the connection timed out while waiting for the user to enter the token.

To change the timeout settings of the KDC:

Change the value of the timeout parameter in the [otp] section in the /var/kerberos/krb5kdc/kdc.conf file. For example, to set the timeout to 120 seconds:
```
[otp]
DEFAULT = {
  timeout = 120
  ...
}
```
Restart the krb5kdc service:
```
# systemctl restart krb5kdc
```

22.3.8. Promoting the Current Credentials to Two-Factor Authentication

If both password and two-factor authentication are configured, but you only authenticated using the password, you might be denied access to certain services or hosts (see Section 22.4, “Restricting Access to Services and Hosts Based on How Users Authenticate”). In this situation, promote your credentials from one-factor to two-factor authentication by authenticating again:

Lock your screen. The default keyboard shortcut to lock the screen is Super key+L.
Unlock your screen. When asked for credentials, use both password and OTP.

22.3.9. Resynchronizing an OTP Token

See Section B.4.3, “OTP Token Out of Sync”.

22.3.10. Replacing a Lost OTP Token

The following procedure describes how a user who lost its OTP token can replace the token:

As an administrator, enable password and OTP authentication for the user:

[admin@server]# ipa user-mod --user-auth-type=password --user-auth-type=otp user_name

The user can now add a new token. For example, to add a new token that has New Token set in the description:
```
[user@server]# ipa otptoken-add --desc="New Token"
```
For further details, enter the command the ipa otptoken-add --help parameter added.

The user can now delete the old token:

Optionally, list the tokens associated with the account:

[user@server]# ipa otptoken-find
--------------------
2 OTP tokens matched
--------------------
  Unique ID: 4ce8ec29-0bf7-4100-ab6d-5d26697f0d8f
  Type: TOTP
  Description: New Token
  Owner: user

  Unique ID: e1e9e1ef-172c-4fa9-b637-6b017ce79315
  Type: TOTP
  Description: Old Token
  Owner: user
----------------------------
Number of entries returned 2
----------------------------

Delete the old token. For example, to delete the token with the e1e9e1ef-172c-4fa9-b637-6b017ce79315 ID:

[user@server]# # ipa otptoken-del e1e9e1ef-172c-4fa9-b637-6b017ce79315
--------------------------------------------------------
Deleted OTP token "e1e9e1ef-172c-4fa9-b637-6b017ce79315"
--------------------------------------------------------

As an administrator, enable only OTP authentication for the user:
```
[admin@server]# ipa user-mod --user-auth-type=otp user_name
```

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Red Hat Training

22.3. One-Time Passwords

22.3.1. How OTP Authentication Works in IdM

22.3.1.1. OTP Tokens Supported in IdM

Software and Hardware Tokens

User-managed and Administrator-managed Tokens

Supported OTP Algorithms

22.3.1.2. Available OTP Authentication Methods

Global and User-specific Authentication Methods

Combining Multiple Authentication Methods

22.3.1.3. GNOME Keyring Service Support

22.3.1.4. Offline Authentication with OTP

22.3.2. Required Settings for Configuring a RADIUS Proxy on an IdM Server Running in FIPS Mode

22.3.3. Enabling Two Factor Authentication

Web UI: Enabling Two Factor Authentication

Command Line: Enabling Two Factor Authentication

22.3.4. Adding a User-Managed Software Token

22.3.5. Adding a User-Managed YubiKey Hardware Token

22.3.6. Adding a Token for a User as the Administrator

22.3.7. Migrating from a Proprietary OTP Solution

22.3.7.1. Changing the Timeout Value of a KDC When Running a RADIUS Server in a Slow Network

22.3.8. Promoting the Current Credentials to Two-Factor Authentication

22.3.9. Resynchronizing an OTP Token

22.3.10. Replacing a Lost OTP Token