Chapter 3. Installing and Uninstalling Identity Management Clients

This chapter explains how to configure a system to join an Identity Management (IdM) domain as a client machine enrolled with a server.


See Section 1.2, “The Identity Management Domain” for details on clients and servers in the IdM domain.

3.1. Prerequisites for Installing a Client

DNS requirements
Employ proper DNS delegation. For details on DNS requirements in IdM, see Section 2.1.3, “Host Name and DNS Configuration”.
Do not alter the resolv.conf file on clients.
Port requirements
IdM clients connect to a number of ports on IdM servers to communicate with their services. These ports must be open on the IdM servers for these connections to work. For more information on which ports IdM requires, see Section 2.1.4, “Port Requirements”.
On a client, open these ports in the outgoing direction. If you are using a firewall that does not filter outgoing packets, such as firewalld, the ports are already available in the outgoing direction.
Federal Information Processing Standard (FIPS) support
In environments set up using Red Hat Enterprise Linux 7.4 and later:
  • You can configure a new IdM server, replica, or client on a system with the FIPS mode enabled. The installation script automatically detects a system with FIPS enabled and configures IdM without the administrator's intervention.
    To enable FIPS in the operating system, see Enabling FIPS Mode in the Security Guide.


    You cannot:
    • Enable FIPS mode on existing IdM servers previously installed with FIPS mode disabled.
    • Install a replica in FIPS mode when using an existing IdM server with FIPS mode disabled.
In environments set up using Red Hat Enterprise Linux 7.3 and earlier:
  • IdM does not support the FIPS mode. Disable FIPS on your system before installing an IdM server, replica, or client, and do not enable it after the installation.
For further details about FIPS mode, see Federal Information Processing Standard (FIPS) in the Security Guide.
Name Service Cache Daemon (NSCD) requirements
Red Hat recommends disabling NSCD on Identity Management machines. Alternatively, if disabling NSCD is not possible, only enable NSCD for maps that SSSD does not cache.
Both NSCD and the SSSD service perform caching, and problems can occur when systems use both services simultaneously. See the System-Level Authentication Guide for information on how to avoid conflicts between NSCD and SSSD.
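
The following pre-enrollment check is an added example, not part of the original guide or of the IdM tooling. It reports the FIPS state and lists NSCD maps that overlap with SSSD caching. The function names and the set of maps assumed to be cached by SSSD (passwd, group, netgroup, services) are assumptions; confirm the map list against the System-Level Authentication Guide for your release.

```shell
#!/bin/sh
# Pre-enrollment check for the FIPS and NSCD prerequisites (added example).
# Source this file, then run: preflight [nscd.conf] [fips_enabled file]

# ASSUMPTION: maps that SSSD caches; verify for your release.
SSSD_MAPS="passwd group netgroup services"

# Print each map from SSSD_MAPS that the given nscd.conf also caches.
# nscd.conf lines look like "enable-cache <map> <yes|no>"; '#' starts a comment.
nscd_conflicting_maps() {
    conf=$1
    [ -r "$conf" ] || return 0      # no readable config: nothing to report
    awk -v maps="$SSSD_MAPS" '
        BEGIN { n = split(maps, m, " ") }
        { sub(/#.*/, "") }          # drop full-line and trailing comments
        # If a map is set more than once, this script keeps the last line.
        $1 == "enable-cache" && NF >= 3 { state[$2] = $3 }
        END { for (i = 1; i <= n; i++) if (state[m[i]] == "yes") print m[i] }
    ' "$conf"
}

# Print "enabled" if the kernel FIPS flag file contains 1, else "disabled".
fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Run both checks; return 1 if NSCD and SSSD would cache the same map.
preflight() {
    conf=${1:-/etc/nscd.conf}
    fips=${2:-/proc/sys/crypto/fips_enabled}
    echo "FIPS mode: $(fips_state "$fips")"
    bad=$(nscd_conflicting_maps "$conf" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "NSCD caches maps that SSSD also caches: $bad"
        return 1
    fi
    echo "NSCD: no overlap with SSSD caching"
}
```

The reported FIPS state is informational: whether it is acceptable depends on the Red Hat Enterprise Linux release, as described under FIPS support above.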