Chapter 3. Installing and Uninstalling Identity Management Clients

This chapter explains how to configure a system to join an Identity Management (IdM) domain as a client machine enrolled with a server.
Note
See Section 1.2, “The Identity Management Domain” for details on clients and servers in the IdM domain.

3.1. Prerequisites for Installing a Client

DNS requirements
Employ proper DNS delegation. For details on DNS requirements in IdM, see Section 2.1.5, “Host Name and DNS Configuration”.
Do not alter the resolv.conf file on clients.
Port requirements
IdM clients connect to a number of ports on IdM servers to communicate with their services. These ports must be open on the IdM servers in the incoming direction. For more information on which ports IdM requires, see Section 2.1.6, “Port Requirements”.
On a client, open these ports in the outgoing direction. If you are using a firewall that does not filter outgoing packets, such as firewalld, the ports are already available in the outgoing direction.
Name Service Cache Daemon (NSCD) requirements
Red Hat recommends disabling NSCD on Identity Management machines. If disabling NSCD is not possible, enable NSCD only for maps that SSSD does not cache.
Both NSCD and the SSSD service perform caching, and problems can occur when systems use both services simultaneously. See the System-Level Authentication Guide for information on how to avoid conflicts between NSCD and SSSD.

3.1.1. Supported versions of RHEL for installing IdM clients

An Identity Management (IdM) deployment in which IdM servers are running on the latest minor version of RHEL 7 supports clients that are running on the latest minor versions of:
  • RHEL 7
  • RHEL 8
  • RHEL 9
Note
If you are planning to make your IdM deployment FIPS-compliant, Red Hat strongly recommends migrating your environment to RHEL 9. RHEL 9 is the first major RHEL version certified for FIPS 140-3.

3.1.2. Prerequisites for Installing a Client in a FIPS Environment

In environments set up using Red Hat Enterprise Linux 7.4 and later:
  • You can configure a new client on a system with the Federal Information Processing Standard (FIPS) mode enabled. The installation script automatically detects a system with FIPS enabled and configures IdM without the administrator's intervention.
    To enable FIPS in the operating system, see Enabling FIPS Mode in the Security Guide.
In environments set up using Red Hat Enterprise Linux 7.3 and earlier:
  • IdM does not support the FIPS mode. Disable FIPS on your system before installing an IdM client, and do not enable it after the installation.
For further details about FIPS mode, see Federal Information Processing Standard (FIPS) in the Security Guide.
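
The FIPS and NSCD prerequisites above can be checked on a host before enrollment. The following script is an added example, not part of the Red Hat documentation or tooling; the function names and the `--run` switch are hypothetical, and it assumes the RHEL 7.4 cut-off is applied to the client's own release as read from /etc/redhat-release.

```shell
#!/bin/sh
# Added example: pre-enrollment checks for the FIPS and NSCD prerequisites.
# Assumption: the RHEL 7.4 cut-off is applied to the client's own release.

# fips_check "<redhat-release text>" "<fips_enabled value>"
# Prints a verdict; returns 0 = proceed, 1 = blocked, 2 = release not parsed.
fips_check() {
    fc_ver=$(printf '%s\n' "$1" |
        sed -n 's/.*release \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$fc_ver" ]; then
        echo "unknown: cannot parse release string"
        return 2
    fi
    fc_major=${fc_ver% *}
    fc_minor=${fc_ver#* }
    if [ "$2" != "1" ]; then
        echo "ok: FIPS mode is off"
        return 0
    fi
    # FIPS is on: supported only on RHEL 7.4 and later.
    if [ "$fc_major" -gt 7 ] ||
       { [ "$fc_major" -eq 7 ] && [ "$fc_minor" -ge 4 ]; }; then
        echo "ok: FIPS mode is on and supported on $fc_major.$fc_minor"
        return 0
    fi
    echo "blocked: FIPS mode is on but unsupported on $fc_major.$fc_minor"
    return 1
}

# nscd_check "<output of systemctl is-active nscd>"
# Returns 1 when NSCD is running alongside SSSD, 0 otherwise.
nscd_check() {
    case "$1" in
        active|activating)
            echo "warn: nscd is running; disable it or limit it to maps SSSD does not cache"
            return 1 ;;
        *)
            echo "ok: nscd is not running"
            return 0 ;;
    esac
}

# Check the live system only when invoked with --run (hypothetical switch).
if [ "${1:-}" = "--run" ]; then
    fips_check "$(cat /etc/redhat-release 2>/dev/null)" \
               "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)"
    nscd_check "$(systemctl is-active nscd 2>/dev/null)"
fi
```

A "blocked" verdict means FIPS mode must be disabled before installing the client, and left disabled afterwards, as described for Red Hat Enterprise Linux 7.3 and earlier.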