Show Table of Contents
Chapter 27. Identity Management
Identity Management (IdM) provides a unifying environment for standards-defined, common network services, including PAM, LDAP, Kerberos, DNS, NTP, and certificate services. IdM allows Red Hat Enterprise Linux systems to serve as domain controllers.[25]
In Red Hat Enterprise Linux, the ipa-server package provides the IdM server. Enter the following command to see if the ipa-server package is installed:
~]$ rpm -q ipa-server
package ipa-server is not installed
If it is not installed, enter the following command as the root user to install it:
~]# yum install ipa-server
27.1. Identity Management and SELinux
Identity Management can map IdM users to configured SELinux roles per host so that it is possible to specify SELinux context for IdM access rights. During the user login process, the System Security Services Daemon (
SSSD) queries the access rights defined for a particular IdM user. Then the pam_selinux module sends a request to the kernel to launch the user process with the proper SELinux context according to the IdM access rights, for example guest_u:guest_r:guest_t:s0.
For more information about Identity Management and SELinux, see the Linux Domain, Identity, Authentication, and Policy Guide for Red Hat Enterprise Linux 7.
27.1.1. Trust to Active Directory Domains
In previous versions of Red Hat Enterprise Linux, Identity Management used the
WinSync utility to allow users from Active Directory (AD) domains to access data stored on IdM domains. To do that, WinSync had to replicate the user and group data from the AD server to the local server and kept the data synchronized.
In Red Hat Enterprise Linux 7, the
SSSD daemon has been enhanced to work with AD and users are able to create a trusted relationship between IdM and AD domains. The user and group data are read directly from the AD server. Additionally, Kerberos cross-realm trust allowing single sign-on (SSO) authentication between the AD and IdM domains is provided. If SSO is set, users from the AD domains can access data protected by Kerberos that is stored on the IdM domains without requiring a password.
This feature is not installed by default. To use it, install the additional ipa-server-trust-ad package.
[25]
For more information about Identity Management, see the Linux Domain, Identity, Authentication, and Policy Guide for Red Hat Enterprise Linux 7.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.