Chapter 26. Identity Management
Identity Management (IdM) provides a unifying environment for standards-defined, common network services, including PAM, LDAP, Kerberos, DNS, NTP, and certificate services. IdM allows Red Hat Enterprise Linux systems to serve as domain controllers.
In Red Hat Enterprise Linux, the ipa-server package provides the IdM server. Enter the following command to see if the ipa-server package is installed:
~]$If it is not installed, enter the following command as the root user to install it:
rpm -q ipa-serverpackage ipa-server is not installed
yum install ipa-server
26.1. Identity Management and SELinux
Identity Management can map IdM users to configured SELinux roles per host so that it is possible to specify SELinux context for IdM access rights. During the user login process, the System Security Services Daemon (
SSSD) queries the access rights defined for a particular IdM user. Then the
pam_selinuxmodule sends a request to the kernel to launch the user process with the proper SELinux context according to the IdM access rights, for example
For more information about Identity Management and SELinux, see the Linux Domain, Identity, Authentication, and Policy Guide for Red Hat Enterprise Linux 7.
26.1.1. Trust to Active Directory Domains
In previous versions of Red Hat Enterprise Linux, Identity Management used the
WinSyncutility to allow users from Active Directory (AD) domains to access data stored on IdM domains. To do that,
WinSynchad to replicate the user and group data from the AD server to the local server and kept the data synchronized.
In Red Hat Enterprise Linux 7, the
SSSDdaemon has been enhanced to work with AD and users are able to create a trusted relationship between IdM and AD domains. The user and group data are read directly from the AD server. Additionally, Kerberos cross-realm trust allowing single sign-on (SSO) authentication between the AD and IdM domains is provided. If SSO is set, users from the AD domains can access data protected by Kerberos that is stored on the IdM domains without requiring a password.
This feature is not installed by default. To use it, install the additional ipa-server-trust-ad package.