27.1. Identity Management and SELinux
Identity Management can map IdM users to configured SELinux roles per host, so that it is possible to specify an SELinux context for IdM access rights. During the user login process, the System Security Services Daemon (SSSD) queries the access rights defined for a particular IdM user. Then the pam_selinux module sends a request to the kernel to launch the user process with the proper SELinux context according to the IdM access rights, for example
27.1.1. Trust to Active Directory Domains
In previous versions of Red Hat Enterprise Linux, Identity Management used the utility to allow users from Active Directory (AD) domains to access data stored on IdM domains. To do that, had to replicate the user and group data from the AD server to the local server and keep the data synchronized.
In Red Hat Enterprise Linux 7, the daemon has been enhanced to work with AD, and users are able to create a trusted relationship between IdM and AD domains. The user and group data are read directly from the AD server. Additionally, Kerberos cross-realm trust allowing single sign-on (SSO) authentication between the AD and IdM domains is provided. If SSO is set, users from the AD domains can access data protected by Kerberos that is stored on the IdM domains without requiring a password.
This feature is not installed by default. To use it, install the additional ipa-server-trust-ad package.
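The two features above, the per-host SELinux user map (27.1) and the AD trust (27.1.1), are both configured through the ipa command line. The following script is an added example, not part of the Red Hat release notes, that wraps those commands in a dry-run helper: by default it only prints what it would run, and it executes only when IPA_DRY_RUN=0 is set on an IdM server with a valid admin Kerberos ticket. The map name guest_map, the user jsmith, the host web1.idm.example.com and the AD domain ad.example.com are constructed placeholders; the validator for the --selinuxuser value and the path under /etc/selinux/targeted/logins/ where SSSD records the mapping on the client are this script's own assumptions about format and location, not text from the page.

```shell
#!/bin/sh
# Added example for RHEL 7 IdM SELinux user maps and AD trusts (not from the
# release notes). Names below are constructed placeholders.
# IPA_DRY_RUN=1 (default) prints commands; IPA_DRY_RUN=0 executes them.
: "${IPA_DRY_RUN:=1}"

# run: echo the command line, and execute it only when IPA_DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$IPA_DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# validate_selinux_user: accept SELinux user strings of the form
# seuser:MLS-low[-MLS-high][:categories], e.g. guest_u:s0 or
# staff_u:s0-s0:c0.c1023 (assumed format; reject anything else so a typo
# does not create a map rule that fails at login time).
validate_selinux_user() {
    printf '%s\n' "$1" |
        grep -Eq '^[a-z_][a-z0-9_]*:s[0-9]+(-s[0-9]+)?(:c[0-9]+(\.c[0-9]+)?)?$'
}

# selinux_map_setup MAP SEUSER USER HOST: create a map rule that logs USER
# in with SELinux user SEUSER on HOST, using the real ipa subcommands.
selinux_map_setup() {
    if ! validate_selinux_user "$2"; then
        echo "invalid SELinux user string: $2" >&2
        return 1
    fi
    run ipa selinuxusermap-add "$1" --selinuxuser="$2"
    run ipa selinuxusermap-add-user "$1" --users="$3"
    run ipa selinuxusermap-add-host "$1" --hosts="$4"
}

# selinux_map_check USER: on the client, after USER has logged in, show the
# context pam_selinux applied and the per-user login record SSSD wrote
# (assumed location: /etc/selinux/targeted/logins/USER).
selinux_map_check() {
    run id -Z
    run cat "/etc/selinux/targeted/logins/$1"
}

# ad_trust_setup AD_DOMAIN: install the optional package named on the page,
# prepare the IdM server for trusts, and establish a trust with AD_DOMAIN.
# ipa trust-add prompts for the AD administrator password (--password).
ad_trust_setup() {
    run yum install -y ipa-server-trust-ad
    run ipa-adtrust-install
    run ipa trust-add --type=ad "$1" --admin Administrator --password
}

# ad_trust_check AD_DOMAIN: confirm the trust exists and that an AD user
# resolves through SSSD without a local account.
ad_trust_check() {
    run ipa trust-show "$1"
    run id "administrator@$1"
}

# Demo entry point: only acts when invoked as "sh script.sh demo", so the
# functions can be sourced (for example by tests) without side effects.
if [ "${1:-}" = "demo" ]; then
    selinux_map_setup guest_map guest_u:s0 jsmith web1.idm.example.com
    selinux_map_check jsmith
    ad_trust_setup ad.example.com
    ad_trust_check ad.example.com
fi
```

Run it with `sh script.sh demo` first to review the exact command lines, then with `IPA_DRY_RUN=0 sh script.sh demo` on the IdM server. The SELinux check belongs on the enrolled client after a fresh login of the mapped user; SSSD caches the mapping, so a rule changed on the server is only visible there after the cache is refreshed or the user logs in again.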