Chapter 15. Identity Management
This chapter lists the most notable changes to Identity Management (IdM) between RHEL 8 and RHEL 9.
15.1. New features
Identity Management installation packages have been demodularized
Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following yum commands to install IdM servers:
For a server without integrated DNS services:
# yum install ipa-server
For a server with integrated DNS services:
# yum install ipa-server ipa-server-dns
If you prefer, you can still use the RHEL 8 installation commands. See Installing packages required for an IdM server.
The SSSD implicit files provider domain is disabled by default
The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/group, is now disabled by default.
To retrieve user and group information from local files with SSSD:
Configure SSSD. Choose one of the following options:
- Explicitly configure a local domain with the id_provider=files option in the sssd.conf file:
[domain/local]
id_provider=files
...
- Enable the files provider by setting the enable_files_domain=true option in the [sssd] section of the sssd.conf file:
[sssd]
enable_files_domain = true
Configure the name services switch:
# authselect enable-feature with-files-provider
15.2. Relocated packages
ansible-freeipa is now available in the AppStream repository with all dependencies
Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs ansible-core as a dependency. Both packages are available in the AppStream repository.
ansible-freeipa in RHEL 9 contains all the modules that it contained in RHEL 8.
Clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository
The ctdb clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository. Previously in RHEL 8, clustered Samba packages were available from the BaseOS repository.
15.3. Removed functionality
The nss-pam-ldapd package has been removed
The nss-pam-ldapd package has been removed from RHEL. Red Hat recommends migrating to SSSD and its ldap provider, which fully replaces the functionality of the nslcd service. SSSD has features that specifically address the needs of nss-pam-ldapd users, such as:
- hosts databases
- networks databases
- services databases
NIS packages have been removed
The following Network Information Service (NIS) components have been removed from RHEL:
There is no direct replacement with fully compatible features because the NIS technology is based on outdated design patterns and is no longer considered secure.
Red Hat recommends using RHEL Identity Management and SSSD instead.
The openssh-ldap package has been removed
Because the openssh-ldap subpackage is not maintained upstream, it has been removed from RHEL. Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.
By default, the SSSD ipa provider reads the sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.
To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man page for details.
To configure sshd to use sss_ssh_authorizedkeys, add the following options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
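The following script is an added example and is not part of the Red Hat documentation or of SSSD itself. It audits the two configurations this chapter describes: the files-provider options in sssd.conf (from the section on the implicit files domain above, either enable_files_domain = true in [sssd] or a [domain/...] section with id_provider = files) and the ssh responder plus the sshd_config lines needed for sss_ssh_authorizedkeys. The helper function names, the temporary directory and the sample configuration files it writes are this example's own constructed inputs, not files taken from a real system.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): audit helpers that read an sssd.conf
# and an sshd_config and report whether the settings described on this page are
# present. Parsing is section-aware via awk; keys match case-insensitively and
# whitespace around '=' is ignored. Sample files below are constructed for the demo.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        sec == want_sec && index($0, "=") > 0 {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            if (tolower(key) == tolower(want_key)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                print val; exit
            }
        }' "$1"
}

# ini_sections FILE -> prints each [section] name on its own line.
ini_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); print s }' "$1"
}

# Exit 0 when either option from the text is set: enable_files_domain = true in
# [sssd], or some [domain/...] section using id_provider = files.
sssd_files_provider_enabled() {
    if [ "$(ini_get "$1" sssd enable_files_domain | tr 'A-Z' 'a-z')" = "true" ]; then
        return 0
    fi
    for sec in $(ini_sections "$1"); do
        case "$sec" in
            domain/*) if [ "$(ini_get "$1" "$sec" id_provider)" = "files" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Exit 0 when "ssh" appears in the services list of [sssd] (the ssh responder).
sssd_ssh_responder_enabled() {
    for svc in $(ini_get "$1" sssd services | tr ',' ' '); do
        if [ "$svc" = "ssh" ]; then return 0; fi
    done
    return 1
}

# Exit 0 when the effective AuthorizedKeysCommand is sss_ssh_authorizedkeys and
# AuthorizedKeysCommandUser names an unprivileged account. sshd keywords are
# case-insensitive and the first occurrence wins, which the awk 'exit' mirrors.
sshd_uses_sss_authorizedkeys() {
    cmd=$(awk 'tolower($1) == "authorizedkeyscommand" { print $2; exit }' "$1")
    user=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; exit }' "$1")
    if [ "$cmd" != "/usr/bin/sss_ssh_authorizedkeys" ]; then return 1; fi
    if [ -z "$user" ] || [ "$user" = "root" ]; then return 1; fi
    return 0
}

# --- constructed sample files (not real system configuration) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = local, ipa.example.test

[domain/local]
id_provider = files

[domain/ipa.example.test]
id_provider = ipa
EOF
cat > "$demo_dir/sssd-enable.conf" <<'EOF'
[sssd]
services = nss, pam
enable_files_domain = true
EOF
cat > "$demo_dir/sssd-default.conf" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
EOF
printf '%s\n' 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' \
    'AuthorizedKeysCommandUser nobody' > "$demo_dir/sshd_config"
printf '%s\n' '#AuthorizedKeysCommand none' \
    '#AuthorizedKeysCommandUser nobody' > "$demo_dir/sshd_config.default"

# Report one line per sample so the script is useful when run directly.
for f in sssd.conf sssd-enable.conf sssd-default.conf; do
    if sssd_files_provider_enabled "$demo_dir/$f"; then
        echo "$f: files provider enabled"
    else
        echo "$f: files provider disabled (the RHEL 9 default)"
    fi
done
```

Point the three check functions at /etc/sssd/sssd.conf and /etc/ssh/sshd_config to audit a real host; the awk parser deliberately ignores commented lines, so a commented-out AuthorizedKeysCommand (the stock sshd_config default) is reported as not configured.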
The custodia package has been removed
The custodia package has been integrated into Red Hat Identity Management in RHEL 9 and is no longer shipped as a separate service.
The gssntlmssp package has been removed
As Windows New Technology LAN Manager (NTLM) is considered insecure, the gssntlmssp package has been removed.