Chapter 15. Identity Management

This chapter lists the most notable changes to Identity Management (IdM) between RHEL 8 and RHEL 9.

15.1. New features

Identity Management installation packages have been demodularized

Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following yum commands to install IdM servers:

  • For a server without integrated DNS services:

    # yum install ipa-server
  • For a server with integrated DNS services:

    # yum install ipa-server ipa-server-dns

If you prefer, you can still use the RHEL 8 installation commands; see Installing packages required for an IdM server.

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/group, is now disabled by default.

To retrieve user and group information from local files with SSSD:

  1. Configure SSSD. Choose one of the following options:

    • Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file:

      [domain/local]
      id_provider=files
      ...
    • Enable the files provider by setting the enable_files_domain=true option in the sssd.conf configuration file:

      [sssd]
      enable_files_domain = true
  2. Configure the name services switch.

    # authselect enable-feature with-files-provider
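The following script is an added example, not Red Hat's or the SSSD project's code. It reads an sssd.conf and reports which of the two options above is in effect: an explicit domain with id_provider=files, the implicit files domain via enable_files_domain, or neither (the RHEL 9 default). It assumes sssd.conf is INI-style and can be parsed with Python's configparser, and it applies the standard SSSD rule that a [domain/NAME] section only takes effect when NAME is listed in the domains option of the [sssd] section. The three configuration samples are constructed for the example.

```python
"""Report how an sssd.conf serves local-file users and groups on RHEL 9.

Added example (not Red Hat's code). Assumptions: sssd.conf is INI-style and
is parsed with configparser; a [domain/NAME] section is only active when NAME
appears in the 'domains' option of [sssd] (standard SSSD behaviour).
"""
import configparser
import sys

# Constructed sample: option 1 from the procedure (explicit files domain).
SAMPLE_EXPLICIT_DOMAIN = """
[sssd]
services = nss, pam
domains = local

[domain/local]
id_provider = files
"""

# Constructed sample: option 2 from the procedure (implicit files domain).
SAMPLE_IMPLICIT = """
[sssd]
services = nss, pam
enable_files_domain = true
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
"""

# Constructed sample: a files domain that is defined but NOT listed in
# 'domains', so SSSD ignores it and local lookups stay disabled.
SAMPLE_UNLISTED = """
[sssd]
services = nss, pam
domains = example.com

[domain/local]
id_provider = files

[domain/example.com]
id_provider = ipa
"""


def _parse(conf_text):
    # interpolation=None: sssd.conf values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def files_domains(conf_text):
    """Return the names of active domains that use id_provider=files."""
    cp = _parse(conf_text)
    listed = set()
    if cp.has_option("sssd", "domains"):
        listed = {d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()}
    active = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        provider = cp.get(section, "id_provider", fallback="").strip()
        if provider == "files" and name in listed:
            active.append(name)
    return active


def implicit_files_enabled(conf_text):
    """True when enable_files_domain=true is set in the [sssd] section."""
    cp = _parse(conf_text)
    return _truthy(cp.get("sssd", "enable_files_domain", fallback="false"))


def files_lookup_status(conf_text):
    """Summarise the configuration: 'explicit:<domains>', 'implicit' or 'disabled'."""
    explicit = files_domains(conf_text)
    if explicit:
        return "explicit:" + ",".join(explicit)
    if implicit_files_enabled(conf_text):
        return "implicit"
    return "disabled"


if __name__ == "__main__":
    # Usage: python3 check_files_provider.py /etc/sssd/sssd.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    with open(path) as fh:
        print(files_lookup_status(fh.read()))
```

Running the script against /etc/sssd/sssd.conf after step 1 confirms that the option you chose is actually active before you run the authselect command; the "disabled" result for SAMPLE_UNLISTED shows the common mistake of adding a [domain/local] section without adding it to domains. Snippets in /etc/sssd/conf.d are not read by this check.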

15.2. Relocated packages

ansible-freeipa is now available in the AppStream repository with all dependencies

Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs ansible-core as a dependency. Both packages are available in the rhel-9-for-x86_64-appstream-rpms repository.

ansible-freeipa in RHEL 9 contains all the modules that it contained in RHEL 8.

Clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository

The ctdb clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository. Previously in RHEL 8, clustered Samba packages were available from the BaseOS repository.

15.3. Removed functionality

The nss-pam-ldapd package has been removed

The nss-pam-ldapd package has been removed from RHEL. Red Hat recommends migrating to SSSD and its ldap provider, which fully replaces the functionality of the nslcd service. SSSD has features that specifically address the needs of nss-pam-ldapd users, such as:

  • hosts databases
  • networks databases
  • services databases

NIS packages have been removed

The following Network Information Service (NIS) components have been removed from RHEL:

  • nss_nis
  • yp-tools
  • ypbind
  • ypserv

There is no direct replacement with fully compatible features because the NIS technology is based on outdated design patterns and is no longer considered secure.

Red Hat recommends using RHEL Identity Management and SSSD instead.

The openssh-ldap package has been removed

As the openssh-ldap subpackage is not maintained upstream, it has been removed from RHEL. Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

By default, the SSSD ldap and ipa providers read the sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.

To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man page for details.

To allow sshd to use sss_ssh_authorizedkeys, add the following options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
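The following script is an added example, not Red Hat's or the SSSD project's code. It verifies the two settings the text above requires for the openssh-ldap replacement: that ssh appears in the services option of sssd.conf, and that sshd_config carries the AuthorizedKeysCommand and AuthorizedKeysCommandUser options. It assumes sshd_config keywords are case-insensitive, that sshd uses the first occurrence of a keyword, and that everything after the first Match line is conditional and therefore does not count as the global setting. The sshd_config and sssd.conf samples are constructed for the example.

```python
"""Check that sshd is wired to sss_ssh_authorizedkeys and SSSD's ssh responder.

Added example (not Red Hat's or SSSD's code). Assumptions: sshd_config
keywords are case-insensitive, the first occurrence of a keyword wins, and
settings after the first 'Match' line are conditional, so only lines before
it are treated as global.
"""
import configparser
import re

SSS_HELPER = "/usr/bin/sss_ssh_authorizedkeys"

# Constructed sample sshd_config: a commented-out line and a Match-scoped
# AuthorizedKeysCommand must NOT count; the two real options sit at top level.
SAMPLE_SSHD_CONFIG = """
# AuthorizedKeysCommand /usr/local/bin/old-ldap-helper
PasswordAuthentication no
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Match User backup
    AuthorizedKeysCommand /usr/local/bin/backup-keys
"""

# Constructed sample sssd.conf with the ssh responder enabled.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
"""

# sshd accepts both 'Keyword value' and 'Keyword=value'.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return global sshd settings as {lowercase keyword: first value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything from here on is conditional
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def ssh_responder_enabled(sssd_text):
    """True when 'ssh' is listed in the services option of [sssd]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_text)
    services = cp.get("sssd", "services", fallback="")
    return "ssh" in {s.strip() for s in services.split(",")}


def sss_ssh_keys_problems(sshd_text, sssd_text):
    """Return a list of problems; an empty list means keys will come from SSSD."""
    problems = []
    s = parse_sshd_config(sshd_text)
    # Only the command path is compared; sshd allows arguments after it.
    if s.get("authorizedkeyscommand", "").split()[:1] != [SSS_HELPER]:
        problems.append("AuthorizedKeysCommand is not %s" % SSS_HELPER)
    if not s.get("authorizedkeyscommanduser"):
        problems.append("AuthorizedKeysCommandUser is not set")
    if not ssh_responder_enabled(sssd_text):
        problems.append("'ssh' is missing from services in sssd.conf")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_sss_ssh.py  (reads the live files on the host)
    with open("/etc/ssh/sshd_config") as a, open("/etc/sssd/sssd.conf") as b:
        for problem in sss_ssh_keys_problems(a.read(), b.read()) or ["ok"]:
            print(problem)
```

An empty problem list only means the configuration is present; sshd still needs a restart after editing sshd_config, SSSD after editing sssd.conf, and the user object must carry an sshPublicKey value for the ldap or ipa provider to return anything.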

The custodia package has been removed

The custodia package has been integrated into Red Hat Identity Management in RHEL 9 and is no longer shipped as a separate service.

The gssntlmssp package has been removed

As Windows New Technology LAN Manager (NTLM) is considered insecure, the gssntlmssp package has been removed.