Considerations in adopting RHEL 9
Making open source more inclusive
Providing feedback on Red Hat documentation
1. Preface
2. Architectures
3. Repositories
4. Application Streams
5. Installer and image creation
Expand section "5. Installer and image creation" Collapse section "5. Installer and image creation"
1. 5.1. Installer
2. 5.2. Image creation
6. Subscription management
Expand section "6. Subscription management" Collapse section "6. Subscription management"
1. 6.1. Notable changes to subscription management
7. Software management
Expand section "7. Software management" Collapse section "7. Software management"
1. 7.1. Notable changes to software management
8. Shells and command-line tools
Expand section "8. Shells and command-line tools" Collapse section "8. Shells and command-line tools"
1. 8.1. Notable changes to system management
9. Infrastructure services
Expand section "9. Infrastructure services" Collapse section "9. Infrastructure services"
1. 9.1. Notable changes to infrastructure services
10. Security
Expand section "10. Security" Collapse section "10. Security"
11. Networking
Expand section "11. Networking" Collapse section "11. Networking"
12. Kernel
Expand section "12. Kernel" Collapse section "12. Kernel"
13. Hardware enablement
Expand section "13. Hardware enablement" Collapse section "13. Hardware enablement"
1. 13.1. Unmaintained hardware support
2. 13.2. Removed hardware support
14. File systems and storage
Expand section "14. File systems and storage" Collapse section "14. File systems and storage"
1. 14.1. File systems
2. 14.2. Storage
15. High availability and clusters
Expand section "15. High availability and clusters" Collapse section "15. High availability and clusters"
1. 15.1. Notable changes to high availability and clusters
16. Dynamic programming languages, web servers, database servers
Expand section "16. Dynamic programming languages, web servers, database servers" Collapse section "16. Dynamic programming languages, web servers, database servers"
1. 16.1. Notable changes to dynamic programming languages, web and database servers
17. Identity Management
Expand section "17. Identity Management" Collapse section "17. Identity Management"
18. Virtualization
Expand section "18. Virtualization" Collapse section "18. Virtualization"
19. Containers
Expand section "19. Containers" Collapse section "19. Containers"
1. 19.1. Notable changes to containers
20. Desktop
Expand section "20. Desktop" Collapse section "20. Desktop"
1. 20.1. Notable changes to desktop
21. .NET
Expand section "21. .NET" Collapse section "21. .NET"
1. 21.1. Notable changes to .NET
22. Edge
Expand section "22. Edge" Collapse section "22. Edge"
1. 22.1. RHEL for Edge
23. Performance
Expand section "23. Performance" Collapse section "23. Performance"
1. 23.1. Notable changes to performance
24. System roles
Expand section "24. System roles" Collapse section "24. System roles"
1. 24.1. Performing system administration tasks with RHEL System Roles
A. Changes to packages
Expand section "A. Changes to packages" Collapse section "A. Changes to packages"
Legal Notice

Chapter 17. Identity Management

This chapter lists the most notable changes to Identity Management (IdM) between RHEL 8 and RHEL 9.

17.1. New features

Identity Management installation packages have been demodularized

Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following dnf commands to install IdM server packages:

For a server without integrated DNS services:
```
# dnf install ipa-server
```
For a server with integrated DNS services:
```
# dnf install ipa-server ipa-server-dns
```

The SSSD implicit files provider domain is disabled by default

The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/groups, is now disabled by default.

To retrieve user and group information from local files with SSSD:

Configure SSSD. Choose one of the following options:
1. Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file.
```
[domain/local]
id_provider=files
...
```
2. Enable the files provider by setting the enable_files_domain=true option in the sssd.conf configuration file.
```
[sssd]
enable_files_domain = true
```

Configure the name services switch.

# authselect enable-feature with-files-provider

17.2. Relocated packages

ansible-freeipa is now available in the AppStream repository with all dependencies

Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs ansible-core as a dependency. Both packages are available in the rhel-9-for-x86_64-appstream-rpms repository.

ansible-freeipa in RHEL 9 contains all the modules that it contained in RHEL 8.

Clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository

The ctdb clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository. Previously in RHEL 8, clustered Samba packages were available from the BaseOS repository.

17.3. Removed functionality

The nss-pam-ldapd package has been removed

The nss-pam-ldapd package has been removed from RHEL. Red Hat recommends migrating to SSSD and its ldap provider, which fully replaces the functionality of the nslcd service. SSSD has features that specifically address the needs of nss-pam-ldapd users, such as:

hosts databases
networks databases
services databases

NIS packages have been removed

The following Network Information Service (NIS) components have been removed from RHEL:

nss_nis
yp-tools
ypbind
ypserv

There is no direct replacement with fully compatible features because the NIS technology is based on outdated design patterns and is no longer considered secure.

Red Hat recommends using RHEL Identity Management and SSSD instead.

The openssh-ldap package has been removed

As the openssh-ldap subpackage is not maintained upstream, it has been removed from RHEL. Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.

By default, the SSSD ldap and ipa providers read the sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.

To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man page for details.

To allow sshd to use sss_ssh_authorizedkeys, add the following options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

The custodia package has been removed

The custodia package has been integrated into Red Hat Identity Management in RHEL 9 and is no longer shipped as a separate service.

The gssntlmssp package has been removed

As Windows New Technology LAN Manager (NTLM) is considered insecure, the gssntlmssp package has been removed.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Chapter 17. Identity Management

17.1. New features

17.2. Relocated packages

17.3. Removed functionality