Chapter 17. Identity Management
This chapter lists the most notable changes to Identity Management (IdM) between RHEL 8 and RHEL 9.
17.1. New features
Identity Management installation packages have been demodularized
Previously in RHEL 8, IdM packages were distributed as modules, which required you to enable a stream and install the profile that corresponds to your desired installation. IdM installation packages have been demodularized in RHEL 9, so you can use the following dnf commands to install IdM server packages:
For a server without integrated DNS services:
# dnf install ipa-server
For a server with integrated DNS services:
# dnf install ipa-server ipa-server-dns
The SSSD implicit files provider domain is disabled by default
The SSSD implicit files provider domain, which retrieves user information from local files such as /etc/shadow and group information from /etc/group, is now disabled by default.
To retrieve user and group information from local files with SSSD:
1. Configure SSSD. Choose one of the following options:
   - Explicitly configure a local domain with the id_provider=files option in the sssd.conf configuration file:
     [domain/local]
     id_provider=files
     ...
   - Enable the files provider by setting the enable_files_domain=true option in the sssd.conf configuration file:
     [sssd]
     enable_files_domain = true
2. Configure the name services switch:
   # authselect enable-feature with-files-provider
17.2. Relocated packages
ansible-freeipa is now available in the AppStream repository with all dependencies
Previously in RHEL 8, before installing the ansible-freeipa package, you first had to enable the Ansible repository and install the ansible package. In RHEL 9, you can install ansible-freeipa without any preliminary steps. Installing ansible-freeipa automatically installs ansible-core as a dependency. Both packages are available in the rhel-9-for-x86_64-appstream-rpms repository.
ansible-freeipa in RHEL 9 contains all the modules that it contained in RHEL 8.
Clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository
The ctdb clustered Samba packages are now available from the Resilient Storage and Gluster Samba Repository. Previously in RHEL 8, clustered Samba packages were available from the BaseOS repository.
17.3. Removed functionality
The nss-pam-ldapd package has been removed
The nss-pam-ldapd package has been removed from RHEL. Red Hat recommends migrating to SSSD and its ldap provider, which fully replaces the functionality of the nslcd service. SSSD has features that specifically address the needs of nss-pam-ldapd users, such as:
- hosts databases
- networks databases
- services databases
NIS packages have been removed
The following Network Information Service (NIS) components have been removed from RHEL:
- nss_nis
- yp-tools
- ypbind
- ypserv
There is no direct replacement with fully compatible features because the NIS technology is based on outdated design patterns and is no longer considered secure.
Red Hat recommends using RHEL Identity Management and SSSD instead.
The openssh-ldap package has been removed
As the openssh-ldap subpackage is not maintained upstream, it has been removed from RHEL. Red Hat recommends using SSSD and the sss_ssh_authorizedkeys helper, which integrate better with other IdM solutions and are more secure.
By default, the SSSD ldap and ipa providers read the sshPublicKey LDAP attribute of the user object, if available. Note that you cannot use the default SSSD configuration for the ad provider or IdM trusted domains to retrieve SSH public keys from Active Directory (AD), since AD does not have a default LDAP attribute to store a public key.
To allow the sss_ssh_authorizedkeys helper to get the key from SSSD, enable the ssh responder by adding ssh to the services option in the sssd.conf file. See the sssd.conf(5) man page for details.
To allow sshd to use sss_ssh_authorizedkeys, add the following options to the /etc/ssh/sshd_config file as described by the sss_ssh_authorizedkeys(1) man page:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
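As an added example (not part of the Red Hat documentation and not Red Hat's code), the following POSIX shell script audits and adjusts the two SSSD configurations this chapter describes: the local files provider from section 17.1 (a domain with id_provider=files, or enable_files_domain=true in [sssd]) and the ssh responder plus the sshd_config AuthorizedKeysCommand settings from this section. All file contents are constructed samples written to a temporary directory, so nothing on the host is modified; the function names (ini_get, ini_sections, files_provider_enabled, ssh_responder_enabled, ensure_ssh_responder, sshd_uses_sss) and the host names are the example's own, and GNU sed -i is assumed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: audit and adjust the SSSD
# settings the chapter describes. All files are constructed samples in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sssd.conf for an IdM client that has not enabled the ssh responder.
cat > "$WORK/sssd-ipa.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
EOF

# Constructed sssd.conf that explicitly configures the local files domain.
cat > "$WORK/sssd-files.conf" <<'EOF'
[sssd]
services = nss, pam, ssh
domains = local

[domain/local]
id_provider = files
EOF

# Constructed sshd_config excerpt that delegates key lookup to SSSD.
cat > "$WORK/sshd_config" <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF

# Print the value of KEY inside [SECTION] of an INI-style file such as sssd.conf.
# Accepts "key = value" or "key=value"; lines starting with # or ; are comments.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); in_sect = (line == "[" sect "]"); next }
        in_sect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# List the section names of an INI-style file, one per line.
ini_sections() {
    awk '/^[[:space:]]*\[/ { sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, ""); print }' "$1"
}

# True when SSSD will serve local files: enable_files_domain = true in [sssd],
# or some [domain/...] section using id_provider = files.
files_provider_enabled() {
    [ "$(ini_get "$1" sssd enable_files_domain)" = "true" ] && return 0
    for sect in $(ini_sections "$1"); do
        case $sect in domain/*)
            [ "$(ini_get "$1" "$sect" id_provider)" = "files" ] && return 0 ;;
        esac
    done
    return 1
}

# True when "ssh" appears in the comma-separated services list of [sssd].
ssh_responder_enabled() {
    ini_get "$1" sssd services | tr ',' '\n' | tr -d ' \t' | grep -qx ssh
}

# Add ssh to the [sssd] services list if it is missing (GNU sed -i assumed).
ensure_ssh_responder() {
    ssh_responder_enabled "$1" && return 0
    sed -i -E '/^\[sssd\]/,/^\[/ s/^([[:space:]]*services[[:space:]]*=.*[^[:space:]])[[:space:]]*$/\1, ssh/' "$1"
    if ! ssh_responder_enabled "$1"; then
        # No services line in [sssd] at all: add one right after the section header.
        sed -i '/^\[sssd\]/a services = ssh' "$1"
    fi
}

# True when sshd_config names sss_ssh_authorizedkeys as the key command and sets
# the user to run it as. sshd honours the first occurrence of a keyword, so only
# the first match is read.
sshd_uses_sss() {
    cmd=$(awk 'tolower($1) == "authorizedkeyscommand" { print $2; exit }' "$1")
    user=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; exit }' "$1")
    [ "$cmd" = "/usr/bin/sss_ssh_authorizedkeys" ] && [ -n "$user" ]
}

# Stand-alone run: report on the constructed files, then fix the IdM client config.
for f in "$WORK/sssd-ipa.conf" "$WORK/sssd-files.conf"; do
    files_provider_enabled "$f" && fp=yes || fp=no
    ssh_responder_enabled "$f" && sr=yes || sr=no
    echo "$(basename "$f"): files provider=$fp ssh responder=$sr"
done
ensure_ssh_responder "$WORK/sssd-ipa.conf"
echo "after fix: services = $(ini_get "$WORK/sssd-ipa.conf" sssd services)"
sshd_uses_sss "$WORK/sshd_config" && echo "sshd_config: sss_ssh_authorizedkeys configured"
```

Pointing the functions at /etc/sssd/sssd.conf and /etc/ssh/sshd_config turns this into a quick post-upgrade check; the awk-based ini_get reads only the first matching key in a section, which mirrors how a reviewer would read the file but does not replace sssd's own parser (run sssctl config-check for that).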
The custodia package has been removed
The custodia package has been integrated into Red Hat Identity Management in RHEL 9 and is no longer shipped as a separate service.
The gssntlmssp package has been removed
As Windows New Technology LAN Manager (NTLM) is considered insecure, the gssntlmssp package has been removed.