Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

第13章 認証と相互運用性

Manual Backup and Restore Functionality

This update introduces the ipa-backup and ipa-restore commands to Identity Management (IdM), which allow users to manually back up their IdM data and restore them in case of a hardware failure. For further information, see the ipa-backup(1) and ipa-restore(1) manual pages or the documentation in the Linux Domain Identity, Authentication, and Policy Guide.

WinSync から Trust への移行サポート

This update implements the new ID Views mechanism of user configuration. It enables the migration of Identity Management users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For the details of ID Views and the migration procedure, see the documentation in the Windows Integration Guide.

One-Time Password Authentication

One of the best ways to increase authentication security is to require two factor authentication (2FA). A very popular option is to use one-time passwords (OTP). This technique began in the proprietary space, but over time some open standards emerged (HOTP: RFC 4226, TOTP: RFC 6238). Identity Management in Red Hat Enterprise Linux 7.1 contains the first implementation of the standard OTP mechanism. For further details, see the documentation in the System-Level Authentication Guide.

Common Internet File System 向け SSSD 統合

A plug-in interface provided by SSSD has been added to configure the way in which the cifs-utils utility conducts the ID-mapping process. As a result, an SSSD client can now access a CIFS share with the same functionality as a client running the Winbind service. For further information, see the documentation in the Windows Integration Guide.


The ipa-cacert-manage renew command has been added to the Identity management (IdM) client, which makes it possible to renew the IdM Certification Authority (CA) file. This enables users to smoothly install and set up IdM using a certificate signed by an external CA. For details on this feature, see the ipa-cacert-manage(1) manual page.


It is now possible to regulate read permissions of specific sections in the Identity Management (IdM) server UI. This allows IdM server administrators to limit the accessibility of privileged content only to chosen users. In addition, authenticated users of the IdM server no longer have read permissions to all of its contents by default. These changes improve the overall security of the IdM server data.


The domains= option has been added to the pam_sss module, which overrides the domains= option in the /etc/sssd/sssd.conf file. In addition, this update adds the pam_trusted_users option, which allows the user to add a list of numerical UIDs or user names that are trusted by the SSSD daemon, and the pam_public_domains option and a list of domains accessible even for untrusted users. The mentioned additions allow the configuration of systems, where regular users are allowed to access the specified applications, but do not have login rights on the system itself. For additional information on this feature, see the documentation in the Linux Domain Identity, Authentication, and Policy Guide.


ipa-client-install コマンドではデフォルトで SSSD を sudo サービスのデータプロバイダーとして設定するようになります。この動作は --no-sudo オプションを使用すると無効にすることができます。また、Identity Management クライアントのインストール用 NIS ドメインを指定する --nisdomain オプション、NIS ドメイン名を設定しないようにする --no_nisdomain オプションがそれぞれ追加されています。いずれのオプションも使用しないと IPA ドメインが使用されます。

AD および LDAP の sudo プロバイダーの使い方

AD プロバイダーは Active Directory サーバーへの接続に使用するバックエンドです。Red Hat Enterprise Linux 7.1 では AD sudo プロバイダーと LDAP プロバイダーとの併用はテクノロジープレビューとしての対応になります。AD sudo プロバイダーを有効にするには sudo_provider=ad 設定を sssd.conf ファイルのドメインセクションに追加します。

32-bit Version of krb5-server and krb5-server-ldap Deprecated

The 32-bit version of Kerberos 5 Server is no longer distributed, and the following packages are deprecated since Red Hat Enterprise Linux 7.1: krb5-server.i686, krb5-server.s390, krb5-server.ppc, krb5-server-ldap.i686, krb5-server-ldap.s390, and krb5-server-ldap.ppc. There is no need to distribute the 32-bit version of krb5-server on Red Hat Enterprise Linux 7, which is supported only on the following architectures: AMD64 and Intel 64 systems (x86_64), 64-bit IBM Power Systems servers (ppc64), and IBM System z (s390x).

SSSD Leverages GPO Policies to Define HBAC

SSSD is now able to use GPO objects stored on an AD server for access control. This enhancement mimics the functionality of Windows clients, allowing to use a single set of access control rules to handle both Windows and Unix machines. In effect, Windows administrators can now use GPOs to control access to Linux clients.

Apache Modules for IPA

A set of Apache modules has been added to Red Hat Enterprise Linux 7.1 as a Technology Preview. The Apache modules can be used by external applications to achieve tighter interaction with Identity Management beyond simple authentication.

このページには機械翻訳が使用されている場合があります (詳細はこちら)。