Identity Management


Red Hat Identity Management Portfolio

Red Hat Identity Management in Red Hat Enterprise Linux

Identity Management in Red Hat® Enterprise Linux® is designed and integrated into Red Hat Enterprise Linux to simplify identity management. This feature set is available free with your Red Hat Enterprise Linux subscription. Use it to expand how you use Linux while you reduce costs and administrative load. Increase your compliance levels by implementing identity and access management:

Central Authentication Management

Provides a centralized and clear method for managing:

  • Identities for users, machines, and services within large Linux/Unix enterprise environments
  • Security mechanisms

Integrated Public Key Infrastructure (PKI) Service

  • PKI services that sign and publish certificates for hosts and services
  • Certificate Revocation List (CRL) and OCSP services for software validating the published certificate
  • An API to request, show, and find certificates

Fine-grained Access Control

Lets you define access control policies to govern user identities. The administrator can also delegate selected administrative tasks to other power users to create a clear and simple separation of responsibilities.

One Time Password (OTP)

Provides a popular method for achieving two-factor authentication (2FA). The OTP-based 2FA solution can either use natively managed tokens or leverage third-party 2FA solution by using RADIUS.

Active Directory Cross-Realm Trust

Lets administrators establish cross-forest Kerberos trusts with Microsoft Active Directory. This allows external Active Directory (AD) users convenient access to resources in the Identity Management domain.

Direct Connect to Active Directory

This feature is based on two components:

  • The first component retrieves information from Active Directory (AD)
  • The second discovers information and then simplifies the configuration needed to join a domain or realm in a standard way.

Red Hat Directory Server

Red Hat® Directory Server is an LDAP-compliant server product that centralizes user identity and application information. It provides an operating-system independent, network-based registry that you can use to store:

  • Application settings
  • User profiles
  • Group data
  • Policies
  • Access-control information

It is flexible and can support custom schema.

Red Hat Certificate System

Red Hat® Certificate System has a powerful security framework to manage user identities and ensure communication privacy. By handling the major functions of the identity life cycle, Red Hat Certificate System makes it easier to do enterprise-wide deployments and adopt a public key infrastructure (PKI).

Useful Links

To get started with Identity Management, check out the installation scenarios below.

Installing an IdM server

  1. Enable the idm:DL1 Identity Management server module stream.

     [root@server ~]# yum module enable idm:DL1

  2. Synchronize packages to the Identity Management stream.

     [root@server ~]# yum distro-sync

  3. Download the packages necessary for installing an IdM server with an integrated DNS.

     [root@server ~]# yum module install idm:DL1/dns

     For other installation scenarios, see Installing packages required for an IdM server.

  4. Run the interactive installation utility.

     [root@server ~]# ipa-server-install

  5. During the interactive session, answer a series of simple questions to set the following entries:

     • Integrated DNS - to configure an integrated DNS service, enter "yes"
     • Host name - by default obtained using reverse DNS
     • Domain name - by default based on the host name
     • Realm name - by default based on the host name
     • Password for Directory Manager - an administrator account for Directory Server
     • Password for IPA administrator - a superuser for the IdM Server
     • Per-server DNS forwarders - for default forwarding policy settings, see the --forward-policy description in the ipa-dns-install(1) man page
     • Reverse zones - the script can check DNS reverse (PTR) records and create new reverse zones if needed

  6. Enter yes to confirm the server configuration.

     Continue to configure the system with these values? [no]: yes

  7. After the installation, authenticate to the Kerberos realm to ensure that the administrator is properly configured.

     [root@server ~]# kinit admin

Installing an IdM client

  1. Download the packages necessary for installing an IdM client.

     [root@client ~]# yum module install idm

  2. Run the interactive installation utility on the client machine.

     [root@client ~]# ipa-client-install --enable-dns-updates --mkhomedir

  3. The installation script will attempt to obtain all the required settings, such as DNS records, automatically. Enter "yes" to confirm.

     Client hostname:
     Realm: EXAMPLE.COM
     DNS Domain:
     IPA Server:
     BaseDN: dc=example,dc=com

     Continue to configure the system with these values? [no]: yes

  4. Enter the credentials of a user whose identity will be used to enroll this client.

     User authorized to enroll computers: admin
     Password for admin@EXAMPLE.COM:

  5. To test that the installation was successful, check that the client is able to obtain information about users from the IdM server.

     [user@client ~]$ id admin
     uid=1254400000(admin) gid=1254400000(admins) groups=1254400000(admins)

     To test that authentication works correctly, su to root from a non-root user:

     [user@client ~]$ su -
     Last login: Thu Oct 18 18:39:11 CEST 2018 from on pts/0
     [root@client ~]#
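The two procedures above as one unattended script, added here as an example and not Red Hat's own code: it applies the defaults the interactive installer derives (domain from the host name, realm from the domain) and repeats the post-install checks. It assumes the host name server.example.com, the documentation address 192.0.2.53 as the DNS forwarder, and the two passwords in the DM_PASSWORD and ADMIN_PASSWORD environment variables.

```shell
#!/bin/sh
# Added example, not Red Hat's code: unattended server and client enrollment
# mirroring the interactive steps above. Assumed: server.example.com, forwarder
# 192.0.2.53, passwords supplied in DM_PASSWORD and ADMIN_PASSWORD.
set -eu

# Installer defaults from step 5: domain = host name minus its first label,
# realm = the domain upper-cased.
derive_domain() { printf '%s\n' "${1#*.}"; }
derive_realm()  { derive_domain "$1" | tr '[:lower:]' '[:upper:]'; }

# Client step 5 as a check: does the `id` output name the admin user and the
# admins group, i.e. did the client resolve an IdM identity from the server?
idm_identity_resolved() {
    printf '%s\n' "$1" | grep -Eq '^uid=[0-9]+\(admin\) gid=[0-9]+\(admins\)'
}

# Server steps 1-7 without prompts. --forward-policy=only sends every
# non-local query to the forwarder; --auto-reverse creates missing PTR zones.
install_idm_server() {
    fqdn=$1; forwarder=$2
    yum -y module enable idm:DL1 && yum -y distro-sync && yum -y module install idm:DL1/dns
    ipa-server-install --unattended --hostname="$fqdn" \
        --domain="$(derive_domain "$fqdn")" --realm="$(derive_realm "$fqdn")" \
        --setup-dns --forwarder="$forwarder" --forward-policy=only --auto-reverse \
        --ds-password="$DM_PASSWORD" --admin-password="$ADMIN_PASSWORD"
    printf '%s\n' "$ADMIN_PASSWORD" | kinit admin   # step 7: obtain a TGT as admin
    klist -s                                        # fails if no valid ticket exists
}

# Client steps 1-5. --principal/--password replace the interactive enrollment
# prompt; the id check is the same verification as step 5.
install_idm_client() {
    yum -y module install idm
    ipa-client-install --unattended --enable-dns-updates --mkhomedir \
        --principal=admin --password="$ADMIN_PASSWORD"
    idm_identity_resolved "$(id admin)"
}

# Nothing runs until a role is chosen, e.g.: IDM_ROLE=server sh idm-install.sh
case "${IDM_ROLE:-}" in
    server) install_idm_server "$(hostname -f)" "192.0.2.53" ;;
    client) install_idm_client ;;
esac
```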


Two-factor Authentication

Advantages of One-time Passwords (OTPs)

OTPs are a type of two-factor authentication (2FA) that create a unique password each time you log in to a system. Even if the password is stolen, the OTP cannot be used to log in again. Red Hat® Identity Management combines OTP with SSO (Single Sign-On), so that you can perform the OTP operation once and then be authenticated for multiple applications.

Trusts Between Active Directory and Red Hat Identity Management

Host-Based Access Control (HBAC)

Rules for Host-Based Access Control (HBAC)

Identity Management in Red Hat Enterprise Linux allows you to define HBAC rules to control access to both machines and the services on those machines within the IdM domain. An HBAC rule defines who can access what within the domain. This greatly improves security by providing support for access control granularity in highly complex domain environments.
