Identity Management
Red Hat Identity Management Portfolio

Red Hat Identity Management in Red Hat Enterprise Linux

Identity Management in Red Hat® Enterprise Linux® is designed and integrated into Red Hat Enterprise Linux to simplify identity management. This feature set is available free with your Red Hat Enterprise Linux subscription. Use it to expand how you use Linux while you reduce costs and administrative load. Increase your compliance levels by implementing identity and access management:

Central Authentication Management

Provides a centralized and clear method for managing:

  • Identities for users, machines, and services within large Linux/Unix enterprise environments
  • Security mechanisms

Integrated Public Key Infrastructure (PKI) Service

  • PKI services that sign and publish certificates for hosts and services
  • Certificate Revocation List (CRL) and OCSP services for software validating the published certificates
  • An API to request, show, and find certificates

Fine-grained Access Control

Lets you define access control policies to govern user identities. The administrator can also delegate selected administrative tasks to other power users to create a clear and simple separation of responsibilities.

One Time Password (OTP)

Provides a popular method for achieving two-factor authentication (2FA). The OTP-based 2FA solution can either use natively managed tokens or leverage a third-party 2FA solution through RADIUS.

Active Directory Cross-Realm Trust

Lets administrators establish cross-forest Kerberos trusts with Microsoft Active Directory. This allows external Active Directory (AD) users convenient access to resources in the Identity Management domain.

Direct Connect to Active Directory

This feature is based on two components:

  • The first component retrieves information from Active Directory (AD)
  • The second component discovers information and then simplifies the configuration needed to join a domain or realm in a standard way.

Red Hat Directory Server

Red Hat® Directory Server is an LDAP-compliant server product that centralizes user identity and application information. It provides an operating-system independent, network-based registry that you can use to store:

  • Application settings
  • User profiles
  • Group data
  • Policies
  • Access-control information

It is flexible and can support custom schema.

Red Hat Certificate System

Red Hat® Certificate System has a powerful security framework to manage user identities and ensure communication privacy. By handling the major functions of the identity life cycle, Red Hat Certificate System makes it easier to do enterprise-wide deployments and adopt a public key infrastructure (PKI).

Useful Links

To get started with Identity Management, check out the installation scenarios below:

    A typical installation of your Identity Management (IdM) server will take approximately 10 minutes:

  1. Install the Identity Management server package.

     [root@server ~]# yum install ipa-server

  2. Configure a host name for your system.

     [root@server ~]# hostnamectl set-hostname

  3. Run the installation script for the Identity Management server.

     [root@server ~]# ipa-server-install

  4. During the interactive session, answer a series of simple questions to set the following entries:

     • Integrated DNS - if your DNS zone and SRV records are properly set on your system, you may proceed by selecting the default value "no".
     • Host name - by default obtained using reverse DNS
     • Domain name - by default based on the host name
     • Realm name - by default based on the host name
     • Password for Directory Manager - an administrator account for Directory Server
     • Password for IPA administrator - a superuser for the IdM Server

  5. After the installation, authenticate to the Kerberos realm to ensure that the administrator is properly configured.

     [root@server ~]# kinit admin

    A typical installation of an IdM client will take approximately 1 minute:

  1. Run the installation script on the client machine with the following parameters to enroll the host to the IdM realm.

     [root@client ~]# ipa-client-install --server --domain

     Note that if your DNS zone and SRV records are set properly on your system, the auto-discovery feature will enroll your host without the need to specify the server and the domain, and the clients will fail over in case the original IPA server becomes unavailable.

  2. After the installation, authenticate to the Kerberos realm to ensure that the administrator is properly configured.

     [root@client ~]# kinit admin

     You can also print basic account information to verify that the SSSD service is running as expected:

     [root@client ~]# id admin


Two-factor Authentication

Advantages of One-time Passwords (OTPs)

OTPs are a type of two-factor authentication (2FA) that create a unique password each time you log in to a system. Even if the password is stolen, the OTP cannot be used to log in again. Red Hat® Identity Management combines OTP with SSO (Single Sign-On), so that you can perform the OTP operation once and then be authenticated for multiple applications.

Trusts Between Active Directory and Red Hat Identity Management

Host-Based Access Control (HBAC)

Rules for Host-Based Access Control (HBAC)

Identity Management in Red Hat Enterprise Linux allows you to define HBAC rules to control access to both machines and the services on those machines within the IdM domain. An HBAC rule defines who can access what within the domain. This greatly improves security by providing support for access control granularity in highly complex domain environments.
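The following is an added example, not Red Hat's or FreeIPA's code: a small model of how a set of HBAC rules is evaluated for one access request (who, which host, which service), in the spirit of what the `ipa hbactest` command reports. The rule fields, the "all" category and the default `allow_all` rule mirror FreeIPA behaviour; group membership is flattened into plain sets here instead of being resolved from LDAP.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class HBACRule:
    """One HBAC rule: who (users/groups) may use what (services) where (hosts)."""
    name: str
    enabled: bool = True
    # A category of "all" matches every entity; otherwise the explicit sets apply.
    user_category: str | None = None
    host_category: str | None = None
    service_category: str | None = None
    users: set[str] = field(default_factory=set)
    user_groups: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    host_groups: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)

def _matches(category, explicit, entity, entity_groups, explicit_groups):
    if category == "all":
        return True
    return entity in explicit or bool(entity_groups & explicit_groups)

def rule_matches(rule, user, user_groups, host, host_groups, service):
    """True if this enabled rule grants `user` access to `service` on `host`."""
    if not rule.enabled:
        return False
    return (
        _matches(rule.user_category, rule.users, user, user_groups, rule.user_groups)
        and _matches(rule.host_category, rule.hosts, host, host_groups, rule.host_groups)
        and (rule.service_category == "all" or service in rule.services)
    )

def hbac_test(rules, user, user_groups, host, host_groups, service):
    """Names of the enabled rules that grant access; an empty list means denied."""
    return [r.name for r in rules
            if rule_matches(r, user, user_groups, host, host_groups, service)]

# Constructed sample policy. FreeIPA ships an enabled "allow_all" rule; while it
# stays enabled every other rule is irrelevant, so it is disabled here and one
# narrow rule grants the "dba" group ssh and sudo on the "db-servers" host group.
RULES = [
    HBACRule("allow_all", enabled=False, user_category="all",
             host_category="all", service_category="all"),
    HBACRule("dba_db_ssh", user_groups={"dba"}, host_groups={"db-servers"},
             services={"sshd", "sudo"}),
]

if __name__ == "__main__":
    print(hbac_test(RULES, "alice", {"dba"}, "db1.example.test", {"db-servers"}, "sshd"))
```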
