identity and directories with freeipa
play

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. - PowerPoint PPT Presentation

Sep 17, 2022 •164 likes •487 views

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

  1. Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce

  2. What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers. “IPA” stands for Identity, Policy and Audit 2 NYLUG – Simo Sorce - FreeIPA

  3. FreeIPA project The FreeIPA project can be defined as a meta- project. It integrates existing Open Source components into a cohesive and harmonized solution. The goal of the FreeIPA project is to provide an easy to use and install but powerful Identity Management solution for Linux environments. 3 NYLUG – Simo Sorce - FreeIPA

  4. Identity Management ? NYLUG – Simo Sorce - FreeIPA

  5. Identity Management “Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” Wikipedia 5 NYLUG – Simo Sorce - FreeIPA

  6. Identity Management - Basics Identities Authentication Access Control When talking about identities Authentication is the act of The end goal is to be able to in FreeIPA we think equally identifying one actor to apply access policies and of users, hosts and services. another. enforce access privileges. Identity implies concepts In FreeIPA both users and FreeIPA implements a such as naming , credentials , machines own credentials number of standard access privileges , identification is and can authenticate (to) controls as well as new ones key to establish relations each other. (like Host Based Access with other objects. Control). 6 NYLUG – Simo Sorce - FreeIPA

  7. Why should I care for Identity Management ? Every networked machine needs accounts and authentication services. From small startups to big enterprises, from cloud deployments to on-premise, every system admin or devop environment faces the problem of managing users, admins, systems, their credentials and keys, and control and coordinate access. ? Purpose built Identity Management systems reduce errors, and improve productivity of both admins and users by simplifying management. 7 NYLUG – Simo Sorce - FreeIPA

  8. Identities and Directories NYLUG – Simo Sorce - FreeIPA

  9. Just a directory ? A directory is necessary but not sufficient. A modern system includes dedicated authentication services, policies and a way to manage all these components. Naming is also important over networks; if you can't resolve names you can't effectively use modern security and crypto services. 9 NYLUG – Simo Sorce - FreeIPA

  10. FreeIPA Components Core: FreeIPA NTPD 389ds LDAP Server MIT Krb5 KDC Web UI / CLI DNS HTTP APIs / Web UI Python IPA framework Kerberos KDC NTPD server CS (PKI CA) Optional: BIND9 DNS Server Dogtag Certificate System LDAP Directory 10 NYLUG – Simo Sorce - FreeIPA

  11. Holistic approach Not just a bag of parts. Conceal complexity with consistent management interfaces. All the functions are available both via a pleasing Web UI and a powerful CLI all based on the same API. 11 NYLUG – Simo Sorce - FreeIPA

  12. So, what can it do for you ? NYLUG – Simo Sorce - FreeIPA

  13. Manage identities Full identity life-cycle management for: Users Nested user groups Hosts Nested host groups Services Private user groups Auto-membership External users and Netgroups groups Automount maps User self-service 13 NYLUG – Simo Sorce - FreeIPA

  14. Policy & Security Extensive security policy Role-based, fine-grained delegation of administrative management capabilities: privileges. Host Based Access Control Centralized Sudo Policies Hosts SSL Certificates Groups based password policies management including revocation and automatic renewal via integrated CA and client tools Two Factor Authentication via Hard or Soft-token (TOTP/HOTP) Secure DNS updates (GSS-TSIG) SSH Keys management SELinux User Mapping Both host and user public keys 14 NYLUG – Simo Sorce - FreeIPA

  15. Simple and powerful setup tools Install scripts are used to configure both servers and clients ipa-server-install first server instance ipa-replica-install additional freeipa servers ipa-client-install quick client domain join and setup ipa-advise tool help admins with configuration advice ipa tool command line administrative interface 15 NYLUG – Simo Sorce - FreeIPA

  16. Scalable Location 2 Location 1 16 NYLUG – Simo Sorce - FreeIPA

  17. Integration tools Directory migration ipa migrate-ds tool Including password migration Legacy clients compatibility: Internal NIS server (translates from LDAP data) LDAP “compat” tree for legacy RFC2307-only clients Active Directory Integration via cross-forest trust or sync 17 NYLUG – Simo Sorce - FreeIPA

  18. Trust ? NYLUG – Simo Sorce - FreeIPA

  19. Active Directory Integration (Trust) Active Directory FreeIPA TRUST user@domain.ad Linux 19 NYLUG – Simo Sorce - FreeIPA

  20. Active Directory Cross-Forest Trust Features Authentication to FreeIPA clients Multiple Posix ID mapping choices Password based PAM login Autogenerated IDs GSSAPI/Krb5 single sign on to RFC2307 IDs from AD services ID Views SSH, HTTP/Negotiate, etc.. legacy clients External membership in FreeIPA migrations groups Including (indirect) membership in posix groups for file and other access control 20 NYLUG – Simo Sorce - FreeIPA

  21. Active Directory Integration (Sync) Active Directory Sync users FreeIPA & paswords Linux 21 NYLUG – Simo Sorce - FreeIPA

  22. Clients NYLUG – Simo Sorce - FreeIPA

  23. Clients The 'official' FreeIPA client is SSSD (System Security Services Daemon). SSSD replaces legacy clients like pam_ldap/nss_ldap/pam_krb5 (they are also still fully supported as clients, but they do not offer all the advanced features of SSSD). Certmonger is the client tool used to fetch and automatically renew certificates. 23 NYLUG – Simo Sorce - FreeIPA

  24. SSSD SSSD is the recommended client agent for FreeIPA. But SSSD is more than that, it is a generic agent to connect to identity information and authentication services. SSSD is in fact a pluggable service that provides connectors for multiple identity systems (even at the same time) and organizes identity information sources into “domains”: FreeIPA Domains Active Directory Domains Plain LDAP servers ... 24 NYLUG – Simo Sorce - FreeIPA

  25. SSSD FreeIPA IPA Prov. SUDO Resp. User AD Prov. AD GPO Application pam_sss PAM Resp. Active Cache Directory nss_sss NSS Resp. 25 NYLUG – Simo Sorce - FreeIPA

  26. Key SSSD Features Smart caching of identity information Automatically refreshed as needed Offline identity and authentication support via caching: network interruptions, server maintenance windows, good for laptops Better client behavior: Keeps access credentials private Saves load on the servers thanks to caching and connection pooling. Advanced FreeIPA / AD features 26 NYLUG – Simo Sorce - FreeIPA

  27. Let's take a look at FreeIPA 27 NYLUG – Simo Sorce - FreeIPA

  28. Future features Enterprise user life-cycle User provisioning into staging area and admin controlled activation, recover of deleted users DNSSEC support Automatic zone signing and key rotation Ipsilon Identity Provider (spinoff project) Web authentication and Federation SAML, OpenID, OpenID Connect, Persona, etc... 28 NYLUG – Simo Sorce - FreeIPA

  29. Future features - continued Password vault Allow users or services to store passwords and other secrets in the directory and retrieve them anywhere using a master password With optional escrow for admins Security domains Scope limited sub-CAs VPN Certs Puppet Certs .... 29 NYLUG – Simo Sorce - FreeIPA

  30. Clearly the best thing since sliced bread! FreeIPA Server available in: RHEL / CentOS / Fedora Debian (unstable) Ubuntu (15.04) SSSD Client available in pretty much all distros and even FreeBSD Cures admin-blues in minutes! As seen on TV! 30 NYLUG – Simo Sorce - FreeIPA

  31. Questions ? Learn more http://freeipa.org http://fedorahosted.org/sssd IRC – FreeNode: #freeipa, #sssd Try it out Demo site: http://ipa.demo1.freeipa.org FreeOTP: https://fedorahosted.org/freeotp Docker Images: http://www.freeipa.org/page/Docker 31 NYLUG – Simo Sorce - FreeIPA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

729 views • 28 slides
Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

352 views • 17 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

406 views • 16 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

792 views • 31 slides
GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

669 views • 30 slides
Files and Streams File Directories File Directory A set of files and other (sub)directories

Files and Streams File Directories File Directory A set of files and other (sub)directories

Files and Streams File Directories File Directory A set of files and other (sub)directories Principle function: help people find their way around data on a system Implementation Directories are stored as additional files OS maintains a file

486 views • 9 slides
Files and Directories Dalhousie University Winter 2019 Files and Directories Much of the

Files and Directories Dalhousie University Winter 2019 Files and Directories Much of the

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science Files and Directories Dalhousie University Winter 2019 Files and Directories Much of the operation of Unix and programs running on Unix can be described as processes

701 views • 44 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
Directories & Continuation This Week: How to program with directories more Reading:

Directories & Continuation This Week: How to program with directories more Reading:

Overview Last Week: Efficiency read/write The File File pointer Unix System Programming File control/access Permissions, Meta Data, Ownership, umask, holes Directories & Continuation This Week: How to program with

518 views • 9 slides
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

1.33k views • 106 slides
PATHS & DIRECTORIES MCS 260 Fall 2020 Week 1 Discussion / FILES AND DIRECTORIES A file is a

PATHS & DIRECTORIES MCS 260 Fall 2020 Week 1 Discussion / FILES AND DIRECTORIES A file is a

PATHS & DIRECTORIES MCS 260 Fall 2020 Week 1 Discussion / FILES AND DIRECTORIES A file is a named object that stores data (e.g. a document). Files cannot contain other files. A directory or folder is a container that stores files &

517 views • 9 slides
Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes Identity theft can cost you time and money. Tips for Preventing Identity Theft

322 views • 10 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
IDENTITY What is the Relationship Between Identity and the College Experience? What Role

IDENTITY What is the Relationship Between Identity and the College Experience? What Role

2/15/2019 Jordan Truex Agenda or Summary Layout The Road to SelfAuthorship NonTraditional Students Effective Interview Strategies Meeting the Student Where They Are IDENTITY What is the Relationship Between Identity and the

367 views • 10 slides
What is Identity Theft? "Someone obtaining your personal identifying information without

What is Identity Theft? "Someone obtaining your personal identifying information without

Identity Fraud: Protecting Your Identity Between Work and Play Ryan Sothan, Outreach Coordinator Nebraska Department of Justice, Office of the Attorney General Consumer Protection and Anti-Trust Division What is Identity Theft?

314 views • 18 slides
SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type

SElinux filesystem filesystem labeling labeling SElinux and type enforcement and type enforcement November 13, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments

356 views • 24 slides
Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09

Securing Web Content Joakim Koskela, Nicholas Weaver, Andrei Gurtov and Mark Allman ReArch'09 Rome, December 1 s t 2009 2009-12-01 2009-12-01 How do we protect the user without dwarfing the web experience? Nature of the web has changed

464 views • 30 slides
Page Segmentation by Web Content Clustering Sadet Alcic Heinrich-Heine-University of Duesseldorf

Page Segmentation by Web Content Clustering Sadet Alcic Heinrich-Heine-University of Duesseldorf

Page Segmentation by Web Content Clustering Sadet Alcic Heinrich-Heine-University of Duesseldorf Department of Computer Science Institute for Databases and Information Systems May 26, 2011 WIMS 11 1 / 19 Outline 1 Introduction Motivation

654 views • 40 slides
Semantic Web Challenge on Tabular Data to KG Matching Kavitha Srinivas , IBM Research, USA Ernesto

Semantic Web Challenge on Tabular Data to KG Matching Kavitha Srinivas , IBM Research, USA Ernesto

Semantic Web Challenge on Tabular Data to KG Matching Kavitha Srinivas , IBM Research, USA Ernesto Jimnez-Ruiz , City, University of London, UK Oktie Hassanzadeh , IBM Research, USA Jiaoyan Chen , University of Oxford, UK Vasilis Efthymiou , IBM

363 views • 23 slides
Lab 0 Objectives Intro to Labs Intro to Operating Systems Start Lab #0 UNIX/Linux

Lab 0 Objectives Intro to Labs Intro to Operating Systems Start Lab #0 UNIX/Linux

Lab 0 Objectives Intro to Labs Intro to Operating Systems Start Lab #0 UNIX/Linux intro Use jEdit (Text Editor) Create Web page Sakai (Forum for Broader Issues) Jan 8, 2019 Sprenkle - CSCI111 1 Intro to Labs

427 views • 18 slides
9 MARCH, 2016 Activating your Student Website CSE 154 Web Programming First Things First

9 MARCH, 2016 Activating your Student Website CSE 154 Web Programming First Things First

9 MARCH, 2016 Activating your Student Website CSE 154 Web Programming First Things First Youve got this. The Final Exam will be held at 8:30 next Thursday We will hold a Final Exam review session next Wednesday (time/location TBD)

561 views • 17 slides
MC714: Sistemas Distribu dos Prof. Lucas Wanner Instituto de Computac ao, Unicamp

MC714: Sistemas Distribu dos Prof. Lucas Wanner Instituto de Computac ao, Unicamp

MC714: Sistemas Distribu dos Prof. Lucas Wanner Instituto de Computac ao, Unicamp Aula 27: Sistemas Web Distribu dos Distributed Web-based systems Essence The WWW is a huge client-server system with millions of servers; each

347 views • 13 slides
Should a Carbon Tax Be Part of the Strategy for Achieving 100% Clean Energy? November 18, 2020

Should a Carbon Tax Be Part of the Strategy for Achieving 100% Clean Energy? November 18, 2020

100% Clean Energy Collaborative Webinar Should a Carbon Tax Be Part of the Strategy for Achieving 100% Clean Energy? November 18, 2020 Webinar Logistics Join audio: Choose Mic & Speakers to use VoIP Choose Telephone and dial

692 views • 40 slides

More recommend