identity management
play

Identity Management Scaling Out and Up Jan Pazdziora Principal - PowerPoint PPT Presentation

Aug 29, 2023 •502 likes •700 views

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat jpazdziora@redhat.com 15 th October 2014 Identity Users; user groups. Hosts; host groups; services. Identities

  1. Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat jpazdziora@redhat.com 15 th October 2014

  2. Identity ■ Users; user groups. Hosts; host groups; services. ■ Identities can hold additional attributes and objects, such as certificates or keytabs. ■ They can be used to drive behavior. $ id bob uid=1108923(bob) gid=1108923(bob) groups=1108923(bob),10(wheel) $ ssh alice@host1.example.com [alice@host1 ~]$ ■ Traditional identity sources: /etc/passwd , /etc/group . ■ Goals for large organizations: ■ Manage identities centrally, or consume external identities managed by other departments. ■ Use identities for applications as well, not just for operating system. Identity Management Jan Pazdziora 2 / 18

  3. Centralized identity sources ■ Typically achieved by using directory servers. ■ Not exactly trivial. ■ Master posixAccount , organizationalPerson , organizationalRole , learn about *.schema files, indexes, ACLs, get cn= and dc= right... ■ $ slapcat ... > data.ldif $ vi data.ldif $ ldapadd -x -D ... -W -f data.ldif $ ldapmodify -x -D ... -W -f ■ Deal with new versions of software and schemas. ■ When Kerberos is required, manually edit /var/kerberos/krb5kdc/ kdc.conf , /etc/krb5.conf , get familiar with kadmin.local , ... ■ Manually editing DNS zone files is not easy either. Integrated Identity Management Jan Pazdziora 3 / 18

  4. Integrated identity management ■ Just external centralized identity source is not enough. ■ Solution: FreeIPA (IPA). ■ Layer on top of directory server, Kerberos key distribution center, optionally DNS, and certification authority. ■ Subsystems are kept in sync via LDAP backend. Creating user means Kerberos principal immediately exists, adding host can add IP address to DNS automatically, creating service means Kerberos keytab can be retrieved. ■ With host-based access control rules, sudo rules, automount maps, ... ■ With configuration script: # ipa-server-install ... ■ With CLI. ■ With WebUI. Integrated Identity Management Jan Pazdziora 4 / 18

  5. IPA CLI $ ipa user-add --random --first David --last Smith david ------------------ Added user "david" ------------------ User login: david First name: David Last name: Smith Full name: David Smith Display name: David Smith Initials: DS Home directory: /home/david GECOS: David Smith Login shell: /bin/sh Kerberos principal: david@EXAMPLE.COM Email address: david@example.com Random password: -VyDwrTgXKXK UID: 830600007 GID: 830600007 Password: True Member of groups: ipausers Kerberos keys available: True Integrated Identity Management Jan Pazdziora 5 / 18

  6. IPA CLI (continued) $ ipa host-add --ip-address 10.0.0.34 wiki2.example.com --no-reverse -------------------------------- Added host "wiki2.example.com" -------------------------------- Host name: wiki2.example.com Principal name: host/wiki2.example.com@EXAMPLE.COM Password: False Keytab: False Managed by: wiki2.example.com $ ipa dnsrecord-find example.com wiki2 Record name: wiki2 A record: 10.0.0.34 ---------------------------- Number of entries returned 1 ---------------------------- $ host wiki2 wiki2.example.com has address 10.0.0.34 Integrated Identity Management Jan Pazdziora 6 / 18

  7. IPA WebUI Integrated Identity Management Jan Pazdziora 7 / 18

  8. Simple use on Linux clients ■ sssd: System Security Services Daemon. ■ Caching for speed and offline use, failover support, multiple domains. ■ Integration to PAM via pam_sss.so . ■ Sudo rules, automount maps, SELinux user mapping, handling of ssh public keys, ... ■ With configuration script: # ipa-client-install ... ■ IPA is not mandatory on the server side — sssd can be configured to use other provider types than just IPA servers. Integrated Identity Management Jan Pazdziora 8 / 18

  9. Replicating IPA ■ For failover. ■ For high availability. ■ Create GPG-encrypted replica information file. [root@ipa ~]# ipa-replica-prepare ipa2.example.com ■ Copy the encrypted file to the replica machine. ■ Configure the replica [root@ipa2 ~]# ipa-replica-install replica-info-ipa2.example.com.gpg ■ Multi-master replication means either of the master or replica can be used for write operations. ■ sssd and other OS-libraries are able to failover to replicas. Identity Management Scaling Out Jan Pazdziora 9 / 18

  10. Cross-realm trust ■ Active Directory users accessing Linux machines and services run in Linux realm. ■ And vice versa. ■ Enable trust support in IPA # ipa-adtrust-install --netbios-name=EXAMPLE -a password ■ Set up DNS forwarding in IPA to AD # ipa dnsforwardzone-add addomain.test \ --forwarder=10.1.2.3 --forward-policy=only ■ Set up DNS forwarding in AD to IPA C:\> dnscmd 127.0.0.1 /ZoneAdd EXAMPLE.COM /Forwarder 10.0.0.10 ■ Establish two-way trust # ipa trust-add --type=ad ADDOMAIN.TEST --admin Administrator ... Identity Management Scaling Out Jan Pazdziora 10 / 18

  11. The architecture IPA-enrolled client workstation Windows client ⇓ ⇓ Active IPA realm Directory realm ⟺ Active Directory IPA master ⟺ IPA replica server ⇑ ⇑ IPA-enrolled server Windows server The arrows show the direction of the enrollment / trust and authentication operations. Communication can place from any client to any server. Identity Management Scaling Out Jan Pazdziora 11 / 18

  12. Identity management scaling out ■ With IPA replicas, robust identity and authentication source setup can be achieved. ■ With cross-realm trust, Linux-hosted services on IPA-enrolled machines can be accessed by users authenticated to Windows domain. ■ In Windows, users get Kerberos ticket (TGT) just by logging in. ■ In Linux, kinit or graphical tools can be used. ■ The net result is simpler user experience with less passwords to be remembered and easier management of the whole setup. ■ IPA or sssd not present in your favorite Linux distribution? ■ While we might not be able to add them there ourselves, we will be happy to help people who would like to package and maintain them. ■ Container images are available for testing purposes. Identity Management Scaling Out Jan Pazdziora 12 / 18

  13. User identities in applications ■ So far we have looked at OS-level authentication and identity services. ■ IPA on server and sssd on clients provide robust and flexible solution. ■ Assume organization deploys new application (typically Web-based). ■ How will the user identities be managed? ■ Proposal: use what already works for operating system. ■ Instead of every application or application framework implementing the same complex support for various types of authentication sources and failover and caching and reestablishing network connections, take advantage of sssd. Identity Management Scaling Up Jan Pazdziora 13 / 18

  14. Authentication in Apache modules ■ mod_authnz_pam ■ PAM authentication. ■ Access control module (even for Kerberos / mod_auth_kerb). ■ With configurable PAM service name and pam_sss.so , it can take advantage of IPA's HBAC mechanism. ■ mod_intercept_form_submit ■ Intercept logon form POST submission. ■ Attempt PAM authentication with [ login, password ] pair. ■ mod_lookup_identity ■ Retrieve additional attributes of authentication user from sssd. ■ What Web application often need: name, email address, group membership. Identity Management Scaling Up Jan Pazdziora 14 / 18

  15. Module overview Apache Modules Authen. Method Authentication Access Check Extra User Info Application None Kerberos mod_auth_kerb mod_nss mod_authnz_pam Certificate mod_lookup_identity mod_ssl Form- mod_intercept_form_submit Based Identity Management Scaling Up Jan Pazdziora 15 / 18

  16. Applications easy to adapt ■ Changes to the application or framework code are very small. ■ Many already support REMOTE_USER authentication, from HTTP Basic Authentication days. ■ Applications become accessible by all users in the organization, in authenticated manner. ■ No more manually managing users in applications' user tables ■ User records can get auto-populated and updated whenever the user logs in. ■ Applications still locally manage mapping of groups to roles or authorization permissions. ■ The user group membership information provided by the external identity provider via Apache drives the access check. Identity Management Scaling Up Jan Pazdziora 16 / 18

  17. Identity management scaling up ■ The same code and setups which support large scale deployments on operating system level can be used for Web applications as well. ■ Spacewalk, Foreman, or ManageIQ already take advantage of it. ■ Django being investigated. ■ Your favorite application not supporting Kerberos or IPA's HBAC? ■ While we might not be able to enable them for this type of authentication ourselves, we will be happy to help people who would like to add the feature. Identity Management Scaling Up Jan Pazdziora 17 / 18

  18. Conclusion and references ■ Solutions for flexible and scalable identity management setups exist: ■ Integrated server side, with AD integration. ■ Operating system level. ■ Web applications. ■ They make mid-size setups easy, large-size setups possible. ■ Explore them, use them, let us know what you think. ■ www.freeipa.org ■ fedorahosted.org/sssd/ ■ www.freeipa.org/page/Web_App_Authentication ■ github.com/adelton/docker-freeipa Jan Pazdziora 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and

Trust, Identity Management and GENI Dr. Ken Klingenstein, Senior Director, Middleware and Security, Internet2 Technologist, University of Colorado at Boulder Topics Internet identity update Technology updates ISOC, IETF Identity,

601 views • 23 slides
Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients & partners Conclusion Identity management System Requester Users admin Approver Application Application Provisioning system Identity A

826 views • 45 slides
IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg

IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg

IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland Hedberg <roland.hedberg@adm.umu.se> Tuesday, May 19, 2009 WHAT IS IDM ? Identity management is the management of the identity life cycle of entities. --- wikipedia

534 views • 26 slides
Online Identity & Social Media by: Nicole Santarsiero What is Online Identity? -Online

Online Identity & Social Media by: Nicole Santarsiero What is Online Identity? -Online

Online Identity & Social Media by: Nicole Santarsiero What is Online Identity? -Online identity management (OIM) - Online personal/business branding also known as personal reputation management -The created presence of a person on the

471 views • 8 slides
Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti andrea.ceccanti@cnaf.infn.it EOSC-Hub AAI Tech Talk Europe, Earth, June 15th 2018 INDIGO Identity and Access Management service Flexible authentication support (SAML,

430 views • 24 slides
Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto, 2005-11-07 Ingrid Melve, FEIDE manager From campus identity management to a federated solution Case: FEIDE Campus Identity Management 2

655 views • 30 slides
Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET Identity & Access Management Community of Practice Panelists: Corey Scholefield Vera Merkusheva Isabel Wong Sabrina da Silva 2 Conference

622 views • 19 slides
Introduction to Identity Management Systems Alan Robiette, JISC (UK)

Introduction to Identity Management Systems Alan Robiette, JISC (UK)

Introduction to Identity Management Systems Alan Robiette, JISC (UK) <a.robiette@jisc.ac.uk> Supporting education and research Overview What is meant by identity management? What are identifiers (IDs) for? How are they

815 views • 22 slides
LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of

LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of

LIGO Identity Management: Some Status and Trends Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee March 8, 2010 LIGO-XXXXXXXX 1 / 12 Why the LIGO Identity Management Project? Unburden users from requesting, retrieving,

425 views • 13 slides
Identity management and security Could an IdP be considered an OES? www.law.kuleuven.be/citip

Identity management and security Could an IdP be considered an OES? www.law.kuleuven.be/citip

Identity management and security Could an IdP be considered an OES? www.law.kuleuven.be/citip What is an Identity provider (IdP)? 2 Proprietary IdM and PKI IdM e.g. e.g. Belgian eID Facebook IdP IdP Verifies Issues Issues credential

517 views • 22 slides
Identity management in the European Grid Infrastructure Established solutions, new needs, open

Identity management in the European Grid Infrastructure Established solutions, new needs, open

EGI InSPIRE Identity management in the European Grid Infrastructure Established solutions, new needs, open questions Gergely Sipos Technical Outreach Manager EGI.eu, Amsterdam gergely.sipos@egi.eu Identity Management for research and

452 views • 28 slides
Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes Identity theft can cost you time and money. Tips for Preventing Identity Theft

322 views • 10 slides
Identity Management Identity Management Alberto Pace Alberto Pace CERN, Information Technology

Identity Management Identity Management Alberto Pace Alberto Pace CERN, Information Technology

Identity Management Identity Management Alberto Pace Alberto Pace CERN, Information Technology Department alberto.pace@cern.ch Computer Security Computer Security The present of computer security Bugs Vulnerabilities Known exploits

506 views • 23 slides
Secure Identity Changes in a Changing World S Id tit Ch i Ch i W ld WG 5 Identity

Secure Identity Changes in a Changing World S Id tit Ch i Ch i W ld WG 5 Identity

ISO/IEC JTC 1/SC 27/WG 5 Identity Management & Privacy Technologies Secure Identity Changes in a Changing World S Id tit Ch i Ch i W ld WG 5 Identity Management & Privacy Technologies Id tit M t & P i T h l i within

831 views • 20 slides
Sun Java TM System Identity Solution Stuart Sim Chief Architect Global Education & Research

Sun Java TM System Identity Solution Stuart Sim Chief Architect Global Education & Research

Sun Java TM System Identity Solution Stuart Sim Chief Architect Global Education & Research Sun Microsystems Agenda Business Drivers for Identity Management Suns Identity Management Solution Sun Java System Access Manager

1.12k views • 87 slides
gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics Plugins Migrating from v1 to v2 Introducing Argus Introducing Kerberos Examples The WLCG Case Using Kerberos and NIS

748 views • 58 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides
Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based

Winter 2011 Josh Benaloh Brian LaMacchia Agenda Integrity Checking (HMAC redux) Protocols (Part 1 Session-based protocols) Introduction Kerberos SSL/TLS Certificates and Public Key Infrastructure (PKI) Certificates

1.81k views • 135 slides
SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton

SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton

SciTokens and Credential Management Zach Miller zmiller@cs.wisc.edu Jason Patton jpatton@cs.wisc.edu HTCondor Week 2019 This material is based upon work supported by the National Science Foundation under Grant No. 1738962. Any opinions,

890 views • 39 slides
Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA

Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA

Short Lived Credential Service SLCS Tony J. Genovese Lawrence Berkeley National Laboratory USA November 29, 2005 Outline Background What is SLCS? Document overview Examples Issues and Status Future Profiles? Asian

638 views • 11 slides

More recommend