It seems that the daily news is full of the fallout that results when companies fail to protect online identities. The ability to limit access to sensitive applications and information to the right people with the right credentials is critical to ensuring the overall security of your infrastructure; critical... but not always easy.
Until recently, options for centralized identity management for the Linux environment were limited. There was no turnkey domain controller-like solution for the Linux/UNIX environment. Some Linux shops integrated open source tools like Kerberos and DNS to create centralized Linux-based identity management, but this option could be time-consuming to develop and expensive to maintain. Others integrated Linux clients directly into Microsoft Active Directory, but this option limited their ability to take advantage of some useful native Linux functionality like sudo and automount.
Identity Management in Red Hat Enterprise Linux
Since the 6.4 release, Red Hat Enterprise Linux has included the Identity Management (IdM) feature set to provide a centralized and clear way to manage identities for users, machines, and services within large Linux/Unix enterprise environments. In addition, Identity Management provides a way to define access control policies to govern those identities. Identity Management, based on work done in the upstream open source community FreeIPA, provides a unifying skin for standards-defined, common network services, including PAM, LDAP, Kerberos, DNS, NTP, and certificate services. This allows Red Hat Enterprise Linux systems to serve as domain controllers in Linux environments. Because Identity Management is an integrated feature of Red Hat Enterprise Linux, it is easy and cost-effective to introduce identity and policy management wherever it’s needed.
What’s new in the beta of Red Hat Enterprise Linux 7?
Active Directory / Identity Management Integration
For many organizations, Active Directory (AD) is the central hub for the user identity management inside the enterprise. Yet it is often the case that all systems that AD users can access (including Linux) need access to AD to perform authentication and identity lookups.
Identity Management in the Red Hat Enterprise Linux 7 beta provides two paths to integrate Linux systems into the Active Directory environment:
- Direct Integration - Linux systems can be connected to Active Directory directly by configuring a component called SSSD. This component acts as an identity and authentication gateway into a central identity store. SSSD can be easily configured using a new component called realmd. Realmd detects an available domain based on the DNS records and configures SSSD to interact with the right identity source. Realmd can connect the Linux system to either IdM or AD as shown below. Once the system is joined into the domain users managed by this domain can access the joined systems. They can authenticate and their POSIX attributes as well as group membership will be recognized by the Linux system. The SSSD in this setup replaces the formerly used winbind component. Note, however, that if you plan to use CIFS file sharing on Linux systems, you need to configure winbind following existing reference architecture materials.
- Indirect Integration - Direct integration is limited to using only the authentication and identity information related to users. Systems do not get policies and data, which limits their identity and access control potential in the enterprise environment. Linux systems can get policies like sudo, host-based access control rules, automount, netgroups, SELinux user mappings and other capabilities from a central identity management server. The identity management server provides centralized management of Linux systems giving them identity, credentials and providing centrally managed policies for the Linux features listed above. In most environments, users that are stored and authenticated by Active Directory need to have access to Linux resources. That can be accomplished by establishing a trust relationship between the identity management server and Active Directory. This diagram below shows how users from an Active Directory forest gain access to the Linux systems joined into the identity management (IdM) domain.
Other New Features
Identity Management in the Red Hat Enterprise Linux 7 beta delivers other new features for both the SSSD (client) and Identity Management Server that make identity management in Red Hat Enterprise Linux more functional and easier to manage, including support of domain trusts, UI improvements, and a prototype back-up and restore procedure.
For those with existing subscriptions or who have already downloaded Red Hat Enterprise Linux 7 beta, the identity management team invites you to try out the direct and indirect paths to Active Directory integration and any of the other new client or server capabilities. Please leave me feedback in the comments below – I look forward to hearing from you!
執筆者紹介
チャンネル別に見る
自動化
テクノロジー、チームおよび環境に関する IT 自動化の最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
オリジナル番組
エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー
製品
ツール
試用、購入、販売
コミュニケーション
Red Hat について
エンタープライズ・オープンソース・ソリューションのプロバイダーとして世界をリードする Red Hat は、Linux、クラウド、コンテナ、Kubernetes などのテクノロジーを提供しています。Red Hat は強化されたソリューションを提供し、コアデータセンターからネットワークエッジまで、企業が複数のプラットフォームおよび環境間で容易に運用できるようにしています。
言語を選択してください
Red Hat legal and privacy links
- Red Hat について
- 採用情報
- イベント
- 各国のオフィス
- Red Hat へのお問い合わせ
- Red Hat ブログ
- ダイバーシティ、エクイティ、およびインクルージョン
- Cool Stuff Store
- Red Hat Summit