
Identity Management Guide

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Edition 6.4

Ella Deon Lackey

Legal Notice

Copyright © 2012 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701


Abstract

Identity and policy management - for both users and machines - is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.
Preface
1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
2.2. Client Tool Information
2.3. Text Formatting and Styles
3. Giving Feedback
4. Document Change History
1. Introduction to Identity Management
1.1. IdM v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for Identity Management
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About IdM Servers and Replicas
1.3.2. About IdM Clients
2. Installing an IdM Server
2.1. Supported Server Platforms
2.2. Preparing to Install the IdM Server
2.2.1. Hardware Recommendations
2.2.2. Software Requirements
2.2.3. Supported Web Browsers
2.2.4. System Prerequisites
2.2.4.1. Hostname and IP Address Requirements
2.2.4.2. Directory Server
2.2.4.3. System Files
2.2.4.4. System Ports
2.2.4.5. NTP
2.2.4.6. NSCD
2.2.5. Networking
2.2.5.1. Configuring Networking Services
2.2.5.2. Configuring the /etc/hosts File
2.3. Installing the IdM Server Packages
2.4. Creating an IdM Server Instance
2.4.1. About ipa-server-install
2.4.2. Setting up an IdM Server: Basic Interactive Installation
2.4.3. Examples of Creating the IdM Server
2.4.3.1. Non-Interactive Basic Installation
2.4.3.2. Using Different CA Configurations
2.4.3.3. Using DNS
2.4.4. Troubleshooting Installation Problems
2.5. Setting up IdM Replicas
2.5.1. Prepping and Installing the Replica Server
2.5.2. Creating the Replica
2.5.3. Troubleshooting Replica Installation
2.6. Uninstalling IdM Servers and Replicas
2.7. Upgrading Identity Management to Red Hat Enterprise Linux 6.4
2.7.1. Upgrading Packages
2.7.2. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
2.7.3. Testing Before Upgrading the IdM Server (Recommended)
3. Setting up Systems as IdM Clients
3.1. What Happens in Client Setup
3.2. System Ports
3.3. Configuring a Red Hat Enterprise Linux System as an IdM Client
3.4. Manually Configuring a Linux Client
3.5. Setting up a Linux Client Through Kickstart
3.6. Configuring a Microsoft Windows System to Join the IdM Realm
3.7. Troubleshooting Client Installations
3.7.1. The client can't resolve reverse hostnames when using an external DNS.
3.7.2. The client is not added to the DNS zone.
3.8. Uninstalling an IdM Client
4. Basic Usage
4.1. About the IdM Client Tools
4.1.1. About the IdM Command-Line Tools
4.1.1.1. The Structure of the ipa Command
4.1.1.2. Positional Elements in ipa Commands
4.1.1.3. Managing Entry Attributes with --setattr, --addattr, and --delattr
4.1.1.4. Using Special Characters with IdM Tools
4.1.1.5. Logging into the IdM Domain Before Running
4.1.2. Looking at the IdM UI
4.1.2.1. The UI Layout
4.1.2.2. Page Elements
4.1.2.3. Showing and Changing Group Members
4.2. Logging into IdM
4.2.1. Logging into IdM
4.2.2. Logging in When an IdM User Is Different Than the System User
4.2.3. Checking the Current Logged in User
4.2.4. Caching User Kerberos Tickets
4.3. Using the IdM Web UI
4.3.1. Supported Web Browsers
4.3.2. Opening the IdM Web UI
4.3.3. Configuring the Browser
4.3.4. Using a Browser on Another System
4.3.5. Logging in with Simple Username/Password Credentials
4.3.6. Using the UI with Proxy Servers
4.3.7. Troubleshooting UI Connection Problems
4.4. Understanding Search Limits and Settings
4.4.1. Types of Search Limits and Where They Apply
4.4.2. Setting IdM Search Limits
4.4.2.1. With the Web UI
4.4.2.2. With the Command Line
4.4.3. Overriding the Search Defaults
4.4.4. Setting Search Attributes
4.4.4.1. Setting User Search Attributes
4.4.4.2. Setting Group Search Attributes
4.4.5. Attributes Returned in Search Results
5. Identity: Managing Users and User Groups
5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Mounting Home Directories
5.2. Managing User Entries
5.2.1. About Username Formats
5.2.2. Adding Users
5.2.2.1. From the Web UI
5.2.2.2. From the Command Line
5.2.3. Editing Users
5.2.3.1. From the Web UI
5.2.3.2. From the Command Line
5.2.4. Activating and Deactivating User Accounts
5.2.4.1. From the Web UI
5.2.4.2. From the Command Line
5.2.5. Deleting Users
5.2.5.1. With the Web UI
5.2.5.2. From the Command Line
5.3. Managing Public SSH Keys for Users
5.3.1. About the SSH Key Format
5.3.2. Uploading User SSH Keys Through the Web UI
5.3.3. Uploading User SSH Keys Through the Command Line
5.3.4. Deleting User Keys
5.4. Changing Passwords
5.4.1. From the Web UI
5.4.2. From the Command Line
5.5. Unlocking User Accounts After Password Failures
5.6. Managing User Private Groups
5.6.1. Disabling Private Groups for a Specific User
5.6.2. Disabling Private Groups Globally
5.7. Managing Unique UID and GID Number Assignments
5.7.1. About ID Range Assignments During Installation
5.7.2. Adding New Ranges
5.8. Managing User and Group Schema
5.8.1. About Changing the Default User and Group Schema
5.8.2. Applying Custom Object Classes to New User Entries
5.8.2.1. From the Web UI
5.8.2.2. From the Command Line
5.8.3. Applying Custom Object Classes to New Group Entries
5.8.3.1. From the Web UI
5.8.3.2. From the Command Line
5.9. Managing User Groups
5.9.1. Creating User Groups
5.9.1.1. With the Web UI
5.9.1.2. With the Command Line
5.9.2. Adding Group Members
5.9.2.1. With the Web UI (Group Page)
5.9.2.2. With the Web UI (User's Page)
5.9.2.3. With the Command Line
5.9.2.4. Viewing Direct and Indirect Members of a Group
5.9.3. Deleting User Groups
5.9.3.1. With the Web UI
5.9.3.2. With the Command Line
5.10. Searching for Users and Groups
5.10.1. With the UI
5.10.2. With the Command Line
5.11. Specifying Default User and Group Settings
5.11.1. Viewing Settings from the Web UI
5.11.2. Viewing Settings from the Command Line
6. Identity: Managing Hosts and Services
6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.1.1. Adding Services and Keytabs from the Web UI
6.5.1.2. Adding Services and Keytabs from the Command Line
6.5.2. Adding Services and Certificates for Services
6.5.2.1. Adding Services and Certificates from the Web UI
6.5.2.2. Adding Services and Certificates from the Command Line
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling and Re-enabling Host and Service Entries
6.6.1. Disabling Host and Service Entries
6.6.2. Re-enabling Hosts and Services
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Delegating Host or Service Management in the Web UI
6.7.4. Accessing Delegated Services
6.8. Managing Public SSH Keys for Hosts
6.8.1. About the SSH Key Format
6.8.2. About ipa-client-install and OpenSSH
6.8.3. Uploading Host SSH Keys Through the Web UI
6.8.4. Adding Host Keys from the Command Line
6.8.5. Removing Host Keys
6.9. Renaming Machines and Reconfiguring IdM Client Configuration
6.10. Managing Host Groups
6.10.1. Creating Host Groups
6.10.1.1. Creating Host Groups from the Web UI
6.10.1.2. Creating Host Groups from the Command Line
6.10.2. Adding Group Members
6.10.2.1. Adding Group Members from the Web UI
6.10.2.2. Adding Group Members from the Command Line
6.11. Troubleshooting Host Problems
6.11.1. Certificate Not Found/Serial Number Not Found Errors
6.11.2. Debugging Client Connection Problems
7. Identity: Integrating with NIS Domains and Netgroups
7.1. About NIS and Identity Management
7.2. Setting the NIS Port for Identity Management
7.3. Creating Netgroups
7.3.1. Adding Netgroups
7.3.1.1. With the Web UI
7.3.1.2. With the Command Line
7.3.2. Adding Netgroup Members
7.3.2.1. With the Web UI
7.3.2.2. With the Command Line
7.4. Exposing Automount Maps to NIS Clients
7.5. Migrating from NIS to IdM
7.5.1. Preparing Netgroup Entries in IdM
7.5.2. Enabling the NIS Listener in Identity Management
7.5.3. Exporting and Importing the Existing NIS Data
7.5.3.1. Importing User Entries
7.5.3.2. Importing Group Entries
7.5.3.3. Importing Host Entries
7.5.3.4. Importing Netgroup Entries
7.5.3.5. Importing Automount Maps
7.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
8. Identity: Integrating with Active Directory Through Cross-Realm Kerberos Trusts
8.1. The Meaning of "Trust"
8.1.1. How Trust Works: Transparency Between Kerberos and DNS Realms
8.1.1.1. Components Involved in Trusts
8.1.1.2. Active Directory and Identity Management Directories
8.1.1.3. DNS Domains
8.1.1.4. Kerberos Realms, Authentication, and Authorization
8.1.2. Trust in Contrast to Synchronization
8.1.3. Active Directory Users and IdM Features: sudo and Host-Based Access Control Policies
8.1.4. Potential Issues with Group Mapping and SIDs
8.1.5. Active Directory Users and IdM Administration
8.2. Environment and Machine Requirements to Set Up Trusts
8.2.1. Domain and Realm Names
8.2.2. NetBIOS Names
8.2.3. Integrated DNS
8.2.4. Firewalls and Ports
8.2.5. Clock Settings
8.2.6. Supported Username Formats
8.2.7. Trust Can Only Be Configured Once
8.3. Setting up Trust with IdM as a DNS Subdomain of Active Directory
8.4. Setting up Trust with IdM and Active Directory in Different DNS Domains
8.5. Creating IdM Groups for Active Directory Users
8.6. Using SSH from Active Directory Machines for IdM Resources
8.7. Using Trust with Kerberized Web Applications
9. Identity: Integrating with Microsoft Active Directory Through Synchronization
9.1. About Active Directory and Identity Management
9.2. About Synchronized Attributes
9.2.1. User Schema Differences between Identity Management and Active Directory
9.2.1.1. Values for cn Attributes
9.2.1.2. Values for street and streetAddress
9.2.1.3. Constraints on the initials Attribute
9.2.1.4. Requiring the surname (sn) Attribute
9.2.2. Active Directory Entries and RFC 2307 Attributes
9.3. Setting up Active Directory for Synchronization
9.4. Managing Synchronization Agreements
9.4.1. Trusting the Active Directory and IdM CA Certificates
9.4.2. Creating Synchronization Agreements
9.4.3. Changing the Behavior for Syncing User Account Attributes
9.4.4. Changing the Synchronized Windows Subtree
9.4.5. Configuring Uni-Directional Sync
9.4.6. Deleting Synchronization Agreements
9.4.7. Winsync Agreement Failures
9.5. Managing Password Synchronization
9.5.1. Setting up the Windows Server for Password Synchronization
9.5.2. Setting up Password Synchronization
9.5.3. Exempting Active Directory Users from Password Synchronization
10. Identity: Managing DNS
10.1. About DNS in IdM
10.2. The IdM-Generated DNS File
10.3. Setting up DNS After IdM Server Installation
10.4. Managing DNS Zone Entries
10.4.1. Adding DNS Zones
10.4.1.1. Adding DNS Zones from the Web UI
10.4.1.2. Adding DNS Zones from the Command Line
10.4.2. Modifying DNS Zones
10.4.2.1. Editing the Zone Configuration in the Web UI
10.4.2.2. Editing the Zone Configuration in the Command Line
10.4.3. Enabling and Disabling Zones
10.4.3.1. Disabling Zones in the Web UI
10.4.3.2. Disabling Zones in the Command Line
10.5. Managing DNS Record Entries
10.5.1. Adding Records to DNS Zones
10.5.1.1. Adding DNS Resource Records from the Web UI
10.5.1.2. Adding DNS Resource Records from the Command Line
10.5.2. Deleting Records from DNS Zones
10.5.2.1. Deleting Records with the Web UI
10.5.2.2. Deleting Records with the Command Line
10.6. Configuring the bind-dyndb-ldap Plug-in
10.6.1. Changing the DNS Cache Setting
10.6.2. Enabling Zone Refreshes and Persistent Searches
10.7. Changing Recursive Queries Against Forwarders
10.8. Enabling Dynamic DNS Updates
10.8.1. Enabling Dynamic DNS Updates in the Web UI
10.8.2. Enabling Dynamic DNS Updates in the Command Line
10.9. Configuring Forwarders and Forward Policy
10.9.1. Configuring Global Forwarders
10.9.2. Configuring Zone Forwarders
10.9.3. Configuring Forwarder Policy for a Zone
10.10. Enabling Zone Transfers
10.11. Defining DNS Queries
10.12. Synchronizing Forward and Reverse Zone Entries
10.13. Setting DNS Access Policies
10.14. Resolving Hostnames in the IdM Domain
10.15. Changing Load Balancing for IdM Servers and Replicas
11. Policy: Using Automount
11.1. About Automount and IdM
11.2. Configuring Automount
11.2.1. Configuring autofs on Red Hat Enterprise Linux
11.3. Setting up a Kerberized NFS Server
11.3.1. Setting up a Kerberized NFS Server
11.3.2. Setting up a Kerberized NFS Client
11.4. Configuring Kerberized CIFS
11.4.1. Setting up Samba Groups in IdM
11.4.2. Configuring the CIFS Client
11.5. Configuring Locations
11.5.1. Configuring Locations through the Web UI
11.5.2. Configuring Locations through the Command Line
11.6. Configuring Maps
11.6.1. Configuring Direct Maps
11.6.1.1. Configuring Direct Maps from the Web UI
11.6.1.2. Configuring Direct Maps from the Command Line
11.6.2. Configuring Indirect Maps
11.6.2.1. Configuring Indirect Maps from the Web UI
11.6.2.2. Configuring Indirect Maps from the Command Line
11.6.3. Importing Automount Maps
12. Policy: Defining Password Policies
12.1. About Password Policies and Policy Attributes
12.2. Viewing Password Policies
12.2.1. Viewing the Global Password Policy
12.2.1.1. With the Web UI
12.2.1.2. With the Command Line
12.2.2. Viewing Group-Level Password Policies
12.2.2.1. With the Web UI
12.2.2.2. With the Command Line
12.2.3. Viewing the Password Policy in Effect for a User
12.3. Creating and Editing Password Policies
12.3.1. Creating Password Policies in the Web UI
12.3.2. Creating Password Policies with the Command Line
12.3.3. Editing Password Policies with the Command Line
12.4. Managing Password Expiration Limits
12.5. Changing the Priority of Group Password Policies
12.6. Setting Account Lockout Policies
12.6.1. In the UI
12.6.2. In the CLI
12.7. Enabling a Password Change Dialog
13. Policy: Managing the Kerberos Domain
13.1. About Kerberos
13.1.1. About Principal Names
13.1.2. About Protecting Keytabs
13.2. Setting Kerberos Ticket Policies
13.2.1. Setting Global Ticket Policies
13.2.1.1. From the Web UI
13.2.1.2. From the Command Line
13.2.2. Setting User-Level Ticket Policies
13.3. Refreshing Kerberos Tickets
13.4. Caching Kerberos Passwords
13.5. Removing Keytabs
13.6. Troubleshooting Kerberos Errors
14. Policy: Using sudo
14.1. About sudo and IPA
14.1.1. General sudo Configuration in Identity Management
14.1.2. sudo and Netgroups
14.1.3. Supported sudo Clients
14.2. Setting up sudo Commands and Command Groups
14.2.1. Adding sudo Commands
14.2.1.1. Adding sudo Commands with the Web UI
14.2.1.2. Adding sudo Commands with the Command Line
14.2.2. Adding sudo Command Groups
14.2.2.1. Adding sudo Command Groups with the Web UI
14.2.2.2. Adding sudo Command Groups with the Command Line
14.3. Defining sudo Rules
14.3.1. About External Users and Hosts
14.3.2. About sudo Options Format
14.3.3. Defining sudo Rules in the Web UI
14.3.4. Defining sudo Rules in the Command Line
14.4. Applying the Configured sudo Policies to Hosts
15. Policy: Configuring Host-Based Access Control
15.1. About Host-Based Access Control
15.2. Creating Host-Based Access Control Entries for Services and Service Groups
15.2.1. Adding HBAC Services
15.2.1.1. Adding HBAC Services in the Web UI
15.2.1.2. Adding Services in the Command Line
15.2.2. Adding Service Groups
15.2.2.1. Adding Service Groups in the Web UI
15.2.2.2. Adding Service Groups in the Command Line
15.3. Defining Host-Based Access Control Rules
15.3.1. Setting Host-Based Access Control Rules in the Web UI
15.3.2. Setting Host-Based Access Control Rules in the Command Line
15.4. Testing Host-Based Access Control Rules
15.4.1. The Limits of Host-Based Access Control Configuration
15.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
15.4.3. Testing Host-Based Access Control Rules in the UI
16. Policy: Defining SELinux User Maps
16.1. About Identity Management, SELinux, and Mapping Users
16.2. Configuring SELinux Users in IdM
16.2.1. In the Web UI
16.2.2. In the CLI
16.3. Mapping SELinux Users and IdM Users
16.3.1. In the Web UI
16.3.2. In the CLI
16.4. Troubleshooting SELinux Login Problems
17. Policy: Defining Automatic Group Membership for Users and Hosts
17.1. About Automembership
17.2. Defining Automembership Rules (Basic Procedure)
17.2.1. From the Web UI
17.2.2. From the CLI
17.3. Examples of Using Automember Groups
17.3.1. Setting an All Users/Hosts Rule
17.3.2. Defining Default Automembership Groups
17.3.3. Using Automembership Groups with Windows Users
18. Configuration: Defining Access Control within IdM
18.1. About Access Controls for IdM Entries
18.1.1. A Brief Look at Access Control Concepts
18.1.2. Access Control Methods in Identity Management
18.2. Defining Self-Service Settings
18.2.1. Creating Self-Service Rules from the Web UI
18.2.2. Creating Self-Service Rules from the Command Line
18.2.3. Editing Self-Service Rules
18.3. Delegating Permissions over Users
18.3.1. Delegating Access to User Groups in the Web UI
18.3.2. Delegating Access to User Groups in the Command Line
18.4. Defining Role-Based Access Controls
18.4.1. Creating Roles
18.4.1.1. Creating Roles in the Web UI
18.4.1.2. Creating Roles in the Command Line
18.4.2. Creating New Permissions
18.4.2.1. Creating New Permissions from the Web UI
18.4.2.2. Creating New Permissions from the Command Line
18.4.3. Creating New Privileges
18.4.3.1. Creating New Privileges from the Web UI
18.4.3.2. Creating New Privileges from the Command Line
19. Configuration: Configuring the IdM Server
19.1. Identity Management Files and Logs
19.1.1. A Reference of IdM Server Configuration Files and Directories
19.1.2. About default.conf and Context Configuration Files
19.1.3. Checking IdM Server Logs
19.1.3.1. Enabling Server Debug Logging
19.1.3.2. Debugging Command-Line Operations
19.2. Disabling Anonymous Binds
19.3. Configuring Alternate Certificate Authorities
19.4. Configuring CRLs and OCSP Responders
19.4.1. Using an OCSP Responder with SELinux
19.4.2. Changing the CRL Update Interval
19.4.3. Changing the OCSP Responder Location
19.5. Setting DNS Entries for Multi-Homed Servers
19.6. Managing Replication Agreements Between IdM Servers
19.6.1. Listing Replication Agreements
19.6.2. Creating and Removing Replication Agreements
19.6.3. Forcing Replication
19.6.4. Reinitializing IdM Servers
19.6.5. Resolving Replication Conflicts
19.6.5.1. Solving Naming Conflicts
19.6.5.2. Solving Orphan Entry Conflicts
19.7. Removing a Replica
19.8. Troubleshooting
19.8.1. Starting IdM with Expired Certificates
19.8.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
20. Migrating from an LDAP Directory to IdM
20.1. An Overview of LDAP to IdM Migration
20.1.1. Planning the Client Configuration
20.1.1.1. Initial Client Configuration (Pre-Migration)
20.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
20.1.1.3. Alternative Supported Configuration
20.1.2. Planning Password Migration
20.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
20.1.2.2. Method 2: Using the Migration Web Page
20.1.2.3. Method 3: Using SSSD (Recommended)
20.1.2.4. Migrating Cleartext LDAP Passwords
20.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
20.1.3. Migration Considerations and Requirements
20.1.3.1. LDAP Servers Supported for Migration
20.1.3.2. Migration Environment Requirements
20.1.3.3. Migration Tools
20.1.3.4. Migration Sequence
20.2. Examples for Using migrate-ds
20.2.1. Migrating Specific Subtrees
20.2.2. Specifically Including or Excluding Entries
20.2.3. Excluding Entry Attributes
20.2.4. Setting the Schema to Use
20.3. Scenario 1: Using SSSD as Part of Migration
20.4. Scenario 2: Migrating an LDAP Server Directly to Identity Management
A. Frequently Asked Questions
B. Working with certmonger
B.1. Requesting a Certificate with certmonger
B.2. Storing Certificates in NSS Databases
B.3. Tracking Certificates with certmonger
Glossary
Index

Preface

Identity Management is a Red Hat Enterprise Linux-based way to create a security, identity, and authentication domain. The different security and authentication protocols available to Linux and Unix systems (like Kerberos, NIS, DNS, PAM, and sudo) are complex, unrelated, and difficult to manage coherently, especially when combined with different identity stores.
Identity Management provides a layer that unifies all of these disparate services and simplifies the administrative tasks for managing users, systems, and security. IdM breaks management down into two categories: identity and policy. It centralizes the functions of managing the users and entities within your IT environment (identity) and then provides a framework to define authentication and authorization for a global security framework and user-friendly tools like single sign-on (policy).

1. Audience and Purpose

With Identity Management, a Red Hat Enterprise Linux system can easily become the center of an identity/authentication domain and even provide access to the domain for clients of other operating systems. IdM is an integrated system that builds on existing and reliable technologies like LDAP and certificate protocols, with a robust yet straightforward set of tools (including a web-based UI). The key to identity/policy management with IdM is simplicity and flexibility:
  • Centralized identity stores for authentication and single sign-on using both integrated LDAP services (with 389 Directory Server) and, optionally, NIS services
  • Clear and manageable administrative control over system services like PAM, NTP, and sudo
  • Simplified DNS domains and maintenance
  • Scalable Kerberos realms and cross-realms which clients can easily join
This guide is written for systems administrators and IT staff who will manage IdM domains, user systems, and servers. It assumes a moderate knowledge of Linux-based systems administration and familiarity with important concepts like access control, LDAP, and Kerberos.
This guide covers every aspect of using IdM, including preparation and installation processes, administrative tasks, and the IdM tools. This guide also explains the major concepts behind both identity and policy management, generally, and IdM features specifically. Administrative tasks in this guide are categorized as either Identity or Policy in the chapter title to help characterize the administrative functions.

2. Examples and Formatting

Each of the examples used in this guide, such as file locations and commands, follows certain defined conventions.

2.1. Brackets

Square brackets ([]) are used to indicate an alternative element in a name. For example, if a tool is available in /usr/lib on 32-bit systems and in /usr/lib64 on 64-bit systems, then the tool location may be represented as /usr/lib[64].

2.2. Client Tool Information

The tools for IdM are located in the /usr/bin and the /usr/sbin directories.
The LDAP tools used to edit the IdM directory services, such as ldapmodify and ldapsearch, are from OpenLDAP. OpenLDAP tools use SASL connections by default. To perform a simple bind using a username and password, use the -x argument to disable SASL.

2.3. Text Formatting and Styles

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
Formatting Style          | Purpose
--------------------------|------------------------------------------------------------
Monospace with a background | This type of formatting is used for anything entered or returned in a command prompt.
Italicized text           | Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text               | Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button. This can also indicate a file, package, or directory name, such as /usr/sbin.
Other formatting styles draw attention to important text.

NOTE

A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

IMPORTANT

Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.

WARNING

A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

3. Giving Feedback

If there is any error in this book or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for IdM through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:
  1. Select the Red Hat group and the Red Hat Enterprise Linux 6 product.
  2. Set the component to doc-Enterprise_Identity_Management_Guide.
  3. For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.
    For enhancements, put in what information needs to be added and why.
  4. Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
We appreciate receiving any feedback - requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at [email protected].

4. Document Change History

Revision History
Revision 6.4-1, March 1, 2013, Ella Deon Lackey
Adding trusts.
Revision 6.3-1, October 18, 2012, Ella Deon Lackey
Commenting out sudo configuration example.
Removing group sync information from winsync chapter.
Commenting out CRL generation section.
Revision 6.2-8, December 16, 2011, Ella Deon Lackey
Fixing sudoers_debug example in sudo client configuration procedure, Bugzilla #768792.
Fixing migration command example, Bugzilla #766089.
Revision 6.2-7, December 6, 2011, Ella Deon Lackey
Release for GA of Red Hat Enterprise Linux 6.2.