
Red Hat Enterprise Linux 6.2

Identity Management Guide

Managing Identity and Authorization Policies for Linux-Based Infrastructures

Edition 2.1.4

Ella Deon Lackey


Legal Notice

Copyright © 2011 Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.


1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

Abstract
Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information required for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.

Preface
1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
2.2. Client Tool Information
2.3. Text Formatting and Styles
3. Giving Feedback
4. Document Change History
Release Information
1. Known Issues
1. Introduction to Identity Management
1.1. IPA v. LDAP: A More Focused Type of Service
1.1.1. A Working Definition for Identity Management
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
1.2. Bringing Linux Services Together
1.2.1. Authentication: Kerberos KDC
1.2.2. Data Storage: 389 Directory Server
1.2.3. Authentication: Dogtag Certificate System
1.2.4. Server/Client Discovery: DNS
1.2.5. Management: NTP
1.3. Relationships Between Servers and Clients
1.3.1. About IPA Servers and Replicas
1.3.2. About IPA Clients
2. Installing an IPA Server
2.1. Supported Server Platforms
2.2. Preparing to Install the IPA Server
2.2.1. Hardware Requirements
2.2.2. Software Requirements
2.2.3. Supported Web Browsers
2.2.4. System Prerequisites
2.2.4.1. Hostname Requirements
2.2.4.2. Directory Server
2.2.4.3. System Files
2.2.4.4. System Ports
2.2.4.5. NTP
2.2.4.6. DNS
2.2.4.7. Networking
2.3. Installing the IPA Server Packages
2.4. Creating an IPA Server Instance
2.4.1. About ipa-server-install
2.4.2. Setting up an IPA Server: Basic Interactive Installation
2.4.3. Examples of Creating the IPA Server
2.4.3.1. Non-Interactive Basic Installation
2.4.3.2. Using Different CA Configurations
2.4.3.3. Using DNS
2.4.4. Troubleshooting Installation Problems
2.5. Setting up IPA Replicas
2.5.1. Prepping and Installing the Replica Server
2.5.2. Creating the Replica
2.5.3. Troubleshooting Replica Installation
2.6. Uninstalling IPA Servers and Replicas
3. Setting up Systems as IPA Clients
3.1. What Happens in Client Setup
3.2. Supported Platforms for IPA Clients
3.3. Configuring a Red Hat Enterprise Linux System as an IPA Client
3.4. Manually Configuring a Linux Client
3.5. Configuring a Solaris System as an IPA Client
3.5.1. Configuring Solaris 10
3.5.2. Configuring Solaris 9
3.6. Configuring an HP-UX System as an IPA Client
3.6.1. Configuring NTP
3.6.2. Configuring LDAP Authentication
3.6.3. Configuring Kerberos
3.6.4. Configuring PAM
3.6.4.1. HP-UX 11i v2
3.6.4.2. HP-UX 11i v1
3.6.5. Configuring SSH
3.6.6. Configuring Access Control
3.6.7. Testing the Configuration
3.7. Configuring an AIX System as an IPA Client
3.7.1. Prerequisites
3.7.2. Configuring the AIX Client
3.8. Troubleshooting Client Installations
3.9. Uninstalling an IPA Client
4. Basic Usage
4.1. About the IPA Client Tools
4.1.1. About the IPA Command-Line Tools
4.1.1.1. ipa and Other Command-Line Scripts
4.1.1.2. Adding Attributes with --setattr and --addattr
4.1.1.3. Tips for Running IPA Tools
4.1.2. Looking at the IPA UI
4.1.2.1. The UI Layout
4.1.2.2. Page Elements
4.1.2.3. Showing and Changing Group Members
4.1.2.4. Looking at Search Results
4.2. Logging into IPA
4.2.1. Logging into IPA
4.2.2. Logging in When an IPA User Is Different Than the System User
4.2.3. Checking the Current Logged in User
4.2.4. Caching User Kerberos Tickets
4.3. Using the IPA Web UI
4.3.1. Supported Web Browsers
4.3.2. Opening the IPA Web UI
4.3.3. Configuring the Browser
4.3.4. Using a Browser on Another System
4.3.5. Enabling Username/Password Authentication in Your Browser
4.3.6. Using the UI with Proxy Servers
4.3.7. Troubleshooting UI Connection Problems
5. Identity: Managing Users and User Groups
5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Automounting Home Directories
5.2. Managing User Accounts
5.2.1. About User Entries
5.2.1.1. About User Schema
5.2.1.2. About Username Formats
5.2.1.3. About Changing the Default User and Group Schema
5.2.1.4. Applying Custom Object Classes to New User Entries
5.2.1.5. Applying Custom Object Classes to New Group Entries
5.2.2. Adding Users
5.2.2.1. From the Web UI
5.2.2.2. From the Command Line
5.2.3. Editing Users
5.2.3.1. From the Web UI
5.2.3.2. From the Command Line
5.2.4. Activating and Deactivating User Accounts
5.2.4.1. From the Web UI
5.2.4.2. From the Command Line
5.2.5. Deleting Users
5.2.5.1. With the Web UI
5.2.5.2. From the Command Line
5.3. Changing Passwords
5.3.1. From the Web UI
5.3.2. From the Command Line
5.4. Managing Unique UID and GID Number Assignments
5.4.1. About ID Range Assignments During Installation
5.4.2. Adding New Ranges
5.5. Managing User Groups
5.5.1. Creating User Groups
5.5.1.1. With the Web UI
5.5.1.2. With the Command Line
5.5.2. Adding Group Members
5.5.2.1. With the Web UI (Group Page)
5.5.2.2. With the Web UI (User's Page)
5.5.2.3. With the Command Line
5.5.2.4. Viewing Direct and Indirect Members of a Group
5.5.3. Deleting User Groups
5.5.3.1. With the Web UI
5.5.3.2. With the Command Line
5.6. Searching for Users and Groups
5.6.1. With the UI
5.6.2. With the Command Line
5.7. Specifying Default User and Group Settings
5.7.1. Viewing the Settings Configuration
5.7.1.1. From the Web UI
5.7.1.2. From the Command Line
5.7.2. Setting Default Search Limits
5.7.2.1. With the Web UI
5.7.2.2. With the Command Line
5.7.3. Setting User Search Attributes
5.7.3.1. From the Web UI
5.7.3.2. From the Command Line
5.7.4. Setting Group Search Attributes
5.7.4.1. From the Web UI
5.7.4.2. From the Command Line
6. Identity: Managing Hosts and Services
6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.3.2. Performing a Bulk or Kickstart Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.1.1. Adding Services and Keytabs from the Web UI
6.5.1.2. Adding Services and Keytabs from the Command Line
6.5.2. Adding Services and Certificates for Services
6.5.2.1. Adding Services and Certificates from the Web UI
6.5.2.2. Adding Services and Certificates from the Command Line
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling Host and Service Entries
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Accessing Delegated Services
6.8. Renaming Machines and Reconfiguring IPA Client Configuration
6.9. Managing Host Groups
6.9.1. Creating Host Groups
6.9.1.1. Creating Host Groups from the Web UI
6.9.1.2. Creating Host Groups from the Command Line
6.9.2. Adding Group Members
6.9.2.1. Adding Group Members from the Web UI
6.9.2.2. Adding Group Members from the Command Line
6.10. Troubleshooting Host Problems
6.10.1. Certificate Not Found/Serial Number Not Found Errors
6.10.2. Debugging Client Connection Problems
7. Identity: Integrating with Microsoft Active Directory
7.1. About Active Directory and Identity Management
7.1.1. About Active Directory Synchronization
7.1.2. Attributes Which Are Synchronized
7.1.3. User Schema Differences between Identity Management and Active Directory
7.1.3.1. Values for cn Attributes
7.1.3.2. Values for street and streetAddress
7.1.3.3. Constraints on the initials Attribute
7.2. Setting up Active Directory for Synchronization
7.3. Managing Synchronization Agreements
7.3.1. Trusting the Active Directory and IPA CA Certificates
7.3.2. Creating Synchronization Agreements
7.3.3. Changing the Behavior for Syncing User Account Attributes
7.3.4. Changing the Synchronized Windows Subtree
7.3.5. Deleting Synchronization Agreements
7.3.6. Winsync Agreement Failures
7.4. Managing Password Synchronization
7.4.1. Setting up the Windows Server for Password Synchronization
7.4.2. Setting up Password Synchronization
7.4.3. Exempting Active Directory Users from Password Synchronization
8. Identity: Managing DNS
8.1. About DNS in IPA
8.2. Configuring DNS in Identity Management
8.3. Configuring the bind-dyndb-ldap Plug-in
8.4. Changing Recursive Queries Against Forwarders
8.5. Adding DNS Zones
8.5.1. Adding DNS Zones from the Web UI
8.5.2. Adding DNS Zones from the Command Line
8.6. Modifying DNS Zones
8.6.1. Editing the Zone Configuration in the Web UI
8.6.2. Editing the Zone Configuration in the Command Line
8.7. Enabling Dynamic DNS Updates
8.7.1. Enabling Dynamic DNS Updates in the Web UI
8.7.2. Enabling Dynamic DNS Updates in the Command Line
8.8. Enabling and Disabling Zones
8.8.1. Disabling Zones in the Web UI
8.8.2. Disabling Zones in the Command Line
8.9. Adding Records to DNS Zones
8.9.1. Adding DNS Resource Records from the Web UI
8.9.2. Adding DNS Resource Records from the Command Line
8.10. Deleting Records from DNS Zones
8.10.1. Deleting Records with the Web UI
8.10.2. Deleting Records with the Command Line
8.11. Resolving Hostnames in the IPA Domain
8.12. Changing Load Balancing for IPA Servers and Replicas
9. Policy: Using Automount
9.1. About Automount and IPA
9.2. Configuring Automount
9.2.1. Configuring autofs on Red Hat Enterprise Linux
9.2.2. Configuring Automount on Solaris
9.3. Setting up a Kerberized NFS Server
9.3.1. Setting up a Kerberized NFS Server
9.3.2. Setting up a Kerberized NFS Client
9.4. Configuring Locations
9.4.1. Configuring Locations through the Web UI
9.4.2. Configuring Locations through the Command Line
9.5. Configuring Maps
9.5.1. Configuring Direct Maps
9.5.1.1. Configuring Direct Maps from the Web UI
9.5.1.2. Configuring Direct Maps from the Command Line
9.5.2. Configuring Indirect Maps
9.5.2.1. Configuring Indirect Maps from the Web UI
9.5.2.2. Configuring Indirect Maps from the Command Line
9.5.3. Importing Automount Maps
10. Policy: Integrating with NIS Domains and Netgroups
10.1. About NIS and Identity Management
10.2. Creating Netgroups
10.2.1. Adding Netgroups
10.2.1.1. With the Web UI
10.2.1.2. With the Command Line
10.2.2. Adding Netgroup Members
10.2.2.1. With the Web UI
10.2.2.2. With the Command Line
10.3. Exposing Automount Maps to NIS Clients
10.4. Migrating from NIS to IPA
10.4.1. Preparing Netgroup Entries in IPA
10.4.2. Enabling the NIS Listener in Identity Management
10.4.3. Exporting the Existing NIS Data
11. Policy: Defining Password Policies
11.1. About Password Policies and Policy Attributes
11.2. Viewing Password Policies
11.2.1. Viewing the Global Password Policy
11.2.1.1. With the Web UI
11.2.1.2. With the Command Line
11.2.2. Viewing Group-Level Password Policies
11.2.2.1. With the Web UI
11.2.2.2. With the Command Line
11.2.3. Viewing the Password Policy in Effect for a User
11.3. Editing the Global Password Policy
11.3.1. With the UI
11.3.2. With the Command Line
11.4. Creating Group-Level Password Policies
11.4.1. With the Web UI
11.4.2. With the Command Line
11.5. Changing the Priority of Group Password Policies
11.6. Setting Account Lockout Policies
11.7. Enabling a Password Change Dialog
12. Policy: Managing the Kerberos Domain
12.1. About Kerberos
12.1.1. About Principal Names
12.1.2. About Protecting Keytabs
12.2. Setting Kerberos Ticket Policies
12.2.1. Setting Global Ticket Policies
12.2.1.1. From the Web UI
12.2.1.2. From the Command Line
12.2.2. Setting User-Level Ticket Policies
12.3. Refreshing Kerberos Tickets
12.4. Caching Kerberos Passwords
12.5. Removing Keytabs
12.6. Troubleshooting Kerberos Errors
13. Policy: Using sudo
13.1. About sudo and IPA
13.1.1. General sudo Configuration in Identity Management
13.1.2. sudo and Netgroups
13.1.3. Supported sudo Clients
13.2. Setting up sudo Commands and Command Groups
13.2.1. Adding sudo Commands
13.2.1.1. Adding sudo Commands with the Web UI
13.2.1.2. Adding sudo Commands with the Command Line
13.2.2. Adding sudo Command Groups
13.2.2.1. Adding sudo Command Groups with the Web UI
13.2.2.2. Adding sudo Command Groups with the Command Line
13.3. Defining sudo Rules
13.3.1. Defining sudo Rules in the Web UI
13.3.2. Defining sudo Rules in the Command Line
13.4. An Example of Configuring sudo
13.4.1. Server Configuration for sudo Rules
13.4.2. Client Configuration for sudo Rules
14. Policy: Configuring Host-Based Access Control
14.1. About Host-Based Access Control
14.2. Creating Host-Based Access Control Entries for Services and Service Groups
14.2.1. Adding HBAC Services
14.2.1.1. Adding HBAC Services in the Web UI
14.2.1.2. Adding Services in the Command Line
14.2.2. Adding Service Groups
14.2.2.1. Adding Service Groups in the Web UI
14.2.2.2. Adding Service Groups in the Command Line
14.3. Defining Host-Based Access Control Rules
14.3.1. Setting Host-Based Access Control Rules in the Web UI
14.3.2. Setting Host-Based Access Control Rules in the Command Line
14.4. Testing Host-Based Access Control Rules
14.4.1. The Limits of Host-Based Access Control Configuration
14.4.2. Test Scenarios for Host-Based Access Control
15. Configuration: Defining Access Control within IPA
15.1. About Access Controls for IPA Entries
15.1.1. A Brief Look at Access Control Concepts
15.1.2. Access Control Methods in Identity Management
15.2. Defining Self-Service Settings
15.2.1. Creating Self-Service Rules from the Web UI
15.2.2. Creating Self-Service Rules from the Command Line
15.2.3. Editing Self-Service Rules
15.3. Delegating Permissions over Users
15.3.1. Delegating Access to User Groups in the Web UI
15.3.2. Delegating Access to User Groups in the Command Line
15.4. Defining Role-Based Access Controls
15.4.1. Creating Roles
15.4.1.1. Creating Roles in the Web UI
15.4.1.2. Creating Roles in the Command Line
15.4.2. Creating New Permissions
15.4.2.1. Creating New Permissions from the Web UI
15.4.2.2. Creating New Permissions from the Command Line
15.4.3. Creating New Privileges
15.4.3.1. Creating New Privileges from the Web UI
15.4.3.2. Creating New Privileges from the Command Line
16. Configuring the IPA Server
16.1. Identity Management Files and Logs
16.1.1. A Reference of IPA Server Configuration Files and Directories
16.1.2. About default.conf and Context Configuration Files
16.1.3. Checking IPA Server Logs
16.1.3.1. Enabling Server Debug Logging
16.1.3.2. Debugging Command-Line Operations
16.2. Disabling Anonymous Binds
16.3. Configuring Alternate Certificate Authorities
16.4. Configuring CRLs and OCSP Responders
16.4.1. Using an OCSP Responder with SELinux
16.4.2. Changing the CRL Update Interval
16.4.3. Changing the OCSP Responder Location
16.5. Setting an IPA Server as an Apache Virtual Host
16.6. Setting DNS Entries for Multi-Homed Servers
16.7. Managing Replication Agreements Between IPA Servers
16.7.1. Listing Replication Agreements
16.7.2. Creating and Removing Replication Agreements
16.7.3. Forcing Replication
16.7.4. Reinitializing IPA Servers
16.8. Promoting a Replica to an IPA Server
16.8.1. Promoting a Replica with a Dogtag Certificate System CA
16.8.2. Promoting a Replica with a Self-Signed CA
16.9. Testing Before Upgrading the IPA Server
17. Migrating from an LDAP Directory to IPA
17.1. An Overview of LDAP to IPA Migration
17.1.1. Planning the Client Configuration
17.1.1.1. Initial Client Configuration (Pre-Migration)
17.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
17.1.1.3. Alternative Supported Configuration
17.1.2. Planning Password Migration
17.1.3. Migration Considerations and Requirements
17.1.3.1. LDAP Servers Supported for Migration
17.1.3.2. Migration Environment Requirements
17.1.3.3. Migration Tools
17.1.3.4. Migration Sequence
17.2. Scenario 1: Using SSSD as Part of Migration
17.3. Scenario 2: Migrating an LDAP Server Directly to Identity Management
18. Working with certmonger
18.1. Requesting a Certificate with certmonger
18.2. Storing Certificates in NSS Databases
18.3. Tracking Certificates with certmonger
A. Frequently Asked Questions
B. IPA Tools Reference
B.1. Using Special Characters
B.2. ipa
B.2.1. Location
B.2.2. Syntax
B.2.3. Help Topics
B.2.4. Global Options
B.2.5. Adding Attributes with --setattr and --addattr
B.2.6. Return Codes
B.2.7. Commands
B.3. ipa DNS Commands
B.3.1. ipa dnszone-add
B.3.1.1. Syntax
B.3.1.2. Options
B.4. ipa Host Commands
B.4.1. ipa host-add
B.4.1.1. Syntax
B.4.1.2. Options
B.5. Server Scripts
B.5.1. ipa-replica-install
B.5.1.1. Location
B.5.1.2. Syntax
B.5.1.3. Options
B.5.2. ipa-replica-prepare
B.5.2.1. Location
B.5.2.2. Syntax
B.5.2.3. Options
B.5.3. ipa-server-install
B.5.3.1. Location
B.5.3.2. Syntax
B.5.3.3. Options
B.6. Client Scripts
B.6.1. ipa-client-install
B.6.1.1. Location
B.6.1.2. Syntax
B.6.1.3. Options
Glossary
Index