Chapter 18. Identity Management

In RHEL 8, the packages necessary for installing an Identity Management (IdM) server and client are distributed as a module. The client stream is the default stream of the idm module, and you can download the packages necessary for installing the client without enabling the stream.

The IdM server module stream is called DL1 and contains multiple profiles that correspond to the different types of IdM servers:

To download the packages in a specific profile of the DL1 stream:

For details, see Installing packages required for an Identity Management server and Packages required to install an Identity Management client.

The default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3 does not allow the use of the AES HMAC-SHA1 encryption types' key derivation function as defined by RFC3961, section 5.1.

This constraint does not allow you to add a RHEL 9 IdM replica in FIPS mode to a RHEL 8 IdM environment in FIPS mode in which the first server was installed on a RHEL 8.6 or earlier systems. This is because there are no common encryption types between RHEL 9 and the previous RHEL versions, which commonly use the AES HMAC-SHA1 encryption types but do not use the AES HMAC-SHA2 encryption types.

kadmin.local getprinc K/M | grep -E '^Key:'

# kadmin.local getprinc K/M | grep -E '^Key:'

We are working on a solution to generate missing AES HMAC-SHA2-encrypted Kerberos keys on RHEL 7 and RHEL 8 servers. This will achieve FIPS 140-3 compliance on the RHEL 9 replica. However, this process cannot be fully automated, because the design of Kerberos key cryptography makes it impossible to convert existing keys to different encryption types. The only way is to ask users to renew their passwords.

In Red Hat Enterprise Linux (RHEL) 7, external group membership allows AD users and groups to access IdM resources in a POSIX environment with the help of the System Security Services Daemon (SSSD).

The IdM LDAP server has its own mechanisms to grant access control. RHEL 8 introduces an update that allows adding an ID user override for an AD user as a member of an IdM group. An ID override is a record describing what a specific Active Directory user or group properties should look like within a specific ID view, in this case the Default Trust View. As a consequence of the update, the IdM LDAP server is able to apply access control rules for the IdM group to the AD user.

AD users are now able to use the self service features of IdM UI, for example to upload their SSH keys, or change their personal data. An AD administrator is able to fully administer IdM without having two different accounts and passwords.

Red Hat Enterprise Linux 8.1 introduces the ansible-freeipa package, which provides Ansible roles and modules for Identity Management (IdM) deployment and management. You can use Ansible roles to install and uninstall IdM servers, replicas, and clients. You can use Ansible modules to manage IdM groups, topology, and users. There are also example playbooks available.

This update simplifies the installation and configuration of IdM based solutions.

Starting with RHEL 8.6, installing the ansible-freeipa package automatically installs the ansible-core package, a more basic version of ansible, as a dependency. Both ansible-freeipa and ansible-core are available in the rhel-9-for-x86_64-appstream-rpms repository.

ansible-freeipa in RHEL 8.6 contains all the modules that it contained prior to RHEL 8.6.

Prior to RHEL 8.6, you first had to enable the Ansible repository and install the ansible package. Only then could you install ansible-freeipa.

As of Red Hat Enterprise Linux 8.6, you can download ansible-freeipa modules from the Ansible Automation Hub (AAH) instead of downloading them from the standard RHEL repository. By using AAH, you can benefit from the faster updates of the ansible-freeipa modules available in this repository.

In AAH, ansible-freeipa roles and modules are distributed in the collection format. Note that you need an Ansible Automation Platform (AAP) subscription to access the content on the AAH portal. You also need ansible version 2.14 or later.

The redhat.rhel_idm collection has the same content as the traditional ansible-freeipa package. However, the collection format uses a fully qualified collection name (FQCN) that consists of a namespace and the collection name. For example, the redhat.rhel_idm.ipadnsconfig module corresponds to the ipadnsconfig module in ansible-freeipa provided by a RHEL repository. The combination of a namespace and a collection name ensures that the objects are unique and can be shared without any conflicts.

As of RHEL 8.10, you can associate Identity Management (IdM) users with external identity providers (IdPs) that support the OAuth 2 device authorization flow. Examples of such IdPs include Red Hat build of Keycloak, Azure Entra ID, Github, Google, and Facebook.

If an IdP reference and an associated IdP user ID exist in IdM, you can use them to enable an IdM user to authenticate at the external IdP. After performing authentication and authorization at the external IdP, the IdM user receives a Kerberos ticket with single sign-on capabilities. The user must authenticate with the SSSD version available in RHEL 8.7 or later.

You can also use the idp ansible-freeipa module to configure IdP authentication for IdM users.

A session recording solution has been added to Red Hat Enterprise Linux 8 (RHEL 8). A new tlog package and its associated web console session player enable to record and playback the user terminal sessions. The recording can be configured per user or user group via the System Security Services Daemon (SSSD) service. All terminal input and output is captured and stored in a text-based format in a system journal. The input is inactive by default for security reasons not to intercept raw passwords and other sensitive information.

The solution can be used for auditing of user sessions on security-sensitive systems. In the event of a security breach, the recorded sessions can be reviewed as a part of a forensic analysis. The system administrators are now able to configure the session recording locally and view the result from the RHEL 8 web console interface or from the command line using the tlog-play utility.