Chapter 19. Authentication and Interoperability

The Active Directory (AD) provider is a back end used to connect to an AD server. In Red Hat Enterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is supported as a Technology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the [domain] section of the sssd.conf file.

Identity Management servers with integrated DNS now support DNS Security Extensions (DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted on Identity Management servers can be automatically signed using DNSSEC. The cryptographic keys are automatically generated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow these documents:

DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2

Secure Domain Name System (DNS) Deployment Guide: http://dx.doi.org/10.6028/NIST.SP.800-81-2

DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583

Note that Identity Management servers with integrated DNS use DNSSEC to validate DNS answers obtained from other DNS servers. This might affect the availability of DNS zones that are not configured in accordance with recommended naming practices described in the Red Hat Enterprise Linux Networking Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices.

A new Nunc Stans event framework to handle multiple simultaneous connections has been added as Technology Preview. The framework allows supporting several thousand active connections with no performance degradation. It is disabled by default.

This update implements a browser for the JSON-RPC API in Identity Management. The browser can be used to view the API. Note that this feature is experimental and the API is not yet supported.

The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers.

The Ipsilon server and toolkit is designed to configure Apache-based identity Service Providers. The server is a pluggable self-contained mod_wsgi application that provides federated SSO to web applications.

Ipsilon is introduced in this release as a Technology Preview. Customers are advised not to consider integration of this service for production environments at this time.