Red Hat SummitChapter 13. Identity Management
The following chapters contain the most notable changes to Identity Management (IdM) between RHEL 9 and RHEL 10.
DNS over TLS (DoT) in IdM deployments is available as a Technology Preview
Encrypted DNS using DNS over TLS (DoT) is now available as a Technology Preview in Identity Management (IdM) deployments. You can now encrypt all DNS queries and responses between DNS clients and IdM DNS servers.
To start using this functionality, install the ipa-server-encrypted-dns package on IdM servers and replicas, and the ipa-client-encrypted-dns package on IdM clients. Administrators can enable DoT during the installation using the --dns-over-tls option.
IdM configures Unbound as a local caching resolver and BIND to receive DoT requests. This functionality is available through the command-line interface (CLI) and non-interactive installations of IdM.
The following options were added to installation utilities for IdM servers, replicas, clients, and the integrated DNS service:
-
--dot-forwarderto specify an upstream DoT-enabled DNS server. -
--dns-over-tls-keyand--dns-over-tls-certto configure DoT certificates. -
--dns-policyto set a DNS security policy to either allow fallback to unencrypted DNS or enforce strict DoT usage.
By default, IdM uses the relaxed DNS policy, which allows fallback to unencrypted DNS. You can enforce encrypted-only communication by using the new --dns-policy option with the enforced setting.
You can also enable DoT on an existing IdM deployment by reconfiguring the integrated DNS service using ipa-dns-install with the new DoT options.
Support for dynamic DoT updates in SSSD
SSSD now supports performing all dynamic DNS (dyndns) queries using DNS-over-TLS (DoT). You can securely update DNS records when IP addresses change, such as Identity Management (IdM) and Active Directory servers. To enable this functionality, you must install the nsupdate tool from the bind9.18-utils package.
You can use the following new options in the sssd.conf file to enable DoT and configure custom certificates for secure DNS updates:
- dyndns_dns_over_tls
- dyndns_tls_ca_cert
- dyndns_tls_cert
- dyndns_tls_key
For more details about these options, see the sssd-ad(5) and sssd-ad(5) man pages on your system.
IdM-to-IdM migration is now available as a Technology Preview
In RHEL 10, you can use the new ipa-migrate utility, which Red Hat provides as an unsupported Technology Preview, to migrate all IdM-specific data, such as SUDO rules, HBAC, DNA ranges, hosts, services, and more, to another IdM server. This can be useful, for example, when moving IdM from a development or staging environment into a production one or when migrating IdM data between two production servers.
ansible-freeipa now uses the Ansible collection format
In RHEL 10, the ansible-freeipa rpm installs the freeipa.ansible_freeipa collection only.
To use the new collection, add the freeipa.ansible_freeipa prefix to the names of roles and modules. Use the fully-qualified names to follow Ansible recommendations. For example, to refer to the ipahbacrule module, use freeipa.ansible_freeipa.ipahbacrule.
You can simplify the use of modules that are part of the freeipa.ansible_freeipa collection by applying module_defaults.
HSM is now fully supported in IdM
Hardware Security Modules (HSM) are now fully supported in Identity Management (IdM). You can store your key pairs and certificates for your IdM Cerificate Authority (CA) and Key Recovery Authority (KRA) on an HSM. This adds physical security to the private key material.
IdM relies on the networking features of the HSM to share the keys between machines to create replicas. The HSM provides additional security without visibly affecting most IPA operations. When using low-level tooling the certificates and keys are handled differently but this is seamless for most users.
Migration of an existing CA or KRA to an HSM-based setup is not supported. You need to reinstall the CA or KRA with keys on the HSM.
You need the following:
- A supported HSM
- The HSM Public-Key Cryptography Standard (PKCS) #11 library
- An available slot, token, and the token password
To install a CA or KRA with keys stored on an HSM, you must specify the token name and the path to the PKCS#11 library. For example:
ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kra
ipa-server-install -r EXAMPLE.TEST -U --setup-dns --allow-zone-overlap --no-forwarders -N --auto-reverse --random-serial-numbers --token-name=HSM-TOKEN --token-library-path=/opt/nfast/toolkits/pkcs11/libcknfast.so --setup-kraAutomated removal of expired certificates is enabled by default
In RHEL 10, automated removal of expired certificates is now enabled by default in IdM on new replicas. A prerequisite for this is the generation of random serial numbers for certificates using RSNv3, which is now also enabled by default.
As a result, certificates are now created with random serial numbers and are removed automatically when expired, after a default retention period of 30 days after expiry.
DNSSEC not working correctly in IdM
The DNS Security Extensions (DNSSEC) do not function correctly in IdM in RHEL 10 because of multiple unresolved issues stemming from the replacement of the openssl-pkcs11 OpenSSL engine with the pkcs11-provider OpenSSL provider.
The changes introduced by OpenSSL have impacted the integrated DNS functionality within RHEL IdM. Specifically, the changes are affecting multiple components in IdM, including ipa, bind, bind-dyndb-ldap, softhsm, and python-cryptography, and how these components interact with security modules.
The pam_console module has been removed
The pam_console module has been removed from RHEL 10. The pam_console module granted file permissions and authentication capabilities to users logged in at the physical console or terminals, and adjusted these privileges based on console login status and user presence. As an alternative to pam_console, you can use the systemd-logind system service instead. For configuration details, see the logind.conf(5) man page.
The libsss_simpleifp subpackage has been removed
The libsss_simpleifp subpackage that provided the libsss_simpleifp.so library was deprecated in RHEL 9. The libsss_simpleifp subpackage has been removed in RHEL 10.
The enumeration feature has been removed for AD and IdM providers
Support for the enumeration feature, which enabled you to list all users or groups using getent passwd/group for AD and IdM providers, was deprecated in Red Hat Enterprise Linux (RHEL) 9. The enumeration feature has been removed in RHEL 10.
The NIS server emulator has been removed
RHEL IdM does not provide the NIS functionality anymore.
The RSA PKINIT method has been removed
The private key-based RSA method is no longer supported in the MIT Kerberos. It has been removed for security reasons, especially for its vulnerability to the Marvin attack. As a result, the -X flag_RSA_PROTOCOL parameter of the kinit commands has no effect anymore. The Diffie-Hellman key agreement method is used as the default PKINIT mechanism.
The 389-ds-base package now creates only LMDB instances
Previously, Directory Server created instances with Berkeley Database (BDB). However, the libdb library that implements the BDB version used by 389-ds-base is no longer available in RHEL 10.
Starting with RHEL 10, the 389-ds-base package uses the Lightning Memory-Mapped Database (LMDB) as the database type by default. This change impacts the following areas:
- The migration procedure
- The database configuration parameters
- The database tuning
- Monitoring and log files
LMDB introduces the following configuration parameters that are stored under the new cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config configuration entry:
nsslapd-mdb-max-sizesets the database maximum size in bytes. +- Important
-
Make sure that
nsslapd-mdb-max-sizeis high enough to store all intended data. However, the parameter size must not be too high to impact the performance because the database file is memory-mapped.
-
nsslapd-mdb-max-readerssets the maximum number of read operations that can be opened at the same time. Directory Server autotunes this setting. -
nsslapd-mdb-max-dbssets the maximum number of named database instances that can be included within the memory-mapped database file.
Along with the new LMDB settings, you can still use the nsslapd-db-home-directory database configuration parameter.
The BDB instances are no longer supported in Directory Server. Therefore, migrate all instances to LMDB.
authselect is now required by PAM and cannot be uninstalled
In RHEL 10, authselect-libs package now owns /etc/nsswitch.conf and selected PAM configuration, including system-auth, password-auth, smartcard-auth, fingerprint-auth, and postlogin in /etc/pam.d/. Ownership of these files has been transferred to authselect-libs package, with /etc/nsswitch.conf previously owned by the glibc package and the PAM configuration files previously owned by the pam package. Since authselect is required by the pam package, it cannot be uninstalled.
For system upgrades from previous RHEL versions:
-
If an
authselectconfiguration already exists,authselect apply-changesautomatically updates the configuration to the latest version. If there was no previousauthselectconfiguration on your system, no changes are made. -
On systems managed by
authselect, any non-authselect configurations are now forcefully overwritten without a prompt during the nextauthselectcall. The--forceoption is no longer required.
If you require a special configuration, create a custom authselect profile. Note that you must manually update custom profiles to keep them up to date with your system.
You can opt-out from using authselect:
authselect opt-out
# authselect opt-outThe SSSD files provider has been removed
The SSSD files provider has been removed from RHEL 10.0. Previously, the SSSD files provider was responsible for smart card authentication and session recording for local users. As a replacement, you can configure the SSSD proxy provider.
Local profile is the new default authselect profile
Due to the removal of the SSSD files provider in RHEL 10.0, a new authselect local profile has been introduced to handle local user management without relying on SSSD. The local profile replaces the previous minimal profile and becomes the default authselect profile for new installations instead of the sssd profile.
During upgrades, the authselect utility automatically migrates existing configurations from minimal to local profile.
Additionally, the sssd authselect profile has been updated to remove the with-files-domain and with-files-access-provider options and it no longer handles local user accounts directly via these options. If you relied on these options, you must update your SSSD configuration to use proxy provider instead of files provider.
The sssd profile now supports the --with-tlog option, which enables session recording for users managed by SSSD.
The dnssec-enable: no; option has been removed
The dnssec-enable: no; option in the /etc/named/ipa-options-ext.conf file has been removed in RHEL 10.0. DNS Security Extensions (DNSSEC) are enabled by default and cannot be disabled. The dnssec-validation: no; option still continues to be available.
The reconnection_retries option has been removed
The reconnection_retries option has been removed from the sssd.conf file in SSSD in RHEL 10.0. Because SSSD switched to a new architecture using internal IPC between SSSD processes and responders no longer connect to the backend, the reconnection_retries option is no longer used.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}