Chapter 1. Introduction to Red Hat Identity Management
1.1. The Goal of Red Hat Identity Management
Red Hat Identity Management (IdM) provides a centralized and unified way to manage identity stores, authentication, policies, and authorization policies in a Linux-based domain. IdM significantly reduces the administrative overhead of managing different services individually and using different tools on different machines.
IdM is one of the few centralized identity, policy, and authorization software solutions that support:
- Advanced features of Linux operating system environments
- Unifying large groups of Linux machines
- Native integration with Active Directory
IdM creates a Linux-based and Linux-controlled domain:
- IdM builds on existing, native Linux tools and protocols. It has its own processes and configuration, but its underlying technologies are well-established on Linux systems and trusted by Linux administrators.
- IdM servers and clients are Red Hat Enterprise Linux machines. However, even though IdM does not support Windows clients directly, it allows integration with an Active Directory environment.

Note: This guide describes using IdM in Linux environments only. For more information on integration with Active Directory, see the Windows Integration Guide. For information on the Samba suite, which allows integrating Linux machines into an Active Directory environment, see the Using Samba for Active Directory Integration chapter in the Windows Integration Guide. If you use Samba as a server, note that integrating the server into the IdM domain and authenticating users connecting to the Samba server against the IdM or a trusted Active Directory domain is not supported.
1.1.1. Examples of Benefits Brought by IdM
- Managing identities and policies with several Linux servers
- Without IdM: Each server is administered separately. All passwords are saved on the local machines. The IT administrator manages users on every machine, sets authentication and authorization policies separately, and maintains local passwords.
- With IdM: The IT administrator can:
- Maintain the identities in one central place: the IdM server
- Apply policies uniformly to multiple machines at the same time
- Set different access levels for users by using host-based access control, delegation, and other rules
- Centrally manage privilege escalation rules
- Define how home directories are mounted
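The "With IdM" workflow just listed, as an added example that is not part of the Red Hat guide: a POSIX shell script that uses the ipa command-line tool to centrally define a host-based access control rule, a privilege escalation (sudo) rule, and an automount map for home directories, and then checks the resulting access with ipa hbactest. The user name jdoe, the host group webservers, the rule names, the host web01.example.com and the NFS server nfs.example.com are assumptions; running it for real requires an IdM admin Kerberos ticket, so the idm wrapper supports a dry run (IDM_DRY_RUN=1) that prints the commands for review instead of changing the domain.

```shell
#!/bin/sh
# Added example (not the Red Hat guide's own code): central HBAC, sudo and
# automount policy through the ipa CLI. Names below are assumed, not from the page.

# All ipa invocations go through this wrapper. With IDM_DRY_RUN=1 the commands
# are printed for review instead of executed; otherwise a valid admin ticket is needed.
idm() {
    if [ "${IDM_DRY_RUN:-0}" = "1" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# idm_apply_least_privilege USER HOSTGROUP NFS_SERVER
# Replaces the permissive default (allow_all) with explicit, centrally stored rules:
# who may log in where, what they may run with elevated privileges, and where
# home directories are mounted from.
idm_apply_least_privilege() {
    user="$1"; hostgroup="$2"; nfs_server="$3"
    hbac_rule="allow_${hostgroup}_ssh"
    sudo_rule="${hostgroup}_service_restart"

    # Host group that the rules below are applied to uniformly.
    idm hostgroup-add "$hostgroup" --desc="Assumed example host group"

    # IdM ships an allow_all HBAC rule; disable it so that only explicit rules grant access.
    idm hbacrule-disable allow_all

    # HBAC: only USER, only on HOSTGROUP, only over sshd.
    idm hbacrule-add "$hbac_rule" --desc="SSH access for $user to $hostgroup"
    idm hbacrule-add-user "$hbac_rule" --users="$user"
    idm hbacrule-add-host "$hbac_rule" --hostgroups="$hostgroup"
    idm hbacrule-add-service "$hbac_rule" --hbacsvcs=sshd

    # Sudo: a single allowed command instead of unrestricted root.
    idm sudocmd-add /usr/bin/systemctl --desc="Service control"
    idm sudorule-add "$sudo_rule" --desc="Let $user manage services on $hostgroup"
    idm sudorule-add-user "$sudo_rule" --users="$user"
    idm sudorule-add-host "$sudo_rule" --hostgroups="$hostgroup"
    idm sudorule-add-allow-command "$sudo_rule" --sudocmds=/usr/bin/systemctl

    # Automount: home directories served from NFS with Kerberos security, stored in the
    # default automount location so every client mounts them the same way.
    idm automountmap-add-indirect default auto.home --mount=/home
    idm automountkey-add default auto.home --key='*' \
        --info="-fstype=nfs4,sec=krb5 ${nfs_server}:/export/home/&"
}

# idm_verify_access USER HOST: ask the server whether the HBAC rules grant sshd
# access before relying on them (detects an overlooked allow rule as well as a lockout).
idm_verify_access() {
    idm hbactest --user="$1" --host="$2" --service=sshd
}

# Usage (dry run first, then without IDM_DRY_RUN once the output has been reviewed):
#   IDM_DRY_RUN=1 sh idm_policy.sh
if [ "${IDM_POLICY_MAIN:-1}" = "1" ] && [ -z "${IDM_POLICY_SOURCED:-}" ]; then
    : # no top-level side effects; call the functions explicitly as shown above
fi
```

The script only defines functions, so it can be sourced and its dry-run output diffed against a change ticket before anything is written to the directory; disabling allow_all is the step most often forgotten when HBAC is introduced, and without it the new rule adds nothing.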
- Enterprise single sign-on
- Without IdM: Users log in to the system and are prompted for a password every single time they access a service or application. These passwords might be different, and the users have to remember which credential to use for which application.
- With IdM: After users log in to the system, they can access multiple services and applications without being repeatedly asked for their credentials. This helps:
- Improve usability
- Reduce the security risk of passwords being written down or stored insecurely
- Boost user productivity
- Managing a mixed Linux and Windows environment
- Without IdM: Windows systems are managed in an Active Directory forest, but development, production, and other teams have many Linux systems. The Linux systems are excluded from the Active Directory environment.
- With IdM: The IT administrator can:
- Manage the Linux systems using native Linux tools
- Integrate the Linux systems with the Windows systems, thus preserving a centralized user store
- Expand the Linux base easily
- Separate management of Linux and Active Directory machines and enable Linux and Windows admins to control their environment directly
1.1.2. Contrasting Identity Management with a Standard LDAP Directory
A standard LDAP directory, such as Red Hat Directory Server, is a general-purpose directory: it can be customized to fit a broad range of use cases.
- Schema: a flexible schema that can be customized for a vast array of entries, such as users, machines, network entities, physical equipment, or buildings.
- Typically used as: a back-end directory to store data for other applications, such as business applications that provide services on the Internet.
Identity Management (IdM) has a specific purpose: managing identities as well as authentication and authorization policies that relate to these identities.
- Schema: a specific schema that defines a particular set of entries relevant to its purpose, such as entries for user or machine identities.
- Typically used as: the identity and authentication server to manage identities within the boundaries of an enterprise or a project.
The underlying directory server technology is the same for both Red Hat Directory Server and IdM. However, IdM is optimized to manage identities. This limits its general extensibility, but also brings certain benefits: simpler configuration, better automation of resource management, and increased efficiency in managing identities.
Additional Resources
- Identity Management or Red Hat Directory Server – Which One Should I Use? on the Red Hat Enterprise Linux Blog.