Chapter 2. Configuring System Authentication
Authentication is the process in which a user is identified and verified to a system. It requires presenting some sort of identity and credentials, such as a user name and password. The system then compares the credentials against the configured authentication service. If the credentials match and the user account is active, then the user is authenticated.
Once a user is authenticated, the information is passed to the access control service to determine what the user is permitted to do. Those are the resources the user is authorized to access. Note that authentication and authorization are two separate processes.
The system must have a configured list of valid account databases for it to check for user authentication. The information to verify the user can be located on the local system or the local system can reference a user database on a remote system, such as LDAP or Kerberos. A local system can use a variety of different data stores for user information, including Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), and Winbind. Both LDAP and NIS data stores can use Kerberos to authenticate users.
For convenience and potentially part of single sign-on, Red Hat Enterprise Linux can use the System Security Services Daemon (SSSD) as a central daemon to authenticate the user to different identity back ends or even to ask for a ticket-granting ticket (TGT) for the user. SSSD can interact with LDAP, Kerberos, and external applications to verify user credentials.
This chapter explains what tools are available in Red Hat Enterprise Linux for configuring system authentication:
- the
ipa-client-install
utility and therealmd
system for Identity Management systems; see Section 2.1, “Identity Management Tools for System Authentication” for more information - the
authconfig
utility and the authconfig UI for other systems; see Section 2.2, “Usingauthconfig
” for more information
2.1. Identity Management Tools for System Authentication
You can use the
ipa-client-install
utility and the realmd
system to automatically configure system authentication on Identity Management machines.
ipa-client-install
- The
ipa-client-install
utility configures a system to join the Identity Management domain as a client machine. For more information aboutipa-client-install
, see the Installing a Client in the Linux Domain Identity, Authentication, and Policy Guide.Note that for Identity Management systems,ipa-client-install
is preferred overrealmd
. realmd
- The
realmd
system joins a machine to an identity domain, such as an Identity Management or Active Directory domain. For more information aboutrealmd
, see the Using realmd to Connect to an Active Directory Domain section in the Windows Integration Guide.