Chapter 4. Integration with external authentication and authorization domains


The Directory and Domain Services feature brings an additional security level by joining the identity and access management systems of your organization with the Red Hat Hybrid Cloud Console. You can register your existing identity provider domain, such as Red Hat Identity Management (IdM).

Important

The Directory and Domain Services feature is only available in the Preview mode.

4.1. Security considerations for Directory and Domain Services

To register your organization's identity domain in the Red Hat Hybrid Cloud Console and enroll machines in it, you must open ports for the required services on the server where your identity domain is deployed.

For example, to ensure that your machines running in a public cloud environment can reach your IdM server, you must allow access to the following services on the IdM server:

HTTPS
Allows the Directory and Domain Services to use the certificate from the RHEL subscription to enroll the image in the IdM server using the IPA API.
Kerberos
Allows users and hosts to authenticate with the Kerberos authentication method.
LDAP
Allows SSSD to retrieve security policies and user information from the IdM server.

The following ports must be open to provide access to these services.

Table 4.1. IdM ports

Service        Ports      Protocol
HTTP/HTTPS     80, 443    TCP
LDAP/LDAPS     389, 636   TCP
Kerberos       88, 464    TCP and UDP
DNS            53         TCP and UDP (optional)

Opening these ports allows every enrolled machine that runs in a public cloud environment to reach your organization's IdM server over these protocols. Make sure your company security policies allow it.
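A preflight check that a cloud instance can run before enrollment to confirm it can reach the TCP ports from Table 4.1. This is an added example, not part of the Red Hat documentation; it assumes bash and the coreutils timeout command are present on the instance and takes the IdM server host name (a placeholder) as its argument. It goes slightly beyond the table by treating DNS as optional and flagging the UDP ports, which a TCP connect cannot probe, as unchecked.

```shell
#!/usr/bin/env bash
# Preflight check for Table 4.1: can this machine reach the IdM server's TCP ports?
# Constructed example; the IdM host name is an assumed placeholder passed as $1.
set -u

# service:port:proto entries taken from Table 4.1. Kerberos and DNS also use UDP,
# which a plain TCP connect cannot probe, so those are reported as "unchecked".
REQUIRED_PORTS="http:80:tcp https:443:tcp ldap:389:tcp ldaps:636:tcp kerberos:88:tcp kpasswd:464:tcp"
OPTIONAL_PORTS="dns:53:tcp"
UDP_NOTE="kerberos:88/udp kpasswd:464/udp dns:53/udp"

# Number of mandatory TCP ports in the table.
required_count() { set -- $REQUIRED_PORTS; echo "$#"; }

# check_tcp HOST PORT [TIMEOUT]: exit 0 when a TCP connection succeeds,
# non-zero when it is refused or filtered (timeout). Uses bash's /dev/tcp.
check_tcp() {
  host=$1; port=$2; t=${3:-3}
  timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# preflight HOST: prints one line per port and returns the number of
# unreachable mandatory ports, so a return value of 0 means the machine can enroll.
preflight() {
  host=$1; failed=0
  for entry in $REQUIRED_PORTS $OPTIONAL_PORTS; do
    svc=${entry%%:*}; rest=${entry#*:}; port=${rest%%:*}; proto=${rest#*:}
    if check_tcp "$host" "$port"; then
      printf 'OK        %-9s %s/%s\n' "$svc" "$port" "$proto"
    elif [ "$svc" = dns ]; then
      printf 'OPTIONAL  %-9s %s/%s not reachable\n' "$svc" "$port" "$proto"
    else
      printf 'BLOCKED   %-9s %s/%s\n' "$svc" "$port" "$proto"
      failed=$((failed + 1))
    fi
  done
  for u in $UDP_NOTE; do
    printf 'UNCHECKED %s (verify with a real Kerberos or DNS query)\n' "$u"
  done
  return "$failed"
}

# Usage: sh preflight.sh idm.example.com   (the host name is a placeholder)
if [ $# -ge 1 ]; then preflight "$1"; fi
```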

4.2. Registering an identity domain with the Hybrid Cloud Console

You can register the identity domain of your organization in the Red Hat Hybrid Cloud Console. It enables you to use your existing identity domain with the new instances running from images in the Hybrid Cloud Console.

Currently, the Directory and Domain Services only support an IdM setup. You can only enable one domain at a time. When you enable a domain, you must disable all other domains in the Red Hat Hybrid Cloud Console.

Prerequisites

  • You have the ipa-hcc-server package installed from the EPEL repository on the existing IdM server.
  • You have IPA administrator permissions.
  • You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role. For more details, see Procedures for configuring User Access in Red Hat Hybrid Cloud Console.

Procedure

  1. Access Hybrid Cloud Console, click Settings > Integrations and from the navigation panel choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
  2. Click Register identity domain to open the Register identity domain wizard.
  3. Optional: On the Preparation page, the wizard prompts you to verify the ipa-hcc-server package is installed on your IdM server. Follow the instructions on the page and click Next.
  4. On the Registration page:

    1. Copy the command for registering your domain, switch to the terminal of your IdM server, and run the command with root privileges:

      # ipa-hcc register <registration token>
      
      Domain information:
          realm name:     <REALM_NAME>
          domain name:    <domain_name>
          dns domains:    <dns_domains>
    2. To continue registering your IdM server, type Yes:

      Proceed with registration? Yes/No (default No): <Yes>
  5. After the registration command completes on your IdM server, switch back to the Register identity domain wizard and on the Registration page click Test again to verify the registration. Wait for the wizard to verify your registration and click Next.
  6. On the Details page, you can customize the Display name field for your domain. Optionally, enter a description for this domain, and leave the Domain auto-join on launch toggle enabled if you want the domain to be available when you launch images in a public cloud environment after you complete the registration. Click Next.
  7. On the Review page, review all your settings and click Finish to complete the registration.

Verification

  • Confirm that your domain appears on the Directory and Domain Services dashboard.

Next steps

  • You can enroll your machines in the registered domain when you launch them to the environment of your choice. To do so, add the ipa-hcc-client package from the EPEL repository when you create the blueprint in Images.

4.3. Editing identity domain registrations

You can rename and edit the description of the registered domain. You can also enable or disable the auto-join on launch feature for the registered domain.

Prerequisites

  • You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role.

Procedure

  1. Access Hybrid Cloud Console, click Settings > Integrations and from the navigation panel choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
  2. From the list of domains locate the domain you want to edit, click the Option menu, and choose Edit.
  3. You can edit the following parameters:

    Display name
    Changes the name of your domain.
    Description
    Changes the description of your domain.
    Domain auto-join on launch
    Enables or disables enrolling instances in this domain when they are launched to public cloud providers.

4.4. Removing authentication domain registration from Hybrid Cloud Console

You can remove the registration of your external authentication domain from the Red Hat Hybrid Cloud Console.

Prerequisites

  • You have Organization Administrator permissions or you have a user with the Directory and Domain Services administrator role.

Procedure

  1. Access Hybrid Cloud Console, click Settings > Integrations and from the navigation panel choose Directory and Domain Services. The Directory and Domain Services dashboard opens.
  2. From the list of domains locate the domain you want to remove, click the Option menu, and choose Delete. The Delete identity domain registration window opens.
  3. Select the I understand that this action cannot be undone checkbox and click Delete.
  4. Optional: Access your IdM server terminal and uninstall the ipa-hcc-server package:

    # dnf remove ipa-hcc-server

    If your IdM deployment consists of multiple servers, remove the ipa-hcc-server package from all of the servers.

Verification

  • Open the Directory and Domain Services dashboard and verify that the registration of your external authentication domain is no longer listed.
© 2024 Red Hat, Inc.