Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 12. Deploying Identity Management in a controlled environment: a proof of concept

Explore basic features and concepts of Identity Management in RHEL (IdM) in a safe, isolated sandbox environment.

Gain hands-on experience with the following:

  • Installing a minimal IdM cluster consisting of an IdM server, replica, and client by using Ansible automation.
  • Configuring authentication and various access controls through the IdM Web UI, focusing on host-based access control, role-based access control, and sudo rules. The IdM Web UI is intuitive and so provides the best starting point for interacting with IdM.
  • Performing the same authentication and access control configurations with Ansible, discovering the simplicity, automation, and scalability that Ansible playbooks bring to system management.
Warning

Deploying Identity Management in a controlled environment: a proof of concept is designed to help you test and familiarize yourself with various IdM capabilities, preparing you for deployment in a production environment. It is not intended for direct use in production.

Learn how to perform a basic installation of Identity Management (IdM) in RHEL for testing prior to production deployment. You install the software using an Ansible playbook, which ensures convenience and repeatability.

Prerequisites

  • A system running Red Hat Enterprise Linux (RHEL) with 16 GB of RAM or more.
  • A RHEL subscription.

Terminology and assumptions

  • root is the account on the managed nodes that is used to perform the actions defined in the Ansible playbooks.
  • controller.idm.example.com is the name of the Ansible control node, that is the host on which the Ansible playbooks are stored and run.
  • server.idm.example.com, replica.idm.example.com, and client.idm.example.com are the managed nodes on which Identity Management in RHEL is installed and configured.
  • The control node and the managed nodes are running on virtual machines. All these virtual machines are installed on one physical system that runs RHEL.

Learn how to install RHEL on your virtual machines so that you can later install an IdM cluster on them using the ansible-freeipa RPM collection.

Prerequisites

  • You have downloaded the latest ISO image of RHEL 8, 9 or 10 from the Red Hat Customer Portal.

Procedure

  1. Use the ISO image to install a new VM for the controller system. For details, see Interactively installing RHEL from installation media. During the installation, pay attention to the following:

    1. If you are using the Virtual Machine Manager (VMM) to install your VMs, name the hosts in the controller, server, replica, and client, so that you can match the names in the VMM UI to the names of the hosts on the CLI.
    2. Reserve at least 4 GB of RAM on the VMs on which you are installing an IdM server and replica. 1 GB is enough for a client system.
    3. Reserve 20 GB for the storage on the IdM server and IdM replica.
    4. Select Install, not Test and Install.
    5. Create a local ansible user on the controller during the installation.
    6. Set an easy-to-remember password for the ansible user, for example 12345.
    7. In the Root password section, enter an easy-to-remember password, for example 1234.
    8. Check the Allow root SSH login with password check box.

  2. After the installation is complete, configure the host name for the controller VM:

    1. On the controller VM CLI, enter nmtui.
    2. Using the Down Arrow key, select Set system hostname.

    3. In the newly opened window, enter controller.idm.example.com.

      The host name must be a fully qualified domain name, such as controller.idm.example.com. For more information, see Meeting DNS host name and DNS requirements for IdM in Installing Identity Management.

    4. Using the Down and Right Arrow keys, select OK.
    5. Confirm the new host name by clicking OK again.
    6. In the higher-level interface, select OK and Quit by using the Down and Right Arrow keys.

    7. [Optional] To verify the host name, use the hostname utility on the system: 

      # hostname
      Copy to Clipboard Toggle word wrap 
      controller.idm.example.com
      Copy to Clipboard Toggle word wrap

      The output of hostname must not be localhost or localhost6.

  3. Repeat the previous steps for all the other VMs: server, replica, and client.

  4. Configure reciprocal logins to individual systems using host names instead of IP addresses:

    1. On the controller CLI, enter: 

      # ip a
      Copy to Clipboard Toggle word wrap 
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:b7:e6:ac brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.86/24 brd 192.168.122.255 scope global dynamic noprefixroute enp1s0
       valid_lft 3106sec preferred_lft 3106sec
    inet6 fe80::5054:ff:feb7:e6ac/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
      Copy to Clipboard Toggle word wrap

      Note the IP address that starts with 192.168.X.X.

    2. Do the same on all the other virtual hosts.

    3. On controller, add the host names and IP addresses of all the virtual systems to /etc/hosts file. The file can look as follows: 

      127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.122.86 controller.idm.example.com controller
192.168.122.42 server.idm.example.com server
192.168.122.103 replica.idm.example.com replica
192.168.122.200 client.idm.example.com client
      Copy to Clipboard Toggle word wrap
    4. Update the /etc/hosts file on your physical system in the same way.

  5. Ensure that the operating system on controller is up to date:

    1. SSH from your local system to the root account on controller: 

      your-physical-system]$ ssh root@controller
      Copy to Clipboard Toggle word wrap

    2. Register the controller virtual machine with Red Hat’s subscription management service: 

      # subscription-manager register --username <your_user_name> --password <your_password>
      Copy to Clipboard Toggle word wrap

    3. Ensure that you are using the latest packages: 

      # yum update
      Copy to Clipboard Toggle word wrap
    4. Repeat the previous steps for all the other VMs.

Verification

  • Test connectivity between your physical system and one of the virtual systems by using its fully-qualified domain name (FQDN) or short name: 

    your-physical-system]$ ping controller
    Copy to Clipboard Toggle word wrap 
    PING controller.idm.example.com (192.168.122.86) 56(84) bytes of data.
64 bytes from controller.idm.example.com (192.168.122.86): icmp_seq=1 ttl=64 time=0.353 ms
64 bytes from controller.idm.example.com (192.168.122.86): icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from controller.idm.example.com (192.168.122.86): icmp_seq=3 ttl=64 time=0.453 ms
    Copy to Clipboard Toggle word wrap

Learn how to prepare the Ansible control node for installing and configuring IdM on the managed nodes.

Prerequisites

Procedure

  1. On the controller system, create an SSH public and private key: 

    [ansible@controller]$ ssh-keygen
    Copy to Clipboard Toggle word wrap 
    Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): [Enter]
Enter same passphrase again: [Enter]
...
    Copy to Clipboard Toggle word wrap

    Use the suggested default location for the key file. As this is a PoC environment, leave the passphrase empty.

  2. Create the ~/.ansible.cfg file with the following content: 

    [defaults]
inventory = /home/ansible/inventory
remote_user = root
    Copy to Clipboard Toggle word wrap
    Note

    Settings in the ~/.ansible.cfg file have a higher priority and override settings from the global /etc/ansible/ansible.cfg file.

    With these settings, Ansible performs the following actions:

    • Manages hosts in the specified inventory file.
    • Uses the account set in the remote_user parameter when it establishes SSH connections to managed nodes.

  3. Create an ~/inventory file in INI or YAML format that lists the host names of managed hosts and the values for the required installation variables: 

    [ipaserver]
server.idm.example.com

[ipaserver:vars]
ipaserver_domain=idm.example.com
ipaserver_realm=IDM.EXAMPLE.COM
ipaserver_setup_dns=True
ipaserver_auto_forwarders=True
ipaadmin_password=Secret123
ipadm_password=Secret123

[ipareplicas]
replica.idm.example.com

[ipareplicas:vars]
ipareplica_setup_dns=true
ipareplica_auto_forwarders=true
ipaadmin_password=Secret123
ipareplica_servers=server.idm.example.com

[ipaclients]
client.idm.example.com

[ipaclients:vars]
ipaadmin_password=Secret123
ipaclient_domain=idm.example.com
ipaclient_configure_dns_resolver=true
ipaclient_dns_servers=192.168.122.1
ipaclient_servers=server.idm.example.com
    Copy to Clipboard Toggle word wrap

  4. Create an install-cluster.yml file with the following content: 

    ---
- name: Play to configure IPA server
  hosts: ipaserver
  become: true
  roles:
  - role: freeipa.ansible_freeipa.ipaserver
    state: present

- name: Play to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  roles:
  - role: freeipa.ansible_freeipa.ipaclient
    state: present

- name: Play to configure IPA replicas
  hosts: ipareplicas
  serial: 1
  become: true
  roles:
  - role: freeipa.ansible_freeipa.ipareplica
    state: present
    Copy to Clipboard Toggle word wrap

    The playbook contains three plays:

    • The first one installs the primary IdM server.
    • The second one installs an IdM client.
    • The third one installs an IdM replica. The serial: 1 directive instructs Ansible to deploy only one replica at a time against the same IdM server.

  5. Using root privileges, install the ansible-freeipa collection: 

    [root@controller]# dnf install ansible-freeipa
    Copy to Clipboard Toggle word wrap 
    [...]
Transaction Summary
========================================================================================================================================================================
Install  11 Packages
Total download size: 9.8 M
Installed size: 42 M
Is this ok [y/N]: y
[...]
    Copy to Clipboard Toggle word wrap

Learn how to prepare your virtual machines as Ansible managed nodes so that they can be used for the installation of an IdM deployment.

Prerequisites

Procedure

  1. Install the root user’s SSH public key on to the root account on the server managed node:

    1. Log in to the control node as root, and copy the SSH public key to the root account on server: 

      [root@controller]$ ssh-copy-id root@server.idm.example.com
      Copy to Clipboard Toggle word wrap 
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ansible/.ssh/id_rsa.pub"
The authenticity of host 'server.idm.example.com (192.168.122.42)' can't be established.
ECDSA key fingerprint is SHA256:9bZ33GJNODK3zbNhybokN/6Mq7hu3vpBXDrCxe7NAvo.
      Copy to Clipboard Toggle word wrap

    2. When prompted, connect by entering yes: 

      Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
      Copy to Clipboard Toggle word wrap 
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
      Copy to Clipboard Toggle word wrap

    3. When prompted, enter the password of root on server: 

      root@server.idm.example.com's password: 1234
      Copy to Clipboard Toggle word wrap 
      Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@server.idm.example.com'"
and check to make sure that only the key(s) you wanted were added.
      Copy to Clipboard Toggle word wrap

    4. Verify the SSH connection by remotely executing a command on server: 

      [root@controller]$ ssh root@server.idm.example.com whoami
      Copy to Clipboard Toggle word wrap 
      root
      Copy to Clipboard Toggle word wrap
  2. Repeat on all the other managed nodes, replica and client.

Verification

  1. Verify that you can execute commands from the control node on an all managed nodes: 

    [root@controller]$ ansible all -m ping
    Copy to Clipboard Toggle word wrap 
    BECOME password:
client.idm.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
server.idm.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
replica.idm.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
    Copy to Clipboard Toggle word wrap

    The hard-coded all group dynamically contains all hosts listed in the inventory file.

  2. Verify that privilege escalation works correctly. Use the Ansible command module to run the whoami utility on all managed nodes: 

    [root@controller]$ ansible all -m command -a whoami
    Copy to Clipboard Toggle word wrap 
    BECOME password: <password>
client.idm.example.com | CHANGED | rc=0 >>
root
server.idm.example.com | CHANGED | rc=0 >>
root
replica.idm.example.com | CHANGED | rc=0 >>
root
    Copy to Clipboard Toggle word wrap

    If the command returns root, you configured sudo on the managed nodes correctly.

12.1.4. Installing an IdM cluster in a virtual machine
Copier lien

Learn how to install the IdM primary server, client and replica on your virtual machines by using a single Ansible command on the control node.

Prerequisites

Procedure

  • Install the IdM cluster: 

    [root@controller]$ ansible-playbook -i inventory -vv install-cluster.yml
    Copy to Clipboard Toggle word wrap
    Important

    If you encounter recurring errors when installing the server, client, or replica, it’s best to wipe the host and perform a clean reinstallation rather than attempt to troubleshoot a failed setup.

12.2.1. Accessing the IdM Web UI in a PoC setup
Copier lien

Learn how to log in to the IdM Web UI with a password for the first time.

Procedure

  1. Type the URL of the IdM server or replica into the browser address bar: 

    https://replica.idm.example.com
    Copy to Clipboard Toggle word wrap

    This opens the IdM Web UI login screen in your browser.

    Screenshot of the IdM Web UI accessed within a web browser displaying a "Username" field and a "Password" field. There is a blue "Log in" button below and to the right of those two fields.

  2. On the Web UI login screen, enter the admin in to the Login field. Enter Secret123 in to the Password field.

    A Screenshot of the IdM Web UI with the "Username" field filled in with "admin" and the "Password" field displays several black circles obfuscating the password by replacing the characters tat were typed in.

  3. Click Log in.

    After the successful login, you can start configuring the IdM server.

Learn how to use the IdM Web UI to add an IdM user and set the IdM user password.

Procedure

  1. Log in to the IdM Web UI as IdM admin. For details, see Accessing the IdM Web UI in a PoC setup.
  2. Go to Users Active Users tab.
  3. Click the + Add icon.

  4. Optional: In the User login field, add a login name, for example idmuser01.

    If you leave it empty, the IdM server creates the login name in the following pattern: The first letter of the first name and the surname. The whole login name can have up to 32 characters.

  5. Enter First name and Last name of the new user, for example Alice and Acme.

  6. Optional: In the Password and Verify password fields, enter the user password and confirm it, ensuring they both match.

    This is an initial, temporary password. The user will be asked to reset the password at the first login.

  7. Click the Add button.

    At this point, you can see the user account in the Active Users table.

    If you click on the user name, you can edit advanced settings, such as adding a phone number, address, or occupation.

Automating user management with Ansible is more efficient than using the Web UI approach described in Adding an IdM user using an Ansible playbook in a PoC setup.

Learn how to use a single Ansible playbook to add multiple IdM users. Because of Ansible idempotence, if any of the users already exists in IdM, the script skips them.

Prerequisites

  • You are logged in to controller.idm.example.com as the ansible user.

Procedure

  1. In your ~/MyPlaybooks directory, create an add-multiple-users.yml Ansible playbook file with the data of the users whose presence you want to ensure in IdM, for example: 

    ---
- name: Playbook to handle users
  hosts: ipaserver

  tasks:
  - name: Create user idm_users
    freeipa.ansible_freeipa.ipauser:
      ipaadmin_password: Secret123
      users:
      - name: idmuser01
        first: Alice
        last: Acme
        password: "Password123"
      - name: idmuser03
        first: Bob
        last: Acme
        password: "RedHat123&"
    Copy to Clipboard Toggle word wrap

    You must use the following options to add a user:

    • name: the login name
    • first: the first name string
    • last: the last name string

    The rest is optional.

    You can see the full list of available user options in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-user.md Markdown file.

  2. [Optional] Clear the SSSD cache to improve the performance of the ansible-playbook command: 

    $ sudo sss_cache -E
    Copy to Clipboard Toggle word wrap 
    [sudo] password for ansible:
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook -i inventory add-multiple-users.yml
    Copy to Clipboard Toggle word wrap

Next steps

  1. Log into the IdM Web UI as idmuser01:

    1. Use "Password123", the temporary password configured by the Ansible script above, as idmuser01 password.
    2. Set a new password.
  2. Repeat for idmuser03.

Additional resources

12.2.4. Host-based access control rules in IdM
Copier lien

Host-based access control (HBAC) rules define which users or user groups can access which hosts or host groups by using which services or services in a service group. As a system administrator, you can use HBAC rules to achieve the following goals:

  • Limit access to a specified system in your domain to members of a specific user group.
  • Allow only a specific service to be used to access systems in your domain.

By default, IdM is configured with a default HBAC rule named allow_all, which means universal access to every host for every user via every relevant service in the entire IdM domain.

You can fine-tune access to different hosts by replacing the default allow_all rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.

Learn how to use the Identity Management (IdM) Web UI to define a host-based access rule (HBAC) rule to allow a set of RHEL IdM users to access IdM clients using the SSH protocol. The example below describes how to:

  • Enable the IdM user idmuser01 to access an IdM client client.idm.example.com remotely by using the SSH protocol.
  • Disable the IdM user idmuser03 from using the SSH protocol to access the IdM client client.idm.example.com.

Prerequisites

Procedure

  1. Create and customize the allow_remote_access rule:

    1. Navigate to Policy > Host Based Access Control > HBAC Rules and then click Add. Set allow_remote_access as the name of the rule and click Add and Edit.
    2. In the Who section, verify that Specified Users and Groups is selected, and then click Add. Select the idmuser01 user, and then click > to move the user to the Prospective column. Click Add.
    3. In the Accessing section, verify that Specified Hosts and Groups is selected, and then click Add. Select the client.idm.example.com machine and click > to move it to the Prospective column. Click Add.
    4. In the Via Service section, verify that Specified Services and Groups is selected, and then click Add. Select the ftp, sshd, and vsftpd services from the Available column and click > to move them to the Prospective column. Click Add.
    5. Return to the HBAC rules list by clicking HBAC Rules at the top of the window.

  2. For security reasons, modify the allow_all rule so that only IdM admins have universal access to every host via every relevant service in the entire IdM domain:

    1. Navigate to Policy > Host Based Access Control > HBAC Rules.
    2. Click the allow_all rule.
    3. In the Who section, verify that Specified Users and Groups is selected, and then click Add. Select the admins group, and then click > to move it to the Prospective column. Click Add.

Verification

  1. Navigate to Policy > Host Based Access Control > HBAC Test. Select the parameters of the test according to the following table:

    Expand
    ListSelect

    WHO

    idmuser03

    ACCESSING

    client.idm.example.com

    VIA SERVICE

    sshd

    RULES

    allow_remote_access

  2. On the Run Test tab, click Run Test to run the simulation. On the right side of the Run Test tab, the console shows an ACCESS DENIED message because the idmuser03 user is not a member of the HBAC rule.

  3. Now select the test parameters according to the following table:

    Expand
    ListSelect

    WHO

    idmuser01

    ACCESSING

    client.idm.example.com

    VIA SERVICE

    sshd

    RULES

    allow_remote_access

  4. On the Run Test tab, click Run Test to run the simulation. On the right side of the Run Test tab, the console shows an ACCESS GRANTED message because the idmuser01 user is a member of the HBAC rule.

  5. Open a terminal and log in to the client machine as the idmuser03 user. The connection fails because the user is not a member of the rule: 

    $ ssh idmuser03@client
Connection closed by 172.25.250.11 port 22
    Copy to Clipboard Toggle word wrap

  6. Try to log in to the client machine as the idmuser01 user. The connection is successful because the user is a member of the rule: 

    $ ssh idmuser01@client
...output omitted...
[idmuser01@client /]$*
    Copy to Clipboard Toggle word wrap

Automating host-based access control configuration with Ansible is more efficient than using the Web UI approach described in Adding multiple IdM users by using an Ansible playbook in a PoC setup.

Learn how to ensure the presence of a host-based access control (HBAC) rule in Identity Management (IdM) using an Ansible playbook. The example below describes how to:

  • Enable the IdM user idmuser01 to access an IdM client client.idm.example.com remotely by using the SSH protocol.
  • Disable the IdM user idmuser03 from using the SSH protocol to access the IdM client client.idm.example.com.

Prerequisites

Procedure

  1. In your ~/MyPlaybooks/ directory, create an ensure-new-hbacrule-present.yml Ansible playbook file with the content below that defines the desired HBAC policy: 

    ---
- name: Playbook to handle hbacrules
  hosts: ipaserver

  tasks:
  # Ensure idmuser01 can access client.idm.example.com via the sshd service
  - freeipa.ansible_freeipa.ipahbacrule:
      ipaadmin_password: Secret123
      name: allow_remote_access
      user: idmuser01
      host: client.idm.example.com
      hbacsvc:
      - sshd
      state: present
  # Ensure allow_all rule is modified so that only admins are members
  - freeipa.ansible_freeipa.ipahbacrule:
      ipaadmin_password: Secret123
      name: allow_all
      group: admins
      usercat: ""
    Copy to Clipboard Toggle word wrap

    If an HBAC rule already exists and you are only modifying it, you must set the action option to member. Otherwise the playbook fails. In the example, the Ensure allow_all rule is modified so that only admins are members task modifies the allow_all built-in rule, and therefore, requires action: member.

    Tip

    To avoid writing your HBAC-related playbooks from scratch, you can copy and modify the sample playbooks in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/hbacrule/ directory.

    These samples correspond to the freeipa_hbacsvc, freeipa_hbacsvcgroup, and freeipa_hbacrule modules, for which you can find README files in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa directory.

  2. Run the playbook: 

    $ ansible-playbook -i inventory ensure-new-hbacrule-present.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in to the IdM Web UI as IdM admin. In the Password field, enter Secret123.

  2. Navigate to Policy > Host Based Access Control > HBAC Test. Select the parameters of the test according to the following table:

    Expand
    ListSelect

    WHO

    idmuser03

    ACCESSING

    client.idm.example.com

    VIA SERVICE

    sshd

    RULES

    allow_remote_access

  3. On the Run Test tab, click Run Test to run the simulation. On the right side of the Run Test tab, the console shows an ACCESS DENIED message because the idmuser03 user is not a member of the HBAC rule.

  4. Now select the test parameters according to the following table:

    Expand
    ListSelect

    WHO

    idmuser01

    ACCESSING

    client.idm.example.com

    VIA SERVICE

    sshd

    RULES

    allow_remote_access

  5. On the Run Test tab, click Run Test to run the simulation. On the right side of the Run Test tab, the console shows an ACCESS GRANTED message because the idmuser01 user is a member of the HBAC rule.

  6. Open a terminal and log in to the client machine as the idmuser03 user. The connection fails because the user is not a member of the rule: 

    $ ssh idmuser03@client
(idmuser03@client) Password: RedHat123&
Connection closed by 172.25.250.11 port 22
    Copy to Clipboard Toggle word wrap

  7. Try to log in to the client machine as the idmuser01 user. The connection is successful because the user is a member of the rule: 

    $ ssh idmuser01@client
(idmuser01@client) Password: Password123
...output omitted...
[idmuser01@client /]$*
    Copy to Clipboard Toggle word wrap

12.2.7. Role-based access control in RHEL IdM
Copier lien

Learn more about role-based access control (RBAC) in Identity Management (IdM). RBAC is a security feature that restricts access to authorized users. You can define roles with specific permissions and then assign those roles to users.

Role-based access control is composed of three parts:

  • Permissions grant the right to perform a specific task such as adding or deleting users, modifying a group, and enabling read-access.
  • Privileges combine permissions, for example all the permissions needed to add a new user.
  • Roles grant a set of privileges to users, user groups, hosts or host groups.

The built-in Group Administrators privilege in RHEL Identity Management (IdM) contains the following permissions:

  • Add Groups
  • Modify External Group Membership
  • Modify Group Membership
  • Modify Groups
  • Remove Groups

Learn how to use the IdM Web UI to assign a role that grants the Group Administrator privilege to the IdM user idmuser01. As a result, idmuser01 can add the idmuser03 to the built-in editors group.

Prerequisites

Procedure

  1. Log in as IdM admin to the IdM Web UI.

  2. Create the groupadmin role:

    1. Navigate to IPA Server > Role-Based Access Control > Roles and then click Add.
    2. In the Role name field, enter groupadmin. In the Description field, enter Group Administrator. Click Add and Edit.

  3. Add the idmuser01 user to the role:

    1. On the Role: groupadmin page, ensure that you are on the Users tab, and click Add.
    2. In the Add users into role 'groupadmin' window, check the box next to idmuser01 and click > to move the user from the Available to the Prospective column.
    3. Click Add.

  4. Add the Group Administrators privilege to the role:

    1. On the Role: groupadmin page, ensure that you are on the Privileges tab, and click Add.
    2. In the Add role 'groupadmin' into privileges window, check the box next to Group Administrators and click > to move the user from the Available to the Prospective column.
    3. Click Add.

Verification

  1. Verify that idmuser01 is assigned to the groupadmin role:

    1. In the IdM Web UI, navigate as IdM admin to Identity > Users.
    2. Click idmuser01.

    3. Click Roles.

      You can see that groupadmin is listed among the roles.

  2. Verify that idmuser01 can assign group membership to idmuser03:

    1. Log in to the IdM Web UI as idmuser01.
    2. Navigate to Identity > Users.
    3. Click idmuser03.
    4. Click User Groups.
    5. Click Add.

    6. Select the editors group and then click > to move it to the Prospective column. Click Add.

      In the user profile, you can now see that idmuser03 is a member of the editors group.

Additional resources

Automating role-based access control configuration with Ansible is more efficient than using the Web UI approach described in Enabling an IdM user to manage IdM groups and group membership using the IdM Web UI in the PoC setup.

Learn how to use the role ansible-freeipa module in an Ansible playbook to assign a role that grants the IdM user idmuser01 the same Group Administrator privilege as configured using the Web UI method. As a result, idmuser01 can add the idmuser03 to the built-in editors group.

Prerequisites

Procedure

  1. In your ~/MyPlaybooks/ directory, create an assign-group-administrator-privilege-to-idmuser01.yml Ansible playbook file with the content below that defines the desired RBAC policy: 

    ---
- name: Make idmuser01 a member of an RBAC role that contains the Group Administrators privilege
  hosts: ipaserver

  tasks:
  - name: Create the groupadmin role
    freeipa.ansible_freeipa.iparole:
      ipaadmin_password: Secret123
      name: groupadmin
      user:
      - idmuser01
      privilege:
      - Group Administrators
      state: present
    Copy to Clipboard Toggle word wrap

    You can see the full list of available options in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-role.md file.

  2. Run the playbook: 

    $ ansible-playbook -i inventory assign-group-administrator-privilege-to-idmuser01.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that idmuser01 is assigned to the groupadmin role:

    1. In the IdM Web UI, navigate as IdM admin to Identity > Users.
    2. Click idmuser01.

    3. Click Roles.

      You can see that groupadmin is listed among the roles.

  2. Verify that idmuser01 can assign group membership to idmuser03:

    1. Log in to the IdM Web UI as idmuser01.
    2. Navigate to Identity > Users.
    3. Click idmuser03.
    4. Click User Groups.
    5. Click Add.

    6. Select the editors group and then click > to move it to the Prospective column. Click Add.

      In the user profile, you can now see that idmuser03 is a member of the editors group.

12.2.10. Sudo access on an IdM client
Copier lien

System administrators can grant sudo access to allow non-root users to execute administrative commands that are normally reserved for the root user. Consequently, when users need to perform an administrative command normally reserved for the root user, they precede that command with sudo. After entering their password, the command is executed as if they were the root user. To execute a sudo command as another user or group, such as a database service account, you can configure a RunAs alias for a sudo rule.

If a Red Hat Enterprise Linux (RHEL) host is enrolled as an Identity Management (IdM) client, you can specify sudo rules defining which IdM users can perform which commands on the host in the following ways:

  • Locally in the /etc/sudoers file
  • Centrally in IdM

You can create a central sudo rule for an IdM client using the command line (CLI) and the IdM Web UI.

You can also configure password-less authentication for sudo using the Generic Security Service Application Programming Interface (GSSAPI), the native way for UNIX-based operating systems to access and authenticate Kerberos services. You can use the pam_sss_gss.so Pluggable Authentication Module (PAM) to invoke GSSAPI authentication via the SSSD service, allowing users to authenticate to the sudo command with a valid Kerberos ticket.

In Identity Management (IdM), you can grant sudo access for a specific command to an IdM user account on a specific IdM host. First, add a sudo command and then create a sudo rule for one or more commands.

Complete this procedure to create the idmuser01_reboot sudo rule to grant the idmuser01 account the permission to run the /usr/sbin/reboot command on the client.idm.example.com machine, or client.

Prerequisites

  • You are logged in to the IdM Web UI as admin.
  • You have created a user account for idmuser01 in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the command line, see Adding users using the command line.
  • No local idmuser01 account is present on the client host. The idmuser01 user is not listed in the local /etc/passwd file.
  • The client.idm.example.com host exists in IdM.

Procedure

  1. Add the /usr/sbin/reboot command to the IdM database of sudo commands:

    1. Navigate to Policy Sudo Sudo Commands.
    2. Click Add in the upper right corner to open the Add sudo command dialog box.

    3. Enter the command you want the user to be able to perform using sudo: /usr/sbin/reboot.

      A screenshot of a pop-up window labeled
      View larger image
      A screenshot of a pop-up window labeled
    4. Click Add.

  2. Use the new sudo command entry to create a sudo rule to allow idmuser01 to reboot the client machine:

    1. Navigate to Policy Sudo Sudo rules.
    2. Click Add in the upper right corner to open the Add sudo rule dialog box.
    3. Enter the name of the sudo rule: idmuser01_reboot.
    4. Click Add and Edit.

    5. Specify the user:

      1. In the Who section, check the Specified Users and Groups radio button.
      2. In the User category the rule applies to subsection, click Add to open the Add users into sudo rule "idmuser01_reboot" dialog box.
      3. In the Add users into sudo rule "idmuser01_reboot" dialog box in the Available column, check the idmuser01 checkbox, and move it to the Prospective column.
      4. Click Add.

    6. Specify the host:

      1. In the Access this host section, check the Specified Hosts and Groups radio button.
      2. In the Host category this rule applies to subsection, click Add to open the Add hosts into sudo rule "idmuser01_reboot" dialog box.
      3. In the Add hosts into sudo rule "idmuser01_reboot" dialog box in the Available column, check the client.idm.example.com checkbox, and move it to the Prospective column.
      4. Click Add.

    7. Specify the commands:

      1. In the Command category the rule applies to subsection of the Run Commands section, check the Specified Commands and Groups radio button.
      2. In the Sudo Allow Commands subsection, click Add to open the Add allow sudo commands into sudo rule "idmuser01_reboot" dialog box.
      3. In the Add allow sudo commands into sudo rule "idmuser01_reboot" dialog box in the Available column, check the /usr/sbin/reboot checkbox, and move it to the Prospective column.
      4. Click Add to return to the idm_sudo_reboot page.

      Figure 12.1. Adding IdM sudo rule

      A screenshot of an overview of the sudo rule that was added. There is a
      View larger image
      A screenshot of an overview of the sudo rule that was added. There is a

    8. Click Save in the top left corner.

      The new rule is enabled by default.

    Note

    Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to client as idmuser01.

  2. Reboot the machine using sudo. Enter the password for idmuser01 when prompted: 

    $ sudo /usr/sbin/reboot
[sudo] password for idmuser01:
    Copy to Clipboard Toggle word wrap

If the sudo rule is configured correctly, the machine reboots.

Learn how to use a single Ansible playbook to grant sudo access for a specific command to an IdM user account on a specific IdM host.First, add a sudo command and then create a sudo rule for one or more commands.

Complete this procedure to create the idmuser01_reboot sudo rule to grant the idmuser01 account the permission to run the /usr/sbin/reboot command on the client.idm.example.com machine, or client.

Prerequisites

  • You are logged in to controller.idm.example.com as the ansible user.

Procedure

  1. In your ~/MyPlaybooks directory, create an add-sudo-rule.yml Ansible playbook file with the parameters of the sudo rule, for example: 

    ---
- name: Playbook to handle SUDO rules
  hosts: ipaserver
  tasks:
  - name: Add reboot to sudo commands
    freeipa.ansible_freeipa.ipasudocmd:
      ipaadmin_password: Secret123
      name: /usr/sbin/reboot
      state: present
  - name: Create a sudo rule idmuser01_reboot
    freeipa.ansible_freeipa.ipasudorule:
      name: idmuser01_reboot
      ipaadmin_password: Secret123
  - name: Modify the idmuser01_reboot sudo rule by adding reboot command and idmuser01
    freeipa.ansible_freeipa.ipasudorule:
      ipaadmin_password: Secret123
      name: idmuser01_reboot
      allow_sudocmd:
        - /usr/sbin/reboot
      user:
        - idmuser01
      action: member
    Copy to Clipboard Toggle word wrap

    If a sudo rule already exists and you are only modifying it, you must set the action option to member. Otherwise the playbook fails. In the example, the Modify the idmuser01_reboot sudo rule by adding reboot command and idmuser01 task modifies the rule that the Create a sudo rule idmuser01_reboot task created previously, and therefore, requires action: member.

    You can see the full list of available options in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-sudocmd.md and …​/README-sudorule.md files.

  2. Run the playbook: 

    $ ansible-playbook -i inventory add-sudo-rule.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in to client as idmuser01.

  2. Reboot the machine using sudo. Enter the password for idmuser01 when prompted: 

    $ sudo /usr/sbin/reboot
[sudo] password for idmuser01:
    Copy to Clipboard Toggle word wrap

If the sudo rule is configured correctly, the machine reboots.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red Hat