Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 26. Identity Management
Identity Management (IdM) provides a unifying environment for standards-defined, common network services, including PAM, LDAP, Kerberos, DNS, NTP, and certificate services. IdM allows Red Hat Enterprise Linux systems to serve as domain controllers.[25]
In Red Hat Enterprise Linux, the ipa-server package provides the IdM server. Enter the following command to see if the ipa-server package is installed:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
If it is not installed, enter the following command as the root user to install it:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
rpm -q ipa-server
~]$ rpm -q ipa-server
package ipa-server is not installedyum install ipa-server
~]# yum install ipa-server26.1. Identity Management and SELinux
Copier lienLien copié sur presse-papiers!
Identity Management can map IdM users to configured SELinux roles per host so that it is possible to specify SELinux context for IdM access rights. During the user login process, the System Security Services Daemon (
SSSD) queries the access rights defined for a particular IdM user. Then the pam_selinux module sends a request to the kernel to launch the user process with the proper SELinux context according to the IdM access rights, for example guest_u:guest_r:guest_t:s0.
For more information about Identity Management and SELinux, see the Linux Domain, Identity, Authentication, and Policy Guide for Red Hat Enterprise Linux 7.
26.1.1. Trust to Active Directory Domains
Copier lienLien copié sur presse-papiers!
In previous versions of Red Hat Enterprise Linux, Identity Management used the
WinSync utility to allow users from Active Directory (AD) domains to access data stored on IdM domains. To do that, WinSync had to replicate the user and group data from the AD server to the local server and kept the data synchronized.
In Red Hat Enterprise Linux 7, the
SSSD daemon has been enhanced to work with AD and users are able to create a trusted relationship between IdM and AD domains. The user and group data are read directly from the AD server. Additionally, Kerberos cross-realm trust allowing single sign-on (SSO) authentication between the AD and IdM domains is provided. If SSO is set, users from the AD domains can access data protected by Kerberos that is stored on the IdM domains without requiring a password.
This feature is not installed by default. To use it, install the additional ipa-server-trust-ad package.
[25]
For more information about Identity Management, see the Linux Domain, Identity, Authentication, and Policy Guide for Red Hat Enterprise Linux 7.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}