Chapter 2. Viewing, starting and stopping the Identity Management services


Monitor Identity Management (IdM) services to ensure domain availability and to apply any changes you make to the system. By using the systemctl and ipactl utilities, you can verify service status, restart components after manual configuration changes, and recover from system interruptions.

2.1. Overview of IdM server and client services

Identify the core system services that run on Identity Management (IdM) servers and clients. Understand the relationship between IdM functions, such as authentication, directory storage, and certificate management, and their corresponding system daemons.

2.1.1. List of services hosted by IdM servers

Most of the following services are not strictly required to be installed on the IdM server. For example, you can install services such as a certificate authority (CA) or DNS server on an external server outside the IdM domain.

  • Kerberos: The krb5kdc and kadmin services.

IdM uses the Kerberos protocol to support single sign-on. With Kerberos, users only need to present the correct username and password once and can access IdM services without the system prompting for credentials again.

Kerberos is divided into two parts:

  • The krb5kdc service is the Kerberos Authentication service and Key Distribution Center (KDC) daemon.
  • The kadmin service is the Kerberos database administration program.

For information about how to authenticate using Kerberos in IdM, see Logging in to Identity Management from the command line and Logging in to IdM in the Web UI: Using a Kerberos ticket.

  • LDAP directory server: The dirsrv service.

The IdM LDAP directory server instance stores all IdM information, such as information related to Kerberos, user accounts, host entries, services, policies, DNS, and others. The LDAP directory server instance is based on the same technology as Red Hat Directory Server. However, it is tuned to IdM-specific tasks.

  • Certificate Authority: The pki-tomcatd service.

The integrated certificate authority (CA) is based on the same technology as Red Hat Certificate System. pki is the command line for accessing Certificate System services.

You can also install the server without the integrated CA if you create and provide all required certificates independently.

For more information, see Planning your CA services.

  • Domain Name System (DNS): The named service.

IdM uses DNS for dynamic service discovery. The IdM client installation utility can use information from DNS to automatically configure the client machine. After the client is enrolled in the IdM domain, it uses DNS to locate IdM servers and services within the domain. The BIND (Berkeley Internet Name Domain) implementation of the DNS (Domain Name System) protocols in Red Hat Enterprise Linux includes the named DNS server.

For information, see Planning your DNS services and host names.

  • Apache HTTP Server: The httpd service.

The Apache HTTP web server provides the IdM Web UI, and also manages communication between the Certificate Authority and other IdM services.

  • Samba / Winbind: The smb and winbind services.

Samba implements the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol, in Red Hat Enterprise Linux. Via the smb service, the SMB protocol enables you to access resources on a server, such as file shares and shared printers. If you have configured a Trust with an Active Directory (AD) environment, the Winbind service manages communication between IdM servers and AD servers.

  • One-time password (OTP) authentication: The ipa-otpd services.

One-time passwords (OTP) are passwords that are generated by an authentication token for only one session, as part of two-factor authentication. OTP authentication is implemented in Red Hat Enterprise Linux via the ipa-otpd service.

For more information, see Logging in to the Identity Management Web UI using one time passwords.

  • OpenDNSSEC: The ipa-dnskeysyncd service.

OpenDNSSEC is a DNS manager that automates the process of keeping track of DNS security extensions (DNSSEC) keys and the signing of zones. The ipa-dnskeysyncd service manages synchronization between the IdM Directory Server and OpenDNSSEC.

Note

DNSSEC is only available as Technology Preview in IdM.

2.1.2. List of services hosted by IdM clients

  • System Security Services Daemon: The sssd service.

The System Security Services Daemon (SSSD) is the client-side application that manages user authentication and caching credentials. Caching enables the local system to continue normal authentication operations if the IdM server becomes unavailable or if the client goes offline.

For more information, see Understanding SSSD and its benefits.

  • Certmonger: The certmonger service.

The certmonger service monitors and renews the certificates on the client. It can request new certificates for the services on the system.

For more information, see Obtaining an IdM certificate for a service using certmonger.

2.2. Viewing the status of IdM services

Verify the operational state of Identity Management (IdM) components by using the ipactl utility. Monitoring these services ensures that core domain functions, such as authentication and directory lookups, are active and responding to requests.

Procedure

  • To view the status of the IdM services that are configured on your IdM server, run the ipactl status command:

    [root@server ~]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    smb Service: RUNNING
    winbind Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

    The output of the ipactl status command on your server depends on your IdM configuration. For example, if an IdM deployment does not include a DNS server, the named service is not present in the list.

    Note

    You cannot use the IdM web UI to view the status of all the IdM services running on a particular IdM server. Kerberized services running on different servers can be viewed in the Identity Services tab of the IdM web UI.
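A monitoring check built on the `ipactl status` output shown above, as an added example that is not part of the Red Hat documentation. The function names `ipa_check` and `sample_status` are hypothetical, and the sample output, including the `STOPPED` state, is constructed.

```shell
#!/bin/sh
# Added example (not from the IdM documentation). ipa_check and sample_status
# are hypothetical helper names.

# Read `ipactl status` output on stdin and print "<name>: <STATE>" for every
# service that is not RUNNING. Exit status: 0 = all RUNNING, 1 = at least one
# service not RUNNING, 2 = no service lines at all (ipactl itself failed or
# the output format was not recognised), so an empty report never reads as OK.
ipa_check() {
    awk '
        / Service: / {
            seen++
            n = index($0, " Service: ")
            name = substr($0, 1, n - 1)
            state = substr($0, n + 10)      # 10 = length of " Service: "
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", state)
            if (state != "RUNNING") { bad++; print name ": " state }
        }
        END {
            if (seen == 0) { print "no service lines found"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample output: two services shown as STOPPED for illustration.
sample_status() {
    cat <<'EOF'
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful
EOF
}

# Demo on the sample; on a server use: ipactl status 2>&1 | ipa_check
sample_status | ipa_check || echo "ipa_check exit status: $?"
```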

2.3. Starting and stopping the entire Identity Management server

Use the ipa systemd service to stop, start, or restart the entire IdM server along with all the installed services. Using the systemctl utility to control the ipa systemd service ensures all services are stopped, started, or restarted in the appropriate order.

The ipa systemd service also upgrades the RHEL IdM configuration before starting the IdM services, and it uses the proper SELinux contexts when administering IdM services. You do not need to have a valid Kerberos ticket to run the systemctl ipa commands.

Important
  • Do not directly use the ipactl utility to start, stop, or restart IdM services. Use the systemctl ipa commands instead, which call the ipactl utility in a predictable environment.
  • You cannot use the IdM web UI to perform the ipactl commands.

Procedure

  • To start the entire IdM server:

    # systemctl start ipa
  • To stop the entire IdM server:

    # systemctl stop ipa
  • To restart the entire IdM server:

    # systemctl restart ipa

Verification

  • To show the status of all the IdM services, use the ipactl utility:

    # ipactl status

2.4. Starting and stopping an individual Identity Management service

Manage individual Identity Management (IdM) services when troubleshooting or applying manual configuration updates. While most administrative tasks are handled through the IdM tools, specific scenarios, such as tuning the System Security Services Daemon (SSSD), might require manual configuration. In such situations, you must stop, start, or restart an individual service to ensure the system recognizes and applies your configuration changes.

Important

To restart multiple IdM domain services, always use systemctl restart ipa. Because of dependencies between the services installed with the IdM server, the order in which they are started and stopped is critical. The ipa systemd service ensures that the services are started and stopped in the appropriate order.

Procedure

  • To start a particular IdM service:

    # systemctl start <name>.service
  • To stop a particular IdM service:

    # systemctl stop <name>.service
    Important

    You cannot use the IdM web UI to start or stop the individual services running on IdM servers. You can only use the web UI to modify the settings of a Kerberized service by navigating to Identity Services and selecting the service.

  • To restart a particular IdM service:

    # systemctl restart <name>.service

    For example, to apply the changes you have made in the /etc/sssd/sssd.conf file:

    # systemctl restart sssd.service

    Note that for changes that affect IdM identity ranges, a complete server reboot is recommended.

Verification

  • To view the status of a particular IdM service:

    # systemctl status <name>.service

2.5. Displaying IdM software version

Identify the version of your Identity Management (IdM) installation to ensure compatibility with client systems or to provide technical details during troubleshooting.

You can display the IdM version number with:

  • The IdM WebUI
  • ipa commands
  • rpm commands

Procedure

  • To view the version through the Web UI, select About from the user menu in the upper-right corner.

  • To display the version from the command line, use the ipa --version command:

    [root@server ~]# ipa --version
    VERSION: 4.8.0, API_VERSION: 2.233
  • To display the version when IdM services are not operating properly, use the rpm utility to determine the version number of the ipa-server package that is currently installed:

    [root@server ~]# rpm -q ipa-server
    ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64