Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 50. Enabling authentication using AD User Principal Names in IdM

50.1. User principal names in an AD forest trusted by IdM
Copiar o link

As an Identity Management (IdM) administrator, you can allow AD users to use alternative User Principal Names (UPNs) to access resources in the IdM domain. A UPN is an alternative user login that AD users authenticate with in the format of user_name@KERBEROS-REALM. As an AD administrator, you can set alternative values for both user_name and KERBEROS-REALM, since you can configure both additional Kerberos aliases and UPN suffixes in an AD forest.

For example, if a company uses the Kerberos realm AD.EXAMPLE.COM, the default UPN for a user is user@ad.example.com. To allow your users to log in using their email addresses, for example user@example.com, you can configure EXAMPLE.COM as an alternative UPN in AD. Alternative UPNs (also known as enterprise UPNs) are especially convenient if your company has recently experienced a merge and you want to provide your users with a unified logon namespace.

UPN suffixes are only visible for IdM when defined in the AD forest root. As an AD administrator, you can define UPNs with the Active Directory Domain and Trust utility or the PowerShell command line tool.

Note

To configure UPN suffixes for users, Red Hat recommends to use tools that perform error validation, such as the Active Directory Domain and Trust utility.

Red Hat recommends against configuring UPNs through low-level modifications, such as using ldapmodify commands to set the userPrincipalName attribute for users, because Active Directory does not validate those operations.

After you define a new UPN on the AD side, run the ipa trust-fetch-domains command on an IdM server to retrieve the updated UPNs. See Ensuring that AD UPNs are up-to-date in IdM.

IdM stores the UPN suffixes for a domain in the multi-value attribute ipaNTAdditionalSuffixes of the subtree cn=trusted_domain_name,cn=ad,cn=trusts,dc=idm,dc=example,dc=com.

50.2. Ensuring that AD UPNs are up-to-date in IdM
Copiar o link

After you add or remove a User Principal Name (UPN) suffix in a trusted Active Directory (AD) forest, refresh the information for the trusted forest on an IdM server.

Prerequisites

  • IdM administrator credentials.

Procedure

  • Enter the ipa trust-fetch-domains command. Note that a seemingly empty output is expected: 

    [root@ipaserver ~]# ipa trust-fetch-domains
Realm-Name: ad.example.com
-------------------------------
No new trust domains were found
-------------------------------
----------------------------
Number of entries returned 0
----------------------------
    Copy to Clipboard Toggle word wrap

Verification

  • Enter the ipa trust-show command to verify that the server has fetched the new UPN. Specify the name of the AD realm when prompted: 

    [root@ipaserver ~]# ipa trust-show
Realm-Name: ad.example.com
  Realm-Name: ad.example.com
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-796215754-1239681026-23416912
  Trust direction: One-way trust
  Trust type: Active Directory domain
  UPN suffixes: example.com
    Copy to Clipboard Toggle word wrap

    The output shows that the example.com UPN suffix is now part of the ad.example.com realm entry.

50.3. Gathering troubleshooting data for AD UPN authentication issues
Copiar o link

Follow this procedure to gather troubleshooting data about the User Principal Name (UPN) configuration from your Active Directory (AD) environment and your IdM environment. If your AD users are unable to log in using alternate UPNs, you can use this information to narrow your troubleshooting efforts.

Prerequisites

  • You must be logged in to an IdM Trust Controller or Trust Agent to retrieve information from an AD domain controller.
  • You need root permissions to modify the following configuration files, and to restart IdM services.

Procedure

  1. Open the /usr/share/ipa/smb.conf.empty configuration file in a text editor.

  2. Add the following contents to the file. 

    [global]
log level = 10
    Copy to Clipboard Toggle word wrap
  3. Save and close the /usr/share/ipa/smb.conf.empty file.
  4. Open the /etc/ipa/server.conf configuration file in a text editor. If you do not have that file, create one.

  5. Add the following contents to the file. 

    [global]
debug = True
    Copy to Clipboard Toggle word wrap
  6. Save and close the /etc/ipa/server.conf file.

  7. Restart the Apache webserver service to apply the configuration changes: 

    [root@server ~]# systemctl restart httpd
    Copy to Clipboard Toggle word wrap

  8. Retrieve trust information from your AD domain: 

    [root@server ~]# ipa trust-fetch-domains <ad.example.com>
    Copy to Clipboard Toggle word wrap

  9. Review the debugging output and troubleshooting information in the following log files:

    • /var/log/httpd/error_log
    • /var/log/samba/log.*
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat