freeipa
play

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo - PowerPoint PPT Presentation

Aug 11, 2023 •438 likes •730 views

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

  1. FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc.

  2. What is FreeIPA ? • Acronym: Free Identity, Policy, Audit • Purpose: Make it simpler to manage a complex problem • Means: Use standard protocols and components • Target: System Administrators form 7 to 100 years old :-)

  3. Why should I care ?  Organizations and companies need to manage their users and resources.  So far IdM has been the realm of proprietary vendors ● That means the keys of our organizations are in their hands  We can't have a fully free environment if the Identity space can't be managed through Free Software  Security + Freedom

  4. The Identity Management Problem  Needs: ● Single source for Identities (duplication = confusion) ● Single-Sign-On / Single-Password ● Single data store for auditing/reporting (compliance) ● Single point of Management (comprehensive view)  Implementation problems: ● Synchronization and/or Integration ● Distribution of data/credentials ● Single points of failure ● Integrated Management Interfaces

  5. FreeIPA Components Directory (LDAP) Why a Directory ?

  6. Why a Directory ?  We need a storage mechanism to: ● store identity information ● perform fine grained access control ● organize Identities and allow group relationships ● distribute Information across all clients ● replicate Information on multiple servers  Yes, but why LDAP ? ● Standard ● Extensible ● Flexible

  7. FreeIPA Components Why Kerberos ? Kerberos Directory

  8. Why Kerberos ?  We need an authentication system that: ● provides Single Sing On authentication ● allows administrators and users alike to carry on their identity while they access various services ● is a tested standard and is a validated secure solution ● is extensible/extended to use new authentication technologies like Smart Cards and new encryption algorithms as need arises.  Is kerberos the only way within FreeIPA? ● Predominant ● Ldap binds as an alternative for some services

  9. FreeIPA components NTP Kerberos Audit Server (Certification DNS Directory Authority) Web Server Client (WebUI & admin tools) Policies

  10. FreeIPA (v1) components  Fedora Directory Server  MIT Kerberos  Apache (+ mod_nss, mod_auth_krb, mod_proxy)  Python, Turbogears  Custom FDS plugins and CLI tools  nss_ldap,pam_krb5 (clients)  Self Signed CA  NO policies  NO Audit

  11. Directory structure  Accounts, configuration and Kerberos data are kept in separate containers. This allows simpler ACIs and makes it simpler to add more subtrees later without having to reconfigure clients. In v1.2 a subtree called cn=compat was added to help legacy clients (Solaris) that do not yet support rfc2307bis

  12. The Kerberos/directory integration kpasswd ipa_kpasswd Password plugin ldappaswd Directory Server kinit LDAP plugin krb5kdc

  13. Management Interfaces in v.1  Everything revolves around the Directory apache Browser mod_nss mod_auth_krb mod_proxy CLI xmlrpc ipagui Directory Server

  14. Web Interface

  15. Command Line Interface  More than 20 distinct command line tools  Examples: ● Ipa-adduser[group/service/delegation] ● ipa-deluser[group/service/delegation] ● ipa-finduser[group/service/delegation] ● ipa-moduser[group/service/delegation] ● ipa-passwd ● ipa-pwpolicy ● ipa-defaultoptions ● Ipa-change-master-key ● ...

  16. Not enough low level for you ?  ldapadd  ldapmodify  ldapdelete  ldappasswd  … and the joy of manually writing ldif files and horribly breaking your own installation :-) Hey, wait a moment! Didn't we say we want to make it SIMPLE ?

  17. Making it simpler ...  Example: initial configuration made very simple ● Install packages ● Run ipa-server-install ● Answer a few questions: ● DNS Domain and Realm name (defaults suggested) ● Directory Manager password (required) ● Admin User Password (required) ● Done!  The installation program configures all necessary components: NTP, Directory Server, Kerberos, apache, ipa-kpasswd, ipa-gui, client side bits

  18. Basic IPA v1 network diagram Client NTP Directory Users&Groups Server (DNS) nss_ldap IPA Core pam_krb5 Authentication XMLRPC Kerberos & KDC WEBUI Authentication Client Browser Management Station CLI

  19. A little more complex: multiple servers.  Directory server supports Multi Master Replication ● All information including Kerberos keys is replicated se ● no need for kpropd ● Replication is performed at the attribute level ● DS does automatic conflict resolution  Setting up replication is done with just 2 commands ● ipa-replica-prepare on one master ● Ipa-replica-install on the new server  Replicas are managed with one command ● ipa-replica-manage

  20. IPA v1 network topology  We fully tested up to 4 masters so far, but there is no inherent limitation in the replication protocols IPA IPA IPA IPA

  21. Version 2: new components  Client agent ● SSSD: System Security Services Daemon + IPA plugin ● Manages all connections, caches, support offline ops.  Policy infrastructure ● Policy processor + Management interfaces  Host Based Access Control ● Centrally managed, rules stored in LDAP  Roles ● Centrally defined in LDAP  Audit Daemon ● Audit API and client daemon + collecting server daemon

  22. Version2: new components (continued)  New Web UI ● Better User Interface ● Extensible through a plugin system  DNS Integration ● LDAP BIND Plugin + GSS-TSIG for Dynamic Updates  Registration Authority ● This component will simplify using a Certification Authority and installing certificates on client machines  Legacy LDAP services ● Automount maps ● Translation plugin to present legacy netgroups to clients

  23. Simplified IPA v2 network diagram NTP Client RA/CA Kerberos Authentication KDC DNS Users&Groups&Roles / HBAC SSSD & Directory IPA Core Audit IPA plugin Server Authentication Policies AUDIT XMLRPC WEBUI Client Browser Management Station CLI

  24. Clients and Machine Identities  In version 1 creation of kerberos keytabs for hosts is a manual operation (except for the ipa server) ● ipa-addservice/ipa-getkeytab  In version 2 we will finally have an agent that is run on client machines. ● The client installation process will automatically retrieve credentials for the client (host/xyz.foo.bar@FOO.BAR) ● Agent can be trusted by the server + sign&seal of connections to the server is possible using GSSAPI. ● Increases security of logins and perform validation by default ● Allows clients to perform operations like requesting certificates form the Registration Authority

  25. Policies  Policies use XML and RelaxNG based templates ● Interpreted and merged with local configuration files on the client by the policy processor ● Also used to build the UI used to manage them  Policies can be grouped in Policy Groups  The association between policies and machines is stored in the directory ● Group of Machines associated to Group of Policies ● Delegation to junior admins possible through ACLs ● Roles are also distributed together with policies ● (SELinux Users, PolicyKit roles, etc...)

  26. Auditing  Log collection on clients ● Audit logs from the kernel ● Syslog files collection / rsyslog ● API to send audit events ● Store and forward client based on AMQP  Log collection on the server ● AMQP queues ● Potential for routing audit events to different servers depending on the queue ● Storage of audit events to allow analysis through common reporting tools

  27. Client diagram monitor Application XYZ info_pipe (ex: GDM) server XYZ plugin data provider (dispatcher) sssd_pam IPA plugin sssd_nss Application IPA DB server auditd Policy pam_sss processor SSSD nss_sss File System

  28. Thank You! Questions? http://freeipa.org

Recommend

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

406 views • 16 slides
Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

487 views • 31 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

669 views • 30 slides
Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

352 views • 17 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

793 views • 31 slides
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

1.33k views • 106 slides
USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME

USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME

USER SESSION RECORDING An Open Source solution Fraser Tweedale @hackuador 2017-10-22 ABOUT ME Working at Red Hat Platform Engineering (Security) FreeIPA and Dogtag Certificate System 2 User Session Recording: An Open Source

618 views • 45 slides

More recommend