In a previous CentOS 7 review article, we talked about Linux container support in CentOS 7. This article is about identity management and integration with Active Directory. At the end of the post there is a link to try CentOS 7 for free in the InfoboxCloud cloud.
Every day we read news about user data leaks. Giving sensitive information only to the right people, through the right accounts, is critical to information security in your infrastructure. Critical, but not always easy to implement.
Until recently, the options for centralized identity management on Linux were limited. There was no ready "turnkey" domain controller. Some Linux distributions combined open-source Kerberos and DNS tools into a Linux-based centralized identity management mechanism; this approach could take a lot of time to set up and maintain. Others integrated Linux clients directly into Microsoft Active Directory, but that approach limited the use of some standard Linux tools, such as sudo and automount.
Identity Management (IdM)
Since release 6.4, CentOS has included Identity Management (IdM), a set of functions that provide a centralized and easy way to manage the identities of users, machines, and services in large Linux/Unix corporate installations. IdM provides a way to define access security policies for managing these identities. The identity management framework was developed as part of the open-source FreeIPA project, which integrates standard general-purpose network services into a single management system: PAM, LDAP, Kerberos, DNS, NTP, and certificate services. This allows CentOS systems to act as domain controllers in a Linux environment. Because identity management is built into CentOS, it is enough to add policy and identity management to your existing workflow.
Integration of IdM and Active Directory in CentOS 7
For many organizations, Active Directory (AD) is the center for managing users' identities within an enterprise. All systems that AD users can access should be able to work with AD to perform authentication and identity verification.
Identity Management on CentOS 7 offers two ways to integrate Linux systems into an Active Directory environment:
- Direct integration. Linux systems can be joined to Active Directory directly using the System Security Services Daemon (SSSD). SSSD acts as an authentication and identity gateway to the central identity store. It can be configured easily with the new realmd component: realmd discovers available domains from DNS records and configures SSSD to talk to the correct identity source. With realmd you can join any Linux system to IdM or to AD, as shown below. Once the system has joined the domain, domain users can access it: they authenticate against the domain, their POSIX attributes are managed centrally, and Linux learns their group memberships. In this setup SSSD replaces the winbind component used previously. However, if you plan to serve CIFS file shares from Linux, you will still have to configure winbind.

- Indirect integration. Direct integration is limited to authentication and user identity. The system does not receive the policies and data that control access in corporate environments. Linux systems can instead receive policies (for example, sudo rules), host-based access control rules, automount maps, netgroups, SELinux user mappings, and other settings from a central identity server. An Identity Management server provides centralized management of Linux systems, giving them identities and rights and delivering the centrally managed Linux policies listed above. In most corporate environments, Active Directory users must have access to Linux resources. This is achieved by establishing a trust relationship between the IdM servers and AD. The diagram below shows how users from the Active Directory forest access Linux systems that are joined to the IdM domain.

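The direct-integration item above ends with the part that is easy to overlook: once a host is joined, which domain users may actually log in is decided by SSSD's access provider, not by the join itself. The following added example (not code from the article, realmd, or SSSD) parses the domain section of an sssd.conf and reports the weak settings. Both configuration fragments are constructed for the demonstration and use the placeholder domain example.com; the option names (id_provider, access_provider, simple_allow_groups, use_fully_qualified_names) are real SSSD options, and the restricted variant uses SSSD's simple access provider, the mechanism that realm permit configures.

```python
"""Audit the SSSD domain section of a host joined directly to Active Directory.

Added example, not part of the article, realmd or SSSD. The two sssd.conf
fragments are constructed for this demonstration; example.com is a placeholder.
"""
import configparser
from typing import List

# Constructed: a wide-open join. Every AD user who can authenticate may log in.
SSSD_CONF_PERMISSIVE = """
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True
id_provider = ad
auth_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = permit
"""

# Constructed: the same join, with logins restricted to one AD group through
# SSSD's simple access provider (what `realm permit` with a group list sets up).
SSSD_CONF_RESTRICTED = SSSD_CONF_PERMISSIVE.replace(
    "access_provider = permit",
    "access_provider = simple\nsimple_allow_groups = linux-admins@example.com",
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style. Interpolation is disabled because values such as
    fallback_homedir = /home/%u@%d contain literal percent signs."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_domain(cfg: configparser.ConfigParser, domain: str) -> List[str]:
    """Return a list of findings for [domain/<domain>]; an empty list means OK."""
    findings: List[str] = []
    section = f"domain/{domain}"
    if not cfg.has_section(section):
        return [f"no [{section}] section: host is not joined to {domain}"]

    active = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")]
    if domain not in active:
        findings.append(f"{domain} is configured but not listed in [sssd] domains, so it is inactive")

    dom = cfg[section]
    if dom.get("id_provider") != "ad":
        findings.append("id_provider is not 'ad': identities are not coming from Active Directory")

    # SSSD's documented default when access_provider is unset is 'permit'.
    access = dom.get("access_provider", "permit").lower()
    if access == "permit":
        findings.append("access_provider is 'permit' (or unset): every domain user who can "
                        "authenticate may log in; restrict logins with realm permit or a "
                        "domain-side access provider")
    elif access == "simple":
        users = dom.get("simple_allow_users", "").strip()
        groups = dom.get("simple_allow_groups", "").strip()
        if not users and not groups:
            findings.append("access_provider is 'simple' with no allow list: the simple "
                            "provider allows everyone when no allow list is set")
    elif access != "ad":
        findings.append(f"unrecognised access_provider '{access}'")

    if dom.get("use_fully_qualified_names", "").lower() != "true":
        findings.append("use_fully_qualified_names is not True: domain and local account names can collide")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", SSSD_CONF_PERMISSIVE), ("restricted", SSSD_CONF_RESTRICTED)):
        result = audit_domain(parse_sssd_conf(text), "example.com")
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a real /etc/sssd/sssd.conf by reading the file into parse_sssd_conf; the permissive fragment yields exactly one finding (the permit access provider), the restricted one yields none.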
Identity Management on CentOS 7 adds new features to SSSD (the client) and to the IdM server that make identity management simpler and more capable, including support for domain trusts, user interface improvements, and a prototype backup and restore function.
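The indirect-integration item above says Linux hosts receive host-based access control (HBAC) rules from the IdM server rather than deciding access locally. The following added example (not code from the article or from FreeIPA) evaluates a small rule set the way the HBAC model is documented: access is granted if any enabled rule matches the user, the host and the PAM service, and denied otherwise. The rule set, user and host names are constructed; ad.example.com stands for the trusted AD forest and linux.example.com for the IdM domain, and the caller is assumed to have already resolved the user's AD groups to IdM group names.

```python
"""Evaluate IdM (FreeIPA) host-based access control rules.

Added example, not code from the article or from FreeIPA. Rule, user and host
data are constructed; ad.example.com and linux.example.com are placeholders.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)
    usercategory: str = ""     # "all" matches every user
    hostcategory: str = ""     # "all" matches every host
    servicecategory: str = ""  # "all" matches every PAM service


def _side_matches(category: str, direct: Set[str], groups: Set[str],
                  item: str, item_groups: Set[str]) -> bool:
    """One side of a rule matches by category 'all', by direct membership,
    or by sharing at least one group with the item."""
    return category == "all" or item in direct or bool(groups & item_groups)


def hbac_decide(rules: Iterable[HbacRule], user: str, user_groups: Set[str],
                host: str, host_groups: Set[str],
                service: str, service_groups: Set[str]) -> Optional[str]:
    """Return the name of the first enabled rule that grants access, or None.
    None is the default: no matching rule means the login is denied."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (_side_matches(rule.usercategory, rule.users, rule.usergroups, user, user_groups)
                and _side_matches(rule.hostcategory, rule.hosts, rule.hostgroups, host, host_groups)
                and _side_matches(rule.servicecategory, rule.services, rule.servicegroups,
                                  service, service_groups)):
            return rule.name
    return None


# Constructed rule set. allow_all is the rule IPA ships enabled by default; it
# is disabled here, which is the usual first step once specific rules exist.
RULES = [
    HbacRule("allow_all", enabled=False,
             usercategory="all", hostcategory="all", servicecategory="all"),
    HbacRule("admins_ssh", usergroups={"linux-admins"},
             hostgroups={"webservers"}, services={"sshd"}),
    HbacRule("deploy_web1", users={"deploy@ad.example.com"},
             hosts={"web1.linux.example.com"}, servicegroups={"Sudo"}),
]


def example_decisions() -> dict:
    """Constructed requests: AD users from the trusted forest against IdM hosts."""
    return {
        "alice_ssh_web1": hbac_decide(RULES, "alice@ad.example.com", {"linux-admins"},
                                      "web1.linux.example.com", {"webservers"}, "sshd", set()),
        "alice_ssh_db1": hbac_decide(RULES, "alice@ad.example.com", {"linux-admins"},
                                     "db1.linux.example.com", {"dbservers"}, "sshd", set()),
        "deploy_sudo_web1": hbac_decide(RULES, "deploy@ad.example.com", set(),
                                        "web1.linux.example.com", {"webservers"}, "sudo", {"Sudo"}),
        "bob_ssh_web1": hbac_decide(RULES, "bob@ad.example.com", set(),
                                    "web1.linux.example.com", {"webservers"}, "sshd", set()),
    }


if __name__ == "__main__":
    for request, rule in example_decisions().items():
        print(f"{request}: {'allowed by ' + rule if rule else 'denied'}")
```

The point the evaluator makes visible is the default-deny behaviour: bob has no group membership and no rule names him, so he is denied on every host even though he is a valid AD user, and alice is allowed on web servers but not on the database host. Re-enabling allow_all silently grants both of them access everywhere, which is why it is the first rule to disable on a production IdM server.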
Sources used in the preparation of the article:
- Linux Domain Identity, Authentication, and Policy Guide in the Red Hat Network (applicable to CentOS 7)
- Red Hat official blog
- Red Hat Knowledge Base
- CentOS official blog
Especially for our readers, we provide the opportunity to try CentOS 7 in the InfoboxCloud cloud in one of the data centers in Moscow and Amsterdam. Register for the 15-day trial via this link. If you need more resources for testing than the trial provides, write to trukhinyuri@infoboxcloud.com. CentOS 7 is also available as a VPS from Infobox in data centers in St. Petersburg, Krasnoyarsk and Amsterdam.
We wish you success with CentOS 7! To be continued.