FreeIPA: Open Source Identity Management

Captions
Talk to you about identity management. Yes, we do have a full room, so yeah, if you are there, are there any seats left? No, okay. Everyone can give it up for Fraser Tweedale.

Hello everyone, it's nice to have a packed room. And yeah, I'm Fraser and I'm going to tell you about FreeIPA, which is an open-source identity management solution. So I'm a developer at Red Hat where I work on FreeIPA and in particular on the Dogtag Certificate System, which provides all the public key infrastructure needs for FreeIPA, and I have a development blog, the link is up there, and my Twitter handle is @hackuador.

So I'm going to introduce identity management and in particular FreeIPA as a solution for enterprise-scale identity management, an open-source solution of course. So we'll have a look at the features of FreeIPA, a little bit about how to deploy it, we'll have a look at the overall architecture of FreeIPA and the client components, and we'll conclude with a look ahead to what's on the roadmap.

So identity management: what is identity management? Well, Wikipedia defines it thus, and I'll just read this out because it's quite a mouthful: identity management, or IdM, describes the management of identity principals, that is, individual principals, their authentication, authorization and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. So there's a lot in that; let's break it down a bit. Identities are entities like users, hosts and services within an organization. Authentication concerns are where you need to gain a degree of assurance that someone or something is what it says it is, so these are passwords for authenticating users, two-factor authentication systems, certificates, single sign-on and so on. Authorizations are the policies concerning identities and what they are or are not allowed to do within a system, and that concern only becomes relevant after you have authenticated an entity. And
finally, the management concern is about how to manage these policies and identities in an efficient and scalable way. So, you know, if you're a small company, maybe 10 or 20 people, you might have one sysadmin; he can manage it all by hand. You scale up to a large organization with thousands of users, thousands of machines or services; that is not a situation where you're going to want to have to scale the number of sysadmins you have looking after these things linearly. That's a waste of money and there's a lot of duplication of effort.

So some of the technologies in this space include LDAP, which is the Lightweight Directory Access Protocol, or directory service; Kerberos, which is an authentication protocol where there's a shared secret on a key distribution center, or KDC, and hosts and users can authenticate to that system; X.509 is the public key infrastructure you're probably familiar with for securing the web and also email services and many other network protocols, so it describes a system of digital certificates where you can have chains of certificates, each verifying other certificates below it, so when you get a certificate chain you can verify it right back up to a root certificate; DNS is the Domain Name System for binding names to network addresses; and NFS is the Network File System for mounting user home directories on different machines they log in to, for example.

So that's identity management. What's FreeIPA? FreeIPA stands for Identity, Policy and Audit. We do do identity and policy; we don't do the audit thing. So when the project was started it was intended to be part of it; at this point it's been realized that it's better handled by other software, but it's still there in the name. It's a centralized identity management suite. So by centralized we're not talking about a single server: when you deploy FreeIPA there are a variety of topologies with replication agreements between different servers, so you have the ability to scale out and have
redundancy in the system. Centralized really means that one deployment of FreeIPA is going to manage identities and policies for one system, and outside systems aren't really going to be consulting a different FreeIPA system for information, so it's not a federated system. Typically one organization will have one deployment, or one set of deployments, of FreeIPA specifically for that organization. It has a simple web UI and a simple command-line interface, so we want to make it easy for people to manage the identities and the policies; got to hide the complexity. And also provide user self-service for some facilities, where an organization might decide, well, we can let individual users manage, for example, their SSH public keys. Simple deployment is a priority of the project. How simple? It's one command to install, or to deploy rather, the FreeIPA server, and it's one command to install a client and enroll it in a domain when you've already established a server. And finally we have Active Directory integration, so that is quite important because many organizations already have a lot of their identity data in Active Directory. They're probably not going to change wholesale across the industry anytime soon, so for FreeIPA to be successful we need ways to integrate with Active Directory, to allow organizations to avoid a duplication of effort and avoid having separate identity silos. So if you have a largely Windows organization but they need a UNIX group, or individual people using UNIX hosts or providing UNIX services, we want ways for people who are clients of the Active Directory realm to be able to get tickets for accessing the UNIX services, and vice versa.

Okay, so that's just a screenshot of the web UI. Well, I've seen worse UIs than that one, so just to prove to you that it doesn't look horrible; well, I don't think it looks horrible, UX people might disagree. So the components of FreeIPA are the 389 Directory Server, the MIT Kerberos KDC, the Dogtag
Certificate System, and that's the component that I mainly work on, although we do support other CAs; Apache httpd is used to serve up the web UI and the APIs; and we also have BIND for the DNS component.

So on to the features now. In authentication we have password policies, say things like patterns, you know, that old thing, you gotta have so many special characters and uppercase and lowercase, and also password expiry policies. Kerberos ticket policies, so how long is a ticket issued for. Kerberos over HTTP, so for users who might be outside the corporate firewall or on a mobile device where only ports 80 and 443 are accessible, you can actually have a Kerberos proxy running on one of those widely accessible ports and they can do Kerberos over that port. One-time passwords, so we have native hash-based and time-based OTP, or external OTP systems like, what's the company with the tokens, RSA SecurID, that sort of thing, and we also have the FreeOTP app for Android and iOS, and this is a free replacement for Google Authenticator. We also have some special commands for writing keys into YubiKeys if you want to use a YubiKey-based OTP system. We also do authorized keys management for SSH, so for a server where users will be logging in with SSH, if they provide their public key, then on those servers, instead of the regular authorized_keys file containing the keys of people that are authorized to log in there, it can consult a database and look it up in the FreeIPA system to decide whether that key is known. And this is also subject to authorization checks, so we can authenticate a user, say yeah, we recognize that key, now let's do some checks using PAM to determine whether they actually are allowed to access this host. For users and groups we have automatic group membership rules, sudo integration, so you can bind particular commands and command groups to the user groups or the users that are allowed to execute those programs via sudo,
SELinux user roles, the automount capabilities, and role-based access control, which is more of a FreeIPA-specific concern: so who is an admin for FreeIPA itself. Hosts, host groups and netgroups: so similar to user groups we have automatic host group membership rules. One-command host enrollment, so again this is this ease of deployment and ease of enrollment: the ipa-client-install command is used to, once you've yum installed or apt-get installed the FreeIPA client, just issue that command, answer a few questions like where's the host, or whatever, or via DNS autodiscovery without prompting, it will install the client and enroll it in the domain. Host-based access control rules, and SSH known hosts management, so similar to the authorized keys, there's a facility in OpenSSH where instead of just checking a flat file it can go and look it up in a database, and this can avoid, you know, the first time a user connects to a server there's always that prompt, here's the key fingerprint, and everyone just says yes and never checks it. So with the known hosts management, no one gets prompted; it's already known within the system. Services are first-class entities in FreeIPA. We provide Kerberos keytab management and certificate provisioning via the certmonger tool, which also has the very nice feature of automatic renewal, so as the expiry date of a certificate approaches, certmonger can go and perform a new certificate request to get a newer certificate, so users don't encounter warnings about expired certificates when they're accessing servers that are authenticated with the X.509 key infrastructure.

So on the client side we have SSSD, which is the System Security Services Daemon. This connects a UNIX client to one or more central identity stores. It's available on most Linux distributions and also on FreeBSD, and it supports FreeIPA. It also has special knowledge of Active Directory and some of Active Directory's features, but it can also
talk to a bare LDAP server. So this is something we use when you install FreeIPA clients: SSSD is configured, but you can use SSSD independently of FreeIPA and it is a useful program. It provides credential caching and offline support, so if someone goes offline or if your KDC goes down they can still log into systems and get work done. It works by providing PAM and NSS responders that know how to talk to the identity store and can look up names, can perform authentications and so on, and there's also a D-Bus API, but that's not a stable API and it's not very well fleshed out yet, but if you have use cases for that we definitely want to hear about it, and we'd like to see what people can do with a D-Bus API for SSSD.

So Active Directory integration, as I mentioned earlier, is an important part of what will make FreeIPA successful. The main feature for FreeIPA and Active Directory integration is the cross-realm trust. So we used to do synchronization, but that is actively discouraged in the recent versions since cross-realm trust arrived. So this allows you to manage your users, for example, in Active Directory and manage hosts and services on UNIX systems, and Active Directory users, so users of systems that are enrolled in the Active Directory domain, can access the resources in the FreeIPA domain. POSIX attributes can be stored in Active Directory, or you can use views, which I don't know a lot about, but I think it basically does some transformation of Active Directory data or attributes to something that's understood in the POSIX domain. There's simple configuration, so there's no Active Directory-specific configuration; it can all be configured just by issuing commands on the UNIX system. There's no data synchronization and there's no additional software needed on the Active Directory machine. For all clients that don't have SSSD, or maybe an older version of SSSD without the Active Directory support, we also provide what we call the legacy
client compatibility tree. So this basically provides a tree with a, I can't remember the name of the schema, but there's an RFC that defines the appropriate schema. With that tree we can intercept binds and look up whether that user is an Active Directory user or a FreeIPA user. If they're a FreeIPA user we then perform the bind against the FreeIPA directory tree, but if they're an Active Directory user we authenticate them to Active Directory via the SSSD instance that is running on the server, so local to the FreeIPA server.

For server deployment we support Fedora, RHEL and CentOS. It's quite recently, I think as of about October last year, available on Debian and Ubuntu, but this is less supported, so there are a few people working on that, but most of the developers on FreeIPA are working on Red Hat systems, and indeed many are working for Red Hat, so Fedora, RHEL, CentOS, these are our main focus. So there's one command to install the server, ipa-server-install, and you answer the questions it asks you and wait a few minutes as it sets it all up and you're done. All your infrastructure will be up and running and you can begin enrolling clients in that domain, or hitting the web interface and adding users, adding groups, setting up sudo rules, whatever it is you need to do. It is slightly more work to set up a replica; that's two commands. For client enrollment, again a single command: you answer some questions, wait a few minutes and you're done. There's also autodiscovery via DNS, which means you have to answer fewer questions. There's options for unattended install, and what ipa-client-install does is it configures SSSD, configures PAM, NSS, sshd; all of these services that are working together to provide this nice experience for users of the domain get set up when you run ipa-client-install. There's also some integration with provisioning systems, including Satellite, or Spacewalk, which is the upstream of Satellite, along with OpenLMI, which I think is
Open Linux Management Infrastructure, and the Foreman smart proxy. I actually don't know a lot about these technologies, but maybe some of you do, and people on the mailing list do, so if you have questions, yeah, ask, and the usual point.

So the architecture at a high level: we have the FreeIPA server with the LDAP directory and the certificate authority, KDC, DNS, the HTTP server. All of these services talk to the one LDAP directory. You have an administrator that can administrate the domain using the web UI or the command-line tool or the APIs, and we have hosts that enroll in the domain, typically using ipa-client-install, which will configure SSSD and related services, but possibly using the LDAP compatibility tree on an old client. So without SSSD, you know, a Solaris box can be configured as a client of a FreeIPA realm; FreeBSD, OpenBSD, most UNIX systems you can set up. We have an Active Directory domain with Active Directory hosts and users.

Yeah, question?

You mentioned before you are trying to avoid siloed user stores, but effectively you have got two, because you've got AD and you've got the LDAP store on your FreeIPA, so I'm kind of confused by that.

Yeah, so that's a great question. So what we want to avoid is duplication of identity data, and so we want to avoid silos with the same identity data existing in them. So if you have a situation where you have your users in Active Directory, you might have services running in the FreeIPA realm, and the only user identities you might have over there are administrators for the UNIX service and that sort of thing, but your main organizational identity data would, well, it's very, very common to have an Active Directory domain with most of your organization's users in there, but you might have a UNIX group with just a few UNIX admins and servers there, but everyone needs access to those servers. In that situation you'd set up a cross-realm trust.

Yes? You mention there's, you prevent duplication of data between FreeIPA and Active
Directory. Does FreeIPA have the mechanism to detect if, let's say, the user already exists, has already been existing on the Active Directory? And also, there's a nice, I said the PKI as well; if there's already an existing PKI record for that user, does FreeIPA succeed, or does it have no mechanism to do so?

Okay, so if I understand correctly, your question is: is there any facility for detecting whether a user exists in both Active Directory and FreeIPA? As far as I know there isn't, but it wouldn't be hard to write a script to go through and check for that sort of thing. Okay.

For SSSD, the architecture: so we have the FreeIPA server over here, which includes the identity data and also the authentication services. This here, by the way, is one host, so the clients are programs on the same host that SSSD is running on. SSSD provides the NSS responder for name lookup and PAM for authentication and authorization, so clients talk to NSS and PAM according to their needs. These go through the cache, which provides the offline and credential caching, and then these talk to the domain provider, and the domain provider routes requests for general identity data or for authorization or authentication to our services accordingly. And yeah, there's just way too much detail in that diagram to explain, but if you want you can snap a picture of that now, but the slides will be available online anyway.

Okay, so the roadmap. Short-term efforts, so these are efforts that are well and truly underway; in many cases these have already been released in FreeIPA 4.1, which is available on Fedora 21, and there's also a COPR to use FreeIPA 4.1 on Fedora 20. So: DNSSEC support; CA certificate renewal, so the automatic renewal not just of the service certificates but actually the CA certificate, and pushing the new CA certificate out to clients; backup and restore scripts for your FreeIPA domain data; the updated web UI, so the screenshot I showed earlier is actually
the updated UI; if you use FreeIPA 3.something then the UI is a little bit, it doesn't quite look as nice as what you saw. Improved permissions and fine-grained read access is a big improvement that landed in FreeIPA 4. Integration with the Red Hat support portal for RHEL subscribers. And these features are available in SSSD 1.12 and FreeIPA 4.1, and this is being considered for release in RHEL 7.1.

Longer-term efforts, so these are efforts that are just starting, or we're laying the groundwork for these. Enforcing stronger authentication for select services: so if you imagine a situation where you have some services that maybe aren't particularly sensitive, so you say anyone who has a ticket-granting ticket from the KDC, anyone who's authenticated, can get a ticket to access those services, but you may have more sensitive services and you might want to enforce a policy that says, well, if anyone wants to talk to this service we want to make sure that they authenticated using two-factor authentication. Currently there's no way to make those policy decisions. The Kerberos CAMMAC facility, which I think stands for container something multiple MACs, one of which can be the authentication indicator data, will be used to implement the ability to define and make these policy decisions. Kerberos authentication for mobile devices, so we had some people looking at actually getting the Kerberos client running on Android devices; I'm not quite sure where that work is at, but there was definitely some work in that area. DNSSEC improvements, so our DNSSEC support is fairly basic at this point; DNSSEC is going to allow key rotation and revocation and that sort of thing. Smart card login for SSSD, so instead of authenticating with a password you can insert a smart card into your computer and use that for authentication. Customizable X.509 certificate profiles: at the moment we only deal with service certificates; this will allow people to define new profiles for servers and also down the
track lead to user certificates, so we'll be able to provision certificates for users to, for example, access a VPN server, or whatever it is you may wish to do. These can be short-lived certificates as well, so you can say, well, we want a certificate for them to authenticate to a VPN service, rather than having to have them do it manually using an OTP or a passphrase, so we can provision a short-lived certificate, maybe an expiry of one hour; they can use that to connect to the VPN, one hour passes, that certificate will never be accepted again. And finally the password vault, which is a user-accessible secure key and password store, so this is something that will allow FreeIPA administrators to provide to their users as a self-service, and it's basically a FreeIPA front-end to what we call the Dogtag Key Recovery Manager, so a secure secret store.

We have efforts to integrate with CloudForms. We also are playing with Docker, which is so hot right now, so we're looking at SSSD running in containers, so a FreeIPA client in a container for other services in that container to use, and also running the FreeIPA server in a container. We have some efforts in OpenStack, particularly with Keystone for authorization; Barbican, which is the OpenStack secret store, and we're looking at a back-end for Barbican using FreeIPA or Dogtag; and the Designate DNS component. Also, with OpenShift v3 coming up soon, which I'm sure some of you will have seen in cadiz talk yesterday, we're going to do another round of integration, so we have FreeIPA support there for people who want to deploy OpenShift within their enterprises. Calamari, which is a Ceph management platform. And yeah, insert your project here; maybe your project is one that could benefit from integrating with FreeIPA. If so, let's start the conversation.

So, adopting FreeIPA: the GNOME infrastructure team recently adopted FreeIPA for all of their identity infrastructure. There's a really good blog post, it's actually a series of blog posts, but
start here and you can learn about what their requirements were, why they decided on FreeIPA, and then in subsequent posts what was their journey of adopting and migrating to FreeIPA. You might have knowledge of, or be involved in, an open-source project or community that is currently suffering from a proliferation of identity silos containing the same identities over and over again. If that's so, then you might also benefit from migrating to FreeIPA, and we would love to talk to you and find out what your requirements are and work out how we can help you do that. There's a demo where you can go and play with the web UI; you can enroll clients to see what that experience is like and to use some of these features. Information about how to use the demo is at that link. It's a sandbox and it gets blown away every 24 hours and started afresh. You could put some really cool stickers on your laptop if you think FreeIPA is a cool and interesting project, and we also got Dogtag and SSSD and OpenShift, which I didn't talk about really, and Docker, which is so hot right now. I've got stickers out on the rego desk and I've got spares if they run out there.

So in conclusion, FreeIPA is an advanced open-source enterprise identity management solution with a focus on ease of use and deployment. So the goals of the ease of use and deployment, of course, are to reduce the cost of managing your identity infrastructure. The Active Directory integration helps avoid duplication of effort and duplication of data for enterprises who are already using Active Directory but have a need to run UNIX services as well. So you might have a project, or another project, that can benefit from integrating with FreeIPA, or benefit by adopting FreeIPA for your identity infrastructure; we'd love to talk to you if that's the case. Resources: there's the FreeIPA website; there's a page on how to adapt your web applications to use the authentication and the authorization facilities provided by FreeIPA;
there's a number of mailing lists, including the low-traffic interest list, which is used primarily for release announcements; the users list, which is general discussion and questions; and of course the devel list, which is where we make the design decisions and do patch review and so on. The freeipa channel on Freenode, and there's also a blog, what do you call this, a blogroll, blog planet, I don't really know, but Planet FreeIPA, that's a blog aggregator. Also SSSD, if you're just interested in that, we have fedorahosted.org/sssd, that is the main website, and mailing lists of course and IRC and whatnot. Thanks to Dmitri and Martin, who made the diagrams, because I really suck at that. And now we have time for questions.

Yes? Thank you. One thing that I wonder about is how to secure the Kerberos server, because it sort of holds the crown jewels, you know. How do you actually, you know, you need to make it available for configuration management and so on, and it needs its own management, and I've wondered about how you prevent people from just saying, oh, I'll just go and get everyone's accounts from here.

Yeah, that's a good question. I'm not, nor have I ever been, a systems administrator, so I don't have any firm answers for you there. If you were just in Olivia's talk, maybe he would have some good advice for you in terms of securing UNIX servers. Yeah, sure, I mean, same with the certificate authority: you need to secure the private keys, so even though credentials aren't typically travelling across the wire in an X.509 public key infrastructure, or in, you know, network services that are using X.509 to secure their communications, you still have those high-value targets.

My understanding is SSSD will also talk directly to Active Directory on its own?

That's correct, yeah, and in fact you can configure it to have knowledge of multiple identity stores and authentication services at the same time. Note that ipa-client-install will specifically configure SSSD as a client
of a FreeIPA domain, as well as configuring the other related services.

Hi, I just want to ask quickly about, in the current IPA setup, you know, the kind of domain admin problem you have in AD, where you have to have someone that has the rights to do absolutely anything with the directory that they like, and you kind of avoid that. However, is there any intention on the roadmap to provide a bit of segregation in those lower levels of administration about what they can mess with? So for example, you may have two vendors that you're using to run Linux infrastructure; you don't want to have to duplicate multiple FreeIPA stacks for each of those vendors, but you want to be able to limit their ability to, you know, add sudo rules for each other's hosts, or provision users in a way that would allow them to leverage the fact that they're using a shared directory.

Yeah, great question. I'm not entirely sure on that. I know that you can delegate administration responsibilities, but I don't know if you can delegate them in a way whereby the responsibilities are branched into, you know, separate branches, where people have the same responsibilities or the same level of authority in terms of what they can do, but that authority only applies to a particular sub-branch of the organization. I'm not quite sure; the mailing list would be a great place to find out more about that.

So this is a bit of a two-part question. Can you get Windows clients to auth to the FreeIPA server even though the user accounts are on the Windows AD box, or does that require basically setting up the Windows machine so that, instead of being trusted by the Windows AD, the authentication should go to FreeIPA? Basically this leads into the question of, can you use FreeIPA to phase out AD?

Yes, I believe you can configure Windows clients as clients of a FreeIPA domain. That's not a particularly common use case, or at least it's not something that I'm
aware of people doing very much. Hey, what was the first part of your question?

Can you put in FreeIPA, can you put in FreeIPA to be able to phase out a Windows AD server, but if you've got Windows clients as well as, like, UNIX clients as well?

Yes, yes, yeah. Again, I've never been an Active Directory administrator; I don't know a whole lot about that side of the system. It's usually what people want to find out about, though, so I'm sorry I can't give you a direct answer to your question, but, yeah, rubato would be great to speak to, and the mailing list as well. Yeah.

I work for a software development company; a lot of the developers run Macs. Has any of this been tested with OS X?

I don't know if it has been tested with OS X, but given that OS X is UNIX, you could definitely compile and run this software on it, maybe not as is, but it wouldn't be hard to patch it, I think. So if not today then, yeah, I'm sure with a small amount of effort it would be doable.

Okay, great. So I might hit you up for that information and then send it to the chat list or something afterwards.

Yeah. It's about the Windows group policy on AD. I know it's quite helpful on the Linux or UNIX side to implement group policy. Is there any future plan to populate the group policy on the Windows domain that's used by the Windows clients to FreeIPA? Because you've mentioned that the sudo commands for the clients of FreeIPA can be controlled as well, so instead of doing it manually; I know, like, for example, installing an application and setting a printer on Windows through group policy is easy, but with the Linux, UNIX, we can do that through infrastructure management, Puppet, Chef. So exporting the existing, or populating the existing, group policy on the Windows AD domain to be used by FreeIPA would be great.

Yeah, so I think that that is what the views feature is intended to be useful for, so where you take group attributes or other attributes of users on the
Active Directory side and then kind of create on the fly the corresponding policy on the FreeIPA side that the UNIX service will then reference. Is that what you mean?

Okay, in Windows AD, could you export that into some one file format, and, I don't know how you could convert that or use it on FreeIPA, if there is any future plan to do it or to support that?

Okay, yeah, I'm gonna have to punt on that one, I'm afraid, as well. It's not an area I know much about. Yeah, the mailing list, so the users list, would be a great place to ask these sorts of questions, and I promise you there are people there who will understand much better than I do what your question is and be able to give you a firm answer.

We can have Linux clients directly as clients for AD, so what's the benefit of putting FreeIPA into the mix? Why should we authenticate against FreeIPA instead of going directly to AD?

Yes, this again comes to the situation of you're an organization with your identity infrastructure in Active Directory, but maybe you have a need for a UNIX group, or you have a UNIX group; they're going to want to manage their service and their administrator accounts in the UNIX way, so they can deploy a FreeIPA server and enroll clients in that domain, and you set up a cross-realm trust. And so it's more about the situation where you have separate groups that want to manage the identities that they're responsible for in the ways that make sense for those platforms, and being able to interoperate between those two different domains without duplicating identity data. I suppose not all.

Right, so we have run out of time now. If you do have more questions, I'm sure, you can go and ask questions outside and take your questions out there, but on behalf of the LCA team we'd just like to thank you again, give you a small gift, so a huge round of applause.
Info
Channel: Linux.conf.au 2015 -- Auckland, New Zealand
Views: 11,357
Rating: 4.9245281 out of 5
Keywords: lca, lca_2015, FraserTweedale
Id: PZXsNt2_Ie8
Length: 43min 16sec (2596 seconds)
Published: Fri Jan 16 2015