In Linux, user and permission management is crucial for maintaining system security and controlling access to files, directories, and resources.
Red Hat provides an enterprise-level solution for this called Red Hat Identity Management (IdM), whose open-source upstream is FreeIPA. It offers centralized authentication, authorization and identity management services such as Single Sign-On (SSO), Role-Based Access Control (RBAC), identity federation, integration with Microsoft AD and Azure AD (AAD), and cross-cloud access with AWS SSO acting as an external identity provider.
When a company faces the challenge of managing its Linux environments across on-premises and public cloud, Red Hat Identity Management can be the solution, providing:
Integration with local AD and Azure AD (AAD)
Integration with AWS SSO as an external identity provider
LDAP – an LDAP directory (389 Directory Server) is embedded
Kerberos – KDC (MIT Kerberos) for Kerberos key management and single sign-on
DNS – BIND (bind-dyndb-ldap) for domain name services
PKI – Red Hat Certificate System (Dogtag certificate system) provides public key infrastructure for certificate management
NTP – Network Time Protocol service for time sync
A web-based management front-end running on Apache
A typical AD user authentication flow across AWS and IdM would be:
When a user attempts to access AWS resources, they first authenticate through Azure AD using their Azure AD credentials.
Azure AD authenticates the user and issues a security token.
The user accesses AWS SSO, which is configured to use Red Hat IdM as an identity provider.
AWS SSO redirects the user to the Red Hat IdM authentication page.
The user enters their Red Hat IdM credentials and authenticates against the IdM server.
Red Hat IdM validates the user’s credentials and issues a SAML assertion to AWS SSO.
AWS SSO validates the SAML assertion and grants the user access to the requested AWS resources.
FreeIPA: the open-source version of Red Hat IdM
Here I am going to install and configure a local lab IdM portal using the open-source version of Red Hat IdM, called “FreeIPA”, with three Linux boxes to validate user permissions and client host enrollment (both CentOS and Ubuntu). The requirements and design are as below:
On the FreeIPA server freeipa-server.zackz.oonline (11.0.1.150, CentOS 7.9)
Console login
Log in to the FreeIPA console with the server IP or DNS name
List the two users “alice” and “vincent” created earlier
Add and enroll client hosts into IdM
Client hosts can be added to FreeIPA from the command line or the console, but enrollment can only be done from each client host, by installing “freeipa-client” and configuring the domain.
For the CentOS client (11.0.1.151 freeipa-client1.zackz.oonline) enrollment:
For the Ubuntu client host (11.0.1.72 freeipa-client2.zackz.oonline) enrollment:
First, back on the FreeIPA server, add a DNS record for the Ubuntu host
Then log in to the Ubuntu host to install freeipa-client and enroll:
Now, back in the console, the two client hosts have been added and enrolled into the FreeIPA server
Verify by using user “alice” and her password to SSH from the FreeIPA server to the Ubuntu client
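The enrollment and verification steps above, collected into one helper script. This is an added example, not a script from the original post: the domain, hostnames and addresses are the lab values from the post, while the script itself (its function names and its DRY_RUN switch) is a hypothetical wrapper around the real ipa-client-install, ipa dnsrecord-add, kinit, id and ssh commands. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and checked without an IdM server; DRY_RUN=0 on a real client host executes them. The pre-flight check it adds is the one that most often bites in practice: the client hostname must be a fully qualified name inside the IdM domain, otherwise the host principal is wrong and later SSH logins fail.

```shell
#!/bin/sh
# Added example: hypothetical helper that wraps the FreeIPA client enrollment
# and verification steps from the post. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 executes them on a real client host.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Lab values from the post.
IPA_DOMAIN="zackz.oonline"
IPA_SERVER="freeipa-server.zackz.oonline"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# The Kerberos realm is, by FreeIPA convention, the DNS domain in upper case.
derive_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# ipa-client-install needs the client's hostname to be an FQDN inside the IdM
# domain; a bare hostname yields a wrong host principal and failed SSH logins.
check_fqdn() {
    case "$1" in
        *."$2") return 0 ;;
        *)       return 1 ;;
    esac
}

# The client package is named differently on the two OSes used in the post.
client_package_cmd() {
    case "$1" in
        centos) printf 'yum install -y ipa-client' ;;
        ubuntu) printf 'apt-get install -y freeipa-client' ;;
        *)      return 1 ;;
    esac
}

# DNS A record added on the server before enrolling the Ubuntu host.
dns_add_cmd() {
    printf 'ipa dnsrecord-add %s %s --a-rec %s' "$1" "$2" "$3"
}

# Unattended enrollment; --mkhomedir creates home directories on first login.
# The admin password is prompted for (or passed with --password) at run time.
enroll_cmd() {
    _realm=$(derive_realm "$2")
    printf 'ipa-client-install --unattended --mkhomedir --hostname %s --domain %s --realm %s --server %s --principal admin' \
        "$1" "$2" "$_realm" "$3"
}

# Enroll one client: refuse non-FQDN hostnames, install the package, enroll.
# $_pkg and $(...) are deliberately unquoted so the command splits into words.
enroll_client() {
    _os="$1"; _host="$2"
    check_fqdn "$_host" "$IPA_DOMAIN" || {
        echo "refusing: $_host is not an FQDN under $IPA_DOMAIN" >&2
        return 1
    }
    _pkg=$(client_package_cmd "$_os") || { echo "unknown OS: $_os" >&2; return 1; }
    run $_pkg
    run $(enroll_cmd "$_host" "$IPA_DOMAIN" "$IPA_SERVER")
}

# Post-enrollment checks from the post: obtain a ticket as the user, resolve
# the account through SSSD, then SSH to the client with that identity.
verify_user_login() {
    run kinit "$1"
    run id "$1"
    run ssh "$1@$2" true
}

# Walk through the lab: CentOS client, then DNS record plus Ubuntu client.
enroll_client centos freeipa-client1.zackz.oonline
run $(dns_add_cmd "$IPA_DOMAIN" freeipa-client2 11.0.1.72)
enroll_client ubuntu freeipa-client2.zackz.oonline
verify_user_login alice freeipa-client2.zackz.oonline
```

Running it as-is prints the full command sequence for both lab hosts; the printed lines drop shell quoting, so treat them as a plan to review rather than something to paste blindly.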
Conclusion
We have now installed the Red Hat IdM server and are able to enroll client hosts. Looking at the user details, IdM uses Kerberos for authentication; together with user groups, policies, HBAC and sudo roles, this provides a flexible and robust authentication framework that supports multiple authentication mechanisms, enabling organizations to authenticate users securely across their Linux and Unix environments.
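The HBAC and sudo roles mentioned in the conclusion, as an added example that is not part of the original post: a hypothetical helper that prints (or, with DRY_RUN=0, runs on the IdM server) the ipa commands for a restrictive policy for the lab user alice on the Ubuntu client. The rule names (lab_ssh_clients, lab_sudo_systemctl) are constructed; the ipa subcommands and options are the real IdM CLI. The caveat the script encodes is that a fresh IdM server ships with the allow_all HBAC rule enabled, so a new rule restricts nothing until allow_all is disabled, and the plan ends with ipa hbactest so the outcome can be simulated before anyone is locked out.

```shell
#!/bin/sh
# Added example: hypothetical helper that prints (or, with DRY_RUN=0, runs) the
# ipa commands for an HBAC rule and a sudo rule for the lab user from the post.
set -u
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# HBAC: let USER reach HOST over the sshd service only. Order matters: add the
# restrictive rule first, then disable the default allow_all rule, otherwise
# there is a window in which nobody can log in anywhere.
hbac_restrict_ssh() {
    _rule="$1"; _user="$2"; _host="$3"
    run ipa hbacrule-add "$_rule" --desc="ssh for $_user on $_host"
    run ipa hbacrule-add-user "$_rule" --users="$_user"
    run ipa hbacrule-add-host "$_rule" --hosts="$_host"
    run ipa hbacrule-add-service "$_rule" --hbacsvcs=sshd
    run ipa hbacrule-disable allow_all
}

# Simulate the rule set on the server before relying on it; the expected
# output for the allowed user, host and service is "Access granted: True".
hbac_check() {
    run ipa hbactest --user="$1" --host="$2" --service="$3"
}

# Sudo: allow USER to run exactly one command on HOST. The command has to be
# registered as a sudocmd object before a sudo rule can reference it.
sudo_allow_command() {
    _rule="$1"; _user="$2"; _host="$3"; _cmd="$4"
    run ipa sudocmd-add "$_cmd"
    run ipa sudorule-add "$_rule"
    run ipa sudorule-add-user "$_rule" --users="$_user"
    run ipa sudorule-add-host "$_rule" --hosts="$_host"
    run ipa sudorule-add-allow-command "$_rule" --sudocmds="$_cmd"
}

# Plan for the lab: alice may SSH to the Ubuntu client and run systemctl via sudo.
hbac_restrict_ssh lab_ssh_clients alice freeipa-client2.zackz.oonline
hbac_check alice freeipa-client2.zackz.oonline sshd
sudo_allow_command lab_sudo_systemctl alice freeipa-client2.zackz.oonline /usr/bin/systemctl
```

Because the sudo rule names a single registered command rather than the ALL command group, a compromise of alice's account yields only that command with elevated rights; widen it deliberately, per rule, rather than starting from ALL.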