Upgrade to Pro — share decks privately, control downloads, hide ads and more …

FreeIPA tutorial - linux.conf.au 2016

FreeIPA tutorial - linux.conf.au 2016


Fraser Tweedale

February 03, 2016

More Decks by Fraser Tweedale

Other Decks in Technology


  1. • Click to edit the outline text format – Second

    Outline Level • Third Outline Level – Fourth Outline Level • Fifth Outline Level • Sixth Outline Level • Seventh Outline Level • Eighth Outline Level • Ninth Outline Level Open Source identity management with FreeIPA Fraser Tweedale Software Engineer, Red Hat
  2. 2 Fraser Tweedale Workshop goals • Learn what is identity

    management? • Understand high-level architecture of FreeIPA • Gain experience and become comfortable with... • Deploying FreeIPA • Enrolling client machines • Managing users, services and access policies • Using IPA for authentication and authorisation on web
  3. 3 Fraser Tweedale Workshop outline • Brief introduction to FreeIPA

    and identity management • Set up Vagrant + VirtualBox environment • Hopefully you already did this! • Workshop curriculum • Installing FreeIPA server • Enrolling client machine • User management • Host-based Access Control (HBAC) • Web app authnz using FreeIPA • … and more!
  4. 4 Fraser Tweedale Identity Management

  5. 5 Fraser Tweedale Motivations • Security: avoid password fatigue; implement

    password policies, access policies, secure authentication • Productivity: avoid identity silos, avoid repetitive administrative actions, avoid downtime; simplify administration
  6. 6 Fraser Tweedale Concerns • Identities: users, services, hosts, groups

    • Authentication: passwords, 2FA, SSO • Authorisation: identity-related policies • Management: how to manage these concerns in a large organisation (thousands of users/machines)?
  7. 7 Fraser Tweedale Related technologies • LDAP (directory services) •

    Kerberos (authentication) • X.509 (digital certificates, public key infrastructure) • DNS • NFS (Network File System)
  8. 8 Fraser Tweedale

  9. 9 Fraser Tweedale Components • 389 Directory Server • MIT

    Kerberos KDC • Dogtag Certificate System • Apache httpd (Web UI, API) • BIND (DNS) • SSSD (client agent)
  10. 10 Fraser Tweedale Architecture – high level Web UI CLI

    JSON Admin FreeIPA LDAP PKI KDC HTTP DNS CLI/UI NTP identity authentication policies certificates SSSD SSSD Active Directory Kerberos Cross-Realm Trust
  11. 11 Fraser Tweedale Architecture – SSSD Network Boundary Identity Server

    Authentication Server Client Client Client SSSD NSS Responder PAM Responder Domain Provider Auth Provider Identity Provider Cache
  12. 12 Fraser Tweedale Kerberos basics • Client authenticates to authentication

    service (AS); receives Ticket Granting Ticket (TGT) • When client want to talk to service, requests service ticket from ticket granting service (TGS), presenting TGT • Client uses service ticket to authenticate to application • AS and TGS together comprise the Key Distribution Centre (KDC)
  13. 13 Fraser Tweedale Workshop

  14. 14 Fraser Tweedale FreeIPA resources • http://www.freeipa.org/page/Main_Page • http://www.freeipa.org/page/Demo •

    https://www.redhat.com/mailman/listinfo/freeipa-users • #freeipa (Freenode) • https://serverfault.com/questions/tagged/freeipa • http://www.freeipa.org/page/Troubleshooting
  15. 15 Fraser Tweedale Attribution and license • Architecture diagrams by

    Dmitri Pal, Martin Kosek • AD trust diagram © 2012 Red Hat, Inc. (GFDL) • Copyright 2015 Red Hat, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
  16. 16 Fraser Tweedale Please leave feedback: https://goo.gl/forms/UOkcsVROqV