FreeIPA tutorial - linux.conf.au 2016

Fraser Tweedale

February 03, 2016
Transcript

  1. Open Source identity management with FreeIPA
     Fraser Tweedale, Software Engineer, Red Hat
  2. Workshop goals
     • Learn what identity management is
     • Understand the high-level architecture of FreeIPA
     • Gain experience and become comfortable with:
       • Deploying FreeIPA
       • Enrolling client machines
       • Managing users, services and access policies
       • Using IPA for authentication and authorisation on the web
  3. Workshop outline
     • Brief introduction to FreeIPA and identity management
     • Set up Vagrant + VirtualBox environment (hopefully you already did this!)
     • Workshop curriculum:
       • Installing FreeIPA server
       • Enrolling client machine
       • User management
       • Host-based Access Control (HBAC)
       • Web app authnz using FreeIPA
       • … and more!
  4. Motivations
     • Security: avoid password fatigue; implement password policies, access policies, secure authentication
     • Productivity: avoid identity silos, avoid repetitive administrative actions, avoid downtime; simplify administration
  5. Concerns
     • Identities: users, services, hosts, groups
     • Authentication: passwords, 2FA, SSO
     • Authorisation: identity-related policies
     • Management: how to manage these concerns in a large organisation (thousands of users/machines)?
  6. Related technologies
     • LDAP (directory services)
     • Kerberos (authentication)
     • X.509 (digital certificates, public key infrastructure)
     • DNS
     • NFS (Network File System)
  7. Components
     • 389 Directory Server
     • MIT Kerberos KDC
     • Dogtag Certificate System
     • Apache httpd (Web UI, API)
     • BIND (DNS)
     • SSSD (client agent)
  8. Architecture – high level
     (diagram; labels: Web UI, CLI, JSON, Admin, FreeIPA, LDAP, PKI, KDC, HTTP, DNS, CLI/UI, NTP; identity, authentication, policies, certificates; SSSD clients; Active Directory via Kerberos Cross-Realm Trust)
  9. Architecture – SSSD
     (diagram; labels: Network Boundary, Identity Server, Authentication Server, Clients; SSSD: NSS Responder, PAM Responder, Domain Provider, Auth Provider, Identity Provider, Cache)
  10. Kerberos basics
     • Client authenticates to the authentication service (AS); receives a Ticket Granting Ticket (TGT)
     • When the client wants to talk to a service, it requests a service ticket from the ticket granting service (TGS), presenting the TGT
     • Client uses the service ticket to authenticate to the application
     • AS and TGS together comprise the Key Distribution Centre (KDC)
  11. FreeIPA resources
     • http://www.freeipa.org/page/Main_Page
     • http://www.freeipa.org/page/Demo
     • https://www.redhat.com/mailman/listinfo/freeipa-users
     • #freeipa (Freenode)
     • https://serverfault.com/questions/tagged/freeipa
     • http://www.freeipa.org/page/Troubleshooting
  12. Attribution and license
     • Architecture diagrams by Dmitri Pal, Martin Kosek
     • AD trust diagram © 2012 Red Hat, Inc. (GFDL)
     • Copyright 2015 Red Hat, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
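As an added example (not part of the deck), the three exchanges on the "Kerberos basics" slide simulated end to end in Python: AS-REQ/AS-REP yields the TGT, TGS-REQ/TGS-REP yields a service ticket, and the client finally presents that ticket to the service. The realm EXAMPLE.TEST, the principal alice, the service HTTP/web.example.test and the toy HMAC-based cipher are all constructed for illustration; real Kerberos uses standardised encryption types and ASN.1 messages.

```python
import hashlib, hmac, json, os, time

def _xor(key, nonce, data):
    # Toy keystream (HMAC(key, nonce||counter) blocks) XORed over data; illustration only.
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def _enc(key, obj):  # toy encrypt-then-MAC standing in for a Kerberos enctype
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def _dec(key, blob):  # raises if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))
class KDC:  # AS and TGS together: the only party holding every principal's long-term key
    def __init__(self, keys): self.keys = keys  # principal -> key, incl. "krbtgt" which seals TGTs
    def as_exchange(self, client):  # AS-REQ -> AS-REP
        sk = os.urandom(32)
        tgt = _enc(self.keys["krbtgt"], {"client": client, "sk": sk.hex(), "exp": time.time() + 600})
        return tgt, _enc(self.keys[client], {"sk": sk.hex()})  # only the real client can read sk
    def tgs_exchange(self, tgt, authenticator, service):  # TGS-REQ -> TGS-REP
        t = _dec(self.keys["krbtgt"], tgt)  # TGT is opaque to the client, readable by the KDC
        auth = _dec(bytes.fromhex(t["sk"]), authenticator)  # proves possession of the TGT session key
        if t["exp"] < time.time() or auth["client"] != t["client"]:
            raise PermissionError("expired TGT or authenticator mismatch")
        ssk = os.urandom(32)
        ticket = _enc(self.keys[service], {"client": t["client"], "sk": ssk.hex()})
        return ticket, _enc(bytes.fromhex(t["sk"]), {"sk": ssk.hex()})
def client_get_service_ticket(kdc, client, client_key, service):
    tgt, rep = kdc.as_exchange(client)
    sk = bytes.fromhex(_dec(client_key, rep)["sk"])  # wrong password -> wrong key -> ValueError
    ticket, rep2 = kdc.tgs_exchange(tgt, _enc(sk, {"client": client, "ts": time.time()}), service)
    ssk = bytes.fromhex(_dec(sk, rep2)["sk"])
    return ticket, _enc(ssk, {"client": client, "ts": time.time()})  # ticket + authenticator (AP-REQ)
def service_accept(service_key, ticket, authenticator):
    t = _dec(service_key, ticket)  # the service needs only its own key; no KDC round trip
    a = _dec(bytes.fromhex(t["sk"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
        raise PermissionError("authenticator rejected")
    return t["client"]
def demo(password):  # constructed realm EXAMPLE.TEST; returns the authenticated principal or None
    keys = {"krbtgt": os.urandom(32), "HTTP/web.example.test": os.urandom(32),
            "alice@EXAMPLE.TEST": hashlib.sha256(b"correct horse").digest()}
    try:
        ap_req = client_get_service_ticket(KDC(keys), "alice@EXAMPLE.TEST",
                                           hashlib.sha256(password.encode()).digest(), "HTTP/web.example.test")
        return service_accept(keys["HTTP/web.example.test"], *ap_req)
    except (ValueError, PermissionError):
        return None
```

Note that the client never learns the krbtgt or service keys, and the service never contacts the KDC; both properties follow from which key each blob is sealed under.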