Post on 08-Jul-2018
8/19/2019 Pal Crittenden f 1100 Ipa Overview Rev3
1/27
Red Hat Enterprise Identity (IPA): Centralized Management of Identities & Authentication
Dmitri Pal, Sr. Engineering Manager, Red Hat Inc.
Robert Crittenden, Sr. Engineer, Red Hat Inc.
05/06/11
Agenda
● What is IPA?
● Main values
● Architecture
● Features
● Direction
● Roadmap
● Resources
What is IPA?
● IPA stands for Identity, Policy, Audit
● FreeIPA upstream project was started in 2007
● FreeIPA v1 was released in 2008
● Since then worked on the version that was released in late March 2011
● IPA is a domain controller for Linux/UNIX environment
● Like Active Directory but for Linux
● Central server that stores identity information, policies related to identities and performs authentication
High Level Architecture (diagram; labels: KDC, LDAP, CLI/Web UI, Unix/Linux, Admin, API, DNS)
Why IPA?
● Identity and authentication is a complex problem: many disjoint technologies exist
● We want to make it more simple to deploy and use
● With the growth of the Linux share of servers in the enterprises there should be a server that has needs of Linux clients in its heart
Why IPA? (continued)
● Cloud based deployments require even more security:
  ● Flexible identity and policy management
  ● Authentication and single sign on
  ● Certificate and key provisioning and rotation
Features
● Centralized authentication via Kerberos or LDAP
● Identity management:
  ● users, groups, hosts, host groups, netgroups, services
  ● Integrated identities
● Manageability:
  ● Pluggable and extensible framework for UI/CLI
  ● Rich CLI and web
Features (Continued)
● Certificate provisioning for hosts and services
● Serving sets of automount maps to different clients
● Advanced features:
  ● Host
Features (Continued)
● Optional integrated DNS server managed by IPA
● Replication:
  ● Supports multi
  ● User replication with MS Active Directory
● Compatibility with broad set of clients
Under the Hood (architecture diagram)
IPA Core: Directory Server, Kerberos KDC, NTP, DNS, Management framework
Managed host (client): SSSD, Certmonger, ipa
Management station: CLI, Browser
Client Configurations
● SSSD
  ● With IPA back end
  ● LDAP or Proxy for identity
  ● Kerberos or LDAP for authentication
● nss_ldap for other maps
● nscd only for those maps
● Non
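As an added example (not from the presentation), the two SSSD client configurations the slide names, side by side in one /etc/sssd/sssd.conf: the native IPA back end, and the generic pairing of LDAP for identity with Kerberos for authentication. The domain example.test, the realm EXAMPLE.TEST, the host names ipa1/client1.example.test and the CA path /etc/ipa/ca.crt are assumed values.

```ini
# /etc/sssd/sssd.conf (added example; names below are assumed, not real hosts)
[sssd]
config_file_version = 2
services = nss, pam
# Only one of the two domain sections is normally enabled on a given client.
domains = example.test

# Option 1: SSSD with the IPA back end. A single provider covers identity,
# authentication, password changes and access control (HBAC rules from IPA).
[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# access_provider = ipa makes the client enforce the HBAC rules stored in IPA
access_provider = ipa
ipa_domain = example.test
ipa_server = ipa1.example.test
ipa_hostname = client1.example.test
# Pin the IPA CA so LDAP-over-TLS to the server cannot be intercepted.
ldap_tls_cacert = /etc/ipa/ca.crt
# Offline logins: SSSD keeps hashed credentials on local disk.
cache_credentials = True

# Option 2: generic LDAP for identity, Kerberos for authentication.
# Works against an IPA server too, but without enrollment, HBAC or
# certificate tracking; the client itself must get the TLS settings right.
[domain/ldap.example.test]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa1.example.test
# IPA keeps users and groups under cn=accounts in the base DN.
ldap_search_base = cn=accounts,dc=example,dc=test
# Upgrade to TLS before any bind or lookup; reject untrusted server certs.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_realm = EXAMPLE.TEST
krb5_server = ipa1.example.test
# Verify the obtained TGT against the host keytab (/etc/krb5.keytab) so a
# spoofed KDC cannot grant a login.
krb5_validate = True
cache_credentials = True
```

With either option, "nss_ldap for other maps" means nsswitch.conf keeps passwd and group on sss while maps such as automount stay on ldap, and nscd is left caching only those ldap-served maps.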
18/27
%nder the Hood
IPA Core
.irectory
er#er
/er0eros/.C
'2P
.'
Management(rame+or
Managed host(client)
.
Management tationCI
>ro+!er
Certmonger
i'a2I
Authentication
'ame looupsand ser#icedisco#ery
Cert tracing &pro#isioning
ther maps
Enrollment & un*enrollment
Management
%sers+ ,roups+%sers+ ,roups+'etgroups+ H-AC'etgroups+ H-AC
Direction
● Bug fixing and cleanup
● UI improvements
● SELinux contexts, SSH key management
● Cross Kerberos trusts
● Native two factor authentication
● More certificate system integration
● Policies as needed
● RADIUS
Roadmap
● FreeIPA 2.0
Resources
● Project wiki: www.freeipa.org
● Project trac: https://fedorahosted.org/freeipa/
● Code: http://git.fedorahosted.org/git/?p=freeipa.git
● SSSD: https://fedorahosted.org/sssd/
● Certmonger: https://fedorahosted.org/certmonger/
● Mailing lists:
  ● freeipa