Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf ·...
Transcript of Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf ·...
![Page 1: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/1.jpg)
FreeIPAwww.freeipa.org
Identity Management in the FOSS World
Simo SorcePrincipal Software Engineer
Red Hat, Inc.
![Page 2: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/2.jpg)
What is FreeIPA ?
• Acronym: Free Identity, Policy, Audit
• Purpose: Make it simpler to manage a complex problem
• Means: Use standard protocols and components
• Target: System Administrators form 7 to 100 years old :-)
![Page 3: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/3.jpg)
Why should I care ?
Organizations and companies need to manage their users and resources.
So far IdM has been the realm of proprietary vendors● That means the keys of our organizations are in their
hands
We can't have a fully free environment if the Identity space can't be managed through Free Software
Security + Freedom
![Page 4: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/4.jpg)
The Identity Management Problem
Needs:● Single source for Identities (duplication = confusion)● Single-Sign-On / Single-Password● Single data store for auditing/reporting (compliance)● Single point of Management (comprehensive view)
Implementation problems:● Synchronization and/or Integration● Distribution of data/credentials● Single points of failure● Integrated Management Interfaces
![Page 5: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/5.jpg)
FreeIPA Components
Directory(LDAP)
Why a Directory ?
![Page 6: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/6.jpg)
Why a Directory ?
We need a storage mechanism to:● store identity information● perform fine grained access control● organize Identities and allow group relationships● distribute Information across all clients● replicate Information on multiple servers
Yes, but why LDAP ?● Standard● Extensible● Flexible
![Page 7: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/7.jpg)
FreeIPA Components
Kerberos
Directory
Why Kerberos ?
![Page 8: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/8.jpg)
Why Kerberos ?
We need an authentication system that:● provides Single Sing On authentication● allows administrators and users alike to carry on their
identity while they access various services● is a tested standard and is a validated secure solution● is extensible/extended to use new authentication
technologies like Smart Cards and new encryption algorithms as need arises.
Is kerberos the only way within FreeIPA?● Predominant● Ldap binds as an alternative for some services
![Page 9: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/9.jpg)
FreeIPA components
Directory
Kerberos
DNS
Web Server(WebUI & admin tools)
Client
NTP
(CertificationAuthority)
Audit Server
Policies
![Page 10: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/10.jpg)
FreeIPA (v1) components
Fedora Directory Server MIT Kerberos Apache (+ mod_nss, mod_auth_krb, mod_proxy) Python, Turbogears Custom FDS plugins and CLI tools nss_ldap,pam_krb5 (clients) Self Signed CA NO policies NO Audit
![Page 11: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/11.jpg)
Directory structure
Accounts, configuration andKerberos data are kept inseparate containers. Thisallows simpler ACIs and makesit simpler to add more subtreeslater without having toreconfigure clients.
In v1.2 a subtree calledcn=compat was added to helplegacy clients (Solaris) that donot yet support rfc2307bis
![Page 12: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/12.jpg)
The Kerberos/directory integration
krb5kdc
DirectoryServer
ipa_kpasswd
ldappaswd Password plugin
kpasswd
kinit LDAP plugin
![Page 13: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/13.jpg)
Management Interfaces in v.1 Everything revolves around the Directory
apache
xmlrpc
mod_nss
DirectoryServer
ipagui
mod_proxymod_auth_krb
CLIBrowser
![Page 14: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/14.jpg)
Web Interface
![Page 15: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/15.jpg)
Command Line Interface More than 20 distinct command line tools Examples:● Ipa-adduser[group/service/delegation]● ipa-deluser[group/service/delegation]● ipa-finduser[group/service/delegation]● ipa-moduser[group/service/delegation]● ipa-passwd● ipa-pwpolicy● ipa-defaultoptions● Ipa-change-master-key● ...
![Page 16: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/16.jpg)
Not enough low level for you ?
ldapadd ldapmodify ldapdelete ldappasswd … and the joy of manually writing ldif files and horribly
breaking your own installation :-)
Hey, wait a moment!Didn't we say we want to make it SIMPLE ?
![Page 17: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/17.jpg)
Making it simpler ...
Example: initial configuration made very simple● Install packages● Run ipa-server-install● Answer a few questions:
● DNS Domain and Realm name (defaults suggested)● Directory Manager password (required)● Admin User Password (required)● Done!
The installation program configures all necessary components: NTP, Directory Server, Kerberos, apache, ipa-kpasswd, ipa-gui, client side bits
![Page 18: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/18.jpg)
Basic IPA v1 network diagram
IPA Core
DirectoryServer
KerberosKDC
NTP
XMLRPC&
WEBUI
(DNS)
Client
pam_krb5
nss_ldap
Authentication
ManagementStation
Users&Groups
ClientBrowser
CLIAuthentication
![Page 19: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/19.jpg)
A little more complex: multiple servers.
Directory server supports Multi Master Replication● All information including Kerberos keys is replicated se
● no need for kpropd● Replication is performed at the attribute level● DS does automatic conflict resolution
Setting up replication is done with just 2 commands● ipa-replica-prepare on one master● Ipa-replica-install on the new server
Replicas are managed with one command● ipa-replica-manage
![Page 20: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/20.jpg)
IPA v1 network topology We fully tested up to 4 masters so far, but there is no
inherent limitation in the replication protocols
IPA
IPA IPA
IPA
![Page 21: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/21.jpg)
Version 2: new components
Client agent● SSSD: System Security Services Daemon + IPA plugin● Manages all connections, caches, support offline ops.
Policy infrastructure● Policy processor + Management interfaces
Host Based Access Control● Centrally managed, rules stored in LDAP
Roles● Centrally defined in LDAP
Audit Daemon● Audit API and client daemon + collecting server daemon
![Page 22: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/22.jpg)
Version2: new components (continued) New Web UI● Better User Interface● Extensible through a plugin system
DNS Integration● LDAP BIND Plugin + GSS-TSIG for Dynamic Updates
Registration Authority● This component will simplify using a Certification Authority
and installing certificates on client machines Legacy LDAP services● Automount maps● Translation plugin to present legacy netgroups to clients
![Page 23: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/23.jpg)
Simplified IPA v2 network diagram
IPA Core DirectoryServer
KerberosKDC
NTP
WEBUI
DNS
XMLRPCAUDIT
RA/CA Client
SSSD &IPA plugin
Authentication
ManagementStation
Users&Groups&Roles / HBAC
ClientBrowser
CLI
PoliciesAudit
Authentication
![Page 24: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/24.jpg)
Clients and Machine Identities
In version 1 creation of kerberos keytabs for hosts is a manual operation (except for the ipa server)
● ipa-addservice/ipa-getkeytab In version 2 we will finally have an agent that is run on
client machines.● The client installation process will automatically retrieve
credentials for the client (host/[email protected])● Agent can be trusted by the server + sign&seal of
connections to the server is possible using GSSAPI.● Increases security of logins and perform validation by
default● Allows clients to perform operations like requesting
certificates form the Registration Authority
![Page 25: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/25.jpg)
Policies Policies use XML and RelaxNG based templates● Interpreted and merged with local configuration files on the
client by the policy processor● Also used to build the UI used to manage them
Policies can be grouped in Policy Groups The association between policies and machines is stored
in the directory● Group of Machines associated to Group of Policies● Delegation to junior admins possible through ACLs ● Roles are also distributed together with policies
● (SELinux Users, PolicyKit roles, etc...)
![Page 26: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/26.jpg)
Auditing
Log collection on clients● Audit logs from the kernel● Syslog files collection / rsyslog● API to send audit events● Store and forward client based on AMQP
Log collection on the server● AMQP queues● Potential for routing audit events to different servers
depending on the queue● Storage of audit events to allow analysis through common
reporting tools
![Page 27: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/27.jpg)
Client diagram
SSSD
Application
nss_sss
pam_sssDB
monitor
sssd_pam
XYZ plugin
IPA plugin
Policyprocessor
data provider(dispatcher)
FileSystem
sssd_nss
info_pipeApplication(ex: GDM)
IPA server
XYZ server
auditd
![Page 28: Identity Management in the FOSS World - FreeIPA › images › 5 › 5a › FreeIPA-FOSDEM.pdf · Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red](https://reader033.fdocuments.net/reader033/viewer/2022053008/5f0c20797e708231d433df18/html5/thumbnails/28.jpg)
Thank You!
Questions?
http://freeipa.org