RedHat Identity Management (IdM) with AD Integration
About Linux Identity Management
When a company faces the challenge of managing its Linux environments across on-premises and public cloud, RedHat Identity Management can be the solution, providing:
With local AD and Azure AD (AAD) integration
With AWS SSO integration as an external identity provider
LDAP, Kerberos and NTP
A web-based management front-end running on Apache
A Typical AD User Authentication Flow End-to-End:
User Creation and Management:
Azure AD / Local AD: Users are created in the Azure Active Directory or local Active Directory.
Synchronization to RedHat IdM: The users are synchronized from AD to RedHat IdM using the two-way trust established between AD and IdM.
Accessing EC2 Instances via SSH:
User Sync to RedHat IdM: Users synchronized to RedHat IdM are assigned roles and permissions, including SSH access to specific EC2 instances.
Host-Based Access Control (HBAC):
HBAC Rules: RedHat IdM enforces HBAC rules to control which users can access specific EC2 instances.
SSH Access Control: When a user attempts to SSH into an EC2 instance, RedHat IdM verifies the user’s identity and permissions, allowing or denying access based on the defined HBAC rules.
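As an added illustration (not code from this post), here is a small Python model of how IdM evaluates HBAC rules, in the spirit of `ipa hbactest`: access is granted when any enabled rule matches the user, the host and the service, which is why the default allow_all rule has to be disabled before host-specific rules like the ones this lab needs take effect. The two client hostnames and the group names are assumptions; server1, tina and joez@ad.zack.world are from the post.

```python
from dataclasses import dataclass, field

# Constructed lab data. tina and joez@ad.zack.world are from the post;
# the client hostnames and group names are assumptions for this example.
GROUP_MEMBERS = {
    "ad_users_external": {"joez@ad.zack.world"},  # AD users enter IdM via an external group
    "ad_users": {"ad_users_external"},            # POSIX group that nests the external group
    "ipausers": {"tina"},
}
HOSTGROUPS = {
    "ubuntu_clients": {"ubuntu-client.ipa.zack.world"},
    "centos_clients": {"centos-client.ipa.zack.world"},
}

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat_all: bool = False      # "User category: all" (matches without explicit members)
    hostcat_all: bool = False
    servicecat_all: bool = False
    groups: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)

def in_group(user, group):
    """Membership check that follows nested groups (external -> POSIX)."""
    members = GROUP_MEMBERS.get(group, set())
    return user in members or any(in_group(user, m) for m in members if m in GROUP_MEMBERS)

def rule_matches(rule, user, host, service):
    if not rule.enabled:
        return False
    user_ok = rule.usercat_all or any(in_group(user, g) for g in rule.groups)
    host_ok = rule.hostcat_all or any(host in HOSTGROUPS.get(hg, set()) for hg in rule.hostgroups)
    svc_ok = rule.servicecat_all or service in rule.services
    return user_ok and host_ok and svc_ok

def hbac_allows(rules, user, host, service):
    """Names of the enabled rules that grant access; access is allowed if the list is non-empty."""
    return [r.name for r in rules if rule_matches(r, user, host, service)]

def lab_rules(allow_all_enabled):
    """The default allow_all rule plus the two scoped SSH rules this lab validates."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled, usercat_all=True, hostcat_all=True, servicecat_all=True),
        HbacRule("ad_ssh_ubuntu", groups={"ad_users"}, hostgroups={"ubuntu_clients"}, services={"sshd"}),
        HbacRule("idm_ssh_centos", groups={"ipausers"}, hostgroups={"centos_clients"}, services={"sshd"}),
    ]
```

With allow_all still enabled every request matches it, so the AD user reaches the CentOS client too; once it is disabled, only the scoped rules decide.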
The design:
For IdM on AWS, configure the security groups to allow the ports IdM requires. The following need to be open:
HTTP/HTTPS — 80, 443 — TCP
LDAP/LDAPS — 389, 636 — TCP
Kerberos — 88, 464 — Both TCP and UDP
DNS — 53 — Both TCP and UDP
NTP — 123 — UDP
Here I am going to:
install and configure a local FreeIPA server
enrol two Linux client machines (one CentOS, one Ubuntu)
set up a local AD
build a two-way trust between IdM and AD
validate that both IdM and AD users can SSH into the IdM client machines.
Prerequisites:
Windows AD domain ad.zack.world and IdM domain ipa.zack.world
Windows AD: 11.0.1.181 dc01.ad.zack.world (win server 2019)
Windows client1: 11.0.1.182 win-client.ad.zack.world (win server 2019)
On the FreeIPA server server1.ipa.zack.world, 11.0.1.180 (CentOS 9):
IdM client enrollment
Now the IdM web portal should be accessible after adding "11.0.1.180 server1.ipa.zack.world" to the local C:\Windows\System32\drivers\etc\hosts file.
Then enrol both the CentOS and Ubuntu IdM client machines.
On the FreeIPA server, add DNS entries for the FreeIPA client machines.
Set up the IdM and AD trust
On Windows DC, setup AD
install the AD DC role and features
create the forest "ad.zack.world"
promote to primary DC
test AD by joining the Windows client machine to the domain
create the AD user joez@ad.zack.world
add the IdM domain to the Windows AD DNS zones
Install the required packages, then set up the trust on the FreeIPA server.
Validation of both IdM clients with IdM and AD users
Validate SSH into the Ubuntu client with the AD user "joez@ad.zack.world"
Validate SSH into the CentOS client with the IdM user "tina"
Conclusion
We have now installed the RedHat IdM server, enrolled client hosts, set up the AD trust, and authenticated over SSH with both IdM and AD users. IdM, using Kerberos for authentication together with user groups, policies, HBAC and sudo rules, provides a flexible and robust authentication framework that supports multiple authentication mechanisms, enabling organizations to authenticate users securely across their Linux and Unix environments.