CentOS 7 overview. Part 2: identity management

    A previous CentOS 7 review article covered Linux container support in CentOS 7. This article focuses on identity management and Active Directory integration. At the end of the post there is a link for testing CentOS 7 for free in the InfoboxCloud cloud.

    Every day we read news about leaks of user data. The ability to grant access to important information only to the right people with the right accounts is critical for information security in your infrastructure. Critical, but not always easy to implement.

    Until recently, Linux’s centralized identity management capabilities were limited: there was no turnkey domain controller. Some Linux distributions integrated open-source Kerberos and DNS tools to build a centralized Linux-based identity management mechanism, but this approach could take a long time to configure and maintain. Others integrated Linux clients directly into Microsoft Active Directory, but that limited the ability to use some standard Linux tools, such as sudo and automount.

    Identity Management (IdM)


    Since release 6.4, CentOS has included Identity Management (IdM), a set of features that provide a centralized and easy way to manage user, machine and service identities in large Linux/Unix enterprise installations. IdM also provides a way to define access security policies that govern these identities. The identity management framework was developed as part of the FreeIPA open source project, which combines standard general-purpose network services into a single management system: PAM, LDAP, Kerberos, DNS, NTP and certificate services. This allows CentOS systems to act as domain controllers in a Linux environment. Because identity management is built into CentOS, adding policy and identity management to your workflow is straightforward.

    IdM and Active Directory Integration in CentOS 7


    For many organizations, Active Directory (AD) is the center of enterprise identity management. Every system that AD users access must be able to work with AD for authentication and identity verification.

    Identity management in CentOS 7 provides two ways to integrate Linux systems into the Active Directory environment:
    • Direct integration. Linux systems can be connected directly to Active Directory using the System Security Services Daemon (SSSD). SSSD acts as a gateway for authentication and identity lookups against a central identity store. It is easy to configure with the new realmd component: realmd discovers the available domains from DNS records and configures SSSD to talk to the correct authentication source. Using realmd, you can join any Linux system to IdM or AD, as shown below. Once the system has joined the domain, domain users can log in to it: they get authentication and POSIX attribute management, and Linux learns their group membership. In this setup SSSD replaces the previously used winbind component.




    • Indirect integration. Direct integration is limited to authentication and user identity data; the system does not receive the policies and data that control access in corporate environments. Through an IdM server, Linux systems can receive policies such as sudo rules, host-based access control rules, automount maps, netgroups, SELinux user mappings and other settings from a central authentication server. The IdM server provides centralized management of Linux systems by giving them identities, permissions and the centrally managed Linux policies listed above. In most corporate environments Active Directory users also need access to Linux resources; this is achieved by establishing a trust between the IdM and AD servers.
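    The two integration paths described in the bullets above, wrapped in shell functions as an added example; this is not code from the original article or from the FreeIPA/realmd projects. The realm, ipa, id and getent commands are the real CentOS 7 tools, but the domain example.com, the NetBIOS name AD, the ad_admins groups, the webservers host group, the sudo/HBAC rule names and the host web1.example.com are constructed placeholders. The render function produces a reference SSSD domain section equivalent to what realmd writes for an AD join, so it can be diffed against a live /etc/sssd/sssd.conf during a configuration review.

```shell
#!/bin/sh
# Added example, not code from the original article. Domain, group, host
# group, rule and host names are constructed placeholders; realm, ipa, id
# and getent are the real CentOS 7 tools invoked here.
set -eu

# --- Direct integration: realmd + SSSD --------------------------------------
# realmd reads the domain's SRV records from DNS, writes /etc/sssd/sssd.conf
# and enables SSSD in PAM/NSS. The same command joins AD or IdM domains.
direct_join() {
    domain="$1"; join_user="${2:-Administrator}"
    realm discover "$domain"                  # prints type: active-directory or ipa
    realm join --user="$join_user" "$domain"  # prompts for the join account's password
    realm list                                # expect "configured: kerberos-member"
}

# Post-join check: a domain account must resolve through SSSD, otherwise PAM
# logins silently fall back to local accounts only.
check_join() {
    domain="$1"; probe_user="$2"
    id "$probe_user@$domain" >/dev/null
    getent passwd "$probe_user@$domain"
}

# Reference [domain/...] section for an AD join. access_provider = ad is the
# line that enforces AD logon restrictions; without it the join is
# identity-only and any enabled AD account can log in.
render_sssd_ad_section() {
    domain="$1"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[domain/$domain]
id_provider = ad
access_provider = ad
ad_domain = $domain
krb5_realm = $realm
cache_credentials = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
EOF
}

# --- Indirect integration: IdM trust + central policies ----------------------
# Run on the IdM server after "kinit admin". AD users enter IdM through an
# external group nested into a POSIX group that sudo and HBAC rules reference.
idm_trust_and_policies() {
    ad_domain="$1"; ad_admin="${2:-Administrator}"
    ipa-adtrust-install --add-sids          # prepares IdM for trusts (interactive)
    ipa trust-add --type=ad "$ad_domain" --admin "$ad_admin" --password

    ipa group-add --external ad_admins_external
    ipa group-add-member ad_admins_external --external 'AD\Domain Admins'  # NetBIOS name AD assumed
    ipa group-add ad_admins
    ipa group-add-member ad_admins --groups ad_admins_external

    # sudo policy: only systemctl, only on the webservers host group
    ipa sudocmd-add /usr/bin/systemctl
    ipa sudorule-add ad_admins_systemctl
    ipa sudorule-add-user ad_admins_systemctl --groups ad_admins
    ipa sudorule-add-host ad_admins_systemctl --hostgroups webservers
    ipa sudorule-add-allow-command ad_admins_systemctl --sudocmds /usr/bin/systemctl

    # HBAC: replace the default allow_all rule with an explicit sshd rule
    ipa hbacrule-add ad_admins_ssh
    ipa hbacrule-add-user ad_admins_ssh --groups ad_admins
    ipa hbacrule-add-host ad_admins_ssh --hostgroups webservers
    ipa hbacrule-add-service ad_admins_ssh --hbacsvcs sshd
    ipa hbacrule-disable allow_all
    ipa hbactest --user "$ad_admin@$ad_domain" --host web1.example.com --service sshd
}

case "${1:-}" in
    join)   direct_join "$2" "${3:-Administrator}" ;;
    check)  check_join "$2" "$3" ;;
    render) render_sssd_ad_section "$2" ;;
    trust)  idm_trust_and_policies "$2" "${3:-Administrator}" ;;
    *)      printf 'usage: %s join|check|render|trust <domain> [user]\n' "$0" ;;
esac
```

    Usage: `sh idm-example.sh join example.com` on a client, then `sh idm-example.sh check example.com someuser`; `sh idm-example.sh render example.com | diff - /etc/sssd/sssd.conf` highlights deviations from the reference section; `sh idm-example.sh trust ad.example.com` is run once on the IdM server. Disabling allow_all is what turns HBAC from a no-op into an actual access policy, so run ipa hbactest for an admin account before doing it on a host you need to keep reaching.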




    Identity management in CentOS 7 adds new features to SSSD (the client) and the IdM server that make identity management easier and more capable, including support for domain trusts, user interface improvements and prototype backup and recovery functionality.

    Sources used in preparing the article:
    • Linux Domain Identity, Authentication, and Policy Guide on the Red Hat Network (applicable to CentOS 7)
    • Official Red Hat blog
    • Red Hat knowledge base
    • Official CentOS blog

    Especially for our readers, we have provided the opportunity to try CentOS 7 in the InfoboxCloud cloud in one of our data centers in Moscow and Amsterdam. Register for a 15-day trial at this link. If you need more resources for testing than the trial provides, write to trukhinyuri@infoboxcloud.com. CentOS 7 is also available on VPS from Infobox in data centers in St. Petersburg, Krasnoyarsk and Amsterdam.

    Enjoy using CentOS 7! To be continued.
