Что нового в управлении аутентификацией и...

RHEL 6.4

Andrey MarkelovRHCARed Hat, Presales Solution Architect

?

?

AD POSIX?

?

?

- AD

AD

AD

DNS AD

ADLinux System3rd party clientAuthentication3rd PartyPlugin

Policies via GPO KDCLDAPDNSIdentitiesName resolutionPoliciessudohbacautomountselinux

Authentication can use LDAP or Kerberos

ID mapping is implementation specific or uses SFU/IMU extensions in AD

Client may also use native AD protocols

UNIX/Linux

AD

ADLinux SystemLDAP/KRBAuthenticationKDCLDAPDNSIdentitiesName resolutionPoliciessudohbacautomountselinux


ID mapping uses SFU/IMU extensions in AD

Policies are delivered via configuration files managed locally or via a config server like Puppet

AD can be extended to serve basic sudo and automount

-

:

3

: SFU/IMU

ADLinux SystemWinbindAuthenticationKDCLDAPDNSIdentitiesName resolutionPoliciessudohbacautomountselinux


Map AD SID to POSIX attributesJoin system into AD domainUses native AD protocols



:

3

SFU/IMU

: AD

(RHEL 6.4)

ADLinux SystemSSSDAuthenticationKDCLDAPDNSIdentitiesName resolutionPoliciessudohbacautomountselinux


Can map AD SID to POSIX attributesCan join system into AD domain



: 3

SFU/IMU (RHEL 6.4)

IPA (RHEL 6.4)

Winbind

: AD (1.10)

AD (1.10)

FeatureLDAP/KRBWinbindSSSD

Authenticate using Kerberos or LDAPYesYesYes

Identities are looked up in ADYesYesYes

Requires SFU/IMUYesNoYes until SSSD 1.9

ID mappingNoneMultiple waysOne way starting SSSD 1.9 (RHEL 6.4)

System is joined into ADManualHas join utilitySamba join utility needs to be used (realmd project makes it easy)

Supports multiple AD domainsNoYesWill in SSSD 1.10

Supports heterogeneous domainsNoNoYes

Support advanced AD featuresNoYesSome

ReliabilityHighMediumHigh

CommunityN/AHard to deal withFriendly

AD

CAL

Linux/UNIX

IdM

IdM CoreDirectoryServerKerberosKDCNTPDNSManagementframeworkManaged host (client)SSSDManagement StationCLIBrowserCertmongeripa-client

CA

ConfiguresConfiguresnss_ldap

WEBUIAuthentication

Name lookupsand servicediscovery

Cert tracking &provisioning

Other maps

Enrollment & un-enrollment

Management

Users, Groups, Netgroups, HBAC

IdM ()


Policies are centrally managed over LDAP

IdMKDCLDAPDNS

A DNS zone is delegated by ADto IdM to manage Linux environment

Name resolution and service discovery queries are resolved against IdM

Users are synchronizedfrom AD to IdM

IdM

: 3

Linux-

:

AD

DNS

IdM (split brain)



IdMKDCLDAPDNS

A DNS zone isdelegated by ADto IdM to manageLinux environment

Name resolution and service discovery queries are resolved against IdM

Users are synchronizedfrom AD to IdM

Requires changes to config files after installation and initial clientenrollment

Split Brain

: AD

:

IdM (RHEL 6.4)



IdMKDCLDAPDNS

Domains trust eachother. Users stay where they are, no synchronizationneeded

A DNS zone is delegated

by AD to IdM to manage Linux systems or IdM has an independent namespace

Client software connects to the right server depending on the information it needs

: CAL

Linux-

AD

Cons: DNS

SSSD

!

[email protected]
twitter.com/amarkelov

Click to edit the title text format

Click to edit the outline text formatSubtextEven subber text

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level

Click to edit the title text format

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level

Что нового в управлении аутентификацией и...

Technology