RHEL 6.4
Andrey Markelov, RHCA, Red Hat, Presales Solution Architect
AD POSIX?
- AD
AD
AD
DNS AD
Diagram: AD (KDC, LDAP, DNS) supplies identities, name resolution and policies via GPO; the Linux system runs a 3rd-party client and 3rd-party plugin for authentication and for policies (sudo, HBAC, automount, SELinux).
Authentication can use LDAP or Kerberos
ID mapping is implementation specific or uses SFU/IMU extensions in AD
Client may also use native AD protocols
UNIX/Linux
AD
Diagram: AD (KDC, LDAP, DNS) supplies identities and name resolution; the Linux system authenticates with LDAP/KRB and handles policies (sudo, HBAC, automount, SELinux) itself.
Authentication can use LDAP or Kerberos
ID mapping uses SFU/IMU extensions in AD
Policies are delivered via configuration files managed locally or via a config server like Puppet
AD can be extended to serve basic sudo and automount
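With the LDAP/KRB approach the POSIX identity comes straight from the SFU/IMU attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that AD stores only if the schema extension is present and populated. The script below is an added example, not part of these slides: it reads those attributes over GSSAPI and turns the LDIF into passwd(5) lines, dropping any account without uidNumber. The domain example.com, the base DN dc=example,dc=com and the LDIF sample are my assumptions and constructed data, not anything from the deck.

```shell
#!/bin/sh
# Added example, not from the original slides: with the LDAP/KRB approach the
# POSIX identity comes straight from the SFU/IMU attributes stored in AD.
# Assumptions (mine): AD domain example.com, base DN dc=example,dc=com, a
# Kerberos ticket already obtained (kinit or a host keytab). The LDIF at the
# bottom is constructed sample data, not output captured from a real DC.
set -eu

# RFC 4515 escaping for values spliced into an LDAP filter. Without this a
# name such as "*" or "x)(objectClass=*" rewrites the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Fetch one user's IMU attributes over GSSAPI (no bind password on the wire).
ad_imu_search() {
    u=$(ldap_escape "$1")
    ldapsearch -LLL -Y GSSAPI -H ldap://example.com -b dc=example,dc=com \
        "(&(objectClass=user)(sAMAccountName=$u))" \
        sAMAccountName uidNumber gidNumber gecos unixHomeDirectory loginShell
}

# Turn LDIF entries into passwd(5) lines. Entries without uidNumber are
# dropped: that is what "requires SFU/IMU" means for this approach, an AD
# account with no POSIX attributes does not exist for the Linux box.
ldif_to_passwd() {
    awk '
      function emit() {
        if (name != "" && uid != "")
          printf "%s:x:%s:%s:%s:%s:%s\n", name, uid, gid, gecos, home, shell
        name = uid = gid = gecos = home = shell = ""
      }
      /^$/                    { emit(); next }
      /^sAMAccountName: /     { name  = substr($0, 17) }
      /^uidNumber: /          { uid   = substr($0, 12) }
      /^gidNumber: /          { gid   = substr($0, 12) }
      /^gecos: /              { gecos = substr($0, 8) }
      /^unixHomeDirectory: /  { home  = substr($0, 20) }
      /^loginShell: /         { shell = substr($0, 13) }
      END                     { emit() }
    '
}

# Constructed sample: alice has IMU attributes, bob does not.
SAMPLE_LDIF='dn: CN=Alice Smith,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000
gecos: Alice Smith
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=Bob Jones,CN=Users,DC=example,DC=com
sAMAccountName: bob
'

sample_passwd() { printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd; }

# Real use against AD: ad_imu_search alice | ldif_to_passwd
sample_passwd
```

Real ldapsearch output base64-encodes non-ASCII values (`gecos:: ...`); such lines are not decoded here, which is a deliberate limitation of the example, not of AD.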
Cons: requires SFU/IMU
Diagram: AD (KDC, LDAP, DNS) supplies identities and name resolution; the Linux system authenticates through Winbind and handles policies (sudo, HBAC, automount, SELinux) itself.
Authentication can use LDAP or Kerberos
Maps AD SIDs to POSIX attributes
Joins the system into the AD domain
Uses native AD protocols
Policies are delivered via configuration files managed locally or via a config server like Puppet
AD can be extended to serve basic sudo and automount
Pros: does not require SFU/IMU
SSSD (RHEL 6.4)
Diagram: AD (KDC, LDAP, DNS) supplies identities and name resolution; the Linux system authenticates through SSSD and handles policies (sudo, HBAC, automount, SELinux) itself.
Authentication can use LDAP or Kerberos
Can map AD SIDs to POSIX attributes
Can join the system into the AD domain
Policies are delivered via configuration files managed locally or via a config server like Puppet
AD can be extended to serve basic sudo and automount
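The steps above on RHEL 6.4 (SSSD 1.9) as a script. This is an added example and not code from the slides or from the SSSD project: the Samba join utility is used because realmd is not available there, and SSSD's AD provider maps SIDs to UIDs itself, so no SFU/IMU attributes are needed. The domain example.com, the join account and the explicit ldap_idmap_* values (written out with what I understand to be the SSSD 1.9 defaults) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: join a RHEL 6.4 host to AD with
# the Samba join utility and let SSSD 1.9's AD provider do the SID->UID mapping.
# Assumptions (mine, not the slides'): domain example.com, join account
# "Administrator". Run as root: AD_DOMAIN=example.com sh join-ad.sh
set -eu

to_upper()     { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
realm_of()     { to_upper "$1"; }            # example.com -> EXAMPLE.COM
workgroup_of() { to_upper "${1%%.*}"; }      # example.com -> EXAMPLE

# krb5.conf: KDCs are discovered through DNS SRV records, no [realms] block.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
default_realm = $(realm_of "$1")
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
EOF
}

# Minimal smb.conf: only what "net ads join" needs; no smbd/nmbd/winbindd runs.
render_smb_conf() {
    cat <<EOF
[global]
workgroup = $(workgroup_of "$1")
realm = $(realm_of "$1")
security = ads
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
log file = /var/log/samba/%m.log
EOF
}

# SSSD with the AD provider. The ldap_idmap_* values are written explicitly:
# every host that shares files (NFS, backups) must use the same values, or the
# same AD SID gets a different UID on each box.
render_sssd_conf() {
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $1

[domain/$1]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%u
EOF
}

join_ad() {
    domain="$1"; admin="${2:-Administrator}"
    yum -y install sssd samba-common krb5-workstation
    render_krb5_conf "$domain" > /etc/krb5.conf
    render_smb_conf "$domain" > /etc/samba/smb.conf
    # The join is done with a ticket, so no password ends up on the command line.
    kinit "$admin@$(realm_of "$domain")"
    net ads join -k
    net ads keytab create -k          # host/ keys into /etc/krb5.keytab for SSSD
    render_sssd_conf "$domain" > /etc/sssd/sssd.conf
    chmod 600 /etc/sssd/sssd.conf     # sssd refuses to start if others can read it
    authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
    chkconfig sssd on && service sssd restart
    # Check: the AD user resolves with a UID from the idmap range, not from IMU.
    getent passwd "administrator@$domain"
}

if [ -n "${AD_DOMAIN:-}" ]; then join_ad "$AD_DOMAIN"; fi
```

Because the UID is computed from the SID and the idmap range rather than stored in AD, changing ldap_idmap_range_* after the fact changes every user's UID on that host; fix the values before the first login and keep them identical across the fleet.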
Pros: does not require SFU/IMU (RHEL 6.4); the same client is used for IPA (RHEL 6.4); no Winbind
Cons: multiple AD domains only from SSSD 1.10
Feature                             | LDAP/KRB | Winbind           | SSSD
------------------------------------|----------|-------------------|-------------------------------------------------------------
Authenticate using Kerberos or LDAP | Yes      | Yes               | Yes
Identities are looked up in AD      | Yes      | Yes               | Yes
Requires SFU/IMU                    | Yes      | No                | Yes until SSSD 1.9
ID mapping                          | None     | Multiple ways     | One way starting SSSD 1.9 (RHEL 6.4)
System is joined into AD            | Manual   | Has join utility  | Samba join utility needs to be used (realmd project makes it easy)
Supports multiple AD domains        | No       | Yes               | Will in SSSD 1.10
Supports heterogeneous domains      | No       | No                | Yes
Support advanced AD features        | No       | Yes               | Some
Reliability                         | High     | Medium            | High
Community                           | N/A      | Hard to deal with | Friendly
AD
CAL
Linux/UNIX
IdM
Diagram: IdM core (Directory Server, Kerberos KDC, NTP, DNS, CA, management framework, Web UI); a managed host (client) running SSSD, Certmonger and ipa-client, which configures SSSD or nss_ldap for authentication, name lookups and service discovery, other maps, cert tracking and provisioning, and enrollment and un-enrollment; a management station (CLI or browser) manages users, groups, netgroups and HBAC.
IdM (synchronization with AD)
Diagram: AD (KDC, LDAP, DNS) and IdM (KDC, LDAP, DNS); the Linux system's SSSD gets authentication, identities, name resolution and policies (sudo, HBAC, automount, SELinux) from IdM.
Policies are centrally managed over LDAP
A DNS zone is delegated by AD to IdM to manage the Linux environment
Name resolution and service discovery queries are resolved against IdM
Users are synchronized from AD to IdM
Pros: Linux systems are managed centrally in IdM
Cons: AD; DNS; IdM (split brain)
Requires changes to config files after installation and initial client enrollment
Split brain
Trust with AD: IdM (RHEL 6.4)
Diagram: AD (KDC, LDAP, DNS) and IdM (KDC, LDAP, DNS) with a trust between them; the Linux system's SSSD gets authentication, identities, name resolution and policies (sudo, HBAC, automount, SELinux).
Policies are centrally managed over LDAP
Domains trust each other. Users stay where they are, no synchronization needed
A DNS zone is delegated by AD to IdM to manage Linux systems, or IdM has an independent namespace
Client software connects to the right server depending on the information it needs
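The two IdM variants on the preceding slides, synchronization (winsync, the split-brain setup) and the RHEL 6.4 cross-realm trust, as one added script for an IdM 3.0 server. This is example code of mine, not from the slides or from the FreeIPA project, and it assumes an IdM domain ipa.example.com, an AD domain ad.example.com with DC dc1.ad.example.com at 10.0.0.10, and an admin ticket on the IdM server; the option names are the ones I know from the RHEL 6 IdM tooling and should be checked against the installed version.

```shell
#!/bin/sh
# Added example, not from the original slides: the two IdM<->AD variants on a
# RHEL 6.4 IdM 3.0 server. Assumptions (mine): IdM domain ipa.example.com, AD
# domain ad.example.com, DC dc1.ad.example.com at 10.0.0.10, kinit admin done.
set -eu

to_upper()   { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
realm_of()   { to_upper "$1"; }                      # ad.example.com -> AD.EXAMPLE.COM
netbios_of() { to_upper "${1%%.*}" | cut -c1-15; }   # ipa.example.com -> IPA (15 chars max)
base_dn_of() { printf 'dc=%s' "$1" | sed 's/\./,dc=/g'; }   # -> dc=ad,dc=example,dc=com

# Variant 1: winsync. AD users are copied into IdM's directory; passwords only
# follow if the PassSync service is installed on every DC. Two copies of each
# identity is the "split brain" from the slide. Passwords passed on the command
# line are visible in ps; the tool prompts for them if the options are omitted.
idm_winsync_connect() {
    ad_host="$1"; ad_domain="$2"; ad_cacert="$3"
    ipa-replica-manage connect --winsync \
        --binddn "cn=Administrator,cn=Users,$(base_dn_of "$ad_domain")" \
        --bindpw "${AD_BINDPW:?set AD_BINDPW}" \
        --passsync "${PASSSYNC_PW:?set PASSSYNC_PW}" \
        --cacert "$ad_cacert" "$ad_host" -v
}

# Variant 2: cross-realm trust. Nothing is copied; IdM resolves AD users on
# demand and allocates one ID range per AD domain, so every client gets the
# same UID for a given SID without any per-host idmap settings.
idm_trust_setup() {
    ipa_domain="$1"; ad_domain="$2"; ad_dc="$3"; ad_ip="$4"
    yum -y install ipa-server-trust-ad
    ipa-adtrust-install --netbios-name="$(netbios_of "$ipa_domain")" \
        -a "${IPA_ADMIN_PW:?set IPA_ADMIN_PW}" -U
    # DNS, the "con" on the slide: both sides must resolve each other. IdM
    # forwards the AD zone to the DC; the mirror step, a conditional forwarder
    # for $ipa_domain pointing at IdM, is configured on the AD side.
    ipa dnszone-add "$ad_domain" --name-server="$ad_dc." \
        --forwarder="$ad_ip" --forward-policy=only --force
    ipa trust-add --type=ad "$ad_domain" --admin Administrator --password
    ipa trust-show "$ad_domain"
    ipa idrange-find          # shows the range allocated for the AD domain
    # From any enrolled client (SSSD 1.9 or later is required, the other "con"):
    #   getent passwd "user@$ad_domain"
    #   kinit "user@$(realm_of "$ad_domain")"
}

# Usage (one or the other, not both):
#   idm_winsync_connect dc1.ad.example.com ad.example.com /etc/openldap/cacerts/ad-ca.crt
#   idm_trust_setup ipa.example.com ad.example.com dc1.ad.example.com 10.0.0.10
```

With the trust, HBAC, sudo and automount rules still live in IdM and are applied to AD users through external groups mapped into IdM groups, which is what lets the Linux side keep central policy without a copy of the AD accounts.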
Pros: CAL; Linux systems; AD
Cons: DNS; SSSD
[email protected]
twitter.com/amarkelov