Red Hat Identity Manager (IdM), is designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and even Windows. At its core, IdM combines LDAP, Kerberos, DNS, and PKI with a rich management framework. Frequently, IdM is described as "Active Directory for Linux". Although, to be fair, Active Directory is really just a management framework around LDAP, Kerberos, DNS and PKI -- all of which were well established in the unix community long before Active Directory ever existed. In any case, the primary use for IdM is to provide these identity services to linux clients using these well established and open protocols.
This article will provide an overview of Red Hat Identity Manager, and demonstrate how to get started with IdM quickly.
Technical Overview
IdM is built upon Red Hat Directory Server and takes advantage of Directory Server's mature multi-master support, which supports up to 20 LDAP masters (both read and write). MIT Kerberos and ISC Bind sit on top of Directory Server, using LDAP for their back-end data stores - this takes care of replicating changes between IdM servers.
For those of you who have managed MIT Kerberos propagation and Bind configuration and zone transfers, you'll appreciate the simplicity of simply using LDAP replication rather than maintaining distinct replication systems for each service.
Finally, Red Hat Certificate System is also included in IdM, providing full PKI services. IdM's PKI system can operate as either a root certificate authority or as an intermediate authority, integrating existing trust models.
Getting started
Part of the beauty of this software, aside from it being 100% open source, is the simplicity of installation and maintenance. It is very easy to get a highly available, enterprise-level deployment up and running. If you are a Red Hat Enterprise Linux (RHEL) customer, you already have everything you need to start using it - there is no additional subscription required.
Both the server as well as the client installer are also available in Fedora, if you want to check out the latest code. It is quite common to use host the IdM servers on RHEL and for developer machines to be running Fedora. The upstream project is called FreeIPA, as such you'll see the packages called freeipa-* in Fedora. (Editor's note, RHEL is now available for developer use. You may download it by signing up with Red Hat Developers.)
To install on RHEL, simply execute:
yum install ipa-server bind-dyndb-ldap ipa-server-install --setup-dns --forwarder=<dns_server1> --forwarder=<dns_server2>
Take a look at ipa-server-install --help
for full details. Once installed, log in to https://<ipa_server_fqdn>.
You'll also want to trust the new CA certificate, which is located on the IdM server at /etc/ipa/ca.crt
Of course, nobody wants just one IdM server. The first step would be to create a replica, which is a full read/write copy of the first installation. Take a look at the product docs for full details, but creating the replica is easy as well:
[root@firstserver ~]# ipa-replica-prepare --ip-address <replicas_ip> <replica_fqdn} [root@replica ~]# ipa-replica-install --setup-ca --ip-address=<ipaddr> --setup-dns --forwarder=<dns_server1> --forwarder=<dns_server2> /root/replica-info-<replica_fqdn>.gpg
Behold! You now have a highly available identity management system offering all the services that would normally take weeks to build separately. These services are secured by default using the strongest standards currently available for enterprise markets. For example, IdM fully supports using one time passwords and DNSSEC.
Additional integrations
Unless you have a complete greenfield infrastructure, you'll probably want to integrate IdM with your existing environment. IdM gives you mechanisms to:
- Have an external certificate authority sign the IdM CA certificate
- Import LDAP users
- Setup a trust relationship with Active Directory
These are well covered in the IdM documentation. Where things get interesting is the non-standard integration that you can perform:
- Cross-realm trust with an existing Kerberos realm
- Replicating the IdM data store to existing RHDS nodes
- Using configuring IdM servers to provide a highly available DHCP service, backed by the replicated IdM data store.
These lesser-known features and hacks will be the subject of future articles. There are a ton of great resources on IdM out there, hopefully this article has given you a quick-start to begin playing:
Additional Resources:
Upstream design docs:
https://www.freeipa.org/page/Main_Page
Last updated: October 30, 2023