Review the IdM graphical interfaces.
Review the command-line tools for managing and working with IdM.
Review the API interface and associated tools.
IdM provides three types of management interfaces: graphical, command-line, and API. Ansible roles are also available for automation.
There are two graphical interfaces for managing IdM: IdM web UI, an interface designed for managing IdM configurations and identities, and the Red Hat Enterprise Linux web console that can be used for some domain tasks.
The IdM web UI is a graphical application for IdM administration. The application performs all tasks through the REST API. This interface is ideal for beginning administrators, or those who are not familiar with the Linux command line.
Your assigned access rights determine the management operations that you can perform.
For the admin user and other users with administrative privileges, all management tasks are available.
You can also assign a user role to grant a subset of predefined access rights.
For regular users, a limited set of operations is available.
In addition to password authentication, the IdM web UI supports Kerberos, one-time password (OTP), and certificate authentication methods.
The web UI is intuitive, so its features are not described in detail here.
Any Linux host can be managed using the web console. Although the normal management of the IdM service is performed from the command line, the service can also be managed from the web console.
When connected to an IdM server you can manage all IdM services.
However, as with the command-line tools, you should not start and stop individual IdM services; instead, use the ipa.service unit to manage them as a set.
In specific troubleshooting circumstances, it is common to restart an individual service without restarting the whole set of IdM services.
You can use the web console to join a host to an IdM domain. Navigate to → and then click .
On a host that is a member of an IdM domain, you can also use Kerberos to authenticate to the web console.
Red Hat recommends using the command-line tools to manage an IdM domain.
The ipa command is used to manage all domain objects and servers, and also performs all its tasks through the REST API.
Commands are specified as subcommands in the form topic-operation:
A topic, such as user, group, or host.
An operation, such as add, show, mod, del, or find.
The built-in help describes all the available commands. The following output highlights the commands available for user and group management.
[user@host ~]$ ipa help commands
...output omitted...
group-add Create a new group.
group-add-member Add members to a group.
group-add-member-manager Add users that can manage members of this group.
group-del Delete group.
group-detach Detach a managed group from a user.
group-find Search for groups.
group-mod Modify a group.
group-remove-member Remove members from a group.
group-remove-member-manager Remove users that can manage members of this group.
group-show Display information about a named group.
...output omitted...
user-add Add a new user.
user-add-cert Add one or more certificates to the user entry
user-add-certmapdata Add one or more certificate mappings to the user entry.
user-add-manager Add a manager to the user entry
user-add-principal Add new principal alias to the user entry
user-del Delete a user.
user-disable Disable a user account.
user-enable Enable a user account.
user-find Search for users.
user-mod Modify a user.
user-remove-cert Remove one or more certificates to the user entry
user-remove-certmapdata Remove one or more certificate mappings from the user entry.
user-remove-manager Remove a manager to the user entry
user-remove-principal Remove principal alias from the user entry
user-show Display information about a user.
user-stage Move deleted user into staged area
user-status Lockout status of a user account
user-undel Undelete a delete user account.
user-unlock Unlock a user account
...output omitted...
Note that objects that can contain other objects usually have the add-member and remove-member operations available.
Two options are available that expand on the attributes of the displayed object.
The --all option displays all available attributes of the object; otherwise only the most often used attributes are shown.
The following attributes are some that are not shown by default:
ipantsecurityidentifier: S-1-5-21-1996420358-1936117745-1222801274-500
ipauniqueid: 808f56f4-ab91-11ed-ac32-52540000fa08
krbextradata: AAItIOpjcm9vdC9hZG1pbkBJTlRFUk5BTC5MQUIuRVhBTVBMRS5DT00A
krblastadminunlock: 20230213113405Z
krblastpwdchange: 20230213113405Z
objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, ipaNTUserAttrs
The --rights option works with the --all option to show the effective rights for each object attribute as a Python dictionary.
You can apply the following rights to an attribute:
(r) for read
(s) for search
(w) for write
(o) for obliterate
(c) for compare
(W) for self-write
(O) for self-obliterate
attributelevelrights: {'objectclass': 'rscwo', 'aci': 'rscwo', 'sn': 'rscwo', 'cn': 'rscwo', 'userpassword': 'swo', 'telephonenumber': 'rscwo', 'seealso': 'rscwo', 'description': 'rscwo', 'uid': 'rscwo', 'uidnumber': 'rscwo', 'gidnumber': 'rscwo', 'homedirectory': 'rscwo', 'loginshell': 'rscwo', 'gecos': 'rscwo', 'krbprincipalname': 'rscwo', 'krbcanonicalname': 'rscwo', 'krbupenabled': 'rscwo', 'krbprincipalkey': 'swo', 'krbticketpolicyreference': 'rscwo', 'krbprincipalexpiration': 'rscwo', 'krbpasswordexpiration': 'rscwo', 'krbpwdpolicyreference': 'rscwo', 'krbprincipaltype': 'rscwo', 'krbpwdhistory': '', 'krblastpwdchange': 'rsc', 'krbprincipalaliases': 'rscwo', 'krblastsuccessfulauth': 'rsc', 'krblastfailedauth': 'rsc', 'krbloginfailedcount': 'rscwo', 'krbextradata': 'rsc', 'krblastadminunlock': 'rscwo', 'krballowedtodelegateto': 'rscwo', 'krbprincipalauthind': 'rscwo', 'krbticketflags': 'rscwo', 'krbmaxticketlife': 'rscwo', 'krbmaxrenewableage': 'rscwo', 'krbauthindmaxticketlife': 'rscwo', 'krbauthindmaxrenewableage': 'rscwo', 'inetuserstatus': 'rscwo', 'inetuserhttpurl': 'rscwo', 'memberof': 'rsc', 'ipauniqueid': 'rsc', 'ipasshpubkey': 'rscwo', 'ipantsecurityidentifier': 'rscwo', 'ipanthash': 'wo', 'ipantlogonscript': 'rscwo', 'ipantprofilepath': 'rscwo', 'ipanthomedirectory': 'rscwo', 'ipanthomedirectorydrive': 'rscwo', 'nsaccountlock': 'rscwo'}
In the preceding output, the effective rights on the loginshell attribute are read, search, compare, write, and obliterate.
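The rights string for each attribute is compact but easy to misread, so the following added example (not part of the course material) decodes the attributelevelrights dictionary from ipa user-show --all --rights and groups attributes by what the calling principal may do with them; the function names and the trimmed sample dictionary are this example's own.

```python
# Added example, not from the course: decode the attributelevelrights
# dictionary printed by `ipa user-show --all --rights` and sort attributes
# by what the calling principal can do with them.
RIGHT_NAMES = {
    "r": "read",
    "s": "search",
    "w": "write",
    "o": "obliterate",
    "c": "compare",
    "W": "self-write",
    "O": "self-obliterate",
}

# Constructed sample: a subset of the attributelevelrights output shown above.
SAMPLE_RIGHTS = {
    "loginshell": "rscwo",
    "userpassword": "swo",
    "krbprincipalkey": "swo",
    "krbpwdhistory": "",
    "krblastpwdchange": "rsc",
    "ipanthash": "wo",
    "memberof": "rsc",
    "nsaccountlock": "rscwo",
}

def decode_rights(flags):
    """Expand a flag string such as 'rscwo' into right names, keeping order."""
    unknown = [f for f in flags if f not in RIGHT_NAMES]
    if unknown:
        raise ValueError("unknown right flag(s): " + "".join(unknown))
    return [RIGHT_NAMES[f] for f in flags]

def writable_attributes(rights):
    """Attributes the caller may change (write or self-write)."""
    return sorted(a for a, f in rights.items() if "w" in f or "W" in f)

def write_only_attributes(rights):
    """Attributes that can be set but never read back, such as password hashes."""
    return sorted(a for a in writable_attributes(rights) if "r" not in rights[a])

def read_only_attributes(rights):
    """Attributes the caller can read but not change, such as server-maintained ones."""
    return sorted(a for a, f in rights.items() if "r" in f and "w" not in f and "W" not in f)

if __name__ == "__main__":
    for attr, flags in SAMPLE_RIGHTS.items():
        print("%-18s %s" % (attr, ", ".join(decode_rights(flags)) or "(no rights)"))
    print("write-only:", write_only_attributes(SAMPLE_RIGHTS))
```

Running the same functions over the full dictionary returned for a less privileged principal shows at a glance which attributes that principal can alter.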
The ipa console command also provides an interactive Python console.
However, discussion of the console is beyond the scope of this course.
[user@host ~]$ ipa console
(Custom IPA interactive Python console)
api: IPA API object
pp: pretty printer
>>>
The ipactl utility was previously used to stop, start, or restart the IdM server along with its associated services.
Due to issues with SELinux and localization, Red Hat no longer recommends using this command to manage IdM services.
The only reasons to use ipactl are when you want to run the status command explicitly, or to troubleshoot a partially working system.
All IdM component services are now managed using the ipa.service systemd unit.
Red Hat recommends that you use the systemctl stop/start/restart ipa.service command for most operations.
The ipa.service unit uses the ipactl start/stop command but does so with a predictable environment.
Having a predictable environment is important because IdM runs upgrade code on startup.
By providing an API, third-party products can integrate with an IdM server, using the same methods as the web UI and the ipa command-line utility.
The IdM API is available as a Technology Preview.
See https://access.redhat.com/support/offerings/techpreview/ for more information.
The IdM management framework, written in Python, provides a single application to manage various IdM server components, such as the directory server, certificate server, and DNS.
The framework implements an extended version of JSON-RPC version 1.0.
Data that is passed between the client and server is serialized as JSON, meaning that it is translated into a JSON object for transmission and then reconstruction.
All the management interfaces, such as the web UI, the command line, and Ansible, work through the IdM API, so that any tool creates the same results as the others. Using the API enables developers to bypass those other higher-level interfaces and work directly with the API in their preferred programming language, such as Python, Java, Ruby, or Go.
When developing against the API, it can be helpful to view the payloads and responses for various commands.
Using the ipa -vv command shows the JSON data being sent and received:
[user@host ~]$ ipa -vv user-show admin
...output omitted...
ipa: INFO: Request: {
    "id": 0,
    "method": "user_show/1",
    "params": [
        [
            "admin"
        ],
        {
            "version": "2.228"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@LAB.EXAMPLE.COM",
    "result": {
        "result": {
            "dn": "uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com",
            "gidnumber": [
                "852200000"
            ],
            "has_keytab": true,
            "has_password": true,
            "homedirectory": [
                "/home/admin"
            ],
            "krbprincipalname": [
                "admin@LAB.EXAMPLE.COM"
            ],
            "loginshell": [
                "/bin/bash"
            ],
            "memberof_group": [
                "admins",
                "trust admins"
            ],
            "nsaccountlock": false,
            "sn": [
                "Administrator"
            ],
            "uid": [
                "admin"
            ],
            "uidnumber": [
                "852200000"
            ]
        },
        "summary": null,
        "value": "admin"
    },
    "version": "4.5.0"
}
...output omitted...
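The following added example (written for this page, not code from the IdM framework) builds a request in the JSON-RPC 1.0 dialect shown in the ipa -vv output, unwraps the nested result, and handles the error member and the list-valued attributes the reply uses; the function names, the trimmed sample reply, and the constructed error reply are this example's own assumptions.

```python
# Added example, not from the course: build a request in the JSON-RPC 1.0
# dialect that `ipa -vv` shows above, and unwrap the reply it gets back.
import itertools
import json

API_VERSION = "2.228"      # the "version" option in the captured request
_ids = itertools.count()   # JSON-RPC "id" lets a client match replies to requests

def build_request(method, args=(), version=API_VERSION, **options):
    """Return the dict for one ipa call; json.dumps() it to send it."""
    options = dict(options, version=version)  # the API version travels in the options dict
    return {
        "id": next(_ids),
        "method": "%s/1" % method,  # "/1" is the command-version suffix seen above
        "params": [list(args), options],
    }

def parse_response(text):
    """Return the inner 'result' dict, or raise if 'error' is not null."""
    reply = json.loads(text)
    err = reply.get("error")
    if err is not None:
        raise RuntimeError("IdM error %s: %s" % (err.get("code"), err.get("message")))
    return reply["result"]["result"]

def single(entry, attr):
    """Most LDAP attributes come back as lists ('uid': ['admin']); return the lone value."""
    value = entry[attr]
    if not isinstance(value, list):
        return value
    if len(value) != 1:
        raise ValueError("%s has %d values, expected exactly one" % (attr, len(value)))
    return value[0]

# Constructed samples: a trimmed copy of the user-show reply above and a made-up error reply.
SAMPLE_REPLY = json.dumps({
    "error": None, "id": 0, "principal": "admin@LAB.EXAMPLE.COM",
    "result": {"result": {"uid": ["admin"], "loginshell": ["/bin/bash"],
                          "memberof_group": ["admins", "trust admins"],
                          "nsaccountlock": False},
               "summary": None, "value": "admin"},
    "version": "4.5.0"})
SAMPLE_ERROR = json.dumps({
    "error": {"code": 4001, "message": "nobody: user not found", "name": "NotFound"},
    "id": 1, "principal": "admin@LAB.EXAMPLE.COM", "result": None, "version": "4.5.0"})

if __name__ == "__main__":
    print(json.dumps(build_request("user_show", ["admin"], all=True, rights=True)))
    print("shell:", single(parse_response(SAMPLE_REPLY), "loginshell"))
```

Against a live server the encoded request is POSTed as application/json to the server's /ipa/session/json endpoint after authenticating; that transport is left out so the block runs offline.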
To view available methods and their associated arguments and options, the IdM web UI provides an API browser.
In a web browser, navigate to the IdM web interface at https://idm.lab.example.com and log in.
After you have logged in, you can find additional information by navigating to → . Use the filter field at the top of the left pane to restrict the list to methods with matching names.
The freeipa.ansible_freeipa collection is an extensive set of recommended Ansible Playbooks and roles for installing and managing IdM.
These playbooks also use the API and in some scenarios, they might be a better method to interact with other products or IdM tasks.
Using Ansible Content Collections removes the need to keep up with API changes as you would with a custom program.
Red Hat engineers have worked extensively to enhance this collection to cover all common tasks.
Red Hat recommends the collection playbooks for performing any task for which a playbook exists, because the playbooks include the correct steps and dependencies that are the source of most installation and management issues. The upcoming installation chapter shows how to install the product by using Ansible Playbooks, as recommended by Red Hat support.
For more information, refer to the Accessing Identity Management services guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/accessing_identity_management_services/index
Using the Identity Management API to Communicate with the IdM Server (Technology Preview)