RH362 - ch01s06

Preface A: Introduction

Section A.1: Red Hat Security: Identity Management and Authentication

Section A.2: Orientation to the Classroom Environment

Section A.3: Performing Lab Exercises

Chapter 1: Identity Management in Red Hat Enterprise Linux

Section 1.1: The IdM Ecosystem

Section 1.2: Quiz: The IdM Ecosystem

Section 1.3: The IdM Infrastructure Topology

Section 1.4: Guided Exercise: The IdM Infrastructure Topology

Section 1.5: The IdM Administrative Interfaces

SectionSection 1.6: Guided Exercise: The IdM Administrative Interfaces

Section 1.7: Quiz: Identity Management in Red Hat Enterprise Linux

Section 1.8: Summary

Chapter 2: Identity Management Core Technologies

Section 2.1: The System Security Services Framework

Section 2.2: Guided Exercise: The System Security Services Framework

Section 2.3: The Kerberos Authentication Protocol

Section 2.4: Guided Exercise: The Kerberos Authentication Protocol

Section 2.5: The Public Key Infrastructure

Section 2.6: Guided Exercise: Managing Certificates

Section 2.7: Lab: Working with Identity Management Core Technologies

Section 2.8: Summary

Chapter 3: Installing Identity Management in Red Hat Enterprise Linux

Section 3.1: Installing an Identity Management Server

Section 3.2: Guided Exercise: Installing an Identity Management Server

Section 3.3: Installing an Identity Management Client

Section 3.4: Guided Exercise: Installing an Identity Management Client

Section 3.5: Installing an Identity Management Replica

Section 3.6: Guided Exercise: Installing an Identity Management Replica

Section 3.7: Automating an Identity Management Installation

Section 3.8: Guided Exercise: Automating an Identity Management Installation

Section 3.9: Lab: Installing Identity Management in Red Hat Enterprise Linux

Section 3.10: Summary

Chapter 4: Implementing an Identity Management Topology

Section 4.1: Establishing Replication Agreements

Section 4.2: Guided Exercise: Establishing Replication Agreements

Section 4.3: Managing the Essential IdM Server Roles

Section 4.4: Guided Exercise: Managing the Essential IdM Server Roles

Section 4.5: Lab: Implementing an Identity Management Topology

Section 4.6: Summary

Chapter 5: Managing the CA and DNS Integrated Services

Section 5.1: Managing the Integrated Certificate Authority

Section 5.2: Guided Exercise: Managing the Integrated Certificate Authority

Section 5.3: Managing the Integrated DNS Service

Section 5.4: Guided Exercise: Managing the Integrated DNS Service

Section 5.5: Lab: Managing the CA and DNS Integrated Services

Section 5.6: Summary

Chapter 6: Managing Users and Configuring User Access

Section 6.1: Managing IdM Users and Hosts

Section 6.2: Guided Exercise: Managing IdM Users and Hosts

Section 6.3: Implementing IdM User Access Control

Section 6.4: Guided Exercise: Managing IdM User Access Control

Section 6.5: Managing Kerberos Principals, Policies, and External Authentication

Section 6.6: Guided Exercise: Managing Kerberos Principals, Policies, and External Authentication

Section 6.7: Configuring Network-shared Home Directories

Section 6.8: Guided Exercise: Configuring Network-shared Home Directories

Section 6.9: Lab: Managing Users and Configuring User Access

Section 6.10: Summary

Chapter 7: Configuring Alternative Authentication Services

Section 7.1: Managing Smart Card Authentication

Section 7.2: Guided Exercise: Managing Smart Card Authentication

Section 7.3: Working with Vaults in Identity Management

Section 7.4: Guided Exercise: Working with Vaults in Identity Management

Section 7.5: Implementing Two-factor Authentication

Section 7.6: Guided Exercise: Implementing Two-factor Authentication

Section 7.7: Lab: Configuring Alternative Authentication Services

Section 7.8: Summary

Chapter 8: Integrating Identity Management with Active Directory

Section 8.1: Establishing a Trust Relationship between IdM and AD

Section 8.2: Guided Exercise: Establishing a Trust Relationship between IdM and AD

Section 8.3: Managing AD User Integration with ID Views

Section 8.4: Guided Exercise: Managing AD User Integration with ID Views

Section 8.5: Quiz: Integrating Identity Management with Active Directory

Section 8.6: Summary

Chapter 9: Integrating Identity Management with Red Hat Utilities

Section 9.1: Implementing Single Sign-on

Section 9.2: Guided Exercise: Implementing Single Sign-on

Section 9.3: Integrating IdM with Red Hat Satellite

Section 9.4: Guided Exercise: Integrating IdM with Red Hat Satellite

Section 9.5: Configuring Automation Controller with IdM Authentication

Section 9.6: Guided Exercise: Configuring Automation Controller with IdM Authentication

Section 9.7: Lab: Integrating Identity Management with Red Hat Utilities

Section 9.8: Summary

Chapter 10: Troubleshooting and Disaster Recovery Planning for IdM

Section 10.1: Recovering IdM with Backups and Replication

Section 10.2: Guided Exercise: Recovering IdM with Backups and Replication

Section 10.3: Troubleshooting IdM

Section 10.4: Guided Exercise: Troubleshooting IdM

Section 10.5: Lab: Troubleshooting and Disaster Recovery Planning for IdM

Section 10.6: Summary

Chapter 11: Comprehensive Review

Section 11.1: Comprehensive Review

Section 11.2: Lab: Building a Multiple Server IdM Topology

Section 11.3: Lab: Working with Identity Management

Section 11.4: Lab: Working with Single Sign-on Technology

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11

Guided Exercise: The IdM Administrative Interfaces

Manage centralized Identity Management content in a newly installed IdM environment.

Outcomes

Administer the Identity Management services.
Use the command-line interface.
Browse the API.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start idm-management

Instructions

On the idm machine, stop and start the IdM service.

[student@workstation ~]$ ssh idm
[student@idm ~]$ sudo -i
[sudo] password for student: student

Review the /usr/lib/systemd/system/ipa.service systemd unit.

[Unit]
Description=Identity, Policy, Audit
Wants=network.target
Wants=gssproxy.service
After=network.target

[Service]
Type=oneshot
Environment=LC_ALL=C.UTF-8
ExecStart=/usr/sbin/ipactl start
ExecStop=/usr/sbin/ipactl stop
RemainAfterExit=yes
TimeoutSec=0

[Install]
WantedBy=multi-user.target

Stop the ipa service.

[root@idm ~]# systemctl stop ipa.service

Verify the status of the IdM services.

[root@idm ~]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services

Start the ipa service.

[root@idm ~]# systemctl start ipa.service

Verify the status of the IdM services.

[root@idm ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

List available topics on the ipa command. Determine and then use the appropriate commands to list all current IdM users. View variables related to the configuration of the IdM server.

Note

The lab command has already negotiated a Kerberos ticket as the admin user on the idm machine. Kerberos authentication is discussed in a later chapter.

List the available topics, and then get help for managing users.

[root@idm ~]# ipa help topics
automember         Auto Membership Rule.
automount          Automount
ca                 Manage Certificate Authorities
caacl              Manage CA ACL rules.
cert               IPA certificate operations
certmap            Certificate Identity Mapping
certprofile        Manage Certificate Profiles
config             Server configuration
delegation         Group to Group Delegation
dns                Domain Name System (DNS)
domainlevel        Raise the IPA Domain Level.
...output omitted...
[root@idm ~]# ipa help user
...output omitted...
EXAMPLES:

 Add a new user:
   ipa user-add --first=Tim --last=User --password tuser1

 Find all users whose entries include the string "Tim":
   ipa user-find Tim

 Find all users with "Tim" as the first name:
   ipa user-find --first=Tim

 Disable a user account:
   ipa user-disable tuser1
...output omitted...

List all IdM users.

[root@idm ~]# ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@LAB.EXAMPLE.COM, root@LAB.EXAMPLE.COM
  UID: 1138600000
  GID: 1138600000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

View variables related to the configuration of the IdM server.

[root@idm ~]# ipa env
  api_version: 2.249
  basedn: dc=internal,dc=lab,dc=example,dc=com
  bin: /usr/bin
  ca_agent_port: 443
  ca_host: idm.lab.example.com
  ca_install_port: None
  ca_port: 80
  certmonger_wait_timeout: 300
  conf: /etc/ipa/cli.conf
  conf_default: /etc/ipa/default.conf
  confdir: /etc/ipa
  config_loaded: True
...output omitted...
  tls_ca_cert: /etc/ipa/ca.crt
  tls_version_max: None
  tls_version_min: None
  validate_api: False
  verbose: 0
  version: 4.10.0
  wait_for_dns: 0
  webui_prod: True
  xmlrpc_uri: https://idm.lab.example.com/ipa/xml
-------------
120 variables
-------------

Reviewing these variables can be useful during troubleshooting.

Use a web browser to explore the IdM API.
1. On the workstation machine, open a web browser and navigate to https://idm.lab.example.com/.
2. The browser displays a certificate warning because IdM uses a self-signed certificate. Click Advanced, and then click Add Exception. Click Confirm Security Exception to accept the self-signed certificate. Click Advanced on the warning page, and then click Accept the Risk and Continue.
3. Log in as the admin user with RedHat123^ as the password.
4. Navigate to IPA Server → API Browser. In the Browse field, type ^group_ and then select group_show. Note the headings for options and arguments, and that the cn argument is required.

Switch back to the SSH session, and review the API interactions of the ipa command.

Use the ipa command to show the details of the admins group. Use the -vv option to show the JSON payload and response.

[root@idm ~]# ipa -vv group-show admins
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@LAB.EXAMPLE.COM",
    "result": {
        "messages": [
            {
                "code": 13001,
                "data": {
                    "server_version": "2.249"
                },
                "message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.249",
                "name": "VersionMissing",
                "type": "warning"
            }
        ],
        "summary": "IPA server version 4.10.0. API version 2.249"
    },
    "version": "4.10.0"
}
ipa: INFO: Request: {
    "id": 0,
    "method": "group_show/1",
    "params": [
        [
            "admins"
        ],
        {
            "version": "2.249"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
    "principal": "admin@LAB.EXAMPLE.COM",
    "result": {
        "result": {
            "cn": [
                "admins"
            ],
            "description": [
                "Account administrators group"
            ],
            "dn": "cn=admins,cn=groups,cn=accounts,dc=lab,dc=example,dc=com",
            "gidnumber": [
                "1138600000"
            ],
            "member_user": [
                "admin"
            ]
        },
        "summary": null,
        "value": "admins"
    },
    "version": "4.10.0"
}
  Group name: admins
  Description: Account administrators group
  GID: 1138600000
  Member users: admin

Return to the workstation machine as the student user.

[root@idm ~]# exit
logout
[student@idm ~]$ exit
logout
Connection to idm closed.

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish idm-management

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8