Ohio LinuxFest 2014

Integrating Linux Systems with Active Directory

Dmitri Pal, Sr. Engineering Manager, Red Hat, Inc.

Agenda
● Problem statement
● Aspects of integration
● Options

Problem Statement
● For most companies AD is the central hub of user identity management inside the enterprise.
● All systems that AD users can access (including Linux) need access to AD in some way, directly or indirectly, to perform authentication and identity lookups.
● In some cases AD is the only allowed central authentication server due to compliance requirements.
● In some cases DNS is tightly controlled by the Windows side of the enterprise and non-Windows systems need to adapt to this.

Aspects of Integration
● Authentication
  – A user logs into a Linux system: how is that user authenticated?
● Identity lookup
  – How does the system know about the right accounts?
  – How are AD accounts mapped to POSIX?
● Name resolution and service discovery
  – How does the system know where its authentication and identity server is?
● Policy management
  – How are other identity-related policies managed on the system?
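The "How are AD accounts mapped to POSIX?" question, as an added example that is not part of the talk: the RID-based algorithmic mapping that both winbind and SSSD can use instead of SFU/IMU attributes. Each domain is given one slice of the POSIX ID range and an account's RID is added to the start of that slice. The slice index is a parameter here (SSSD derives it from a hash of the domain SID and its configured ldap_idmap_* ranges, so hosts with identical settings agree; winbind's rid backend takes the range from smb.conf) and that derivation is not reproduced. RANGE_MIN and RANGE_SIZE are SSSD's documented defaults for ldap_idmap_range_min and ldap_idmap_range_size; the SID is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the talk: algorithmic SID -> POSIX ID mapping.
# Each AD domain gets one slice of RANGE_SIZE IDs starting at RANGE_MIN;
# the RID of an account is added to the start of its domain's slice.
# RANGE_MIN/RANGE_SIZE are SSSD's documented defaults (ldap_idmap_range_min,
# ldap_idmap_range_size). The slice index is passed in by the caller: SSSD
# derives it from a hash of the domain SID, winbind's rid backend takes the
# range from smb.conf; neither derivation is reproduced here.
RANGE_MIN=200000
RANGE_SIZE=200000

# sid_split SID -> prints "DOMAIN_SID RID"; fails for anything that is not a
# domain account SID of the form S-1-5-21-<a>-<b>-<c>-<rid>
sid_split() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' || return 1
    echo "${1%-*} ${1##*-}"
}

# sid_to_uid SID SLICE -> POSIX ID of SID when its domain occupies slice SLICE
sid_to_uid() {
    parts=$(sid_split "$1") || return 1
    rid=${parts##* }
    # a RID past the end of the slice cannot be mapped into it
    [ "$rid" -lt "$RANGE_SIZE" ] || return 2
    echo $((RANGE_MIN + $2 * RANGE_SIZE + rid))
}

# uid_to_rid UID SLICE -> RID that UID corresponds to in slice SLICE;
# fails if UID lies outside that slice
uid_to_rid() {
    base=$((RANGE_MIN + $2 * RANGE_SIZE))
    { [ "$1" -ge "$base" ] && [ "$1" -lt $((base + RANGE_SIZE)) ]; } || return 1
    echo $(($1 - base))
}

# same_ids SID SLICE_A SLICE_B -> succeeds only if two hosts that assigned the
# domain slices SLICE_A and SLICE_B would agree on the POSIX ID for SID
same_ids() {
    a=$(sid_to_uid "$1" "$2") || return 1
    b=$(sid_to_uid "$1" "$3") || return 1
    [ "$a" = "$b" ]
}

# Constructed sample: a domain account SID with RID 1013
EXAMPLE_SID='S-1-5-21-3623811015-3361044348-30300820-1013'
echo "slice 0: $(sid_to_uid "$EXAMPLE_SID" 0)"   # 201013
echo "slice 3: $(sid_to_uid "$EXAMPLE_SID" 3)"   # 801013
```

The two echo lines show the operational caveat: the same account gets a different UID on two hosts that place the domain in different slices, so ID-mapping settings must be identical across the fleet (or replaced by SFU/IMU attributes everywhere), otherwise ownership on NFS or other shared storage stops matching.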
Third Party Integration Option
Diagram: AD (DNS, LDAP, KDC) with a 3rd party plugin; Linux system with a 3rd party client covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● Policies are delivered via GPO.
● ID mapping is implementation specific or uses the SFU/IMU extensions in AD.
● The client may also use native AD protocols.
● Authentication can use LDAP or Kerberos.

Pros and Cons of the 3rd Party Option
● Pros
  – Everything is managed in one place, including policies
● Cons
  – Requires a third party vendor
  – Extra cost per system (adds up)
  – Limits UNIX/Linux environment independence
  – Requires software on the AD side

Legacy Integration Option
Diagram: AD (DNS, LDAP, KDC); Linux system with LDAP/KRB client libraries covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● AD can be extended to serve basic sudo and automount maps.
● Policies are delivered via configuration files managed locally or via a config server like Puppet.
● ID mapping uses the SFU/IMU extensions in AD.
● Authentication can use LDAP or Kerberos.

Pros and Cons of the Legacy Option
● Pros
  – Free
  – No third party vendor is needed
  – Intuitive
● Cons
  – Requires the SFU/IMU AD extension
  – Policies are not centrally managed
  – Hard to configure securely

Traditional Integration Option
Diagram: AD (DNS, LDAP, KDC); Linux system with Samba Winbind covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● AD can be extended to serve basic sudo and automount maps.
● Policies are delivered via configuration files managed locally or via a config server like Puppet.
● Maps AD SIDs to POSIX attributes.
● Joins the system into the AD domain.
● Uses native AD protocols.
● Authentication can use LDAP, Kerberos or NTLM.

Pros and Cons of the Traditional Option
● Pros
  – Well known
  – Does not require a third party
  – Does not require SFU/IMU
  – Supports trusted domains
● Cons
  – Can connect only to AD and is very MSFT focused
  – Has some perceived stability issues
  – Policies are not centrally managed

Contemporary Integration Option
Diagram: AD (DNS, LDAP, KDC); Linux system with SSSD covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● AD can be extended to serve basic sudo and automount maps.
● Can map AD SIDs to POSIX attributes or use SFU/IMU.
● Can join the system into the AD domain (realmd).
● Policies are delivered via configuration files managed locally or via a config server like Puppet.
● Authentication can use LDAP or Kerberos.

Pros and Cons of the Contemporary Option
● Pros
  – Does not require a third party
  – Does not require SFU/IMU
  – Supports trusted domains with FreeIPA
  – Supports heterogeneous environments
  – Supports transitive trusts in AD domains
● Cons
  – Does not support CIFS integration (as of SSSD 1.12)

Option Comparison
Feature                                              | LDAP/KRB | Winbind          | SSSD
Authenticate using Kerberos or LDAP                  | Yes      | Yes              | Yes
Identities are looked up in AD                       | Yes      | Yes              | Yes
Requires SFU/IMU                                     | Yes      | No               | No
ID mapping                                           | None     | Multiple ways    | Most popular way
System is joined into AD                             | Manual   | Has join utility | realmd
Supports trusts for AD domains                       | No       | Yes              | Yes
Supports heterogeneous domains and advanced features | No       | No               | Yes
Supports file sharing                                | No       | Yes              | In development

Limitations of the Direct Integration Options
● Policy management is left out.
● Per-system CALs add to the cost.
● Linux/UNIX administrators do not have control of the environment.
All these limitations prevent growth of the Linux environment inside the enterprise!
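The legacy option's "hard to configure securely" con, and the SSSD client of the contemporary option, as an added example that is not part of the talk: a small audit of an sssd.conf that reaches AD through SSSD's ldap and krb5 providers, run over a constructed weak domain section and a constructed hardened one. The checks use documented sssd.conf options (auth_provider, ldap_uri, ldap_id_use_start_tls, ldap_sasl_mech, ldap_tls_reqcert, ldap_default_authtok, krb5_validate); the hostnames, the realm CORP.EXAMPLE.COM, the host principal, the service account and its password are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: audit an sssd.conf that reaches AD through
# SSSD's ldap/krb5 providers for the settings that make the legacy option hard
# to configure securely. Hostnames, realm, principals and paths are assumptions.

# conf_get FILE KEY -> value of the first "KEY = value" line in FILE
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lower STRING -> lower-cased STRING (sssd.conf booleans are case-insensitive)
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sssd_ldap_conf FILE -> prints one line per finding, always returns 0
audit_sssd_ldap_conf() {
    f=$1
    auth=$(lower "$(conf_get "$f" auth_provider)")
    uri=$(conf_get "$f" ldap_uri)
    starttls=$(lower "$(conf_get "$f" ldap_id_use_start_tls)")
    sasl=$(conf_get "$f" ldap_sasl_mech)
    reqcert=$(lower "$(conf_get "$f" ldap_tls_reqcert)")
    authtok=$(conf_get "$f" ldap_default_authtok)
    validate=$(lower "$(conf_get "$f" krb5_validate)")

    if [ "$auth" = "ldap" ]; then
        echo "auth_provider = ldap: user passwords are sent to the DC in LDAP binds; use auth_provider = krb5"
    fi
    case "$uri" in
        ldap://*)
            # plain ldap:// is only acceptable when STARTTLS or SASL/GSSAPI sign+seal protects it
            if [ "$starttls" != "true" ] && [ "$sasl" != "GSSAPI" ]; then
                echo "ldap_uri = $uri: identity lookups in clear text; use ldaps://, ldap_id_use_start_tls = True or ldap_sasl_mech = GSSAPI"
            fi ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "ldap_tls_reqcert = $reqcert: the DC certificate is not verified, so any host can impersonate it; use demand plus ldap_tls_cacert" ;;
    esac
    if [ -n "$authtok" ]; then
        echo "ldap_default_authtok: clear-text bind password in sssd.conf; bind with the host keytab (ldap_sasl_mech = GSSAPI) instead"
    fi
    if [ "$auth" = "krb5" ] && [ "$validate" != "true" ]; then
        echo "krb5_validate is off: the TGT is not checked against the host keytab, so a spoofed KDC can satisfy the login; set krb5_validate = True"
    fi
    return 0
}

# sample_weak_conf -> path of a constructed domain section with the usual mistakes
sample_weak_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
[domain/corp.example.com]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldap://dc1.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=svc-linux,cn=Users,dc=corp,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = Winter2014
EOF
    echo "$t"
}

# sample_hardened_conf -> path of a constructed domain section done right: Kerberos for
# authentication, the host keytab (from the domain join) for LDAP binds with SASL
# sign+seal enforced, and the TGT validated against that keytab
sample_hardened_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
[domain/corp.example.com]
id_provider = ldap
auth_provider = krb5
ldap_schema = ad
ldap_uri = ldap://dc1.corp.example.com
ldap_search_base = dc=corp,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux01.corp.example.com@CORP.EXAMPLE.COM
ldap_sasl_minssf = 56
krb5_realm = CORP.EXAMPLE.COM
krb5_server = dc1.corp.example.com
krb5_validate = True
EOF
    echo "$t"
}
```

On the weak sample the audit prints four findings; on the hardened sample it prints nothing. Against a live system run it as root on /etc/sssd/sssd.conf, which must be owned by root with mode 0600 for SSSD to start at all; the hardened variant also presumes the host has a keytab, which is what a domain join (realmd for the SSSD option, net ads join for winbind) provides.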
FreeIPA Based Integration (sync)
Diagram: AD (DNS, LDAP, KDC) and FreeIPA (DNS, LDAP, KDC) side by side; Linux system with SSSD covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● A DNS zone is delegated by AD to IdM to manage the Linux environment.
● Users are synchronized from AD to IdM.
● Name resolution and service discovery queries are resolved against FreeIPA.
● Policies are centrally managed over LDAP.

Pros and Cons of the FreeIPA Integration
● Pros
  – Reduces cost: no CALs or 3rd party
  – Policies are centrally managed
  – Gives control to Linux admins
  – Enables independent growth of the Linux environment
● Cons
  – Requires user and password sync
  – Authentication does not happen in AD
  – Requires a proper DNS setup

FreeIPA Based Integration (Split Brain – DO NOT DO)
Diagram: the same components as the sync option: AD (DNS, LDAP, KDC), FreeIPA (DNS, LDAP, KDC) and a Linux system with SSSD.
● A DNS zone is delegated by AD to IdM to manage the Linux environment.
● Users are synchronized from AD to IdM.
● Name resolution and service discovery queries are resolved against FreeIPA.
● Policies are centrally managed over LDAP.

Pros and Cons of the Split Brain Solution
● Pros
  – All authentication happens against AD
● Cons
  – We can't do clean upgrades from this configuration
  – It is a manual configuration
We do not recommend this configuration.
FreeIPA Based Integration (AD DNS)
Diagram: AD (DNS, LDAP, KDC) and FreeIPA (DNS, LDAP, KDC); Linux system with SSSD covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● Users are synchronized from AD to IdM.
● Requires changes to config files after installation and initial client enrollment.
● Policies are centrally managed over LDAP.

Pros and Cons of Integration without FreeIPA DNS
● Pros
  – AD DNS is used
● Cons
  – Either each client needs to be explicitly configured with the list of servers, or AD DNS needs to be configured with a subdomain and the clients configured to use that subdomain
  – Service discovery is turned off, or discovery is done via the subdomain
This option is effectively more work for everybody.

FreeIPA Based Integration (Trust)
Diagram: AD (DNS, LDAP, KDC) and FreeIPA (DNS, LDAP, KDC) with a trust between the domains; Linux system with SSSD covering policies (sudo, HBAC, automount, SELinux), authentication, identities and name resolution.
● A DNS zone can be delegated by AD to IdM to manage the Linux environment; it can be a subdomain.
● The domains trust each other.
● Users stay where they are; no synchronization is needed.
● Client software connects to the right server depending on the information it needs.
● Policies are centrally managed over LDAP.

Pros and Cons of the FreeIPA Trust Integration
● Pros
  – Reduces cost: no CALs or 3rd party
  – Policies are centrally managed
  – Gives control to Linux admins
  – Enables independent growth of the Linux environment
  – No synchronization required
  – Authentication happens in AD
● Requirement
  – Proper DNS setup

Summary
While direct integration is possible, and in some cases required, the FreeIPA based integration option is the most cost efficient and feature rich option currently available, so it is recommended as the preferred choice for integrating the Linux infrastructure into existing AD environments.
Resources
● FreeIPA
  – Project wiki: www.freeipa.org
  – Project trac: https://fedorahosted.org/freeipa/
  – Code: http://git.fedorahosted.org/git/?p=freeipa.git
  – Mailing lists:
    ● [email protected]
    ● [email protected]
    ● [email protected]
● SSSD: https://fedorahosted.org/sssd/
  – Mailing lists:
    ● [email protected]
    ● [email protected]
● Certmonger: https://fedorahosted.org/certmonger/

Questions?