Red Hat IPA on RHEL 6 with Active Directory one-way-sync and self signed certificates

In principle, central Linux / UNIX user authentication should be provided for every user. In most customer environments you will find Microsoft's Active Directory as the single point of truth for identity management (IdM). Unfortunately, a lot of requirements of the Linux / UNIX world are not met by Active Directory, such as:

  • Central sudo definitions
  • Central host-based-access (actually for Red Hat systems only)
  • Central unique user and group ID management

In this case Red Hat IPA server is the preferred solution to sync users and passwords between the Windows and the Linux / UNIX world. Red Hat IPA server is shipped with standard Red Hat Enterprise Linux 6 and is free of charge; only the RHEL 6 standard server package YUM repository is needed. IPA uses standard components such as OpenLDAP and Kerberos, so nearly all UNIX based systems can be connected to the Red Hat IPA server. All user-related actions within Active Directory (user creation, user deletion, password changes, user deactivation) are synced directly to the Red Hat IPA server. This document describes the installation and configuration of Red Hat IPA server with one-way-sync from Active Directory to Red Hat IPA server. It also deals with self-signed certificates for the synchronization between Red Hat IPA and Active Directory, but you can of course use a central Certification Authority (CA) if one is in place.

Unfortunately the domain trust feature of Red Hat IPA on RHEL 6 is only a technology preview; it is fully implemented in RHEL 7. Because of this, and for availability reasons, it is recommended to install at least three Red Hat IPA servers for each Active Directory domain you want to sync with. All IPA servers within an Active Directory domain sync are in sync with each other. In this document one of the IPA servers is logically defined as the IPA master server, even though the IPA servers run in active-active mode. The IPA master server is synced with only one Windows 2008 R2 AD controller (even if there is more than one AD controller per AD domain).

Afterwards all W2K8 AD controllers will have a password sync tool installed which syncs user passwords to the IPA master server. In general this environment runs in a so-called multi-master mode because of the sync agreements between IPA and the AD controller and between all IPA servers. All Linux / UNIX clients then authenticate to two IPA servers for availability reasons. The third IPA server is used for backup purposes: because no IPA client connects to it, you can stop all IPA services on the third IPA server and make consistent backups of the whole server.
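The cold-backup idea for the third (standby) IPA server described above, as an added shell example that is not part of the original post or the linked howto: it stops all IPA services with ipactl, archives the server's configuration and data directories, and restarts the services even if the archive step fails. The directory list in IPA_DIRS and the backup location are assumptions to be adjusted for the actual installation; the service-control command can be overridden through IPACTL for testing on a host without IPA.

```shell
#!/bin/sh
# Consistent (cold) backup of a standby IPA server on RHEL 6.
# Added example; not code from the original post or from Red Hat.

IPACTL="${IPACTL:-ipactl}"                    # RHEL 6 IPA service control tool
BACKUP_DIR="${BACKUP_DIR:-/var/backups/ipa}"  # ASSUMPTION: where archives are stored
# ASSUMPTION: directories that hold the IPA configuration and data; adjust
# to the real installation before use.
IPA_DIRS="${IPA_DIRS:-/etc/dirsrv /var/lib/dirsrv /etc/ipa /var/kerberos}"

# Archive name built from the short hostname and a UTC timestamp, so
# archives from several servers can be kept side by side.
backup_name() {
    printf 'ipa-%s-%s.tar.gz' "$1" "$2"
}

# Stop IPA, archive IPA_DIRS into BACKUP_DIR, start IPA again.
# Prints the archive path on success and returns tar's exit status.
ipa_cold_backup() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$BACKUP_DIR/$(backup_name "$(uname -n | cut -d. -f1)" "$stamp")"
    mkdir -p "$BACKUP_DIR" || return 1
    "$IPACTL" stop || return 1
    # Make sure the standby comes back up even if tar fails or is interrupted.
    trap '"$IPACTL" start' EXIT
    tar -czf "$archive" $IPA_DIRS
    rc=$?
    "$IPACTL" start
    trap - EXIT
    [ "$rc" -eq 0 ] && printf '%s\n' "$archive"
    return "$rc"
}
```

Run it from cron on the standby server only; the two IPA servers that clients actually use must stay up, since an ipactl stop there would interrupt authentication.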

There are also configuration hints for connecting SuSE clients to IPA manually. Unfortunately SLES 11 does not implement the SSSD ipa_provider, which is why you cannot use all advantages of IPA (especially host-based-access) directly.

[Figure: technical_overview]

Please read this document for further information: Red_Hat_IPA_Server_on_RHEL6_Howto_v-1.1
