Integrating Linux Systems with Active Directory Using Open Source Tools

Dmitri Pal - Red Hat, Inc. - Director of Engineering


  1. Integrating Linux systems with Active Directory Using Open Source Tools. All Things Open. Dmitri Pal, Engineering Director, Red Hat, Inc. 10-23-2017
  2. Agenda
     ● Problem statement
     ● Aspects of integration
     ● Integration options
     ● Recommendations
  3. Problem Statement and Aspects of Integration
  4. Problem Statement
     ● For most companies AD is the central hub of user identity management inside the enterprise
     ● All systems that AD users can access (including Linux) need (in some way, i.e. directly or indirectly) to have access to AD to perform authentication and identity lookups
     ● In some cases AD is the only allowed central authentication server due to compliance requirements
     ● In some cases DNS is tightly controlled by the Windows side of the enterprise and non-Windows systems need to adapt to this
  5. Integration Aspects: Main aspects
     ● Identities
       ○ Where are my users stored? What properties do they have? How is this data made available to systems and applications? How is this data delivered to the right endpoints? Is it cached and how is it refreshed?
     ● Authentication
       ○ What credentials do my users use to authenticate? Passwords? Smart Cards? Special devices? Is there SSO? How can the same user access file stores and web applications without requiring re-authentication?
  6. Integration Aspects: Main aspects, continued
     ● Access control
       ○ Which users have access to which systems, services, applications? What commands can they run on those systems? What SELinux context is a user mapped to?
     ● Policies
       ○ What is the type and strength of the credential? What are the SSO ticket/assertion policies? How to express what is allowed and what is not in my environment to be compliant with known regulations (PCI, STIG, etc.)?
  7. Integration Options
  8. Integration options
     [Diagram. Direct Integration: three Linux systems connected to Active Directory. Indirect Integration: three Linux systems connected to a Central Identity Server, which connects to Active Directory.]
  9. Integration options
     [Diagram. Direct Integration: three Linux systems connected to Active Directory.]
  10. Direct Integration Options
     ● 3rd party
     ● Legacy (pam_krb5, pam_ldap, nss_ldap, nslcd)
     ● Traditional – winbind
     ● Contemporary – SSSD (with realmd)
  11. Third Party Direct Integration
     [Diagram labels. Active Directory: 3rd Party Plugin, Policies via GPO, DNS, LDAP, KDC. Linux System: 3rd party client; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution.]
     ● Client may use native AD protocols
     ● Authentication can be LDAP or Kerberos
     ● ID mapping is implementation specific or uses SFU/IMU extensions in AD
  12. Third Party Direct Integration: Pros and Cons
     ● Pros
       ○ Everything is managed in one place including policies
       ○ SSO can be accomplished via Kerberos
     ● Cons
       ○ Requires third party vendor
       ○ Extra cost per system (adds up)
       ○ Limits UNIX/Linux environment independence
       ○ Requires software on AD side
       ○ Policies are not managed or require extra addons
  13. Legacy Direct Integration
     [Diagram labels. Active Directory: DNS, LDAP, KDC. Linux System: LDAP/Kerberos; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution.]
     ● Authentication can be LDAP or Kerberos
     ● ID mapping: SFU/IMU extensions are in AD
     ● AD can be extended to serve basic sudo and automount
     ● Policies are delivered via configuration files and managed locally or via a config server like Ansible or Puppet.
  14. Legacy Direct Integration: Pros and Cons
     ● Pros:
       ○ Free
       ○ No third party vendor is needed
       ○ Intuitive
       ○ LDAP OTP authentication in Azure (have not tried)
       ○ Available on UNIXes
     ● Cons:
       ○ Requires SFU/IMU AD extension (which are deprecated as of fall 2014)
       ○ Policies are not centrally managed
       ○ Hard to configure securely
       ○ No SSO with OTP
  15. Traditional Direct Integration
     [Diagram labels. Active Directory: DNS, LDAP, KDC. Linux System: Samba Winbind; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution.]
     ● Authentication can be LDAP, Kerberos or NTLM
     ● AD can be extended to serve basic sudo and automount
     ● Can map AD SID to POSIX attributes or use SFU/IMU
     ● Can join system into AD domain (net join or realmd)
     ● Leverages native AD protocols and LDAP/Kerberos
     ● Policies are delivered via configuration files and managed locally or via a config server like Ansible or Puppet.
  16. Traditional Direct Integration: Pros and Cons
     ● Pros:
       ○ Well known
       ○ Does not require third party
       ○ Does not require SFU/IMU but can use them
       ○ Supports trusted forests
       ○ Supports NTLM fallback
     ● Cons:
       ○ Can connect only to AD and very MSFT focused
       ○ Policies are not centrally managed
       ○ No OTP support
  17. SSSD: Introduction
     ● SSSD = System Security Services Daemon
     ● SSSD is a service used to retrieve information from a central identity management system.
     ● SSSD connects a Linux system to a central identity store:
       ○ Active Directory
       ○ FreeIPA
       ○ Any other directory server
     ● Provides authentication and access control
     ● Top technology in the evolution chain of the client side IdM components
  18. SSSD: Capabilities
     ● Multiple parallel sources of identity and authentication – domains
     ● All information is cached locally for offline use
       ○ Remote data center use case
       ○ Laptop or branch office system use case
     ● Advanced features for:
       ○ FreeIPA integration
       ○ AD integration
  19. SSSD Architecture Simplified
     [Diagram labels: Identity Server, Authentication Server; three Clients; SSSD: Domain Provider (Identity Provider, Authentication Provider), PAM Responder, NSS Responder, Cache.]
  20. SSSD: Why?
     ● Supports everything that previous UNIX solutions support and more
     ● Brings architecture to the next level
     ● Supports multiple sources – domains
     ● Supports IdM specific features
     ● Supports trusts between AD and IdM
     ● Has feature parity with winbind in core areas and surpasses it in some
  21. Realmd: A couple of words
     ● Component of Linux
     ● Main goal is to detect domain environment using DNS (detection)
       ○ AD
       ○ FreeIPA
       ○ Kerberos
     ● Join system to the domain (using SSSD or Winbind)
     ● Do it in one command or click
     ● Availability: command line, D-BUS interface, system installer, desktop
  22. SSSD Based Direct Integration
     [Diagram labels. Active Directory: DNS, LDAP, KDC. Linux System: SSSD; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution.]
     ● Authentication can be LDAP or Kerberos
     ● AD can be extended to serve basic sudo and automount
     ● Can map AD SID to POSIX attributes or use SFU/IMU
     ● Can join system into AD domain (realmd)
     ● Leverages native AD protocols and LDAP/Kerberos
     ● GPO support for HBAC is available
     ● Other policies are delivered via configuration files and managed locally or via a config server like Satellite or Puppet.
  23. SSSD Based Direct Integration: Pros and Cons
     ● Pros:
       ○ Does not require SFU/IMU but can use them
       ○ Can be used with different identity sources
       ○ Support transitive trusts in AD domains and trusts with FreeIPA
       ○ Supports CIFS client and Samba FS integration
       ○ GPO for Windows based HBAC
       ○ Well known now?
     ● Cons:
       ○ No NTLM support, no support for AD forest trusts
       ○ No SSO with OTP
       ○ Not all policies are centrally managed
  24. Direct Integration: Option Summary
     ● Use SSSD - it provides good enough integration out of box, free and well supported
     ● Use Winbind if you have special cases when NTLM or cross forest trusts are needed (*)
     ● Use 3rd party if you want super advanced functionality and have extra money
     ● Do not use legacy setup
  25. Direct Integration: More information
     ● Please read my blog :-)
       ○ http://rhelblog.redhat.com/author/dpalsecam/
     ● Comparison:
       ○ http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-options/
       ○ It is 2.5 years old but gives a good foundation
  26. Direct Integration: Issues
     ● Policy management is still not fully central
     ● Might require deprecated extensions on the AD side
     ● Per system CALs add to cost
     ● Linux/UNIX administrators do not have control over the environment
  27. FreeIPA/IdM
  28. FreeIPA/IdM: Introduction
     ● IdM – Identity Management in Red Hat Enterprise Linux
     ● Based on FreeIPA open source technology
     ● IPA stands for Identity, Policy, Audit
     ● So far we have focused on identities and related policies
     ● Audit is coming but it is bigger than FreeIPA
  29. Problems FreeIPA/IdM Solves
     ● Central management of authentication and identities for Linux clients
       ○ Improvement over standalone LDAP/Kerberos/NIS based solutions
       ○ Simplify management of infrastructure
     ● Gateway between the Linux/UNIX infrastructure and Active Directory
  30. FreeIPA/IdM High Level Architecture
     [Diagram labels: KDC (MIT Kerberos), LDAP (389 DS), PKI (Dogtag), DNS (Bind), CLI/UI; Linux, UNIX, Admin.]
  31. FreeIPA/IdM Integration
     [Diagram labels. FreeIPA/IdM: DNS, LDAP, KDC, PKI. Linux System: SSSD; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution, Certificates/Keys.]
     ● Authentication can be LDAP or Kerberos
     ● And more: netgroups, automembership, OTP...
  32. Demo
     ● https://ipa.demo1.freeipa.org/
     ● I bet we will not have time!
  33. FreeIPA/IdM Features
     ● Centralized authentication via Kerberos or LDAP
     ● Identity management:
       ○ users, groups, hosts, host groups, netgroups, services
       ○ user lifecycle management
     ● Manageability:
       ○ Simple installation scripts for server and client
       ○ Rich CLI and web-based user interface
       ○ Pluggable and extensible framework for UI/CLI
       ○ Flexible delegation and administrative model
         ■ Self, delegated, role based; read permissions
  34. FreeIPA/IdM Features: Continued
     ● Host-based access control
     ● Centrally-managed SUDO
     ● SSH key management
     ● Group-based password policies
     ● Automatic management of private groups
     ● Can act as NIS server for legacy systems
     ● Painless password migration
     ● SELinux user mapping
     ● Auto-membership for hosts and users
     ● Serving sets of automount maps to different clients
     ● Different POSIX data and SSH keys for different sets of hosts
  35. FreeIPA/IdM Features: DNS
     ● DNS is optional but convenient
     ● Advantages (automation and security):
       ○ The SRV records get created automatically
       ○ Host records get created automatically when hosts are added
       ○ The clients can update their DNS records in a secure way (GSS-TSIG)
       ○ The admin can delegate management of the zones to whomever he likes
       ○ Built in DNSSEC support (Tech Preview)
     ● Disadvantages:
       ○ You need to delegate a zone
  36. FreeIPA/IdM: More Features
     ● Replication:
       ○ Supports multi-server deployment based on the multi-master replication (up to 60 replicas)
       ○ Recommended deployment 2K-3K clients per replica
       ○ Details depend on the number of data centers and their geo-location
     ● 2FA
       ○ Native HOTP/TOTP support with FreeOTP and Yubikey
       ○ Proxied 2FA authentication over RADIUS for other solutions
       ○ 2FA for AD users (in future)
     ● Backup and Restore
     ● Compatibility with broad set of clients (LINUX/UNIX)
  37. FreeIPA/IdM Features: PKI
     ● CA related capabilities
       ○ Certificate provisioning for users, hosts and services
       ○ Multiple certificate profiles
       ○ Sub CAs
       ○ Smart Card authentication
       ○ PKINIT authentication
  38. FreeIPA/IdM Features: PKI
     ● CA deployment types
       ○ CA-less
       ○ Chained to other CA
       ○ Self signed root
     ● Tool to change deployment type and rotate CA keys
       ○ Flexibility in deploying CAs on different replicas
     ● Key store (Vault)
  39. Indirect Integration using FreeIPA/IdM
  40. Integration Options
     [Diagram. Indirect Integration: three Linux systems connected to FreeIPA/IdM, which connects to Active Directory.]
  41. Integration Paths: Overview
     ● User and password synchronization (not recommended)
     ● Cross forest trusts (recommended)
  42. Synchronization Solution: Overview
     ● LDAP level synchronization
     ● AD is the authoritative source - one way sync
     ● No group synchronization, only users
     ● Only one domain can be synchronized
     ● Single point of failure - sync happens only on one replica
     ● Limited set of attributes is replicated
     ● Passwords need to be captured and synced
       ○ Requires a plugin on every AD DC
       ○ Mismatch of password policies can lead to strange errors
  43. FreeIPA/IdM AD Integration with Trust
     [Diagram labels. FreeIPA/IdM: DNS, LDAP, KDC, PKI. Active Directory: DNS, LDAP, KDC, PKI. Linux System: SSSD; Policies: sudo, HBAC, automount, selinux, ssh keys. Links: Authentication, Identities, Name Resolution, Certificates/Keys.]
  44. FreeIPA/IdM AD Integration with Trust
     [Same diagram, with the label: Chain]
  45. FreeIPA/IdM AD Integration with Trust
     [Same diagram, with the label: Delegate Zone]
  46. FreeIPA/IdM AD Integration with Trust
     [Same diagram, with the label: Cross Forest Trust]
  47. FreeIPA/IdM AD Integration with Trust
     [Same diagram as slide 43]
  48. User Mapping: Details
     ● Can leverage SFU/IMU for POSIX (brown field)
     ● Can do dynamic mapping of the SIDs to UIDs & GIDs (green field)
     ● Static override with ID views
  49. Trust: Details
     ● Two-way and one-way trust (FreeIPA trusts AD)
       ○ AD/Samba DC trusting FreeIPA is on the roadmap
     ● Trust agents (different behavior of different replicas)
     ● Migration from the sync to trust
  50. Trust Based Solution: Pros and Cons
     ● Pros:
       ○ Free (FreeIPA/IdM is a part of OS)
       ○ Reduces cost – no CALs or 3rd party
       ○ Policies are centrally managed
       ○ Gives control to Linux admins
       ○ Enables independent growth of the Linux environment
       ○ No synchronization required
       ○ Authentication happens in AD
       ○ Great tool for troubleshooting AD misconfigurations
  51. Trust Based Solution: Pros and Cons
     ● Requirement:
       ○ Proper DNS setup
     ● Cons:
       ○ Separate server
  52. Summary
     ● There are different paths to AD integration: direct or indirect
     ● SSSD is recommended for direct integration for small environments up to 30-50 systems
     ● FreeIPA/IdM is recommended for bigger environments where management needs to scale and be automated
  53. Questions?
  54. THANK YOU!
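
As an added example (not part of the original deck or of any Red Hat tooling): a small Python check that sorts a host's NSS and PAM configuration into the deck's direct-integration categories (SSSD, winbind, legacy) and lists the legacy modules that the option summary says not to use. The function names and the sample file contents are constructed for illustration; the category of each module follows the "Direct Integration Options" slide.

```python
import re

# Categories follow the deck's "Direct Integration Options" slide. "ldap" is
# the nsswitch source name served by nss_ldap or nslcd.
NSS_SOURCES = {"sss": "sssd", "winbind": "winbind", "ldap": "legacy"}
PAM_MODULES = {"pam_sss.so": "sssd", "pam_winbind.so": "winbind",
               "pam_ldap.so": "legacy", "pam_krb5.so": "legacy"}
IDENTITY_DBS = {"passwd", "group", "shadow"}

# Constructed sample files (not taken from a real host).
SAMPLE_NSSWITCH = """\
passwd:  files sss
group:   files sss [NOTFOUND=return] ldap
"""
SAMPLE_PAM = """\
auth     sufficient  pam_unix.so nullok
auth     [success=1 default=ignore] pam_krb5.so use_first_pass
auth     sufficient  pam_sss.so forward_pass
#auth    sufficient  pam_ldap.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

def _active(text):  # yields non-empty lines with '#' comments stripped
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def nss_findings(nsswitch_text):
    found = []
    for line in _active(nsswitch_text):
        db, _, sources = line.partition(":")
        if db.strip() in IDENTITY_DBS:
            # Remove action items such as [NOTFOUND=return] before splitting.
            for src in re.sub(r"\[[^\]]*\]", " ", sources).split():
                if src in NSS_SOURCES:
                    found.append((NSS_SOURCES[src], f"nsswitch {db.strip()}: {src}"))
    return found

def pam_findings(pam_text):
    found = []
    for line in _active(pam_text):
        for field in line.split():
            module = field.rsplit("/", 1)[-1]  # accept absolute module paths
            if module in PAM_MODULES:
                found.append((PAM_MODULES[module], f"pam {line.split()[0]}: {module}"))
                break
    return found

def classify(nsswitch_text, pam_text):
    findings = nss_findings(nsswitch_text) + pam_findings(pam_text)
    stacks = sorted({stack for stack, _ in findings})
    legacy = [where for stack, where in findings if stack == "legacy"]
    return {"stacks": stacks, "legacy": legacy, "mixed": len(stacks) > 1}
```

On a real host the two arguments would be the contents of `/etc/nsswitch.conf` and the relevant file under `/etc/pam.d/`; a non-empty `legacy` list or `mixed` set to true marks a system worth reviewing.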