6 Replies Latest reply on Aug 8, 2019 12:28 AM by Dude!

    Oracle Linux IdM

    jkinninger

I am researching various solutions that would allow us to eliminate our use of Centrify. We are using Centrify to bridge our Linux systems to AD so we don't have local accounts but rather all users are created and stored in AD. With Centrify we also prevent all authenticated users and create specific AD groups which allow users assigned to these server AD groups to log in. Centrify gives us Group Policy which we use to disable root login in the SSH config.


To replace Centrify I am looking at IdM which is included with Oracle Linux. I was using this link - https://www.linuxsysadmins.com/step-by-step-installing-an-identity-management-server-in-linux-using-ipa/ to try and get things stood up, but I don't want to use the IdM DNS but rather keep our Microsoft DNS. Is that possible? I don't want to (actually, I am a bit scared to install this) break anything in our AD environment. Anyone have a good guide on installing IdM using Microsoft DNS, not the DNS with IdM? I was going to look at leveraging something like Ansible to maintain the SSH config that disables root login. I believe I can also disable authenticated users and then use the current AD groups and assign them to the servers in IdM to allow approved users to log in to the system. I thought I read that IdM can also keep and maintain sudo files for each server.


Is there anything that would work better, or would IdM fit the bill? Not needing anything extravagant, at least I don't think I need anything too great, to replace our current use of Centrify.


      Any advice, tips, or helpful hints are greatly appreciated.

        • 1. Re: Oracle Linux IdM
          feeble

I am currently in the middle of a project in which we are migrating to AD. We have been using OpenLDAP for auth for a few years and it's been fine. My favorite part is having sudoers in LDAP. But for this project we are just joining hosts to AD using realmd. It's really simple and works well. I created an Ansible role for adding machines to the domain. Part of the role is creating a group for each server. Then when users want access to a host they request that they be added to that group. Realmd has a simple_allow_group directive that is in sssd. The process added the group.


My only gripe is that now we are moving back to handling sudo locally per machine. It's not horrible; we actually manage it via Ansible as well. I have been using this role to manage sudo on hosts.


          https://github.com/ahuffman/ansible-sudoers


          Since the functionality is there, I did not opt for having a separate IDM that syncs with AD.

          • 2. Re: Oracle Linux IdM
            jkinninger

Nice! That is what I am thinking as well but still need to gain more knowledge with Ansible. I like the way you are doing it as that is what I am envisioning as well. Don't want to overcomplicate this, and in a dominant Windows environment I am dealing with less than 150 Oracle Linux servers. Several are web servers that users just access the web dirs on with Samba, so they don't SSH into them at all.


I'll check out your Ansible stuff, thanks for the share!

            • 3. Re: Oracle Linux IdM
              Dude!

From what I understand, Centrify Authentication Service allows joining Linux and UNIX to Active Directory, whereas Linux IdM is AD for Linux, designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and Windows.


              What is the reason to replace Centrify?


              What about Red Hat SSSD?


              https://www.linuxtechi.com/integrate-rhel7-centos7-windows-active-directory/

              https://blog.centrify.com/centrify-vs-sssd-for-integrating-linux-with-active-directory/

              • 4. Re: Oracle Linux IdM
                jkinninger

For our use case, and in my opinion, we are paying way too much money for a product that we use 1/3 of the capability of. I am looking at SSSD and have a few test systems running with just that, and it appears to be fine. My issue is the administration of the sudo files, which I am going to look into more, using the suggestion that feeble provided. Just needing a way to allow only AD users to access a Linux server, I believe SSSD will fit the bill. One major issue will be, when I migrate those Centrify machines over, maintaining the UIDs and GIDs that are currently in place. I also didn't know about maintaining sudo within AD, so I am going to research that as an option as well.


Again, we disable authenticated users and have AD groups assigned to each server. When users get placed into these AD groups they get access to the OL Linux server. I don't think paying what we do for that is necessary. It would be nice to take those funds and put them towards something more useful, if that makes sense.


                Thanks for the links!

                • 5. Re: Oracle Linux IdM
                  jkinninger

                  One issue I am experiencing is how to prevent all authenticated users from gaining access. I thought the 'realm permit -g activedirectorydomaingroup@domain' would deny everyone and only allow users in this group but on my test server this doesn't appear to be the case. I have a user who tried to ssh into the server and was able to do so even though they weren't part of the AD group I permitted to have access.


                  Is there something else I need to do?

                  • 6. Re: Oracle Linux IdM
                    Dude!

I'm no expert at configuring AD access under Linux, but the following URL seems to address your problem.


                    https://access.redhat.com/solutions/70472


                    You can create a developer ID without paying for a subscription to browse the knowledge-base.


                    From what I understand, realm -g restricts AD access to a specific group, but you need to configure /etc/security/access.conf or /etc/sssd/sssd.conf to restrict local access. Apparently PAM offers more security options if you require more complexity.


                    https://www.centos.org/forums/viewtopic.php?t=53403

                    https://access.redhat.com/solutions/715173


Btw, I suggest creating a new thread for better topic alignment and avoiding single threads that address multiple topics.
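The "allow only one AD group" question raised in replies 1, 5 and 6 comes down to two files: the `[domain/...]` section of `/etc/sssd/sssd.conf` (what `realm permit -g` edits, via `access_provider = simple` and `simple_allow_groups`) and, if pam_access is in the PAM stack, `/etc/security/access.conf`. The following is an added example written for this thread, not code from any of the posters or from the linked articles: a small audit that parses constructed copies of both files and flags the two fail-open cases a tester would otherwise only discover by logging in as an unapproved user. The domain name, group name and file contents are constructed sample values; the decision logic mirrors the documented behaviour that `access_provider` defaults to `permit`, that the simple provider grants access when all of its lists are empty, and that pam_access grants access when no rule matches.

```python
"""Audit sssd.conf and access.conf for a 'only these AD groups may log in' policy.

Added example for this thread; all file contents below are constructed samples.
"""
import configparser
from typing import List, Set, Tuple

# Constructed sample: what `realm permit -g linux-admins@example.com` is expected
# to leave in /etc/sssd/sssd.conf (domain and group names are assumptions).
SSSD_CONF_RESTRICTED = """
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins@example.com
"""

# Constructed sample: a domain section that lets every authenticated AD user in.
SSSD_CONF_OPEN = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = permit
"""

# Constructed sample /etc/security/access.conf: first matching rule wins, so the
# closing deny-all line is what turns the file into an allow-list.
ACCESS_CONF = """
+ : root : LOCAL
+ : (linux-admins@example.com) : ALL
- : ALL : ALL
"""


def audit_sssd(text: str) -> List[str]:
    """Return findings for every [domain/...] section; empty list means restricted."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        provider = cfg.get(section, "access_provider", fallback=None)
        if provider is None:
            findings.append(f"{section}: access_provider unset, defaults to 'permit' (everyone may log in)")
        elif provider == "permit":
            findings.append(f"{section}: access_provider = permit (everyone may log in)")
        elif provider == "simple":
            groups = cfg.get(section, "simple_allow_groups", fallback="").strip()
            users = cfg.get(section, "simple_allow_users", fallback="").strip()
            if not groups and not users:
                findings.append(f"{section}: simple provider with empty allow lists grants everyone")
        else:
            # ad/ldap providers decide via their own filters or GPOs; flag for manual review
            findings.append(f"{section}: access_provider = {provider}, verify its filter/GPO settings")
    return findings


def parse_access_conf(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'permission : users : origins' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in access.conf line: {raw!r}")
        rules.append((perm, users, origins))
    return rules


def _user_matches(field: str, user: str, groups: Set[str]) -> bool:
    # ALL matches anyone, (name) forces a group match, bare names match user or group.
    # The EXCEPT keyword is not modelled here.
    for item in field.split():
        if item == "ALL":
            return True
        if item.startswith("(") and item.endswith(")"):
            if item[1:-1] in groups:
                return True
        elif item == user or item in groups:
            return True
    return False


def access_allowed(rules, user: str, groups: Set[str], origin: str = "ALL") -> bool:
    """Simulate pam_access: first rule matching user and origin decides; no match grants."""
    for perm, users, origins in rules:
        if not any(o == "ALL" or o == origin for o in origins.split()):
            continue
        if _user_matches(users, user, groups):
            return perm == "+"
    return True


if __name__ == "__main__":
    print("restricted sssd.conf:", audit_sssd(SSSD_CONF_RESTRICTED) or "ok")
    print("open sssd.conf:", audit_sssd(SSSD_CONF_OPEN))
    rules = parse_access_conf(ACCESS_CONF)
    print("bob allowed?", access_allowed(rules, "bob", {"domain users@example.com"}))
```

Running it against a real host means reading the two files instead of the embedded strings; the thing to look for after `realm permit -g` is that the `[domain/...]` section really says `access_provider = simple` with the group listed, and that sssd was restarted and its cache considered, since the audit only inspects configuration, not cached authorisation state.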