
Migrating to IdM in a large Linux Environment


1 Migrating to IdM in a large Linux Environment
Dustin Minnich Senior Information Systems Engineer 02/03/2018

2 The Environment
Known Knowns / Known Unknowns / "Organized" Chaos
- ~3000 IT managed VMs
- At least 800 IT managed cloud instances
- ~ employees
- ~100 SSO integrations
- Mostly config managed or blessed builds on IT systems
- Server environment 95% RHEL
- Complex account lifecycle processes
- Ridiculously high LDAP traffic hitting legacy LDAP (389 DS)
- Caching is hard, abusing IT systems is easy
- Engineering and lab traffic
- Shadow-IT node traffic
- Containers everywhere
- Windows, Mac and BYOD counts
- "Mission critical" applications running under desks
- Vendors and applications are getting LDAP data and are using it

3 Old Config

4 Old Config diagram: DC1 replicating to DC2,3,X
- MIT Kerberos master (DC1) / MIT Kerberos slave (DC2,3,X)
- RHCS/Dogtag PKI masters (DC1) / RHCS/Dogtag PKI slave (DC2,3,X)
- RHDS/389 LDAP multi-master (DC1) / RHDS/389 LDAP multi-master (DC2,3,X)
- DNS master (DC1) / DNS slave (DC2,3,X)

5 IT Managed Systems
- EL6: nss-pam-ldapd + pam_krb5 + nslcd + nscd
- EL7: SSSD
- Puppet managed
IT supported clients: RHEL 7 / Windows / Mac OS X
Self configured: BYOD or self-managed systems (Fedora, RHEL, and literally everything else)

6 Perfect World Config

7

8 IT Managed Systems
- EL6: SSSD / ipa-client
- EL7: SSSD / ipa-client
- Puppet managed
RPM and remote support managed
Instructions for common BYOD setups

9 Getting There

10 Migration Plan
Phase 1: Existing infra + IDM cross realm trust + DNS zone delegation
Phase 2: MIT Kerberos cutoff
Phase 3: RHDS cutoff or reduced
Phase 4: RHCS cutoff
Phase 5: OTP, BIND?

11 Known Limits
IdM migration is still rough:
- Cross realm Kerberos support is not a supported configuration. It works, but there are some bugs, etc.
- Out-of-the-box migration tools are limited.
- Some internal applications store their data in LDAP in custom OUs using custom schemas. IDM is built and optimized for standard user and group data. So we either dirty up IDM or continue running a reduced RHDS offering.
- Our current RHCS system uses an HSM for key storage. IDM doesn't support that yet, but HSM support is on the radar.
- Some networking gear talks RADIUS to our current OTP solution.
- Our DNS infrastructure is large and managed in a way that people are used to.

12 Phase 1 Challenges

13 Password Migration
$ ldapsearch -LLL -Y GSSAPI 'uid=dminnich' cn userPassword
cn: Dustin Minnich
$ ldapsearch -LLL -Y GSSAPI -b "cn=PAM Pass Through Auth,cn=plugins,cn=config" nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
(No userPassword comes back for the user: the legacy 389 DS has the PAM Pass Through Auth plugin enabled, so binds are verified by MIT Kerberos and no password hash is stored in LDAP.)

14 Password Migration Problem
IDM officially supports:
- Mass setting passwords and communicating those to users. Management nightmare.
- SSSD. Tries userPassword then sets krb hash. We don't have userPassword.
- Web UI migration. Tries userPassword then sets krb hash. We don't have userPassword.

15 Password Migration Solution
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: uid=passwordservice…
- Can set passwords on any account.
- A custom SAML-authenticated webapp that requires end users' legacy credentials to access it has been created.
- This application then uses the custom, super powerful passwordservice account and the IDM REST API to set any user's new password.
- Bypasses the user password reset requirement. Normally, when an admin sets a user's password, that user is forced to change it upon first use.
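The core of that hand-off, as an added example (this is not the speaker's webapp, and the IdM URL, API version and passwordservice DN are assumed values): the LDIF that registers the pass-sync DN, the JSON-RPC call that sets the password, and the two checks the handler must do before spending that privilege, since the pass-sync account can set anyone's password. The transport is injectable so the flow can be exercised without an IdM server.

```python
"""Password hand-off for users whose legacy directory stores no userPassword.

Added example (not the speaker's webapp). Hypothetical values: IdM at
https://ipa.example.com, API version 2.230, and the pass-sync account
uid=passwordservice,cn=users,cn=accounts,dc=example,dc=com.
"""
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Callable, Optional, Tuple

IPA_URL = "https://ipa.example.com"                                        # assumption
API_VERSION = "2.230"                                                       # assumption
PASSSYNC_DN = "uid=passwordservice,cn=users,cn=accounts,dc=example,dc=com"  # assumption

# Applied once as Directory Manager (ldapmodify -f ...). A DN listed here may set
# any user's password, and the password is NOT marked expired the way an
# admin-set password is, so the user is not forced to change it at first login.
PASSSYNC_LDIF = f"""dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: {PASSSYNC_DN}
"""

# (path, headers, body) -> (status, body); injectable so the flow can run offline.
Poster = Callable[[str, dict, bytes], Tuple[int, bytes]]


def build_user_mod_password(uid: str, new_password: str) -> dict:
    """JSON-RPC body equivalent to `ipa user_mod UID --password`."""
    return {"method": "user_mod",
            "params": [[uid], {"userpassword": new_password, "version": API_VERSION}],
            "id": 0}


def encode_user_mod_password(uid: str, new_password: str) -> bytes:
    return json.dumps(build_user_mod_password(uid, new_password)).encode()


class IpaSession:
    """Form login plus JSON-RPC against IdM's /ipa/session endpoints."""

    def __init__(self, base_url: str = IPA_URL, poster: Optional[Poster] = None):
        self.base_url = base_url
        self._jar = CookieJar()           # holds the ipa_session cookie after login
        self._post = poster or self._urllib_post

    def _urllib_post(self, path: str, headers: dict, body: bytes) -> Tuple[int, bytes]:
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self._jar))
        req = urllib.request.Request(self.base_url + path, data=body,
                                     headers=headers, method="POST")
        with opener.open(req) as resp:
            return resp.status, resp.read()

    def _headers(self, content_type: str, accept: str) -> dict:
        # IdM rejects session requests that lack a Referer inside /ipa.
        return {"Content-Type": content_type, "Accept": accept,
                "Referer": self.base_url + "/ipa"}

    def login(self, user: str, password: str) -> None:
        status, _ = self._post("/ipa/session/login_password",
                               self._headers("application/x-www-form-urlencoded", "text/plain"),
                               urllib.parse.urlencode({"user": user, "password": password}).encode())
        if status != 200:
            raise PermissionError(f"IdM login failed: HTTP {status}")

    def user_mod_password(self, uid: str, new_password: str) -> dict:
        status, body = self._post("/ipa/session/json",
                                  self._headers("application/json", "application/json"),
                                  encode_user_mod_password(uid, new_password))
        if status != 200:
            raise RuntimeError(f"user_mod failed: HTTP {status}")
        reply = json.loads(body)
        if reply.get("error"):
            raise RuntimeError(f"user_mod failed: {reply['error']}")
        return reply["result"]


def migrate_password(saml_subject: str, uid: str, legacy_password: str, new_password: str,
                     legacy_auth: Callable[[str, str], bool], ipa: IpaSession) -> dict:
    """Handler core for one request.

    The pass-sync account can set *any* password, so the target uid must be the
    SAML-asserted subject (never a form field), and the caller must first prove
    the legacy credential, e.g. with a simple bind to RHDS, which the PAM
    pass-through plugin verifies against MIT Kerberos."""
    if saml_subject != uid:
        raise PermissionError("target uid does not match the authenticated subject")
    if not legacy_auth(uid, legacy_password):
        raise PermissionError("legacy credential check failed")
    return ipa.user_mod_password(uid, new_password)
```

In production the webapp calls `IpaSession.login()` once with the passwordservice credential and keeps that session; `legacy_auth` would be a simple bind against the old 389 DS, which is exactly the check that still works while no userPassword exists. Rate-limit the handler and log every call with the SAML subject, because a bug in either check turns it into a password-reset oracle for the whole directory.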

16 Data Synchronization Problem
IDM officially supports ipa migrate-ds:
- Used it for initial data import. Good for a one and done approach.
- To support gradual migrations we need to have both the old and new data sources running simultaneously.
- RHDS will be source of authority for some data and IDM for others, based on migration status and business logic.
- migrate-ds doesn't support this kind of stuff. DO NOT DO THIS if you can help it.

17 Data Synchronization Solution
- Complex custom code that is run out of cron
- Compares entries at a per-attribute level, taking into account different OU structures
- If attribute(s) don't match, update the other data source with what the SOA has, taking into account schema differences
- Add / purge full entries based on similar logic
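What that comparison looks like, as an added example (not the speaker's cron job): a planner that diffs the two trees attribute by attribute, with a per-attribute source of authority that flips to IdM once a user is marked migrated, and that emits add/purge operations for whole entries under the same rule. The base DNs, the attribute map (including one custom legacy attribute), the authority table and the sample entries are all constructed for illustration.

```python
"""Per-attribute reconciliation between the legacy RHDS tree and IdM.

Added example, not the speaker's cron job. Base DNs, attribute map,
authority rules and sample entries are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

LEGACY_BASE = "ou=People,dc=example,dc=com"          # assumption
IDM_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # assumption

# Synced attributes keyed by IdM name: (legacy name, side that is source of
# authority while the user is not yet migrated). Once a user is migrated, IdM
# is authoritative for the whole entry, including whether it exists at all.
SYNCED = {
    "cn":               ("cn",                "legacy"),
    "mail":             ("mail",              "legacy"),
    "telephonenumber":  ("telephoneNumber",   "idm"),     # self-service in IdM
    "departmentnumber": ("exampleDepartment", "legacy"),  # custom legacy schema
}


@dataclass
class Change:
    target: str            # "idm" or "legacy": the side being brought in line
    dn: str
    op: str                # "replace", "delete", "add_entry", "delete_entry"
    attr: str = ""
    values: List[str] = field(default_factory=list)
    entry: Entry = field(default_factory=dict)


def legacy_dn(uid: str) -> str:
    return f"uid={uid},{LEGACY_BASE}"


def idm_dn(uid: str) -> str:
    return f"uid={uid},{IDM_BASE}"


def get_attr(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; look them up that way."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def translate(entry: Entry, to: str) -> Entry:
    """Rewrite an entry into the other side's schema, keeping only synced attributes."""
    out: Entry = {"uid": list(get_attr(entry, "uid"))}
    for idm_name, (legacy_name, _) in SYNCED.items():
        src, dst = (legacy_name, idm_name) if to == "idm" else (idm_name, legacy_name)
        vals = get_attr(entry, src)
        if vals:
            out[dst] = list(vals)
    return out


def plan_sync(legacy: Dict[str, Entry], idm: Dict[str, Entry], migrated: Set[str]) -> List[Change]:
    """Return the modifications that bring the non-authoritative side in line with the SOA."""
    changes: List[Change] = []
    for uid in sorted(set(legacy) | set(idm)):
        entry_soa = "idm" if uid in migrated else "legacy"
        src, dst = (idm, legacy) if entry_soa == "idm" else (legacy, idm)
        dst_name = "legacy" if entry_soa == "idm" else "idm"
        dst_dn = legacy_dn(uid) if dst_name == "legacy" else idm_dn(uid)

        if uid not in src:                     # gone on the authoritative side: purge
            changes.append(Change(dst_name, dst_dn, "delete_entry"))
            continue
        if uid not in dst:                     # new on the authoritative side: add
            changes.append(Change(dst_name, dst_dn, "add_entry", entry=translate(src[uid], dst_name)))
            continue

        for idm_name, (legacy_name, attr_soa) in SYNCED.items():
            soa = "idm" if uid in migrated else attr_soa
            src_e, dst_e = (idm[uid], legacy[uid]) if soa == "idm" else (legacy[uid], idm[uid])
            src_attr, dst_attr = (idm_name, legacy_name) if soa == "idm" else (legacy_name, idm_name)
            tgt = "legacy" if soa == "idm" else "idm"
            tgt_dn = legacy_dn(uid) if tgt == "legacy" else idm_dn(uid)
            want, have = get_attr(src_e, src_attr), get_attr(dst_e, dst_attr)
            if set(want) == set(have):
                continue
            if want:
                changes.append(Change(tgt, tgt_dn, "replace", dst_attr, list(want)))
            else:
                changes.append(Change(tgt, tgt_dn, "delete", dst_attr))
    return changes


# Constructed sample trees (not real data): dminnich is unmigrated, alice is migrated,
# newhire exists only in legacy, leaver was removed from IdM after migration.
LEGACY_SAMPLE: Dict[str, Entry] = {
    "dminnich": {"uid": ["dminnich"], "cn": ["Dustin Minnich"], "mail": ["dminnich@example.com"],
                 "telephoneNumber": ["+1 555 0100"], "exampleDepartment": ["IT"]},
    "alice":    {"uid": ["alice"], "cn": ["Alice Jones"], "mail": ["alice@example.com"],
                 "telephoneNumber": ["+1 555 0123"], "exampleDepartment": ["Finance"]},
    "newhire":  {"uid": ["newhire"], "cn": ["New Hire"], "mail": ["newhire@example.com"],
                 "exampleDepartment": ["Finance"]},
    "leaver":   {"uid": ["leaver"], "cn": ["Left Company"]},
}
IDM_SAMPLE: Dict[str, Entry] = {
    "dminnich": {"uid": ["dminnich"], "cn": ["Dustin Minnich"], "mail": ["dustin@example.com"],
                 "telephonenumber": ["+1 555 0199"], "departmentnumber": ["IT"]},
    "alice":    {"uid": ["alice"], "cn": ["Alice Smith"], "mail": ["alice@example.com"],
                 "departmentnumber": ["Finance"]},
}
MIGRATED = {"alice", "leaver"}


def demo() -> List[Change]:
    return plan_sync(LEGACY_SAMPLE, IDM_SAMPLE, MIGRATED)


if __name__ == "__main__":
    for change in demo():
        print(change)
```

The planner only produces a change list; an executor would apply `replace`/`delete` with ldapmodify on the target side and turn `add_entry` into `ipa user-add` (IdM wants its own objectclasses and POSIX attributes, not a raw ldapadd). Run it from cron in dry-run mode first and diff the plans between runs: a sync that flaps an attribute back and forth is the classic sign that both sides think they own it.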

18 Poor bi-directional trust support in apps
Problem: some applications force a check of the principal's realm
- Via code: RHSSO
- Via per-user config: Zimbra
- Via global configs: SSH, mod_auth_kerb

19 Poor bi-directional trust support in apps
Solution:
- File RFEs for code issues
- Make application and/or per-user config changes based on vendor recommendations
- auth_to_local in krb5.conf, plus code changes and hacks to get around bugs, for SSH and applications that use system settings
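The auth_to_local piece, as an added example (not the speaker's configuration; the realm names IPA.EXAMPLE.COM and LEGACY.EXAMPLE.COM are assumed). It maps a principal from the legacy MIT realm, reached over the cross-realm trust, onto the local account of the same name, which is what sshd's GSSAPI user check and other krb5_aname_to_localname() callers consult. It goes into the [realms] block for the IdM realm that ipa-client-install already wrote; per slide 21, a /etc/krb5.conf.d/ drop-in that defines that realm makes the installer bomb out, so add it after enrollment rather than before.

```ini
# /etc/krb5.conf, inside the realm block ipa-client-install created
# (kdc/admin_server lines etc. left as the installer wrote them).
[realms]
    IPA.EXAMPLE.COM = {
        # One-component principals user@LEGACY.EXAMPLE.COM become the local
        # user "user". [1:$1@$0] builds "component1@realm"; the anchored
        # regexp limits the rule to exactly that realm, so a principal from
        # any other trusted realm does not get mapped by accident.
        auth_to_local = RULE:[1:$1@$0](^.*@LEGACY\.EXAMPLE\.COM$)s/@LEGACY\.EXAMPLE\.COM$//
        # Everything else follows the default rule: only principals in the
        # local realm map, to their first component.
        auth_to_local = DEFAULT
    }
```

This is a name mapping, not an identity check: it assumes uid namespaces are the same on both sides (which the attribute sync above keeps true). Verify with `ssh -K user@host` while holding only a LEGACY.EXAMPLE.COM TGT, and leave the realm anchor in place; an unanchored `s/@.*$//` would let any realm the host trusts log in as any local user of the same name.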

20 Other Issues We Hit
- automember doesn't remove people from groups on condition changes. IE: changing a user's department attribute from IT to Finance doesn't remove the user from the IT group.
- "Size limit exceeded (4)" and "Search result has been truncated: Configured size limit exceeded" errors on CLI and GUI despite lookthrough being infinite.
- The product's Full Server Backup solution requires taking a node offline. However, you can't currently build a node and have IDM not advertise it to clients via SRV records. You also can't adjust the priority on the SRV records, as ipa-client-install just chooses one at random.

21 Other Issues We Hit
- The topology graph for replication agreement management only shows short host names. If we have master01.dc01 and master01.dc02 you can't tell which is which.
- Setting custom Kerberos config in /etc/krb5.conf.d/* that includes a realm definition for the realm ipa-client-install is going to configure causes ipa-client-install to bomb out.
- ipa-client-install doesn't force /etc/openldap/ldap.conf to GSSAPI binds by default.

22 Bugs and RFEs have been filed
Some have already been fixed and some will be fixed in upcoming versions of the product.

23 Questions?

24 THANK YOU linkedin.com/in/dustinminnich

