Identity management, single sign-on and certificates with FreeIPA
Formal Metadata
Title: Identity management, single sign-on and certificates with FreeIPA
Title of Series: EuroPython 2017
Number of Parts: 160 (this is part 131 / 160)
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers: 10.5446/33691 (DOI)
Transcript: English (auto-generated)
00:05
Good morning. How are you doing? Okay, still not awake. So I'll try not to bore you to death. So hi, I'm Christian Heimes. I'm from Hamburg, Germany. Some of you may know me. I'm a Python core contributor.
00:22
I work mostly on security stuff for Python core, so SSL, the hashlib module, and, for those of you who still use Python 2, I also [inaudible] the b'' string prefix in Python 2 back there. So some of the stuff I did in the past. So I'm from Hamburg and I'm really glad I could make it here.
00:42
Usually Hamburg looks like that, except if you have the G20 summit, then it looks like that. So these are burning things in the streets and riots, and they burned lots of cars and shops. It was fun. Not. So in my professional life, I also do security things.
01:02
I'm a senior software engineer at Red Hat, now for over two years. I work on the software stack I'm now going to present to you. So FreeIPA, Dogtag, which is a part of FreeIPA, and Custodia, the secrets management, which was also part of FreeIPA. So FreeIPA, in case you wondered, it's not beer.
01:22
It's not Indian pale ale, so I won't give you free beer in the morning. Sorry. At that one, so it's Identity, Policy and Auditing. It's an open-source stack built of lots of components, I'll show you in a minute. So first the agenda, the plan for today, or the morning.
01:42
So first I will run you through a small scenario where you could benefit from identity management, then I will, oh, sorry, will explain what identity management is, we go through the features of FreeIPA, the components, how to
02:00
integrate FreeIPA, and then I'm doing a bit of demoing. So installation: I'm not going to show the actual installation because it's going to take like 10 minutes, we don't have that much time, but I'm going to show you how to actually integrate that into like an HTTP application, and a summary at the end. So
02:21
the scenario: a very simple case, you want to have a bulletin board for your company where you just share notes. What do you need? So first of all, you just need to log in. Oh, the fonts aren't showing up correctly. Oh, that's new. Oh, that one works. So there should be login, password; for some reason the fonts don't show up.
02:42
You need a user database because you also want to show real name, email address, maybe a phone number where you can reach a co-worker. You need to handle permissions. You don't want to have like the intern looking at notes from like the CTO. Of course these days you want to secure all your networks with proper TLS.
03:03
You need certificates for that, and a private key, and some infrastructure; maybe you need to renew your certs every once in a while. And finally, for people who are going to deploy the application, you need to SSH into the machine and maybe have sudo rules where they can get root privileges.
03:20
Yeah, that's going to be complicated if you have not like one machine and ten users but like 50 services like that and maybe 50 users, or 500, or 10,000 users. So don't worry, be happy.
03:40
We want to first make human resources happy. So we don't want them to add new users to like 50 databases, and also have the metadata in one place. So if somebody gets married and changes their name, they don't want to edit like 50 user databases all over the place, just one. We want to make the admins happy, so we want to have them centralize all the access control.
04:02
Don't mess with certificates manually, because the OpenSSL command line interface is just painful to use. 2FA for some services would be nice. Developers: you as a developer probably don't want to learn about how all of Kerberos or SAML works, or how to interface with LDAP.
04:20
So we want to use all of Kerberos, but not actually code that; have that automated and wrapped away for you very easily. And finally the plain users, all your coworkers, just want to have one password, one login for all the stuff you have from the company. If that sounds a bit familiar to you, there was actually a talk by a co-worker of mine
04:44
two years ago at EuroPython who explained that using a Django app. You want to know more about actually integrating the whole stack? Watch that talk. I'm more explaining like the DevOps-y part of FreeIPA and a bit more the techie part.
05:03
What's identity management? So who of you heard the term identity management before, or actually uses one? I see, well, like one third, 50%. Okay. Just first off, obviously, the Wikipedia definition:
05:21
Identity management describes the management of individual principals, the authentication, authorization and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime or repetitive tasks. So a couple of terms I made bold.
05:42
Some of you may know the terms, but not all of them, so let's get on the same page. What are they? So principal: it's just a fancy name to describe some kind of entity you want to identify. So it's not only users, because we also want to identify machines and services.
06:02
Authentication, just to make it clear: authentication is about proving who you are, so like using a password and a login name, or using a smart card, or some other fancy ways. Authorization is actually giving you access to something. So for example,
06:22
when you cross into another country you show your passport, so you're authenticating yourself, you're proving your name, and then, depending on if you're authorized to enter or not, the border guard will let you in or not. And this is often coupled with privileges to make it a bit easier. So you're in a certain group, a certain group is allowed to do something, or you can delegate permissions to somebody temporarily. Yeah, now FreeIPA.
06:49
A bit of a teaser, what the web page of FreeIPA tells you about FreeIPA. So identity: manage Linux users and client hosts in your realm from one central location with CLI, web UI or RPC, and
07:05
have a single sign-on for your applications. So that's the identity part. Policy: something, if you're an admin, also a very important thing. Once you've authenticated, you want to also grant users certain kinds of access,
07:21
and you also want to centrally manage, like for your web servers, who's allowed to log in, who's allowed to gain root privileges. So you can do like SELinux rules, autofs rules if you have NFS, sudo rules, whatever. And finally trust: so FreeIPA can also do trust,
07:41
cross-realm trust with other domains, for example Active Directory. Now if you wonder where the A, where the audit, is: we haven't got to that yet. We still haven't added actual auditing to the core of FreeIPA. That's something that is currently developed in external projects, for example console logging, where you can audit what an admin does on a machine.
08:04
That's not yet integrated. Actually, should you actually use FreeIPA? It all depends a bit. If you want to use FreeIPA just as your user database for a single server that's public on the internet, probably not, because these days you have Let's Encrypt, you get a publicly trusted certificate, you have like social login,
08:29
GitHub, Twitter, Facebook, Google, they all have like OpenID Connect providers. If you're in a university you often have a similar Shibboleth-based solution.
08:40
Just use that if you have just one public service. But if you have lots of internal services where you don't want to disclose your services to the public: for example, for Let's Encrypt you have to actually create a certificate with all the host names in them, so everybody could see your names, because they also publish their certificates in a log, although they're now adding wildcard certs.
09:05
But still, wildcard certs are very dangerous: one of your hosts gets compromised, then you can throw away the wildcard cert, you have to re-roll your whole application, your whole network basically, because your whole network got compromised with just one service leaking the private key of your certificates. So
09:24
for a non-trivial case, if you have to deal with much more than simple web pages, or more than one simple case, FreeIPA is actually a good solution. So if you have more than a trivial amount of users or admins, if you want to reuse all your information not only for just a web service but for SSH login,
09:46
but even for like email or just a Java client, I'll come to that later. You want to manage your own internal CA for all your services, maybe even for VPN logins, for smart card authentication.
10:02
Yeah, also I still remember from my first job it was rather tiresome to get logged into all machines, because the admin had to copy my public SSH key to all the machines, and edit the sudo rules. So you want to automate that in a central way.
10:20
FreeIPA is also very useful. And finally, we want to scale up: you like start up with things, oh, we might go from a couple of users to a lot of users. Yeah, that might be a good solution for you. So what is it actually?
10:42
It's a lot of components. So these are five of the most important components: you have a KDC, the Kerberos key distribution center, you have an LDAP server, you have a public key infrastructure server, you have a DNS server built in, and you have a set of tools, both web-based and command-line based,
11:05
to manage the whole solution, and much more. So MIT Kerberos: the single sign-on and the authentication between machines, for most parts; you can do more. 389 DS is an LDAP server,
11:21
originally developed by Netscape and now maintained by Red Hat. Dogtag public key infrastructure is a Java Tomcat-based solution which is built for all the large entities, now also wrapped into FreeIPA to give you a CA infrastructure. We have BIND DNS, bound to LDAP now.
11:42
We have SSSD, a daemon probably most of you don't know, I'll come to that also in a minute. We have Apache HTTPD with a couple of modules I'm going to explain later. And finally, all the tooling around, the glue code between all the stuff, including the installer and management, is all written in Python.
12:00
So who knows how Kerberos works? Okay, yeah. So Kerberos is both like a three-headed hound and also a protocol. Some of you associate it with enterprise and think it's already been dead for years. No, it's not: if you use Active Directory from Windows,
12:24
it's basically Kerberos and LDAP, and in big enterprises you also use Kerberos. It's not that complicated for end users, so I'll give you a small example of how Kerberos mostly works. It's good enough to understand how it works. So imagine
12:41
a public transport system. So a public transport system, like for example we have Rimini. You want to ride a bus in Rimini? So you have what in Kerberos is called a realm, and it's mostly written, I think always written, in uppercase. So I, as a user, want to ride a bus in Rimini. So I need an account,
13:03
so that's mostly written like that. So it's me, cheimes@RIMINI.IT, that's my user principal. We also have services and hosts, so a place like a bus stop would be like here, palacongressi.rimini.it at
13:20
realm RIMINI.IT. And finally the service, written like that: so you have like a service, a shuttle bus, starting at palacongressi.rimini.it. Yeah. So in the morning I'd like to ride the bus. So the first thing I have to do, I have to prove my identity to something called an authentication server.
13:44
From this authentication server, once I prove my identity, I'm getting a ticket back. It's called a ticket-granting ticket, like a daily pass. So when I want to ride the bus, I show this ticket-granting ticket to a ticket-
14:00
granting service. Oh no, sorry, first of all I have to store my ticket, like in my wallet; it's called a credential cache. Then I show my ticket, my ticket-granting ticket, to a ticket-granting server, and that one gives me back a ticket that's only valid for this shuttle bus, and
14:22
finally I show this ticket to the bus driver, and he has internally like a verification thingy called the keytab, and they can verify my ticket. These tickets are usually valid for a couple of hours, half a day, and that's how single sign-on works. So you have to type your password only one time, maybe with 2FA, maybe with smart card authentication, and then you have something you can use all over the place to request new tickets. And
14:51
We also have all information stored in the OLAP server, so that's a simple database all up is an hierarchical database like a tree and
15:01
Good thing is it's all standardized So both the protocol is standardized so you don't need like in the sequel world the ProseQuest or MySQL driver You just use an OLAP driver can talk to any OLAP server also, the database schemer is standardized for everything you basically need so No matter what if you talk to Windows or
15:20
Linux if they implement the correct schema part like POSIX user it works OLAPs heavily optimized for reading so You don't write that often to OLAP and they also can heavily optimize all reading operations and replication So you can have like a distributed network of OLAP servers
15:41
We have fine-grained access control. You can actually combine it with delegation to make sure that every user only sees what he's allowed to see. So delegation means: typically in a web application you have a user that logs into the web application, then you have a connection from the web application to a database server, and a database user for that web application.
16:04
We don't do that. The user logs into the web application or the command line interface, gets delegated through to the LDAP database, and the LDAP database only sees the actual user. There's no kind of special service user for the database connection. And so we can actually fine-grain which part of the data users can see, modify, query.
16:27
So any kind of SQL injection wouldn't work for LDAP, so you can even let any user directly query and access the LDAP server. They can't do any harm. And even the front-end doesn't do extra permission checks. It's all handled by the database.
16:44
And finally master-master replication with a replication topology. So that's how an LDAP server looks from a software stack called Apache Directory Studio: on the left you see a tree, on the right you see one of the leaf nodes
17:02
with my user login. And of course, if you just have one FreeIPA server, it wouldn't be very redundant. So you probably want to have two, three, five or ten servers or more. So that's handled by something called replication. Here's an example how you would do a replication between
17:24
four data centers with three or four servers. You create a couple of replication agreements and they will distribute the data and the load over time. That scales very nicely. Here's another example we did for a performance test with 60 servers.
17:40
Each of these small green things is a server. We also have a DNS server. You might wonder why a DNS server. Yeah, host names are also identities. So we have host names in the DNS server and also the reverse zone, so you don't have to create your own reverse zone mappings.
18:02
We use DNS for service discovery and failover, so we are able to get all LDAP servers from DNS, even location-based. And if some of the servers fall off, then we automatically try another one. We don't have to configure that. With the location support we make sure you try to stay in your own data center and only go to another one
18:25
if all the servers locally fail. We store your SSH fingerprints in the DNS server and we also do DNSSEC, because we can do that. So here's an example what we can get for LDAP. You see Kerberos information, a service record for LDAP and
18:44
SSH. Next thing is Dogtag, that's our CA server. It's a certification authority, you can have sub-CAs, you can do all the lifecycle of a certificate for a server.
19:01
You can have different profiles if you need a special profile for your VPN server or your web server or whatever other server you have. CRL and OCSP to revoke and check certificates. SCEP protocol, used by some, I think, Cisco machines. And also a way to
19:21
do escrow, if you want to encrypt data and store it in there. There's also HSM and smartcard support, but that's not supported with FreeIPA, only with standalone Dogtag. And finally SSSD, it's a daemon running on all your machines, even the client machines. When you enroll a client, it hooks into
19:43
PAM and NSS. PAM does, when you log into a Linux machine on the console or in KDE, GNOME or SSH, your password check, and NSS, the name service, which provides user information like give me the username, give me the group membership, give me
20:02
your autofs mapping for NFS, and it does caching and some more stuff. And finally the web user interface. That's all written in Python. Looks kind of funny. Oh, no, not here. Good, only my screen.
20:21
Management and the installers and a bunch more stuff. So OTP support, YubiKey support, some integration. We may have an Android and Apple app for the OTP, like the Google one, but actually it works with SHA-256 OTP.
20:42
So I already mentioned that you can integrate the whole stack, LDAP, Kerberos, DNS, into all the things because they are standardized. So just to give you a couple of ideas, an example of what you could do, what customers did, what we did to integrate that: you can store your email information in the LDAP server and use that.
21:04
Use Kerberos for single sign-on. You can have RADIUS for WPA Enterprise for your Wi-Fi, so you can have roaming users. VPN for some users. Nowadays, even for Kubernetes, OpenShift, you sometimes need NFS. You can use Kerberos secured NFS,
21:26
which we use internally, so a lot. Now how do you actually install this huge stack? It's a lot. So you have an LDAP server, Kerberos server, DNS server, your public key infrastructure, a signing key,
21:42
you have a couple of additional services. Sounds complicated? Well, it's not. So, quick demo setup. So I'm using Fedora 26, eh, 25. Like, just two days ago. Didn't want to update my demo setup now. But I'm using a new version of FreeIPA. That's actually not in Fedora, but
22:03
from a COPR, so like a private repo for testing. The Kerberos realm is called IPA.EXAMPLE and the DNS is the same in lower case. All the machines have the same suffix, so it's like name.ipa.example, and they all point to the master DNS server.
22:21
I have enabled some SELinux flags and the firewall is open. Yeah, so installation: these two commands, in about five to seven minutes, depending on how fast your machine is, and you have a fully running FreeIPA stack. Easy enough. Oh,
22:43
you don't even have to specify all these flags. You can even do it interactively, so if you don't give it any flags, then it will just ask you a couple of questions, and you have to type in two passwords and that's it. Then you have a fully running LDAP server, Kerberos server and CA internally, of course.
23:04
You also want to enroll your clients, so you can use all the features on your client machines or on your servers. So to enroll a client you have a similar command: install a client package, you run this command. You don't even have to specify where your server is. In fact, you shouldn't do that.
23:20
If you don't give it the server name, it will just use DNS, find the next server, enroll, and will automatically fall back to another server if the one you enrolled with is maybe having a power issue or doesn't work anymore. And that one even makes sure you create a home directory on first login, configures your Firefox if you use the UI, and will also update DNS records if your machine changes
23:46
its IP address. Looks like that. So I'm running through that because I need to be a bit short on time. For automatic enrollment, so if you don't want to do it manually, you can also create the host beforehand, use an OTP, so a one-time enrollment password, and
24:06
add that one-time enrollment password and the hostname to your Kickstart file or a bootstrap file or a golden image for the machine, and just enroll the machine with that. So you don't even have to type in your admin credentials when you enroll the machine.
24:21
So now we have a master, we have a client, now I want a replica. So we want to replicate all the data to another machine, have a backup and a failover. That's easy too. Just announce that the machine is a replica, so you add it to the ipaservers host group and run ipa-replica-install. You don't even have to type in a password,
24:45
and it will set up a failover DNS server, LDAP server, Kerberos server and CA server. Now the interesting time, hope it works: demo time. So my demos are all prepared. So I don't install the full stack now because it would take too long.
25:05
It's all scripted with Ansible. I will add the URL to the GitHub repo of my Ansible playbook shortly before I upload the slides, so you can do that at home, too. And I'm going to show you,
25:21
okay, interesting, how you can run an Apache service, so a website on Apache, without actually doing any kind of Kerberos and LDAP in your application, but just use Apache to do the heavy lifting for you.
25:41
So these are my modules: mod_auth_gssapi, mod_ssl for SSL encryption, and mod_authnz_pam for authentication and authorization, and two other modules I will explain in a minute. The setup has a couple of users and groups. So I have three users: an admin user, a user for
26:02
myself, and user Bob. With three different groups, so we have the admin group, we have a web admin group to administer the application on the server, and a web users group. Two machines, so I don't have a replica here right now because it's taking too much power and too much CPU and memory.
26:23
I have two host groups, the IPA servers group and the web servers group, a couple of HBAC rules. It's host-based access control, so we can control which user is allowed to access which host. With a special user for the web application. I have a sudo rule, so that allows the web admin to actually log into the machine. And I also have role-based access control,
26:45
that's for roles inside the IPA server, called user admin, so you can delegate FreeIPA permissions to a user or to a group of users. For example, you can give a group of users permission to manage your user accounts,
27:01
but not manage machine accounts or manage services or manage enrollment of hosts. Okay. Now you should see, yeah, perfect. Okay, that,
27:22
you know, my notes. Hmm, it doesn't want to show me the notes. Yeah, no, it works. So
27:46
to the command line. First of all, let me show you the interface. So now I'm using kinit to get my ticket granting ticket. So you see here. Big enough for you? Can you see that?
28:03
Okay, perfect, thumbs up from the back row. So the Kerberos TGT, that's my ticket granting ticket from my domain. I'm logged in as admin, and so that's the interface. I have to refresh because
28:21
I'm not going to use my password to actually access the web page. So that's the main interface of the FreeIPA web interface. If you look again, you see we have the ticket for the HTTP server for the master. Okay, now let's log in as another user
28:43
to show you. I'm going to log in, so I'm a web admin, so I have to deploy my application. Now, just to show you how the SSH plugin works, I see, you see here,
29:02
it found in DNS the fingerprint of the server. I have never logged in. My machine is not enrolled in the domain I'm working on here. If it were enrolled in the actual FreeIPA domain, I would not even see that, it would just automatically approve the keys.
29:21
So now I'm in. Okay, we also need sudo, but we already have sudo rules for my user. Got that already, so I can log in. But first, see, I delegated also my ticket to the other machine, and now I'm using the command line tools to create the demo service.
29:49
Well, so we have now a service and it's managed by the machine, so that's the machine. Oh, yeah, so now to deploy the application I need sudo rights, and
30:07
what we need for the application. Oh, we want to have SSL, so we need to fetch an SSL cert, but I don't have, yeah, I don't have any credentials here. Which is actually a good thing, because I don't want to get these certs and the keytab for the service as my own user.
30:25
I'd rather want the machine to manage them. So I'm now logged in as the machine. So now I'm logged in as the actual machine and run two commands I've prepared, to not make any typos.
30:42
So now I'm using a tool called ipa-getcert and certmonger to get my certificates for the machine. See here, store my key, store my cert, I ask for a subject alternative name, DNS ipa.example.
31:02
These are maintained by the service, and every time the cert is downloaded or renewed, I want to reload my HTTP server. This tool also tracks the cert and will do automatic renewal in case your cert runs out. Okay, that's the request.
31:21
Oh, it worked fine. See, it fetched the cert, and that's how I see the cert. So the interesting part is, yeah, here: so DNS name, there are a couple of other names that are supported by OpenSSL. Oh, that's the service information.
31:42
Okay. Now we have the cert, now we're going to do the first demo step. Ah, good thing I made that right. We also need a keytab, right, because every Kerberos service has a keytab. Get the keytab. Well, okay, that's easy too, so ipa-getkeytab, store it in the file.
32:06
Done, and now I can actually do my first demo step. So I prepared a couple of config files, reload HTTPD, and now that works. Okay, bigger.
32:22
Well, I'm logged in as my own user on the other screen. So I have another, okay, okay, but just having the user is a bit boring. Wouldn't it also help to have, like,
32:42
my complete name, maybe my email address? Okay, next step, we're going to add a tool called mod_lookup_identity, and that talks directly to SSSD. So SSSD downloads all information from LDAP for me, does the caching, and uses a tool called InfoPipe to add the information to my
33:04
web request. So, and now see, with the new tool, you actually see more information about me. So I have a couple of config settings, it will just get the information from my user.
33:34
Almost out of time, so we're going to speed up a bit. Next thing is, so, try user Bob. User Bob
33:47
is actually not in the web users group, so you shouldn't be able to access the application. But in fact you can, so we're missing something. Now the check of the authorization, that's done by the actual PAM module. So
34:05
let's do the next demo step. Bob is no longer allowed to log in. But actually we want user Bob to log in, so we could add user Bob to
34:26
the web users group, so write it into the web users, save, reload again. Okay, works. So it takes a couple of seconds to propagate the information.
34:41
Now user Bob is logged in. So that's the, so you do, so you have a very simple PAM service. Again, all the examples are in the Ansible playbook, so you can download this information.
35:00
So it uses for authentication and account information pam_sss, SSSD, and the web service. So, and finally, we also have a way to maintain certificates. So just to show you: we want to revoke a certificate.
35:22
Just say, well, maybe it has been compromised. What's a fun message? So, it has been compromised. Now since Apache does a bit of caching, and I have to show you that in a new window, it's gonna take like two, three minutes until Firefox and Apache show it up, and
35:42
but in a new window, the direct check, and now I see: so the cert has been revoked. But we can use certmonger just to request a new cert, so we rekey it, just resubmit a new request to certmonger, it does the magic, reloads Apache,
36:04
creates a new certificate and a new, a new private key, and try again and, okay, now I'm in again. So it works again. Okay,
36:23
so Kerberos is nice, but web applications on mobile phones rather want to use SAML, OpenID Connect. Sure, no problem. We also have that covered with two external tools. So these days you probably rather want to use Keycloak, it's the new shiny thing. If you are a Fedora contributor or a known
36:43
contributor, you probably know the Ipsilon project. It's also an OpenID Connect and SAML provider that uses the same features, so SSSD, the lookup identity and Kerberos thing, to provide
37:02
SAML assertions and OpenID Connect information. And if you're logged in directly with the Kerberos ticket, then you just directly get a SAML assertion. So I can show you that. I have a demo site, so the Ipsilon server,
37:21
just log in, I'm directly logged in as user Bob, and then go to the site. So that uses now mod_auth_mellon to talk to the Ipsilon IdP using SAML, and you get the same information. That's covered, too.
37:47
And finally, these days it's all about containers. So containers are still a bit of an issue because they behave differently and they are transient and not like persistent machines, but
38:02
we're going to work on that. So I'm currently changing teams, building up a new team to try to integrate the whole stack I just showed into OpenShift, Kubernetes and Project Atomic. So OpenShift Origin, Project Atomic, Red Hat, Kubernetes, we are
38:21
looking into that. A quick summary: so with FreeIPA you can manage the users, groups, machines and service accounts centrally, you can centrally control access control and policies, you can do single sign-on with Kerberos, with third-party extensions also SAML and OpenID Connect, and you have your own CA internally.
38:44
Questions? We have like two minutes, one or two questions.
39:03
Hi, thank you for this. I was wondering about the Hadoop ecosystem that is heavily using Kerberos. Are you guys looking into it with the major Hadoop distributions like Cloudera or Hortonworks or something? I didn't get the last two, could you speak up a bit, please? Yes.
39:24
I can, I can go closer. I was wondering, since the Hadoop distributions use Kerberos heavily and it's kind of a mess over there, do you know if you guys are working with major Hadoop distributions such as Cloudera or Hortonworks to get
39:46
FreeIPA? So actually I don't know anything about Hadoop and never tried to deploy a Hadoop cluster with FreeIPA, but if they just use Kerberos, it should work out of the box, so you can use the same tool set to do all the Kerberos setup.
40:03
But I would have to ask a couple of co-workers to do an integration into that. Cool, thank you. Any more questions? Anyone? Yeah. By the way, I have a couple of stickers here. I have info material about FreeIPA, SSSD and
40:22
the commercial part, so IdM for Red Hat, it's the same software, just with commercial support. All over here, if you want to have some more information. Yeah? Which, which is the name of the Apache mod module for authentication, for authentication?
40:41
That was, it's, just, it's mod_authnz_pam, that one. So it can do both authentication and authorization, and in combination with the other module I didn't show because we're running a bit out of time,
41:06
we can also do direct authentication by intercepting a POST request and having a one-time login. But actually, to see how the login works, I'd watch the slides by Jan Pazdziora for the Django application, because you actually want to do this login only when you log in the first time.
41:26
You don't do all that for every request, so for the login route you get all the information, use your Django or Flask, whatever, persistent login system, and store the information on the first login in your database.
41:41
And the next time the user logs in. Thank you, I'm running out of time. If you want to catch me, you can find me by my, not red fedora, because my red fedora is just too hot in the summer, but the white one. Grab a sticker or grab some information material. Thank you so much.