
Identity management, single sign-on and certificates with FreeIPA

Formal Metadata

Title
Identity management, single sign-on and certificates with FreeIPA
Number of Parts
160
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract
Identity management, single sign-on and certificates with FreeIPA [EuroPython 2017 - Talk - 2017-07-13 - PythonAnywhere Room] [Rimini, Italy] Authentication, authorization and public key infrastructure are complicated and hard to get right, yet crucial for every infrastructure. Separate user databases in each application as well as ad-hoc self-signed TLS/SSL certificates don't scale and are hard to administer. Users don't want to remember a password for each service, admins prefer a centralized PKI, and developers struggle with correct handling of passwords. FreeIPA is an Open Source, Python-based identity management solution. It is much more than a simple user database. FreeIPA combines multiple mature products under an easy-to-use installer, command line and web interface: 389-DS LDAP server, MIT Kerberos, Dogtag PKI certificate system, BIND DNS with DNSSEC, SSSD, certmonger and more. It provides identities for users, services and machines with single sign-on (optionally 2FA) and role- or host-based ACL. Keycloak and Ipsilon IdP can be integrated to offer OpenID Connect or SAML. Mutual trust with Active Directory is possible, too. Installation of a FreeIPA server and integration with a WSGI application is much simpler than you might think. At the end of my talk you will know how to deploy a FreeIPA server with just one command, how to add replicas for redundancy, how to authenticate users and access user data like name, email and group membership without adding a single line of Kerberos or LDAP code to your application, and how to issue TLS certificates with auto-renewal and OCSP
Transcript: English (auto-generated)
Good morning. How are you doing? Okay, still not awake. So I'll try not to bore you to death. So, hi, I'm Christian Heimes. I'm from Hamburg, Germany. Some of you may know me. I'm a Python core contributor.
I work on mostly security stuff for Python core, so SSL, the hashlib module, and for those of you who still use Python 2: I also helped to bring the b'' string prefix to Python 2 back then. So that's some of the stuff I did in the past. So I'm from Hamburg and I'm really glad I could make it here.
Usually Hamburg looks like that, except if you have the G20 summit, then it looks like that. So these are burning things in the streets and riots, and they burned lots of cars and shops, and it was fun. Not. So in my professional life, I also do security things.
I'm a senior software engineer at Red Hat now for over two years. I work on the software stack I'm now going to present to you. So FreeIPA, Dogtag, which is a part of FreeIPA, and Custodia, the secrets management, which was also part of FreeIPA. So FreeIPA, in case you wondered, it's not bad.
It's not India pale ale, so I won't give you free beer in the morning. Sorry. Instead, it's identity, policy and auditing. It's an open-source stack built of lots of components; I'll show you in a minute. So first the agenda, the plan for today, or the morning.
So first I will run you through a small scenario where you could benefit from identity management. Then I will, oh sorry, I will explain what identity management is. We go through the surface of FreeIPA, the components, how to
integrate FreeIPA, and then I'm doing a bit of demoing. So installation: I'm not going to show the actual installation, because it's going to take like 10 minutes, we don't have that much time, but I'm going to show you how to actually integrate that into a HTTP application, and a summary at the end.
So the scenario, a very simple case: you want to have a bulletin board for your company where you just share notes. What do you need? So first of all, you just need to log in. Oh, the fonts aren't showing up correctly. Oh, that's new. Oh, that one works. So there should be login, password; for some reason the fonts don't show up.
You need a user database, because you also want to show real name, email address, maybe a phone number where you can reach a co-worker. You need to handle permissions. You don't want to have the intern looking at notes from the CTO. Of course, these days you want to secure all your networks with proper TLS.
You need certificates for that, and a private key, and some infrastructure; maybe you need to renew your certs every once in a while. And finally, for people who are going to deploy the application, you need to SSH into the machine and maybe have sudo rules where they can get root privileges.
Yeah, that's going to be complicated if you have not one machine and ten users but 50 services like that and maybe 50 users, or 500, or 10,000 users. So, don't worry, be happy.
We want to make first human resources happy. So we don't want them to add new users to 50 databases, and also to maintain the metadata in one place. So if somebody gets married and changes their name, they don't want to edit 50 user databases all over the place. Just one. We want to make the admins happy, so we want to have them centralize all the access control.
Don't mess with certificates manually, because the OpenSSL command line interface is just painful to use. 2FA for some services would be nice. Developers: you as a developer probably don't want to learn about how Kerberos or SAML works, or how to interface with LDAP.
So we want to use all of our Kerberos, but don't actually code that; have that automated and wrapped away for you very easily. And finally, the plain users, all your coworkers, just want to have one password, one login for all the stuff you have from the company. If that sounds a bit familiar to you, there was actually a talk by a co-worker of mine
two years ago at EuroPython who explained that using a Django app. If you want to know more about actually integrating the whole stack, watch that talk. I'm more explaining the DevOps-y part of FreeIPA and a bit more the techie part.
What's identity management? So who of you has heard the term identity management before, or actually uses one? I see, well, like one third, 50%. Okay. Just first off, obviously, the Wikipedia definition:
Identity management describes the management of individual principals, the authentication, authorization and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime or repetitive tasks. So a couple of terms I made bold.
Some of you may know the terms, but for more of them, so we get on the same page, what are they? So principal: it's just a fancy name to describe some kind of entity you want to identify. So it's not only users, because we also want to identify machines and services.
Authentication, just to make it clear: authentication is about proving who you are, so like using a password and a login name, or using a smart card, or some other fancy ways. Authorization is actually giving you access to something. So, for example,
when you cross into another country you show your passport, so you're authenticating yourself, you're proving your name, and whether you're authorized to enter or not, the border guard will let you in or not. And this is often coupled with privileges to make it a bit easier. So you're in a certain group, a certain group is allowed to do something, or you can delegate permissions to somebody temporarily. Yeah, now FreeIPA.
A bit of a teaser, what the web page of FreeIPA tells you about FreeIPA. So identity: manage Linux users and client hosts in your realm from one central location with CLI, web UI or RPC, and
have single sign-on for your applications. So that's the identity part. Policy: something, if you're an admin, also a very important thing. Once you've authenticated, you want to also grant users certain kinds of access.
And you also want to centrally manage, for your web servers, who's allowed to log in, who's allowed to gain root privileges. So you can do like SELinux rules, automount rules if you have NFS, sudo rules, whatever. And finally trust: so FreeIPA can also do trust,
cross-realm trust with other domains, for example Active Directory. Now if you wonder where the A, where the audit is: we haven't gotten to that yet. We haven't added actual auditing to the core of FreeIPA. That's something that is currently developed in external projects, for example console logging, where you can record what an admin does on a machine.
That's not yet integrated. Actually, should you actually use FreeIPA? It all depends a bit. If you want to use FreeIPA just as your user database for a single server that's public on the internet, probably not, because these days you have Let's Encrypt, you get a publicly trusted certificate, you have social login:
GitHub, Twitter, Facebook, Google, they all have OpenID Connect providers. If you're in a university you have Shibboleth, a SAML-based solution.
Just use that if you have just one public service. But if you have lots of internal services where you don't want to disclose your services to the public... For example, for Let's Encrypt you have to actually create a certificate with all the host names in them, so everybody could see your names, because they also publish their certificates in a log, although they're now adding wildcard certs.
But still, wildcard certs are very dangerous: one of your hosts gets compromised, then you can throw away the wildcard cert, you have to re-roll your whole application, basically your whole network, because your whole network got compromised with just one service leaking the private key of your certificate. So
for a non-trivial case, if you have to deal with much more than simple web pages or more than one simple case, FreeIPA is actually a good solution. So if you have more than a trivial amount of users or admins, if you want to reuse all your information not only for just a web service but for SSH login,
but even for email or just a Java client, I'll come to that later. You want to manage your own internal CA for all your services, maybe even for VPN logins, for smart card authentication.
Yeah, also I still remember from my first job, it was rather tiresome to get logged into all machines, because the admin had to copy my public SSH key to all the machines and amend the sudo rules, so you want to automate that in a central way.
FreeIPA is also very useful. And finally, if you want to scale up, like you start up with things, we might go from a couple of users to a lot of users. Yeah, that might be a good solution for you. So what is it actually?
It's a lot of components, so these are five of the most important components: you have a KDC, the Kerberos key distribution center; you have an LDAP server; you have a public key infrastructure server; you have a DNS server built in; and you have a set of tools, both web-based and command line based, to
manage the whole solution, and much more. So MIT Kerberos: the single sign-on and the authentication between machines, for the most part. You can do more. 389-DS is an LDAP server,
originally developed by Netscape and now maintained by Red Hat. Dogtag public key infrastructure is a Java Tomcat based solution, which is both for large entities, now also wrapped into FreeIPA to give you a CA infrastructure. We have BIND DNS bound to LDAP now.
We have SSSD, a daemon probably most of you don't know; I'll come to that also in a minute. We have Apache HTTP with a couple of modules I'm going to explain later, and finally all the tooling around, the glue code between all the stuff including the installer, management, is all written in Python.
So who knows how Kerberos works? Okay, yeah. So Kerberos is both like a three-headed hound, also a protocol. Some of you associate it with enterprise and think it's been dead for years. No, it's not. If you use Active Directory from Windows,
it's basically Kerberos and LDAP, and in big enterprises you also use Kerberos. It's not that complicated for end-users, so I give you a small example of how Kerberos mostly works. It's good enough to understand how it works. So imagine
a public transport system. So a public transport system like, for example, we have Rimini. You want to ride the bus in Rimini. So you have, in Kerberos it's called a realm, and it's mostly written, always written uppercase. So I as a user want to ride a bus in Rimini. So I need an account.
So that's mostly written like that. So it's me, cheimes@RIMINI.IT, that's my user principal. We also have services and hosts, so a place like a bus stop would be like host/palacongressi.rimini.it at
realm RIMINI.IT, and finally the service written like that. So you have like a service, the shuttle bus starting at palacongressi.rimini.it. Yeah. So in the morning I'd like to ride the bus. So the first thing I have to do, I have to prove my identity to something called an authentication server.
This authentication server, once I prove my identity, I'm getting a ticket back. It's called a ticket granting ticket, like a daily pass. So when I want to ride the bus, I show this ticket granting ticket to a ticket
granting service. Oh no, sorry. First of all, I have to store my ticket, like in my wallet; it's called a credential cache. So I show my ticket granting ticket to a ticket granting server, and that one gives me back a ticket that's only valid for this shuttle bus, and
finally I show this ticket to the bus driver, and he has internally like a verification thingy called the keytab, and he can verify my ticket. These tickets are usually valid for a couple of hours, half a day, and that's how single sign-on works. So you have to type your password only one time, maybe with 2FA, maybe with smart card authentication, and then you have something you can use all over the place to request new tickets, and
We also have all the information stored in the LDAP server, so that's a simple database. LDAP is a hierarchical database, like a tree. The good thing is it's all standardized. The protocol is standardized, so you don't need, like in the SQL world, a PostgreSQL or MySQL driver; you just use an LDAP driver and can talk to any LDAP server. Also the database schema is standardized for everything you basically need, so no matter if you talk to Windows or Linux, if they implement the correct schema parts like POSIX user, it works. LDAP is heavily optimized for reading, so you don't write that often to LDAP, and they can heavily optimize all reading operations and replication, so you can have a distributed network of LDAP servers.

We have fine-grained access control. You can combine it with delegation and make sure that every user only sees what he's allowed to see. Delegation means: typically in a web application you have a user that logs into the web application, then you have a connection from the web application to a database server with a database user for that web application. We don't do that. The user logs into the web application or the command line interface and gets delegated through to the LDAP database; the LDAP database only sees the actual user. There's no kind of special service user for the database connection, and so we can actually control fine-grained which parts of the data users can see, modify, query. So any kind of SQL injection wouldn't work for LDAP; you can even let any user directly query the LDAP server, they can't do any harm, and even the front end doesn't do extra permission checks. It's all handled by the database.

And finally master-master replication with a replication topology. That's how an LDAP server looks from a piece of software called Apache Directory Studio: on the left you see a tree, on the right you see one of the leaf nodes
with my user login. Of course if you just have one FreeIPA server, it wouldn't be very redundant, so you probably want to have two, three, five or ten servers or more. That's handled by something called replication. Here are two examples of how you would do a replication between four data centers with three or four servers each: you create a couple of replication agreements, and they will distribute the data and the load over time. It scales very nicely; here's another example we did for a performance test with 60 servers. Each of these small green things is a server.

We also have a DNS server. You might wonder why a DNS server. Yeah, host names are also identities, so we have the host names in the DNS server and also the reverse zone, so you don't have to create your own reverse zone mappings. We use DNS for service discovery and failover, so we are able to get all the LDAP servers from DNS, even location-based, and if some of the servers fall off, then we automatically try another one; we don't have to configure that. With the location support we make sure you try to stay in your own data center and only go to another one if all the servers locally fail. We store your SSH fingerprints in the DNS server and we also do DNSSEC, because we can do that. So here's an example of what we can get from DNS: you see Kerberos information, a service record for LDAP and
SSH. The next thing is Dogtag, that's our CA server. It's a certification authority; you can have sub-CAs, you can do the whole lifecycle of a certificate for a server. You can have different profiles, if you need a special profile for your VPN server or your web server or whatever other server you have, CRL and OCSP to revoke and check certificates, the SCEP protocol used by some, I think, Cisco machines, and also a way to do escrow if you want to encrypt data and store it in there. There's also HSM and smart card support, but that's not supported with FreeIPA, only with standalone Dogtag.

And finally SSSD. It's a daemon running on all your machines, even the client machines. When you're a client it hooks into PAM and NSS. PAM does your password check when you log into a Linux machine on the console or in KDE, GNOME or SSH, and NSS, the name service, provides user information like give me the user name, give me the group membership, give me your autofs mapping for NFS, and it does caching and much more.

And finally the web user interface. That's all written in Python. Looks kind of funny. Oh no, not here, good, only on my screen. Management and the installers and a bunch more stuff. OTP support, YubiKey support. Some integration: you can use an Android or Apple app for the OTP like the Google one, but it actually works with SHA-256 OTP.
So, I already mentioned that you can integrate the whole stack, LDAP, Kerberos, DNS, into all the things because they're standardized. So just to give you a couple of ideas and examples of what you could do, what customers did, what we did to integrate that: you can store your email information in the LDAP server. You can use Kerberos for single sign-on. You can have RADIUS for WPA Enterprise for your WiFi, so you can have roaming users, VPN for some users. Nowadays even for Kubernetes, OpenShift, you sometimes need NFS; you can use Kerberos-secured NFS, which we use internally, so a lot.

Now how do you actually install this huge stack? It's a lot: you have an LDAP server, Kerberos server, DNS server, your public key infrastructure, your signing keys,
you have a couple of additional services. Sounds complicated? Well, it's not, so a quick demo setup. I'm using Fedora 26, ah, 25; 26 came out like just two days ago and I didn't want to update my demo setup now. But I'm using a new version of FreeIPA that's actually not in Fedora but from a COPR, so like a private repo for testing. The Kerberos realm is called IPA.EXAMPLE and DNS the same, lowercase; all the machines have the same suffix, so it's like name.ipa.example, and they all point to the master DNS server. I have enabled some SELinux flags and the firewall is open. Yeah, so installation: these two commands, and in about five to seven minutes, depending on how fast your machine is, you have a full running FreeIPA stack. Easy enough. Oh, you don't even have to specify all these flags; you can even do it interactively. If you don't give it any flags, then it will just ask you a couple of questions, you have to type in two passwords, and that's it. Then you have a full running LDAP server, Kerberos server and CA internally, of course.
You also want to enroll your clients so you can use all the features on your client machines or on your servers. So to enroll a client you have a similar command: install the client package, run this command. You don't even have to specify where your server is; in fact you shouldn't do that. If you don't give it the server name, it will just use DNS to find the next server and enroll, and it will automatically fall back to another server if that one, maybe, has a power issue or doesn't work anymore. That one even makes sure a home directory is created when you log in the first time, configures your Firefox if you use the web UI, and will also update DNS records if your machine changes IP address. Looks like that. I'm running through that quickly because I need to be a bit short on time.

For automatic enrollment, if you don't want to do it manually, you can also create the host beforehand with an OTP, so a one-time enrollment password, and add that one-time enrollment password and the host name to your kickstart file or a bootstrap file or a golden image for the machine and just enroll the machine with that. So you don't even have to type in your admin credentials when you enroll the machine.

So now we have a master, we have a client, now I want a replica. We want to replicate all the data to another machine to have a backup and a failover. That's easy too: just announce that the machine is a replica, so you add it to the ipaservers host group and run ipa-replica-install. You don't even have to type in a password,
and it will set up a failover DNS server, LDAP server, Kerberos server and CA server. Now the interesting time, hope it works: demo time. My demos are all prepared, so I don't install the full stack now because it would take too long. It's all scripted with Ansible. I will add the URL to the GitHub repo of my Ansible playbook shortly before I upload the slides, so you can do that at home too. And I'm going to show you, okay, interesting, how you can run an Apache service, so a website on Apache, without actually doing any kind of Kerberos and LDAP in your application, but just use Apache to do the heavy lifting for you.
So these are mod_auth_gssapi, mod_ssl for SSL encryption and mod_authnz_pam for authentication and authorization, and two other modules I will explain in a minute. The setup has a couple of users and groups. So I have three users: an admin user, a web admin user (myself) and a user Bob, with three different groups: we have the admin group, we have a webadmin group, who administer the application on the server, and the web users. Two machines; I don't have a replica here right now because it takes too much power and too much CPU and memory. I have two host groups, the IPA servers group and the web servers group, a couple of HBAC rules, that's host-based access control, so we can control which users are allowed to access which host, with a special user for the web application. I have a sudo rule that allows the web admins to actually log into the machine, and I also have role-based access control. That's for roles inside the IPA server, called source admin, so you can delegate FreeIPA permissions to a user or to a group of users. For example, you can give a group of users permission to manage user accounts but not manage machine accounts or manage services or manage enrollment of hosts. Okay, now you should see... yeah, perfect. Okay.
You know, my notes... hmm, it doesn't want to show me the notes. Yeah, no, it works. So, to the command line, right. First of all let me show you the interface. Now I'm using kinit to get my ticket-granting ticket. So you see here, is this big enough for you? Can you see that? Okay, perfect, thumbs up from the back row. So the krbtgt, that's my ticket-granting ticket from my domain. I'm logged in as admin, and so the interface, let me refresh it, because I'm now going to use my TGT to actually access the web page, so that's the main interface of the FreeIPA web interface. If you look again you see we have a ticket for the HTTP server of the master. Okay, now let's log in as another user
to show you. I'm going to log in, so I'm a web admin, so I have to deploy my application. No, so just to show you how the SSH plugin works: you see here, it found in DNS the fingerprint of the server. I have never logged in; my machine is not enrolled in the domain I'm working on here. If it were enrolled in the actual FreeIPA domain I would not even see that, it would just automatically approve the keys. So now I'm in. Okay, we also need sudo, but we already have a sudo rule for my user, so I've got that already and I can log in. But first see, I also delegated my ticket to the other machine, and now I'm using the command line tools to create the demo service. Well, so we have now a service and it's managed by the machine, so that's the machine. Oh yeah, so now to deploy the application I need sudo rights and what we need for the application: we want to have SSL, so we need to fetch an SSL certificate, but I don't have... yeah, I don't have any credentials here, which is actually a good thing, because I don't want to get these certs and the keytab for the service as my own user. I'd rather want the machine to manage them. So now I'm logged in as the machine, so now I'm logged in on the actual machine, and I run two commands I've prepared to not make any typos.
So now I'm using a tool called ipa-getcert and certmonger to get my certificates for the machine. See here: store my key, store my cert, I ask for a subject alternative name, the DNS name in ipa.example. These are maintained by the service, and every time the cert is downloaded or renewed I want to reload my HTTP server. This tool also tracks the cert and will do automatic renewal in case the cert runs out. Okay, that's the request. Oh, it worked fine. See, some information from the cert, and that's how I see the cert. So the testing part is... yeah, yeah, here, so the DNS name; there are a couple of other names that are supported, otherName, oh, that's the service information.

Okay, now we have the cert, now we're going to do the first demo step. Ah, good thing I made that right: we also need a keytab, right, because every Kerberos service works with a keytab. Get keytab, well okay, that's easy too: ipa-getkeytab, store it in the file, done. And now I can actually do my first demo step, so I prepared a couple of config files, reload HTTP, and now that works. Okay, bigger.
Well, I'm logged in as my own user on the other screen. So I have another... okay, okay, but just having the user name is a bit boring; it won't also help like my complete name, when I have my email address. Okay, next step: we're going to add a tool called mod_lookup_identity, and that talks directly to SSSD. So SSSD downloads all the information from LDAP for me, does the caching, and uses a tool called InfoPipe to add the information to my web request. And now, see, with the new tool you actually see more information about me. So I have a couple of config settings; I will just get the information from my user. I'm almost out of time, so we're going to speed up a bit. Next thing is, so, try user Bob. User Bob is actually not in the web users group, so he shouldn't be able to access the application, but in fact he can. So we're missing something, the check of the authorization that's done by the actual PAM module, so
let's do the next demo step. Bob is no longer allowed to log in, but actually we want Bob to log in, so we add user Bob to the web users group. Save, reload again, okay, works, so it takes a couple of seconds to propagate the information. Now user Bob is logged in, so that's... So you have a very simple PAM service; again, all the examples are in the Ansible playbook, so you can download this information. So it uses for authentication and account information pam_sss, SSSD, and the web service.

And finally we also have a way to maintain certificates. So just to show you: we want to revoke a certificate? Just say, well, maybe it has been compromised, that's a fun message, so it has been compromised. Now since Apache does a bit of caching I have to show you that in a new window; it's going to take like two, three minutes until Firefox and Apache show it. But in a new window, the direct check, and now I see the cert has been revoked. But we can use certmonger just to request a new cert, so we rekey it, it just resubmits a new request, certmonger does the magic, reloads Apache, creates a new certificate and a new private key. Try again, and I'm logged in again, so it works again. Okay.
So Kerberos is nice, but web applications on mobile phones rather want to use SAML or OpenID Connect. Sure, no problem, we also have that covered with two external tools. So these days you probably rather want to use Keycloak, it's the new shiny thing. If you're a Fedora contributor, or a known contributor, you probably know the Ipsilon project. It's also an OpenID Connect and SAML provider that uses the same features, so SSSD, the lookup identity and Kerberos thing, to provide SAML assertions and OpenID Connect information. And if you're logged in directly with a Kerberos ticket, then you just get directly a SAML assertion. So I can show you that: I have a demo site, an Ipsilon server, just log in, I'm directly logged in as user Bob, and then go to the site. So that uses now mod_auth_mellon to talk to the Ipsilon IdP using SAML, and you get the same information. That's covered too.
And finally, these days it's all about containers. Containers are still a bit of an issue because they behave differently and they're transient and not like persistent machines, but we're going to work on that. I'm currently changing teams, building up a new team to try to integrate the whole stack I just showed into OpenShift, Kubernetes and Project Atomic, so OpenShift Origin, Project Atomic, Fedora, and Kubernetes; I'm looking into that.

A quick summary: so with FreeIPA you can manage users, groups, machines and service accounts centrally, you can centrally control access control and policies, you can do single sign-on with Kerberos, with third-party extensions also SAML and OpenID Connect, and you have your own CA internally.

Questions? We have like two minutes, one or two questions.
Hi, thank you for this. I was wondering about the Hadoop ecosystem that is heavily using Kerberos. Are you guys looking into it with the major Hadoop distributions like Cloudera or Hortonworks or something?

I didn't get the last two, could you speak up a bit, please?

Yes. Can I come closer? I was wondering, since the Hadoop distributions use Kerberos heavily and it's kind of a mess over there, do you know if you guys are working with major Hadoop distributions such as Cloudera or Hortonworks to get FreeIPA...

So actually I don't know anything about Hadoop and never tried to deploy a Hadoop cluster with FreeIPA, but if they just use Kerberos it should work out of the box, so you can use the same tool set to do all the Kerberos setup. But I would have to ask a couple of co-workers about an integration into that.

Cool, thank you.

Any more questions? Anyone? Yeah. By the way, I have a couple of stickers here, I have info material about FreeIPA, SSSD and
the commercial part, so IdM from Red Hat; it's the same software just with commercial support. It's all over here if you want to have some more information. Yeah?

Which is the name of the Apache module for authentication?

That was mod_auth_gssapi, and mod_authnz_pam, that one. It can do both authentication and authorization, and in combination with the other module I didn't show because we're running a bit out of time, we can also do direct authentication by intercepting a POST request and having a one-time login. But actually, for how the login works, have a look at the slides by Jan Pazdziora for a Django application, because you actually want to do this login only when you log in the first time. You don't want to do all this for every request, so for the login route you get all the information, use your Django, Flask, whatever persistent login system, and store the information on the first login in your database, and the next time the user logs in...

Thank you. I'm running out of time. If you want to catch me you can find me by my... not my red fedora, because my fedora is just too hot in the summer, but whatever I'm wearing, and grab a sticker or grab some information material. Thank you so much.
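To illustrate the Apache demo described in the talk (mod_auth_gssapi for the Kerberos login, mod_authnz_pam with pam_sss for the HBAC check, mod_lookup_identity for the user attributes), here is an added example that is not from the talk or its Ansible playbook: a minimal WSGI application that reads only the identity variables Apache places into the request environment and never client-supplied headers. The variable names REMOTE_USER_EMAIL, REMOTE_USER_FULLNAME and REMOTE_USER_GROUPS are assumptions (they are whatever the LookupUserAttr and LookupUserGroups directives are configured to set), and the principal and groups used for testing are constructed.

```python
"""Minimal WSGI app consuming identity data that Apache injects into the environ.

Assumed Apache configuration (example, not from the talk):
  mod_auth_gssapi     -> REMOTE_USER holds the Kerberos principal, e.g. bob@IPA.EXAMPLE
  mod_authnz_pam      -> "Require pam-account <service>" lets pam_sss/SSSD enforce HBAC
  mod_lookup_identity -> LookupUserAttr mail        REMOTE_USER_EMAIL     (assumed name)
                         LookupUserAttr displayname REMOTE_USER_FULLNAME  (assumed name)
                         LookupUserGroups REMOTE_USER_GROUPS ":"          (assumed name)
"""
from wsgiref.simple_server import make_server


def identity_from_environ(environ):
    """Return a dict describing the authenticated user, or None if Apache set no REMOTE_USER.

    Only server-set environ keys are consulted. Anything a client sends as an HTTP
    header appears as HTTP_* in the WSGI environ and is deliberately ignored, so a
    client cannot claim an identity by sending its own REMOTE_USER header.
    """
    principal = environ.get("REMOTE_USER")
    if not principal:
        return None
    user, _, realm = principal.partition("@")
    groups = [g for g in environ.get("REMOTE_USER_GROUPS", "").split(":") if g]
    return {
        "principal": principal,
        "user": user,
        "realm": realm,
        "email": environ.get("REMOTE_USER_EMAIL", ""),
        "fullname": environ.get("REMOTE_USER_FULLNAME", ""),
        "groups": groups,
    }


def app(environ, start_response):
    """WSGI entry point: no Kerberos or LDAP code, Apache already did the heavy lifting."""
    ident = identity_from_environ(environ)
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if ident is None:
        # Apache should have denied the request already; fail closed regardless.
        start_response("401 Unauthorized", headers)
        return [b"no authenticated user\n"]
    body = "Hello {} ({})\nemail: {}\ngroups: {}\n".format(
        ident["fullname"], ident["principal"], ident["email"], ", ".join(ident["groups"]))
    start_response("200 OK", headers)
    return [body.encode("utf-8")]


def call(environ):
    """Invoke app() with a constructed environ and return (status, body) for inspection."""
    captured = {}
    body = b"".join(app(environ, lambda status, hdrs: captured.setdefault("status", status)))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    # Local testing only; under Apache run it via mod_wsgi so the module-set environ reaches the app.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Run under mod_wsgi behind the modules above, the application sees the user's name, email and group membership with no Kerberos or LDAP code of its own, and a request carrying a forged REMOTE_USER header still gets a 401.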