Hello, everyone. Welcome to today's session. My name is Hemant Koth. I'm working with Red Hat. So today we would be talking about the security benefits of FreeIPA. Considering the audience and difficulty level as beginner, I have created this session. So you will be getting an introduction and an idea about FreeIPA. Overview. After this session, you would be able to identify what FreeIPA is; what the use cases are, I mean the integrations wherein you can fit FreeIPA into your organization; the security benefits of FreeIPA, that is how you can use FreeIPA in your organization to build up security; and then, last but not the least, the future scope of FreeIPA moving forward. So when I say FreeIPA, those who don't know about FreeIPA might be thinking: is it something free, and then IPA, collectively called FreeIPA? Yes, it's the same way. FreeIPA is the upstream project and downstream it is called Red Hat Identity Management. Likewise, it is free upstream, and downstream with Red Hat, if you have a RHEL subscription, you can use it free of cost. Now what is FreeIPA? FreeIPA, or IdM, collectively has all Linux native tools, and they have created a bundle of software or applications which has different components inside it. 389 DS, which is acting as LDAP, the backend to store all the information such as your user information, your certificates, your groups, and whatever you want to store in your FreeIPA, considering the data. MIT Kerberos. MIT Kerberos is used by FreeIPA for Kerberos authentication. Dogtag: when you want to go ahead and set up a CA server, this component will help you out with FreeIPA in order to communicate with all the different services. So the different services which are present in IPA communicate with each other using the certificates issued by this Dogtag. To make it simple and easier for some of the Linux administrators who are not much comfortable with the CLI, FreeIPA also has a web UI.
So if you want to get a high-level overview, it would be something like this, wherein you would see that these are the components using which you can interact with FreeIPA. Now what are the use cases? So when I say use cases, you might be thinking, is it something like how I can use FreeIPA, where I can use FreeIPA, you know, why I should use FreeIPA. So the first question that will come to my mind: can I use FreeIPA in my organization? I mean, when we are discussing FreeIPA, you tell me, can I use it in my organization? So the answer is yes, you can use it in your organization. Can I integrate with Active Directory? Now, I'll be very generic when I compare FreeIPA. I would like to compare it with Active Directory, which is widely used by most organizations. Then, can I integrate with VMware? Most of the customers rely on VMware in order to have some VMs for testing and development purposes. So is it possible to integrate FreeIPA with VMware? Yes, it's quite possible. Moving on, can I integrate OpenStack, which is again an alternate open source solution to VMware? Then OpenShift, can I use OpenShift with FreeIPA? So I mean there are tons of integrations possible with FreeIPA. I have not included the entire list of it, but yes, if you want to find a list, you can simply visit this link and you will be able to find the third-party application integrations with FreeIPA. Now, can I use FreeIPA in my organization? So basically, when I want to compare it, I have chosen AD, which is most widely used by customers. So the first question would be: my Active Directory gives me user authentication, and so does FreeIPA. It has privileged access management. The name itself says it, wherein IPA stands for Identity, Policy, and Audit.
So yes, it also provides you privileged access management, wherein you can restrict, you can define the access to be given to certain specific users, to hosts and to specific services. Replication: I can do replication with my Active Directory, and I can do trust; it is quite possible with Active Directory. With FreeIPA, yes, you can do replication, and one replica can handle up to 20k FreeIPA clients. When it comes to trust, as of now FreeIPA is able to do the trust with Active Directory. FreeIPA-to-FreeIPA trust is still, I mean, we are evaluating that part. Then in Active Directory we have sites. The sites option is available to ensure that connectivity within a specific location or specific site is improved, so that it doesn't have to go to another location for connectivity. The same thing is available with FreeIPA, called DNS locations. So let's say if you have a branch in New York, the systems within New York should get connected to that specific DNS location server. We already know that LDAP is one of the components of FreeIPA. Certificate service, yes. Certificate service is available with FreeIPA. You can issue certificates for users, for hosts and for services. Tightly integrated and flexible security. Well, these are the terms which, I mean, I would like to give a definition in layman's language. Tightly integrated and flexible security: we have all possible tunable configuration with FreeIPA, wherein you can achieve your requirement; just in order to achieve that you should know the capabilities of FreeIPA and how to do it. DNS. DNS is one of the components of FreeIPA. So yes, you can also manage your DNS using FreeIPA. Kerberos: I have already given the information that Kerberos is available with FreeIPA for authentication, which is MIT Kerberos. Now you can see that almost all the features which are available with Active Directory are almost all present with FreeIPA.
I have not mentioned the entire list of all possible features, but I just tried to compare the highly used features by the customers. Now, can I integrate with Active Directory? We have compared it with Active Directory. So can I integrate with Active Directory? So it says yes, you just need to set up a trust with Active Directory in order to share the Linux resources with AD. So this would be something like this: you have the IdM domain, you have the AD domain, you create a trust between them, and once you have a successful trust, your AD resources would be able to access your Linux resources. Moving further, can I integrate with VMware? Yes, you can integrate with VMware. In fact, you can achieve SSO with VMware with the help of FreeIPA. It's just that you need to set up FreeIPA as an identity provider with your vCenter Server Appliance. So it would be like, when you want to perform the SSO authentication, your identity provider should be set as FreeIPA and then you can achieve SSO as well. So this is OpenStack plus FreeIPA, where with OpenStack, Keystone would be your service provider and Keycloak would be your identity provider. With the help of this identity provider, you can actually access the dashboard without revealing your credentials. So it is quite possible to have the OpenStack and FreeIPA integration as well. We have seen the IPA and AD trust. So let's say I have an IPA and AD trust available in my environment, but now I want to go ahead and do some testing with OpenShift. Can I make use of my current environment in order to access OpenShift? Yes, that is quite possible. You can also do that. So I'm just giving you an idea, a high-level overview wherein you can fit in IPA as per your requirement.
In the same way, you would be configuring your identity source as FreeIPA, and here you will see that once you are trying to access the console, it will check the backend, it will check for the user, and then it will allow you any of its web services, web apps or any resource that you are trying to access within OpenShift. Now coming to the core part of our discussion. I just wanted you to understand what FreeIPA is and where you can use FreeIPA, so you will understand what the other security features are that can be used, or how they can be used, to build security. Now first, smart card authentication. When I say smart card authentication, you would be having a smart card with you. You will just plug in your smart card to the system and you will get authenticated to the system. Now with the help of FreeIPA, you can also configure two-factor authentication. First you will plug in your smart card, then you will put in your password, or you will input your password, and then bingo, you got authenticated to the system. But let's try to understand: if I have multiple users and I do not have the certificates, I just want to share a single certificate with multiple users. Can I make use of this use case? Yes, it's quite possible. You can distribute the same certificate to multiple users. It's just that you need to make use of the username hint feature. So when a user tries to authenticate with a smart card certificate that matches multiple user accounts, the following will occur. If the username hint policy is enabled, the user is prompted for the name and then proceeds with the authentication. If the username hint policy is disabled, IPA won't be able to identify which user is actually trying to access the system, because the same certificate is shared by multiple users. So that is where the authentication will fail without prompting. Now host-based access control, HBAC.
HBAC is one of, I would say, the easy and easy-to-implement features. Let's say you have system A, system B, system C, D and E, wherein you just want to allow specific access to specific servers. You can make use of HBAC. You can allow them to perform SSH, you can allow them to do sudo access on those specific systems, or you can allow the entire access to, you know, quite other systems. So let's say I want to allow C, D and E with full access, but I just want to restrict the SSH access to A. It is quite possible with FreeIPA. You can make use of the HBAC feature. Certificates: as I mentioned, Dogtag is acting as a core component of FreeIPA. You can make use of that component in order to issue certificates. Now, these are three different types of certificates that can be issued by FreeIPA. Host certificate, or a certificate for the host: let's say if I'm issuing a certificate for the host, I can make use of that certificate for configuring different services. Or I can make use of a service certificate, which would be specific to the specific service. As an example, I would take HTTPS, that is the Apache certificate; we are all aware of it. Then the user certificate: I can issue a certificate to a specific user in order to authenticate that user with the certificate. Now password policy. Password policy is, let's say, one of the important features of FreeIPA, wherein you can define the maximum lifetime, you can define the minimum lifetime, the history size, then the character classes, where you can define the complexity level, the upper case, lower case, and then you can define the minimum length of the password, the maximum failures, and the failure reset interval. Let's say, for an example, now we are all working from home. So if I'm typing in my password three times, and what if my account got locked? You can use the failure reset interval option.
And your ID will get, your password will get reset after the specified time duration, the lockout duration. Now IdM in FIPS. This is something which is highly demanded by customers who are actually using FIPS. So we can proudly say that this IPA, this IdM, is compatible with FreeIPA. Now, I'm sorry, compatible with FIPS. Now what is FIPS? FIPS is the Federal Information Processing Standard. It's Publication 140-2. It's a computer security standard. So some of the customers who are following this FIPS standard were not able to make use of FreeIPA. So now FreeIPA is compatible with FIPS. You can make use of it and you can have this IdM in your FIPS-enabled environment. So for Red Hat Identity Management, I have shared the list wherein you can find the documented response that a FIPS-enabled system can have IPA/IdM. And for FreeIPA as well, I have mentioned the link. Now moving on to single sign-on. I have seen most of the customers are actually looking forward to such a feature wherein they have to type their password only once and then it should get authenticated to all the services and everywhere, wherever possible. So how can that be achieved? Let's say, for an example, I will take the example of Red Hat Single Sign-On. If you configure your Red Hat Single Sign-On with Red Hat Identity Management, once you authenticate with your SSO, you would be able to access your hosts, your services, as well as, I mean, the resources which you are trying to access, those can also be accessed, those can also be used, or I'm sorry, the resources which you want to make use of, those can also be accessed using this SSO feature. Now RBAC. Talking about RBAC, this is role-based access control. It actually holds three parts. One is permission, the second is privilege, and the third is role. Now how exactly should we define this RBAC? So permissions will grant you the right to perform a specific task, such as adding or deleting users, or modifying a group, or enabling read access.
Now privileges. A privilege is where you would be combining these permissions. Let's say if you want to add a new user, you can combine those permissions, because when you try to add a new user, you would require specific permissions wherein you can define the groups it should get associated with, the name, the UID, all these things. You can make use of RBAC, and using this RBAC you can define specific roles for specific users. Now if I want to give an example of RBAC, I will try to give you details using the already available information. So let's say we want to have a group of people who would be working in the help desk team; their job is to modify users and reset passwords. So you can simply assign this role to those specific users, or to the group of those users, and your job will be simpler. You don't have to keep on assigning every other permission or privilege to those users. So likewise, we already have a predefined set of roles which you can make use of. Now, sudo. sudo is actually available with the base OS, but why we are actually calling it out with FreeIPA is because this is where you centrally store the sudo rules. You store the rules centrally, and those get retrieved by the clients and those get parsed by the client utility, making use of those rules. If the access is allowed, that will be permitted; else it will be denied for the sudo operation. Now everybody is moving towards Ansible. So I just thought of giving an Ansible example wherein we'll create a rule, ipasudorule. If you see at the end, state is present, the username is idm_user and the host is idm_client. So on the IdM client, I want to define that the user should be able to perform the reboot only. So I'll simply write this rule and I'll deploy it on the specific machine, ensuring that I have already maintained my inventory. You can also make use of the already available Ansible configuration scripts under /usr/share/ansible-freeipa.
But in order to use ansible-freeipa, you should have the ansible-freeipa package installed. Now, as we are talking about Ansible with FreeIPA, we have these many modules and these many features already present. So you can simply use any one of them and fulfill your requirement. You don't have to go to each server and do the task. Second to last, it is quite interesting. Nowadays we are getting news about security breaches wherein, with single-factor authentication, people are getting breached. So yes, you can make use of OTP with FreeIPA; you have HOTP and TOTP available. So HOTP is your hash message authentication code based OTP and TOTP is your time-based OTP. This would be available for a specific time. I'll just give you a screenshot to make you understand. I have simply accessed the demo machine of FreeIPA. I created the time-based OTP and after filling in the information, I got the QR code which I would be scanning with the application. Here you would be able to see the tokens which are already enabled on the system. I make use of FreeOTP, wherein I will just request the OTP, and while authenticating, along with my password, I would be entering the OTP. Now encrypted backup. Everybody is taking backups to ensure that in case of a crash, or in case of power failure or system issues or hardware failure, we can make use of those backups. But what if those backup files are used by some other third-party person? So you can encrypt your backups as well. You just need to install the prerequisite packages, and once you have installed them, you just need to do some configuration, and once you have configured it, you can set a passphrase for your GPG key, and making use of ipa-backup --gpg-encrypt, you would be able to encrypt your backup.
Identity management and admin mechanism in one central place, the IdM server: centrally manage different types of credentials such as passwords, PKI certificates, OTP tokens and SSH keys; apply policies to multiple machines at the same time; manage projects and other attributes for external Active Directory users; and the list goes on. I mean, there are a number of things that you can do with FreeIPA, provided that you know what your use case or your requirement actually is; you should look for that specific feature or requirement and FreeIPA would be able to fulfill it. Now, the future features. We are trying to integrate with USBGuard. We are trying to make it compatible with the MS-KILE specification, which you can find on the Microsoft website. Support for the global catalog. We are also trying to make sure that users are able to do most of the tasks using the UI, and support one-time sessions, such as when a guest is there and he just wants to use it for a specific session; he just wants to make use of IPA, so they can do that. Future scope of FreeIPA moving forward: we are primarily focusing on robustness, stability and testing, and on troubleshooting capabilities, to make the job of users and system administrators easier.
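As an added example (not from the talk or the ansible-freeipa project), here is a playbook that combines the two central access controls the talk walks through: the sudo rule that lets idm_user run only reboot on idm_client, and an HBAC rule that limits that same user's access to SSH on that host. It assumes ansible-freeipa is installed on the controller, an inventory group named ipaserver, a constructed host FQDN idm_client.example.test, and an admin password supplied from a vault variable.

```yaml
# Added example, not project code. Names below (example.test realm, rule names,
# vault_ipaadmin_password) are constructed assumptions for illustration.
- name: Central sudo and HBAC rules for idm_user on idm_client
  hosts: ipaserver
  become: false
  gather_facts: false
  vars:
    ipaadmin_password: "{{ vault_ipaadmin_password }}"   # from ansible-vault
    target_host: idm_client.example.test                 # constructed FQDN
  tasks:
    # 1. Register the allowed command once so rules can reference it by name.
    - name: Ensure /usr/sbin/reboot is a known sudo command in IdM
      ipasudocmd:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: /usr/sbin/reboot
        state: present

    # 2. The talk's rule: idm_user may run only reboot on idm_client, as root.
    #    No hostcategory/usercategory "all", so the rule stays narrowly scoped.
    - name: Ensure sudo rule 'reboot_only' is present
      ipasudorule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: reboot_only
        user: idm_user
        host: "{{ target_host }}"
        allow_sudocmd: /usr/sbin/reboot
        runasuser: root
        state: present

    # 3. HBAC: the same user may reach idm_client only over sshd.
    - name: Ensure HBAC rule 'ssh_idm_client' is present
      ipahbacrule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: ssh_idm_client
        user: idm_user
        host: "{{ target_host }}"
        hbacsvc: sshd
        state: present

    # 4. FreeIPA ships an enabled 'allow_all' HBAC rule; while it is on, the
    #    restriction in step 3 has no effect, so disable it deliberately.
    - name: Disable the default allow_all HBAC rule
      ipahbacrule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: allow_all
        state: disabled
```

Run it against the IdM server only; clients pick the rules up through SSSD, so nothing needs to be pushed to idm_client itself. Disable allow_all only after rules exist for every host and service your users still need, or you will lock them out.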