So, we're supposed to have it from the start of this time and end it at 16:20, right? 16:20. So we can make one break if you want, if not? Yeah, we want a break. Okay. 15 minutes. Maybe 10, because really people can't wait for coffee and so on. Okay. So the break will be from 15:30, half past three, to twenty minutes to four, okay? Okay. Do you want questions after your talk or during your talk? Well, we don't have a talk. So mostly the people are working, so we can do it really interactively. Okay, so I will show you, I have a lot of time. So before the break, I will show you 10 and 5 minutes left. Yeah. Okay, like this. That's for the break. Yeah. And in the end also, I will show you. I will leave maybe 5 minutes for questions, because people really do have questions, okay? That's fine, yeah. So unfortunately... Yes, ma'am. No, it's not working. Yeah, it's not working. Okay. That's fine. Thank you. Thank you. You're welcome. Yeah, thank you. Thank you. Okay, so we will leave it like this. Okay. And we will leave it like this. Okay. I'm going to show you. Okay, so the break will be from 15:30 to 20:30. Okay. Okay, so we'll leave it like this. Okay. Okay. Please let me know how I can introduce you, like what can I say about you, or who wants to introduce yourself? We can do it on our own. Okay. Thanks. Thanks. So we set up in a few minutes. Yeah, like two minutes. Okay. Yeah, yeah, yeah. It's in the workshop folder, the FreeIPA one. Yeah. We don't need them right now, but later on we definitely need them. So it's okay if you disappear. Okay, good. So then I would say, let's start. So welcome everybody, it's a pleasure for me to be here and presenting about FreeIPA. My name is Thorsten Scherf. I work for Red Hat as a software maintenance engineer in the global identity management team. So I'm mostly touching things like LDAP, everything that is related to Kerberos, X.509 and such interesting things.
Yeah, I'm located in Germany. And for me, actually, it's the second time that I'm here in Brno. And I really like to thank you, and to thank also the city of Brno and whoever went to the airport of Brno, because this time it was really easy to get here. Since, as we know, I have this direct flight from Germany to Brno, it just took me like 20 or 90 minutes or so to get here. Last year it was much, much more difficult, so it took me like one and a half days to get here. I think I had to go via Bratislava and then we had to spend the night in Bratislava and take the train to get back to Brno. So really, thank you that we have this direct flight connection. Okay, so I'm not alone, I have a colleague with me. My name is Hermann Parente. I'm working also in Thorsten's team as a support engineer in identity management aspects. I'm more a specialist in the backend that we will see that is used by FreeIPA, that is Red Hat Directory Server, the LDAP server of Red Hat. And I will be here assisting you in the different exercises that we are going to propose for you to discover this technology, FreeIPA. So before we start with the actual workshop, a little overview about the agenda. So we have actually two parts. Obviously this is the first part today, where we do a little introduction about FreeIPA. Actually, which of you already has some experience with FreeIPA? Which of you has hands-on experience with FreeIPA? Okay, so you will get some hands-on experience during this workshop. I promise there will be a lot of exercises. You can go through them and you will hopefully get hands-on experience later on as well. So as I said, we will start with an introduction on FreeIPA: what it is, why it is the best thing since sliced bread, why you want to use it, why it is so much better than other products in that area, what you can do with it, some overview about the features, and so on and so forth. And then it is really up to you.
So as I said, this workshop, it is really a workshop. It is not a presentation. There is an introduction part, but then it is up to you to work with this product. So we have an environment prepared which is based on Vagrant. I will talk a little bit about the environment later on. So you are supposed to set up a Vagrant environment on your boxes. We have some modules prepared and you are supposed to go through all of those modules. So the idea is to finish the main server installation and client installation today. And we also have another module which we would like to go through today, which is about user and group management. It might take some time to set up everything properly, but I would really like to ask you to take the time and to set up a proper environment on your machine, because the whole workshop relies on a properly working environment. So if something is not working properly on your box, please let us know. We really should take the time to fix problems today so that we can go through the rest of the workshop and through the remaining modules tomorrow. So as you can see, tomorrow is the second part. It starts at 10:40 and it also lasts for one and a half hours, just like the one today. And we will cover topics like host-based access control, web service configuration and moving the web service into the FreeIPA domain. We will cover certificate management. We will show you how you can install a replica so that you don't have to rely on a single server. And then at the end we talk a little bit about SSH public key management for users and for hosts. As I said, we will briefly cover all of the topics and give you a little introduction about the topics, but then it's up to you to set it up on your own box, and that's why it's really so important to have a properly working environment. Any questions regarding the agenda and so forth?
So let's start with the introduction part and then we can talk later on about the setup, what you are supposed to do on your own box. So what is FreeIPA? FreeIPA, it's short for Identity, Policy and Audit. So it's a framework that provides identity information or policy information. And yes, the focus so far definitely has been on the identity and on the policy part, but I can tell you that it's in the works and we can expect to see something regarding this component in the near future as well, hopefully. And yeah, it's an open source project that was started already a couple of years ago; the last release was in December, it was version 4.3. It's all based on well-known open source tools and open source projects, so we are not reinventing the wheel, but what we are doing with FreeIPA is to provide, so to say, the glue between the different components. So for example, we have an LDAP server which acts as kind of a back end for all the information which is stored in the framework, and instead of coming up with a new solution we use a well-known LDAP server, which is actually the 389 Directory Server, and the same is true for the other components as well. You will see that on one of the next slides. FreeIPA is actually the upstream project for Red Hat's Identity Management solution which is part of Red Hat Enterprise Linux, so it comes for free; people don't need an additional subscription to get access to the bits, it's part of the actual operating system. Okay, so here's a little architecture overview and which components are involved. As I said, we have a directory server. The component which is used here, as I just said, is 389 DS. We have a Kerberos server; this is the MIT Kerberos software which is used here. We have a DNS server, BIND. NTP is also used to synchronize time between all the different machines, and also a certificate system to manage certificates. This one is actually based on Dogtag. So that's the architecture.
So we have a web user interface which can be used to actually manage the whole environment, and which can also be used as kind of a self-service portal for users to edit their own data. Of course this is limited to certain attributes; you cannot change your manager if you would like to do that, that's not possible at all, but for example you could change your office number or office address or whatever. FreeIPA also has a command line tool which can be used to manage the whole thing, the whole framework. And as always, most of the time it's more convenient to just use a command line tool to add something quickly instead of using the web UI, but of course that's completely up to you. If you're a GUI fan then use the GUI; if you like the command line, use the command line. So some of the features. IPA provides centralized authentication via Kerberos, that's what I already mentioned. So you can store user information, you can store group information, you can store host groups, you can store services and netgroups; that's all part of the IPA framework and IPA can handle all of this identity information. It's really, really easy to set up the whole thing. So if you know how difficult it can be to already set up a single, let's say, Kerberos environment, it's really different now with FreeIPA, because you just have a single tool to set up the server, and the single tool configures all the different components for you. Well, it actually configures the components, it doesn't create them, but it configures them, and after a while it's all done, it's finished.
So it takes a while; it depends on which components you want to use, which might be optional in your environment, but on average it takes not more than 10 minutes to complete a whole installation. And the same is actually true for the client as well. In order to enroll a client into a FreeIPA domain it's just one tool that has to be executed, and ideally it also finds the necessary information, to which server it has to talk and which realm it should use, in DNS; so it does a DNS auto-discovery, so that you really just have to enter the tool name, push the enter button, and then it's all done. So it's really, really easy now. It's a pluggable and extendable framework for the user interface, and the same is also true for the command line. So basically, when you use the command line it's all based on modules, so you just have one tool, one little ipa tool, and then it depends on which module you pass as an argument to the tool what kind of information you want to manage in the FreeIPA environment. So for example if you want to do something related to users, you call the user module; if you want to do something which is related to hosts, you call the host module, and so on. Yeah, self-service portal, that's what I already mentioned. So some more features. You can create and manage X.509 certificates. In the past it was limited to hosts and services, but with the latest releases you can also request user certificates, for example if you want to do S/MIME and you have the need to issue user certificates for your users; that's now possible with IPA. So it's not just limited to host and service certificates. You can configure host-based access control, so for instance you can define that user A is allowed to log in to host B, but user A is only allowed to use SSH on host B and no other service, and such things; that's possible. Centralized sudo management. So before I moved into the current department I was working as a consultant for Red Hat and I had to do with a lot of different
customers, and I did a lot of installations at customer sites, and customers really told me the centralized sudo thing, that's really one of the key features in the whole environment. That's what customers really like, that works well. It's not limited to this feature, but this is one of them. I think it's really a cool thing that you can now store sudo rules as part of the IPA framework and that there is no need anymore to store them locally on the different systems. Yeah, I agree, that was also possible with a plain LDAP server, but with FreeIPA it's much, much easier to do it and to set it up. SELinux policy management: who of you is actually using SELinux in enforcing mode? So just type enforcement? We also care about other ways to use it, more than just such things. No? Okay, you should think about it again, because with IPA it's really easy to implement this as well. So if you want to create a mapping between a system user, so a user who logs into a system, and an SELinux user identity, instead of doing this mapping locally on the client system you can do that on IPA. So you just define the mapping in the IPA framework and as soon as the user logs in, the mapping is applied, so there is no need to do that locally on the system. So, oops, sorry. So you have group-based policy. You can configure the whole server as a NIS server if there is still a need for it. So there are some people out there using NIS; if you want to migrate slowly from this legacy solution to a more modern solution, then you can configure the IPA system as a NIS server. So you can import your NIS maps, the client is still able to talk NIS to the server, and then you can start slowly to migrate over from NIS to IPA, so that in the end clients are not talking NIS anymore but more modern protocols like LDAP or Kerberos. Painless password migration, that's also a quite interesting thing. If you want to migrate to IPA from another solution like another LDAP server, for example, it's pretty easy to migrate the
password. The problem here is that when you want to use Kerberos you have to have a principal with a password assigned to the principal. So if you use this password migration thing, it's really easy to let IPA create the Kerberos principal for the users you are migrating over to the IPA environment automatically, without a lot of manual intervention. So DNS: as shown in the architecture picture, IPA is also able to handle DNS, that's part of the BIND service. It's optional, so you don't have to use it, but it's really convenient if you use it, because if you don't use it then it's really up to you to manually add the required DNS records to the already existing DNS server, for example if you have to deal with service records, or regular A or PTR records you have to add to the existing server, mostly manually. I mean there are other ways to do it, but the customers I have seen, when they don't use the integrated server, they mostly do it manually. So replication: I already said that you can set up more than just one server, so you can set up replicas. As I think, and correct me if I'm wrong, there is no technical limitation in the number of replicas that can be set up, but what we test in-house is a setup of up to 20 replicas. That's what we test in-house. So if there was a need to have more than 20 replicas, technically it's definitely possible, but from a performance point of view it might be something that is not ideal, because the more replicas you have, the more replication traffic happens, and there might be some issues with the number of replicas you add to your environment. So you can also replicate data from an existing Active Directory domain. FreeIPA is able to talk to a domain controller which is part of an Active Directory domain, even though we call this kind of replication legacy, because there are more modern methods available these days. But if there is a need for it, it's still possible that you replicate existing user entries from an Active Directory domain over to the FreeIPA domain, and
then those Windows users can also access resources in the IPA domain. The problem here, and that's what I've seen in the field as well, is that just replicating user entries of course is not enough so that AD accounts can log in and access IPA resources. What is of course also required is the password, so you also have to replicate the user password from the AD side to the IPA side. And the way how we do it is, we have a little utility called PassSync; it's a package which can be installed on the domain controllers, and it captures the passwords from the users and sends them over to the IPA server, and then they are stored on the IPA side. So you have to come up with some mechanism so that people are somehow forced to change their password, for example, in order to capture it with this utility and then send it over to the IPA side. And that's actually also the problem. So if you go to a customer, they have the whole thing; usually in large enterprises there are different departments who take care of the Linux side and the Windows side, and when you as a Linux guy go to the Windows team and tell them that they have to install a little shiny utility which is capturing the user passwords, which you then send over to the IPA system, that's crazy, people usually don't like that. But you have to do it in order to get the passwords. So another method to integrate IPA systems into an existing AD domain is a Kerberos realm trust. What you can do on the IdM side is to set up some required services to have the necessary functionality available, and if those services are available, the IdM system more or less looks, to the AD domain controllers, like a regular DC, just like another domain controller. Of course then you can set up a trust between those two systems, and then there is no need to replicate information from the AD side to the IdM side. So all the accounts can still be stored on the AD domain controller, there's no need to copy them over, but because of the trust, users from the AD
side are able to access resources on the IdM side. And that's even true not just for the domain controller which is responsible for the actual domain where the domain controller belongs to, but for all the domains that belong to the same AD forest. Of course you can blacklist certain domains here; if you want to keep certain users out from specific domains, you can blacklist those domains. So that's the Kerberos realm trust, and that's the thing that we really like to encourage you to use when you want to integrate IdM into existing AD domains. It's so much easier to do compared to the replication thing. It also has some requirements, but in general it's definitely easier to get it up and running. And then you also have various clients you can use as IPA client systems. We have one native client application we will talk about on the next slide, but you can also make use of your regular PAM and NSS stack in order to talk to IPA. So every system which comes with the NSS and PAM stack should be able to talk to the framework and authenticate system users against the framework. Okay, so that's the native client I just mentioned: SSSD, it's the System Security Services Daemon, and it's part of Fedora and RHEL, and it's easy to set up. The native backend for SSSD, as I just said, is FreeIPA, but you can also use it to point your client system to other backend systems. So for example if you want to integrate a client directly into an AD domain without IdM in between, that's also possible; it has advantages and disadvantages, but that's also possible with SSSD. So you can have various backends, and FreeIPA is of course the native backend for this client application, but it can also use other backends.
If you want to make use of all of the features which are provided by IPA, then actually you also have to use this client application. So for example for the SELinux user mapping or for centralized SSH access we really recommend to use this client application. So here's a little architecture picture. So this is a client, sorry, this is an SSSD client. Here you have the other systems and here you have the backend systems, and as you can see you have an NSS responder here in front of the clients talking to the system, you have a PAM responder; so that's why I said every system which has the NSS stack and the PAM stack should be able to talk to the framework. Then you have different providers in the backend which then talk to the actual backend system. So there is one provider for IPA of course, there is a provider for AD, for an LDAP server, and so forth. And as you can see, we also have a cache available here, so that there is no need to open new connections for every new incoming request as long as the information is cached already here on the client. And that's the SSSD architecture. So that's actually it for the overview. Some resources are mentioned here for reference, and you have the slide deck available as part of the workshop which is on the USB stick. So any questions regarding what we just talked about, anything? If not, I'd like to move over. So we have the break in 10 minutes. Okay, yeah, that's perfect, because then we can talk a little bit about the setup. Okay, so can you read that? So in the FreeIPA project there is a nice workshop available which I customized, which we actually customized a little bit for the conference here. Okay, it starts here. So as you can see we have various modules available here. As I said earlier, the first module is about installing the FreeIPA server, and then it continues; then you're supposed to enroll a client into the IPA domain, do host-based access control, and so on and so forth. And the next thing is, this all will only work if you
carefully follow all the instructions mentioned here in the preparation section. So as I said, the whole workshop is based on Vagrant. Anybody here who does not know what Vagrant is? Okay, so we use Vagrant with the libvirt plugin. So that means what you have to do later on, probably after the break, is to install Vagrant on your box when it's not already there, together with the libvirt plugin. What you have on your USB sticks is a Vagrant image file which can be imported, and then what you will also find on your USB stick is a Vagrantfile, and if you fire up the whole environment you will find three different systems on your box: you will find a server machine, you will find a replica machine, and you will find a client machine. All of those three boxes are based on the image you have to import into your own machine, but it's all described in great detail here in the document. So the document itself is also part of the USB stick. So the original idea was to fetch the Vagrant box from my machine, but apparently that's not possible, so you cannot connect from your box to my box, that's blocked on the network layer; that's why the image is part of the USB stick. So the original idea was also to clone my Git repository to your local machine, but that's not necessary anymore, because all the data is now also on the USB stick. Then you have to create entries for the virtual machines on your own box, and then later on easily SSH into those machines, even though it's not really possible... If you're familiar with Vagrant you can also use vagrant ssh machine-name to SSH into the box. But for example if you want to use the web interface in order to talk to FreeIPA, then of course you have to have proper DNS names available on your local box. So what I would say is, after the break you fire up the document on your box, go to the preparation section, execute the commands outlined here to install Vagrant and the plugin and bash completion and so on and so forth. That's convenient if you have
bash completion available, because there's also a bash completion file for IPA, so that you don't have to remember all the commands; you can just use tab completion and you're done. So I assume, please correct me if I'm wrong, but I assume that most of you guys have a Fedora system available on your boxes. Please correct me if I'm wrong; if not, we have setup instructions for other operating systems as well, but it's all tested on Fedora, so I really like to encourage you to use Fedora. Do we have USB sticks with a pre-installed Fedora that can be used? Okay. So which of you don't have Fedora on the notebook machine? Okay, so what operating systems do you guys have? Ubuntu, what else? Okay, so give it a try, let us know if it works; if not, we will find a way to make it work, hopefully. So just to give you an idea, as I said, please install the necessary packages, it's outlined here. So then, as I said, the idea was to clone my Git repository; don't do it, I mean you can do it, but we have the same data also available on the USB sticks. Then in order to have your local user able to manage the Vagrant environment, you have to put them into the vagrant group and install a PolicyKit rule set. That's required so that you can use your regular user account to manage the whole environment. Make sure you restart the services. So then the idea was to fetch the box from my local machine; as I just said, that does not work; use your local USB stick. Again, you can just point vagrant box add to your file, so to the file path; actually use the file path and point the tool to the box which lives on your USB stick. Now make the /etc/hosts entries, and then hopefully everything is working, okay, so that you are ready to start with the first module. We have three hours in total, one and a half hours today, one and a half hours tomorrow. Please make sure this is working, okay? If not, again, you won't be able to go through the modules, because
all of the modules require a working setup, okay? So if you have questions, ask us, we are here to help you with the setup. And so far, any questions before we go into the break? Okay, so then we continue in 10 minutes. Okay, so in 10 minutes we see each other again. So it doesn't take anything, you can just install it and copy it to whatever it is. Okay. Can you ask if you have any questions? Because I don't have any, but if not, let me know. Okay, so yeah, the file, it's also on the USB stick. So there are many files; it's called workshop.html, so you can just fire it up in your own browser. Yeah, this one. So there's a subfolder on the USB stick called freeipa-workshop and there are some files inside; workshop.html, that's the file. Yeah, you need to... which machine? So no instructions? Yes, so if you copy... I'm not sure... copy the whole file. [inaudible cross-talk during the break] We will try to change what would be accessible to all of you. This is the most difficult challenge. We will check after the break for those who have a problem. Maybe a bunch of questions. [inaudible] Yes, ma'am. These are some questions that we've seen these days. Good luck. Hey, thank you. I need to go. So you are leaving already? No, no, no.
[inaudible] So did you get it working? Yeah? Okay. Great. They are not part of the competition. So everybody finished with the coffee? Oh, I was preparing another one, but I don't need one. I have other things here. Yeah, exactly. Does anybody need a USB stick or something? No, I don't need a USB stick. Okay. So we continue the workshop. I'd like to remind you, please do leave us your feedback about the conference, about this particular workshop. You will find all the links for feedback and for Telegram channels on the backside of your program. And if you write a nice blog post about the event, you maybe will get a red hat. Thank you. How is it going with the preparation? Do you think it's working okay so far? Yeah. You don't have to download it from there, because it's on your USB stick. So you can't connect to my machine, that's the problem; that's why we had to put everything on the USB stick. So if you want to look at the instructions again, there is a file called workshop.html which is also part of the workshop folder. So if you are done and if you are really sure that Vagrant is installed, you have the box file, or actually the image, copied to your machine, you have imported it into Vagrant, this is vagrant box add, just like outlined in the preparation section, you have your DNS entries in /etc/hosts, that's what I already mentioned, then you can start with the first module. And the first module is to install the IPA server on the server box, of course. And what you have to do is, you can just run vagrant up in the folder where the Vagrantfile actually exists. That's important. So here's the Vagrantfile, if you want to take a look at the file. So this is the box name, that's also important. So if you import the box into Vagrant, make sure you use the command vagrant box add with the box name, key-share/freeipa-workshop, and then the path to the place where you actually stored the box or the image.
So that's defined here. And then as you can see, we have three machines defined in the Vagrantfile. So that's the server definition here with a specific IP address. Then we have a replica box defined here with a specific IP address. And then the third machine is a client with another IP address from the same network subnet. You don't have to take care about proper network configuration; that's all handled by Vagrant and the underlying libvirt framework. So when everything has been copied over, just run vagrant up and then it creates three virtual machines based on the image you copied over from the USB stick. It just takes a minute or so to get everything up and running. So the configuration of the machines is done here; you're ready to go. So if you run virsh list, for example, you see three virtual machines available on your box now: freeipa-workshop server, client and replica. Make sure you have the PolicyKit file installed on your systems. Make sure your local user is part of the vagrant group. Otherwise this will not work. And then you can just run vagrant ssh server, for example, to SSH into the server machine. And as you can see, that's indeed the server. It has a specific IP address assigned; that's the one we defined in the Vagrantfile earlier here, 33.10. You can also connect to the replica system; here we have the replica available. And you can also connect to the client; here we have the client. They have network access, so you can ping the server machine from the client and you can also ping the replica machine from the client. And the same is true the other way around as well. So try to get this up and running, and then, as I said, you can start with the first module. Instructions can be found... Basically, what you have to do in the first module is to get the server up and running. So there is one thing I forgot to mention.
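The preparation steps the speaker keeps insisting on (Vagrant plus the libvirt plugin installed, your user in the vagrant group, the three /etc/hosts entries in place) can be checked with a small script before running vagrant up. The script below is an added example, not the workshop's or the FreeIPA project's own code. It assumes the machine names server/replica/client under ipademo.local and the 192.168.33.x addresses: the talk only mentions "33.10" for the server, so the replica and client addresses here are constructed.

```shell
#!/usr/bin/env bash
# Pre-flight check for the workshop's Vagrant/libvirt environment (added example).
# Assumption: host names and addresses below match the three machines in the
# Vagrantfile; only the server address (x.x.33.10) and the ipademo.local domain
# come from the talk, the rest is constructed.
set -u

WORKSHOP_HOSTS="server.ipademo.local=192.168.33.10
replica.ipademo.local=192.168.33.11
client.ipademo.local=192.168.33.20"

# in_group NAME: returns 0 if the invoking user is a member of group NAME.
in_group() {
  local want="$1" g
  for g in $(id -nG); do
    [ "$g" = "$want" ] && return 0
  done
  return 1
}

# hosts_file_ok FILE: returns 0 when every workshop host maps to its expected
# address in FILE (normally /etc/hosts); each missing or mismatched entry is
# reported on stderr so you know which line to add.
hosts_file_ok() {
  local file="$1" name ip ip_re name_re ok=0
  while IFS='=' read -r name ip; do
    [ -n "$name" ] || continue
    # escape the dots so they match literally in the ERE
    ip_re=$(printf '%s' "$ip" | sed 's/[.]/\\./g')
    name_re=$(printf '%s' "$name" | sed 's/[.]/\\./g')
    # accept "<ip> [aliases...] <name>" on one line; comments are ignored
    if ! grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+([^#]*[[:space:]])?${name_re}([[:space:]]|$)" "$file"; then
      echo "missing or wrong entry in $file: $ip $name" >&2
      ok=1
    fi
  done <<EOF
$WORKSHOP_HOSTS
EOF
  return $ok
}

# preflight: all the checks the talk asks for before 'vagrant up'; 0 only if all pass.
preflight() {
  local rc=0
  command -v vagrant >/dev/null 2>&1 || { echo "vagrant is not installed" >&2; rc=1; }
  vagrant plugin list 2>/dev/null | grep -q '^vagrant-libvirt ' || { echo "vagrant-libvirt plugin missing" >&2; rc=1; }
  in_group vagrant || { echo "current user is not in the 'vagrant' group" >&2; rc=1; }
  hosts_file_ok /etc/hosts || rc=1
  return $rc
}

# usage: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

Run it with --check before vagrant up; a non-zero exit tells you which of the preparation steps is still missing, and the /etc/hosts check is what makes the web UI reachable by name later on.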
So if you connect to the Vagrant box by running vagrant ssh server-name, you're automatically connected as the vagrant user. And this vagrant user has sudo access. So you can just run sudo ipa-server-install --no-host-dns --mkhomedir to set up the server. But again, because it's really so important: before you do that, really make sure everything has been configured properly. There's already a server up and running? Who wants to get the first scarf here? Anybody? You have it up and running? Okay, cool. Here's your scarf. Sorry? If it is even possible to make it run on OS X? Yeah, there are some setup instructions for OS X as well. But I didn't test this on OS X because I'm not really... I have the results provided and I think there's no root for OS X. That's true. That is correct. And the problem here is that the image we are using is for a libvirt-based environment. So you cannot use VirtualBox with this image. So maybe you should think about booting your box from a USB stick and booting up a Fedora. Is that possible? So do we have Fedora systems, so that they can boot the machine with a Fedora? So we don't have such... So you can boot your box with a USB stick and then you have a Fedora up and running, and then you can follow the instructions. It does not touch your other operating system. So you can also boot up a Fedora and then you can use libvirt. In theory, yes, it does work, but the image we have available here is only for a libvirt-based environment, because the idea was that everybody used libvirt, and if you don't have it available on your box you can boot up a Fedora system from the USB stick and then you have it. So if you encounter any problems with your setup, then that does work. We can... Probably we just don't travel on these things. I just wanted to mention something. If after having read all the features that this project includes, you think it's not enough for you,
we have hidden in the audience the architects and program managers of IdM and LDAP servers. So you can discuss with them about the roadmap. You have to find them first. They are here. Oh, a different one actually. Yeah, some of the sticks, they were damaged apparently. So there's a bunch of files and stuff. So you can just copy it over to your box. Yes. So, anybody already with a working IPA? We have some more scarves to give away. So you get definitely one. Sorry, who was it? Okay, third one, and then I think that's it. Who also has it up and running? Okay. So what I will do while you are still working on the setup, I will also execute the command on my server box so that you can take a look at how it should look like. So this is the first Vagrant machine which has been set up here. And that's the install program. As I said, I don't want to do a DNS lookup for the server machine name. I do want to have home directories configured on the box when a user logs in for the first time but the user does not have a home directory available. Yeah, there are other solutions available, like automount, that can automatically mount a centralized NFS share, for example. It's also described in the document, but here we don't have that. I just tell the installation program, please create a home directory: when a user logs in and the directory is not there, just create one for the user. And yeah, then you get some more information from the installer. We do tell the installer to set up BIND. I just take the default server name, which is server.ipademo.local. I confirm the default domain name, ipademo.local. I also confirm the realm name, which is equal to the DNS name in upper case. So this is the password of the Directory Manager, which is actually the manager of the...
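The answers the speaker gives to the installer prompts (server name, domain, realm as the upper-cased domain, BIND enabled) can be passed as options instead, which is how you would script the first module. The wrapper below is an added example, not the workshop's own script; the --setup-dns and --no-forwarders options are an assumption about how the BIND prompt was answered (the talk only says BIND is set up), and the two passwords are deliberately left to the installer's interactive prompts so they never appear in the process list or shell history.

```shell
#!/usr/bin/env bash
# Scripted version of the first module's server installation (added example,
# not the workshop's code). Hostname/domain defaults are the ones named in the
# talk; --setup-dns/--no-forwarders are an assumption for "set up BIND".
set -u

# realm_for_domain DOMAIN: prints the Kerberos realm, i.e. the DNS domain in
# upper case, which is the default the installer proposes.
realm_for_domain() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# ipa_install_args HOSTNAME DOMAIN: prints the installer options used in the
# talk (--no-host-dns, --mkhomedir, BIND integration) plus the explicit names,
# or fails when the hostname is not inside the IPA domain, which the installer
# would otherwise reject later at the prompt.
ipa_install_args() {
  local host="$1" domain="$2" realm
  case "$host" in
    *."$domain") ;;
    *) echo "hostname $host is not in domain $domain" >&2; return 1 ;;
  esac
  realm=$(realm_for_domain "$domain")
  printf '%s\n' "--no-host-dns --mkhomedir --setup-dns --no-forwarders --hostname $host --domain $domain --realm $realm"
}

# ipa_server_install HOSTNAME DOMAIN: run the installer via sudo as the vagrant
# user. Directory Manager and admin passwords are typed at the prompts; passing
# them as options would expose them in 'ps' output and history files.
ipa_server_install() {
  local args
  args=$(ipa_install_args "$1" "$2") || return 1
  # word-splitting of $args into separate options is intended here
  sudo ipa-server-install $args
}

# usage (inside the server box): ./install-server.sh --run [hostname] [domain]
if [ "${1:-}" = "--run" ]; then
  ipa_server_install "${2:-server.ipademo.local}" "${3:-ipademo.local}"
fi
```

The hostname check matters because FreeIPA derives the realm and the DNS zone from the domain; a server whose FQDN is outside that domain is the most common reason an otherwise correct install fails part way through.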