Good morning, how are you doing? Okay, still not awake. So I'll try not to bore you to death. Hi, I'm Christian Heimes. I'm from Hamburg, Germany. Some of you may know me: I'm a Python core contributor, and I work mostly on security stuff for Python core, so the ssl and hashlib modules. Those of you who still use Python 2: I also helped to do bytes and the b'' string prefix in Python 2 back then. So that's some of the stuff I did in the past.

I'm from Hamburg and I'm really glad I could make it here. Usually Hamburg looks like that. Except if you have the G20 summit, then it looks like that: so these are burning things in the streets, and riots, and they burnt lots of cars and shops. It was fun. Not.

In my professional life I also do security things. I'm a senior software engineer at Red Hat, now for over two years, and I work on the stuff I'm going to present to you: FreeIPA, Dogtag, which is a part of FreeIPA, and Custodia secrets management, which is also part of FreeIPA. So FreeIPA, in case you wondered: it's not beer, it's not India pale ale, so I won't give you free beer in the morning, sorry. IPA is identity, policy and auditing. It's an open source stack of lots of components; I'll show you in a minute.

First the agenda, the plan for today, or for this morning. First I will run you through a small scenario where you could benefit from identity management. Then I'll explain what identity management is. We go through the stuff like FreeIPA, the components, how to integrate FreeIPA, and then I'm doing a bit of demoing. Installation: I'm not going to show the actual installation because it's going to take like 10 minutes and we don't have that much time, but I'm going to show you how to actually integrate that into an HTTP application, and a summary at the end.

So the scenario, a very simple case: you want to have a bulletin board for your company where you just share notes. What do you need? First of all, users need to log in.
Oh, the fonts aren't showing up correctly. Oh, that's new. Oh, that one works. So there should be login and password; for some reason the fonts don't show up. You need a user database, because you also want to show the real name, email address, maybe a phone number where you can reach a co-worker. You need to handle permissions: you don't want to have the intern looking at notes from the CTO. Of course, these days you want to secure all your networks with proper TLS, so you need certificates for that, and a private key, and some infrastructure. Maybe you need to renew your certs every once in a while. And finally, for the people who are going to deploy the application, you need to SSH into a machine and maybe have sudo rules so they can get root privileges.

Yeah, that's going to be a bit complicated if you have not just one machine and ten users but like 50 services like that, and maybe 50 users, or 500, or 10,000 users.

So don't worry, be happy. We want to make, first, human resources happy, so we don't want them to add new users to 50 databases, and also have the metadata in one place. So if somebody gets married and changes their name, they don't want to change it in 50 user databases all over the place, just one. We want to make the admins happy, so we want to have them centralize all the access control, and not mess with certificates manually, because the OpenSSL command line interface is just painful to use. 2FA for some services would be nice. Developers: you as a developer probably don't want to learn about how all that Kerberos or SAML works, or how to interface with LDAP. So we want to use all of them, Kerberos, but not actually code that; have that automated and wrapped away for you very easily. And finally, plain users, the co-workers, just want to have one password, one login for all the stuff you have from the company.

That sounds a bit familiar to you?
There was actually a talk by a co-worker of mine two years ago at EuroPython who explained that using a Django app. If you want to know more about actually integrating the whole stack, watch that talk. I'm going to explain more the DevOps-y part of FreeIPA and a bit more the techie part.

What's identity management? Who of you has heard the term identity management before, or actually uses one? I see, well, like one third, 50%, okay.

Just to start, obviously, the Wikipedia definition: identity management describes the management of individual principals, their authentication, authorization and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.

A couple of terms I made bold. Some of you may know the terms, but to get all on the same page, what are they? Principal: it's just a fancy name to describe some kind of entity you want to identify. So it's not only users, because we also want to identify machines and services. Authentication, just to make it clear: authentication is about proving who you are, so like using a password and a login name, using a smart card or some other fancy ways. Authorization is actually giving you access to something. So for example, when you cross into another country, you show your passport, so you're authenticating yourself, you're proving your name, and depending on whether you're authorized to enter or not, the border guard will let you in or not. And this is often coupled with privileges to make it a bit easier: so you're in a certain group, and a certain group is allowed to do something, or you can delegate permissions to somebody temporarily.

Now, FreeIPA. A bit of a teaser, what the web page of FreeIPA tells you about FreeIPA. Identity: managing users and client hosts in your realm from one central location with CLI, web UI or RPC, and having single sign-on for the applications.
So that's the identity part. Policy: if you're an admin, also a very important thing. Once you've authenticated, you also want to grant users certain kinds of access, and you also want to centrally manage, like for your web servers, who's allowed to log in, who's allowed to gain root privileges. So you can do like SELinux rules, autofs rules if you have NFS, sudo rules, whatever. And finally trust: FreeIPA can also do cross-realm trust with other domains, for example Active Directory.

Now if you wonder where the A, the auditing, is: we haven't got to that yet. So we still have to add actual auditing to the core of FreeIPA. That's something that is currently developed in external projects, for example console logging, where you can record what an admin does on a machine. That's not yet in FreeIPA.

Should you actually use FreeIPA? Depends a bit. If you want to use FreeIPA just as your user database for a single server that's public on the internet, probably not, because these days you have Let's Encrypt, you get a publicly trusted certificate; you have social login, GitHub, Twitter, Facebook, Google, they all have OpenID Connect providers. If you're in a university you have all of them, a SAML or a cheap LDAP-based solution. Just use that if you have just one public service. But if you have lots of internal services, you don't want to disclose your services to the public. For example, for Let's Encrypt you have to actually create a certificate with all the host names in them, so everybody could see your names, because they also publish their certificates in a log. Although they're not adding wildcard certs, still, wildcards are very dangerous. If one of your hosts gets compromised, then you can throw away your wildcard cert; you have to re-roll your whole application, your whole network basically, because your whole network got compromised, just from one service leaking the private key for your certificates.
So for a non-trivial case, if you have to deal with much more than simple web pages, or more than one simple case, FreeIPA is actually a good solution. So if you have more than a trivial amount of users or admins; if you want to reuse all your information not only for just a web service and for SSH login but even for like email, or you have Java clients, all that comes later; if you want to manage your own internal CA for all your services, maybe even for VPN logins or for smart card applications. Yeah. I also still remember from my first job, it was rather tiresome to get logged into all machines, because the admin had to copy my public SSH key to all the machines and add me to the sudo rules. So if you want to automate that in a central way, FreeIPA is also very useful. And finally, if you want to scale up: you start with a small thing, oh, we might go from a couple of users to a lot of users. Yeah, then FreeIPA might be a good solution for you.

So what is it actually? It's a lot of components. These are five of the most important components: you have the KDC, the Kerberos key distribution center; you have an LDAP server; you have a public key infrastructure server; you have a DNS server built in; and you have a set of tools, both web-based and command line-based, to manage the whole solution, and much more.

So, MIT Kerberos: the single sign-on and the authentication between machines, for the most part; it can do more. 389 DS is an LDAP server, originally developed at Netscape and now maintained by Red Hat. Dogtag public key infrastructure is a Java, Tomcat-based solution which is built for large entities, now also wrapped internally in FreeIPA to give you a CA infrastructure. We have BIND DNS bound to LDAP.
Yeah, we have SSSD, a daemon; probably most of you don't know it, I'll come to that also in a minute. We have Apache HTTPD with a couple of modules I'm going to explain later. And finally all the tooling around, the glue code between all the stuff, including the installer and management, is all written in Python.

So, who knows how Kerberos works? Oh, okay, yeah. Then: Kerberos is both a three-headed hound and also a protocol. Some of you associate it with enterprise and think it's already been dead for years. No, it's not. If you use Active Directory from Windows, it's basically Kerberos and LDAP, and in big enterprises you also use Kerberos. It's not that complicated for end users. So I give you a small example of how Kerberos mostly works; it's good enough to understand how it works.

Imagine a public transport system. A public transport system like, for example, we have Rimini. You want to ride a bus in Rimini. So in Kerberos that's called a realm, and it's mostly written, always written, uppercase. I as a user want to ride a bus in Rimini, so I need an account. That's mostly written like that: so it's me, cheimes@RIMINI.IT, that's my user principal. And we also have services and hosts, so a place like a bus stop would be like host/palacongressi.rimini.it@RIMINI.IT, and finally the service, written like that, so you have a service, the shuttle bus starting at the Palacongressi: shuttle/palacongressi.rimini.it.

So in the morning I'd like to ride the bus. The first thing I have to do, I have to prove my identity to something called an authentication server. Once I prove my identity to this authentication server, I'm getting a ticket back. It's called a ticket-granting ticket, like a daily pass. So when I want to ride the bus I show this ticket-granting ticket to a ticket-granting service. Oh no, sorry, first of all I have to store my ticket, like in my wallet.
It's called credential cash about that so I Show my ticket my ticket on ticket to a ticket granting server and that one giving me back a ticket that's only valid for this shuttle bus and Finally, I show this ticket to the bus driver and he has internally like a verification thingy called a key tab and they can verify my ticket the tickets are usually valid for a couple of hours half a day and That's how single-sign on works. So you have to type your password only one time Maybe it's 2FA maybe the smart card authentication and then you have something you can use all over the place to request new tickets And we also have all information stored in the LAP server. So that's the central database All up is in hierarchical database like a tree and Good thing is it's all standardized so both of protocols standardized So you don't need like in the sequel world the process for my sequel driver You just use an LAP driver can talk to any LAP server Also, the database schemer is Standardized for everything you basically need so no matter what if you talk to a windows or Linux if they implement the correct schema part like POS X user it works LAP server optimized for reading. So You don't write that often to all up and they also can heavily optimize all reading operations and replication So you can have like a distributed network of all observers We have fine-grained access control you can actually Combined with a delegation Make sure that every user only sees what he's allowed to see so delegation means typically in a web application you have A user that locks into a replication then you have from the replication to a database saver and a database user for that Web application we don't do that the user locks into the web application or the command line interface Gets delegated through the LAP database. 
The LDAP database only sees the actual user; there's no kind of special service user for the database connection, and so we can actually fine-grain which part of the data a user can see, modify, query. So any kind of SQL injection wouldn't work for LDAP; you can even let any user directly query the LDAP server, they can't do any harm. And even the front end doesn't do extra permission checks; it's all handled by the database. And finally, master-master replication with a replication topology.

That's how LDAP looks from a software that's called Apache Directory Studio. On the left you see a tree, on the right you see one of the leaf nodes with my user login. Of course, if you just have one FreeIPA server it wouldn't be very redundant, so you probably want to have like two, three, five or ten servers or more. That's handled by something called replication, and here's an example of how we would do a replication between four data centers with three or four servers: you create a couple of replication agreements and they will distribute the data and the load over time. That scales very nicely. Here's an example we did for a performance test with 60 servers; each of these small green things is a server.

We also have a DNS server. You might wonder why a DNS server? Yeah, host names are also identities, so we have host names in the DNS server, and also the reverse zone, so you don't have to create your own reverse zone mappings. We use DNS for service discovery and failover, so we are able to get all the LDAP servers from DNS, even location-based, and if some of the servers fall out then we automatically try another one; we don't have to configure that. With location support we make sure that you try to stay in your own data center and only go to the remote one if all the servers locally fail. We store your SSH fingerprints in the DNS server and we also do DNSSEC, because we can do that. So here's an example of what we can get from DNS.
You see Kerberos information, the SRV record for LDAP, and SSH.

Next thing is Dogtag, that's our CA server. It's a certification authority; you can have sub-CAs, you can do the whole lifecycle of the certificate for a server, you can have different profiles, you need a special profile for your VPN server or your web server or whatever other server you have. It does CRLs and OCSP to revoke and check certificates, the SCEP protocol used by some, I think, Cisco machines, and also a way to do escrow if you want to encrypt data and store it in there. It also has HSM and smart card support, but that's not supported with FreeIPA, just with standalone Dogtag.

And finally SSSD. It's a daemon that's running on all your machines, even the client machines when you enroll a client. It hooks into PAM and NSS. PAM does, when you log into your Linux machine on the console or in KDE, GNOME or SSH, your password check, and NSS, the name service switch, provides user information like: give me the username, give me the group membership, give me your autofs mapping for NFS. It does caching and lots more.

And finally the user interface. That's all written in Python. It looks kind of funny. Oh no, not here.
Good, only my screen. Management and the installers and a bunch more stuff: OTP support, YubiKey support, SAML integration, and an Android and Apple app to do the OTP, like the Google one, but actually ours works with SHA-256 OTP. So I already mentioned that you can integrate the whole stack, LDAP, Kerberos, DNS, into other things because of the open standards. So just to give you a couple of ideas, an example of what you could do, what customers did, what we did to integrate that: you can store your email information in the LDAP server and use Kerberos for single sign-on; you can have RADIUS for WPA Enterprise for your Wi-Fi so you can have roaming users; VPN for some users; like nowadays even for Kubernetes and OpenShift you sometimes need NFS, you can just Kerberize your NFS; DNSSEC we use internally; and a lot more.

Now, how do you actually install this huge stack? It's a lot: an LDAP server, Kerberos server, DNS server, your public key infrastructure, the KDC, and you have a couple of additional services. Sounds complicated. Well, it's not. So, quick demo setup: I'm using Fedora 25; 26 came out like just two days ago, and I didn't want to update my demo setup now. But I'm using a new version of FreeIPA that's actually not in Fedora but from a Copr, so like a private repo for testing. The Kerberos realm is called IPA.EXAMPLE and the DNS domain is the same, lowercase. All the machines have the same suffix, so it's like name.ipa.example, and they all point to the master DNS server. I have enabled some SELinux flags, and the firewall is open.

Yeah, so installation: these two commands, in about five to seven minutes depending on how fast your machine is, and you have a full running FreeIPA stack. That's enough. Oh, you don't even have to specify all these flags; you can even do it interactively. If you don't give any flags, then it will just ask you a couple of questions, and you have to type in two passwords, and that's it.
Yeah, then you have a full running LDAP server, Kerberos server and CA internally. Of course, you also want to enroll your clients, so you can use all the features on your client machines or on your servers. So to enroll a client you have a similar command: you install a client package and run this command. You don't even have to specify where your server is; in fact you shouldn't do that. If you don't give it the server name, it will just use DNS to find the next server and enroll, and it will automatically fall back to another server if that one is maybe powered off or doesn't work anymore. And that one will even make sure you create home directories on first login, configure your Firefox if you use the web UI, and will also update the DNS record if your machine changes its IP address. It looks like that. I'm not running through that, because we're a bit short of time.

For automatic enrollment, if you don't want to do it manually, you can also create the host beforehand with an OTP, so a one-time enrollment password, and add that one-time enrollment password and the host name to your Kickstart file or a bootstrap file or an image for the machine, and just enroll the machine with that. So you don't even have to type in your admin credentials when you enroll the machine.

So now we have a master, we have a client, and I'd like to have a replica. We want to replicate all the data to another machine, have a backup and a failover. That's easy too. Just announce that the machine is a replica: you add it to the IPA servers host group and run ipa-replica-install. You don't even have to type in a password, and it will set up a failover DNS server, LDAP server, Kerberos server and CA server.

Now the interesting time. I hope it works: demo time. My demos are all prepared, so I don't install the full stack now, because it would take too long. It's all scripted with Ansible.
I will add the URL to the GitHub repo of my Ansible playbook shortly before I upload the slides, so you can do that at home too. And I'm going to show you, okay, interesting, how you can run an Apache service, so a website on Apache, without actually doing any kind of Kerberos and LDAP in your application, but just using Apache to do the heavy lifting for you. So these are mod_auth_gssapi, mod_ssl for SSL encryption, and mod_authnz_pam for authentication and authorization, and two others I'll also explain in a minute.

The setup has a couple of users and groups. So I have three users: an admin user, the default main user; myself; and user Bob. With three different groups: we have the admin group, we have a web admin group to administer the application on the server, and a web users group. Two machines; I don't have a replica here right now because it takes too much power and too much CPU and memory. I have a host group, a servers group and a web servers group, and a couple of HBAC rules, these are host-based access controls, where we can control which user is allowed to log in on which host, with a special user for the web application. I have a sudo rule, so a web admin can actually log into the machine. And I also have role-based access control, that's for roles inside the IPA server, called service admin, so you can delegate FreeIPA permissions to a user or to a group of users. For example, you can give a group of users permission to manage user accounts, but not manage machine accounts or manage services or manage enrollment of hosts.

Okay, so, display settings. Now you should see, yeah, perfect. Okay, my notes. It doesn't want to show me the notes. No, it works. Let me do the commands in the right order. So first of all, let me show you the interface. Now I'm using kinit to get my ticket-granting ticket. Can you see that? Big enough for you? Okay, perfect, thumbs up from the back row. So the krbtgt, that's my ticket-granting ticket for my domain.
I'm logged in as admin, and so to the interface: let's refresh, because I'm now going to use my ticket to actually access the web page. So that's the main interface of the FreeIPA web interface. If you look again, you see we have a ticket for the HTTP service of the master.

Okay, now let's log in as another user, to show you. Am I going to log in? So I'm a web admin, so I have to deploy my application. Just to show you how SSH login works: you see here, it found in DNS the fingerprint of the server; I've never logged in. My machine is not enrolled in the domain I'm working in here; if it were enrolled in the actual FreeIPA domain I would not even see that, it would just automatically approve the keys. So now I'm in.

Okay, we also need sudo, but we already have sudo rules for my user, we have that, so I can log in. But first, see, I delegated my ticket to the other machine too, and now I'm using the command line tools to create the demo service. So we have now a service and it's managed by the machine, so that's the machine.

So now, to deploy the application, I need sudo rights, and what we need for the application: oh, we want to have SSL, so we need to fetch a cert, but I don't have... yeah, I don't have any credentials here, which is actually a good thing, because I don't want to get the cert and the keytab for the service as my own user; I'd rather want the machine to manage them. So I'm going to log in as the machine. So now I'm logged in as the actual machine and run two commands I've prepared, to not make any typos. Now I'm using a tool called ipa-getcert and certmonger to get my certificate for the machine. See, here I store my key, store my cert, I ask for a subject alternative name, the DNS name in ipa.example, the cert is maintained by the service, and every time the cert is downloaded or renewed I want to reload my HTTP server.
This tool also tracks the cert and will do automatic renewal in case your cert runs out. Okay, that's the cert request. We're fine; see, some information from the cert, and that's how I see the cert. The interesting part is: yeah, here's the DNS name, there are a couple of other names that are supported by OpenSSL, that's the service information. Okay, now we have the cert, now we're going to do the first demo step. Ah. Good thing I did that right: we also need a keytab, right? Because every Kerberos service is verified with the keytab. Get keytab. Well, okay, that's easy too: ipa-getkeytab, store it in the file, done. And now I can actually do my first demo step. So I prepared a couple of config files, reload HTTPD, and now let's show it works. Okay, a bit bigger. Well, I'm logged in as my own user.

Okay, but just having the username is a bit boring; we also want to have my complete name, we want to have my email address. Okay, next step: we're going to add a tool called mod_lookup_identity, and that talks directly to SSSD. So SSSD downloads all information from LDAP for me, does the caching, and uses a tool called InfoPipe to add the information to my web request. And now, see, with the new tool you actually see more information about me. So I have a couple of config settings, but we'll just get the information from my user.

Okay, I'm almost out of time, so we're going to speed up a bit. Next thing is: let's try user Bob. User Bob is actually not in the web users group, so he shouldn't be able to access the application. But in fact he can, so we're missing something: the check of the authorization. That's done by the actual PAM module. So let's do the next demo step, and now Bob is no longer allowed to log in. But actually we want to use Bob to log in, so let's go to the front side of it, add user Bob to the web users group.
So we add him to the web users group, save. Okay, works. It takes a couple of seconds to propagate the information, and now user Bob is logged in. So that's how you do it. So you have a very simple PAM service; again, all the examples are in the Ansible playbooks, so you can look up the information. It uses for authentication and account information pam_sss, SSSD, and the web service.

And finally, we also have a way to maintain a certificate. Just to show you, we want to revoke a certificate: just say, well, maybe it has been compromised. That's a fun message: "it has been compromised". Now, since Apache does a bit of caching, and I'd have to show you that in a new window, it's going to take like two, three minutes until Firefox and Apache show it; but in a new window, the direct check, and now you see: certificate has been revoked. But we can use certmonger just to request a new cert, so rekey. That just resubmits a new request to certmonger, it does its magic, reloads Apache, creates a new certificate and a new private key, and try again, and okay, we're in again. So it works again, okay.

So Kerberos is nice, but web applications on mobile phones rather want to use SAML or OpenID Connect. Sure, no problem. We also have that covered with two external tools. These days you probably rather want to use Keycloak, it's the new shiny thing. If you're a Fedora contributor or a GNOME contributor you probably know the Ipsilon project. It's also an OpenID Connect and SAML provider that uses the same features, so SSSD, mod_lookup_identity and Kerberos, to provide SAML assertions and OpenID Connect information, and if you're logged in directly with a Kerberos ticket then you just get a SAML assertion directly. So I can show you that; I have a demo site.
So, Ipsilon server: just log in. I'm now logged in as user Bob, and then go to a site that uses mod_auth_mellon to talk to the Ipsilon IdP using SAML, and you get the same information.

And finally, these days everybody wants containers. Containers are still a bit of an issue, because they behave differently and they're transient, not like persistent machines, but we're going to work on that. I'm currently changing teams; we're building up a new team to try to integrate the whole stack I just showed into OpenShift, Kubernetes and Project Atomic. OpenShift Origin and Project Atomic are from Red Hat; Kubernetes is a joint venture founded by Google for running containers. And we could only look into that.

A quick summary: with FreeIPA you can manage users, groups, machines and service accounts centrally; you can centrally control access control and policies; you can do single sign-on with Kerberos, and with third-party extensions also SAML and OpenID Connect; and you have your own CA internally.

Questions? We have like two minutes, one or two questions.

Audience: Hi, thank you for this. I was wondering about the Hadoop ecosystem that is heavily using Kerberos. Are you guys looking into it with the major Hadoop distributions like Cloudera or Hortonworks or something?

Christian: I didn't get the last bit. Could you speak up a bit, please?

Audience: Yeah, sorry. I was wondering, since the Hadoop distributions use Kerberos heavily, and it's kind of a mess over there, do you know if you guys are working with major Hadoop distributions such as Cloudera or Hortonworks to get FreeIPA in?

Christian: Actually, I don't know anything about Hadoop. I never tried to deploy a Hadoop cluster with FreeIPA, but if they just use Kerberos it should work out of the box, so you can use the same tool set to do all the Kerberos setup. But I would have to ask a couple of co-workers about doing an integration into that.

Audience: Cool, thank you.

Christian: Any more questions? Anyone? Yeah. By the way, I have a couple of stickers here.
I have info material about FreeIPA, SSSD and the commercial part, so IdM from Red Hat, which is the same software just with commercial support, over here. If you want to have some more information, yeah.

Audience: Which is the name of the Apache module for authentication?

Christian: For authentication, that was... okay, sorry, it's a bit slow. It's mod_authnz_pam, that one. It can do both authentication and authorization, and in combination with the other module I didn't show, because we're running a bit out of time, we can also do direct authentication by intercepting a POST request and having a one-time login. But to actually see how the login works, watch the slides by Jan Pazdziora about the Django application, because you actually want to only do the login when you log in the first time; you do not want to get all the information for every request. So for the login route you get all the information, use your Django, Pyramid, Flask, whatever persistent login system, and store the information on the first login in your database, and the next time the user logs in... Thank you. I'm running out of time. If you want to catch me, you can find me by my... not red fedora, because my red fedora is just too hot in the summer, but by what I wear. And grab a sticker or grab some information material you like. Thank you so much.
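Added example (not part of the talk, and not FreeIPA or MIT Kerberos code): a toy model of the ticket flow the speaker describes with the bus analogy. The user proves their password to the authentication server and gets a ticket-granting ticket into a credential cache, trades the TGT at the ticket-granting server for a ticket that is only valid for one service, and the service verifies that ticket with the key from its keytab. The realm IPA.EXAMPLE comes from the demo; the principals alice@IPA.EXAMPLE, HTTP/demo.ipa.example@IPA.EXAMPLE and nfs/files.ipa.example@IPA.EXAMPLE are assumed for illustration, and the "encryption" is an HMAC-SHA256 encrypt-then-MAC stand-in for real Kerberos enctypes, so it shows the protocol logic, not the wire format.

```python
# Toy Kerberos flow (AS -> TGT -> TGS -> service ticket -> keytab check). Added illustration,
# NOT FreeIPA/MIT code; HMAC-SHA256 stands in for real enctypes; all names are assumed.
import hashlib, hmac, json, os

REALM = "IPA.EXAMPLE"                 # realm name used in the talk's demo
TGS = f"krbtgt/{REALM}@{REALM}"       # principal of the ticket-granting service
SKEW = 300                            # allowed clock skew in seconds
LIFETIME = 10 * 3600                  # "a couple of hours, half a day"

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password, salted with the principal (toy string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce, pt = os.urandom(16), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag under the given key, then decrypt. Wrong key or tampering => PermissionError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

def _check_authenticator(session_key_hex: str, authenticator: bytes, client: str, now: float):
    """The authenticator proves the presenter holds the session key inside the ticket."""
    auth = unseal(bytes.fromhex(session_key_hex), authenticator)
    if auth["client"] != client or abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")

class KDC:
    """Authentication server and ticket-granting server over one principal database."""
    def __init__(self):
        self.db = {TGS: os.urandom(32)}          # long-term keys by principal
    def add_user(self, principal: str, password: str):
        self.db[principal] = string_to_key(password, principal)
    def add_service(self, principal: str) -> bytes:
        self.db[principal] = os.urandom(32)      # random key; the host keeps it in its keytab
        return self.db[principal]
    def as_req(self, client: str, preauth: bytes, now: float):
        """AS exchange: a timestamp sealed under the client's key proves the password."""
        if abs(now - unseal(self.db[client], preauth)["ts"]) > SKEW:
            raise PermissionError("pre-authentication timestamp outside clock skew")
        session, exp = os.urandom(32).hex(), now + LIFETIME
        tgt = seal(self.db[TGS], {"client": client, "key": session, "exp": exp})
        return tgt, seal(self.db[client], {"key": session, "exp": exp})
    def tgs_req(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS exchange: trade a valid TGT for a ticket usable only at one service."""
        t = unseal(self.db[TGS], tgt)              # only the KDC can open a TGT
        if now > t["exp"]:
            raise PermissionError("TGT expired; kinit again")
        _check_authenticator(t["key"], authenticator, t["client"], now)
        svc_key, exp = os.urandom(32).hex(), min(t["exp"], now + LIFETIME)
        ticket = seal(self.db[service], {"client": t["client"], "service": service, "key": svc_key, "exp": exp})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "exp": exp})

class Client:
    """A user with a credential cache ('the wallet')."""
    def __init__(self, principal: str, password: str):
        self.principal, self.key = principal, string_to_key(password, principal)
        self.ccache = {}
    def kinit(self, kdc: KDC, now: float):
        tgt, enc = kdc.as_req(self.principal, seal(self.key, {"ts": now}), now)
        self.ccache[TGS] = (tgt, unseal(self.key, enc)["key"])   # TGT + its session key
    def get_service_ticket(self, kdc: KDC, service: str, now: float):
        tgt, session = self.ccache[TGS]
        authenticator = seal(bytes.fromhex(session), {"client": self.principal, "ts": now})
        ticket, enc = kdc.tgs_req(tgt, authenticator, service, now)
        svc_key = unseal(bytes.fromhex(session), enc)["key"]
        self.ccache[service] = (ticket, svc_key)
        return ticket, seal(bytes.fromhex(svc_key), {"client": self.principal, "ts": now})

def service_accept(keytab_key: bytes, service: str, ticket: bytes, authenticator: bytes, now: float) -> str:
    """The 'bus driver': open the ticket with the keytab key and return the verified client."""
    t = unseal(keytab_key, ticket)                # wrong keytab => PermissionError
    if t["service"] != service or now > t["exp"]:
        raise PermissionError("ticket is for another service or has expired")
    _check_authenticator(t["key"], authenticator, t["client"], now)
    return t["client"]
```

The properties worth checking against such a model are the ones the talk relies on: a wrong password fails at the authentication server before any ticket exists, a ticket minted for the HTTP service does not verify under the NFS service's keytab key, an expired ticket is refused no matter who presents it, and a single flipped byte in a ticket is caught by the MAC. In the real deployment the keytab key is what ipa-getkeytab fetched for the service in the demo, and mod_auth_gssapi performs the service_accept step inside Apache.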