RHDS Vs IDM


Use Case Comparison: Red Hat Directory Server vs Identity Management in RHEL

Juan Carlos Sugajara
TME Senior Solutions Architect

CONFIDENTIAL Designator

The Identity Suite

The Three Pillars of Identity
Identity and Access Management
● Red Hat Certificate System
● Identity Management on RHEL
● Red Hat Directory Server

Our Vision:

Red Hat Identity Products (RHCS, RHDS and IdM) will provide a consistent authentication experience across all of the RH platforms (OCP, OSP, RHV, Ansible Tower, Satellite, RHEL).

When integrated with RH SSO (Keycloak), they will provide stable and consistent user authentication and access management in all RH environments.

We are portfolio enhancers and completers, striving to create a unified feel to authentication and identity for Red Hat’s Portfolio of Products.
Identity Management in RHEL (IdM)

Introducing IdM (FreeIPA)

● IdM – Identity Management in Red Hat Enterprise Linux
● Based on FreeIPA open source technology
● IPA stands for Identity, Policy, Audit
  ○ Focused on identities and related policies
  ○ A separate project is ongoing in the audit space
● Built into the operating system - comes with the RHEL subscription
Problems that IdM Solves

● Central management of authentication and identities for Linux clients
  ○ Improvement over standalone LDAP/Kerberos/NIS based solutions
  ○ Simplifies management of infrastructure
● Gateway between Red Hat Enterprise Linux and Active Directory
  ○ Supports Active Directory forest trusts (recommended)
  ○ User and password synchronization (not recommended)
FreeIPA/IdM High Level Architecture

Components shown in the architecture diagram:
● MIT Kerberos (KDC)
● Dogtag (PKI)
● 389 DS (LDAP)
● Bind (DNS)
● Linux/UNIX
● CLI/UI
● Admin

https://access.redhat.com/articles/1586893
Red Hat Directory Server

Introducing Red Hat Directory Server
● LDAPv3 compliant directory server
● Red Hat distributed and supported version of the 389 DS project
  ○ Identity Management uses 389 DS as its foundation
● Flexible and extensible
  ○ Schema and DIT can be extended at customer discretion
● High performance
  ○ Scales to globally distributed deployments
● Reliable and robust
● Offered as a standalone product
Problems that Directory Server Solves
Need for:
● General purpose replicated identity storage
● A reliable store for user accounts and other related data as the back end of a business application
● High volume of read and authentication operations
● Custom design of objects and data
● Distributed and complex topologies with replication
  ○ Allows read-only replicas and replication policy
● Near drop-in replacement for existing costly 3rd-party LDAP solutions
Use Cases

Use cases for IdM

Best fit:
● Manage user population inside the enterprise
● Manage Linux/UNIX systems, policies and access
● Integrate with Active Directory
● As a replacement for existing LDAP solutions used for internal identities

Can be used:
● As a back end for external facing applications (but not generally recommended)
● As a replacement for existing LDAP solutions used for external identities

Not a good fit when:
● A highly customizable back end is required
● Huge amount of data (hundreds of thousands of entries)
Why is it not recommended outside best fit cases?

● It is better to have different policies for internal and external users, so it is better to store them in different places and federate using an IdP like Red Hat SSO
● IdM is focused on a specific set of attributes and objects tilted towards the inside-the-enterprise use case; an application might require completely new objects and attributes, and high levels of customisation are not supported with IdM
● IdM can scale to tens of thousands of users but is not yet good at handling hundreds of thousands or millions
● IdM does not support read-only replicas
Use Cases for RHDS

● Best fit:
  ○ Back end for externally facing applications (usually a large volume of data)
  ○ Cases where a lot of customization is required
  ○ A drop-in replacement for an existing LDAP solution - quick win
● Can be used:
  ○ To manage identities inside the enterprise (LDAP-only)
● Not a good fit:
  ○ When systems, policy, certificate and key management inside the enterprise is needed
Why is it not recommended outside best fit cases?

● It would take too much effort to adapt RHDS to manage internal identities and related policies; the customer would have to do a lot of integration work that is already done in IdM
● Directory Server does not provide any systems, policy, certificate or key management capabilities for the inside-the-enterprise use case
● Active Directory integration is very basic
Comparison

Area           | Red Hat Directory Server                                  | IdM in RHEL
---------------|-----------------------------------------------------------|------------------------------------------------
Use            | General purpose LDAP server                               | Domain controller for Linux/UNIX
Extensibility  | Highly customizable                                       | Preconfigured data and object model
Interfaces     | LDAP, command line tools, admin console                   | Rich CLI, JSON RPC API, Web UI
Schema & tree  | LDAPv3 compliant, tree design up to deployment            | Optimized for domain controller use case
Authentication | LDAP                                                      | LDAP, Kerberos with SSO, certificate based
AD integration | User synchronization                                      | Advanced integration via cross forest trusts
Replication    | Up to 20 masters + unlimited read-only replicas and hubs  | Up to 60 active masters
Scalability    | Scales well beyond 100K objects                           | Has limitations beyond 100K objects

Conclusion

Summary

● Use IdM for the internal namespace - this is an identity management solution for users and systems inside the enterprise
● Use RHDS as a “general purpose” directory server that allows a large amount of customization and fits very well as a back end for external facing business applications or as a drop-in replacement for existing costly 3rd-party LDAP solutions
Thank you