Red Hat Identity Manager: Part 1 - Overview and Getting started

April 29, 2016
Brian Atkisson
Related topics:
Security
Related products:
Red Hat Single sign-on


    Red Hat Identity Manager (IdM) is designed to provide an integrated identity management service for a wide range of clients, including Linux, Mac, and even Windows. At its core, IdM combines LDAP, Kerberos, DNS, and PKI with a rich management framework. IdM is frequently described as "Active Directory for Linux", although, to be fair, Active Directory is really just a management framework around LDAP, Kerberos, DNS and PKI, all of which were well established in the Unix community long before Active Directory existed. In any case, the primary use for IdM is to provide these identity services to Linux clients using these well-established, open protocols.

    This article will provide an overview of Red Hat Identity Manager, and demonstrate how to get started with IdM quickly.

    Technical Overview

    IdM is built upon Red Hat Directory Server and takes advantage of Directory Server's mature multi-master replication, which supports up to 20 LDAP masters (both read and write). MIT Kerberos and ISC BIND sit on top of Directory Server, using LDAP as their back-end data store, so LDAP replication also takes care of replicating Kerberos and DNS changes between IdM servers.

    For those of you who have managed MIT Kerberos propagation and BIND configuration and zone transfers, you'll appreciate the simplicity of using LDAP replication rather than maintaining a distinct replication system for each service.

    Finally, Red Hat Certificate System is also included in IdM, providing full PKI services. IdM's PKI system can operate either as a root certificate authority or as an intermediate authority, integrating with existing trust models.

    Getting started

    Part of the beauty of this software, aside from it being 100% open source, is the simplicity of installation and maintenance.  It is very easy to get a highly available, enterprise-level deployment up and running. If you are a Red Hat Enterprise Linux (RHEL) customer, you already have everything you need to start using it - there is no additional subscription required.

    Both the server and the client installer are also available in Fedora, if you want to check out the latest code. It is quite common to host the IdM servers on RHEL while developer machines run Fedora. The upstream project is called FreeIPA, so you'll see the packages called freeipa-* in Fedora. (Editor's note: RHEL is now available for developer use. You may download it by signing up with Red Hat Developers.)

    To install on RHEL, simply execute:

    yum install ipa-server bind-dyndb-ldap
    ipa-server-install --setup-dns --forwarder=<dns_server1> --forwarder=<dns_server2>

    Take a look at ipa-server-install --help for full details. Once installed, log in to https://<ipa_server_fqdn>. You'll also want to trust the new CA certificate, which is located on the IdM server at /etc/ipa/ca.crt.

    Of course, nobody wants just one IdM server. The next step is to create a replica, which is a full read/write copy of the first installation. Take a look at the product docs for full details, but creating the replica is easy as well:

    [root@firstserver ~]# ipa-replica-prepare --ip-address <replicas_ip> <replica_fqdn>
    [root@replica ~]# ipa-replica-install --setup-ca --ip-address=<ipaddr> --setup-dns --forwarder=<dns_server1> --forwarder=<dns_server2> /root/replica-info-<replica_fqdn>.gpg
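    The two installers above are unforgiving about bad arguments and about the host they run on, so a quick pre-flight pass saves a failed install. The helper below is an added example, not part of IdM, FreeIPA or this article: it validates forwarders and FQDNs, assembles the command lines from the templates above, and checks that the local hostname is fully qualified and does not resolve to loopback (a condition ipa-server-install enforces); the function names are assumptions.

```sh
# Assumed pre-flight helper, not part of IdM/FreeIPA or this article: it checks
# installer arguments and the host, and assembles the command lines shown above.
# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s' "$1" | tr . ' '); do [ "$octet" -le 255 ] || return 1; done
}

# Return 0 if $1 has two or more DNS labels, none starting or ending with '-'.
is_fqdn() {
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Print " --forwarder=IP" for each argument; fail on anything that is not IPv4.
forwarder_args() {
  for fwd in "$@"; do
    is_ipv4 "$fwd" || { echo "bad forwarder: $fwd" >&2; return 1; }
    printf ' --forwarder=%s' "$fwd"
  done
}

# ipa-server-install line from the template above; arguments are DNS forwarders.
build_install_cmd() {
  fwds=$(forwarder_args "$@") || return 1
  printf 'ipa-server-install --setup-dns%s\n' "$fwds"
}

# ipa-replica-install line from the template above: <replica_fqdn> <replica_ip> <forwarder>...
build_replica_cmd() {
  fqdn=$1; ip=$2; shift 2
  is_fqdn "$fqdn" || { echo "bad replica FQDN: $fqdn" >&2; return 1; }
  is_ipv4 "$ip" || { echo "bad replica IP: $ip" >&2; return 1; }
  fwds=$(forwarder_args "$@") || return 1
  printf 'ipa-replica-install --setup-ca --ip-address=%s --setup-dns%s /root/replica-info-%s.gpg\n' \
    "$ip" "$fwds" "$fqdn"
}

# ipa-server-install refuses a hostname that is not an FQDN or that resolves to
# loopback, so check that first (uses hostname and getent on the local host).
preflight_host() {
  host=$(hostname -f 2>/dev/null) || return 1
  is_fqdn "$host" || { echo "hostname '$host' is not an FQDN" >&2; return 1; }
  addr=$(getent hosts "$host" | awk '{print $1; exit}')
  case $addr in
    ""|127.*|::1) echo "'$host' resolves to '$addr', not a usable address" >&2; return 1 ;;
  esac
  printf '%s -> %s\n' "$host" "$addr"
}
```

Source the file and run preflight_host on the future server before pasting the output of build_install_cmd or build_replica_cmd into a root shell.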

    Behold! You now have a highly available identity management system offering all the services that would normally take weeks to build separately. These services are secured by default using the strongest standards currently available for enterprise markets. For example, IdM fully supports one-time passwords and DNSSEC.

    Additional integrations

    Unless you have a complete greenfield infrastructure, you'll probably want to integrate IdM with your existing environment. IdM gives you mechanisms to:

    • Have an external certificate authority sign the IdM CA certificate
    • Import LDAP users
    • Setup a trust relationship with Active Directory

    These are well covered in the IdM documentation. Where things get interesting is the non-standard integration that you can perform:

    • Cross-realm trust with an existing Kerberos realm
    • Replicating the IdM data store to existing RHDS nodes
    • Configuring IdM servers to provide a highly available DHCP service, backed by the replicated IdM data store

    These lesser-known features and hacks will be the subject of future articles. There are a ton of great resources on IdM out there; hopefully this article has given you a quick start to begin playing:

    Additional Resources:

    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index

    Upstream design docs:
    https://www.freeipa.org/page/Main_Page

    Last updated: October 30, 2023
