
Red Hat IDM & Microsoft AD Integration

6/6/2020 2:00 AM Version: 1.0


Contents
1. Assumptions
2. Prepare the IDM server prerequisites
3. Common Tasks for Primary and Secondary IDM servers
4. Primary IDM Server Installation
5. Secondary IDM Server Installation
6. Red Hat IDM & Microsoft AD Integration
   A) DNS Forwarding
      1) Active Directory Side - for each IDM server, add a similar entry per server
      2) IDM Side - for each AD server, add a similar entry per server
   B) Verification
      1) AD Side
      2) IDM Side
   C) Establish Trust Relationship
      1) Establish Trust on IDM Side
      2) Verification
      3) Allow Access for Active Directory User Groups
7. References



1. Assumptions
- This guide provides quick, verified instructions for building new Red Hat IDM servers and
integrating them with Microsoft Active Directory.
- This guide assumes that Microsoft Active Directory is already up and running.
- This guide establishes a one-way trust (IDM trusts AD, not the reverse) rather than a two-way
trust, so Active Directory remains the single trusted source of authentication for all users:
AD users can log in to IDM-managed Linux hosts, while IDM users gain no access to AD resources.
- Intended readers: experienced system engineers/administrators with RHCE-level knowledge or
higher and a good background in Microsoft Active Directory.
- This guide does not cover OS installation or basic tasks such as setting IP addresses or
hostnames.
- This guide has been tested and proven to work as is on RHEL 8.2. It comes with no warranty
from the author that it will work in your environment; you may need to adjust network settings,
such as firewall rules, to ensure reachability between the Red Hat IDM servers and the
Microsoft Active Directory servers. Use it at your own risk.
- The terms IDM and IPA are used interchangeably to refer to the Red Hat Identity Management
solution. IPA is the name of the upstream open source project, FreeIPA.
- Microsoft Active Directory is referred to as AD in this guide.
- To submit a bug report or suggest an enhancement, email me at: mharbi@redhat.com

2. Prepare the IDM server prerequisites

- Set static IP addresses.
- Configure fully qualified hostnames.
- Configure static entries in /etc/hosts for the IDM servers.
- Install the necessary packages on the IDM and AD servers.
- Configure firewall rules to allow remote access where necessary.

3. Common Tasks for Primary and Secondary IDM servers


#yum -y update && yum -y module install idm:DL1 && yum -y install ipa-server ipa-server-dns ipa-server-trust-ad.x86_64 bash-completion net-tools vim
#firewall-cmd --add-service={freeipa-4,dns,ntp}
#firewall-cmd --add-service=freeipa-replication
#firewall-cmd --runtime-to-permanent

4. Primary IDM Server Installation


#ipa-server-install --setup-kra --setup-dns --mkhomedir --reverse-zone=44.10.in-addr.arpa --allow-zone-overlap

5. Secondary IDM Server Installation


#ipa-client-install



#kinit admin
#ipa-replica-install --setup-ca --setup-kra --setup-dns --mkhomedir --allow-zone-overlap --reverse-zone=44.10.in-addr.arpa --forwarder=8.8.8.8

6. Red Hat IDM & Microsoft AD Integration

A) DNS Forwarding

1) Active Directory Side - for each IDM server, add a similar entry per server
//Method 1 - Add an A record for the IDM server in the AD zone and delegate the
//linux.example.com subdomain to it with an NS record. Run on an AD DNS server and
//replace X.X.X.X with the IDM server's IP address:

C:\>dnscmd 127.0.0.1 /RecordAdd example.com idm-01.linux A X.X.X.X
C:\>dnscmd 127.0.0.1 /RecordAdd example.com linux NS idm-01.linux.example.com
C:\>dnscmd 127.0.0.1 /ClearCache
//Restart the Windows DNS Server service from the DNS Manager console.

//Method 2 - Create a conditional forwarder for the IDM zone instead of a delegation.
//Replace X.X.X.X with the IDM server's IP address (list every IDM server's address):

C:\>dnscmd 127.0.0.1 /ZoneAdd linux.example.com /Forwarder X.X.X.X

2) IDM Side - for each AD server, add a similar entry per server

//Forward the AD domain to the AD DNS servers. Replace Y.Y.Y.Y with an AD DNS server's
//IP address and repeat --forwarder for each AD server:

#ipa dnsforwardzone-add example.com --forwarder=Y.Y.Y.Y --forward-policy=only --skip-overlap-check

//AD DNS zones are not DNSSEC-signed by default, so turn off DNSSEC validation on the IDM
//servers or BIND may reject the forwarded answers. Note that this setting is global: it
//disables validation for everything the IDM resolver answers, not only the AD zone.
//Edit /etc/named.conf and set:

#vim /etc/named.conf
    dnssec-validation no;

//Restart DNS on IDM:

#systemctl restart named-pkcs11.service

B) Verification
1) AD Side



C:\>nslookup
> set type=srv
> _ldap._tcp.example.com
> _ldap._tcp.linux.example.com
> exit

2) IDM Side

#dig SRV _ldap._tcp.linux.example.com
#dig SRV _ldap._tcp.example.com
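The nslookup and dig checks above are run by hand. The following script, added here as an example and not part of the original guide, automates the IDM-side verification of the forwarding configured in section A: it confirms that the AD domain's LDAP SRV record resolves through the forward zone, that this IDM server is itself an SRV target for its own zone, and that dnssec-validation has actually been set to no. The zone names linux.example.com and example.com, the IPA_DOMAIN/AD_DOMAIN variables and the RUN_DNS_CHECKS switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide). Verifies the DNS forwarding set up in
# section 6.A from an IDM server. Assumed names: IDM zone linux.example.com, AD domain
# example.com; override with IPA_DOMAIN / AD_DOMAIN. Set RUN_DNS_CHECKS=1 to run the
# live checks (they need dig and /etc/named.conf on the IDM server).

IPA_DOMAIN="${IPA_DOMAIN:-linux.example.com}"
AD_DOMAIN="${AD_DOMAIN:-example.com}"

# Read `dig +short SRV` output on stdin (lines like "0 100 389 idm-01.linux.example.com.")
# and print the target host names, lower-cased and without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }'
}

# Succeed when the host given as $1 is one of the SRV targets read from stdin.
srv_has_target() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    srv_targets | grep -Fqx "$expected"
}

# Print the value of dnssec-validation in the named.conf given as $1, or "unset" when the
# option is absent (BIND then validates by default).
dnssec_validation_setting() {
    val=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]][[:space:]]*\([a-z]*\);.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

run_checks() {
    rc=0
    ipa_host=$(hostname -f | tr 'A-Z' 'a-z')

    # 1. The AD domain's LDAP SRV record must resolve through the forward zone added
    #    with `ipa dnsforwardzone-add`.
    if dig +short SRV "_ldap._tcp.${AD_DOMAIN}" | srv_targets | grep -q .; then
        echo "OK   _ldap._tcp.${AD_DOMAIN} resolves via the AD forwarders"
    else
        echo "FAIL _ldap._tcp.${AD_DOMAIN} did not resolve; check: ipa dnsforwardzone-show ${AD_DOMAIN}"
        rc=1
    fi

    # 2. This server must be an LDAP SRV target of the IDM zone it serves.
    if dig +short SRV "_ldap._tcp.${IPA_DOMAIN}" | srv_has_target "$ipa_host"; then
        echo "OK   ${ipa_host} is an LDAP SRV target for ${IPA_DOMAIN}"
    else
        echo "FAIL ${ipa_host} is missing from _ldap._tcp.${IPA_DOMAIN}"
        rc=1
    fi

    # 3. Unsigned answers from AD may be rejected while validation is on (section 6.A.2).
    setting=$(dnssec_validation_setting /etc/named.conf)
    if [ "$setting" != "no" ]; then
        echo "WARN dnssec-validation is '${setting}' in /etc/named.conf; forwarded AD answers may be rejected"
    fi
    return "$rc"
}

if [ "${RUN_DNS_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Run it as `RUN_DNS_CHECKS=1 sh check-dns.sh` on each IDM server after restarting named; a FAIL on the first check almost always means the forward zone or the AD firewall, a FAIL on the second means the IDM zone itself is not being served by this host.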

C) Establish Trust Relationship

1) Establish Trust on IDM Side


// Make sure the ipa-server-trust-ad package is installed and the firewall allows the trust
// traffic (the firewalld service freeipa-trust covers the SMB and RPC ports the trust needs;
// the rules in section 3 do not open them), then run the following commands. ipa trust-add
// creates a one-way trust by default, which is what this guide wants, and prompts for the
// password of the AD account given with --admin:

#ipa-adtrust-install
#ipa trust-add --type=ad example.com --admin administrator

2) Verification
#ipa trustdomain-find example.com
#ipa trust-fetch-domains "example.com"
//Kerberos realm names are upper-case; obtaining a ticket as an AD user proves the trust works:
#kinit administrator@EXAMPLE.COM
//Optional: set the default login shell in the IDM configuration:
#ipa config-mod --defaultshell=/bin/bash

3) Allow Access for Active Directory User Groups


// Mapping is done in two steps:

a) Add users and groups from the AD trusted domain to an external group in IDM. The
external group is a container that references trusted-domain users and groups by their
security identifiers (SIDs); it has no GID of its own.
//Create an external group in IDM for the trusted domain's admins:

#ipa group-add --desc='Linux Admins' linux_admins_external --external

//Add the trusted domain group to the external group. When prompted for member user and
//member group, leave both blank and press Enter:



#ipa group-add-member linux_admins_external --external 'EXAMPLE.COM\Domain Admins'

b) Map the external group to a POSIX group in IDM. The POSIX group carries the group ID
(GID) that becomes the default group of every trusted-domain user mapped through it, and it
is the object to reference in HBAC and sudo rules.
//Create the POSIX group for the linux_admins_external group:

#ipa group-add --desc='Linux Admins' linux_admins

//Make linux_admins_external a member of the linux_admins POSIX group so its AD members
//inherit the GID:

#ipa group-add-member linux_admins --groups linux_admins_external

c) Verification
//Try to log in with an AD account. Note that group membership alone does not restrict
//access: IDM's default allow_all HBAC rule admits every trusted user to every IDM host
//until you replace it with rules that name the POSIX group.

#su - EXAMPLE.COM\\administrator
#getent passwd administrator@example.com
#ssh 10.44.129.132 -l administrator@example.com
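Steps a) to c) above are typed by hand for a single group. The following script, added as an example and not part of the original guide, wraps them in one idempotent function and adds the HBAC rule the procedure leaves implicit, so that the mapped group, rather than allow_all, decides who may log in. The naming scheme (ad_<group>, ad_<group>_external, allow_ad_<group>), the DRY_RUN switch that prints the ipa commands instead of executing them, and the host group linux_servers are assumptions of this example; the host group must already exist in IDM and you need an IDM admin ticket.

```shell
#!/bin/sh
# Added example (not from the original guide). Maps an AD group to an IDM POSIX group
# and an HBAC rule in one call. Assumptions: you hold an IDM admin ticket (kinit admin),
# the host group passed as $2 already exists, and the naming scheme below is acceptable.
# Set DRY_RUN=1 to print the ipa commands instead of executing them.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Derive a POSIX group name from an AD group written as 'DOMAIN\Group Name': drop the
# domain prefix, lower-case, replace anything outside [a-z0-9] with '_', prefix 'ad_'.
# 'EXAMPLE.COM\Domain Admins' -> ad_domain_admins
ad_group_to_posix_name() {
    printf '%s' "$1" | sed 's/^.*\\//' | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/_/g; s/^/ad_/'
}

# True when the IDM group $1 exists. In dry-run mode nothing is assumed to exist yet.
group_exists() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 1
    fi
    ipa group-show "$1" >/dev/null 2>&1
}

# map_ad_group 'DOMAIN\Group' HOSTGROUP
map_ad_group() {
    ad_group=$1
    hostgroup=$2
    posix=$(ad_group_to_posix_name "$ad_group")
    ext="${posix}_external"
    rule="allow_${posix}"

    # a) external group: holds the AD group's SID and carries no GID of its own.
    #    `ipa -n` suppresses the member user/member group prompts the guide says to skip.
    group_exists "$ext" || run ipa group-add --external --desc="AD group $ad_group" "$ext"
    run ipa -n group-add-member "$ext" --external "$ad_group"

    # b) POSIX group: provides the GID and is what HBAC and sudo rules reference.
    group_exists "$posix" || run ipa group-add --desc="POSIX group for $ad_group" "$posix"
    run ipa group-add-member "$posix" --groups "$ext"

    # c) HBAC rule: this group only, on the given host group, for every PAM service.
    #    Once your rules are in place, disable the default one: ipa hbacrule-disable allow_all
    run ipa hbacrule-add "$rule" --desc="Allow $ad_group on $hostgroup"
    run ipa hbacrule-add-user "$rule" --groups "$posix"
    run ipa hbacrule-add-host "$rule" --hostgroups "$hostgroup"
    run ipa hbacrule-mod "$rule" --servicecat=all
}

# Example invocation (constructed): MAP_AD_GROUP='EXAMPLE.COM\Domain Admins' sh map-ad-group.sh
if [ -n "${MAP_AD_GROUP:-}" ]; then
    map_ad_group "$MAP_AD_GROUP" "${HBAC_HOSTGROUP:-linux_servers}"
fi
```

Run it once with DRY_RUN=1 to review the eight ipa commands it will issue, then without it. Re-running against an already mapped group skips the group creation; ipa reports the repeated group-add-member calls as "Number of members added 0", which is harmless.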

7. References
Red Hat Identity Management Documentation: https://access.redhat.com/articles/1586893

Integrating RHEL systems directly with Windows Active Directory:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index

