https://access.redhat.com/solutions/3816971
SOLUTION VERIFIED - Updated April 1, 2019 16:39 -
Environment
- Red Hat Enterprise Linux 8
Issue
- The openldap-servers package was removed in RHEL8.
- What should I use instead, Red Hat Directory Server or Identity Management?
- How should I migrate my LDAP servers from RHEL7 to RHEL8?
Resolution
Overview
The openldap-servers package was removed in Red Hat Enterprise Linux 8. The openldap-clients package is still shipped.
If you use openldap-servers in Red Hat Enterprise Linux 7 (RHEL7), you need to consider changing your LDAP server from OpenLDAP to Red Hat Directory Server (RHDS) in Red Hat Enterprise Linux 8 (RHEL8).
RHDS is provided as an add-on subscription in RHEL8, so you need to buy that subscription in addition to your RHEL subscription.
However, if you use your LDAP server as a back-end database for identity management, such as user management, you might be able to use Identity Management (IdM), which is included in Red Hat Enterprise Linux, without buying RHDS.
What is Red Hat Directory Server?
Product Outline
- LDAPv3 compliant directory server
- Red Hat distributed and supported version of the 389 DS project
  - Identity Management uses 389 DS as its foundation
- Flexible and extensible
  - Schema and DIT can be extended at customer discretion
- High performance
  - Scales to globally distributed deployments
- Reliable and robust
- Offered as a stand-alone product
Solving Problems
- General purpose replicated identity storage
- A reliable storage for user accounts and other related data as a back end of a business application
- High volume of read and authentication operations
- Custom design of objects and data
- Distributed and complex topologies with replication
  - Allows read-only replicas and replication policy
- Drop-in replacement for existing costly 3rd-party LDAP solutions
Use Cases
- Best fit
  - Back end for externally facing applications (usually large volume of data)
  - Cases where a lot of customisation is required
- Can be used
  - To manage identities inside the enterprise (but not recommended)
- Not a good fit
  - Systems, policies, certificate and key management inside the enterprise
Why is it not recommended outside best fit cases?
- It would take too much effort to adapt RHDS to manage internal identities and related policies; the customer would have to do a lot of integration work that is already done in IdM
- Directory Server does not provide any systems, policies, certificate or key management capabilities for the inside-the-enterprise use case
- Active Directory integration is very basic
What is Identity Management?
Product Outline
- IdM – Identity Management in Red Hat Enterprise Linux
- Based on FreeIPA open source technology
- IPA stands for Identity, Policy, Audit
  - Focused on identities and related policies
  - A separate project is ongoing in the audit space
- Built into the operating system; comes with the RHEL subscription
Solving Problems
- Central management of authentication and identities for Linux clients
  - Improvement over standalone LDAP/Kerberos/NIS based solutions
  - Simplifies management of infrastructure
- Gateway between Red Hat Enterprise Linux and Active Directory
  - Supports Active Directory forest trusts (recommended)
  - User and password synchronization (not recommended)
Use Cases
- Best fit
  - Manage the user population inside the enterprise
  - Manage Linux/UNIX systems, policies and access
  - Integrate with Active Directory
  - As a replacement for existing LDAP solutions used for internal identities
- Can be used
  - As a back end for external-facing applications (but not generally recommended)
  - As a replacement for existing LDAP solutions used for external identities
- Not a good fit (yet)
  - A highly customizable back end is required
  - Huge amount of data (hundreds of thousands of entries)
Why is it not recommended outside best fit cases?
- It is better to have different policies for internal and external users, so it is better to store them in different places and federate them using an IdP like Red Hat SSO
- IdM is focused on a specific set of attributes and objects tilted towards the inside-the-enterprise use case; an application might require completely new objects and attributes, and high levels of customisation are not supported with IdM
- IdM can scale to tens of thousands of users; it is not yet good at handling hundreds of thousands or millions
- IdM does not support read-only replicas
Comparison
Area | Red Hat Directory Server | Identity Management |
---|---|---|
Use | General purpose LDAP server | Domain controller for Linux/UNIX |
Extensibility | Highly customizable | Preconfigured data and object model |
Interfaces | LDAP, command line tools, admin console | Rich CLI, JSON RPC API, Web UI |
Schema & tree | LDAPv3 compliant, tree design up to deployment | Optimized for domain controller use case |
Authentication | LDAP | LDAP, Kerberos with SSO, Certificate based |
AD integration | User synchronization | Advanced integration via cross forest trusts |
Replication | Up to 20 masters + unlimited read only replicas and hubs | Up to 60 active masters |
Scalability | Scales well beyond 100K objects | Has limitations beyond 100K objects |