3.10 Identity Management

Oracle Linux 8 introduces several major identity management features and enhancements, including a major change to how the packages that are necessary for installing an Identity Management (IdM) server and client are distributed. The following are details of this and other noteworthy identity management changes:

  • IdM packages now distributed as a module.  Starting with Oracle Linux 8, the packages that are necessary to install an IdM (Identity Management) server and client are distributed as a module. The client stream is the default stream for the idm module. Note that you can download the packages that are necessary to install the client without enabling the stream.

    The IdM server module stream is called the DL1 stream and it contains multiple profiles that correspond to the following different types of IdM servers: server, dns, adtrust, client, and default.

    To download the packages to a specific profile of the DL1 stream, do the following:

    1. Enable the stream.

    2. Switch to using the RPMs that are delivered through the stream.

    3. Run the following command:

      # yum module install idm:DL1/profile-name

  • Directory Server enhancements.  This release includes the following Directory Server enhancements:

    • New password syntax checks: This enhancement for Directory Server enables dictionary checks and allows or denies the use of character sequences and palindromes. The password policy syntax check employed by Directory Server enforces more secure passwords when it is enabled.

    • Improved internal operations logging support: Directory Server now logs the real connection and operation ID, thereby enabling you to trace the internal operation to the server or client operation that caused the operation. Previously, the server only logged the Internal connection keyword for internal operations. Also, the operation ID was always set to -1.

  • Enterprise Security Client uses the opensc library for token detection.  The Enterprise Security Client (ESC) now uses the opensc library for token detection instead of the coolkey library, which has been removed. This change causes applications to correctly detect supported tokens.

  • Certificate System supports log rotation.  Certificate System now uses the java.util.logging framework, which supports log rotation. As a result of this change, you can now configure log rotation in the /var/lib/pki/instance-name/conf/logging.properties file, instead of using the previous logging framework method that did not support log rotation.

    See the documentation for the java.util.logging package for more details.

  • Local user and group resolution cached by SSSD and served through the nss_sss module.  The resolution of local users and groups is faster in Oracle Linux 8. Note that the root user is never handled by the System Security Services Daemon (SSSD). As such, root resolution cannot be affected by a potential bug in SSSD. Also, if SSSD is not running, the nss_sss module falls back to nss_files. Note that you do not have to configure SSSD because the files domain is automatically added.

  • KCM replaces KEYRING.  In Oracle Linux 8, the default credential cache storage is the Kerberos Credential Manager (KCM), which is backed by the sssd-kcm daemon. This enhancement provides better support for containerized environments and is the basis for adding more features in subsequent releases. KCM overcomes the limitations of KEYRING, which is difficult to use in containerized environments because it is not namespaced and therefore cannot be used to view and manage quotas.

  • Support for administering identity management with Active Directory added.  In this release, you can add a user ID override for an Active Directory (AD) user as a member of an Identity Management (IdM) group. This change enables the IdM LDAP server to apply access control rules to the AD user for the IdM group.

    In addition, an AD administrator can now fully administer IdM without having two separate accounts. AD users can also use self-service features of the IdM user interface (UI), such as uploading SSH keys and changing personal data. However, note that some IdM features still might not be available to AD users.

  • Support for printing an HBAC rules report for an IdM domain by using sssctl added.  In Oracle Linux 8, you can use the SSSD sssctl command to print an access control report for an IdM domain. This enhancement enables you, in environments where regulations require it, to view the list of users and groups that can access a specific client system. Running the sssctl access-report domain-name command on an IdM client prints the parsed subset of the host-based access control (HBAC) rules in the IdM domain that applies to the client's system.

  • Support for session recording solution added.  Oracle Linux 8 provides a session recording solution. The new tlog package and its associated Cockpit session player enable you to record and play back user terminal sessions. The recording can then be configured per user or per user group by using the SSSD service. All terminal input and output is captured and stored in text-based format in a system journal. For security reasons, recording of input is disabled by default.

    You can also use the recording solution to audit user sessions on security-sensitive systems. You can review and analyze the recorded sessions in the event of a security breach. In addition, you can configure session recording locally and then view the result from either the Cockpit web-based interface or by using the tlog-play command.

  • authselect command replaces authconfig command.  In this release, the authselect command replaces the authconfig command. The authselect command simplifies user authentication configuration on Oracle Linux 8. The authselect command also provides a safer approach to Pluggable Authentication Modules (PAM) stack management.

    You can use the authselect command to configure the following authentication methods: passwords, certificates, smart cards, and fingerprints. However, note that you cannot use the authselect command to configure services that are required to join remote domains. For this type of configuration, use the realmd or ipa-client-install command.
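The following is an added example, not Directory Server code, that models the three password syntax checks described in the Directory Server enhancements above (dictionary check, palindrome check, and character-sequence check) so they can be tried locally; the word list, the sequence threshold, and the candidate passwords are constructed for illustration.

```python
# Added example, not Directory Server's implementation: a reference model of the
# password syntax checks (dictionary, palindrome, character sequence).
# SAMPLE_WORDS and max_seq are constructed values; a real deployment reads a
# dictionary file and the configured policy attributes instead.

def is_palindrome(pw: str) -> bool:
    """True if the password reads the same forwards and backwards (case-insensitive)."""
    s = pw.lower()
    return len(s) > 1 and s == s[::-1]


def longest_sequence(pw: str) -> int:
    """Length of the longest run of consecutive characters in one direction
    ('abcd' or '4321'), measured on the lower-cased password."""
    s = pw.lower()
    if not s:
        return 0
    best = run = 1
    prev_step = None
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and step == prev_step:
            run += 1          # the run continues in the same direction
        elif step in (1, -1):
            run = 2           # a new ascending or descending run starts here
        else:
            run = 1           # not consecutive: reset
        prev_step = step
        best = max(best, run)
    return best


def in_dictionary(pw: str, words: set[str]) -> bool:
    """Dictionary check: the lower-cased password is itself a known word."""
    return pw.lower() in words


def check_password(pw: str, words: set[str], max_seq: int = 3) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    if in_dictionary(pw, words):
        violations.append("dictionary word")
    if is_palindrome(pw):
        violations.append("palindrome")
    if longest_sequence(pw) > max_seq:
        violations.append(f"character sequence longer than {max_seq}")
    return violations


# Constructed word list standing in for a real dictionary file.
SAMPLE_WORDS = {"password", "welcome", "oracle"}

if __name__ == "__main__":
    for candidate in ("Password", "Racecar", "xabcd9!", "Tq7#mL2v"):
        print(candidate, check_password(candidate, SAMPLE_WORDS) or "ok")
```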