WEBVTT

1
00:00:00.040 --> 00:00:02.759
<v Speaker 1>Welcome to another deep dive. Today we're tackling a really

2
00:00:02.759 --> 00:00:06.559
<v Speaker 1>interesting and often pretty complex challenge in the world of computing.

3
00:00:07.200 --> 00:00:10.800
<v Speaker 1>How do organizations actually manage who gets access to what,

4
00:00:11.240 --> 00:00:14.599
<v Speaker 1>where and when, especially when they're running a mix of

5
00:00:14.839 --> 00:00:18.039
<v Speaker 1>Linux and Windows systems. We're talking identity and access management

6
00:00:18.120 --> 00:00:20.719
<v Speaker 1>really the keys to keeping your network secure, efficient, and,

7
00:00:20.800 --> 00:00:23.679
<v Speaker 1>let's be honest, manageable. Our mission today is to kind

8
00:00:23.679 --> 00:00:26.239
<v Speaker 1>of cut through that complexity, give you a clear roadmap,

9
00:00:26.280 --> 00:00:30.239
<v Speaker 1>a shortcut maybe to understanding how these critical technologies fit together.

10
00:00:30.120 --> 00:00:34.159
<v Speaker 2>Exactly. In today's IT world, these hybrid setups are everywhere,

11
00:00:34.159 --> 00:00:37.640
<v Speaker 2>and having solid, unified identity management, it's not just, like,

12
00:00:38.000 --> 00:00:40.799
<v Speaker 2>a best practice anymore, it's absolutely essential. We're going to

13
00:00:40.840 --> 00:00:44.520
<v Speaker 2>pull back the curtain a bit on the foundational pieces

14
00:00:44.520 --> 00:00:47.520
<v Speaker 2>that let these different systems talk to each other, share information,

15
00:00:47.759 --> 00:00:51.439
<v Speaker 2>and ultimately give users a smooth, secure experience. Get ready,

16
00:00:51.640 --> 00:00:55.679
<v Speaker 2>because we're going to connect the dots: OpenLDAP, Samba, FreeIPA,

17
00:00:56.280 --> 00:00:57.880
<v Speaker 2>see how they all link up to give you that

18
00:00:57.920 --> 00:00:58.640
<v Speaker 2>bigger picture.

19
00:00:58.880 --> 00:01:02.079
<v Speaker 1>Okay, so let's start with the foundation. When we talk about these

20
00:01:02.119 --> 00:01:05.760
<v Speaker 1>central directories for network resources, like a smart phone book for users,

21
00:01:05.760 --> 00:01:08.959
<v Speaker 1>groups, devices, all that stuff, LDAP always comes up. For

22
00:01:09.000 --> 00:01:11.120
<v Speaker 1>people who maybe hear the term or even use it.

23
00:01:11.480 --> 00:01:14.480
<v Speaker 1>What's its core job, and why is OpenLDAP sort

24
00:01:14.519 --> 00:01:17.040
<v Speaker 1>of the go-to implementation?

25
00:01:17.239 --> 00:01:21.239
<v Speaker 2>Right, so LDAP itself, the Lightweight Directory Access Protocol, it's basically

26
00:01:21.239 --> 00:01:24.280
<v Speaker 2>a standard open way to store and retrieve directory info.

27
00:01:24.319 --> 00:01:26.840
<v Speaker 2>It's built for speed, especially for reading lots of data quickly.

28
00:01:27.280 --> 00:01:30.239
<v Speaker 2>And OpenLDAP, well, that's the most popular free, open

29
00:01:30.280 --> 00:01:33.760
<v Speaker 2>source version of it. It's incredibly flexible, runs pretty much

30
00:01:33.760 --> 00:01:36.840
<v Speaker 2>everywhere: Linux, Windows, macOS, Solaris, Unix. Think of

31
00:01:36.920 --> 00:01:40.680
<v Speaker 2>it like a central database, super efficient for storing user accounts, groups,

32
00:01:40.840 --> 00:01:43.400
<v Speaker 2>network objects, things like that. The heart of it is

33
00:01:43.400 --> 00:01:46.519
<v Speaker 2>the slapd daemon, the LDAP server itself. Each bit

34
00:01:46.560 --> 00:01:49.519
<v Speaker 2>of info, an entry, has attributes like a name, an email,

35
00:01:49.560 --> 00:01:52.159
<v Speaker 2>and a unique ID called a distinguished name or DN.

36
00:01:52.640 --> 00:01:55.760
<v Speaker 2>Clients talk to it using standard operations: bind to authenticate,

37
00:01:55.799 --> 00:01:58.920
<v Speaker 2>search to find things, add, delete, modify entries. Use tools

38
00:01:58.959 --> 00:02:01.439
<v Speaker 2>like ldapsearch all the time just to check things.

39
00:02:01.599 --> 00:02:05.280
<v Speaker 1>Okay, this central directory idea, this single source of truth.

40
00:02:05.879 --> 00:02:09.199
<v Speaker 1>It sounds really powerful, very efficient, but you know, putting

41
00:02:09.199 --> 00:02:11.439
<v Speaker 1>all your eggs in one basket like that immediately makes

42
00:02:11.479 --> 00:02:15.960
<v Speaker 1>me think security. If all that user info is in

43
00:02:16.000 --> 00:02:17.800
<v Speaker 1>one spot, how do you lock it down? Because I

44
00:02:17.840 --> 00:02:21.439
<v Speaker 1>understand basic LDAP can send stuff in plain text.

45
00:02:21.360 --> 00:02:23.400
<v Speaker 2>Right, you've hit the nail on the head. Plain text

46
00:02:23.520 --> 00:02:26.639
<v Speaker 2>absolutely not for sensitive data. That's why TLS, Transport Layer

47
00:02:26.680 --> 00:02:29.960
<v Speaker 2>Security, is, well, non-negotiable. You have to secure those

48
00:02:30.000 --> 00:02:33.280
<v Speaker 2>OpenLDAP connections: use TLS and X.509

49
00:02:33.439 --> 00:02:36.439
<v Speaker 2>certificates, encrypt everything going back and forth. There's also

50
00:02:36.479 --> 00:02:39.080
<v Speaker 2>the StartTLS extension, which is quite neat and lets

51
00:02:39.120 --> 00:02:41.039
<v Speaker 2>you upgrade a connection on the standard port 389

52
00:02:41.120 --> 00:02:42.199
<v Speaker 2>to be encrypted.

53
00:02:42.400 --> 00:02:44.680
<v Speaker 1>Ah, so you don't necessarily need a separate port just

54
00:02:44.719 --> 00:02:45.479
<v Speaker 1>for security.

55
00:02:45.759 --> 00:02:49.000
<v Speaker 2>Not always, no, though you still need firewall rules, of course.

56
00:02:49.439 --> 00:02:51.520
<v Speaker 2>You need to open port 389 for LDAP

57
00:02:51.759 --> 00:02:54.639
<v Speaker 2>and maybe 636 for LDAPS, which is TLS

58
00:02:54.800 --> 00:02:57.560
<v Speaker 2>right from the start. And then for really fine grained

59
00:02:57.560 --> 00:03:00.680
<v Speaker 2>control inside the directory, you use access control lists, or

60
00:03:00.719 --> 00:03:04.879
<v Speaker 2>ACLs, defined by olcAccess parameters in OpenLDAP. Think

61
00:03:04.919 --> 00:03:07.000
<v Speaker 2>of olcAccess as the detailed rulebook. It lets you

62
00:03:07.039 --> 00:03:09.759
<v Speaker 2>say exactly who can read or write what specific information,

63
00:03:10.159 --> 00:03:12.280
<v Speaker 2>down to tiny details. Super granular.

64
00:03:12.560 --> 00:03:15.919
<v Speaker 1>Okay, so the directory itself is secure: encrypted traffic, granular

65
00:03:15.960 --> 00:03:19.319
<v Speaker 1>access controls. That's a relief, but having the data stored

66
00:03:19.360 --> 00:03:22.439
<v Speaker 1>safely is one thing. How does an actual Linux machine

67
00:03:22.560 --> 00:03:25.520
<v Speaker 1>use this directory? When someone tries to log in via SSH,

68
00:03:25.560 --> 00:03:28.479
<v Speaker 1>for instance? How does the OS know to check OpenLDAP?

69
00:03:28.800 --> 00:03:31.680
<v Speaker 2>That's the integration piece, and it's crucial. You essentially teach

70
00:03:31.719 --> 00:03:33.840
<v Speaker 2>the Linux system, hey, for user info, go ask that

71
00:03:33.919 --> 00:03:38.360
<v Speaker 2>OpenLDAP server. Two main players here: PAM, Pluggable Authentication Modules.

72
00:03:38.599 --> 00:03:41.319
<v Speaker 2>Think of PAM as the bouncer for services like SSH

73
00:03:41.439 --> 00:03:44.280
<v Speaker 2>or sudo. It handles the actual "is this user legit"

74
00:03:44.759 --> 00:03:46.080
<v Speaker 2>check against LDAP.

75
00:03:46.080 --> 00:03:47.159
<v Speaker 1>Okay, PAM checks the credentials. Then what?

76
00:03:47.199 --> 00:03:50.639
<v Speaker 2>Then there's NSS, the Name Service Switch. NSS

77
00:03:50.719 --> 00:03:54.000
<v Speaker 2>is like the system's internal address book lookup. It

78
00:03:54.039 --> 00:03:56.639
<v Speaker 2>tells the system where to find user and group info.

79
00:03:57.080 --> 00:04:00.360
<v Speaker 2>So when you type, say, id username, NSS says, ah,

80
00:04:00.560 --> 00:04:03.319
<v Speaker 2>check LDAP for that user. This combo means you create

81
00:04:03.360 --> 00:04:05.719
<v Speaker 2>a user once in OpenLDAP and they can log

82
00:04:05.759 --> 00:04:09.639
<v Speaker 2>into potentially hundreds of Linux machines. Huge win for sysadmins.

83
00:04:09.680 --> 00:04:13.199
<v Speaker 2>Means no more creating accounts everywhere. Tools like authconfig

84
00:04:13.280 --> 00:04:16.360
<v Speaker 2>can help streamline setting up PAM and NSS across different

85
00:04:16.360 --> 00:04:18.120
<v Speaker 2>Linux or Unix-like systems.

86
00:04:18.279 --> 00:04:20.560
<v Speaker 1>Right, that makes sense. So Linux systems are talking securely

87
00:04:20.600 --> 00:04:24.399
<v Speaker 1>to OpenLDAP for their authentication needs. Solved. But the

88
00:04:24.439 --> 00:04:27.199
<v Speaker 1>elephant in the room for so many places: Windows. You've

89
00:04:27.240 --> 00:04:29.800
<v Speaker 1>got Windows clients, Windows servers. How do we get Linux

90
00:04:29.839 --> 00:04:33.399
<v Speaker 1>and Windows to play nice identity-wise, share files? Are

91
00:04:33.399 --> 00:04:35.600
<v Speaker 1>we stuck with totally separate worlds? Or is there a bridge?

92
00:04:35.639 --> 00:04:38.120
<v Speaker 2>There is definitely a bridge, and its name is Samba.

93
00:04:38.279 --> 00:04:41.240
<v Speaker 2>It's the classic open source tool that lets Linux servers

94
00:04:41.279 --> 00:04:44.600
<v Speaker 2>act just like Windows file and print servers. It speaks

95
00:04:44.639 --> 00:04:48.199
<v Speaker 2>the same language, SMB/CIFS, and Samba's come a long way.

96
00:04:48.240 --> 00:04:51.399
<v Speaker 2>It's got key parts: smbd for the actual file and

97
00:04:51.480 --> 00:04:54.480
<v Speaker 2>print sharing, nmbd for NetBIOS name stuff, mostly

98
00:04:54.519 --> 00:04:57.759
<v Speaker 2>for older compatibility, and winbind, that one's really important

99
00:04:57.759 --> 00:04:58.839
<v Speaker 2>for joining a Windows domain.

100
00:04:58.920 --> 00:05:02.959
<v Speaker 1>Okay, winbind for domain integration. And there are specific ports involved too.

101
00:05:03.120 --> 00:05:05.240
<v Speaker 2>Yeah, got a number of ports: UDP 137 and

102
00:05:05.319 --> 00:05:08.160
<v Speaker 2>138 for NetBIOS naming and browsing, and TCP

103
00:05:08.240 --> 00:05:11.480
<v Speaker 2>ports 139 and, crucially, 445 for

104
00:05:11.519 --> 00:05:14.600
<v Speaker 2>the main SMB service. The protocol itself has evolved too.

105
00:05:14.920 --> 00:05:17.720
<v Speaker 2>SMB 1.0 was notoriously chatty, kind of slow,

106
00:05:17.959 --> 00:05:20.199
<v Speaker 2>SMB 2.0 and later versions are much, much

107
00:05:20.199 --> 00:05:20.800
<v Speaker 2>more efficient.

108
00:05:20.920 --> 00:05:24.120
<v Speaker 1>What really blows my mind, though, is how flexible Samba is. Yeah,

109
00:05:24.160 --> 00:05:26.519
<v Speaker 1>it's not just about basic file sharing anymore, is it?

110
00:05:26.519 --> 00:05:28.519
<v Speaker 1>It could be a simple server in a workgroup, sure,

111
00:05:28.600 --> 00:05:31.120
<v Speaker 1>it can join a Windows domain like any Windows server,

112
00:05:31.439 --> 00:05:33.720
<v Speaker 1>but Samba 4, it could actually be an Active

113
00:05:33.720 --> 00:05:36.120
<v Speaker 1>Directory domain controller, for real, on Linux.

114
00:05:36.360 --> 00:05:39.199
<v Speaker 2>That's the big one. Yes, Samba 4 can act as

115
00:05:39.240 --> 00:05:42.240
<v Speaker 2>a fully fledged AD DC. It's not just mimicking. It

116
00:05:42.279 --> 00:05:46.720
<v Speaker 2>provides those core AD services. Think authentication via Kerberos, group

117
00:05:46.720 --> 00:05:50.360
<v Speaker 2>policy support, DNS integration, all things you'd expect from a

118
00:05:50.399 --> 00:05:52.160
<v Speaker 2>Windows DC, but running on a Linux box.

119
00:05:52.279 --> 00:05:56.040
<v Speaker 1>Okay, the implications there, that's huge for flexibility, maybe cost savings.

120
00:05:55.839 --> 00:05:59.920
<v Speaker 2>Absolutely. Huge flexibility, potential cost savings, and it allows

121
00:05:59.920 --> 00:06:02.120
<v Speaker 2>for a more unified approach if you want open source

122
00:06:02.160 --> 00:06:05.240
<v Speaker 2>but need that deep Windows integration. Now, if you want

123
00:06:05.319 --> 00:06:07.839
<v Speaker 2>Samba to use your existing OpenLDAP for users, you

124
00:06:07.879 --> 00:06:10.839
<v Speaker 2>can do that too. In the smb.conf file,

125
00:06:11.000 --> 00:06:14.000
<v Speaker 2>you set passdb backend = ldapsam and

126
00:06:14.040 --> 00:06:17.439
<v Speaker 2>security = user. This tells Samba, hey, for user passwords,

127
00:06:17.480 --> 00:06:19.319
<v Speaker 2>go ask that OpenLDAP server over there.

128
00:06:19.399 --> 00:06:22.600
<v Speaker 1>So OpenLDAP becomes the authentication source for Samba shares too.

129
00:06:22.560 --> 00:06:25.199
<v Speaker 2>Exactly, and just like before, that connection between Samba and

130
00:06:25.240 --> 00:06:28.519
<v Speaker 2>OpenLDAP must be secured, so you configure things like ldap

131
00:06:28.639 --> 00:06:31.720
<v Speaker 2>ssl = start tls. You point it to your TLS certificates,

132
00:06:31.720 --> 00:06:35.319
<v Speaker 2>the tls cafile, tls certfile, tls keyfile. Got to

133
00:06:35.360 --> 00:06:36.199
<v Speaker 2>encrypt that traffic.

134
00:06:36.399 --> 00:06:39.319
<v Speaker 3>It's really powerful seeing how these pieces connect. Linux

135
00:06:39.399 --> 00:06:42.360
<v Speaker 3>uses LDAP locally, Samba lets Linux join the Windows party

136
00:06:42.399 --> 00:06:44.879
<v Speaker 3>or even host the party as an AD DC, potentially

137
00:06:44.959 --> 00:06:47.879
<v Speaker 3>using that same LDAP back end, and tools like smbclient

138
00:06:47.920 --> 00:06:51.040
<v Speaker 3>on Linux to access shares or testparm -v

139
00:06:51.199 --> 00:06:54.639
<v Speaker 3>to check your Samba config must be lifesavers for admins. Okay,

140
00:06:54.639 --> 00:06:57.279
<v Speaker 3>we've built up these components: OpenLDAP for the core directory,

141
00:06:57.439 --> 00:07:00.000
<v Speaker 3>Samba handling the Windows side, but managing all these things

142
00:07:00.279 --> 00:07:04.360
<v Speaker 3>separately, LDAP, maybe a separate Kerberos server, DNS, keeping track

143
00:07:04.360 --> 00:07:06.519
<v Speaker 3>of certificates with the CA. That sounds like it could

144
00:07:06.519 --> 00:07:08.600
<v Speaker 3>get messy, really fast, a lot to juggle. Is there

145
00:07:08.600 --> 00:07:10.639
<v Speaker 3>a way to bring all these essential identity bits together

146
00:07:10.720 --> 00:07:13.959
<v Speaker 3>under one roof, a more integrated solution?

147
00:07:13.879 --> 00:07:17.079
<v Speaker 2>That is precisely the problem FreeIPA was designed to solve.

148
00:07:17.680 --> 00:07:20.439
<v Speaker 2>It is that integrated solution. Think of it as a

149
00:07:20.519 --> 00:07:26.560
<v Speaker 2>comprehensive security information management system, prepackaged. It cleverly bundles together

150
00:07:26.639 --> 00:07:30.240
<v Speaker 2>critical open source projects into one cohesive whole. It uses

151
00:07:30.319 --> 00:07:32.839
<v Speaker 2>the 389 Directory Server, a really robust LDAP

152
00:07:32.920 --> 00:07:36.279
<v Speaker 2>server under the hood. It includes MIT Kerberos for

153
00:07:36.279 --> 00:07:40.519
<v Speaker 2>strong authentication, single sign-on. It integrates NTP for time sync,

154
00:07:40.680 --> 00:07:44.160
<v Speaker 2>vital for Kerberos. It has built-in DNS capabilities, and

155
00:07:44.199 --> 00:07:46.839
<v Speaker 2>it uses Dogtag as a full certificate authority for

156
00:07:46.959 --> 00:07:48.120
<v Speaker 2>managing all your certs.

157
00:07:48.199 --> 00:07:50.519
<v Speaker 1>It's like an all-in-one identity toolkit.

158
00:07:50.120 --> 00:07:53.519
<v Speaker 2>Exactly, an all-in-one identity solution. It massively simplifies

159
00:07:53.560 --> 00:07:55.959
<v Speaker 2>the infrastructure and cuts down on the headache of managing

160
00:07:56.000 --> 00:07:57.040
<v Speaker 2>all those separate parts.

161
00:07:57.079 --> 00:07:59.399
<v Speaker 1>And the benefit for you, the listener, is that management

162
00:07:59.399 --> 00:08:02.360
<v Speaker 1>becomes much more centralized. I hear FreeIPA has a

163
00:08:02.399 --> 00:08:07.480
<v Speaker 1>nice web UI, but also strong command-line tools for managing users, groups, machines, everything.

164
00:08:07.560 --> 00:08:10.480
<v Speaker 2>Absolutely, you get both a user friendly web interface for

165
00:08:10.560 --> 00:08:13.680
<v Speaker 2>many common tasks and powerful ipa command-line tools for

166
00:08:13.720 --> 00:08:18.439
<v Speaker 2>scripting and more advanced stuff. Getting started involves getting

167
00:08:18.439 --> 00:08:21.759
<v Speaker 2>an admin Kerberos ticket, kinit admin, and making sure the right

168
00:08:21.800 --> 00:08:27.160
<v Speaker 2>firewall ports are open: HTTPS for the web UI, LDAPS, Kerberos ports, DNS,

169
00:08:27.279 --> 00:08:29.319
<v Speaker 2>NTP. Clients need to reach the server.

170
00:08:29.279 --> 00:08:32.519
<v Speaker 1>And day-to-day user management, adding users, groups?

171
00:08:32.720 --> 00:08:36.440
<v Speaker 2>FreeIPA makes that pretty straightforward, commands like ipa user-add,

172
00:08:36.480 --> 00:08:39.360
<v Speaker 2>ipa group-add. There's even ipa stageuser-add for

173
00:08:39.399 --> 00:08:41.759
<v Speaker 2>setting up accounts ahead of time. But where it really

174
00:08:41.799 --> 00:08:44.799
<v Speaker 2>shines is the fine grained access control. It uses a

175
00:08:44.799 --> 00:08:47.919
<v Speaker 2>model of permissions, like read/write access. You bundle permissions

176
00:08:47.919 --> 00:08:51.320
<v Speaker 2>into privileges and then you assign those privileges using roles.

177
00:08:51.559 --> 00:08:54.399
<v Speaker 2>So you define roles like help desk admin or user

178
00:08:54.399 --> 00:08:56.840
<v Speaker 2>admin and give them only the specific privileges they need.

179
00:08:57.000 --> 00:08:58.000
<v Speaker 2>Very structured.

180
00:08:57.960 --> 00:08:59.679
<v Speaker 1>And it doesn't stop at users and groups, does it? I

181
00:08:59.720 --> 00:09:02.799
<v Speaker 1>heard it integrates with other Linux services too, like sudo rules.

182
00:09:03.039 --> 00:09:06.879
<v Speaker 2>Oh yeah, deeply. You can manage your sudo rules centrally

183
00:09:06.919 --> 00:09:10.039
<v Speaker 2>in FreeIPA, define who can run what, where, as

184
00:09:10.159 --> 00:09:13.120
<v Speaker 2>root, and push that policy out to all your managed hosts.

185
00:09:13.600 --> 00:09:17.200
<v Speaker 2>Same for autofs maps for automatic network shares, manage SSH

186
00:09:17.320 --> 00:09:20.919
<v Speaker 2>public keys for users centrally, even SELinux user mappings.

187
00:09:20.960 --> 00:09:21.360
<v Speaker 1>Wow.

188
00:09:21.600 --> 00:09:23.879
<v Speaker 2>It means you define these policies once in FreeIPA

189
00:09:24.039 --> 00:09:27.320
<v Speaker 2>and they apply consistently across your entire domain. There's even

190
00:09:27.320 --> 00:09:30.399
<v Speaker 2>a command, ipa-advise, that can spit out configuration

191
00:09:30.440 --> 00:09:32.240
<v Speaker 2>steps for integrating various clients.

192
00:09:32.320 --> 00:09:35.240
<v Speaker 1>Okay, FreeIPA sounds fantastic, especially if you're heavy on

193
00:09:35.279 --> 00:09:39.200
<v Speaker 1>Linux or starting fresh. But what about the places, and

194
00:09:39.279 --> 00:09:41.559
<v Speaker 1>there are many, that already have a big investment in

195
00:09:41.600 --> 00:09:44.120
<v Speaker 1>Microsoft Active Directory? Are they just out of luck, two

196
00:09:44.200 --> 00:09:45.759
<v Speaker 1>separate identity systems forever?

197
00:09:46.120 --> 00:09:50.000
<v Speaker 2>Or can FreeIPA actually talk to AD, integrate somehow?

198
00:09:50.159 --> 00:09:53.440
<v Speaker 1>That's arguably one of FreeIPA's killer features. It's specifically

199
00:09:53.440 --> 00:09:56.720
<v Speaker 1>designed to establish trust relationships with Active Directory domains. This

200
00:09:56.799 --> 00:09:59.480
<v Speaker 1>isn't just about existing side by side, it's about genuine

201
00:09:59.480 --> 00:10:03.000
<v Speaker 1>interoperability. It allows AD users to access resources in

202
00:10:03.039 --> 00:10:06.120
<v Speaker 1>the FreeIPA domain, and FreeIPA users to access

203
00:10:06.159 --> 00:10:10.039
<v Speaker 1>AD resources without needing separate accounts, like true single sign

204
00:10:10.120 --> 00:10:11.559
<v Speaker 1>on across domains.

205
00:10:11.159 --> 00:10:14.240
<v Speaker 2>Exactly, no duplicate accounts, no needing to log in again.

206
00:10:14.600 --> 00:10:18.519
<v Speaker 2>Imagine an AD user accessing a Linux web server managed

207
00:10:18.519 --> 00:10:22.519
<v Speaker 2>by FreeIPA using their normal Windows credentials. That's the goal.

208
00:10:22.639 --> 00:10:25.360
<v Speaker 2>It's a massive win for hybrid environments.

209
00:10:25.039 --> 00:10:29.360
<v Speaker 1>That seamless access sounds incredible. Setting up that kind of trust, though,

210
00:10:29.679 --> 00:10:32.440
<v Speaker 1>feels like it might be tricky. What are the main steps?

211
00:10:32.600 --> 00:10:34.919
<v Speaker 2>There are a few key steps. Yes, you need to

212
00:10:34.960 --> 00:10:38.000
<v Speaker 2>install an extra package on the FreeIPA server,

213
00:10:38.159 --> 00:10:41.440
<v Speaker 2>ipa-server-trust-ad. Then you run a command,

214
00:10:41.440 --> 00:10:45.039
<v Speaker 2>ipa-adtrust-install. This basically prepares the FreeIPA server, sets

215
00:10:45.120 --> 00:10:48.159
<v Speaker 2>up the necessary Samba components within FreeIPA to handle

216
00:10:48.200 --> 00:10:51.200
<v Speaker 2>the AD side of the trust, and finally you establish

217
00:10:51.240 --> 00:10:53.919
<v Speaker 2>the trust itself using ipa trust-add, pointing it to

218
00:10:53.960 --> 00:10:57.360
<v Speaker 2>the AD realm and providing AD admin credentials to authorize it.

219
00:10:57.559 --> 00:11:00.799
<v Speaker 1>Okay, so you install, prepare, then establish the trust.

220
00:11:01.000 --> 00:11:03.360
<v Speaker 1>What absolutely has to be right for this to work?

221
00:11:03.519 --> 00:11:06.639
<v Speaker 1>The prerequisites. I'm guessing time sync is critical again, you

222
00:11:06.679 --> 00:11:07.159
<v Speaker 1>guessed it.

223
00:11:07.759 --> 00:11:12.200
<v Speaker 2>Time synchronization is non-negotiable. Kerberos, which underpins this whole thing,

224
00:11:12.519 --> 00:11:14.840
<v Speaker 2>breaks if the time is off between free IPA and

225
00:11:14.879 --> 00:11:18.639
<v Speaker 2>the AD controllers, even by a few minutes. Proper DNS

226
00:11:18.679 --> 00:11:20.720
<v Speaker 2>is also vital. Each side needs to be able to

227
00:11:20.759 --> 00:11:24.240
<v Speaker 2>resolve names and service records, like SRV records for Kerberos

228
00:11:24.279 --> 00:11:28.039
<v Speaker 2>and LDAP, in the other domain. Usually involves setting up

229
00:11:28.159 --> 00:11:32.320
<v Speaker 2>DNS forwarders. And critically, you need to exchange Certificate Authority,

230
00:11:32.399 --> 00:11:35.879
<v Speaker 2>CA, certificates. The FreeIPA CA cert needs to be trusted

231
00:11:35.879 --> 00:11:38.320
<v Speaker 2>by AD, and the AD CA cert needs to be trusted

232
00:11:38.360 --> 00:11:39.159
<v Speaker 2>by FreeIPA.

233
00:11:39.519 --> 00:11:40.759
<v Speaker 1>Why the certificate exchange?

234
00:11:40.759 --> 00:11:45.440
<v Speaker 2>It's for secure communication, primarily secure LDAP, LDAPS. The trust

235
00:11:45.480 --> 00:11:48.360
<v Speaker 2>relies on secure lookups between the domains, so that certificate

236
00:11:48.360 --> 00:11:50.960
<v Speaker 2>trust is essential to encrypt and verify those connections.

237
00:11:51.039 --> 00:11:55.039
<v Speaker 1>Got it. Time, DNS, certs, nail those down. So once

238
00:11:55.039 --> 00:11:57.320
<v Speaker 1>the trust is up, what does this integration actually look

239
00:11:57.399 --> 00:11:58.879
<v Speaker 1>like day to day for an admin or a user?

240
00:11:58.879 --> 00:12:03.720
<v Speaker 2>It feels remarkably unified. FreeIPA automatically assigns ID

241
00:12:03.840 --> 00:12:06.639
<v Speaker 2>ranges for the trusted AD users and groups, so they

242
00:12:06.679 --> 00:12:09.919
<v Speaker 2>have unique IDs within the FreeIPA space. Then you

243
00:12:09.960 --> 00:12:13.200
<v Speaker 2>can create what FreeIPA calls external groups. You basically

244
00:12:13.200 --> 00:12:15.919
<v Speaker 2>reference an AD group within FreeIPA, and you can

245
00:12:15.919 --> 00:12:18.960
<v Speaker 2>assign permissions and roles to that external group just like

246
00:12:19.000 --> 00:12:21.519
<v Speaker 2>a native FreeIPA group. So you can grant an entire

247
00:12:21.600 --> 00:12:25.279
<v Speaker 2>AD group access to a Linux resource managed by FreeIPA.

248
00:12:25.240 --> 00:12:26.600
<v Speaker 1>All managed from FreeIPA.

249
00:12:26.879 --> 00:12:30.120
<v Speaker 2>Mostly, yes. You manage the AD users in AD, but

250
00:12:30.159 --> 00:12:33.320
<v Speaker 2>you manage their access to FreeIPA resources within FreeIPA,

251
00:12:33.440 --> 00:12:36.279
<v Speaker 2>often by using those external groups. There's even a PassSync

252
00:12:36.360 --> 00:12:39.279
<v Speaker 2>plug-in for Windows DCs that can synchronize password changes

253
00:12:39.320 --> 00:12:42.399
<v Speaker 2>from AD to FreeIPA, making the user experience even smoother,

254
00:12:42.759 --> 00:12:45.159
<v Speaker 2>and you can verify it all works. Commands like

255
00:12:45.279 --> 00:12:47.840
<v Speaker 2>id aduser@ad.domain on a FreeIPA client should

256
00:12:47.879 --> 00:12:49.960
<v Speaker 2>resolve the AD user. ipa group-show on an

257
00:12:50.000 --> 00:12:53.200
<v Speaker 2>external group shows the AD members. It really does bridge

258
00:12:53.200 --> 00:12:53.879
<v Speaker 2>the two worlds.

259
00:12:54.000 --> 00:12:56.679
<v Speaker 1>What an incredible journey we've taken, seriously through this whole

260
00:12:56.759 --> 00:13:00.399
<v Speaker 1>landscape of network identity and access. We started with

261
00:13:00.519 --> 00:13:04.600
<v Speaker 1>OpenLDAP as that fundamental, flexible directory, moved to Samba, the

262
00:13:04.600 --> 00:13:07.240
<v Speaker 1>crucial bridge to Windows, which can even, amazingly, act as

263
00:13:07.240 --> 00:13:10.240
<v Speaker 1>an AD DC, and then landed on FreeIPA,

264
00:13:10.639 --> 00:13:13.759
<v Speaker 1>this unified modern powerhouse that pulls it all together and

265
00:13:13.879 --> 00:13:17.679
<v Speaker 1>can even build robust trust relationships with existing AD setups.

266
00:13:17.720 --> 00:13:23.320
<v Speaker 1>The value here, centralizing identity access for security, efficiency, too,

267
00:13:23.360 --> 00:13:26.759
<v Speaker 1>simplifying administration. It's hard to overstate how important that is.

268
00:13:26.840 --> 00:13:30.799
<v Speaker 2>Indeed, and hopefully by understanding these core pieces, OpenLDAP, Samba,

269
00:13:30.840 --> 00:13:33.840
<v Speaker 2>FreeIPA, and how they interact, especially with the AD trust,

270
00:13:33.879 --> 00:13:37.360
<v Speaker 2>you, the listener, gained the insight needed to design,

271
00:13:37.480 --> 00:13:40.240
<v Speaker 2>build, and manage networks that are resilient, cross-platform, and

272
00:13:40.279 --> 00:13:43.000
<v Speaker 2>really meet the complex demands of today's IT, whether that's

273
00:13:43.320 --> 00:13:45.440
<v Speaker 2>on-prem, cloud, or hybrid. It gives you control.

274
00:13:45.200 --> 00:13:48.279
<v Speaker 1>Absolutely. So as you wrap up listening or

275
00:13:48.320 --> 00:13:50.600
<v Speaker 1>go about your day, here's a little something to chew on.

276
00:13:50.639 --> 00:13:53.759
<v Speaker 1>A provocative thought, maybe. In this world that's only getting

277
00:13:53.799 --> 00:13:58.840
<v Speaker 1>more interconnected, diverse systems, tons of cloud services, maybe even

278
00:13:58.840 --> 00:14:02.120
<v Speaker 1>things like decentralized identity on the horizon. How will

279
00:14:02.120 --> 00:14:05.600
<v Speaker 1>these principles of unified identity and access keep evolving? How

280
00:14:05.639 --> 00:14:08.720
<v Speaker 1>will they simplify our digital lives even more? What new bridges,

281
00:14:08.799 --> 00:14:11.120
<v Speaker 1>what new integrated solutions will we need to build for

282
00:14:11.159 --> 00:14:13.240
<v Speaker 1>the identities of tomorrow? Keep exploring.
