-
Notifications
You must be signed in to change notification settings - Fork 3
Tradeoff on IAM
- PAM_OAUTH2 / Keycloak
- PAM_LDAP / OpenLDAP / Keycloak
- PAM_SSSD / Lightwave / Keycloak
Behind , the research of a product, here is the main drivers
- Have a database of user, group, right
- Have a RBAC Function (Role Based Access Control)
- Have a HBAC Function (Host Based Access Function)
- Have A full integration in Micro services and High Availability
The choice of market player is around the HBAC functionality, because Keycloak signed all main drivers except for this function
Market player shall be evaluated by severals key below :
- Cloud native
- Traceability, audit and compliance
- HA availability
- Security level
- Features
- Reputation/Community
- Licensing
- Compatibility with Kubernetes and container technology
- Cost/Resources
- Hardening ...
Keycloak Oauth2 servers (and open id connect as well) operates as authentication servers for web applications. The Aim is to adapt host login with a token, using the standards PAM. It is possible with little hack around the response.
One of the most issue that this solution do not integrate NSS modules ( exception of https://github.com/twhtanghk/pam_oauth2 with limitation of use pam_mkhomedir and old contribution ). The solution have 2 implementation way:
- (S1) Create a new user on each node and on keycloak user database
- (S2) Use generic user login ( depending on group right) with SSL keys and use keycloak auth on vault to transmit keys .
- Pro : Flexible integration in cloud environment with low effort.
- Cons : Need some Action/configuration on nodes, Security need some improvement
Key driver analyze :
- Cloud native -- > Yes
- API management -- > CLI/WEB
- HA availability -- > Yes
- Traceability, audit and compliance -- > Yes ((S1)PAM logging over Wazuh Framworks / (S2) user audit by log correlation between keycloak and PAM )
- Authentication Local/Centralized -- > HBAC Local / RBAC centralized
- Complexity -- > Medium ( Keycloak and PAM_Oauth2 to install) ( S1/ High due to action on each node, for each new user) (S2 /Medium due to correlations actions to be add)
- Security level -- > Low (S1) /High (S2)
- Reputation/Community -- > Good : (CyberDem0n/pam-oauth2 80 star and 20 fork)
- Licensing -- > Free (MIT License)
- Compatibility with Kubernetes and container technology -- > Full
- Cost/Resources -- > Free
- Hardening -- > High : no CVE
Sources
- https://github.com/CyberDem0n/pam-oauth2
- https://kandi.openweaver.com/c/CyberDem0n/pam-oauth2#Summary
- https://mathieupassenaud.fr/ssh-oauth2/
The Aim of this solution is replace FreeIPA ( S1PDGS solution) by OpenLDAP and PAM/NSS LDAP on nodes.
With this solution Keycloak use OpenLDAP to store credentials and keep keyloak to manage users. To enable login on node HBAC , we need to implement PAM et NSS_LDAP
- Cloud native -- > Yes
- API management -- > CLI/WEB
- HA availability -- > Yes
- Traceability, audit and compliance -- > Yes (PAM logging over Wazuh Frameworks)
- Authentication Local/Centralized -- > HBAC/RBAC centralized
- Security level -- > High
- Reputation/Community -- > Good : Stackshare Stacks 75 Followers 105 and 299 GitHub stars and 105 GitHub forks
- Licensing -- > OpenLDAP Public License version 2.8 (d)
- Compatibility with Kubernetes and container technology -- > Full
- Cost/Resources -- > Free
- Hardening -- > High (openldap) : no CVE over 5.0 , High (pam_ldap) : No high CVE since 2005
- Pro: Low effort integration in cloud environment, user management integrate to keycloak
- Cons : Need to have synchronized HA between Keycloak/OPENLDAP
Sources
- https://www.talkingquickly.co.uk/installing-openldap-kubernetes-helm
- https://www.cvedetails.com/vulnerability-list/vendor_id-589/product_id-1921/Padl-Software-Pam-Ldap.html
- https://www.cvedetails.com/vulnerability-list/vendor_id-439/Openldap.html
The Aim of this solution is replace Freeipa ( S1PDGS solution) by Lightwave (Vmware).
Project Lightwave is an open source project comprised of enterprise-grade, identity and access management services targeting critical security, governance, and compliance challenges for Cloud-Native Apps within the enterprise
- Cloud native -- > Yes
- API management -- > WEB/CLI
- HA availability -- > Yes
- Traceability, audit and compliance -- > Yes (PAM logging over Wazuh Frameworks)
- Authentication Local/Centralized -- > HBAC/RBAC centralized
- Security level -- > high
- Features -- >
- Lightwave Directory Service - standards based, multi-tenant, multi-master, highly scalable LDAP v3 directory service enables an enterprise’s infrastructure to be used by the most-demanding applications as well as by multiple teams.
- Lightwave Certificate Authority - directory integrated certificate authority helps to simplify certificate-based operations and key management across the infrastructure.
- Lightwave Certificate Store - endpoint certificate store to store certificate credentials.
- Lightwave Authentication Services - cloud authentication services with support for LDAP, Kerberos, OAuth 2.0/OpenID Connect, SAML and WSTrust enable interoperability with other standards-based technologies in the data center
- Reputation/Community -- > Good : 312 GitHub stars and 100 GitHub forks
- Licensing -- > Lightwave is available under the Apache 2 license.
- Compatibility with Kubernetes and container technology -- > Medium ( It exist Docker image, but no helm )
- Cost/Resources -- > Free
- Hardening -- > High : no CVE
- Pro: Good security ,
- Cons : No full K8S integration, More function than we need,
Sources
- https://kandi.openweaver.com/c/vmware/lightwave#Summary
- https://github.com/vmware/lightwave
- http://vmware.github.io/lightwave/
Find a solution to replace FreeIPA, and keep Keycloak is no quite simple :
- First of solution : use PAM_Oauth2 to covers missing functionalities in Keycloak : RBAC ( SSH login on nodes). the issue is that only cover authentification, and all processus of hosting user on node d not be covered . This implies to and manual operation on node
- Second solution : replace FreeIPA by OPENLDAP is the solution with the best result: hight integration with keycloak and K8S, centalised HBAC, and good security.
- The third solution: the use of a new competitor VmWare Lightwave . It have same fonctionnality than FreeIPA, but it is more integrated on K8S cluster, with HA function.
Regarding all the elements cited above, we preconize the use of PAM_LDAP / OpenLDAP / Keycloak as IAM.