Feature #15900

open

more external authentication features with sssd, without IdM/IPA

Added by Stephen Benjamin over 7 years ago. Updated over 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Foreman modules
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1198103
Description of problem:

The Satellite 6.0 release added the option to use --foreman-ipa-authentication=true to enable external authentication via Apache modules, currently only documented at http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication.

Recently, additional setups were requested: direct AD integration using sssd but without cross-realm trust, or using sssd with ldap providers to allow for LDAP failover that sssd supports. In those cases, the assumptions of the --foreman-ipa-authentication=true approach are not met -- the /etc/ipa/default.conf does not exist, for example.

It is possible to fake the system being IPA-enrolled for the installer to pass but it is cumbersome.

It'd be useful to have additional external authentication setups (especially with sssd) supported.

Version-Release number of selected component (if applicable):

6.0.x.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Use realm join to join the Satellite machine directly to AD.
2. Or manually configure sssd to use an LDAP server.
3. Try to run katello-installer to have Satellite 6 configured to use this external authentication.

Actual results:

It fails.

Expected results:

It is possible.

Additional info:

And documented.

#1

Updated by Dominic Cleal over 7 years ago

  • Project changed from Foreman to Installer
  • Category set to Foreman modules