Feature #4462

Add support for PAM authentication via mod_intercept_form_submit

Added by Jan Pazdziora over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assigned To: Jan Pazdziora
Category: Authentication
Target version: Sprint 22
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -
Release: 1.5.0
Release relationship: Auto

Description

The form-based authentication should be able to consume external authentication, for example PAM authentication and access control provided by mod_intercept_form_submit.

The generic approach is documented at

http://www.freeipa.org/page/Web_App_Authentication

For Foreman, the goal is to be able to say

LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /users/login>
  InterceptFormPAMService foreman-prod
  InterceptFormLogin login[login]
  InterceptFormPassword login[password]
</Location>

and be able to authenticate against the foreman-prod PAM service.

In case the Foreman machine is IPA-enrolled, additional user attributes should be consumable just like in the case of http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. The mod_lookup_identity module configuration would then need to be amended to

LoadModule lookup_identity_module modules/mod_lookup_identity.so
<LocationMatch ^/users/(ext)?login$>
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr givenname REMOTE_USER_FIRSTNAME
  LookupUserAttr sn REMOTE_USER_LASTNAME
</LocationMatch>

to support both the Kerberos-based /users/extlogin, and /users/login.
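
The application side of the configuration above, as an added example that is not part of the original issue and is not Foreman's code: a login handler that accepts the identity Apache established in REMOTE_USER and otherwise falls back to its own password check. The method and constant names, the sample data, and the assumption that module-set variables reach the Rack environment under their own names (with client request headers arriving under an HTTP_ prefix) are illustrative.

```ruby
# Added example; method and constant names are hypothetical, not Foreman's.
# Environment variables populated by mod_lookup_identity in the page's config.
ATTR_VARS = {
  mail:      'REMOTE_USER_EMAIL',
  firstname: 'REMOTE_USER_FIRSTNAME',
  lastname:  'REMOTE_USER_LASTNAME'
}.freeze

# Returns the identity Apache established, or nil when no module authenticated
# the request. Only the bare REMOTE_USER key is read: a client-sent
# "Remote-User" header would show up as HTTP_REMOTE_USER and is never consulted.
def external_identity(env)
  login = env['REMOTE_USER'].to_s.strip
  return nil if login.empty?

  attrs = ATTR_VARS.each_with_object({}) do |(key, var), found|
    value = env[var].to_s.strip
    found[key] = value unless value.empty?
  end
  # mail is looked up with a " " separator, so it may hold several addresses.
  attrs[:mail] = attrs[:mail].split(' ').first if attrs[:mail]
  { login: login, attrs: attrs, source: :external }
end

# params: parsed form fields login[login] / login[password].
# internal_auth: callable standing in for the application's own password check.
def authenticate_login(env, params, internal_auth)
  identity = external_identity(env)
  return identity if identity # PAM already verified the password

  form = params['login'] || {}
  login = form['login'].to_s
  password = form['password'].to_s
  return nil if login.empty? || password.empty?
  return nil unless internal_auth.call(login, password)

  { login: login, attrs: {}, source: :internal }
end

# Constructed sample request, as the app would see it after a successful PAM login.
SAMPLE_ENV = {
  'REMOTE_USER' => 'alice',
  'REMOTE_USER_EMAIL' => 'alice@example.test a.smith@example.test',
  'REMOTE_USER_FIRSTNAME' => 'Alice',
  'REMOTE_USER_LASTNAME' => 'Smith'
}.freeze
SAMPLE_PARAMS = { 'login' => { 'login' => 'alice', 'password' => 'secret' } }.freeze
```
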


Related issues

Blocks Foreman - Tracker #5031: External authentication support New 04/02/2014

Associated revisions

Revision 74d32e15
Added by Jan Pazdziora over 3 years ago

fixes #4462 - extending the /users/login handling to process REMOTE_USER through intercept

History

#1 Updated by Jan Pazdziora over 3 years ago

  • Description updated (diff)

#2 Updated by Jan Pazdziora over 3 years ago

  • Description updated (diff)

#4 Updated by Dominic Cleal over 3 years ago

  • Category set to Authentication
  • Status changed from New to Ready For Testing
  • Assigned To set to Jan Pazdziora
  • Target version set to Sprint 20

#5 Updated by Dmitri Dolguikh over 3 years ago

  • Target version changed from Sprint 20 to Sprint 21

#6 Updated by Dmitri Dolguikh over 3 years ago

  • Target version changed from Sprint 21 to Sprint 22

#7 Updated by Dominic Cleal over 3 years ago

#8 Updated by Dominic Cleal over 3 years ago

  • Release set to 1.5.0

#9 Updated by Jan Pazdziora over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
