Revision 1/17
Jan Pazdziora, 10/17/2013 05:04 AM
Foreman and mod auth kerb
Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.3.
Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication.
We need mod_auth_kerb installed on the Foreman machine.
We assume the Foreman machine is IPA-enrolled:
# ipa-client-install
On the IPA server, we create the service:
# ipa service-add HTTP/<the-foreman-hostname>
On the Foreman machine, we get the keytab for the service:
# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
# chown apache /etc/http.keytab
# chmod 600 /etc/http.keytab
On the Foreman machine, we install mod_auth_kerb:
# yum install -y mod_auth_kerb
On the Foreman machine, we configure it to be used by Apache:
# to /etc/httpd/conf.d/auth_kerb.conf add
<Location />
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
</Location>
On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:
# to /etc/foreman/settings.yaml add
:authorize_login_delegation: true
:login_delegation_logout_url: /
On the Foreman machine, we restart Apache:
# service httpd restart
Now in your browser, if you kinit to obtain a ticket, accessing Foreman's WebUI should not ask for login/password and should display the authenticated dashboard directly.
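A post-setup audit of the files created in the steps above, as an added example that is not part of the original wiki page or of Foreman. It checks that the keytab is mode 600 and owned by apache, that the mod_auth_kerb block has Negotiate on and password fallback off, and that login delegation is enabled. The function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example: audits the files this page creates. Function names are
# hypothetical; paths and directive values are the ones used on this page.

# Keytab must be mode 600 and owned by the Apache user (chown/chmod step).
check_keytab() {            # usage: check_keytab FILE OWNER
    local file=$1 owner=$2 mode user
    [ -f "$file" ] || { echo "FAIL: $file missing"; return 1; }
    mode=$(stat -c '%a' "$file")    # GNU stat, octal permission bits
    user=$(stat -c '%U' "$file")
    [ "$mode" = 600 ] || { echo "FAIL: $file mode is $mode, want 600"; return 1; }
    [ "$user" = "$owner" ] || { echo "FAIL: $file owner is $user, want $owner"; return 1; }
    echo "OK: $file"
}

# True if FILE has an uncommented "NAME VALUE" directive (case-insensitive).
has_directive() {           # usage: has_directive FILE NAME VALUE
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*\$" "$1"
}

# The mod_auth_kerb block: Negotiate on, password fallback off, same keytab.
check_apache_conf() {       # usage: check_apache_conf FILE KEYTAB
    local conf=$1 keytab=$2 rc=0 pair
    for pair in "AuthType Kerberos" "KrbMethodNegotiate On" \
                "KrbMethodK5Passwd Off" "Krb5KeyTab $keytab" \
                "KrbLocalUserMapping On" "require valid-user"; do
        # ${pair%% *} is the directive name, ${pair#* } its value
        if ! has_directive "$conf" "${pair%% *}" "${pair#* }"; then
            echo "FAIL: '$pair' not found in $conf"; rc=1
        fi
    done
    return $rc
}

# Foreman must be told to accept the login delegated by Apache.
check_foreman_settings() {  # usage: check_foreman_settings FILE
    grep -Eq '^[[:space:]]*:authorize_login_delegation:[[:space:]]*true[[:space:]]*$' "$1" \
        || { echo "FAIL: login delegation not enabled in $1"; return 1; }
}

audit_all() {
    local rc=0
    check_keytab /etc/http.keytab apache || rc=1
    check_apache_conf /etc/httpd/conf.d/auth_kerb.conf /etc/http.keytab || rc=1
    check_foreman_settings /etc/foreman/settings.yaml || rc=1
    return $rc
}

# Run the audit only when asked, e.g.: bash audit.sh --run   (as root)
if [ "${1:-}" = "--run" ]; then audit_all; fi
```

A non-zero exit status from audit_all means at least one of the three files differs from what the steps above produce.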
Updated by Jan Pazdziora about 11 years ago · 17 revisions