Bug #30535
closedWhen using Puma with Foreman 2.1 FreeIPA external authentication does not work
Description
I looked into this a bit. It appears that all of the freeIPA authentication bits are configured to set internal apache variables, and mod_passenger would be able to read them as environment variables on each request. Because puma is being used as a generic http proxy via mod_proxy, no information about the intercepted form logins or kerberos auth makes its way to foreman through puma.
All of this needs to be reworked with puma in the mix. None of the existing IPA logic will work. (Check headers, not env if puma is used, etc).
Updated by Steve Jacobs over 4 years ago
What I did to check this:
Turned up debug logging in apache and installed mod_dumpio.
I can verify that auth is occurring, and the ifp service is delivering email, etc.
mod_dumpio trace shows that no REMOTE_USER, etc header is being sent to puma on port 3000.
Updated by Ewoud Kohl van Wijngaarden over 4 years ago
- Project changed from Foreman to Installer
- Category set to Foreman modules
- Triaged changed from No to Yes
With 2.1 you can revert back to passenger using --foreman-passenger true. I consider that a workaround, not a solution since long term we want to align on Puma and this is a feature we support. This is something in the installer, so moving to the correct project.
Updated by The Foreman Bot about 4 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-foreman/pull/872 added
Updated by Hesham Ahmed about 4 years ago
- Pull request https://github.com/theforeman/foreman/pull/7909 added
- Pull request deleted (
https://github.com/theforeman/puppet-foreman/pull/872)
I have fixed this by changing app/services/sso/apache.rb to use HTTP_REMOTE_USER instead of REMOTE_USER and setting HTTP_REMOTE_USER in apache. I have created pull requests to foreman and puppet-foreman projects in case this is acceptable.
Updated by Adam Winberg about 4 years ago
Hesham Ahmed wrote:
I have fixed this by changing app/services/sso/apache.rb to use HTTP_REMOTE_USER instead of REMOTE_USER and setting HTTP_REMOTE_USER in apache. I have created pull requests to foreman and puppet-foreman projects in case this is acceptable.
Have you actually tested this? I have tried this with many variations and never got it to work. Tested on RHEL8.
Updated by Hesham Ahmed about 4 years ago
I have tested this and it works fine on EL7
Updated by Adam Winberg about 4 years ago
Ok, got it working. But when using mod_ssl the request header statement need to look a bit different:
RequestHeader set REMOTE_USER %{REMOTE_USER}s
Notice the ending 's' instead of 'e' to make it work with mod_ssl
Updated by The Foreman Bot about 4 years ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/872 added
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Target version changed from 2.1.3 to 2.2.0
Updated by Tomer Brisker about 4 years ago
- Project changed from Installer to Foreman
- Category deleted (
Foreman modules)
Updated by Anonymous about 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-foreman:puppet-foreman|6f5b99bb08f19ff61410dc6208346b9c8c333221.
Updated by Tomer Brisker about 4 years ago
- Fixed in Releases 2.2.0 added
- Fixed in Releases deleted (
2.3.0)
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Subject changed from When using puma with foreman 2.1 freeipa external authentication does not work to When using Puma with Foreman 2.1 freeipa external authentication does not work
Updated by Ewoud Kohl van Wijngaarden about 4 years ago
- Subject changed from When using Puma with Foreman 2.1 freeipa external authentication does not work to When using Puma with Foreman 2.1 FreeIPA external authentication does not work
Updated by The Foreman Bot about 4 years ago
- Assignee set to Tomer Brisker
- Pull request https://github.com/theforeman/puppet-foreman/pull/896 added
Updated by The Foreman Bot about 4 years ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/902 added