Make it possible to use the REMOTE_USER / sso/apache.rb authentication with mod_auth_kerb
Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication. However, when it is configured via naive wholesale <Location />, for example in /etc/httpd/conf.d/auth_kerb.conf
<Location /> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/http.keytab KrbLocalUserMapping On require valid-user </Location>
the solution has certain problems (also described at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/1):
Some of the locations in Foreman might need the authentication disabled and the proposed <Location /> will cover them all. They need to be identified and exceptions added to Apache configuration. For SPNEGO, this configuration will force the negotiation to happen for every access to the WebUI -- first with 401 result, then second request with negotiation result with result 200, slowing the operation significantly down. Plus, users have to already exist in Foreman database or the authentication will fail -- that however defeats the purpose of using external authentication mechanism.
The goal of this issue is to make the REMOTE_USER authentication more usable by external Apache mod_auth_* modules, specifically with mod_auth_kerb in mind. The authentication should happen on single dedicated location (say /users/extlogin) and after the authentication, the standard Foreman session should be used. If the user does not exist in Foreman database, minimal user record to make the account usable should be created.
#4 Updated by Jan Pazdziora almost 9 years ago
The pull request https://github.com/theforeman/foreman/pull/958 now has code in which allows autopopulation of users authenticated via the REMOTE_USER mechanism (when enabled). The patches will likely need to be squashed to include modifications from https://github.com/adelton/foreman/pull/1 but at this point the code is there and working on my installation, so ready for testing.