Feature #3312

Make it possible to use the REMOTE_USER / sso/apache.rb authentication with mod_auth_kerb

Added by Jan Pazdziora almost 9 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: Authentication

Description

Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication. However, when it is configured via a naive wholesale <Location />, for example in /etc/httpd/conf.d/auth_kerb.conf

  <Location />
  AuthType Kerberos
  AuthName "Kerberos Login" 
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
  </Location>

the solution has certain problems (also described at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/1):

Some of the locations in Foreman might need the authentication disabled and the proposed <Location /> will cover them all. They need to be identified and exceptions added to the Apache configuration. For SPNEGO, this configuration will force the negotiation to happen for every access to the WebUI -- first with a 401 result, then a second request with the negotiation result and result 200, slowing the operation down significantly. Plus, users have to already exist in the Foreman database or the authentication will fail -- that however defeats the purpose of using an external authentication mechanism.

The goal of this issue is to make the REMOTE_USER authentication more usable by external Apache mod_auth_* modules, specifically with mod_auth_kerb in mind. The authentication should happen on a single dedicated location (say /users/extlogin) and after the authentication, the standard Foreman session should be used. If the user does not exist in the Foreman database, a minimal user record to make the account usable should be created.
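
The flow this issue asks for, sketched as an added example (not Foreman's code and not taken from the pull request): external authentication is honoured only at /users/extlogin, a minimal user record is created on first login, and every other location relies on the session alone. The class name, record fields, cookie name and the /users/login redirect target are assumptions made for the illustration.

```ruby
require "securerandom"

# Illustration only; class, field and cookie names are hypothetical.
EXTLOGIN_PATH = "/users/extlogin"

class ExtLoginApp
  attr_reader :users

  def initialize(autocreate: true)
    @users = {}      # login => minimal user record
    @sessions = {}   # session id => login
    @autocreate = autocreate
  end

  # env is a Rack-style hash; returns [status, headers, body].
  def call(env)
    return extlogin(env) if env["PATH_INFO"] == EXTLOGIN_PATH

    # Every other location relies on the session alone; REMOTE_USER is not read.
    sid = env["HTTP_COOKIE"].to_s[/session_id=(\h+)/, 1]
    login = @sessions[sid]
    return [302, { "Location" => "/users/login" }, []] unless login  # assumed form-login path
    [200, {}, ["hello #{login}"]]
  end

  private

  def extlogin(env)
    # Only the variable set by the web server counts. A client-supplied
    # "Remote-User" header arrives as HTTP_REMOTE_USER and is never consulted.
    login = env["REMOTE_USER"].to_s.strip
    return [401, {}, ["external authentication required"]] if login.empty?

    unless @users.key?(login)
      return [403, {}, ["unknown user"]] unless @autocreate
      @users[login] = { login: login, auth_source: "external" }
    end

    sid = SecureRandom.hex(16)
    @sessions[sid] = login
    [302, { "Location" => "/", "Set-Cookie" => "session_id=#{sid}; HttpOnly" }, []]
  end
end
```

On the Apache side this corresponds to scoping the Kerberos directives to <Location /users/extlogin> instead of <Location />, so the 401/negotiate round trip happens once per login rather than on every request.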


Related issues

Related to Installer - Feature #3710: Configure Kerberos/mod_auth_kerb with a keytab for Foreman web UI (Resolved)
Has duplicate Foreman - Feature #3502: As an AD user I'd like to have integration with AD (Closed, 2013-10-25)
Blocks Foreman - Tracker #5031: External authentication support (New, 2014-04-02)

Associated revisions

Revision b7589c32 (diff)
Added by Jan Pazdziora over 8 years ago

fixes #3312 - support /users/extlogin as a login page based on REMOTE_USER

History

#2 Updated by Lukas Zapletal almost 9 years ago

  • Description updated (diff)

#3 Updated by Dominic Cleal almost 9 years ago

  • Category set to Authentication
  • Status changed from New to Ready For Testing
  • Assignee set to Jan Pazdziora
  • Target version set to 1.15.0
  • Legacy Backlogs Release (now unused) set to 2

#4 Updated by Jan Pazdziora almost 9 years ago

The pull request https://github.com/theforeman/foreman/pull/958 now has code in it which allows autopopulation of users authenticated via the REMOTE_USER mechanism (when enabled). The patches will likely need to be squashed to include modifications from https://github.com/adelton/foreman/pull/1 but at this point the code is there and working on my installation, so ready for testing.

#5 Updated by Jan Pazdziora almost 9 years ago

New pull request https://github.com/theforeman/foreman/pull/967 was opened for this issue, obsoleting the old one.

#6 Updated by Jan Pazdziora almost 9 years ago

The https://github.com/theforeman/foreman/pull/967 now includes tests by Marek H., and is rebased on current develop.

#7 Updated by Dominic Cleal almost 9 years ago

  • Has duplicate Feature #3502: As an AD user I'd like to have integration with AD added

#8 Updated by Dominic Cleal over 8 years ago

  • Target version changed from 1.15.0 to 1.10.0

#9 Updated by Jan Pazdziora over 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#10 Updated by Jan Pazdziora over 8 years ago

  • Description updated (diff)

#11 Updated by Dominic Cleal over 8 years ago

#12 Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Related to Feature #3710: Configure Kerberos/mod_auth_kerb with a keytab for Foreman web UI added
