Feature #3312
closed
Make it possible to use the REMOTE_USER / sso/apache.rb authentication with mod_auth_kerb
Description
Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication. However, when it is configured via naive wholesale <Location />, for example in /etc/httpd/conf.d/auth_kerb.conf
<Location /> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/http.keytab KrbLocalUserMapping On require valid-user </Location>
the solution has certain problems (also described at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/1):
Some of the locations in Foreman might need the authentication disabled and the proposed <Location /> will cover them all. They need to be identified and exceptions added to Apache configuration. For SPNEGO, this configuration will force the negotiation to happen for every access to the WebUI -- first with 401 result, then second request with negotiation result with result 200, slowing the operation significantly down. Plus, users have to already exist in Foreman database or the authentication will fail -- that however defeats the purpose of using external authentication mechanism.
The goal of this issue is to make the REMOTE_USER authentication more usable by external Apache mod_auth_* modules, specifically with mod_auth_kerb in mind. The authentication should happen on single dedicated location (say /users/extlogin) and after the authentication, the standard Foreman session should be used. If the user does not exist in Foreman database, minimal user record to make the account usable should be created.
Updated by Jan Pazdziora about 11 years ago
Initial draft patches are in https://github.com/theforeman/foreman/pull/958
Updated by
Updated by Dominic Cleal about 11 years ago
- Category set to Authentication
- Status changed from New to Ready For Testing
- Assignee set to Jan Pazdziora
- Target version set to 1.15.0
- Translation missing: en.field_release set to 2
Updated by Jan Pazdziora about 11 years ago
The pull request https://github.com/theforeman/foreman/pull/958 now has code in which allows autopopulation of users authenticated via the REMOTE_USER mechanism (when enabled). The patches will likely need to be squashed to include modifications from https://github.com/adelton/foreman/pull/1 but at this point the code is there and working on my installation, so ready for testing.
Updated by Jan Pazdziora about 11 years ago
New pull request https://github.com/theforeman/foreman/pull/967 was opened for this issue, obsoleting the old one.
Updated by Jan Pazdziora about 11 years ago
The https://github.com/theforeman/foreman/pull/967 now includes tests by Marek H., and is rebased on current develop.
Updated by Dominic Cleal about 11 years ago
- Has duplicate Feature #3502: As an AD user I'd like to have integration with AD added
Updated by Dominic Cleal about 11 years ago
- Target version changed from 1.15.0 to 1.10.0
Updated by Jan Pazdziora about 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset b7589c3284712211502e25cf56aca17300beb01a.
Updated by Dominic Cleal over 10 years ago
- Blocks Tracker #5031: External authentication support added
Updated by Ewoud Kohl van Wijngaarden almost 4 years ago
- Related to Feature #3710: Configure Kerberos/mod_auth_kerb with a keytab for Foreman web UI added