Feature #3528

closed

When new users are created based on REMOTE_USER authentication, their attributes should be populated as well

Added by Jan Pazdziora over 10 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The issue http://projects.theforeman.org/issues/3312 and the related pull request https://github.com/theforeman/foreman/pull/967 attempt to make the REMOTE_USER authentication usable for authentication mechanisms other than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that can lead to errors.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME, and REMOTE_USER_LASTNAME for the user.

There is experimental work going on in sssd which will make it possible to get the values from IPA and get them to Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).

The testing setup

One way to set up the population of the REMOTE_USER_* environment variables to see the patch from https://github.com/theforeman/foreman/pull/986 working is with IPA.

IPA server, enroll Foreman machine, set up mod_auth_kerb

On a 1.4-to-be (develop) installation of Foreman, follow http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb to enable the Kerberos authentication and autopopulation of users in Foreman.

Configure sssd-dbus and mod_lookup_identity

Enable Jakub Hrozek's repository which has the builds of sssd-dbus and mod_lookup_identity. At http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/ choose the correct .repo file. For example, on my Foreman on RHEL 6 installation, I do

# wget -O /etc/yum.repos.d/jhrozek-identity_demo.repo \
  http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/repo/epel-6-i386/

Install the packages:

# yum install -y sssd-dbus mod_lookup_identity

Update /etc/sssd/sssd.conf to enable the Infopipe feature of sssd. On my installation, I did:

--- /etc/sssd/sssd.conf.orig    2013-12-10 03:09:20.751552952 -0500
+++ /etc/sssd/sssd.conf    2013-12-12 00:52:30.791240631 -0500
@@ -11,8 +11,10 @@
 chpass_provider = ipa
 ipa_server = _srv_, ipa.example.com
 dns_discovery_domain = example.com
+ldap_user_extra_attrs = mail, givenname, sn
+
 [sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, ifp
 config_file_version = 2

 domains = example.com
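
Review bot: The added `ldap_user_extra_attrs = mail, givenname, sn` line depends on sitting in the domain section, but the hunk context (`chpass_provider`, `ipa_server`, `dns_discovery_domain`) does not show that section's header, so someone applying the change by hand could put it under `[sssd]` instead. State in the accompanying text that it goes at the end of the domain section. The same three attribute names must also match `user_attributes` in the new `[ifp]` section, so a note tying the two lists together would prevent them drifting apart.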
@@ -28,3 +30,7 @@

 [pac]

+[ifp]
+allowed_uids = 48, 0
+user_attributes = +mail, +givenname, +sn
+
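
Review bot: `allowed_uids = 48, 0` in the new `[ifp]` section uses a bare numeric UID with no indication of which account it is. Add a comment naming the account Apache runs as, and check the number on the target system rather than copying it, since it is the only thing limiting who can read user attributes through the Infopipe. Also consider whether UID 0 needs to be listed at all; keep the list to the accounts that actually query the service.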

With new enough selinux-policy, set the following boolean:

# setenforce 1
# setsebool -P httpd_dbus_sssd on

If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive:

# setenforce 0

Configure mod_lookup_identity -- edit for example /etc/httpd/conf.d/lookup_identity.conf to have the following in it:

# cat >> /etc/httpd/conf.d/lookup_identity.conf <<EOF
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /users/extlogin>
LookupUserAttr mail REMOTE_USER_EMAIL " " 
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
</Location>
EOF

Restart sssd and Apache:

# service sssd restart
# service httpd restart

As admin, remove the previously autopopulated user from Foreman if there is one, to allow it to be created again, now with attributes.

Now when you use Kerberos obtained from the IPA server to log in to Foreman, you should see the full name of the user instead of the login name in the top right corner of the screen, and if you inspect the user's details, the email address should be there as well.
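
The attribute mapping this issue asks for, as an added example (not Foreman's code and not the code from the pull request): a Ruby function that reads the REMOTE_USER_* variables from a Rack-style environment hash when a user is about to be auto-created. The names `ATTR_MAP` and `attributes_from_remote_env`, the attribute keys and the sample values are assumptions made for illustration.

```ruby
# Added example, not Foreman's code. ATTR_MAP and
# attributes_from_remote_env are hypothetical names.

# Server-set variable => user attribute, as proposed in the issue.
ATTR_MAP = {
  'REMOTE_USER_EMAIL'     => :mail,
  'REMOTE_USER_FIRSTNAME' => :firstname,
  'REMOTE_USER_LASTNAME'  => :lastname
}.freeze

# Build the attribute hash for a user about to be auto-created.
# env is the Rack-style request environment (a Hash with String keys).
# Returns nil when the web server did not authenticate anyone.
def attributes_from_remote_env(env)
  login = env['REMOTE_USER'].to_s.strip
  return nil if login.empty?

  attrs = { login: login }
  ATTR_MAP.each do |var, field|
    # Only the exact variable names are read. Client request headers
    # appear under an HTTP_ prefix (e.g. HTTP_REMOTE_USER_EMAIL) and are
    # never consulted, so a browser cannot supply its own attributes.
    value = env[var].to_s.strip
    next if value.empty?

    # LookupUserAttr mail REMOTE_USER_EMAIL " " joins multiple values
    # with a space; keep only the first address.
    value = value.split(' ').first if field == :mail
    attrs[field] = value
  end
  attrs
end

# Constructed sample environments.
SAMPLE_FULL = {
  'REMOTE_USER'           => 'bob',
  'REMOTE_USER_EMAIL'     => 'bob@example.com robert@example.com',
  'REMOTE_USER_FIRSTNAME' => 'Robert',
  'REMOTE_USER_LASTNAME'  => 'Chase'
}.freeze

SAMPLE_HEADER_ONLY = {
  'REMOTE_USER'            => 'bob',
  'HTTP_REMOTE_USER_EMAIL' => 'someone-else@example.net'
}.freeze
```

With `SAMPLE_HEADER_ONLY` the result contains only the login, which leaves the user to be redirected to add an email address as before.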


Related issues: 3 (1 open, 2 closed)

Blocks Foreman - Tracker #5031: External authentication support (New, 04/02/2014)
Copied to Foreman - Feature #3696: Populate user or usergroup roles from LDAP or REMOTE_USER_* (Duplicate, 10/28/2013)
Copied to Foreman - Feature #3892: When new users are created based on REMOTE_USER authentication, their roles should be populated as well (Closed, Jan Pazdziora, 10/28/2013)

Actions #1

Updated by Jan Pazdziora over 10 years ago

Created pull request https://github.com/theforeman/foreman/pull/986 for the user attributes.

Actions #2

Updated by Dominic Cleal over 10 years ago

  • Category set to Authentication
  • Status changed from New to Ready For Testing
  • Assignee set to Jan Pazdziora
  • Target version set to 1.15.0
Actions #3

Updated by Dominic Cleal over 10 years ago

  • Target version changed from 1.15.0 to 1.10.0
Actions #4

Updated by Dominic Cleal over 10 years ago

  • Copied to Feature #3696: Populate user or usergroup roles from LDAP or REMOTE_USER_* added
Actions #5

Updated by Dominic Cleal over 10 years ago

  • Target version changed from 1.10.0 to 1.9.3
Actions #6

Updated by Jan Pazdziora over 10 years ago

  • Description updated (diff)
Actions #7

Updated by Jan Pazdziora over 10 years ago

  • Description updated (diff)
Actions #8

Updated by Jan Pazdziora over 10 years ago

  • Copied to Feature #3892: When new users are created based on REMOTE_USER authentication, their roles should be populated as well added
Actions #9

Updated by Jan Pazdziora over 10 years ago

  • Subject changed from When new users are created based on REMOTE_USER authentication, their attributes and roles should be populated as well to When new users are created based on REMOTE_USER authentication, their attributes should be populated as well
  • Description updated (diff)

I'm removing the roles part from this issue, now tracking it in http://projects.theforeman.org/issues/3892.

Actions #10

Updated by Dominic Cleal about 10 years ago

  • translation missing: en.field_release set to 2
Actions #11

Updated by Jan Pazdziora about 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #12

Updated by Jan Pazdziora about 10 years ago

I have now updated http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb with this setup because the Kerberos authentication is currently where it can be seen and used.

Actions #13

Updated by Dominic Cleal about 10 years ago

Official documentation was added to the manual: http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication

Actions #14

Updated by Dominic Cleal almost 10 years ago

Actions #15

Updated by Jan Pazdziora almost 10 years ago

  • Description updated (diff)
Actions #16

Updated by Jan Pazdziora almost 10 years ago

  • Description updated (diff)