When new users are created based on REMOTE_USER authentication, their attributes should be populated as well
The issue http://projects.theforeman.org/issues/3312 and related pull request https://github.com/theforeman/foreman/pull/967 attempt to make the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that can lead to errors.
Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME, and REMOTE_USER_LASTNAME for the user.
There is an experimental work going on in sssd which will make it possible to get the values from IPA and get them to the Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).
The testing setup
One way to set up the population of the REMOTE_USER_* environment variables to see the patch from https://github.com/theforeman/foreman/pull/986 working is with IPA.
IPA server, enroll Foreman machine, set up mod_auth_kerb
On a 1.4-to-be (develop) installation of Foreman, follow projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb to enable the Kerberos authentication and autopopulation of users in Foreman.
Configure sssd-dbus and mod_lookup_identity
Enable Jakub Hrozek's repository which has the builds of sssd-dbus and mod_lookup_identity. At http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/ choose the correct .repo file. For example, on my Foreman on RHEL 6 installation, I do
# wget -O /etc/yum.repos.d/jhrozek-identity_demo.repo \
    http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/repo/epel-6-i386/
Install the packages:
# yum install -y sssd-dbus mod_lookup_identity
Update /etc/sssd/sssd.conf to enable the Infopipe feature of sssd. On my installation, I did:
--- /etc/sssd/sssd.conf.orig 2013-12-10 03:09:20.751552952 -0500 +++ /etc/sssd/sssd.conf 2013-12-12 00:52:30.791240631 -0500 @@ -11,8 +11,10 @@ chpass_provider = ipa ipa_server = _srv_, ipa.example.com dns_discovery_domain = example.com +ldap_user_extra_attrs = mail, givenname, sn + [sssd] -services = nss, pam, ssh +services = nss, pam, ssh, ifp config_file_version = 2 domains = example.com @@ -28,3 +30,7 @@ [pac] +[ifp] +allowed_uids = 48, 0 +user_attributes = +mail, +givenname, +sn +
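Review bot: `allowed_uids = 48, 0` in the added `[ifp]` section hardcodes the numeric uid of the Apache user (48 is the apache uid on RHEL 6, where this diff was taken); on a system where httpd runs under a different uid the lookups will be refused, so the value should be checked against the local httpd account rather than copied verbatim. The attribute list must also be kept in sync in both places the hunks touch: `ldap_user_extra_attrs = mail, givenname, sn` in the domain section and the `+mail, +givenname, +sn` entries under `user_attributes`, otherwise the attribute is not cached and the `[ifp]` export of it stays empty.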
With new enough selinux-policy, set the following boolean:
# setenforce 1
# setsebool -P httpd_dbus_sssd on
If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive:
# setenforce 0
Configure mod_lookup_identity -- edit for example /etc/httpd/conf.d/lookup_identity.conf to have the following in it:
# cat >> /etc/httpd/conf.d/lookup_identity.conf <<EOF
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /users/extlogin>
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr givenname REMOTE_USER_FIRSTNAME
  LookupUserAttr sn REMOTE_USER_LASTNAME
</Location>
EOF
Restart sssd and Apache:
# service sssd restart
# service httpd restart
As admin, remove the previously autopopulated user from Foreman if there is one, to allow it to be created again, now with attributes.
Now when you use Kerberos obtained from the IPA server to log in to Foreman, you should see the full name of the user instead of the login name in the top right corner of the screen, and if you inspect the user's details, the email address should be there as well.
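The following is an added example, not code from Foreman or from the pull request above: a Ruby function that turns the REMOTE_USER and REMOTE_USER_* variables set by mod_lookup_identity into the attributes for an auto-created user. The function name, the handling of a client-sent HTTP_REMOTE_USER_EMAIL header and the needs_email flag are assumptions of this example; the " " separator for multi-valued mail follows the lookup_identity.conf above.

```ruby
# Added example (not Foreman's own code). Builds the attribute hash for a
# user created on first REMOTE_USER login, using the REMOTE_USER_* variables
# that mod_lookup_identity exports into the request environment.

# Loose sanity check for a single address (assumption: good enough to reject
# a value that is clearly not an email before it is stored).
EMAIL_RE = /\A[^@\s]+@[^@\s]+\z/

def remote_user_attributes(env)
  login = env['REMOTE_USER'].to_s.strip
  return nil if login.empty?          # not authenticated by the web server

  attrs = { login: login }

  # Only server-set variables are consulted. A header sent by the client
  # would show up as HTTP_REMOTE_USER_EMAIL etc. and is deliberately ignored,
  # so a browser cannot pick the address of the account being created.
  # mod_lookup_identity joins multiple mail values with " " (see the
  # LookupUserAttr line above); the first one is used.
  mail = env['REMOTE_USER_EMAIL'].to_s.split(' ').first
  attrs[:mail] = mail if mail && mail =~ EMAIL_RE

  first = env['REMOTE_USER_FIRSTNAME'].to_s.strip
  last  = env['REMOTE_USER_LASTNAME'].to_s.strip
  attrs[:firstname] = first unless first.empty?
  attrs[:lastname]  = last  unless last.empty?

  # Foreman redirects a new user to enter an email address when none came
  # from the remote service; expose that decision to the caller.
  attrs[:needs_email] = !attrs.key?(:mail)
  attrs
end
```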
#9 Updated by Jan Pazdziora over 8 years ago
- Subject changed from When new users are created based on REMOTE_USER authentication, their attributes and roles should be populated as well to When new users are created based on REMOTE_USER authentication, their attributes should be populated as well
- Description updated (diff)
I'm removing the roles part from this issue, now tracking it in http://projects.theforeman.org/issues/3892.
#12 Updated by Jan Pazdziora over 8 years ago
I have now updated http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb with this setup because the Kerberos authentication is currently where it can be seen and used.
#13 Updated by Dominic Cleal over 8 years ago
Official documentation was added to the manual: http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication