The issue http://projects.theforeman.org/issues/3312 and related pull request https://github.com/theforeman/foreman/pull/967 attempts to make the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that can lead to errors.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME, and REMOTE_USER_LASTNAME for the user.

There is an experimental work going on in sssd which will make it possible to get the values from IPA and get them to the Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).

The testing setup¶

One way to setup the population of the REMOTE_USER_* environment variables to see the patch from https://github.com/theforeman/foreman/pull/986 working is with IPA.

IPA server, enroll Foreman machine, setup mod_auth_kerb¶

On 1.4-to-be (develop) installation of Foreman, follow projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb to enable the Kerberos authentication and autopopulation of users in Foreman.

Configure sssd-dbus and mod_lookup_identity¶

Enable Jakub Hrozek's repository which has the builds of sssd-dbus and mod_lookup_identity. At http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/ choose the correct .repo file. For example, on my Foreman on RHEL 6 installation, I do

# wget -O /etc/yum.repos.d/jhrozek-identity_demo.repo \
  http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/repo/epel-6-i386/

Install the packages:

# yum install -y sssd-dbus mod_lookup_identity

Update /etc/sssd/sssd.conf to enable the Infopipe feature of sssd. On my installation, I did:

--- /etc/sssd/sssd.conf.orig    2013-12-10 03:09:20.751552952 -0500
+++ /etc/sssd/sssd.conf    2013-12-12 00:52:30.791240631 -0500
@@ -11,8 +11,10 @@
 chpass_provider = ipa
 ipa_server = _srv_, ipa.example.com
 dns_discovery_domain = example.com
+ldap_user_extra_attrs = mail, givenname, sn
+
 [sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, ifp
 config_file_version = 2

 domains = example.com
@@ -28,3 +30,7 @@

 [pac]

+[ifp]
+allowed_uids = 48, 0
+user_attributes = +mail, +givenname, +sn
+

With new enough selinux-policy, set the following boolean:

# setenforce 1
# setsebool -P httpd_dbus_sssd on

If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive:

# setenforce 0

Configure mod_lookup_identity -- edit for example /etc/httpd/conf.d/lookup_identity.conf to have the following in it:

# cat >> /etc/httpd/conf.d/lookup_identity.conf <<EOF
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /users/extlogin>
LookupUserAttr mail REMOTE_USER_EMAIL " " 
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
</Location>
EOF

Restart sssd and Apache:

# service sssd restart
# service httpd restart

As admin, remove the previously autopopulated user from Foreman if there is some, to allow it to be created again, now with attributes.

Now when you use Kerberos obtained from the IPA server to log in to Foreman, you should see the full name of the user instead of the login name in the top right corner of the screen, and if you inspect user's details, the email address should be there as well.