Feature #3312

Updated by Lukas Zapletal over 10 years ago

Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication. However, when it is configured via a naive wholesale <Location />, for example in /etc/httpd/conf.d/auth_kerb.conf:

<pre>
<Location />
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
</Location>
</pre>


the solution has several problems (also described at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb):

Some locations in Foreman need authentication disabled, and the proposed <Location /> covers them all; they have to be identified and exceptions added to the Apache configuration. For SPNEGO, this configuration forces the negotiation to happen on every access to the WebUI: the first request ends with a 401, and only the second request, carrying the negotiation result, gets a 200, which slows operation down significantly. In addition, users must already exist in the Foreman database or the authentication fails, which defeats the purpose of using an external authentication mechanism.

The goal of this issue is to make REMOTE_USER authentication more usable with external Apache mod_auth_* modules, specifically with mod_auth_kerb in mind. The authentication should happen on a single dedicated location (say /users/extlogin), and after the authentication the standard Foreman session should be used. If the user does not exist in the Foreman database, a minimal user record should be created so that the account is usable.
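A location-scoped configuration along the lines this issue proposes, written here as an added example (not Foreman's shipped configuration): Kerberos negotiation is confined to /users/extlogin, so REMOTE_USER is only ever set by Apache on that one request and the rest of the WebUI is left to Foreman's own session handling. Realm, keytab path and the /users/extlogin path are the values used above; the config file path is the one named in the description.

```apache
# /etc/httpd/conf.d/auth_kerb.conf (added example, not the project's own file)
#
# Only the dedicated login endpoint negotiates. Every other URL is served
# without an Apache-level AuthType, so anonymous locations (API, unattended
# provisioning endpoints) need no per-path exceptions, and the 401/200
# round trip happens once per login instead of on every page.
<Location /users/extlogin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  # Password fallback stays off: clients without a ticket get a clean 401
  # here instead of a basic-auth prompt that would send a password in clear.
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  # Strip "@EXAMPLE.COM" so REMOTE_USER is the bare principal that the
  # application matches against (or creates as) its user record.
  KrbLocalUserMapping On
  require valid-user
</Location>
```

The application side must take the user name from the REMOTE_USER variable that Apache sets in the request environment, never from a client-supplied HTTP header, and must treat it as authoritative only on this location.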
