Feature #3528
Updated by Jan Pazdziora about 11 years ago
The issue http://projects.theforeman.org/issues/3312 and the related pull request https://github.com/theforeman/foreman/pull/967 attempt to make the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that can lead to errors.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME, and REMOTE_USER_LASTNAME for the user, and REMOTE_USER_GROUPS or some similar variable for group membership, which could imply roles that the user should get in Foreman.

There is experimental work going on in sssd which will make it possible to get the values from IPA and get them to Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).

h2. The testing setup

One way to set up the population of the REMOTE_USER_* environment variables, to see the patch from https://github.com/theforeman/foreman/pull/986 working, is with IPA.

h3. IPA server, enroll Foreman machine, set up mod_auth_kerb

On a 1.4-to-be (develop) installation of Foreman, follow projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb to enable the Kerberos authentication and autopopulation of users in Foreman.

h3. Configure sssd-dbus and mod_lookup_identity

Enable Jakub Hrozek's repository which has the builds of sssd-dbus and mod_lookup_identity. At http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/ choose the correct .repo file.
For example, on my Foreman on RHEL 6 installation, I do

<pre>
# wget -O /etc/yum.repos.d/jhrozek-identity_demo.repo \
    http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/repo/epel-6-i386/
</pre>

Install the packages:

<pre>
# yum install -y sssd-dbus mod_lookup_identity
</pre>

Update /etc/sssd/sssd.conf to enable the Infopipe feature of sssd. On my installation, I did:

<pre>
--- /etc/sssd/sssd.conf.orig 2013-12-10 03:09:20.751552952 -0500
+++ /etc/sssd/sssd.conf 2013-12-12 00:52:30.791240631 -0500
@@ -11,8 +11,10 @@
 chpass_provider = ipa
 ipa_server = _srv_, ipa.example.com
 dns_discovery_domain = example.com
+ldap_user_extra_attrs = mail, givenname, sn
+
 
 [sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, ifp
 config_file_version = 2
 domains = example.com
@@ -28,3 +30,7 @@
 [pac]
+[ifp]
+allowed_uids = 48, 0
+user_attributes = +mail, +givenname, +sn
+
 
 
</pre>

Set SELinux to permissive. I know, this is bad, but it's a temporary workaround before the sssd-dbus feature settles in completely:

<pre>
# setenforce 0
</pre>

Configure mod_lookup_identity -- edit for example /etc/httpd/conf.d/lookup_identity.conf to have the following in it:

<pre>
# cat >> /etc/httpd/conf.d/lookup_identity.conf <<EOF
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /users/extlogin>
LookupUserAttr mail REMOTE_USER_EMAIL " "
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
</Location>
EOF
</pre>

Restart sssd and Apache:

<pre>
# service sssd restart
# service httpd restart
</pre>

As admin, remove the previously autopopulated user from Foreman if there is one, to allow it to be created again, now with attributes.

Now when you use Kerberos obtained from the IPA server to log in to Foreman, you should see the full name of the user instead of the login name in the top right corner of the screen, and if you inspect the user's details, the email address should be there as well.
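Review bot: in the second hunk, `allowed_uids = 48, 0` hard-codes the numeric uid of the apache user as it is on RHEL 6; on a distribution or installation where httpd runs under a different uid the InfoPipe will refuse the lookups and the REMOTE_USER_* variables will simply not be set, which is easy to mistake for a mod_lookup_identity problem. A comment next to the line naming which account 48 is, and dropping `0` unless root actually needs to query the InfoPipe, would make the snippet safer to copy. Also worth stating that `user_attributes = +mail, +givenname, +sn` must list the same attributes as `ldap_user_extra_attrs` in the first hunk, otherwise the lookups return nothing.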
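The consuming side of the setup above, as an added example and not Foreman's own code: a small Ruby routine that takes the Rack environment of a request to /users/extlogin and turns REMOTE_USER plus the three REMOTE_USER_* variables configured in lookup_identity.conf into the attributes of a user record. It only honours variables set by the web server; the same names sent by a client as HTTP headers reach Rack prefixed with HTTP_ and are deliberately ignored (and can be reported). It assumes that the " " third argument of `LookupUserAttr mail REMOTE_USER_EMAIL " "` is the separator used to join a multi-valued mail attribute, and keeps the first address. The attribute key names and the sample environment are this example's own constructions.

```ruby
# Added example, not Foreman's code: build user attributes from the
# REMOTE_USER_* variables that mod_auth_kerb and mod_lookup_identity set.

# Variable name (as configured in lookup_identity.conf) -> attribute key.
# The attribute keys are this example's own choice.
REMOTE_USER_VARS = {
  'REMOTE_USER_EMAIL'     => :mail,
  'REMOTE_USER_FIRSTNAME' => :firstname,
  'REMOTE_USER_LASTNAME'  => :lastname,
}.freeze

# Assumption: `LookupUserAttr mail REMOTE_USER_EMAIL " "` joins a multi-valued
# mail attribute with a space, so the value may carry several addresses.
MAIL_SEPARATOR = ' '

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

class ExternalAuthError < StandardError; end

# env is the Rack environment (a plain Hash here). Server-set variables appear
# under their own names; client-sent headers are prefixed with HTTP_ by Rack,
# so a header spelled REMOTE-USER-EMAIL would arrive as HTTP_REMOTE_USER_EMAIL
# and is never consulted by this routine.
def external_user_attrs(env)
  login = env['REMOTE_USER'].to_s.strip
  if login.empty?
    raise ExternalAuthError, 'REMOTE_USER is not set: the web server did not authenticate this request'
  end

  attrs = { login: login }
  REMOTE_USER_VARS.each do |var, key|
    value = env[var].to_s.strip
    next if value.empty?          # attribute missing in IPA: leave it for the user to fill in
    attrs[key] = value
  end

  if attrs[:mail]
    # Keep the first address of a multi-valued attribute and refuse to store
    # anything that does not look like an address.
    first = attrs[:mail].split(MAIL_SEPARATOR).first
    unless first =~ EMAIL_RE
      raise ExternalAuthError, "REMOTE_USER_EMAIL is not a usable address: #{attrs[:mail].inspect}"
    end
    attrs[:mail] = first
  end
  attrs
end

# Client-supplied headers that mimic the trusted variables. A request carrying
# them is either a misconfigured proxy or someone probing; worth logging.
def spoofed_identity_headers(env)
  (['REMOTE_USER'] + REMOTE_USER_VARS.keys).map { |v| "HTTP_#{v}" }.select { |h| env.key?(h) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Rack env for a Kerberos-authenticated request, not captured from a server.
  env = {
    'REMOTE_USER'            => 'jdoe@EXAMPLE.COM',
    'REMOTE_USER_EMAIL'      => 'jdoe@example.com john.doe@example.com',
    'REMOTE_USER_FIRSTNAME'  => 'John',
    'REMOTE_USER_LASTNAME'   => 'Doe',
    'HTTP_REMOTE_USER_EMAIL' => 'someone-else@example.net',
  }
  p external_user_attrs(env)        # {:login=>"jdoe@EXAMPLE.COM", :mail=>"jdoe@example.com", ...}
  p spoofed_identity_headers(env)   # ["HTTP_REMOTE_USER_EMAIL"]
end
```

In a real Rails controller the `env` would be `request.env`; the point of the separation is that the login and the attributes come from the same trusted source, so a missing REMOTE_USER aborts the autopopulation instead of creating a user from unverified data.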