Feature #4462
Updated by Jan Pazdziora almost 11 years ago
The form-based authentication should be able to consume external authentication, for example PAM authentication and access control provided by mod_intercept_form_submit.
The generic approach is documented at
http://www.freeipa.org/page/Web_App_Authentication
For Foreman, the goal is to be able to say
<pre>
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /users/login>
    InterceptFormPAMService foreman-prod
    InterceptFormLogin login[login]
    InterceptFormPassword login[password]
</Location>
</pre>
and be able to authenticate against the foreman-prod PAM service.
In case the Foreman machine is IPA-enrolled, additional user attributes should be consumable just like in the case of projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. The mod_lookup_identity module configuration would then need to be amended to
<pre>
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<LocationMatch ^/users/(ext)?login$>
    LookupUserAttr mail REMOTE_USER_EMAIL " "
    LookupUserAttr givenname REMOTE_USER_FIRSTNAME
    LookupUserAttr sn REMOTE_USER_LASTNAME
</LocationMatch>
</pre>
to support both the Kerberos-based /users/extlogin, and /users/login.
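An added example, not part of the original request and not Foreman's code: a sketch of how the application side could consume what the two configurations above provide. It assumes the application runs in-process under Apache, so variables set by the modules appear in the Rack `env`; `external_user`, `ATTR_VARS` and the sample environments are hypothetical names and constructed data.

```ruby
# Added illustration; not Foreman code. All names here are hypothetical.
# Variables populated by the LookupUserAttr lines in the configuration above.
ATTR_VARS = {
  mail:      'REMOTE_USER_EMAIL',
  firstname: 'REMOTE_USER_FIRSTNAME',
  lastname:  'REMOTE_USER_LASTNAME'
}.freeze

# Returns a hash describing the externally authenticated user, or nil when
# the web server did not authenticate the request. On nil the application
# falls back to its own check of the submitted login[login]/login[password].
def external_user(env)
  # Only the server-set variable counts. A client-sent "Remote-User:" header
  # arrives as HTTP_REMOTE_USER and is deliberately never consulted.
  login = env['REMOTE_USER'].to_s.strip
  return nil if login.empty?

  attrs = { login: login }
  ATTR_VARS.each do |key, var|
    value = env[var].to_s.strip
    next if value.empty?
    # mail is looked up with a " " separator, so several addresses may be
    # joined into one string; keep only the first one.
    value = value.split(' ').first if key == :mail
    attrs[key] = value
  end
  attrs
end

# Constructed sample: PAM authentication passed, attributes were looked up.
SAMPLE_OK = {
  'REMOTE_USER'           => 'jdoe',
  'REMOTE_USER_EMAIL'     => 'jdoe@example.test jane.doe@example.test',
  'REMOTE_USER_FIRSTNAME' => 'Jane',
  'REMOTE_USER_LASTNAME'  => 'Doe'
}.freeze

# Constructed sample: no server-side authentication, only client headers.
SAMPLE_SPOOF = {
  'HTTP_REMOTE_USER'       => 'admin',
  'HTTP_REMOTE_USER_EMAIL' => 'admin@example.test'
}.freeze
```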