Feature #4462

Updated by Jan Pazdziora over 8 years ago

The form-based authentication should be able to consume external authentication, for example PAM authentication and access control provided by mod_intercept_form_submit.

The generic approach is documented at

http://www.freeipa.org/page/Web_App_Authentication

For Foreman, the goal is to be able to say

<pre>
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
<Location /users/login>
InterceptFormPAMService foreman-prod
InterceptFormLogin login[login]
InterceptFormPassword login[password]
</Location>
</pre>

and be able to authenticate against foreman-prod PAM service.

In case the Foreman machine is IPA-enrolled, additional user attributes should be consumable just like in the case of http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. The mod_lookup_identity module configuration would then need to be amended to

<pre>
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<LocationMatch ^/users/(ext)?login$>
LookupUserAttr mail REMOTE_USER_EMAIL " "
LookupUserAttr givenname REMOTE_USER_FIRSTNAME
LookupUserAttr sn REMOTE_USER_LASTNAME
</LocationMatch>
</pre>

to support both the Kerberos-based /users/extlogin, and /users/login.
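
As an added example (not part of the original issue and not Foreman's code), this is one way an application could consume what the two configurations above publish. It assumes the Apache environment reaches the application as a Rack-style `env` hash; the helper name `external_identity` and the choice to keep only the first mail value are assumptions.

```ruby
# Hypothetical helper, added for illustration; not Foreman code.
# Variable names come from the LookupUserAttr lines in the issue.
ATTR_VARS = {
  mail:      'REMOTE_USER_EMAIL',
  firstname: 'REMOTE_USER_FIRSTNAME',
  lastname:  'REMOTE_USER_LASTNAME'
}.freeze

# Same paths as the LocationMatch ^/users/(ext)?login$ in the issue.
# \A and \z are used because Ruby's ^ and $ match at every line break.
EXTERNAL_AUTH_PATHS = %r{\A/users/(ext)?login\z}

# env: Rack-style request environment (assumed to carry Apache's variables).
# Returns a Hash for an externally authenticated user, or nil when no external
# identity is present and the application's own password check must run.
def external_identity(env)
  return nil unless EXTERNAL_AUTH_PATHS.match?(env['PATH_INFO'].to_s)

  # Only the server-set REMOTE_USER counts. A client-sent "Remote-User" header
  # shows up as HTTP_REMOTE_USER and is deliberately never read.
  login = env['REMOTE_USER'].to_s.strip
  return nil if login.empty?

  identity = { login: login }
  ATTR_VARS.each do |key, var|
    value = env[var].to_s.strip
    next if value.empty?
    # mail is configured with a " " separator, so several values may arrive
    # joined by spaces; keeping the first one is an assumption of this example.
    value = value.split(' ').first if key == :mail
    identity[key] = value
  end
  identity
end

# Constructed sample requests (not captured traffic).
FORM_LOGIN = {
  'PATH_INFO' => '/users/login', 'REMOTE_USER' => 'alice',
  'REMOTE_USER_EMAIL' => 'alice@example.test alice@alt.example.test',
  'REMOTE_USER_FIRSTNAME' => 'Alice', 'REMOTE_USER_LASTNAME' => 'Example'
}.freeze
SPOOFED_HEADER = { 'PATH_INFO' => '/users/login', 'HTTP_REMOTE_USER' => 'admin' }.freeze
KERBEROS_LOGIN = { 'PATH_INFO' => '/users/extlogin', 'REMOTE_USER' => 'bob' }.freeze
OTHER_PATH = { 'PATH_INFO' => '/users/login/extra', 'REMOTE_USER' => 'alice' }.freeze
```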
