Feature #4462
Updated by Jan Pazdziora about 10 years ago
The form-based authentication should be able to consume external authentication, for example PAM authentication and access control provided by mod_intercept_form_submit. The generic approach is documented at http://www.freeipa.org/page/Web_App_Authentication For Foreman, the goal is to be able to say <pre> LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so <Location /users/login> InterceptFormPAMService foreman-prod InterceptFormLogin login[login] InterceptFormPassword login[password] </Location> </pre> and be able to authenticate against foreman-prod PAM service. In case the Foreman machine is IPA-enrolled, additional user attributes should be consumable just like link in case of http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb. The mod_lookup_identity module configuration would then need to be amended to <pre> LoadModule lookup_identity_module modules/mod_lookup_identity.so <LocationMatch ^/users/(ext)?login$> LookupUserAttr mail REMOTE_USER_EMAIL " " LookupUserAttr givenname REMOTE_USER_FIRSTNAME LookupUserAttr sn REMOTE_USER_LASTNAME </LocationMatch> </pre> to support both the Kerberos-based /users/extlogin, and /users/login.