Feature #3528

Updated by Jan Pazdziora almost 10 years ago

The issue http://projects.theforeman.org/issues/3312 and the related pull request https://github.com/theforeman/foreman/pull/967 attempt to make REMOTE_USER authentication usable for authentication mechanisms other than HTTP Basic. When a user is created in the Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with that data, saving the user manual edits that can lead to errors.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME and REMOTE_USER_LASTNAME for the user.

There is experimental work going on in sssd which will make it possible to get the values from IPA and pass them to Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).

 h2. The testing setup 

One way to set up the population of the REMOTE_USER_* environment variables, to see the patch from https://github.com/theforeman/foreman/pull/986 working, is with IPA.

h3. IPA server, enroll Foreman machine, set up mod_auth_kerb

On a 1.4-to-be (develop) installation of Foreman, follow projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb to enable Kerberos authentication and autopopulation of users in Foreman.

 h3. Configure sssd-dbus and mod_lookup_identity 

 Enable Jakub Hrozek's repository which has the builds of sssd-dbus and mod_lookup_identity. At http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/ choose the correct .repo file. For example, on my Foreman on RHEL 6 installation, I do 

 <pre> 
 # wget -O /etc/yum.repos.d/jhrozek-identity_demo.repo \ 
   http://copr-fe.cloud.fedoraproject.org/coprs/jhrozek/identity_demo/repo/epel-6-i386/ 
 </pre> 

 Install the packages: 

 <pre> 
 # yum install -y sssd-dbus mod_lookup_identity 
 </pre> 

 Update /etc/sssd/sssd.conf to enable the Infopipe feature of sssd. On my installation, I did: 

 <pre> 
 --- /etc/sssd/sssd.conf.orig 	 2013-12-10 03:09:20.751552952 -0500 
 +++ /etc/sssd/sssd.conf 	 2013-12-12 00:52:30.791240631 -0500 
 @@ -11,8 +11,10 @@ 
  chpass_provider = ipa 
  ipa_server = _srv_, ipa.example.com 
  dns_discovery_domain = example.com 
 +ldap_user_extra_attrs = mail, givenname, sn 
 + 
  [sssd] 
 -services = nss, pam, ssh 
 +services = nss, pam, ssh, ifp 
  config_file_version = 2 
 
  domains = example.com 
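Review bot: the added ldap_user_extra_attrs = mail, givenname, sn line has no comment tying it to the [ifp] user_attributes list in the next hunk and to the LookupUserAttr names in the Apache configuration; all three have to name the same attributes, otherwise an attribute requested by one side is never fetched by the other, so a one-line comment next to this line would help the next editor. Adding ifp to services also turns on the D-Bus InfoPipe responder, so the allowed_uids restriction in the following hunk is part of the same change and worth referencing here.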
 @@ -28,3 +30,7 @@ 
 
  [pac] 
 
 +[ifp] 
 +allowed_uids = 48, 0 
 +user_attributes = +mail, +givenname, +sn 
 + 
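Review bot: allowed_uids = 48, 0 relies on a bare numeric uid; add a comment naming which account 48 is on this RHEL 6 host (the Apache user, since httpd is the consumer here), because the uid differs on other systems and every uid listed here may query user attributes over D-Bus, so the list should stay this short. The hunk also adds a trailing blank line (the lone +) at end of file, which can be dropped.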
 </pre> 

With new enough selinux-policy, set the following boolean:

 <pre> 
 # setenforce 1 
 # setsebool -P httpd_dbus_sssd on 
 </pre> 

If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive. I know, this is bad, but it's a temporary workaround until the sssd-dbus feature settles in completely:

 <pre> 
 # setenforce 0 
 </pre> 

Configure mod_lookup_identity: for example, edit /etc/httpd/conf.d/lookup_identity.conf to have the following in it:

 <pre> 
 # cat >> /etc/httpd/conf.d/lookup_identity.conf <<EOF 
 LoadModule lookup_identity_module modules/mod_lookup_identity.so 

 <Location /users/extlogin> 
 LookupUserAttr mail REMOTE_USER_EMAIL " " 
 LookupUserAttr givenname REMOTE_USER_FIRSTNAME 
 LookupUserAttr sn REMOTE_USER_LASTNAME 
 </Location> 
 EOF 
 </pre> 

 Restart sssd and Apache: 

 <pre> 
 # service sssd restart 
 # service httpd restart 
 </pre> 

As admin, remove the previously autopopulated user from Foreman if there is one, so that it can be created again, now with attributes.

Now when you use a Kerberos ticket obtained from the IPA server to log in to Foreman, you should see the full name of the user instead of the login name in the top right corner of the screen, and if you inspect the user's details, the email address should be there as well.
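The setup above only works when the domain's ldap_user_extra_attrs, the [ifp] user_attributes list and the LookupUserAttr directives all name the same attributes, and when the httpd uid is in allowed_uids. The following script cross-checks those pieces before the restart; it is an added example, not code from this issue, Foreman or sssd, and it assumes the domain section is named [domain/<name>] and takes the httpd uid as a parameter (48 is only what this RHEL 6 host uses).

```ruby
# Minimal INI parser for sssd.conf: { "section" => { "key" => "value" } }.
def parse_ini(text)
  current, sections = nil, Hash.new { |h, k| h[k] = {} }
  text.each_line do |raw|
    line = raw.strip
    if line =~ /\A\[(.+)\]\z/ then current = Regexp.last_match(1)
    elsif current && line =~ /\A([^#=]+?)\s*=\s*(.*)\z/ then sections[current][$1] = $2
    end
  end
  sections
end
# Split a comma-separated sssd value such as "nss, pam, ssh, ifp" into its items.
def csv(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end
# Returns the mismatches found; an empty list means the three pieces agree.
def check_identity_setup(sssd_conf, httpd_conf, httpd_uid)
  ini = parse_ini(sssd_conf)
  problems = []
  problems << 'ifp missing from [sssd] services' unless csv(ini['sssd']['services']).include?('ifp')
  problems << "uid #{httpd_uid} missing from [ifp] allowed_uids" unless csv(ini['ifp']['allowed_uids']).include?(httpd_uid.to_s)
  # [ifp] names extra attributes as "+mail"; each domain must fetch them via ldap_user_extra_attrs.
  exposed = csv(ini['ifp']['user_attributes']).map { |a| a.sub(/\A\+/, '') }
  csv(ini['sssd']['domains']).each do |domain|
    fetched = csv(ini["domain/#{domain}"]['ldap_user_extra_attrs'])
    (exposed - fetched).each { |a| problems << "[ifp] exposes #{a} but domain/#{domain} does not fetch it" }
  end
  # Every attribute Apache asks for must be one the InfoPipe exposes.
  httpd_conf.scan(/^\s*LookupUserAttr\s+(\S+)/).flatten.each do |a|
    problems << "httpd looks up #{a} but [ifp] does not expose it" unless exposed.include?(a)
  end
  problems
end

# Constructed sample input mirroring the configuration in this issue (not taken from a real host).
SSSD_CONF = <<~CONF
  [domain/example.com]
  ldap_user_extra_attrs = mail, givenname, sn
  [sssd]
  services = nss, pam, ssh, ifp
  domains = example.com
  [ifp]
  allowed_uids = 48, 0
  user_attributes = +mail, +givenname, +sn
CONF
HTTPD_CONF = <<~CONF
  LookupUserAttr mail REMOTE_USER_EMAIL " "
  LookupUserAttr givenname REMOTE_USER_FIRSTNAME
  LookupUserAttr sn REMOTE_USER_LASTNAME
CONF
puts(check_identity_setup(SSSD_CONF, HTTPD_CONF, 48).empty? ? 'configuration consistent' : 'mismatch found')
```

Run it against the real files with `File.read('/etc/sssd/sssd.conf')` and `File.read('/etc/httpd/conf.d/lookup_identity.conf')` in place of the constants; any line it prints points at the piece that disagrees.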
