h1. Foreman and mod auth kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.3.

Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication.

We need mod_auth_kerb installed on the Foreman machine.

We assume the Foreman machine is IPA-enrolled:

<pre>

 # ipa-client-install

</pre>

On the IPA server, we crete the service:

<pre>

 # ipa service-add HTTP/<the-foreman-hostname>

</pre>

On the Foreman machine, we get the keytab for the service:

<pre>

 # ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )

 # chown apache /etc/http.keytab

 # chmod 600 /etc/http.keytab

</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>

 # yum install -y mod_auth_kerb

</pre>

On the Foreman machine, we configure it to be used by Apache:

<pre>

 # to /etc/httpd/conf.d/auth_kerb.conf add

 <Location />

 AuthType Kerberos

 AuthName "Kerberos Login"

 KrbMethodNegotiate On

 KrbMethodK5Passwd Off

 KrbAuthRealms EXAMPLE.COM

 Krb5KeyTab /etc/http.keytab

 KrbLocalUserMapping On

 require valid-user

 </Location>

</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication dome by Apache:

<pre>

 # to /etc/foreman/settings.yaml add

 :authorize_login_delegation: true

 :login_delegation_logout_url: /

</pre>

On Foreman machine, restart Apache:

<pre>

 # service httpd restart

</pre>

Now in your browser, if you kinit to obtain a ticket, accessing Foreman's WebUI should not ask for login/password and should display the authenticated dashboard directly.