Foreman and mod auth kerb » History » Version 11

Jan Pazdziora, 10/31/2013 08:55 AM

{{>toc}}

h1. Foreman and mod_auth_kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.3.

h2. Foreman 1.3

Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication.

We need mod_auth_kerb installed on the Foreman machine.

We assume the Foreman machine is IPA-enrolled:

<pre>
 # ipa-client-install
</pre>

On the IPA server, we create the service:

<pre>
 # ipa service-add HTTP/<the-foreman-hostname>
</pre>

On the Foreman machine, we get the keytab for the service. The keytab holds the long-term key of the HTTP service principal, so it must be readable only by the user Apache runs as:

<pre>
 # ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
 # chown apache /etc/http.keytab
 # chmod 600 /etc/http.keytab
</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>
 # yum install -y mod_auth_kerb
</pre>

On the Foreman machine, we configure it to be used by Apache. KrbMethodK5Passwd is kept Off so that a browser without a ticket is never offered Basic authentication, which would send the user's Kerberos password to the web server:

<pre>
 # to /etc/httpd/conf.d/auth_kerb.conf add
 <Location />
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/http.keytab
 KrbLocalUserMapping On
 require valid-user
 </Location>
</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache. With this setting Foreman accepts the REMOTE_USER value handed over by the web server as an already authenticated login, so Foreman must be reachable only through this Apache instance; any other path to the application (a second vhost without mod_auth_kerb, a proxy that forwards client-supplied headers) would let a client pick its own identity:

<pre>
 # to /etc/foreman/settings.yaml add
 :authorize_login_delegation: true
 :login_delegation_logout_url: /
</pre>

On the Foreman machine, restart Apache:

<pre>
 # service httpd restart
</pre>

Now in your browser, if you kinit to obtain a ticket, accessing Foreman's WebUI should not ask for login/password and should display the authenticated dashboard directly. (Firefox only sends Negotiate to hosts listed in network.negotiate-auth.trusted-uris, so the Foreman hostname or its domain has to be added there first.)
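The configuration above can be checked before Apache is restarted. The following Ruby script is an added example, not code from the Foreman project, from mod_auth_kerb or from this page: it parses an auth_kerb.conf-style file, reports settings that weaken or break the setup (a catch-all <Location />, KrbMethodK5Passwd On, a missing Krb5KeyTab or require directive), and checks that a keytab is not readable by group or others. The sample configuration embedded in it is constructed to mirror the one above; the file paths and the owner name apache are assumptions.

```ruby
# Added example (not part of the Foreman wiki page, Foreman or mod_auth_kerb):
# a pre-flight check for the Apache/Kerberos setup described above.
# Run it as: ruby check_auth_kerb.rb /etc/httpd/conf.d/auth_kerb.conf /etc/http.keytab
# Without arguments it audits the constructed SAMPLE_CONF below.
require 'etc'
require 'tempfile'

# Parse <Location ...> blocks into { path => { directive => value } }.
# Directive names are case-insensitive in Apache, so they are downcased.
def parse_locations(conf)
  locations = {}
  current = nil
  conf.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\A<Location\s+(\S+)\s*>\z}i))
      current = locations[m[1]] = {}
    elsif line.match?(%r{\A</Location>\z}i)
      current = nil
    elsif current
      name, value = line.split(/\s+/, 2)
      current[name.downcase] = value.to_s
    end
  end
  locations
end

# Return a list of findings for every Kerberos-protected Location.
def audit_auth_kerb(conf)
  findings = []
  parse_locations(conf).each do |path, d|
    next unless d['authtype'].to_s.casecmp('kerberos').zero?
    findings << "#{path}: <Location /> protects every URL, including ones that must stay anonymous" if path == '/'
    findings << "#{path}: KrbMethodNegotiate is not On, SPNEGO will not be offered" unless d['krbmethodnegotiate'].to_s.casecmp('on').zero?
    findings << "#{path}: KrbMethodK5Passwd is On, browsers without a ticket fall back to Basic auth and send the Kerberos password to Apache" if d['krbmethodk5passwd'].to_s.casecmp('on').zero?
    findings << "#{path}: no Krb5KeyTab, the default system keytab would be used and apache normally cannot read it" unless d.key?('krb5keytab')
    findings << "#{path}: no require directive, Apache will not enforce authentication here" unless d.key?('require')
  end
  findings
end

# Report a keytab whose mode lets group or others read it. Pass nil as
# expected_owner to skip the ownership check (e.g. when testing as a non-root user).
def audit_keytab(path, expected_owner = 'apache')
  st = File.stat(path)
  findings = []
  findings << "#{path}: mode #{format('%04o', st.mode & 0o7777)} is readable by group or others" if (st.mode & 0o077) != 0
  owner = begin
    Etc.getpwuid(st.uid).name
  rescue ArgumentError
    st.uid.to_s
  end
  findings << "#{path}: owned by #{owner}, expected #{expected_owner}" if expected_owner && owner != expected_owner
  findings
end

# Constructed sample that mirrors the first configuration on the page.
SAMPLE_CONF = <<~CONF
  <Location />
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
  </Location>
CONF

if $PROGRAM_NAME == __FILE__
  conf = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CONF
  puts audit_auth_kerb(conf)
  puts audit_keytab(ARGV[1]) if ARGV[1]
end
```

Against the sample the only finding is the catch-all <Location />, which is exactly the first problem discussed in the next section; once the location is narrowed to /users/extlogin the audit is clean.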
h2. The problems with the above approach

h3. It authenticates too much

Some of the locations in Foreman might need the authentication disabled and the proposed <Location /> will cover them all. They need to be identified and exceptions added to the Apache configuration.

h3. Two HTTP requests for each click

This configuration forces the negotiation to happen for every access to the WebUI: the first request gets a 401 response carrying @WWW-Authenticate: Negotiate@, and only the second request, repeated by the browser with an @Authorization: Negotiate@ token, gets the 200 result.

h3. Users have to be defined in Foreman's database

Foreman only accepts a REMOTE_USER that matches an existing user record; a Kerberos principal that is not already in Foreman's database is not let in.

h2. Possible solutions
h3. Separate logon location /users/extlogin

The solution to the first two problems will likely be in only enabling the authentication for some logon location. That will however require some code changes. The /users/login cannot be used because in Foreman 1.3, there is

<pre>
 app/controllers/users_controller.rb:  skip_before_filter :require_login, :authorize, :session_expiry, :update_activity_time, :set_taxonomy, :set_gettext_locale_db, :only => [:login, :logout]
</pre>

so even if we'd use @<Location /users/login>@, the @require_login@ (== authenticate) would not be run and REMOTE_USER would not be consumed.

Pull request https://github.com/theforeman/foreman/pull/958 (https://github.com/adelton/foreman/commit/77bd5cde7bf530ca13127816b344fe0ce8de2a1c) was opened against Foreman. With these patches and the configuration of mod_auth_kerb changed to

<pre>
 <Location /users/extlogin>
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/http.keytab
 KrbLocalUserMapping On
 require valid-user
 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
 # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
 </Location>
</pre>

the user's browser is redirected to /users/extlogin where the SPNEGO authentication is tried, and if it fails, the normal /users/login method is used. After the SPNEGO authentication, a normal Foreman session is created and used, and since the rest of the Foreman WebUI is not covered by any AuthType, the negotiation does not happen again. Kerberos is thus involved only at login time; every later request is protected by the Foreman session cookie alone.

The patches support /users/extlogin not being configured properly, session expiration, and session logout.

The setting

<pre>
 :login_delegation_logout_url: /
</pre>

is no longer needed or used.
h3. Auto-creation of externally authenticated users

Latest updates to https://github.com/theforeman/foreman/pull/967 contain code which allows previously unseen users to be automatically created. It gets enabled in /etc/foreman/settings.yaml via

<pre>
 :authorize_login_delegation: true
 :authorize_login_delegation_auth_source_user_autocreate: External
</pre>

where the value of authorize_login_delegation_auth_source_user_autocreate is the name of the auth_source to be used as the target for these new users.

With the current code, only the login is populated, so upon login, the user is redirected to the Edit User page where at least the email address needs to be filled in.

h3. Namespace separation

If clear namespace separation of internally and externally authenticated users is desired, KrbLocalUserMapping should be off:

<pre>
 # in /etc/httpd/conf.d/auth_kerb.conf use
 <Location /users/extlogin>
 AuthType Kerberos
 ...
 KrbLocalUserMapping Off
 </Location>
</pre>

Then the @REALM suffix is part of the username and it is clear that bob is an INTERNAL-authenticated user while bob@EXAMPLE.COM is a different, EXTERNAL-authenticated user. With KrbLocalUserMapping On the realm is stripped by Apache, so a Kerberos principal bob@EXAMPLE.COM logs in as Foreman's existing bob, whatever auth source that account was created with. The admin can then manually create another admin@EXAMPLE.COM user (with administrator privileges) so that even the admin can use Kerberos.
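To make the difference between the two mappings concrete, here is an added Ruby example (hypothetical code, neither Foreman's login delegation nor mod_auth_kerb's mapping, but a small model of both) that also covers the "Users have to be defined in Foreman's database" problem and the auto-creation setting above. It assumes EXAMPLE.COM is the default_realm in krb5.conf, models KrbLocalUserMapping as krb5's default auth_to_local rule (strip the realm only when it is the default realm, otherwise pass the full principal through), and uses a constructed in-memory user table in place of Foreman's database.

```ruby
# Added example, not Foreman's or mod_auth_kerb's code: a model of the two
# steps that decide which Foreman account a Kerberos principal ends up in.
# Step 1 models what Apache puts into REMOTE_USER; step 2 models Foreman's
# login delegation with the optional auto-creation auth source.

DEFAULT_REALM = 'EXAMPLE.COM'  # assumption: default_realm from /etc/krb5.conf

# Step 1: REMOTE_USER as set by mod_auth_kerb. With KrbLocalUserMapping On the
# default auth_to_local rule reduces a default-realm principal to its local
# name; principals from other realms are kept whole (modelling assumption).
def apache_remote_user(principal, local_user_mapping:)
  return principal unless local_user_mapping
  name, realm = principal.split('@', 2)
  realm == DEFAULT_REALM ? name : principal
end

User = Struct.new(:login, :auth_source, :email, :admin)

# Step 2: login delegation. REMOTE_USER is trusted as already authenticated;
# the login is looked up, and an unknown login is either rejected or created in
# the configured autocreate auth source with nothing but the login filled in.
# Returns the User or nil; appends to +users+, the constructed "database".
def delegate_login(remote_user, users, autocreate_source: nil)
  return nil if remote_user.nil? || remote_user.empty?
  user = users.find { |u| u.login == remote_user }
  return user if user
  return nil unless autocreate_source
  # Auto-created users never get administrator rights; an admin@REALM
  # account has to be created by hand, as the text above says.
  users << User.new(remote_user, autocreate_source, nil, false)
  users.last
end

# True when the account still lacks the data Foreman asks for after login.
def needs_profile_completion?(user)
  user.email.nil?
end

# Constructed sample data: two INTERNAL accounts that pre-exist in Foreman.
def sample_users
  [User.new('admin', 'Internal', 'admin@example.com', true),
   User.new('bob', 'Internal', 'bob@example.com', false)]
end

if $PROGRAM_NAME == __FILE__
  %w[bob@EXAMPLE.COM admin@EXAMPLE.COM carol@EXAMPLE.COM bob@OTHER.REALM].each do |principal|
    [true, false].each do |mapping|
      remote_user = apache_remote_user(principal, local_user_mapping: mapping)
      user = delegate_login(remote_user, sample_users, autocreate_source: 'External')
      outcome = user ? "#{user.login} (#{user.auth_source})" : 'rejected'
      puts "#{principal} KrbLocalUserMapping=#{mapping ? 'On' : 'Off'} -> REMOTE_USER=#{remote_user} -> #{outcome}"
    end
  end
end
```

Running it shows the collision the text warns about: with mapping On, bob@EXAMPLE.COM arrives as plain bob and is let into the Internal bob account, while with mapping Off the same principal is a separate login that is rejected until auto-creation is configured, and then lands in the External auth source with an empty profile and no administrator rights.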