Foreman and mod auth kerb » History » Revision 12
Jan Pazdziora, 12/10/2013 08:25 AM
Foreman and mod_auth_kerb
Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4-to-be.
Foreman 1.4-to-be (develop as of December 2013)
Foreman 1.4 will have support for SPNEGO/GSSAPI/Negotiate authentication.
We need mod_auth_kerb installed on the Foreman machine.
We assume the Foreman machine is IPA-enrolled:
# ipa-client-install
On the IPA server, we create the service:
# ipa service-add HTTP/<the-foreman-hostname>
On the Foreman machine, we get the keytab for the service:
# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
# chown apache /etc/http.keytab
# chmod 600 /etc/http.keytab
On the Foreman machine, we install mod_auth_kerb:
# yum install -y mod_auth_kerb
On the Foreman machine, we configure it to be used by Apache:
<Location /users/extlogin>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/http.keytab
    KrbLocalUserMapping On
    require valid-user
    ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
    # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
    ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
</Location>
On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:
# to /etc/foreman/settings.yaml add
:authorize_login_delegation: true
:authorize_login_delegation_auth_source_user_autocreate: External
On the Foreman machine, restart Apache:
# service httpd restart
Now, if you kinit to obtain a ticket and access Foreman's WebUI in your browser, it should not ask for a login/password and should display the authenticated dashboard directly. If the user was just auto-created, a page asking for the email address of this new user will be shown.
Disabling auto-creation of externally authenticated users
If only already existing users should be allowed to log in, remove/comment out the line
:authorize_login_delegation: true
:authorize_login_delegation_auth_source_user_autocreate: External
from /etc/foreman/settings.yaml.
Namespace separation
If clear namespace separation of internally and externally authenticated users is desired, the KrbLocalUserMapping should be off:
# in /etc/httpd/conf.d/auth_kerb.conf use
<Location /users/extlogin>
    AuthType Kerberos
    ...
    KrbLocalUserMapping Off
</Location>
Then the @REALM suffix stays part of the username, making it clear that bob is an INTERNAL-authenticated user while bob@EXAMPLE.COM is a different, EXTERNAL-authenticated user. The admin can then manually create a separate admin@EXAMPLE.COM user (with administrator privileges), so that even the admin can log in with Kerberos.
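The Apache block above and the settings.yaml lines only work as a pair, and the namespace choice depends on both KrbLocalUserMapping and the autocreate setting. The following audit script is an added example (not part of this wiki page or of Foreman itself) that parses constructed copies of both files with the standard library only and reports the inconsistencies a reviewer would look for: a missing require valid-user, KrbMethodK5Passwd left on (Basic-auth password fallback), delegation not enabled in Foreman, and auto-creation combined with KrbLocalUserMapping On, which drops the @REALM and puts external users in the same namespace as internal ones.

```python
import re

# Constructed sample inputs mirroring the page's setup (not copied from a live host).
APACHE_CONF = """\
<Location /users/extlogin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
</Location>
"""
SETTINGS_YAML = """\
:authorize_login_delegation: true
:authorize_login_delegation_auth_source_user_autocreate: External
"""

def parse_location(conf, path="/users/extlogin"):
    """Directives inside <Location path> as {lowercased name: value}; comments skipped."""
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path), conf, re.S)
    directives = {}
    for line in (m.group(1).splitlines() if m else []):
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives

def parse_settings(yaml_text):
    """Minimal stdlib parser for the flat ':key: value' lines in settings.yaml."""
    return {m.group(1): m.group(2) for m in
            (re.match(r"\s*:(\w+):\s*(\S+)", ln) for ln in yaml_text.splitlines()) if m}

def audit(conf, yaml_text):
    """Cross-check the Apache half and the Foreman half of delegated login."""
    d, s, findings = parse_location(conf), parse_settings(yaml_text), []
    if not d:
        return ["no <Location /users/extlogin> block: nothing protects the external login path"]
    if d.get("require") != "valid-user":
        findings.append("missing 'require valid-user': the location does not enforce authentication")
    if d.get("krbmethodk5passwd", "off").lower() != "off":
        findings.append("KrbMethodK5Passwd On: browsers may fall back to Basic auth and send the Kerberos password to the web server")
    if s.get("authorize_login_delegation") != "true":
        findings.append("authorize_login_delegation not true: Foreman ignores the user Apache authenticated")
    if s.get("authorize_login_delegation_auth_source_user_autocreate") and \
            d.get("krblocalusermapping", "off").lower() == "on":
        findings.append("auto-creation with KrbLocalUserMapping On: bob@EXAMPLE.COM is created as 'bob', sharing the namespace with internal users")
    return findings
```

Run audit() against the real /etc/httpd/conf.d/auth_kerb.conf and /etc/foreman/settings.yaml contents; an empty list means the two halves agree with the namespace-separated setup described in this section.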
This work
See older version of this page for the original situation in Foreman 1.3.
Updated by Jan Pazdziora about 11 years ago · 17 revisions