{{>toc}}

h1. Foreman and mod_auth_kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4-to-be.

h2. Foreman 1.4-to-be (develop as of December 2013)

Foreman 1.4 will have support for SPNEGO/GSSAPI/Negotiate authentication.

We need mod_auth_kerb installed on the Foreman machine.

We assume the Foreman machine is IPA-enrolled:

<pre>

# ipa-client-install

</pre>

On the IPA server, we create the service:

<pre>

# ipa service-add HTTP/<the-foreman-hostname>

</pre>

On the Foreman machine, we get the keytab for the service:

<pre>

# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )

# chown apache /etc/http.keytab

# chmod 600 /etc/http.keytab

</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>

# yum install -y mod_auth_kerb

</pre>

On the Foreman machine, we configure it to be used by Apache:

<pre>

<Location /users/extlogin>

 AuthType Kerberos

 AuthName "Kerberos Login"

 KrbMethodNegotiate On

 KrbMethodK5Passwd Off

 KrbAuthRealms EXAMPLE.COM

 Krb5KeyTab /etc/http.keytab

 KrbLocalUserMapping On

 require valid-user

 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

 # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087

 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

</Location>

</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:

<pre>

# to /etc/foreman/settings.yaml add

:authorize_login_delegation: true

:authorize_login_delegation_auth_source_user_autocreate: External

</pre>

On Foreman machine, restart Apache:

<pre>

# service httpd restart

</pre>

Now in your browser, if you kinit to obtain a ticket, accessing Foreman's WebUI should not ask for login/password and should display the authenticated dashboard directly. If the user was just created, page asking for the email address of this new user will be shown.

h3. Disabling auto-creation of externally authentication users

If only already existing users should be allowed to log in, remove/comment out the line

<pre>

:authorize_login_delegation: true

:authorize_login_delegation_auth_source_user_autocreate: External

</pre>

from /etc/foreman/settings.yaml.

h3. Namespace separation

If clear namespace separation of internally and externally authenticated users is desired, the KrbLocalUserMapping should be off:

<pre>

# in /etc/httpd/conf.d/auth_kerb.conf use

<Location /users/extlogin>

 AuthType Kerberos

 ...

 KrbLocalUserMapping Off

</Location>

</pre>

Then the @REALM would be part of the username and it would be clear that bob is INTERNAL-authenticated and bob@EXAMPLE.COM is different user, EXTERNAL-authenticated. The admin then can manually create another admin@EXAMPLE.COM user (with administrator privileges) and even the admin can use Kerberos.

h2. This work

See "older version of this page":http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/11 for the original situation in Foreman 1.3.