Project

General

Profile

Foreman and mod auth kerb » History » Version 14

Jan Pazdziora, 01/31/2014 09:55 AM

1 3 Jan Pazdziora
{{>toc}}
2
3 4 Jan Pazdziora
h1. Foreman and mod_auth_kerb
4 1 Jan Pazdziora
5 13 Jan Pazdziora
Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4.
6 1 Jan Pazdziora
7 13 Jan Pazdziora
h2. Kerberos
8 2 Jan Pazdziora
9 13 Jan Pazdziora
Foreman 1.4 has support for SPNEGO/GSSAPI/Negotiate authentication. This page documents how to use the feature.
10 1 Jan Pazdziora
11 13 Jan Pazdziora
In this example, we assume the Foreman machine is IPA-enrolled:
12 1 Jan Pazdziora
13
<pre>
14 12 Jan Pazdziora
# ipa-client-install
15 1 Jan Pazdziora
</pre>
16
17 9 Jan Pazdziora
On the IPA server, we create the service:
18 1 Jan Pazdziora
19
<pre>
20 12 Jan Pazdziora
# ipa service-add HTTP/<the-foreman-hostname>
21 1 Jan Pazdziora
</pre>
22
23
On the Foreman machine, we get the keytab for the service:
24
25
<pre>
26 12 Jan Pazdziora
# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
27
# chown apache /etc/http.keytab
28
# chmod 600 /etc/http.keytab
29 1 Jan Pazdziora
</pre>
30
31
On the Foreman machine, we install mod_auth_kerb:
32
33
<pre>
34 12 Jan Pazdziora
# yum install -y mod_auth_kerb
35 1 Jan Pazdziora
</pre>
36
37
On the Foreman machine, we configure it to be used by Apache:
38
39
<pre>
40 12 Jan Pazdziora
<Location /users/extlogin>
41 1 Jan Pazdziora
 AuthType Kerberos
42
 AuthName "Kerberos Login"
43
 KrbMethodNegotiate On
44
 KrbMethodK5Passwd Off
45
 KrbAuthRealms EXAMPLE.COM
46
 Krb5KeyTab /etc/http.keytab
47
 KrbLocalUserMapping On
48
 require valid-user
49 12 Jan Pazdziora
 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
50
 # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
51
 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
52
</Location>
53 1 Jan Pazdziora
</pre>
54
55 12 Jan Pazdziora
On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:
56 1 Jan Pazdziora
57 2 Jan Pazdziora
<pre>
58 12 Jan Pazdziora
# to /etc/foreman/settings.yaml add
59
:authorize_login_delegation: true
60
:authorize_login_delegation_auth_source_user_autocreate: External
61 2 Jan Pazdziora
</pre>
62
63 1 Jan Pazdziora
On Foreman machine, restart Apache:
64 2 Jan Pazdziora
65
<pre>
66 1 Jan Pazdziora
# service httpd restart
67
</pre>
68
69 14 Jan Pazdziora
Now if you @kinit@ to obtain ticket-granting ticket (or use some graphical tool), accessing Foreman's WebUI via your your browser should not ask for login/password and should display the authenticated dashboard directly. If the user was just created, page asking for the email address of this new user will be shown.
70 1 Jan Pazdziora
71 13 Jan Pazdziora
h2. Additional user attributes
72 1 Jan Pazdziora
73 13 Jan Pazdziora
Since often the central identity provider like FreeIPA holds email address of users, it is reasonable to expect that the address in Foreman will be set to the value from the central provider, rather than forcing user to enter it manually. That is possible with mod_lookup_identity and sssd-dbus.
74
75
These packages are currently available from repos at http://copr-fe.cloud.fedoraproject.org/coprs/adelton/identity_demo/. Work to get them to Fedora is under way.
76
77 14 Jan Pazdziora
Get the appropriate @.repo@ file for your OS and put it to @/etc/yum.repos.d@ directory. Then install the packages:
78 13 Jan Pazdziora
79
<pre>
80
# yum install mod_lookup_identity sssd-dbus -y
81
</pre>
82
83 14 Jan Pazdziora
Apply the following patch to @/etc/sssd/sssd.conf@ (your configuration might be different so you might want to do the changes manually):
84 13 Jan Pazdziora
<pre>
85
--- /etc/sssd/sssd.conf.orig    2013-12-10 03:09:20.751552952 -0500
86
+++ /etc/sssd/sssd.conf    2013-12-12 00:52:30.791240631 -0500
87
@@ -11,6 +11,8 @@
88
 ldap_tls_cacert = /etc/ipa/ca.crt
89
+ldap_user_extra_attrs = mail, givenname, sn
90
+
91
 [sssd]
92
-services = nss, pam, ssh
93
+services = nss, pam, ssh, ifp
94
 config_file_version = 2
95
96
 domains = example.com
97
@@ -28,3 +30,7 @@
98
99
 [pac]
100
101
+[ifp]
102
+allowed_uids = apache, root
103
+user_attributes = +mail, +givenname, +sn
104
+
105
</pre>
106
107
Configure the mod_lookup_identity module:
108
109
<pre>
110
 LoadModule lookup_identity_module modules/mod_lookup_identity.so
111
 <Location /users/extlogin>
112
  LookupUserAttr mail REMOTE_USER_EMAIL " " 
113
  LookupUserAttr givenname REMOTE_USER_FIRSTNAME
114
  LookupUserAttr sn REMOTE_USER_LASTNAME
115
 </Location>
116
</pre>
117
118
Put SELinux to permissive (the need to do this is a bug https://bugzilla.redhat.com/show_bug.cgi?id=1053363 and will be fixed):
119
120
<pre>
121
# setenforce 0
122
</pre>
123
124
Restart sssd and Apache:
125
126
<pre>
127
# service sssd restart
128
# service httpd restart
129
</pre>
130
131
h2. Disabling auto-creation of externally authentication users
132
133 1 Jan Pazdziora
If only already existing users should be allowed to log in, remove/comment out the line
134 11 Jan Pazdziora
135 5 Jan Pazdziora
<pre>
136 12 Jan Pazdziora
:authorize_login_delegation: true
137
:authorize_login_delegation_auth_source_user_autocreate: External
138 5 Jan Pazdziora
</pre>
139
140 12 Jan Pazdziora
from /etc/foreman/settings.yaml.
141 5 Jan Pazdziora
142 13 Jan Pazdziora
h2. Namespace separation
143 5 Jan Pazdziora
144 6 Jan Pazdziora
If clear namespace separation of internally and externally authenticated users is desired, the KrbLocalUserMapping should be off:
145
146
<pre>
147 12 Jan Pazdziora
# in /etc/httpd/conf.d/auth_kerb.conf use
148 1 Jan Pazdziora
<Location /users/extlogin>
149
 AuthType Kerberos
150 12 Jan Pazdziora
 ...
151 6 Jan Pazdziora
 KrbLocalUserMapping Off
152
</Location>
153 1 Jan Pazdziora
</pre>
154
155 6 Jan Pazdziora
Then the @REALM would be part of the username and it would be clear that bob is INTERNAL-authenticated and bob@EXAMPLE.COM is different user, EXTERNAL-authenticated. The admin then can manually create another admin@EXAMPLE.COM user (with administrator privileges) and even the admin can use Kerberos.
156 12 Jan Pazdziora
157 13 Jan Pazdziora
158
159 6 Jan Pazdziora
h2. This work
160 12 Jan Pazdziora
161
See "older version of this page":http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/11 for the original situation in Foreman 1.3.
162 13 Jan Pazdziora
163
This work is Foreman-specific implementation of http://www.freeipa.org/page/Web_App_Authentication.