Foreman and mod auth kerb » History » Version 16
Stephen Benjamin, 03/13/2014 11:27 PM
Added path for Apache auth_kerb config
1 | 3 | Jan Pazdziora | {{>toc}} |
---|---|---|---|
2 | |||
3 | 4 | Jan Pazdziora | h1. Foreman and mod_auth_kerb |
4 | 1 | Jan Pazdziora | |
5 | 13 | Jan Pazdziora | Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4. |
6 | 1 | Jan Pazdziora | |
7 | 13 | Jan Pazdziora | h2. Kerberos |
8 | 2 | Jan Pazdziora | |
9 | 13 | Jan Pazdziora | Foreman 1.4 has support for SPNEGO/GSSAPI/Negotiate authentication. This page documents how to use the feature. |
10 | 1 | Jan Pazdziora | |
11 | 13 | Jan Pazdziora | In this example, we assume the Foreman machine is IPA-enrolled: |
12 | 1 | Jan Pazdziora | |
13 | <pre> |
||
14 | 12 | Jan Pazdziora | # ipa-client-install |
15 | 1 | Jan Pazdziora | </pre> |
16 | |||
17 | 9 | Jan Pazdziora | On the IPA server, we create the service: |
18 | 1 | Jan Pazdziora | |
19 | <pre> |
||
20 | 12 | Jan Pazdziora | # ipa service-add HTTP/<the-foreman-hostname> |
21 | 1 | Jan Pazdziora | </pre> |
22 | |||
23 | On the Foreman machine, we get the keytab for the service: |
||
24 | |||
25 | <pre> |
||
26 | 12 | Jan Pazdziora | # ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname ) |
27 | # chown apache /etc/http.keytab |
||
28 | # chmod 600 /etc/http.keytab |
||
29 | 1 | Jan Pazdziora | </pre> |
30 | |||
31 | On the Foreman machine, we install mod_auth_kerb: |
||
32 | |||
33 | <pre> |
||
34 | 12 | Jan Pazdziora | # yum install -y mod_auth_kerb |
35 | 1 | Jan Pazdziora | </pre> |
36 | |||
37 | 16 | Stephen Benjamin | On the Foreman machine, we configure it to be used by Apache in /etc/httpd/conf.d/auth_kerb.conf: |
38 | 1 | Jan Pazdziora | |
39 | <pre> |
||
40 | 12 | Jan Pazdziora | <Location /users/extlogin> |
41 | 1 | Jan Pazdziora | AuthType Kerberos |
42 | AuthName "Kerberos Login" |
||
43 | KrbMethodNegotiate On |
||
44 | KrbMethodK5Passwd Off |
||
45 | KrbAuthRealms EXAMPLE.COM |
||
46 | Krb5KeyTab /etc/http.keytab |
||
47 | KrbLocalUserMapping On |
||
48 | require valid-user |
||
49 | 12 | Jan Pazdziora | ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>' |
50 | # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087 |
||
51 | ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>' |
||
52 | </Location> |
||
53 | 1 | Jan Pazdziora | </pre> |
54 | |||
55 | 12 | Jan Pazdziora | On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache: |
56 | 1 | Jan Pazdziora | |
57 | 2 | Jan Pazdziora | <pre> |
58 | 12 | Jan Pazdziora | # to /etc/foreman/settings.yaml add |
59 | :authorize_login_delegation: true |
||
60 | :authorize_login_delegation_auth_source_user_autocreate: External |
||
61 | 2 | Jan Pazdziora | </pre> |
62 | |||
63 | 1 | Jan Pazdziora | On Foreman machine, restart Apache: |
64 | 2 | Jan Pazdziora | |
65 | <pre> |
||
66 | 1 | Jan Pazdziora | # service httpd restart |
67 | </pre> |
||
68 | |||
69 | 14 | Jan Pazdziora | Now if you @kinit@ to obtain ticket-granting ticket (or use some graphical tool), accessing Foreman's WebUI via your your browser should not ask for login/password and should display the authenticated dashboard directly. If the user was just created, page asking for the email address of this new user will be shown. |
70 | 1 | Jan Pazdziora | |
71 | 13 | Jan Pazdziora | h2. Additional user attributes |
72 | 1 | Jan Pazdziora | |
73 | 13 | Jan Pazdziora | Since often the central identity provider like FreeIPA holds email address of users, it is reasonable to expect that the address in Foreman will be set to the value from the central provider, rather than forcing user to enter it manually. That is possible with mod_lookup_identity and sssd-dbus. |
74 | |||
75 | These packages are currently available from repos at http://copr-fe.cloud.fedoraproject.org/coprs/adelton/identity_demo/. Work to get them to Fedora is under way. |
||
76 | |||
77 | 14 | Jan Pazdziora | Get the appropriate @.repo@ file for your OS and put it to @/etc/yum.repos.d@ directory. Then install the packages: |
78 | 13 | Jan Pazdziora | |
79 | <pre> |
||
80 | # yum install mod_lookup_identity sssd-dbus -y |
||
81 | </pre> |
||
82 | |||
83 | 14 | Jan Pazdziora | Apply the following patch to @/etc/sssd/sssd.conf@ (your configuration might be different so you might want to do the changes manually): |
84 | 13 | Jan Pazdziora | <pre> |
85 | --- /etc/sssd/sssd.conf.orig 2013-12-10 03:09:20.751552952 -0500 |
||
86 | +++ /etc/sssd/sssd.conf 2013-12-12 00:52:30.791240631 -0500 |
||
87 | @@ -11,6 +11,8 @@ |
||
88 | ldap_tls_cacert = /etc/ipa/ca.crt |
||
89 | +ldap_user_extra_attrs = mail, givenname, sn |
||
90 | + |
||
91 | [sssd] |
||
92 | -services = nss, pam, ssh |
||
93 | +services = nss, pam, ssh, ifp |
||
94 | config_file_version = 2 |
||
95 | |||
96 | domains = example.com |
||
97 | @@ -28,3 +30,7 @@ |
||
98 | |||
99 | [pac] |
||
100 | |||
101 | +[ifp] |
||
102 | +allowed_uids = apache, root |
||
103 | +user_attributes = +mail, +givenname, +sn |
||
104 | + |
||
105 | </pre> |
||
106 | |||
107 | Configure the mod_lookup_identity module: |
||
108 | |||
109 | <pre> |
||
110 | LoadModule lookup_identity_module modules/mod_lookup_identity.so |
||
111 | <Location /users/extlogin> |
||
112 | LookupUserAttr mail REMOTE_USER_EMAIL " " |
||
113 | LookupUserAttr givenname REMOTE_USER_FIRSTNAME |
||
114 | LookupUserAttr sn REMOTE_USER_LASTNAME |
||
115 | </Location> |
||
116 | </pre> |
||
117 | |||
118 | Put SELinux to permissive (the need to do this is a bug https://bugzilla.redhat.com/show_bug.cgi?id=1053363 and will be fixed): |
||
119 | |||
120 | <pre> |
||
121 | # setenforce 0 |
||
122 | </pre> |
||
123 | |||
124 | Restart sssd and Apache: |
||
125 | |||
126 | <pre> |
||
127 | # service sssd restart |
||
128 | # service httpd restart |
||
129 | </pre> |
||
130 | |||
131 | h2. Disabling auto-creation of externally authentication users |
||
132 | |||
133 | 1 | Jan Pazdziora | If only already existing users should be allowed to log in, remove/comment out the line |
134 | 11 | Jan Pazdziora | |
135 | 5 | Jan Pazdziora | <pre> |
136 | 12 | Jan Pazdziora | :authorize_login_delegation_auth_source_user_autocreate: External |
137 | 5 | Jan Pazdziora | </pre> |
138 | |||
139 | 12 | Jan Pazdziora | from /etc/foreman/settings.yaml. |
140 | 5 | Jan Pazdziora | |
141 | 13 | Jan Pazdziora | h2. Namespace separation |
142 | 5 | Jan Pazdziora | |
143 | 6 | Jan Pazdziora | If clear namespace separation of internally and externally authenticated users is desired, the KrbLocalUserMapping should be off: |
144 | |||
145 | <pre> |
||
146 | 12 | Jan Pazdziora | # in /etc/httpd/conf.d/auth_kerb.conf use |
147 | 1 | Jan Pazdziora | <Location /users/extlogin> |
148 | AuthType Kerberos |
||
149 | 12 | Jan Pazdziora | ... |
150 | 6 | Jan Pazdziora | KrbLocalUserMapping Off |
151 | </Location> |
||
152 | 1 | Jan Pazdziora | </pre> |
153 | |||
154 | 6 | Jan Pazdziora | Then the @REALM would be part of the username and it would be clear that bob is INTERNAL-authenticated and bob@EXAMPLE.COM is different user, EXTERNAL-authenticated. The admin then can manually create another admin@EXAMPLE.COM user (with administrator privileges) and even the admin can use Kerberos. |
155 | 12 | Jan Pazdziora | |
156 | 13 | Jan Pazdziora | |
157 | |||
158 | 6 | Jan Pazdziora | h2. This work |
159 | 12 | Jan Pazdziora | |
160 | See "older version of this page":http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/11 for the original situation in Foreman 1.3. |
||
161 | 13 | Jan Pazdziora | |
162 | This work is Foreman-specific implementation of http://www.freeipa.org/page/Web_App_Authentication. |