Foreman and mod auth kerb » History » Version 17

Jan Pazdziora, 04/25/2014 02:27 PM

{{>toc}}

h1. Foreman and mod_auth_kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4.

h2. Kerberos

Foreman 1.4 has support for SPNEGO/GSSAPI/Negotiate authentication. This page documents how to use the feature.

In this example, we assume the Foreman machine is IPA-enrolled:

<pre>
# ipa-client-install
</pre>

On the IPA server, we create the service:

<pre>
# ipa service-add HTTP/<the-foreman-hostname>
</pre>

On the Foreman machine, we get the keytab for the service:

<pre>
# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
# chown apache /etc/http.keytab
# chmod 600 /etc/http.keytab
</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>
# yum install -y mod_auth_kerb
</pre>

On the Foreman machine, we configure Apache to use the module, in /etc/httpd/conf.d/auth_kerb.conf:

<pre>
<Location /users/extlogin>
 AuthType Kerberos
 AuthName "Kerberos Login"
 # Negotiate (SPNEGO) only: never fall back to prompting the browser for a Kerberos password
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/http.keytab
 # strip the local realm from the principal, so REMOTE_USER is just the login name
 KrbLocalUserMapping On
 require valid-user
 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
 # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
</Location>
</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:

<pre>
# to /etc/foreman/settings.yaml add
:authorize_login_delegation: true
:authorize_login_delegation_auth_source_user_autocreate: External
</pre>

On the Foreman machine, restart Apache:

<pre>
# service httpd restart
</pre>

Now if you @kinit@ to obtain a ticket-granting ticket (or use some graphical tool), accessing Foreman's WebUI via your browser should not ask for a login/password and should display the authenticated dashboard directly. If the user was just created, a page asking for the email address of this new user will be shown.

h2. Additional user attributes

Since the central identity provider, such as FreeIPA, often holds the email addresses of users, it is reasonable to expect that the address in Foreman will be set to the value from the central provider rather than forcing the user to enter it manually. That is possible with mod_lookup_identity and sssd-dbus.

These packages are currently available from repos at http://copr-fe.cloud.fedoraproject.org/coprs/adelton/identity_demo/. Work to get them into Fedora is under way.

Get the appropriate @.repo@ file for your OS and put it in the @/etc/yum.repos.d@ directory. Then install the packages:

<pre>
# yum install mod_lookup_identity sssd-dbus -y
</pre>

Apply the following patch to @/etc/sssd/sssd.conf@ (your configuration might differ, so you may prefer to make the changes manually):

<pre>
--- /etc/sssd/sssd.conf.orig    2013-12-10 03:09:20.751552952 -0500
+++ /etc/sssd/sssd.conf    2013-12-12 00:52:30.791240631 -0500
@@ -11,6 +11,8 @@
 ldap_tls_cacert = /etc/ipa/ca.crt
+ldap_user_extra_attrs = mail, givenname, sn
+
 [sssd]
-services = nss, pam, ssh
+services = nss, pam, ssh, ifp
 config_file_version = 2
 
 domains = example.com
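Review bot: the @ldap_user_extra_attrs = mail, givenname, sn@ line added after @ldap_tls_cacert@ only applies to the domain section it lands in, and the three names must match the @user_attributes@ whitelist in the @[ifp]@ section of the next hunk exactly; an attribute present on one side but not the other is simply not returned, so the corresponding REMOTE_USER_* variable stays unset without any error. Adding @ifp@ to @services@ also assumes the sssd-dbus package from the yum step above is already installed, otherwise sssd cannot start the InfoPipe responder after the restart.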
@@ -28,3 +30,7 @@
 
 [pac]
 
+[ifp]
+allowed_uids = apache, root
+user_attributes = +mail, +givenname, +sn
+
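Review bot: @allowed_uids = apache, root@ in the new @[ifp]@ section is the access control for the InfoPipe D-Bus interface, and listing only the uid httpd runs under plus root is the right scope; any uid added here can query the whitelisted attributes of every domain user, so do not widen it to other service accounts. @user_attributes = +mail, +givenname, +sn@ is the responder-side whitelist and has to stay in sync with @ldap_user_extra_attrs@ from the first hunk; the trailing empty @+@ line is harmless.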
</pre>

Configure the mod_lookup_identity module:

<pre>
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /users/extlogin>
 # the optional third argument is the separator used when the attribute has multiple values
 LookupUserAttr mail REMOTE_USER_EMAIL " "
 LookupUserAttr givenname REMOTE_USER_FIRSTNAME
 LookupUserAttr sn REMOTE_USER_LASTNAME
</Location>
</pre>

With a new enough selinux-policy, set the following boolean:

<pre>
# setenforce 1
# setsebool -P httpd_dbus_sssd on
</pre>

If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive:

<pre>
# setenforce 0
</pre>

Restart sssd and Apache:

<pre>
# service sssd restart
# service httpd restart
</pre>

h2. Disabling auto-creation of externally authenticated users

If only already existing users should be allowed to log in, remove or comment out the line

<pre>
:authorize_login_delegation_auth_source_user_autocreate: External
</pre>

from /etc/foreman/settings.yaml.

h2. Namespace separation

If clear namespace separation of internally and externally authenticated users is desired, KrbLocalUserMapping should be off:

<pre>
# in /etc/httpd/conf.d/auth_kerb.conf use
<Location /users/extlogin>
 AuthType Kerberos
 ...
 KrbLocalUserMapping Off
</Location>
</pre>

Then the @REALM is part of the username, and it is clear that bob is INTERNAL-authenticated while bob@EXAMPLE.COM is a different, EXTERNAL-authenticated user. The admin can then manually create another admin@EXAMPLE.COM user (with administrator privileges), so that even the admin can use Kerberos.
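The following added example (not Foreman's own code) models what the login delegation configured on this page does with the environment Apache hands to /users/extlogin: it only trusts REMOTE_USER when @authorize_login_delegation@ is on, autocreates only when the autocreate setting is present, fills the email and name from the mod_lookup_identity variables, and shows why KrbLocalUserMapping On lands the Kerberos bob on the internal bob while Off keeps bob@EXAMPLE.COM separate. The class names ExtLogin and UserStore and the sample environments are constructed for the illustration.

```ruby
# Added illustration, not Foreman's code: a minimal model of the /users/extlogin
# delegation with the CGI environment set by mod_auth_kerb (REMOTE_USER) and
# mod_lookup_identity (REMOTE_USER_*). ExtLogin/UserStore are hypothetical names.
class UserStore
  attr_reader :users                      # login => { :auth_source => ..., ... }
  def initialize; @users = {}; end
  def add(login, auth_source, attrs = {})
    @users[login] = { :auth_source => auth_source }.merge(attrs)
  end
end

class ExtLogin
  def initialize(store, settings)         # the two settings.yaml keys from this page
    @store      = store
    @delegate   = settings[:authorize_login_delegation]
    @autocreate = settings[:authorize_login_delegation_auth_source_user_autocreate]
  end

  # Returns the login to sign in, or nil (Foreman then shows /users/login).
  def call(env)
    login = env['REMOTE_USER']
    # REMOTE_USER is only trustworthy because Apache set it after Kerberos
    # succeeded; with delegation disabled it must be ignored entirely.
    return nil unless @delegate && login && !login.empty?
    return login if @store.users.key?(login)
    return nil unless @autocreate         # autocreate removed: existing users only
    @store.add(login, @autocreate,
               :mail      => env['REMOTE_USER_EMAIL'],
               :firstname => env['REMOTE_USER_FIRSTNAME'],
               :lastname  => env['REMOTE_USER_LASTNAME'])
    login
  end
end

# Constructed sample environments for the principal bob@EXAMPLE.COM.
ENV_MAPPED = { 'REMOTE_USER' => 'bob' }                       # KrbLocalUserMapping On
ENV_REALM  = { 'REMOTE_USER' => 'bob@EXAMPLE.COM',             # KrbLocalUserMapping Off
               'REMOTE_USER_EMAIL' => 'bob@example.com',
               'REMOTE_USER_FIRSTNAME' => 'Bob', 'REMOTE_USER_LASTNAME' => 'Example' }

# Mapping on: Kerberos bob lands on the pre-existing INTERNAL bob (same namespace).
# Mapping off: bob@EXAMPLE.COM is autocreated as a separate External user.
def demo
  store = UserStore.new
  store.add('bob', 'INTERNAL')            # local password-authenticated account
  ext = ExtLogin.new(store, :authorize_login_delegation => true,
                     :authorize_login_delegation_auth_source_user_autocreate => 'External')
  [ext.call(ENV_MAPPED), ext.call(ENV_REALM), store.users['bob@EXAMPLE.COM']]
end
```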

h2. This work

See "older version of this page":http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/11 for the original situation in Foreman 1.3.

This work is a Foreman-specific implementation of http://www.freeipa.org/page/Web_App_Authentication.