Foreman and mod auth kerb » History » Version 2

Jan Pazdziora, 10/17/2013 05:07 AM

h1. Foreman and mod auth kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.3.

h2. Foreman 1.3

Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication.

We need mod_auth_kerb installed on the Foreman machine.

We assume the Foreman machine is IPA-enrolled:

<pre>
 # ipa-client-install
</pre>

On the IPA server, we create the service:

<pre>
 # ipa service-add HTTP/<the-foreman-hostname>
</pre>

On the Foreman machine, we get the keytab for the service:

<pre>
 # ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )
 # chown apache /etc/http.keytab
 # chmod 600 /etc/http.keytab
</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>
 # yum install -y mod_auth_kerb
</pre>

On the Foreman machine, we configure it to be used by Apache:

<pre>
 # to /etc/httpd/conf.d/auth_kerb.conf add
 <Location />
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/http.keytab
 KrbLocalUserMapping On
 require valid-user
 </Location>
</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:

<pre>
 # to /etc/foreman/settings.yaml add
 :authorize_login_delegation: true
 :login_delegation_logout_url: /
</pre>

On the Foreman machine, restart Apache:

<pre>
 # service httpd restart
</pre>

Now in your browser, if you kinit to obtain a ticket, accessing Foreman's WebUI should not ask for login/password and should display the authenticated dashboard directly.

h2. The problems with the above approach

h3. It authenticates too much

Some of the locations in Foreman might need the authentication disabled, and the proposed <Location /> will cover them all. They need to be identified and exceptions added to the Apache configuration.

h3. Two HTTP requests for each click

This configuration will force the negotiation to happen for every access to the WebUI -- first a request answered with a 401 result, then a second request carrying the negotiation result, answered with a 200 result.

h3. Users have to be defined in Foreman's database

h2. Possible solutions

The solution to the first two problems will likely be in only enabling the authentication for some logon location. That will however require some code changes. The /users/login cannot be used because in Foreman 1.3, there is

<pre>
 app/controllers/users_controller.rb:  skip_before_filter :require_login, :authorize, :session_expiry, :update_activity_time, :set_taxonomy, :set_gettext_locale_db, :only => [:login, :logout]
</pre>

so even if we used @<Location /users/login>@, the @require_login@ filter (== authenticate) would not be run and REMOTE_USER would not be consumed.

Pull request https://github.com/theforeman/foreman/pull/958 (https://github.com/adelton/foreman/commit/77bd5cde7bf530ca13127816b344fe0ce8de2a1c) was opened against Foreman. With these patches and the configuration of mod_auth_kerb changed to

<pre>
 <Location /users/extlogin>
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/http.keytab
 KrbLocalUserMapping On
 require valid-user
 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
 </Location>
</pre>

the user's browser is redirected to /users/extlogin where the SPNEGO authentication is tried, and if it fails, the normal /users/login method is used. After the SPNEGO authentication, a normal Foreman session is created and used, and since the rest of the Foreman WebUI is not covered by any AuthType, the negotiation does not happen again.

The patches support /users/extlogin not being configured properly, session expiration, and session logout.
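
The extlogin flow described above, modelled as an added Ruby example that is not Foreman's or the pull request's code. It assumes Apache protects only /users/extlogin and sets REMOTE_USER there, that the ErrorDocument 401 redirect has already dealt with a failed negotiation before the app is reached, and that SESSION_TTL and the DelegatedAuthApp class are stand-ins for Foreman's session handling; it shows how one session replaces the per-click negotiation of the @<Location />@ setup.

```ruby
# Added example: a toy model of the login-delegation flow, not Foreman code.
# Apache/mod_auth_kerb is assumed to protect only /users/extlogin and to hand
# REMOTE_USER to the app there; a failed Negotiate never reaches the app because
# the ErrorDocument 401 page already sent the browser to /users/login.
require 'securerandom'

SESSION_TTL = 60 * 60 # assumed session lifetime in seconds

class DelegatedAuthApp
  # `now` is injectable so session expiry can be exercised in tests.
  def initialize(authorize_login_delegation: true, now: -> { Time.now })
    @delegation = authorize_login_delegation
    @now = now
    @sessions = {} # session id => { user:, expires_at: }
  end

  # Returns [status, location_or_body, new_session_id (only on login)].
  # `env` stands for the CGI variables Apache passes; `cookie` is the session id.
  def call(path, env = {}, cookie = nil)
    case path
    when '/users/extlogin'
      # Mirrors :authorize_login_delegation: REMOTE_USER is trusted only here.
      return [403, 'login delegation disabled'] unless @delegation
      user = env['REMOTE_USER']
      return [302, '/users/login'] if user.nil? || user.empty?
      sid = SecureRandom.hex(16)
      @sessions[sid] = { user: user, expires_at: @now.call + SESSION_TTL }
      [302, '/', sid]
    when '/users/logout'
      @sessions.delete(cookie)
      [302, '/users/login']
    else
      # No AuthType covers the rest of the UI, so no Negotiate round trip
      # happens; only a live Foreman session grants access here.
      session = @sessions[cookie]
      if session.nil? || session[:expires_at] <= @now.call
        @sessions.delete(cookie)
        return [302, '/users/extlogin']
      end
      [200, "dashboard for #{session[:user]}"]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  app = DelegatedAuthApp.new
  p app.call('/hosts')                                      # unauthenticated
  _, _, sid = app.call('/users/extlogin', { 'REMOTE_USER' => 'admin' })
  p app.call('/hosts', {}, sid)                             # session reused
end
```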

The setting

<pre>
 :login_delegation_logout_url: /
</pre>

is no longer needed/used.