{{>toc}}

h1. Foreman and mod_auth_kerb

Setting up SPNEGO/GSSAPI/Negotiate authentication in Foreman 1.4.

h2. Kerberos

Foreman 1.4 has support for SPNEGO/GSSAPI/Negotiate authentication. This page documents how to use the feature.

In this example, we assume the Foreman machine is IPA-enrolled:

<pre>

# ipa-client-install

</pre>

On the IPA server, we create the service:

<pre>

# ipa service-add HTTP/<the-foreman-hostname>

</pre>

On the Foreman machine, we get the keytab for the service:

<pre>

# ipa-getkeytab -s ipa.example.com -k /etc/http.keytab -p HTTP/$( hostname )

# chown apache /etc/http.keytab

# chmod 600 /etc/http.keytab

</pre>

On the Foreman machine, we install mod_auth_kerb:

<pre>

# yum install -y mod_auth_kerb

</pre>

On the Foreman machine, we configure it to be used by Apache in /etc/httpd/conf.d/auth_kerb.conf:

<pre>

<Location /users/extlogin>

 AuthType Kerberos

 AuthName "Kerberos Login"

 KrbMethodNegotiate On

 KrbMethodK5Passwd Off

 KrbAuthRealms EXAMPLE.COM

 Krb5KeyTab /etc/http.keytab

 KrbLocalUserMapping On

 require valid-user

 ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

 # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087

 ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

</Location>

</pre>

On the Foreman machine, we tell Foreman that it is OK to trust the authentication done by Apache:

<pre>

# to /etc/foreman/settings.yaml add

:authorize_login_delegation: true

:authorize_login_delegation_auth_source_user_autocreate: External

</pre>

On Foreman machine, restart Apache:

<pre>

# service httpd restart

</pre>

Now if you @kinit@ to obtain ticket-granting ticket (or use some graphical tool), accessing Foreman's WebUI via your your browser should not ask for login/password and should display the authenticated dashboard directly. If the user was just created, page asking for the email address of this new user will be shown.

h2. Additional user attributes

Since often the central identity provider like FreeIPA holds email address of users, it is reasonable to expect that the address in Foreman will be set to the value from the central provider, rather than forcing user to enter it manually. That is possible with mod_lookup_identity and sssd-dbus.

These packages are currently available from repos at http://copr-fe.cloud.fedoraproject.org/coprs/adelton/identity_demo/. Work to get them to Fedora is under way.

Get the appropriate @.repo@ file for your OS and put it to @/etc/yum.repos.d@ directory. Then install the packages:

<pre>

# yum install mod_lookup_identity sssd-dbus -y

</pre>

Apply the following patch to @/etc/sssd/sssd.conf@ (your configuration might be different so you might want to do the changes manually):

<pre>

--- /etc/sssd/sssd.conf.orig    2013-12-10 03:09:20.751552952 -0500

+++ /etc/sssd/sssd.conf    2013-12-12 00:52:30.791240631 -0500

@@ -11,6 +11,8 @@

 ldap_tls_cacert = /etc/ipa/ca.crt

+ldap_user_extra_attrs = mail, givenname, sn

+

 [sssd]

-services = nss, pam, ssh

+services = nss, pam, ssh, ifp

 config_file_version = 2

 domains = example.com

@@ -28,3 +30,7 @@

 [pac]

+[ifp]

+allowed_uids = apache, root

+user_attributes = +mail, +givenname, +sn

+

</pre>

Configure the mod_lookup_identity module:

<pre>

 LoadModule lookup_identity_module modules/mod_lookup_identity.so

 <Location /users/extlogin>

  LookupUserAttr mail REMOTE_USER_EMAIL " " 

  LookupUserAttr givenname REMOTE_USER_FIRSTNAME

  LookupUserAttr sn REMOTE_USER_LASTNAME

 </Location>

</pre>

With new enough selinux-policy, set the following boolean:

<pre>

# setenforce 1

# setsebool -P httpd_dbus_sssd on

</pre>

If your policy doesn't have httpd_dbus_sssd, set SELinux to permissive:

<pre>

# setenforce 0

</pre>

Restart sssd and Apache:

<pre>

# service sssd restart

# service httpd restart

</pre>

h2. Disabling auto-creation of externally authentication users

If only already existing users should be allowed to log in, remove/comment out the line

<pre>

:authorize_login_delegation_auth_source_user_autocreate: External

</pre>

from /etc/foreman/settings.yaml.

h2. Namespace separation

If clear namespace separation of internally and externally authenticated users is desired, the KrbLocalUserMapping should be off:

<pre>

# in /etc/httpd/conf.d/auth_kerb.conf use

<Location /users/extlogin>

 AuthType Kerberos

 ...

 KrbLocalUserMapping Off

</Location>

</pre>

Then the @REALM would be part of the username and it would be clear that bob is INTERNAL-authenticated and bob@EXAMPLE.COM is different user, EXTERNAL-authenticated. The admin then can manually create another admin@EXAMPLE.COM user (with administrator privileges) and even the admin can use Kerberos.

h2. This work

See "older version of this page":http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/11 for the original situation in Foreman 1.3.

This work is Foreman-specific implementation of http://www.freeipa.org/page/Web_App_Authentication.