Foreman 1.5 brought almost complete external authentication support. However, configuring the environment (packages, Apache modules, sssd, keytab) is a manual process with many steps: http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication The foreman-installer should make it easy to enable external authentication via FreeIPA with a few command-line options.
Created from redmine issue http://projects.theforeman.org/issues/6445
Moving to POST since upstream bug http://projects.theforeman.org/issues/6445 has been closed
-------------
Jan Pazdziora
Created https://github.com/theforeman/puppet-foreman/pull/199
-------------
Jan Pazdziora
Applied in changeset commit:puppet-foreman|378d602424da89f4493767949d534b66942db8e2.
Katello-installer related update in https://github.com/Katello/katello-installer/pull/90
*** Bug 1102374 has been marked as a duplicate of this bug. ***
(In reply to Marek Hulan from comment #4)
> The pull request https://github.com/Katello/katello-installer/pull/90 seems to have been merged into Katello upstream.
Please provide what and how we need to test this here.
I see this link http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication and the steps. But I'm not sure exactly what steps to follow, when this task is supposed to get executed via katello-installer. Some detailed steps would be of great help here.
Explained on IRC, for the record: it's about testing that most of the steps from 5.7 are not required and the installer does them for you. You have to enroll the foreman host into FreeIPA and create the HTTP/$foreman_fqdn principal, then use the --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true options for the installer.
Tested with Sat6-GA-snap5

Registering Sat6/capsule box to IPA Server.
-----------------------------------
1) Just add a nameserver entry to /etc/resolv.conf as "nameserver xxx.xxx.xxx.xxx" in your sat6 box.
2) Run "ipa-client-install" on sat6 box/capsule.
3) Provide the domain info if asked for on prompting and be done registering sat6 box to IPA server.
4) Note:- Provide domain as "katellolabs.org" or whatever you have set your IPA server domain to.

Configuring External Authentication for Sat6 with IPA.
--------------------------------------
1) On the FreeIPA server, we create the service:
   ipa service-add HTTP/<the-foreman-hostname>
2) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

Observations
-----------------------------------------------------------------------
With the above configuration in place
1) The IPA users are now able to access the Sat6 UI.
2) These users upon first login get created under Users of Sat6, with "authorized type" as "external".
3) Then one could assign roles to the (external) IPA users for sat6, after logging in to sat6's admin account.
Installed Packages

candlepin-0.9.23-1.el6_5.noarch
candlepin-common-1.0.1-1.el6_5.noarch
candlepin-scl-1-5.el6_4.noarch
candlepin-scl-quartz-2.1.5-5.el6_4.noarch
candlepin-scl-rhino-1.7R3-1.el6_4.noarch
candlepin-scl-runtime-1-5.el6_4.noarch
candlepin-selinux-0.9.23-1.el6_5.noarch
candlepin-tomcat6-0.9.23-1.el6_5.noarch
createrepo-0.9.9-21.2.pulp.el6sat.noarch
elasticsearch-0.90.10-4.el6sat.noarch
katello-1.5.0-28.el6sat.noarch
katello-ca-1.0-1.noarch
katello-certs-tools-1.5.6-1.el6sat.noarch
katello-installer-0.0.59-1.el6sat.noarch
m2crypto-0.21.1.pulp-10.el6sat.x86_64
mod_wsgi-3.4-1.pulp.el6sat.x86_64
pulp-katello-0.3-3.el6sat.noarch
pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
pulp-server-2.4.0-0.30.beta.el6sat.noarch
python-gofer-qpid-1.3.0-1.el6sat.noarch
python-isodate-0.5.0-1.pulp.el6sat.noarch
python-kombu-3.0.15-12.pulp.el6sat.noarch
python-pulp-bindings-2.4.0-0.30.beta.el6sat.noarch
python-pulp-common-2.4.0-0.30.beta.el6sat.noarch
python-pulp-puppet-common-2.4.0-0.30.beta.el6sat.noarch
python-pulp-rpm-common-2.4.0-0.30.beta.el6sat.noarch
python-qpid-0.22-14.el6sat.noarch
python-qpid-qmf-0.22-37.el6.x86_64
qpid-cpp-client-0.22-42.el6.x86_64
qpid-cpp-server-0.22-42.el6.x86_64
qpid-cpp-server-linearstore-0.22-42.el6.x86_64
qpid-java-client-0.22-6.el6.noarch
qpid-java-common-0.22-6.el6.noarch
qpid-proton-c-0.7-1.el6.x86_64
qpid-qmf-0.22-37.el6.x86_64
qpid-tools-0.22-12.el6.noarch
ruby193-rubygem-katello-1.5.0-82.el6sat.noarch
rubygem-hammer_cli_katello-0.0.4-12.el6sat.noarch
rubygem-smart_proxy_pulp-1.0.0-1.1.el6sat.noarch
(In reply to Kedar Bidarkar from comment #12)
> I see this link http://theforeman.org/manuals/1.5/index.html#5.7ExternalAuthentication and the steps.
>
> But me not sure exactly what steps to follow, when this task is supposed to get executed via katello-installer.
>
> Some detailed steps would be of great help here.

We are working on getting the Foreman 1.6 documentation updated.
(In reply to Kedar Bidarkar from comment #14)
> Tested with Sat6-GA-snap5
>
> Registering Sat6/capsule box to IPA Server.
> -----------------------------------
>
> 1) Just add a nameserver entry to /etc/resolv.conf as "nameserver xxx.xxx.xxx.xxx" in your sat6 box.
> 2) Run "ipa-client-install" on sat6 box/capsule,
> 3) Provide the domain info if asked for on prompting and be done registering sat6 box to IPA server.
> 4) Note:- Provide domain as "katellolabs.org" or whatever you have set your IPA server domain to.
>
> Configuring External Authentication for Sat6 with IPA.
> --------------------------------------
>
> 1) On the FreeIPA server, we create the service:
>
> ipa service-add HTTP/<the-foreman-hostname>
>
> 2) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

This is *not* correct -- for Satellite, the thing has to work without the --foreman-configure-ipa-repo parameter. All the packages are (supposed to be) on the Satellite composes and in the Satellite channels and the customer is *not* supposed to get any external packages.

> Observations
> -----------------------------------------------------------------------
> With the above configuration in place
> 1) The IPA users are now able to access the Sat6 UI.
> 2) These users upon first login get created under Users of Sat6, with "authorized type" as "external".
> 3) Then one could assign roles to the (external) IPA users for sat6, after logging in to sat6's admin account.
>
> Installed Packages
>
> candlepin-0.9.23-1.el6_5.noarch
> candlepin-common-1.0.1-1.el6_5.noarch
> candlepin-scl-1-5.el6_4.noarch
> candlepin-scl-quartz-2.1.5-5.el6_4.noarch
> candlepin-scl-rhino-1.7R3-1.el6_4.noarch
> candlepin-scl-runtime-1-5.el6_4.noarch
> candlepin-selinux-0.9.23-1.el6_5.noarch
> candlepin-tomcat6-0.9.23-1.el6_5.noarch
> createrepo-0.9.9-21.2.pulp.el6sat.noarch
> elasticsearch-0.90.10-4.el6sat.noarch
> katello-1.5.0-28.el6sat.noarch
> katello-ca-1.0-1.noarch
> katello-certs-tools-1.5.6-1.el6sat.noarch
> katello-installer-0.0.59-1.el6sat.noarch
> m2crypto-0.21.1.pulp-10.el6sat.x86_64
> mod_wsgi-3.4-1.pulp.el6sat.x86_64
> pulp-katello-0.3-3.el6sat.noarch
> pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
> pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
> pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
> pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
> pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
> pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
> pulp-server-2.4.0-0.30.beta.el6sat.noarch
> python-gofer-qpid-1.3.0-1.el6sat.noarch
> python-isodate-0.5.0-1.pulp.el6sat.noarch
> python-kombu-3.0.15-12.pulp.el6sat.noarch
> python-pulp-bindings-2.4.0-0.30.beta.el6sat.noarch
> python-pulp-common-2.4.0-0.30.beta.el6sat.noarch
> python-pulp-puppet-common-2.4.0-0.30.beta.el6sat.noarch
> python-pulp-rpm-common-2.4.0-0.30.beta.el6sat.noarch
> python-qpid-0.22-14.el6sat.noarch
> python-qpid-qmf-0.22-37.el6.x86_64
> qpid-cpp-client-0.22-42.el6.x86_64
> qpid-cpp-server-0.22-42.el6.x86_64
> qpid-cpp-server-linearstore-0.22-42.el6.x86_64
> qpid-java-client-0.22-6.el6.noarch
> qpid-java-common-0.22-6.el6.noarch
> qpid-proton-c-0.7-1.el6.x86_64
> qpid-qmf-0.22-37.el6.x86_64
> qpid-tools-0.22-12.el6.noarch
> ruby193-rubygem-katello-1.5.0-82.el6sat.noarch
> rubygem-hammer_cli_katello-0.0.4-12.el6sat.noarch
> rubygem-smart_proxy_pulp-1.0.0-1.1.el6sat.noarch

We'd need this retested on RHEL 7 as well. Also -- what is the above list of packages representing?
I don't see things like mod_authnz_pam or mod_auth_kerb listed. Moving back ON_QA -- please retest without the external repo and on both RHEL 6 and RHEL 7.
Also, could you please test that katello-installer's --foreman-ipa-authentication=true option is correctly documented in Satellite 6.0 GA documentation?
thanks @jpazdziora for the info. Will also make sure that it's properly documented in Sat6 GA docs.

Also we do have a practice of listing a set of standard packages for the bugs and hence the list of Installed packages. What you are suggesting was taken care of here in the below bug and this is from the set of Sat6 compose Sat6-GA-snap5.
https://bugzilla.redhat.com/show_bug.cgi?id=1084136#c43

The below command now I understand is for the upstream purposes only and should be avoided for sat6.
katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

NOTE for QE as we also need to test it for RHEL7:

1) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true
   The --foreman-configure-ipa-repo configures an external repo from where the mod_authnz_pam and mod_auth_kerb are installed.
   http://copr-be.cloud.fedoraproject.org/results/adelton/identity_demo/epel-6-x86_64/
2) The idea is to test it with the packages packaged along with sat6 composes only, that is mod_authnz_pam, mod_auth_kerb, etc.
3) Also we need to test this with both RHEL6 and RHEL7.
4) We need to test only with "katello-installer --foreman-ipa-authentication=true"
(In reply to Kedar Bidarkar from comment #18)
>
> Also we do have a practice of listing a set of standard packages for the bugs and hence the list of Installed packages.

Ah, OK.

> The below command now I understand is for the upstream purposes only and should be avoided for sat6.
> katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

Right.

> NOTE for QE as we also need to test it for RHEL7:
>
> 1) katello-installer --foreman-ipa-authentication=true --foreman-configure-ipa-repo=true

Without the --foreman-configure-ipa-repo=true again -- it should not be used on Satellite 6, be it on RHEL 6 or RHEL 7.

> 2) The idea is to test it with the packages packaged along with sat6 composes only, that is mod_authnz_pam, mod_auth_kerb, etc.
>
> 3) Also we need to test this with both RHEL6 and RHEL7.
>
> 4) We need to test only with "katello-installer --foreman-ipa-authentication=true"

Right.
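The two things this thread asks a tester to confirm before running the installer are (a) the host is enrolled in FreeIPA with an HTTP/$foreman_fqdn principal in its keytab (comment 9) and (b) mod_auth_kerb and mod_authnz_pam were installed from the Satellite repository, not from the external identity_demo repo (comments 15 and 18). The pre-flight script below is an added example written for this page; it is not part of the bug report or of katello-installer. The checks take command output as text so they run offline against the constructed samples at the bottom; on a live host you would feed them the output of `klist -kt` on the HTTP keytab and of `yum list installed 'mod_auth*'` (yum prints the source repo as `@repoid` in the last column). The keytab path /etc/httpd/conf/http.keytab, the hostname sat6.example.com, the package versions and the repo id `katello` (taken from the `[katello]` repo shown later in the thread) are assumptions.

```shell
#!/bin/sh
# Added pre-flight example (not from the bug report or katello-installer):
# verify the FreeIPA prerequisites that comments 9, 15 and 18 ask for before
# running: katello-installer --foreman-ipa-authentication=true
#
# On a real host the inputs would come from (keytab path is an assumption):
#   klist -kt /etc/httpd/conf/http.keytab
#   yum list installed 'mod_auth*'

# has_http_principal LISTING FQDN -> 0 if LISTING contains HTTP/FQDN@REALM
has_http_principal() {
    listing=$1; fqdn=$2
    printf '%s\n' "$listing" | grep -qF "HTTP/$fqdn@"
}

# packages_from_repo LISTING REPOID PKG... -> 0 only if every PKG is listed
# and its repo column is "@REPOID"; prints each offending package otherwise.
packages_from_repo() {
    listing=$1; repoid=$2; shift 2
    rc=0
    for pkg in "$@"; do
        # "|| true" keeps a missing package from aborting under set -e
        line=$(printf '%s\n' "$listing" | grep "^$pkg\." || true)
        case "$line" in
            "")           echo "missing: $pkg";       rc=1 ;;
            *"@$repoid")  ;;                      # installed from the allowed repo
            *)            echo "wrong repo: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# preflight KEYTAB_LISTING FQDN PKG_LISTING REPOID -> 0 only if both checks pass
preflight() {
    ok=0
    has_http_principal "$1" "$2" || { echo "no HTTP/$2 principal in keytab"; ok=1; }
    packages_from_repo "$3" "$4" mod_auth_kerb mod_authnz_pam || ok=1
    return $ok
}

# Constructed sample data (not captured from a real Satellite host; versions
# and hostname are made up).
SAMPLE_FQDN='sat6.example.com'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   1 08/20/14 10:15:02 HTTP/sat6.example.com@EXAMPLE.COM
   1 08/20/14 10:15:02 HTTP/sat6.example.com@EXAMPLE.COM'
SAMPLE_PKGS_OK='mod_auth_kerb.x86_64    1.0-1.el6    @katello
mod_authnz_pam.x86_64   1.0-1.el6    @katello'
# Same modules, but mod_authnz_pam pulled from the external copr repo
SAMPLE_PKGS_BAD='mod_auth_kerb.x86_64    1.0-1.el6    @katello
mod_authnz_pam.x86_64   1.0-1.el6    @adelton-identity_demo'

# Demonstration run against the constructed samples.
preflight "$SAMPLE_KEYTAB" "$SAMPLE_FQDN" "$SAMPLE_PKGS_OK" katello \
    && echo "OK: safe to run katello-installer --foreman-ipa-authentication=true"
preflight "$SAMPLE_KEYTAB" "$SAMPLE_FQDN" "$SAMPLE_PKGS_BAD" katello \
    || echo "FAIL: fix the above before running the installer"
```

The second sample fails on purpose: it reports `wrong repo: mod_authnz_pam.x86_64 ... @adelton-identity_demo`, which is exactly the condition comment 18 says must not occur on Satellite 6 on either RHEL 6 or RHEL 7.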
Tested with sat6-GA-snap5 on RHEL7.

[root@xxx yum.repos.d]# ls
prod.repo  redhat.repo
[root@xxx yum.repos.d]# cat prod.repo
[katello]
name=katello
baseurl=http:/xxx.redhat.com/devel/candidate-trees/Satellite/Satellite-6.0.4-RHEL-7-20140813.2/compose/Satellite/x86_64/os/
enabled=1
gpgcheck=0
[root@xxxx yum.repos.d]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@xxx yum.repos.d]# #katello-installer --foreman-ipa-authentication=true
[root@xxx yum.repos.d]# cd
[root@xxx ~]# katello-installer --foreman-ipa-authentication=true
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  * Katello is running at https://xxxx.redhat.com
      Initial credentials are admin / changeme
  * Capsule is running at https://xxxx.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
  The full log is at /var/log/katello-installer/katello-installer.log
Tested with Sat6-GA-snap6-20140820.2 Build on RHEL6.5

[root@xxxx ~]# katello-installer --foreman-ipa-authentication=true
Installing             Done                                               [100%] [..........................................................................................................]
  Success!
  * Katello is running at https://xxxxx.redhat.com
      Initial credentials are admin / changeme
  * Capsule is running at https://xxxxx.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
  The full log is at /var/log/katello-installer/katello-installer.log
[root@xxxxx ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@xxxxx ~]# cd /etc/yum.repos.d/
[root@xxxxx yum.repos.d]# ls
product.repo  redhat.repo  rhel-source.repo
[root@xxxxx yum.repos.d]# cat product.repo
[katello]
name=katello
baseurl=http://xxxx.redhat.com/devel/candidate-trees/Satellite/Satellite-6.0.4-RHEL-6-20140820.2/compose/Satellite/x86_64/os/
enabled=1
gpgcheck=0
For Sat6 on both RHEL6 and RHEL7
-----------------------------------------------------------------------
With the above configuration in place
1) The IPA users are now able to access the Sat6 UI.
2) These users upon first login get created under Users of Sat6, with "authorized type" as "external".
3) Then one could assign roles to such (external) IPA users for sat6, after logging in to sat6's admin account.

With the setups as mentioned in comment 22 and comment 23, we were able to perform the above 3 steps successfully. So External Authentication via FreeIPA is configurable with katello-installer and also we are able to use only those packages packaged with Satellite6 repos.
(In reply to Jan Pazdziora from comment #15)
>
> We are working on getting the Foreman 1.6 documentation updated.

https://github.com/theforeman/theforeman.org/pull/253
Foreman 1.6 documentation has been updated: http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication
(In reply to Petra Kamenickova from comment #26)
> Foreman 1.6 documentation has been updated:
> http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication

Related to: Need documentation for External authentication via IDM using katello-installer
https://bugzilla.redhat.com/show_bug.cgi?id=1132527
This was delivered with Satellite 6.0 which was released on 10 September 2014.