Bug 1162689

Summary: Need allow_httpd_mod_auth_pam on for IPA integration
Product: Red Hat Satellite 5
Component: Documentation
Version: 570
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Dan Macpherson <dmacpher>
Assignee: Dan Macpherson <dmacpher>
QA Contact: Dan Macpherson <dmacpher>
CC: cperry, dmacpher, jpazdziora, tlestach
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-18 00:29:38 UTC
Bug Blocks: 1018166

Description Dan Macpherson 2014-11-11 13:31:12 UTC
Description of problem:
I was testing out the Spacewalk IPA instructions on a Satellite 5.7 system:
https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA

I ran into some SELinux trouble though. I had the httpd_dbus_sssd Boolean switched to on but I still couldn't log in.

When I set SELinux to permissive, I could log in.

When I set SELinux back to enforcing, I couldn't log in again.

I tested out a number of other possibly related Booleans and was able to successfully log in when I switched the allow_httpd_mod_auth_pam Boolean.

Version-Release number of selected component (if applicable):
5.7

How reproducible:
Always

Steps to Reproduce:
1. Configure Satellite 5.7 to use an IPA Server as per upstream Spacewalk instructions
2. Can't log in with SELinux enabled
3. setsebool -P allow_httpd_mod_auth_pam on
4. Login works

Actual results:


Expected results:


Additional info:
I spoke with tlestach regarding this issue and he recommended filing a bug. However, it might be just a case of me documenting the need for the allow_httpd_mod_auth_pam Boolean.
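
A pre-flight check for the situation described in this report, as an added example that is not part of the bug thread or of Satellite's own tooling: it parses `getsebool -a` output and lists which of the two Booleans named above are off or missing, so the gap can be found with SELinux left in enforcing mode. The function name and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: check the SELinux Booleans this report says IPA login needs.
REQUIRED_BOOLEANS="httpd_dbus_sssd allow_httpd_mod_auth_pam"

# Reads getsebool-style lines ("name --> on|off") on stdin and prints one
# line per required Boolean that is not "on" or is absent from the policy.
missing_booleans() {
    awk -v req="$REQUIRED_BOOLEANS" '
        $2 == "-->" { state[$1] = $3 }
        END {
            n = split(req, names, " ")
            for (i = 1; i <= n; i++) {
                b = names[i]
                if (!(b in state))
                    print b ": not defined in loaded policy"
                else if (state[b] != "on")
                    print b ": " state[b]
            }
        }'
}

# Constructed sample matching the state in the report: httpd_dbus_sssd was
# already on, allow_httpd_mod_auth_pam was still off.
SAMPLE_OUTPUT='httpd_can_network_connect --> off
httpd_dbus_sssd --> on
allow_httpd_mod_auth_pam --> off'

# Use the live policy when getsebool exists, otherwise the sample above.
if command -v getsebool >/dev/null 2>&1; then
    report=$(getsebool -a 2>/dev/null | missing_booleans)
else
    report=$(printf '%s\n' "$SAMPLE_OUTPUT" | missing_booleans)
fi

if [ -n "$report" ]; then
    echo "Booleans to review before testing IPA login under enforcing mode:"
    echo "$report"
else
    echo "Both required Booleans are on."
fi
```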

Comment 1 Clifford Perry 2014-11-14 09:50:12 UTC
Please confirm if this is a code/script change, vs passing it back over to Docs.

Comment 2 Tomas Lestach 2014-11-19 10:43:00 UTC
It is required to set allow_httpd_mod_auth_pam on.

Change:
https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA?action=diff&version=16&old_version=15

Comment 3 Tomas Lestach 2014-11-20 10:33:05 UTC
Moving to 'Documentation' Component.

Comment 4 Jan Pazdziora (Red Hat) 2014-11-21 12:40:42 UTC
Note that if https://github.com/spacewalkproject/spacewalk/pull/178 is reviewed, merged, and shipped with Satellite 5.7, the need for detailed documentation of the setup might go away. The proposed spacewalk-setup-ipa-authentication contains the allow_httpd_mod_auth_pam setsebool.

Comment 8 Dan Macpherson 2015-02-18 00:29:38 UTC
So the script is now in 5.7. The documentation has been modified to use this script and pushed live.

The full procedure is here:
http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Satellite/5.7/html/Installation_Guide/ch06s02.html

Comment 9 Jan Pazdziora (Red Hat) 2015-02-18 08:30:20 UTC
The live location is https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html/Installation_Guide/ch06s02.html

Thank you!