Bug 1198103 - [RFE] more external authentication features with sssd, without IdM/IPA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
Depends On:
Reported: 2015-03-03 11:58 UTC by Jan Pazdziora
Modified: 2019-06-26 12:19 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2018-07-05 15:23:46 UTC
Target Upstream Version:

System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 15900 | 0 | 'Normal' | 'New' | 'more external authentication features with sssd, without IdM/IPA' | 2019-11-12 09:33:35 UTC
Red Hat Bugzilla | 1202939 | 1 | None | None | None | 2021-01-20 06:05:38 UTC

Internal Links: 1202939

Description Jan Pazdziora 2015-03-03 11:58:43 UTC
Description of problem:

The Satellite 6.0 release added the option to use --foreman-ipa-authentication=true to enable external authentication via Apache modules, currently only documented at http://theforeman.org/manuals/1.6/index.html#5.7ExternalAuthentication.

Recently, additional setups were requested: direct AD integration using sssd but without cross-realm trust, or using sssd with ldap providers to allow for LDAP failover that sssd supports. In those cases, the assumptions of the --foreman-ipa-authentication=true approach are not met -- the /etc/ipa/default.conf does not exist, for example.

It is possible to fake the system being IPA-enrolled for the installer to pass but it is cumbersome.

It'd be useful to have additional external authentication setups (especially with sssd) supported.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use realm join to join the Satellite machine directly to AD.
2. Or manually configure sssd to use LDAP server.
3. Try to run katello-installer to have Satellite 6 configured to use this external authentication.

Actual results:

It fails.

Expected results:

It is possible.

Additional info:

And documented.

Comment 1 RHEL Program Management 2015-03-03 20:19:17 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Stephen Benjamin 2016-07-29 14:22:39 UTC
Created redmine issue http://projects.theforeman.org/issues/15900 from this bug

Comment 9 Bryan Kearney 2018-07-05 15:23:46 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
