Chapter 5. Appendix
5.1. External Authentication Configuration Map Settings
See Section 5.2, “Sample External Authentication Configuration” for an example configuration map file.
The configuration map includes the following parameters:
- auth-type

The authentication type. This parameter controls which configuration files httpd will load upon startup. The default is internal. Supported values are listed in Table 5.1.

Table 5.1. auth-type values

Value              External Authentication Configuration
internal           Application based authentication: Database, LDAP/LDAPS, Amazon. This is the default.
external           IPA, IPA 2-factor authentication, IPA/AD Trust, LDAP (OpenLDAP, RHDS, Active Directory, etc.)
active-directory   Active Directory domain realm join
saml               SAML based authentication (Keycloak, ADFS, etc.)

Important
Enabling external authentication must be done from the CloudForms user interface; see Configuring External Authentication in Managing Authentication for details.
- auth-kerberos-realms

The Kerberos realms to join. When configuring external authentication against IPA, Active Directory or LDAP, this parameter defines the Kerberos realm httpd is configured against, such as example.com. When specifying multiple Kerberos realms, they must be separated by spaces. The default is undefined.

- auth-configuration.conf
The external authentication configuration file, which declares the list of files to overlay upon startup if auth-type is other than internal. The syntax of the file is as follows:

    # for comments
    file = basename1 target_path1 permission1
    file = basename2 target_path2 permission2

One file directive is needed per file to overlay on the httpd pod.

  - basename

  The name of the source file in the configuration map.

  - target_path

  The path of the file on the pod to overwrite, for example /etc/sssd/sssd.conf.

  - permission

  (optional) By default, files are copied using the pod's default umask, owner and group, so files are created as mode 644, owner root, group root. permission can be specified as follows, reflecting the mode and ownership to set the copied files to:

      mode
      mode:owner
      mode:owner:group

  For example:

      755
      640:root
      644:root:apache

  Files that hold private key material, such as the SAML service provider key in Section 5.2, should be given a restrictive permission such as 600:root:root rather than the default 644, so that they are not readable by every account in the pod.

Binary files can be specified in the configuration map in their base64 encoded format, with a basename having a .base64 extension. Such files are then converted back to binary as they are copied to their target path.

When an /etc/sssd/sssd.conf file is included in the configuration map, the httpd pod automatically enables the SSSD service upon startup.
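The following is an added example, not code from CloudForms, ManageIQ or the httpd pod image. It parses the auth-configuration.conf syntax described above (comment lines, one file directive per file, the optional mode[:owner[:group]] permission with its 644/root/root defaults, .base64 basenames decoded on copy, and the sssd.conf rule) and runs the checks a practitioner would want before applying a configuration map: every basename named in a directive exists in the map, target paths are absolute, and no private key is copied world-readable. The configuration map, its file contents and all function names are constructed for the example and are assumptions, not documented CloudForms behaviour.

```python
"""Parse and sanity-check an external-authentication configuration map.

Added example; not code from CloudForms, ManageIQ or the httpd pod image.
Models the auth-configuration.conf rules from this appendix. The map below
and the function names are constructed for the example (assumptions).
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_MODE, DEFAULT_OWNER, DEFAULT_GROUP = "644", "root", "root"
MODE_RE = re.compile(r"^[0-7]{3,4}$")             # e.g. 644 or 0600
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")      # conservative user/group name
DIRECTIVE_RE = re.compile(r"^file\s*=\s*(\S+)\s+(\S+)(?:\s+(\S+))?$")


@dataclass
class Overlay:
    """One file the pod would copy into place at startup."""
    basename: str
    target_path: str
    mode: str
    owner: str
    group: str
    content: bytes                                 # bytes that land at target_path
    warnings: List[str] = field(default_factory=list)


def parse_permission(spec: Optional[str]) -> Tuple[str, str, str]:
    """Expand mode[:owner[:group]] into (mode, owner, group), filling in the defaults."""
    if spec is None:
        return DEFAULT_MODE, DEFAULT_OWNER, DEFAULT_GROUP
    parts = spec.split(":")
    if len(parts) > 3 or not MODE_RE.match(parts[0]):
        raise ValueError(f"bad permission {spec!r}: expected mode[:owner[:group]]")
    mode, owner, group = (parts + [DEFAULT_OWNER, DEFAULT_GROUP])[:3]
    for name in (owner, group):
        if not NAME_RE.match(name):
            raise ValueError(f"bad owner/group {name!r} in permission {spec!r}")
    return mode, owner, group


def parse_auth_configuration(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (basename, target_path, permission) per file directive, in file order."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # '#' introduces a comment line
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"auth-configuration.conf line {lineno}: unrecognised {raw!r}")
        directives.append(m.groups())
    return directives


def resolve_overlays(data: Dict[str, str]) -> List[Overlay]:
    """Resolve every file directive against the map's keys, decoding .base64 entries."""
    if data.get("auth-type", "internal") == "internal":
        return []                                  # nothing is overlaid for internal auth
    overlays = []
    for basename, target, perm in parse_auth_configuration(data["auth-configuration.conf"]):
        if basename not in data:
            raise KeyError(f"{basename}: named in a file directive but absent from the map")
        mode, owner, group = parse_permission(perm)
        raw = data[basename]
        if basename.endswith(".base64"):
            content = base64.b64decode("".join(raw.split()), validate=True)  # allow wrapped lines
        else:
            content = raw.encode()
        ov = Overlay(basename, target, mode, owner, group, content)
        # Checks worth running before the map is applied to the pod:
        if not target.startswith("/"):
            ov.warnings.append(f"{target}: target_path must be absolute")
        if b"PRIVATE KEY-----" in content and int(mode[-1], 8) & 0o4:
            ov.warnings.append(f"{target}: private key world-readable (mode {mode}); use 600:root:root")
        overlays.append(ov)
    return overlays


def sssd_enabled(overlays: List[Overlay]) -> bool:
    """The httpd pod enables SSSD when /etc/sssd/sssd.conf is among the overlaid files."""
    return any(o.target_path == "/etc/sssd/sssd.conf" for o in overlays)


# Constructed configuration map for auth-type external (file contents are placeholders).
SAMPLE_KEYTAB = bytes(range(0, 256, 16))           # stands in for a binary keytab
SAMPLE_MAP = {
    "auth-type": "external",
    "auth-kerberos-realms": "example.com",
    "auth-configuration.conf": "\n".join([
        "#",
        "# Configuration for IPA authentication (constructed example)",
        "#",
        "file = sssd.conf          /etc/sssd/sssd.conf               600",
        "file = http.keytab.base64 /etc/http.keytab                  600:root:root",
        "file = ldap-client.key    /etc/pki/tls/private/ldap.key",   # permission omitted: 644
        "file = ca-bundle.pem      /etc/pki/tls/certs/ca-bundle.pem  644:root:apache",
    ]),
    "sssd.conf": "[sssd]\nservices = nss, pam, ifp\ndomains = example.com\n",
    "http.keytab.base64": base64.b64encode(SAMPLE_KEYTAB).decode(),
    "ldap-client.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
    "ca-bundle.pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    overlays = resolve_overlays(SAMPLE_MAP)
    for o in overlays:
        print(f"{o.basename:20} -> {o.target_path:34} {o.mode}:{o.owner}:{o.group} ({len(o.content)} bytes)")
        for w in o.warnings:
            print("   WARNING:", w)
    print("SSSD enabled at startup:", sssd_enabled(overlays))
```

Run stand-alone, the script lists the four overlays, flags ldap-client.key because the omitted permission leaves the key at the 644 default, and reports that SSSD would be enabled because /etc/sssd/sssd.conf is among the targets. The private-key check looks only at the "other" read bit, so a deliberate 640:root:apache (key readable by the httpd worker group) passes without a warning.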
5.2. Sample External Authentication Configuration
The following is an example of the data section of a SAML auth-config map (excluding the content of the files):

    apiVersion: v1
    data:
      auth-type: saml
      auth-kerberos-realms: example.com
      auth-configuration.conf: |
        #
        # Configuration for SAML authentication
        #
        file = manageiq-remote-user.conf         /etc/httpd/conf.d/manageiq-remote-user.conf         644
        file = manageiq-external-auth-saml.conf  /etc/httpd/conf.d/manageiq-external-auth-saml.conf  644
        file = idp-metadata.xml                  /etc/httpd/saml2/idp-metadata.xml                   644
        file = sp-key.key                        /etc/httpd/saml2/sp-key.key                         600:root:root
        file = sp-cert.cert                      /etc/httpd/saml2/sp-cert.cert                       644
        file = sp-metadata.xml                   /etc/httpd/saml2/sp-metadata.xml                    644
      manageiq-remote-user.conf: |
        RequestHeader unset X_REMOTE_USER
        ...
      manageiq-external-auth-saml.conf: |
        LoadModule auth_mellon_module modules/mod_auth_mellon.so
        ...
      idp-metadata.xml: |
        <EntitiesDescriptor ...
          ...
        </EntitiesDescriptor>
      sp-key.key: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
      sp-cert.cert: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      sp-metadata.xml: |
        <EntityDescriptor ...
          ...
        </EntityDescriptor>

Note that the service provider private key, sp-key.key, is the only file copied with 600:root:root; the other entries are httpd configuration, public metadata and the service provider certificate, which can remain world-readable at the default 644.