Chapter 20. Configuring External Authentication
- Using Lightweight Directory Access Protocol (LDAP) server as an external identity provider. LDAP is a set of open protocols used to access centrally stored information over a network. For more information see Section 20.1, “Using LDAP”.
- Using Identity Management (IdM) or Identity, Policy, Audit (IPA) server as an external identity provider. IdM and IPA deal with the management of individual identities, their credentials and privileges used in a networking environment. For more information see Section 20.2, “Using Identity Management”.
- Using Active Directory (AD) integrated with IdM or IPA through cross-forest Kerberos trust as an external identity provider. For more information see Section 20.3, “Using Active Directory with Cross-Forest Trust”.
- Using direct AD as an external identity provider. For more information see Section 20.4, “Using Active Directory Directly”.
20.1. Using LDAP
20.1.1. Configure TLS for Secure LDAP (LDAPS)
TLSto establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your Satellite server as described below. If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained. If you do not require secure LDAP at this time, proceed to Procedure 20.1, “To Configure LDAP Authentication”.
Obtain the Certificate from the LDAP Server
TLSon Satellite 6.1 for information on creating and exporting a CA certificate from an Active Directory server.
/tmp/example.crt. The filename extensions
.crtare only conventions and can refer to DER binary or PEM ASCII format certificates.
Trust the Certificate from the LDAP Server
installcommand to install the imported certificate into the
/etc/pki/tls/certs/directory with the correct permissions.
install /tmp/example.crt /etc/pki/tls/certs/
rootto trust the example.crt certificate obtained from the LDAP server:
ln -s example.crt /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/example.crt).0
- On Red Hat Enterprise Linux 6:
service httpd restart
- On Red Hat Enterprise Linux 7:
systemctl restart httpd
20.1.2. Configuring Red Hat Satellite to Use LDAP
# setsebool authlogin_nsswitch_use_ldap=1
Procedure 20.1. To Configure LDAP Authentication
- Navigate to→ .
- On thetab, enter the LDAP server's name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For
TLSencrypted connections, select the LDAPS check box to enable encryption. The port should change to 636, which is the default for LDAPS.
- On thetab, enter the following information:
- Account username: an LDAP user who has read access to the LDAP server. User name is not required if the server allows anonymous reading, otherwise use the full path to the user's object. For example:
- Account password: the LDAP password for the user defined in the Account username field. This field can remain blank if the Account username is using the "$login" variable.
- Base DN: the top level domain name of your LDAP directory. For example:
- Groups base DN: the top level domain name of your LDAP directory tree that contains groups.
- LDAP filter: a filter to restrict your LDAP queries.
- Automatically create accounts in Foreman: creates Satellite accounts automatically for LDAP users who log in for the first time in Satellite.
- On thetab, map LDAP attributes to Satellite attributes. You can map Login name, First name, Surname, Email address, and Photo attributes.
Table 20.1. Example Settings for Active Directory LDAP Connection
|Groups Base DN||CN=Users,DC=example,DC=com|
|Login name attribute||sAMAccountName|
Table 20.2. Example settings for FreeIPA LDAP Connection
|Groups Base DN||cn=groups,cn=accounts,dc=example,dc=com|
|Login name attribute||uid|
Table 20.3. Example Settings for POSIX (OpenLDAP) LDAP Connection
|Groups Base DN||dc=example,dc=com|
|Login name attribute||uid|