20.2. Using Identity Management
- The Satellite server has to run on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux 6.6 or later.
- The base operating system of the Satellite server has to be IPA-enrolled. Ask the IdM/IPA administrator of your organization to perform the following steps on the IdM/IPA server:
  - Create a host entry for the Satellite server with the ipa host-add command. Generate a one-time password with the --random option. This password will be used on the client to complete IPA-enrollment. For more information on host configuration properties, see Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
  - Create an HTTP service for the Satellite server with the ipa service-add HTTP/satellite_fqdn command. For more information on managing services, see Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
Procedure 20.2. To Configure IdM/IPA Authentication:
- Execute the following command as root to configure IPA-enrollment on the client:
  # ipa-client-install --password OTP
  Replace OTP with the one-time password provided by the IdM/IPA administrator.
- If the Satellite server is running on Red Hat Enterprise Linux 7, execute the following command:
  # subscription-manager repos --enable rhel-7-server-optional-rpms
  The installer depends on packages which, on Red Hat Enterprise Linux 7, are in the optional repository rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6 all necessary packages are in the
- Execute the following command:
  # katello-installer --foreman-ipa-authentication=true
  This command is not limited to a fresh Satellite installation; you can use it to modify an existing Satellite installation.
20.2.1. Host Based Access Control Configuration
Procedure 20.3. To Configure HBAC:
- Create HBAC service and rule on the IdM/IPA server and link them together. The following examples use the PAM service name satellite-prod. Execute the following commands on the IdM/IPA server:
  $ ipa hbacsvc-add satellite-prod
  $ ipa hbacrule-add allow_satellite_prod
  $ ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod
- Add the user who is to have access to the service satellite-prod, and the hostname of the Satellite server:
  $ ipa hbacrule-add-user allow_satellite_prod --user=username
  $ ipa hbacrule-add-host allow_satellite_prod --hosts=the-satellite-fqdn
  Alternatively, host groups and user groups can be added to the allow_satellite_prod rule.
- To check the status of the rule, execute:
  $ ipa hbacrule-find satellite-prod
  $ ipa hbactest --user=username --host=the-satellite-fqdn --service=satellite-prod
- Configure the IdM/IPA integration with the Satellite server as described in Procedure 20.2, “To Configure IdM/IPA Authentication:”. On the Satellite server, define the PAM service as root:
# katello-installer --foreman-pam-service=satellite-prod
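
The rule status check above reports only whether access is granted, and IdM's default allow_all HBAC rule, while enabled, grants it regardless of the satellite-prod rule. The following added example (not part of the original guide) parses hbactest output and flags access granted by any rule other than allow_satellite_prod. The sample outputs are constructed, and their layout is an assumption based on the ipa CLI's usual output.

```shell
#!/bin/sh
# Added example, not from the Satellite guide. Reads `ipa hbactest` output on
# stdin; $1 is the only HBAC rule expected to match.
# Return status: 0 = granted solely by $1, 1 = denied, 2 = granted by another rule.
check_hbactest() {
    awk -v want="$1" '
        /Access granted:/ { granted = ($NF == "True") }
        /^ *Matched rules:/ {
            if ($NF == want) ok = 1
            else other = other " " $NF
        }
        END {
            if (!granted)    { print "DENIED"; exit 1 }
            if (other != "") { print "GRANTED via unexpected rule(s):" other; exit 2 }
            if (ok)          { print "GRANTED only via " want; exit 0 }
            print "GRANTED but no matched rule listed"; exit 2
        }'
}

# Constructed sample outputs (assumed layout; allow_ssh_admins is a made-up
# rule name used only for illustration).
sample_ok='--------------------
Access granted: True
--------------------
  Matched rules: allow_satellite_prod
  Not matched rules: allow_ssh_admins'

sample_allow_all='--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Matched rules: allow_satellite_prod'

sample_denied='---------------------
Access granted: False
---------------------
  Not matched rules: allow_satellite_prod'

for s in "$sample_ok" "$sample_allow_all" "$sample_denied"; do
    printf '%s\n' "$s" | check_hbactest allow_satellite_prod || true
done

# Live use on the IdM/IPA server:
#   ipa hbactest --user=username --host=the-satellite-fqdn \
#       --service=satellite-prod | check_hbactest allow_satellite_prod
```

Run the same check for a user who is not in the rule: a status of 1 (denied) confirms that the rule actually restricts access to the satellite-prod service.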