20.2. Using Identity Management

This section shows how to integrate Red Hat Satellite server with an IdM or IPA server and how to enable host-based access control.

Prerequisites

The examples in this chapter assume that the IdM/IPA server and the Satellite server are administered separately. If you have administrator privileges on both servers, you can instead configure IPA enrollment as described in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide[11].

Procedure 20.2. To Configure IdM/IPA Authentication:

  1. Execute the following command as root to configure IPA-enrollment on the client:
    # ipa-client-install --password OTP
    Replace OTP with the one-time password provided by the IdM/IPA administrator.
  2. If the Satellite server is running on Red Hat Enterprise Linux 7, execute the following command:
    # subscription-manager repos --enable rhel-7-server-optional-rpms
    The installer is dependent on packages which, on Red Hat Enterprise Linux 7, are in the optional repository rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6 all necessary packages are in the base repository.
  3. Execute the following command:
    # katello-installer --foreman-ipa-authentication=true
    This command is not limited to a fresh Satellite installation; you can use it to modify an existing Satellite installation.
External users can now log in to Satellite with their IPA credentials. They can either log in to the Satellite server directly with their user name and password, or use the configured Kerberos single sign-on: after obtaining a ticket on their client machine they are logged in automatically. Two-factor authentication with a one-time password (2FA OTP) is also supported: if a user is configured for 2FA in IdM/IPA and the Satellite server is running on Red Hat Enterprise Linux 7, that user can authenticate to Satellite with an OTP.

20.2.1. Host Based Access Control Configuration

Host-based access control (HBAC) rules define which hosts in the domain an IPA user is allowed to access, and through which PAM services. You can configure HBAC on the IPA server to prevent selected users from accessing the Satellite server. Because the check happens in PAM before Satellite sees the login, this also prevents Satellite from creating database entries for users who are not allowed to log in. For more information on HBAC, see the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide[12].

Procedure 20.3. To Configure HBAC:

  1. Create an HBAC service and an HBAC rule on the IdM/IPA server and link them together. The following examples use the PAM service name satellite-prod; the rule name allow_satellite_prod is arbitrary. The ipa commands require a valid Kerberos ticket for an IdM administrator (for example, obtained with kinit admin). Execute the following commands on the IdM/IPA server:
    $ ipa hbacsvc-add satellite-prod
    $ ipa hbacrule-add allow_satellite_prod
    $ ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod
    
  2. Add the user who is to have access to the service satellite-prod, and the host name of the Satellite server, to the rule:
    $ ipa hbacrule-add-user allow_satellite_prod --users=username
    $ ipa hbacrule-add-host allow_satellite_prod --hosts=the-satellite-fqdn
    Alternatively, add user groups and host groups to the allow_satellite_prod rule with the --groups and --hostgroups options of the same commands.
  3. To check the rule and simulate the login as PAM will evaluate it, execute:
    $ ipa hbacrule-show allow_satellite_prod
    $ ipa hbactest --user=username --host=the-satellite-fqdn --service=satellite-prod
    The hbactest output must report Access granted: True and list allow_satellite_prod among the matched rules.
    
  4. Ensure the allow_all rule is disabled on the IdM/IPA server; while it is enabled, every user matches it and allow_satellite_prod has no restricting effect. For instructions on how to disable it without disrupting other services, see the How to configure HBAC rules in IPA article on the Red Hat Customer Portal[13].
  5. Configure the IdM/IPA integration with the Satellite server as described in Procedure 20.2, “To Configure IdM/IPA Authentication:”. On the Satellite server, define the PAM service as root; the name must match the HBAC service created in step 1:
    # katello-installer --foreman-pam-service=satellite-prod
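The following script is an added example, not part of the Satellite or IdM documentation. It wraps steps 1 to 4 of Procedure 20.3 into an idempotent run on the IdM/IPA server and adds the two checks a practitioner wants before pointing katello-installer at the PAM service: that allow_all is no longer enabled, and that ipa hbactest grants the intended user access. The service and rule names are the document's own; the user jsmith and the host satellite.example.com are assumed placeholders, and the sample command outputs embedded in the script are constructed so that the parsing functions can be exercised without an IdM server.

```shell
#!/bin/sh
# Added example for Procedure 20.3 (not Red Hat's own code).
# Run on the IdM/IPA server with an admin ticket: sh hbac-satellite.sh apply
# Without "apply" it only exercises the output parsers on constructed samples.
set -eu

SVC=${SVC:-satellite-prod}                 # PAM service name from the procedure
RULE=${RULE:-allow_satellite_prod}         # HBAC rule name from the procedure
IPA_USER=${IPA_USER:-jsmith}               # assumption: user to be allowed in
SATELLITE_FQDN=${SATELLITE_FQDN:-satellite.example.com}   # assumption

# Read `ipa hbacrule-show <rule>` output on stdin; succeed if "Enabled: TRUE".
hbac_rule_enabled() {
    grep -Eiq '^[[:space:]]*Enabled:[[:space:]]*TRUE[[:space:]]*$'
}

# Read `ipa hbactest` output on stdin; succeed only if "Access granted: True".
hbactest_granted() {
    grep -Eiq '^[[:space:]]*Access granted:[[:space:]]*True[[:space:]]*$'
}

# Steps 1 to 4, safe to re-run: create objects only if missing, tolerate
# "already a member" results, and refuse to finish while allow_all is enabled.
configure_satellite_hbac() {
    klist -s || { echo "no Kerberos ticket; run kinit admin first" >&2; return 1; }
    ipa hbacsvc-show "$SVC" >/dev/null 2>&1  || ipa hbacsvc-add "$SVC"
    ipa hbacrule-show "$RULE" >/dev/null 2>&1 || ipa hbacrule-add "$RULE"
    ipa hbacrule-add-service "$RULE" --hbacsvcs="$SVC" || true   # already linked
    ipa hbacrule-add-user "$RULE" --users="$IPA_USER" || true    # already a member
    ipa hbacrule-add-host "$RULE" --hosts="$SATELLITE_FQDN" || true

    if ipa hbacrule-show allow_all | hbac_rule_enabled; then
        echo "allow_all is still enabled; $RULE restricts nothing until it is disabled" >&2
        return 1
    fi
    # Simulate the login exactly as sssd/PAM will evaluate it on the Satellite host.
    ipa hbactest --user="$IPA_USER" --host="$SATELLITE_FQDN" --service="$SVC" \
        | hbactest_granted
}

# Constructed samples of the two command outputs the parsers consume.
SAMPLE_RULE_ENABLED='  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: TRUE'
SAMPLE_RULE_DISABLED='  Rule name: allow_all
  Enabled: FALSE'
SAMPLE_HBACTEST_GRANTED='--------------------
Access granted: True
--------------------
  Matched rules: allow_satellite_prod
  Not matched rules: allow_all'
SAMPLE_HBACTEST_DENIED='--------------------
Access granted: False
--------------------
  Not matched rules: allow_satellite_prod'

# Offline self-check of the parsers; returns 0 when all four samples classify correctly.
selfcheck() {
    printf '%s\n' "$SAMPLE_RULE_ENABLED"    | hbac_rule_enabled || return 1
    if printf '%s\n' "$SAMPLE_RULE_DISABLED" | hbac_rule_enabled; then return 1; fi
    printf '%s\n' "$SAMPLE_HBACTEST_GRANTED" | hbactest_granted || return 1
    if printf '%s\n' "$SAMPLE_HBACTEST_DENIED" | hbactest_granted; then return 1; fi
    echo "parsers OK"
}

if [ "${1:-}" = apply ]; then
    configure_satellite_hbac
else
    selfcheck
fi
```

Once the script finishes with access granted, run step 5 on the Satellite server; the two installer flags can be given in one invocation (katello-installer --foreman-ipa-authentication=true --foreman-pam-service=satellite-prod). The HBAC service name passed to --foreman-pam-service must be the same string as SVC, otherwise sssd evaluates the login against a service no rule mentions and every IPA user is denied.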