Chapter 8. Configuring External Authentication
- Using Lightweight Directory Access Protocol (LDAP) server as an external identity provider. LDAP is a set of open protocols used to access centrally stored information over a network. For more information, see Section 8.1, “Using LDAP”. Though you can use LDAP to connect to an IdM or AD server, the setup does not support server discovery, cross-forest trusts, or single sign-on with Kerberos on Satellite's web UI.
- Using Red Hat Enterprise Linux Identity Management (IdM) server as an external identity provider. IdM deals with the management of individual identities, their credentials and privileges used in a networking environment. For more information see Section 8.2, “Using Identity Management”.
- Using Active Directory (AD) integrated with IdM through cross-forest Kerberos trust as an external identity provider. For more information see Section 8.3.1, “Using Active Directory with Cross-Forest Trust”.
- Using direct AD as an external identity provider. For more information see Section 8.3.2, “Using Active Directory Directly”.
8.1. Using LDAP
8.1.1. Configure TLS for Secure LDAP (LDAPS)
Note
TLS
to establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your Satellite Server as described below. If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained. If you do not require secure LDAP at this time, proceed to Procedure 8.1, “To Configure LDAP Authentication:”.
Obtain the Certificate from the LDAP Server
TLS
on Satellite 6.2 for information on creating and exporting a CA certificate from an Active Directory server.
/tmp/example.crt
. The filename extensions .cer
and .crt
are only conventions and can refer to DER binary or PEM ASCII format certificates.
Trust the Certificate from the LDAP Server
/etc/pki/tls/certs/
directory.
install
command to install the imported certificate into the /etc/pki/tls/certs/
directory with the correct permissions.
# install /tmp/example.crt /etc/pki/tls/certs/
root
to trust the example.crt certificate obtained from the LDAP server:
# ln -s example.crt /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/example.crt).0
httpd
service:
- On Red Hat Enterprise Linux 6:
# service httpd restart
- On Red Hat Enterprise Linux 7:
# systemctl restart httpd
8.1.2. Configuring Red Hat Satellite to Use LDAP
Procedure 8.1. To Configure LDAP Authentication:
- Set the allow Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:
- For Red Hat Enterprise Linux 6:
# setsebool -P allow_ypbind on
- For Red Hat Enterprise Linux 7:
# setsebool -P nis_enabled on
- Navigate to→ .
- Click.
- On thetab, enter the LDAP server's name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For
TLS
encrypted connections, select the LDAPS check box to enable encryption. The port should change to 636, which is the default for LDAPS. - On the Section 8.1.3, “LDAP Setting Descriptions and Examples” for descriptions and examples.tab, enter the account information and domain name details. See
- On the Section 8.1.3, “LDAP Setting Descriptions and Examples” for examples.tab, map LDAP attributes to Satellite attributes. You can map Login name, First name, Surname, Email address, and Photo attributes. See
- On thetab, select locations from the left table. Selected locations will be assigned to users created from the LDAP authentication source, and available after their first login.
- On thetab, select organizations from the left table. Selected organizations will be assigned to users created from the LDAP authentication source, and available after their first login.
- Click.
8.1.3. LDAP Setting Descriptions and Examples
Table 8.1. Account Tab Settings
Setting | Description |
---|---|
Account username | The LDAP user who has read access to the LDAP server. User name is not required if the server allows anonymous reading, otherwise use the full path to the user's object. For example:
uid=$login,cn=users,cn=accounts,dc=example,dc=com
The
$login variable stores the username entered on the login page as a literal string. The value is accessed when the variable is expanded.
The variable cannot be used with external user groups from an LDAP source because Satellite needs to retrieve the group list without the user logging in. Use either an anonymous, or dedicated service user.
|
Account password |
The LDAP password for the user defined in the Account username field. This field can remain blank if the Account username is using the
$login variable.
|
Base DN |
The top level domain name of the LDAP directory.
|
Groups base DN |
The top level domain name of the LDAP directory tree that contains groups.
|
LDAP filter |
A filter to restrict LDAP queries.
|
Automatically create accounts in Satellite |
If this option is selected, when LDAP users log in to Satellite for the first time, Satellite user accounts are created automatically for them. Users will see a
Permissions Denied warning and need to contact their Satellite administrator to have their user account associated with roles.
|
Usergroup sync |
If this option is selected, the user group membership of a user is automatically synchronized when the user logs in, which ensures the membership is always up to date. If this option is cleared, Satellite relies on a Cron job to regularly synchronize group membership (every 30 minutes by default). See Procedure 8.6, “To Configure an External User Group:” for further context.
|
Table 8.2. Example Settings for Active Directory LDAP Connection
Setting | Example value |
---|---|
Account username | DOMAIN\redhat |
Account password | P@ssword |
Base DN | DC=example,DC=COM |
Groups Base DN | CN=Users,DC=example,DC=com |
Login name attribute | userPrincipalName |
First name attribute | givenName |
Surname attribute | sn |
Email address attribute |
Note
userPrincipalName
allows the use of whitespace in usernames. The login name attribute sAMAccountName
(which is not listed in the table above) provides backwards compatibility with legacy Microsoft systems. sAMAccountName
does not allow the use of whitespace in usernames.
Table 8.3. Example Settings for FreeIPA or Red Hat Identity Management LDAP Connection
Setting | Example value |
---|---|
Account username | uid=redhat,cn=users,cn=accounts,dc=example,dc=com |
Base DN | dc=example,dc=com |
Groups Base DN | cn=groups,cn=accounts,dc=example,dc=com |
Login name attribute | uid |
First name attribute | givenName |
Surname attribute | sn |
Email address attribute |
Table 8.4. Example Settings for POSIX (OpenLDAP) LDAP Connection
Setting | Example value |
---|---|
Account username | uid=redhat,ou=users,dc=example,dc=com |
Base DN | dc=example,dc=com |
Groups Base DN | cn=employee,ou=userclass,dc=example,dc=com |
Login name attribute | uid |
First name attribute | givenName |
Surname attribute | sn |
Email address attribute |