Red Hat Training

A Red Hat training course is available for Red Hat Satellite

8.5. External Authentication for Provisioned Hosts

This section shows how to configure IdM integration to authenticate provisioned hosts. First configure the Satellite or Capsule Server for IdM realm support, then add hosts to the IdM realm group.

8.5.1. Configuring a Red Hat Satellite Server or Capsule Server for IdM Realm Support

To use IdM for provisioned hosts, first configure the Red Hat Satellite Server or Red Hat Satellite Capsule Server.

Prerequisites

  • A Satellite Server is registered to the content delivery network, an independent Capsule Server is registered to the Satellite Server.
  • A realm or domain provider such as Red Hat Identity Management is configured.

Procedure 8.7. To configure the Satellite Server or Capsule Server for IdM Realm Support:

  1. On the Satellite Server or Capsule Server, install the following packages: 
    # yum install ipa-client foreman-proxy ipa-admintools
  2. Configure the Satellite Server (or Capsule Server) as an IdM client: 
    # ipa-client-install
  3. Create a realm-capsule user and the relevant roles in Red Hat Identity Management on the Satellite Server or Capsule Server: 
    # foreman-prepare-realm admin realm-capsule
    Running foreman-prepare-realm will prepare an IdM server for use with the Capsule Server. It creates a dedicated role with the permissions needed for Satellite, creates a user with that role and retrieves the keytab file. You will need your Identity Management server configuration details on this step.
    If the command successfully executes, you should be able to see the following command output: 
    Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User:    realm-capsule
Realm Proxy Keytab:  /root/freeipa.keytab

    Note

    To configure Satellite Server and at least one external Capsule Server for IdM Realm support with the same principal and realm, you must copy the /root/freeipa.keytab file to all the previously joined Capsule Servers after running the foreman-prepare-realm script. 
    # scp /root/freeipa.keytab your_username@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
  4. Move the /root/freeipa.keytab to the /etc/foreman-proxy directory and set the ownership settings to the user foreman-proxy: 
    # mv /root/freeipa.keytab /etc/foreman-proxy
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
  5. Configure the realm based on whether you are using Satellite Server or Capsule Server:
    • If you are using the integrated capsule Server in the Satellite Server, use satellite-installer to configure the realm: 
      # satellite-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal 'realm-capsule@EXAMPLE.COM' \
--foreman-proxy-realm-provider freeipa

      Note

      You can also run these options when you first configure the Red Hat Satellite Server.
    • If you are using an independent Capsule Server, use satellite-installer --scenario-capsule to configure the realm: 
      # satellite-installer --scenario-capsule --realm true \
--realm-keytab /etc/foreman-proxy/freeipa.keytab \
--realm-principal 'realm-capsule@EXAMPLE.COM' \
--realm-provider freeipa
  6. Make sure that the most updated versions of the ca-certificates package is installed and trust the IdM Certificate Authority: 
    # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
  7. (Optional) If you are configuring IdM on an already existing Satellite Server or Capsule Server, the following steps should also be taken to make sure that the configuration changes take effect:
    1. Restart the foreman-proxy service: 
      # service foreman-proxy restart
    2. Log in to the Satellite Server and click InfrastructureCapsules.
    3. Click on the drop-down menu on the right-hand side of the Capsule Server you have configured for IdM and choose Refresh Features.
  8. Finally, create a new realm entry in the Satellite Server user interface:
    1. Click InfrastructureRealms and on the right-hand corner of the main page, click New Realm.
    2. Fill in the fields in the following subtabs:
      1. On the Realm subtab, provide the realm name, the type of realm to use and the realm proxy.
      2. On the Locations subtab, choose the locations where the new realm is intended for use.
      3. On the Organizations subtab, choose the organizations where the new realm is intended for use.
    3. Click Submit.
The Satellite Server or Capsule Server is now ready to provision hosts that automatically register to IdM. The next section will detail the steps on how to automatically add hosts to an IdM host group.

8.5.2. Adding Hosts to an IdM Host Group

Red Hat Enterprise Linux Identity Management (IdM) supports the ability to set up automatic membership rules based on a system's attributes. Red Hat Satellite's realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the IdM parameter "userclass" which allow administrators to configure automembership.
When nested host groups are used, they are sent to the IdM server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".

Note

The Satellite Server or Capsule Server sends updates to the IdM server, however automembership rules are only applied at initial registration.

Procedure 8.8. To Add Hosts to an IdM Host Group:

  1. On the IdM server, create a host group: 
    # ipa hostgroup-add hostgroup_name
Description: hostgroup_description
----------------------------
Added hostgroup "hostgroup_name"
----------------------------
Host-group: hostgroup_name
Description: hostgroup_description
    Where:
    1. hostgroup_name is the host group's name.
    2. hostgroup_description is the host group's description.
  2. Create an automembership rule: 
    # ipa automember-add --type=hostgroup automember_rule
----------------------------------
Added automember rule "automember_rule"
----------------------------------
Automember Rule: automember_rule
    Where:
    1. automember-add flags the group as an automember group.
    2. --type=hostgroup identifies that the target group is a host group, not a user group.
    3. automember_rule is the name you wish to identify the automember rule by.
  3. Define an automembership condition based on the userclass attribute: 
    # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
    Where:
    1. automember-add-condition allows you to add regular expression conditions to identify group members.
    2. --key=userclass specifies the key attribute as userclass.
    3. --type=hostgroup identifies that the target group is a host group, not a user group.
    4. --inclusive-regex=^webserver is a regular expression pattern to identify matching values.
    5. hostgroup_name is the target host group's name.
When a system is added to the Satellite Server's hostgroup_name host group, it will now automatically be added to the Identity Management server's "hostgroup_name" host group as well. IdM host groups allow for Host-Based Access Controls (HBAC), sudo policies and other IdM functions.