8.2. Using Identity Management

Select from one of the following methods:

8.2.1. Using Identity Management Directly

This section shows how to integrate Red Hat Satellite Server with an IdM server and how to enable host-based access control.

Prerequisites

The Satellite Server has to run on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux 6.6 or later.
The examples in this chapter assume separation between IdM and Satellite configuration. However, if you have administrator privileges for both servers, you can configure IdM as described in Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide[4].
The base operating system of the Satellite Server must be enrolled in the IdM domain by the IdM administrator of your organization.

Procedure 8.2. To Configure IdM Authentication on the Satellite Server:

  1. On the IdM server, create a host entry for the Satellite Server and generate a one-time password, for example:
    # ipa host-add --random hostname

    Note

    The generated one-time password must be used on the client to complete IdM-enrollment.
    For more information on host configuration properties, see Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide[5].
  2. Create an HTTP service for the Satellite Server, for example:
    # ipa service-add servicename/hostname
  3. On the Satellite Server, execute the following command as root to configure IdM-enrollment:
    # ipa-client-install --password OTP
    Replace OTP with the one-time password provided by the IdM administrator.
  4. If the Satellite Server is running on Red Hat Enterprise Linux 7, execute the following command:
    # subscription-manager repos --enable rhel-7-server-optional-rpms
    The installer is dependent on packages which, on Red Hat Enterprise Linux 7, are in the optional repository rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6 all necessary packages are in the base repository.
  5. Execute the following command:
    # satellite-installer --foreman-ipa-authentication=true
    This command is not limited to a fresh Satellite installation; you can use it to modify an existing Satellite installation.
  6. Restart Katello services:
    # katello-service restart
External users can now log in to Satellite using their IdM credentials. They can either log in to the Satellite Server directly with their user name and password, or take advantage of the configured Kerberos single sign-on: they obtain a ticket on their client machine and are logged in automatically. Two-factor authentication with a one-time password (2FA OTP) is also supported: if the user in IdM is configured for 2FA and the Satellite Server is running on Red Hat Enterprise Linux 7, this user can also authenticate to Satellite with an OTP. Optionally, proceed to the next procedure to configure host-based access control (HBAC).
HBAC rules define which machines within the domain an IdM user is allowed to access. You can configure HBAC on the IdM server to prevent selected users from accessing the Satellite Server. With this approach, you can prevent Satellite from creating database entries for users that are not allowed to log in. For more information on HBAC, see the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide[7].

Procedure 8.3. To Configure HBAC:

  1. Create an HBAC service and an HBAC rule on the IdM server and link them together. The following examples use the PAM service name satellite-prod. Execute the following commands on the IdM server:
    $ ipa hbacsvc-add satellite-prod
    $ ipa hbacrule-add allow_satellite_prod
    $ ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod
    
  2. Add the user who is to have access to the service satellite-prod, and the host name of the Satellite Server:
    $ ipa hbacrule-add-user allow_satellite_prod --user=username
    $ ipa hbacrule-add-host allow_satellite_prod --hosts=the-satellite-fqdn
    Alternatively, host groups and user groups can be added to the allow_satellite_prod rule.
  3. To check the status of the rule, execute:
    $ ipa hbacrule-find satellite-prod
    $ ipa hbactest --user=username --host=the-satellite-fqdn --service=satellite-prod
    
  4. Ensure the allow_all rule is disabled on the IdM server. For instructions on how to do so without disrupting other services see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal[8].
  5. Configure the IdM integration with the Satellite Server as described in Procedure 8.2, “To Configure IdM Authentication on the Satellite Server:”. On the Satellite Server, define the PAM service as root:
    # satellite-installer --foreman-pam-service=satellite-prod
    
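To confirm that the rule behaves as intended before relying on it (steps 3 and 4 above), the following added shell check, which is not part of the Red Hat guide, parses ipa hbactest and ipa hbacrule-show output: the permitted user must be granted access, an unrelated user denied, and the catch-all allow_all rule disabled. It uses the rule, service and host names from the procedure; the user names alice and bob and the sample command output embedded for offline use are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify the HBAC state left by
# Procedure 8.3 by parsing "ipa hbactest" and "ipa hbacrule-show" output.
# Rule/service/host names come from the page; alice (in the rule) and bob
# (not in the rule) are constructed user names.

# Returns 0 when "ipa hbactest" output reports access granted.
hbac_access_granted() {
  printf '%s\n' "$1" | grep -q '^Access granted: True$'
}

# Returns 0 when "ipa hbacrule-show" output shows the rule enabled.
hbac_rule_enabled() {
  printf '%s\n' "$1" | grep -q '^ *Enabled: TRUE$'
}

# Combined check. Arguments: hbactest output for the permitted user,
# hbactest output for an unrelated user, hbacrule-show output for allow_all.
verify_satellite_hbac() {
  hbac_access_granted "$1" || { echo "FAIL: permitted user is denied"; return 1; }
  if hbac_access_granted "$2"; then echo "FAIL: unrelated user is granted access"; return 1; fi
  if hbac_rule_enabled "$3"; then echo "FAIL: allow_all is still enabled"; return 1; fi
  echo "OK: satellite-prod is restricted to the allow_satellite_prod rule"
}

# Constructed samples mirroring the format ipa prints.
SAMPLE_GRANTED='--------------------
Access granted: True
--------------------
  Matched rules: allow_satellite_prod'
SAMPLE_DENIED='---------------------
Access granted: False
---------------------
  Not matched rules: allow_satellite_prod'
SAMPLE_ALLOW_ALL_ENABLED='  Rule name: allow_all
  Enabled: TRUE'
SAMPLE_ALLOW_ALL_DISABLED='  Rule name: allow_all
  Enabled: FALSE'

# Against a live IdM client, feed real command output; otherwise use the samples.
if command -v ipa >/dev/null 2>&1; then
  verify_satellite_hbac "$(ipa hbactest --user=alice --host=the-satellite-fqdn --service=satellite-prod)" \
    "$(ipa hbactest --user=bob --host=the-satellite-fqdn --service=satellite-prod)" \
    "$(ipa hbacrule-show allow_all)"
else
  verify_satellite_hbac "$SAMPLE_GRANTED" "$SAMPLE_DENIED" "$SAMPLE_ALLOW_ALL_DISABLED"
fi
```

Run it on the Satellite Server (or any enrolled IdM client with a Kerberos ticket) after step 5; a FAIL line points at which part of the procedure was skipped.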

8.2.2. Using Identity Management with LDAP Authentication

To attach Identity Management as an external authentication source with no single sign-on support, see Section 8.1, “Using LDAP” for more information.