3.5.2.2. Enabling LDAP Authentication
LDAP authentication is configured in two files.
- The katello.yml configuration file is what flags Subscription Asset Manager to use LDAP authentication (warden:) and to use LDAP for roles (ldap_roles:).
- Subscription Asset Manager uses the Ruby LDAP Fluff module for authentication details. The information on the LDAP server, such as its type, hostname and port, and user base distinguished name (DN), is defined in the ldap_fluff.yml file.
All of these configuration parameters can be set using the katello-configure command.
- Create a new Subscription Asset Manager administrative user that has the same username as an administrative user in the LDAP directory. Creating users is covered in Section 3.2.1, “Adding Users”.
Warning
Once LDAP authentication is enabled, no existing Subscription Asset Manager users can log into the Subscription Asset Manager instance. If no LDAP user is seeded into the Subscription Asset Manager instance, then you could be locked out of the server once LDAP authentication is enabled.
- Add the admin user to a global administrator role.
- Set the Subscription Asset Manager instance to use LDAP authentication instead of its local database.
[root@server ~]# katello-configure --auth-method=ldap
- Set the LDAP connection information. The required settings are slightly different, depending on what type of LDAP directory is used. Some settings are required by all directory types:
  - --ldap-server-type to identify the backend LDAP directory
  - --ldap-server for the hostname or IP address of the LDAP server
  - --ldap-port for the standard LDAP port
  - --ldap-users-basedn for the DN (or directory location) of the users subtree
  - --ldap-groups-basedn for the DN (or directory location) of the groups subtree
Then each directory type has additional configuration requirements.
For POSIX directories:
  - --ldap-encryption, which must be set to start_tls
  - --ldap-anon-queries set to true to allow anonymous searches
For example:
[root@server ~]# katello-configure --ldap-server-type=":posix" --ldap-server=rhds.example.com --ldap-port=389 \
    --ldap-users-basedn=ou=people,dc=example,dc=com --ldap-groups-basedn=ou=groups,dc=example,dc=com \
    --ldap-encryption=start_tls --ldap-anon-queries=true
For Active Directory directories:
  - --ldap-ad-domain to pass the Active Directory domain name
  - --ldap-anon-queries set to false to prevent anonymous searches
  - --ldap-service-user, which sets an identity to use for directory queries
  - --ldap-service-pass, which gives the password for the service user
For example (the groups base DN contains a space, so it must be quoted for the shell):
[root@server ~]# katello-configure --ldap-server-type=":active_directory" --ldap-server=ads.example.com --ldap-port=389 \
    --ldap-users-basedn=cn=Users,dc=win-ads,dc=example,dc=com \
    --ldap-groups-basedn="cn=Domain Admins,cn=Users,dc=win-ads,dc=example,dc=com" \
    --ldap-anon-queries=false --ldap-service-user=Administrator --ldap-service-pass=secret \
    --ldap-ad-domain=ads.example.com
For Red Hat Identity Management directories:
  - --ldap-anon-queries set to false to prevent anonymous searches
  - --ldap-service-user, which sets an identity to use for directory queries
  - --ldap-service-pass, which gives the password for the service user
For example:
[root@server ~]# katello-configure --ldap-server-type=":free_ipa" --ldap-server=ipa.example.com --ldap-port=389 \
    --ldap-users-basedn=dc=example,dc=com --ldap-groups-basedn=cn=groups,cn=accounts,dc=example,dc=com \
    --ldap-anon-queries=false --ldap-service-user=admin --ldap-service-pass=secret
- Restart Subscription Asset Manager:
[root@server ~]# katello-service restart
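As an added preflight check that is not part of this guide or of Subscription Asset Manager itself: a small Python validator that parses a katello-configure command line and confirms it carries the options this section requires for the chosen directory type, so that a half-configured directory connection is caught before --auth-method=ldap locks local users out. The per-type rules are taken from this section; the two sample command lines are the section's POSIX and Active Directory examples, constructed here as test input.

```python
import shlex

# Options the section lists as required for every directory type.
COMMON = ("ldap-server-type", "ldap-server", "ldap-port", "ldap-users-basedn", "ldap-groups-basedn")
# Per-type requirements from the section; None means "must be present, any value accepted".
PER_TYPE = {
    ":posix": {"ldap-encryption": "start_tls", "ldap-anon-queries": "true"},
    ":active_directory": {"ldap-anon-queries": "false", "ldap-service-user": None, "ldap-service-pass": None, "ldap-ad-domain": None},
    ":free_ipa": {"ldap-anon-queries": "false", "ldap-service-user": None, "ldap-service-pass": None},
}

# Constructed sample inputs: the section's POSIX and Active Directory examples, with the
# Active Directory groups DN quoted because it contains a space.
POSIX_EXAMPLE = ('katello-configure --ldap-server-type=":posix" --ldap-server=rhds.example.com --ldap-port=389 '
                 "--ldap-users-basedn=ou=people,dc=example,dc=com --ldap-groups-basedn=ou=groups,dc=example,dc=com "
                 "--ldap-encryption=start_tls --ldap-anon-queries=true")
AD_EXAMPLE = ('katello-configure --ldap-server-type=":active_directory" --ldap-server=ads.example.com --ldap-port=389 '
              "--ldap-users-basedn=cn=Users,dc=win-ads,dc=example,dc=com "
              '--ldap-groups-basedn="cn=Domain Admins,cn=Users,dc=win-ads,dc=example,dc=com" '
              "--ldap-anon-queries=false --ldap-service-user=Administrator --ldap-service-pass=secret --ldap-ad-domain=ads.example.com")

def parse_katello_configure(cmdline):
    """Split 'katello-configure --key=value ...' into a dict, honouring shell quoting."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "katello-configure":
        raise ValueError("expected a katello-configure command line")
    opts = {}
    for tok in tokens[1:]:
        if not tok.startswith("--") or "=" not in tok:
            raise ValueError(f"unsupported token {tok!r}; expected --key=value")
        key, _, value = tok[2:].partition("=")  # split on the first '=' only: DNs contain '='
        opts[key] = value
    return opts

def check_ldap_options(opts):
    """Return a list of problems; an empty list means the options satisfy the section's rules."""
    problems = [f"missing --{key}" for key in COMMON if key not in opts]
    server_type = opts.get("ldap-server-type")
    rules = PER_TYPE.get(server_type)
    if rules is None:
        return problems + [f"unknown --ldap-server-type {server_type!r}"]
    for key, expected in rules.items():
        if key not in opts:
            problems.append(f"missing --{key} (required for {server_type})")
        elif expected is not None and opts[key].lower() != expected:
            problems.append(f"--{key} must be {expected}, got {opts[key]!r}")
    return problems
```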
