8.2.5. Integrating Active Directory Authentication with Identity Management

Identity Management (IdM) on Red Hat Enterprise Linux provides a simple, centralized solution to securely manage user authentication. IdM integrates industry standard protocols and servers, such as Kerberos, LDAP, DNS, NTP, and X509 Certificates, into a secure, reliable, and scalable identity management solution.
As a system administrator, you might already source your authentication methods into one location using IdM. IdM defines a domain, with servers and clients who share centrally-managed services, like Kerberos and DNS. OpenShift Enterprise can take advantage of the various features available with IdM. Integration with IdM is ideal, because the authorization and authentication framework in IdM easily supports protocols such as Kerberos, LDAP, DNS, NTP, and x509 Authentication.
Complete the following procedures in the following order presented to integrate IdM into your OpenShift Enterprise instance.

Note

The following steps assume Active Directory and IdM are installed in your OpenShift Enterprise infrastructure.

Procedure 8.8. To Configure the Firewall Ports:

Before the IdM integration can occur, ensure the IdM server can access your instance by configuring the firewall ports. Perform the following steps on all hosts (broker, nodes, etc).
  1. Save the existing firewall configuration and keep as a backup: 
    # cp -p /etc/sysconfig/iptables{,.pre-idm}
  2. Create a new chain named ipa-client-chain. This contains the firewall rules for the ports needed by IdM: 
    # iptables --new-chain ipa-client-chain
# iptables --insert INPUT --jump ipa-client-chain
  3. Perform the following step for each required port: 
    # iptables --append ipa-client-chain --protocol Protocol --destination-port Port_Number --jump ACCEPT
    A list of ports that may be being used in your instance are listed in Section 5.2.1, “Custom and External Firewalls”. The --protocol option indicates the protocol of the rule to check. The specified protocol can be tcp, udp, udplite, icmp, esp, ah, or sctp, or you can use ""all" to indicate all protocols.
  4. Save the new firewall configuration, restart the iptables service, then ensure the changes are set upon reboot: 
    # iptables-save > /etc/sysconfig/iptables
# service iptables restart
# chkconfig iptables on
  5. For each OpenShift host, verify that the IdM server and replica are listed in the /etc/resolv.conf file. The IdM server and replica must be listed before any additional servers.

    Example 8.4. Featured IdM Server and Replica in the /etc/resolv.conf File

    domain broker.example.com
search broker.example.com
nameserver 10.19.140.101 nameserver 10.19.140.102
nameserver 10.19.140.423
  6. Now that the IdM server has been configured, configure each OpenShift host to be a IdM client, then verify the Kerberos and IdM lookups. Install the ipa-client package on each host, then run the install tool: 
    # yum install ipa-client
# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
    The --enable-dns-updates option permits the IdM client to dynamically register its IP address with the DNS service on the IdM server. The --ssh-trust-dns option configures OpenSSH to allow any IdM DNS records where the host keys are stored. The --mkhomedir option automatically creates a home directory on the client upon the user's first login. Note that if DNS is properly configured, then the install tool will detect the IdM server through autodiscovery. If the autodiscovery fails, the install can be run with the --server option with the IdM server's FQDN.
  7. Next, verify that Kerberos and IdM lookups are functioning by using the following command on each host, entering a password when prompted: 
    # kinit admin
Password for admin@BROKER.EXAMPLE.COM: *******
# klist
# id admin
    Then, use the same command for each user: 
    # id Username

    Note

    If the IdM server has been re-deployed since installation, the CA certificate may be out of sync. If so, you might receive an error with your LDAP configuration. To correct the issue, list the certificate files, re-name the certificate file, then re-run the install: 
    # ll /etc/ipa
# mv /etc/ipa/ca.crt /etc/ipa/ca.crt.bad
# ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
Configuring for Application Developers

While your OpenShift Enterprise instance is now configured for IdM use, the next step is to configure any application developer interaction with the broker host for use with IdM. This will allow each developer to authenticate to the broker host.

Procedure 8.9. To Authorize Developer Interaction with the Broker Host:

  1. On the IdM server, create a HTTP web server for each of your running brokers. This allows the broker host to authenticate to the IdM server using Kerberos. Ensure to replace broker1 with the hostname of the desired broker host, and broker.example,com with the IdM server hostname configured in the above procedure: 
    # ipa service-add HTTP/broker1.broker.example.com
  2. Create a HTTP Kerberos keytab on the broker host. This will provide secure access to the broker web services: 
    # ipa-getkeytab -s idm-srv1.broker.example.com \
# ipa-getkeytab -p HTTP/broker1.broker.example.com@BROKER.EXAMPLE.COM \
# ipa-getkeytab -k /var/www/openshift/broker/httpd/conf.d/http.keytab
# chown apache:apache /var/www/openshift/broker/httpd/conf.d/http.keytab
    If you have multiple brokers, copy the keyfile to the other brokers.
  3. If your instance has not completed Section 8.2.3, “Authenticating Using Kerberos” in the OpenShift Enterprise Deployment Guide, follow it now to authenticate to the broker host using Kerberos.
  4. Restart the broker and Console services: 
    # service openshift-broker restart
# service openshift-console restart
  5. Create a backup of the nsupdate plug-in. The nsupdate plug-in facilitates any updates to the dynamic DNS zones without the need to edit zone files or restart the DNS server: 
    # cp -p /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf{,.orig}
    Then, edit the file and replace with the contents below: 
    BIND_SERVER="10.19.140.101"
BIND_PORT=53
BIND_ZONE="broker.example.com"
BIND_KRB_PRINCIPAL="DNS/broker1.broker.example.com@BROKER.EXAMPLE.COM"
BIND_KRB_KEYTAB="/etc/dns.keytab"
    Ensure that BIND_SERVER points to the IP address of the IdM server, BIND_ZONE points to the domain name, and the BIND_KRB_PRINCIPAL is correct. The BIND_KRB_KEYTAB is configured after the DNS service is created and when the zones are modified for dynamic DNS.
  6. Create the broker DNS service. Run the following command for each broker host: 
    # ipa service-add DNS/broker1.broker.example.com
  7. Modify the DNS zone to allow the broker host to dynamically register applications with IdM. Perform the following on the idM server: 
    # ipa dnszone-mod interop.example.com --dynamic-update=true --update-policy= \ "grant DNS\047\broker1.broker.example.com@BROKER.EXAMPLE.COM wildcard * ANY;\"
    Ensure to repeat the second line for each broker if you have multiple broker hosts.
  8. Generate DNS keytabs on the broker using the ipa-getkeytab. Repeat the following for each broker host: 
    # ipa-getkeytab -s idm-srv1.interop.example.com \
# ipa-getkeytab -p DNS/broker1.broker.example.com \
# ipa-getkeytab -k /etc/dns.keytab
# chown apache:apache /etc/dns.keytab
  9. Restart the broker service: 
    # service openshift-broker restart
  10. The dynamic DNS is now ready for use with the client tools. Configure the client tools by running rhc setup specifying the IdM broker as the server: 
    # rhc setup --server=broker.broker.example.com
  11. To verify the client tools, check the domain connectivity and deploy a test application: 
    # rhc domain show
# rhc app create App_Name Cartridge_Name
    To verify the OpenShift Enterprise broker host, run the oo-accept-broker utility from the broker host. Test the full environment with the oo-diagnostics utility: 
    # oo-accept-broker
# oo-diagnostics
    Additionally, you can verify the broker and Console access by obtaining a Kerberos ticket and testing the authentication with the following command: 
    # kinit IdM_Server_Hostname
    Then running the following commands for each broker host: 
    # curl -Ik --negotiate -u : https://broker1.broker.example.com/broker/rest/domains
# curl -Ik --negotiate -u : https://broker1.broker.example.com/console