-
Language:
English
-
Language:
English
8.2.5. Integrating Active Directory Authentication with Identity Management
Identity Management (IdM) on Red Hat
Enterprise Linux provides a simple, centralized solution to securely manage user authentication. IdM integrates industry standard protocols and servers, such as Kerberos, LDAP, DNS, NTP, and X509 Certificates, into a secure, reliable, and scalable identity management solution.
As a system administrator, you might already source your authentication methods into one location using IdM. IdM defines a domain, with servers and clients who share centrally-managed services, like Kerberos and DNS. OpenShift Enterprise can take advantage of the various features available with IdM. Integration with IdM is ideal, because the authorization and authentication framework in IdM easily supports protocols such as Kerberos, LDAP, DNS, NTP, and x509 Authentication.
Complete the following procedures in the following order presented to integrate IdM into your OpenShift Enterprise instance.
Note
The following steps assume Active Directory and IdM are installed in your OpenShift Enterprise infrastructure.
Procedure 8.8. To Configure the Firewall Ports:
Before the IdM integration can occur, ensure the IdM server can access your instance by configuring the firewall ports. Perform the following steps on all hosts (broker, nodes, etc).
- Save the existing firewall configuration and keep as a backup:
#
cp -p /etc/sysconfig/iptables{,.pre-idm}
- Create a new chain named ipa-client-chain. This contains the firewall rules for the ports needed by IdM:
#
iptables --new-chain ipa-client-chain
#iptables --insert INPUT --jump ipa-client-chain
- Perform the following step for each required port:
#
A list of ports that may be being used in your instance are listed in Section 5.2.1, “Custom and External Firewalls”. Theiptables --append ipa-client-chain --protocol Protocol --destination-port Port_Number --jump ACCEPT
--protocol
option indicates the protocol of the rule to check. The specified protocol can be tcp, udp, udplite, icmp, esp, ah, or sctp, or you can use ""all" to indicate all protocols. - Save the new firewall configuration, restart the iptables service, then ensure the changes are set upon reboot:
#
iptables-save > /etc/sysconfig/iptables
#service iptables restart
#chkconfig iptables on
- For each OpenShift host, verify that the IdM server and replica are listed in the
/etc/resolv.conf
file. The IdM server and replica must be listed before any additional servers.Example 8.4. Featured IdM Server and Replica in the
/etc/resolv.conf
Filedomain broker.example.com search broker.example.com nameserver 10.19.140.101 nameserver 10.19.140.102 nameserver 10.19.140.423
- Now that the IdM server has been configured, configure each OpenShift host to be a IdM client, then verify the Kerberos and IdM lookups. Install the ipa-client package on each host, then run the install tool:
#
Theyum install ipa-client
#ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
--enable-dns-updates
option permits the IdM client to dynamically register its IP address with the DNS service on the IdM server. The--ssh-trust-dns
option configures OpenSSH to allow any IdM DNS records where the host keys are stored. The--mkhomedir
option automatically creates a home directory on the client upon the user's first login. Note that if DNS is properly configured, then the install tool will detect the IdM server through autodiscovery. If the autodiscovery fails, the install can be run with the--server
option with the IdM server's FQDN. - Next, verify that Kerberos and IdM lookups are functioning by using the following command on each host, entering a password when prompted:
#
Then, use the same command for each user:kinit admin
Password for admin@BROKER.EXAMPLE.COM: ******* #klist
#id admin
#
id Username
Note
If the IdM server has been re-deployed since installation, the CA certificate may be out of sync. If so, you might receive an error with your LDAP configuration. To correct the issue, list the certificate files, re-name the certificate file, then re-run the install:#
ll /etc/ipa
#mv /etc/ipa/ca.crt /etc/ipa/ca.crt.bad
#ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
Configuring for Application Developers
While your OpenShift Enterprise instance is now configured for IdM use, the next step is to configure any application developer interaction with the broker host for use with IdM. This will allow each developer to authenticate to the broker host.
Procedure 8.9. To Authorize Developer Interaction with the Broker Host:
- On the IdM server, create a HTTP web server for each of your running brokers. This allows the broker host to authenticate to the IdM server using Kerberos. Ensure to replace broker1 with the hostname of the desired broker host, and broker.example,com with the IdM server hostname configured in the above procedure:
#
ipa service-add HTTP/broker1.broker.example.com
- Create a HTTP Kerberos keytab on the broker host. This will provide secure access to the broker web services:
#
If you have multiple brokers, copy the keyfile to the other brokers.ipa-getkeytab -s idm-srv1.broker.example.com \
#ipa-getkeytab -p HTTP/broker1.broker.example.com@BROKER.EXAMPLE.COM \
#ipa-getkeytab -k /var/www/openshift/broker/httpd/conf.d/http.keytab
#chown apache:apache /var/www/openshift/broker/httpd/conf.d/http.keytab
- If your instance has not completed Section 8.2.3, “Authenticating Using Kerberos” in the OpenShift Enterprise Deployment Guide, follow it now to authenticate to the broker host using Kerberos.
- Restart the broker and Console services:
#
service openshift-broker restart
#service openshift-console restart
- Create a backup of the nsupdate plug-in. The nsupdate plug-in facilitates any updates to the dynamic DNS zones without the need to edit zone files or restart the DNS server:
#
Then, edit the file and replace with the contents below:cp -p /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf{,.orig}
BIND_SERVER="10.19.140.101" BIND_PORT=53 BIND_ZONE="broker.example.com" BIND_KRB_PRINCIPAL="DNS/broker1.broker.example.com@BROKER.EXAMPLE.COM" BIND_KRB_KEYTAB="/etc/dns.keytab"
Ensure thatBIND_SERVER
points to the IP address of the IdM server,BIND_ZONE
points to the domain name, and theBIND_KRB_PRINCIPAL
is correct. TheBIND_KRB_KEYTAB
is configured after the DNS service is created and when the zones are modified for dynamic DNS. - Create the broker DNS service. Run the following command for each broker host:
#
ipa service-add DNS/broker1.broker.example.com
- Modify the DNS zone to allow the broker host to dynamically register applications with IdM. Perform the following on the idM server:
#
Ensure to repeat the second line for each broker if you have multiple broker hosts.ipa dnszone-mod interop.example.com --dynamic-update=true --update-policy= \ "grant DNS\047\broker1.broker.example.com@BROKER.EXAMPLE.COM wildcard * ANY;\"
- Generate DNS keytabs on the broker using the
ipa-getkeytab
. Repeat the following for each broker host:#
ipa-getkeytab -s idm-srv1.interop.example.com \
#ipa-getkeytab -p DNS/broker1.broker.example.com \
#ipa-getkeytab -k /etc/dns.keytab
#chown apache:apache /etc/dns.keytab
- Restart the broker service:
#
service openshift-broker restart
- The dynamic DNS is now ready for use with the client tools. Configure the client tools by running
rhc setup
specifying the IdM broker as the server:#
rhc setup --server=broker.broker.example.com
- To verify the client tools, check the domain connectivity and deploy a test application:
#
To verify the OpenShift Enterprise broker host, run therhc domain show
#rhc app create App_Name Cartridge_Name
oo-accept-broker
utility from the broker host. Test the full environment with theoo-diagnostics
utility:#
Additionally, you can verify the broker and Console access by obtaining a Kerberos ticket and testing the authentication with the following command:oo-accept-broker
#oo-diagnostics
#
Then running the following commands for each broker host:kinit IdM_Server_Hostname
#
curl -Ik --negotiate -u : https://broker1.broker.example.com/broker/rest/domains
#curl -Ik --negotiate -u : https://broker1.broker.example.com/console