13.7. External Authentication for Provisioned Hosts
Use this section to configure Satellite Server or Capsule Server for Red Hat Identity Management realm support, then add hosts to the Red Hat Identity Management realm group.
Prerequisites
You require the following setup to configure external authentication for provisioned hosts:
- Satellite Server that is registered to the Content Delivery Network or an external Capsule Server that is registered to Satellite Server.
- A deployed realm or domain provider such as Red Hat Identity Management.
To install and configure Red Hat Identity Management packages on Red Hat Satellite Server or Red Hat Satellite Capsule Server:
To use Red Hat Identity Management for provisioned hosts, complete the following steps to install and configure Red Hat Identity Management packages on Red Hat Satellite Server or Red Hat Satellite Capsule Server:
Install the
ipa-clientpackage on Satellite Server or Capsule Server:# satellite-maintain packages install ipa-client
Configure the server as a Red Hat Identity Management client:
# ipa-client-install
Create a realm proxy user,
realm-capsule, and the relevant roles in Red Hat Identity Management:# foreman-prepare-realm admin realm-capsule
Note the principal name that returns and your Red Hat Identity Management server configuration details because you require them for the following procedure.
To configure Satellite Server or Capsule Server for Red Hat Identity Management Realm Support:
Complete the following procedure on Satellite and every Capsule that you want to use:
Copy the
/root/freeipa.keytabfile to any Capsule Server that you want to include in the same principal and realm:# scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytabMove the
/root/freeipa.keytabfile to the/etc/foreman-proxydirectory and set the ownership settings to theforeman-proxyuser:# mv /root/freeipa.keytab /etc/foreman-proxy # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:
# satellite-installer --foreman-proxy-realm true \ --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \ --foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \ --foreman-proxy-realm-provider freeipaYou can also use these options when you first configure the Red Hat Satellite Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the Red Hat Identity Management Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt # update-ca-trust enable # update-ca-trust
Optional: If you configure Red Hat Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:
Restart the foreman-proxy service:
# systemctl restart foreman-proxy
- In the Satellite web UI, navigate to Infrastructure > Capsules.
- Locate the Capsule you have configured for Red Hat Identity Management and from the list in the Actions column, select Refresh.
To create a realm for the Red Hat Identity Management-enabled Capsule
After you configure your integrated or external Capsule with Red Hat Identity Management, you must create a realm and add the Red Hat Identity Management-configured Capsule to the realm.
To create a realm, complete the following steps:
- In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
- In the Name field, enter a name for the realm.
- From the Realm Type list, select the type of realm.
- From the Realm Capsule list, select the Capsule Server where you have configured Red Hat Identity Management.
- Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
- Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
- Click Submit.
Updating Host Groups with Realm Information
You must update any host groups that you want to use with the new realm information.
- Navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
- From the Realm list, select the realm you create as part of this procedure, and then click Submit.
Adding Hosts to a Red Hat Identity Management Host Group
Red Hat Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Red Hat Identity Management parameter userclass which allow administrators to configure automembership.
When nested host groups are used, they are sent to the Red Hat Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".
Satellite Server or Capsule Server sends updates to the Red Hat Identity Management server, however automembership rules are only applied at initial registration.
To Add Hosts to a Red Hat Identity Management Host Group:
On the Red Hat Identity Management server, create a host group:
# ipa hostgroup-add hostgroup_name --desc=hostgroup_description
Create an
automembershiprule:# ipa automember-add --type=hostgroup hostgroup_name automember_rule
Where you can use the following options:
-
automember-addflags the group as an automember group. -
--type=hostgroupidentifies that the target group is a host group, not a user group. -
automember_ruleadds the name you want to identify the automember rule by.
-
Define an automembership condition based on the
userclassattribute:# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name ---------------------------------- Added condition(s) to "hostgroup_name" ---------------------------------- Automember Rule: automember_rule Inclusive Regex: userclass=^webserver ---------------------------- Number of conditions added 1 ----------------------------
Where you can use the following options:
-
automember-add-conditionadds regular expression conditions to identify group members. -
--key=userclassspecifies the key attribute asuserclass. -
--type=hostgroupidentifies that the target group is a host group, not a user group. -
--inclusive-regex=^webserver identifies matching values with a regular expression pattern. - hostgroup_name - identifies the target host group’s name.
-
When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Red Hat Identity Management server’s "hostgroup_name" host group. Red Hat Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Red Hat Identity Management functions.