13.3. Using Active Directory
This section shows how to use direct Active Directory (AD) as an external authentication source for Satellite Server.
You can attach Active Directory as an external authentication source with no single sign-on support. For more information, see "Using LDAP". For an example configuration, see How to configure Active Directory authentication with TLS on Satellite 6.
Direct AD integration means that Satellite Server is joined directly to the AD domain where the identity is stored. The recommended setup consists of two steps:
- Enrolling Satellite Server with the Active Directory server as described in "Enrolling Satellite Server with the AD Server".
- Configuring direct Active Directory integration with GSS-proxy as described in "Configuring Direct AD Integration with GSS-proxy".
13.3.1. GSS-Proxy
The traditional process of Kerberos authentication in Apache requires the Apache process to have read access to the keytab file. GSS-Proxy allows you to implement stricter privilege separation for the Apache server by removing its access to the keytab file while preserving Kerberos authentication functionality. When using AD as an external authentication source for Satellite, it is recommended to implement GSS-Proxy, because the keys in the keytab file are the same as the host keys.
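One way to confirm the separation described above, as an added example that is not part of the Satellite documentation: the script evaluates a keytab's POSIX mode bits against a service account. The path /etc/krb5.keytab and the account name apache in the usage comment are assumptions (the usual host keytab location and Apache account on Red Hat Enterprise Linux), and ACLs and SELinux policy are not evaluated.

```shell
#!/bin/sh
# Added example: check that a service account cannot read a Kerberos keytab.
# Only classic POSIX mode bits are evaluated; ACLs and SELinux are not.

# can_read MODE FILE_UID FILE_GID SUBJ_UID "SUBJ_GIDS"
# MODE is octal, as printed by `stat -c %a`. Returns 0 when read is granted.
can_read() {
    mode=$1; fuid=$2; fgid=$3; suid=$4; sgids=$5
    # uid 0 bypasses mode bits entirely
    if [ "$suid" -eq 0 ]; then return 0; fi
    perm=$((0$mode))                    # leading 0 makes the value octal
    if [ "$suid" -eq "$fuid" ]; then
        bit=$(( (perm >> 6) & 4 ))      # owner class wins when the uid matches
    else
        ingroup=0
        for g in $sgids; do
            if [ "$g" -eq "$fgid" ]; then ingroup=1; fi
        done
        if [ "$ingroup" -eq 1 ]; then
            bit=$(( (perm >> 3) & 4 ))  # group class
        else
            bit=$(( perm & 4 ))         # other class
        fi
    fi
    [ "$bit" -ne 0 ]
}

# check_keytab FILE USER
# 0 = USER cannot read FILE, 1 = USER can read it, 2 = lookup failed.
check_keytab() {
    meta=$(stat -L -c '%a %u %g' "$1" 2>/dev/null) || return 2   # GNU stat
    uid=$(id -u "$2" 2>/dev/null) || return 2
    gids=$(id -G "$2" 2>/dev/null) || return 2
    set -- $meta "$uid" "$gids"
    if can_read "$1" "$2" "$3" "$4" "$5"; then return 1; fi
    return 0
}

# Usage (assumed path and account): sh keytab_check.sh /etc/krb5.keytab apache
if [ "$#" -eq 2 ]; then
    rc=0; check_keytab "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 cannot read $1" ;;
        1) echo "EXPOSED: $2 can read $1" ;;
        *) echo "ERROR: cannot inspect $1 or resolve $2" ;;
    esac
fi
```

A result of EXPOSED for the Apache account means the web server process can still read the host keys directly.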
The AD integration requires Red Hat Satellite Server to be deployed on Red Hat Enterprise Linux 7.1 or later.
Perform the following procedures on the Red Hat Enterprise Linux system that acts as the base operating system for your Satellite Server. In the examples in this section, EXAMPLE.ORG is the Kerberos realm for the AD domain. After you complete the procedures, users who belong to the EXAMPLE.ORG realm can log in to the Satellite Server.