13.2. Using Red Hat Identity Management

This section shows how to integrate Red Hat Satellite Server with a Red Hat Identity Management server and how to enable host-based access control.

Note

You can attach Red Hat Identity Management as an external authentication source with no single sign-on support. For more information, see "Using LDAP".

Prerequisites

  • The Satellite Server must run on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux 6.6 or later.
  • The base operating system of the Satellite Server must be enrolled in the Red Hat Identity Management domain by the Red Hat Identity Management administrator of your organization.

The examples in this chapter assume separation between Red Hat Identity Management and Satellite configuration. However, if you have administrator privileges for both servers, you can configure Red Hat Identity Management as described in Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.

13.2.1. Configuring Red Hat Identity Management Authentication on Satellite Server

Configure Red Hat Identity Management authentication from the command line, starting with a host entry for Satellite Server on the Red Hat Identity Management server.

Procedure

  1. On the Red Hat Identity Management server, authenticate with the following command, entering your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. On the Red Hat Identity Management server, create a host entry for the Satellite Server and generate a one-time password, for example:

    # ipa host-add --random hostname

    Note

    The generated one-time password must be used on the client to complete enrollment in Red Hat Identity Management.

    For more information on host configuration properties, see About Host Entry Configuration Properties in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy guide.

  4. Create an HTTP service for Satellite Server, for example:

    # ipa service-add HTTP/hostname

    For more information on managing services, see Managing Services in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy guide.

  5. On Satellite Server, install the IPA client:

    Warning

    This command might restart Satellite services during the installation of the package. For more information about installing and updating packages on Satellite, see "Managing Packages on the Base Operating System of Satellite or Capsule".

    # satellite-maintain packages install ipa-client
  6. On Satellite Server, enter the following command as root to enroll the host in Red Hat Identity Management:

    # ipa-client-install --password OTP

    Replace OTP with the one-time password provided by the Red Hat Identity Management administrator.

  7. If Satellite Server is running on Red Hat Enterprise Linux 7, execute the following command:

    # subscription-manager repos --enable rhel-7-server-optional-rpms

    The installer depends on packages that, on Red Hat Enterprise Linux 7, are in the optional repository rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6, all necessary packages are in the base repository.

  8. Set foreman-ipa-authentication to true, using the following command:

    # satellite-installer --foreman-ipa-authentication=true
  9. Restart the Satellite services:

    # satellite-maintain service restart

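The procedure above collected into one script, added here as an example; it is not part of the Red Hat documentation or of the Satellite project's own tooling. The host name, the sample `ipa host-add --random` output and the two-mode command-line interface (`idm` for steps 1 to 4, `satellite` for steps 5 to 9) are constructed assumptions. The script extracts the generated one-time password from the `ipa host-add` output so it reaches `ipa-client-install` exactly as generated, and it checks for a fully qualified host name and a valid Kerberos ticket before creating anything in Red Hat Identity Management:

```shell
#!/bin/sh
# Added example, not Red Hat's code. The host name and the sample
# "ipa host-add --random" output below are constructed (hypothetical).

# Step 3 needs a fully qualified host name for the host entry and the
# HTTP/<host> service principal; refuse short names before calling ipa.
require_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   echo "error: '$1' is not a fully qualified host name" >&2; return 1 ;;
    esac
}

# "ipa host-add --random" prints the one-time password on a line
# "  Random password: <OTP>"; pull it out so it is never retyped by hand.
extract_otp() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Constructed sample of the ipa host-add output, used when the script is
# run without arguments so the parser can be exercised offline.
SAMPLE_HOST_ADD_OUTPUT='---------------------------------
Added host "satellite.example.com"
---------------------------------
  Host name: satellite.example.com
  Random password: 4UEeC4Hz7Tz9
  Password: True
  Keytab: False
  Managed by: satellite.example.com'

# Steps 1 to 4, run on the Red Hat Identity Management server: authenticate,
# verify the ticket, add the host with a one-time password, add its HTTP
# service. Prints the OTP for the Satellite administrator.
idm_prepare_host() {
    host="$1"
    require_fqdn "$host" || return 1
    kinit admin
    klist >/dev/null                      # non-zero exit if no valid ticket
    out=$(ipa host-add --random "$host")
    otp=$(extract_otp "$out")
    if [ -z "$otp" ]; then
        echo "error: no 'Random password' line in ipa host-add output" >&2
        return 1
    fi
    ipa service-add "HTTP/$host"
    printf '%s\n' "$otp"
}

# Steps 5 to 9, run as root on Satellite Server with the OTP from above.
satellite_enroll() {
    otp="$1"
    satellite-maintain packages install ipa-client
    ipa-client-install --password "$otp"
    # Step 7 applies only on Red Hat Enterprise Linux 7.
    if grep -q 'release 7' /etc/redhat-release; then
        subscription-manager repos --enable rhel-7-server-optional-rpms
    fi
    satellite-installer --foreman-ipa-authentication=true
    satellite-maintain service restart
}

case "${1:-}" in
    idm)       idm_prepare_host "${2:-}" ;;
    satellite) satellite_enroll "${2:-}" ;;
    *)         # no arguments: demonstrate the OTP parser on the sample output
               echo "OTP from sample output: $(extract_otp "$SAMPLE_HOST_ADD_OUTPUT")" ;;
esac
```

Run `./enroll.sh idm satellite.example.com` on the Red Hat Identity Management server, then `./enroll.sh satellite <OTP>` as root on Satellite Server with the printed password. The `klist` check makes step 2 fail the script early instead of letting `ipa host-add` fail later with a less obvious Kerberos error.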
External users can now log in to Satellite using their Red Hat Identity Management credentials. They can either log in to Satellite Server directly with their username and password, or use the configured Kerberos single sign-on: obtain a ticket on their client machine and be logged in automatically. Two-factor authentication with a one-time password (2FA OTP) is also supported. If a user in Red Hat Identity Management is configured for 2FA, and Satellite Server is running on Red Hat Enterprise Linux 7, that user can also authenticate to Satellite with an OTP.