How to configure Active Directory authentication with TLS on Red Hat Satellite 6?

Solution Verified

Environment

  • Red Hat Satellite 6.3 or later
  • Active Directory

Issue

  • How to configure Active Directory authentication with TLS on Satellite 6.3 or later?
  • Active Directory authentication with Red Hat Satellite 6.3 or later
  • Logging in with an LDAP account results in an SSL error:

    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    
    OpenSSL::SSL::SSLError
    SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    app/models/auth_sources/auth_source_ldap.rb:50:in `authenticate'
    app/models/user.rb:190:in `try_to_login'
    app/controllers/users_controller.rb:71:in `login'
    app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
    lib/middleware/catch_json_parse_errors.rb:9:in `call'
    

Resolution

This solution covers exporting a CA certificate from Active Directory, which can then be installed on the Satellite Server's base system to enable secure LDAP (LDAPS).

The procedure to configure Red Hat Satellite to use AD as an LDAP server is described in Using LDAP. That procedure is only required if you are using AD as an LDAP server, and it does not provide single sign-on.

Note that when the use of AD is required, Red Hat recommends using AD directly as described in Using Active Directory. This method uses Kerberos for authentication, which allows for single sign-on, and does not require the certificate described here.

If secure LDAP (Lightweight Directory Access Protocol) to an Active Directory server is required, use the following procedure.

  1. Install the Active Directory Certificate Services role:

    [Screenshot: 01-ad_cs_role.png]

  2. Select the Root CA server from the Active Directory Certificate Services console:

    [Screenshot: 02-ad_cs_console.png]

  3. Right-click the Root CA server and open its Properties:

    [Screenshot: 03-ad_ca_server_properties.png]

  4. Click the Details tab and then click the Copy to File button to export the Active Directory CA certificate:

    [Screenshot: 04-ca_cert_details_tab.png]

  5. Click Next in the CA Certificate export wizard:

    [Screenshot: 05-ca_cert_export_wizard.png]

  6. Select the Base-64 encoded X.509 option to export the CA certificate in ASCII (PEM) form:

    [Screenshot: 06-ca_export_ascii_mode.png]

  7. Specify the path and file name of the CA certificate to export:

    [Screenshot: 07-ca_file_name.png]

  8. Review the details in the CA certificate export wizard and click Finish to complete the export:

    [Screenshot: 08-ca_completion_wizard.png]

  9. Alternatively, the Active Directory CA certificate can be exported from the Windows Command Prompt as shown here:

    [Screenshot: 12-cli_ca_cert_generation_1.png]

  10. Copy the exported CA certificate file to the Red Hat Satellite 6.3 or later server and execute the following commands:

    # openssl x509 -inform DER -in EXAMPLE-CA.cer -out example.crt
    # install example.crt  /etc/pki/tls/certs/
    # ln -s example.crt  /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/example.crt).0

    • Note: Make sure the certificate is in PEM format (example: example.crt). The openssl x509 -inform DER conversion above applies to a DER (binary) export; a certificate exported with the Base-64 encoded X.509 option in step 6 is already PEM and can be installed as is.
      Ensure the CA chain is complete and has all the required Certificate Authorities inside the bundle (Root + Intermediate CAs). The following command shows the chain presented by the AD server and whether it verifies against the bundle:

      # openssl s_client -connect <FQDN_AD>:636 -CAfile example.crt -showcerts -state
  11. Restart the httpd service:

    • RHEL 7:

      [root@satellite ~]# systemctl restart httpd.service

    • RHEL 6:

      [root@satellite ~]# service httpd restart

  12. Configure LDAP authentication on Red Hat Satellite 6.1. Click Administer > LDAP Authentication and configure it as shown in the following screenshots (Server type must be set to Active Directory):

    [Screenshot: 09-ldap_settings1_0.png]
    [Screenshot: 10-ldap_settings2_0.png]
    [Screenshot: 11-ldap_settings3.png]

  13. Log in to Red Hat Satellite 6 with an Active Directory user, which should now authenticate successfully. If the SSLv3 read server certificate B: certificate verify failed error still persists:

    • Add the exported CA certificate to the ca-bundle certificate:

      # cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bkp
      # cat example.crt >> /etc/pki/tls/certs/ca-bundle.crt

    • Copy the new ca-bundle.crt file to /etc/pki/ca-trust/source/anchors:

      # cp -v ca-bundle.crt /etc/pki/ca-trust/source/anchors/

    • Run the update-ca-trust commands below to extract and add the newly copied ca-bundle.crt file to the system-wide trust:

      # update-ca-trust extract
      # update-ca-trust

    • Restart the httpd service:

      # systemctl restart httpd


Note: Make sure that the AD user has the email attribute set in Active Directory; it is mandatory for logging in to the Red Hat Satellite 6 server.
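The install and verification steps above (step 10's copy into /etc/pki/tls/certs, step 13's update-ca-trust route, and the openssl s_client check) can be combined into one script. The following is an added example and not part of the Red Hat solution: it detects whether the exported file is DER or Base-64 (PEM), converts it if needed, places it in /etc/pki/ca-trust/source/anchors (assumed RHEL 7 layout, overridable through ANCHORS_DIR), rebuilds the trust store with update-ca-trust, and then checks that the AD server's chain verifies against the resulting system bundle. The function names, the ad-example-ca anchor name and the choice of the anchors directory instead of appending to ca-bundle.crt are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): install an exported Active
# Directory CA certificate into the system trust store and verify LDAPS.
# Assumes the RHEL 7 ca-trust layout; ANCHORS_DIR and SYSTEM_BUNDLE may be overridden.
set -eu

ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Report PEM or DER: the export wizard's "Base-64 encoded X.509" option
# produces PEM (text with BEGIN CERTIFICATE lines); a binary DER export does not.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Number of certificates in a PEM bundle: a complete chain carries the Root CA
# plus every Intermediate CA, so fewer than expected means a truncated bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Convert (if DER) and install the CA into the anchors directory, then rebuild
# the extracted trust bundles. Unlike appending to ca-bundle.crt, an anchor
# survives a ca-certificates package update. Prints the installed path.
install_ad_ca() {
    src="$1"
    dest="$ANCHORS_DIR/${2:-ad-example-ca}.crt"
    if [ "$(cert_format "$src")" = DER ]; then
        openssl x509 -inform DER -in "$src" -out "$dest"
    else
        install -m 0644 "$src" "$dest"
    fi
    restorecon -v "$dest" 2>/dev/null || true   # restore the SELinux label where available
    update-ca-trust
    echo "$dest"
}

# Return 0 only when openssl verifies the AD server's chain against the system
# bundle; any other verify result means the login-time SSL error will persist.
check_ldaps() {
    host="$1"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" -CAfile "$SYSTEM_BUNDLE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: ./ad_ca.sh install EXAMPLE-CA.cer [anchor-name]
#        ./ad_ca.sh check ad.example.com [port]
if [ "$#" -ge 2 ]; then
    case "$1" in
        install) install_ad_ca "$2" "${3:-}" ;;
        check)   check_ldaps "$2" "${3:-}" ;;
    esac
fi
```

Run the install action as root on the Satellite server, then restart httpd (or katello-service, see step 11 and the comments below) before the check action; a bundle whose cert_count is lower than the number of CAs in the AD chain is the usual cause of a persistent certificate verify failed error.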

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

12 Comments

There's a typo in the cp command. In the first operand it's missing the "tls" part of the actual path: /etc/pki/tls/certs/ca-bundle.crt

Hi Joel,
Good catch, it's corrected now.

Would you please provide additional information on how to get the Active Directory's ca.pem? Did you use Microsoft's "certutil.exe" command to dump it into a file, or is it easily found in the filesystem (already in PEM format)?

Is it correct to have Server Type as POSIX in the first configuration window, or should it be Active Directory? Or does it depend on whether you are using POSIX attributes in Active Directory?

Hi,
Thanks for the catch. Server type setting has to be set to Active Directory which is corrected now.

IMHO there is a better solution for step 10...!

On RHEL7 ca-bundle.crt is a to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
which belongs to ca-certificates-2015

Now, using step 10 as described, an updated RPM will cause the manually added certificates to disappear. (bye bye ldaps....)

A better alternative seems:

  • Copy all the CA-certificates needed to /etc/pki/ca-trust/source/anchors
  • Just in case: restorecon -R -v /etc/pki/ca-trust/source/anchors
  • run update-ca-trust
  • katello-service restart

LDAPS will work now, AND will survive any "update-ca-trust" which, for example is used by the RPM ca-certificates.

Step 10 does work but the solution will not work on the longer term I guess.

I agree. This is the proper solution for adding trusted certs.

The document starts with question

  • Is it possible to use PAM and Active Directory for authentication and groups with Satellite 6?

but there seems to be no answer to that question.

I found this odd as well. Since this article doesn't address that question, I think it should be removed from the Issue section.

Makes sense!! Removed it!

Is there a version of this for Windows 2012R2? The GUI in 2012R2 does not show equivalent options, and the "certutil" command given here does not produce the same output.

If you care about security at all, I cannot stress this enough: DO NOT INSTALL Certificate Services ON A DOMAIN CONTROLLER.