How to authenticate Satellite web UI users using FreeIPA?

How to authenticate Satellite web UI users using FreeIPA?

⁠1.- Installing the IPA Client
Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
For a regular user system, this requires only the ipa-client package:
​[root@client ~]# yum install ipa-client
2.- If the IdM server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the list of name servers in the client's /etc/resolv.conf file.
3.- Run the client setup command.
​[root@client ~]# ipa-client-install --enable-dns-updates
The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IdM server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
Options for ipa-client-install are listed in the ipa-client-install manpage.
4.- If prompted, enter the domain name for the IdM DNS domain.

DNS discovery failed to determine your DNS domain
​Please provide the domain name of your IPA server (ex: example.com): example.com
5.- If prompted, enter the fully-qualified domain name of the IdM server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the IdM server.
​DNS discovery failed to find the IPA Server
​Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com

IMPORTANT

This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
The client script then prompts for a Kerberos identity to use to contact and then join the Kerberos realm. When these credentials are supplied, then the client is able to join the IdM Kerberos domain and then complete the configuration:
Continue to configure the system with these values? [no]: y 
User authorized to enroll computers: admin 
Synchronizing time with KDC... 
Password for admin@EXAMPLE.COM: 
Successfully retrieved CA cert 
Subject: CN=Certificate Authority,O=EXAMPLE.COM 
Issuer: CN=Certificate Authority,O=EXAMPLE.COM 
Valid From: Tue Aug 13 09:29:07 2013 UTC 
Valid Until: Sat Aug 13 09:29:07 2033 UTC 
Enrolled in IPA realm EXAMPLE.COM 
Created /etc/ipa/default.conf 
New SSSD config will be created 
Configured /etc/sssd/sssd.conf 
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM 
Failed to update DNS records. 
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub 
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub 
Could not update DNS SSHFP records. 
SSSD enabled 
Configured /etc/openldap/ldap.conf 
NTP enabled 
Configured /etc/ssh/ssh_config 
Configured /etc/ssh/sshd_config 
Client configuration complete.
6.- Test that the client can connect successfully to the IdM domain and can perform basic tasks. For example, check that the IdM tools can be used to get user and group information:
[jsmith@client ~]$ id
​[jsmith@client ~]$ getent passwd admin
​[jsmith@client ~]$ getent group admins
7.- Add on the IPA server the service
HTTP/<the-foreman-fqdn>@EXAMPLE.COM

8.- Enable the boolean to allow passenger to communicate with the ldap server

#setsebool -P passenger_can_connect_all on

9.- Configure Satellite 6 with Katello-Installer to enable external authentication with IPA
katello-installer --foreman-ipa-authentication true
10.- Login into you satellite server with you local admin user and configure the ldap authentication
LDAP Server
Name: Name for you new ldap source
Server: FQDN of you IPA Server
Port: Typically either LDAPS on port 636 or LDAP on port 389.
TLS: disable
Account
Account uid=<username>,cn=users,cn=accounts,dc=example,dc=com
Base DN cn=users,cn=accounts,dc=example,dc=com
LDAP filter optional
Automatic create account in foreman tick
Attribute Maps
Login name attribute    uid
First name attribute    givenName
Surname attribute   sn
Email address attribute mail
In case you get the following error:
Attribute Maps

Repeating errors encountered during run:

[ERROR 2015-05-23 01:15:52 verbose]  /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s data.example.com -k /etc/httpd/conf/http.keytab -p HTTP/katello.example.com           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
[ERROR 2015-05-23 01:15:52 verbose]  /Stage[main]/Foreman::Config/Exec[ipa-getkeytab]/returns: change from notrun to 0 failed: /bin/echo Get keytab           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k           && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s data.example.com -k /etc/httpd/conf/http.keytab -p HTTP/katello.example.com           && kdestroy -c KEYRING:session:get-http-service-keytab returned 9 instead of one of [0]
This mean you forgot to add the http service in you IPA step 7 of this guide with that resolve this issue.

Comments

Post a Comment

Popular posts from this blog

How to clean all the foreman task and locked task

1.- First make su to postgres user su -s /bin/bash - postgres  2.-Execute psql psql  3.- connect to the foreman database \c foreman;  4.- Delete all the foreman task and foreman task locks delete from foreman_tasks_tasks;  delete from foreman_tasks_locks;  5.- Quit from postgres and exit \q  exit  6. Restart all the services for s in {qpidd,pulp_celerybeat,pulp_ resource_manager,pulp_workers, httpd}; do sudo service $s restart; done  Update in todays foreman you can clean the task using the following command: foreman-rake foreman_tasks:cleanup
Read more

CentOS 7 Server Hardening Guide

CentOS 7 Server Hardening Guide 1. System Settings – Disk Partitioning and Post installation 1.1 Disk Encryption with Kickstart The easiest way to encrypt a partition is during Kickstart installation. This can be achieved by adding the –encrypted and –passphrase= options to the definition of a physical LVM volume. Our Kickstart template is provided below. Note that the template requires a 32GB disk. #version=CentOS7.5 # System authorisation information auth --enableshadow --passalgo=sha512 # Use CDROM installation media cdrom ignoredisk --only-use=sda # Keyboard layouts keyboard --vckeymap=gb --xlayouts='gb' # System language lang en_GB.UTF-8 # SELinux selinux --enforcing # Network information network --bootproto=dhcp --device=eth0 --onboot=on --activate network --hostname=ks-c7.example.com # Plaintext root password: PleaseChangeMe rootpw --iscrypted $6$nS0mBJyS$q/QgCof5unWrT9W3qngTISueSDhDHVNntDqd8sOcgmHp2lq4f/niUbjCmoEzaf3EWQ2x3z/k0eIZa
Read more

How to restrict users to send only mail to the local domain in Zimbra

How to restrict users to send only mail to the local domain in Zimbra 1. Open file /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf and add this line below reject_non_fqdn_recipient. This is example on my system permit_sasl_authenticated check_sender_access lmdb:/opt/zimbra/postfix/conf/restricted_senders permit_mynetworks 2. Open file /opt/zimbra/conf/zmconfigd.cf and add those lines before RESTART mta. This is example on my system POSTCONF smtpd_restriction_classes local_only POSTCONF local_only FILE postfix_check_recipient_access.cf RESTART mta 3. Create a file /opt/zimbra/conf/postfix_check_recipient_access.cf and add the following line.  check_recipient_access lmdb:/opt/zimbra/postfix/conf/local_domains, reject 4. Create a file "/opt/zimbra/postfix/conf/restricted_senders" and list all the users, whom you want to restrict. Follow this syntax: user@yourdomain.com local_only 5. Create a file "/opt/zimbra/postfix/con
Read more