6.2. Using Identity Management for Authentication
Satellite 5 now offers authentication through an IdM or IPA server, which provides support for:
- Kerberos authentication in the WebUI
- Users do not need to be pre-created in Satellite database
- The PAM authentication can be enabled for all users
- User roles can be derived from user group membership in the external identity provider
- System Groups administrators can be derived from user group membership in the external identity provider per Organization
Note
IPA authentication configuration only works with Satellite 5's Web UI. Client tools like
rhn_register, rhnreg_ks, spacecmd, rhncfg-manager and the Satellite 5 API can not use IPA authentication.
6.2.1. Requirements
Satellite Authentication through IPA has the following requirements:
- A configured Satellite Server. The following instructions will use the host name
satellite.example.comto denote the Satellite server. - A configured IPA/IdM Server on Red Hat Enterprise Linux 6 or 7. The following instructions will use the host name
ipa.example.comto denote the IPA server. - Installation of additional packages on the Satellite server. Use the following command to install these packages from the standard Red Hat Enterprise Linux 6 and 7 repositories:
[root@satellite ~]# yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
- The latest version of the
selinux-policypackage to ensure the latest SELinux Booleans are added. You can update this package with the following command:[root@satellite ~]# yum update selinux-policy -y
