8.5. External Authentication for Provisioned Hosts
This section shows how to configure IdM integration to authenticate provisioned hosts. First configure the Satellite or Capsule Server for IdM realm support, then add hosts to the IdM realm group.
8.5.1. Configuring a Red Hat Satellite Server or Capsule Server for IdM Realm Support
To use IdM for provisioned hosts, first configure the Red Hat Satellite Server or Red Hat Satellite Capsule Server.
Prerequisites
- A Satellite Server is registered to the Content Delivery Network and, if you are using one, an independent Capsule Server is registered to the Satellite Server.
- A realm or domain provider such as Red Hat Identity Management is configured.
Procedure 8.7. To configure the Satellite Server or Capsule Server for IdM Realm Support:
- On the Satellite Server or Capsule Server, install the following packages:
# yum install ipa-client foreman-proxy ipa-admintools
- Configure the Satellite Server (or Capsule Server) as an IdM client:
# ipa-client-install
- Create a realm-capsule user and the relevant roles in Red Hat Identity Management on the Satellite Server or Capsule Server:
# foreman-prepare-realm admin realm-capsule
Running foreman-prepare-realm prepares an IdM server for use with the Capsule Server. It creates a dedicated role with the permissions needed for Satellite, creates a user with that role, and retrieves the keytab file. You will need your Identity Management server configuration details for this step. If the command executes successfully, you see the following output:
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User: realm-capsule
Realm Proxy Keytab: /root/freeipa.keytab
Note
To configure Satellite Server and at least one external Capsule Server for IdM Realm support with the same principal and realm, you must copy the /root/freeipa.keytab file to all the previously joined Capsule Servers after running the foreman-prepare-realm script:
# scp /root/freeipa.keytab your_username@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
- Move the /root/freeipa.keytab file to the /etc/foreman-proxy directory and set its ownership to the foreman-proxy user:
# mv /root/freeipa.keytab /etc/foreman-proxy
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
- Configure the realm based on whether you are using Satellite Server or Capsule Server:
  - If you are using the integrated Capsule Server in the Satellite Server, use satellite-installer to configure the realm:
# satellite-installer --foreman-proxy-realm true \
  --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
  --foreman-proxy-realm-principal 'realm-capsule@EXAMPLE.COM' \
  --foreman-proxy-realm-provider freeipa
Note
You can also pass these options when you first configure the Red Hat Satellite Server.
  - If you are using an independent Capsule Server, use satellite-installer --scenario-capsule to configure the realm:
# satellite-installer --scenario-capsule --realm true \
  --realm-keytab /etc/foreman-proxy/freeipa.keytab \
  --realm-principal 'realm-capsule@EXAMPLE.COM' \
  --realm-provider freeipa
- Make sure that the latest version of the ca-certificates package is installed, then trust the IdM Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
- (Optional) If you are configuring IdM on an existing Satellite Server or Capsule Server, also take the following steps to make sure that the configuration changes take effect:
  - Restart the foreman-proxy service:
# service foreman-proxy restart
  - Log in to the Satellite Server and click .
  - Click the drop-down menu on the right-hand side of the Capsule Server you have configured for IdM and choose .
- Finally, create a new realm entry in the Satellite Server user interface:
  - Click and, in the right-hand corner of the main page, click .
  - Fill in the fields in the following subtabs:
    - On the Realm subtab, provide the realm name, the type of realm to use, and the realm proxy.
    - On the Locations subtab, choose the locations where the new realm is intended for use.
    - On the Organizations subtab, choose the organizations where the new realm is intended for use.
  - Click .
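The following check script is an added example, not part of the Red Hat documentation or the foreman-proxy project. It verifies the two things the procedure above depends on before foreman-proxy is restarted: that the keytab is in place with the ownership and a non-world-readable mode (the keytab is a credential), and that the IdM CA copied into the trust anchors still matches /etc/ipa/ca.crt. Paths, owner and principal are arguments; the klist principal check is assumed to be available only where the Kerberos client tools are installed.

```shell
#!/bin/sh
# Added example (not from the Satellite documentation): pre-restart checks for
# the realm proxy keytab and the IdM CA trust anchor on a Satellite/Capsule.

file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_realm_keytab KEYTAB OWNER [PRINCIPAL]
# Returns 0 when KEYTAB exists, is owned by OWNER, is not group/world readable
# and (when PRINCIPAL is given and klist is installed) contains PRINCIPAL.
check_realm_keytab() {
  keytab="$1"; owner="$2"; principal="$3"; rc=0
  if [ ! -f "$keytab" ]; then
    echo "FAIL: $keytab not found; run foreman-prepare-realm or copy the keytab"
    return 1
  fi
  actual=$(file_owner "$keytab")
  if [ "$actual" != "$owner" ]; then
    echo "FAIL: $keytab is owned by $actual, expected $owner (run chown)"; rc=1
  fi
  case "$(file_mode "$keytab")" in
    600|400) ;;
    *) echo "FAIL: $keytab is readable by others; a keytab is a credential, use mode 0600"; rc=1 ;;
  esac
  if [ -n "$principal" ] && command -v klist >/dev/null 2>&1; then
    klist -kt "$keytab" | grep -q "$principal" \
      || { echo "FAIL: principal $principal not found in $keytab"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "OK: $keytab"
  return "$rc"
}

# check_ipa_ca_anchor IPA_CA ANCHOR
# Returns 0 when the IdM CA was copied into the trust anchors unchanged.
check_ipa_ca_anchor() {
  ipa_ca="$1"; anchor="$2"
  [ -f "$anchor" ] || { echo "FAIL: $anchor missing; copy $ipa_ca there and run update-ca-trust"; return 1; }
  cmp -s "$ipa_ca" "$anchor" || { echo "FAIL: $anchor differs from $ipa_ca; re-copy it and run update-ca-trust"; return 1; }
  echo "OK: IdM CA present in trust anchors"
}

# With --run, check the default paths used in the procedure above.
[ "${1:-}" = "--run" ] && {
  check_realm_keytab /etc/foreman-proxy/freeipa.keytab foreman-proxy 'realm-capsule@EXAMPLE.COM'
  check_ipa_ca_anchor /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
}
```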
The Satellite Server or Capsule Server is now ready to provision hosts that automatically register to IdM. The next section will detail the steps on how to automatically add hosts to an IdM host group.
8.5.2. Adding Hosts to an IdM Host Group
Red Hat Enterprise Linux Identity Management (IdM) supports automatic membership rules based on a system's attributes. Red Hat Satellite's realm feature lets administrators map Red Hat Satellite host groups to the IdM parameter "userclass", which allows administrators to configure automembership.
When nested host groups are used, they are sent to the IdM server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".
Note
The Satellite Server or Capsule Server sends updates to the IdM server; however, automembership rules are applied only at initial registration.
Procedure 8.8. To Add Hosts to an IdM Host Group:
- On the IdM server, create a host group:
# ipa hostgroup-add hostgroup_name
Description: hostgroup_description
----------------------------
Added hostgroup "hostgroup_name"
----------------------------
  Host-group: hostgroup_name
  Description: hostgroup_description
Where:
- hostgroup_name is the host group's name.
- hostgroup_description is the host group's description.
- Create an automembership rule:
# ipa automember-add --type=hostgroup automember_rule
----------------------------------
Added automember rule "automember_rule"
----------------------------------
  Automember Rule: automember_rule
Where:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule is the name you wish to identify the automember rule by.
- Define an automembership condition based on the userclass attribute:
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
  Automember Rule: automember_rule
  Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
Where:
- automember-add-condition allows you to add regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex=^webserver is a regular expression pattern to identify matching values.
- hostgroup_name is the target host group's name.
When a system is added to the Satellite Server's hostgroup_name host group, it will now automatically be added to the Identity Management server's "hostgroup_name" host group as well. IdM host groups allow for Host-Based Access Controls (HBAC), sudo policies and other IdM functions.
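The following is an added example, not code from the Red Hat documentation or from IdM itself: a small model of how an IdM automember rule evaluates the userclass value that Satellite sends, so a rule can be dry-run before hosts register. It goes slightly beyond the procedure above by also modelling IdM's --exclusive-regex conditions (an exclusive match always wins), and it shows the caveat for nested host groups: the userclass is the full title such as "Parent/Child/Child", so the anchored pattern ^webserver only matches a top-level "webserver" host group. The rule table and host group titles are constructed sample data.

```python
import re

# Constructed sample rules, keyed by target IdM host group. Each condition is
# (attribute, regex); IdM evaluates regexes with search (not full-match)
# semantics, and an exclusive match overrides any inclusive match.
AUTOMEMBER_RULES = {
    "webservers": {
        "inclusive": [("userclass", r"^webserver")],   # the rule from the procedure
        "exclusive": [],
    },
    "dbservers": {
        "inclusive": [("userclass", r"^db"), ("userclass", r"/db/")],
        "exclusive": [("userclass", r"staging")],      # assumed extra condition
    },
}


def satellite_userclass(hostgroup_title):
    """Satellite sends the host group title unchanged, e.g. 'Parent/Child/Child'."""
    return hostgroup_title


def rule_matches(attrs, rule):
    """True if some inclusive regex matches a value of its attribute and no
    exclusive regex does. attrs maps attribute name -> list of values, since
    IdM attributes such as userclass are multi-valued."""
    def any_match(conditions):
        return any(re.search(regex, value)
                   for attr, regex in conditions
                   for value in attrs.get(attr, []))
    return any_match(rule["inclusive"]) and not any_match(rule["exclusive"])


def automember_groups(attrs, rules=AUTOMEMBER_RULES):
    """Host groups the host would be placed in at initial registration."""
    return sorted(group for group, rule in rules.items() if rule_matches(attrs, rule))


def groups_for_satellite_host(hostgroup_title, rules=AUTOMEMBER_RULES):
    """Dry-run a Satellite host group title against the automember rules."""
    return automember_groups({"userclass": [satellite_userclass(hostgroup_title)]}, rules)


if __name__ == "__main__":
    for title in ("webserver", "Production/webserver", "db-prod", "db-staging"):
        print(f"{title!r:25} -> {groups_for_satellite_host(title)}")
```

A nested group such as "Production/webserver" lands in no group with the anchored pattern; use a pattern like (^|/)webserver if child groups are meant to match.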