
8.2.5. Integrating Active Directory Authentication with Identity Management


Identity Management (IdM) on Red Hat Enterprise Linux provides a simple, centralized solution to securely manage user authentication. IdM integrates industry standard protocols and servers, such as Kerberos, LDAP, DNS, NTP, and X509 Certificates, into a secure, reliable, and scalable identity management solution.
As a system administrator, you might already source your authentication methods into one location using IdM. IdM defines a domain, with servers and clients who share centrally-managed services, like Kerberos and DNS. OpenShift Enterprise can take advantage of the various features available with IdM. Integration with IdM is ideal, because the authorization and authentication framework in IdM easily supports protocols such as Kerberos, LDAP, DNS, NTP, and x509 Authentication.
Complete the following procedures in the order presented to integrate IdM into your OpenShift Enterprise instance.

Note

The following steps assume Active Directory and IdM are installed in your OpenShift Enterprise infrastructure.

Procedure 8.8. To Configure the Firewall Ports:

Before the IdM integration can occur, ensure the IdM server can access your instance by configuring the firewall ports. Perform the following steps on all hosts (broker, nodes, and so on).
  1. Save the existing firewall configuration and keep as a backup:
    # cp -p /etc/sysconfig/iptables{,.pre-idm}
  2. Create a new chain named ipa-client-chain. This contains the firewall rules for the ports needed by IdM:
    # iptables --new-chain ipa-client-chain
    # iptables --insert INPUT --jump ipa-client-chain
  3. Perform the following step for each required port:
    # iptables --append ipa-client-chain --protocol Protocol --destination-port Port_Number --jump ACCEPT
    The ports that may be in use in your instance are listed in Section 5.2.1, “Custom and External Firewalls”. The --protocol option indicates the protocol of the rule to check. The specified protocol can be tcp, udp, udplite, icmp, esp, ah, or sctp, or you can use "all" to indicate all protocols.
  4. Save the new firewall configuration, restart the iptables service, then ensure the changes are set upon reboot:
    # iptables-save > /etc/sysconfig/iptables
    # service iptables restart
    # chkconfig iptables on
  5. For each OpenShift host, verify that the IdM server and replica are listed in the /etc/resolv.conf file. The IdM server and replica must be listed before any additional servers.

    Example 8.4. Featured IdM Server and Replica in the /etc/resolv.conf File

    domain broker.example.com
    search broker.example.com
    nameserver 10.19.140.101
    nameserver 10.19.140.102
    nameserver 10.19.140.423
  6. Now that the IdM server has been configured, configure each OpenShift host to be an IdM client, then verify the Kerberos and IdM lookups. Install the ipa-client package on each host, then run the install tool:
    # yum install ipa-client
    # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
    The --enable-dns-updates option permits the IdM client to dynamically register its IP address with the DNS service on the IdM server. The --ssh-trust-dns option configures OpenSSH to trust the SSHFP records in IdM DNS, where the host keys are stored. The --mkhomedir option automatically creates a home directory on the client upon the user's first login. Note that if DNS is properly configured, the install tool detects the IdM server through autodiscovery. If autodiscovery fails, the install tool can be run with the --server option and the IdM server's FQDN.
  7. Next, verify that Kerberos and IdM lookups are functioning by using the following commands on each host, entering a password when prompted:
    # kinit admin
    Password for admin@BROKER.EXAMPLE.COM: *******
    # klist
    # id admin
    Then, use the same command for each user:
    # id Username

    Note

    If the IdM server has been re-deployed since installation, the CA certificate may be out of sync. If so, you might receive an error with your LDAP configuration. To correct the issue, list the certificate files, rename the certificate file, then re-run the install:
    # ll /etc/ipa
    # mv /etc/ipa/ca.crt /etc/ipa/ca.crt.bad
    # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir
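Two helpers for the host preparation above, added here as an example and not part of the Red Hat guide: one prints the ipa-client-chain rules for a reviewed port list instead of applying them blindly, the other checks the resolv.conf ordering that step 5 requires. The port list and nameserver addresses fed to them are constructed.

```shell
#!/bin/sh
# Added helpers, not part of the Red Hat guide: generate the ipa-client-chain
# rules of Procedure 8.8 from a port list, and check the resolv.conf ordering
# that step 5 requires. The port list and addresses used are constructed.

# Read "proto:port" entries from stdin and print the iptables commands that
# would open them in ipa-client-chain. Printing instead of executing lets the
# rule set be reviewed (and diffed against the .pre-idm backup) before use.
gen_ipa_chain_rules() {
    echo "iptables --new-chain ipa-client-chain"
    echo "iptables --insert INPUT --jump ipa-client-chain"
    while IFS=: read -r proto port; do
        case "$proto" in
            tcp|udp|udplite|sctp)
                # Only these protocols carry a port number.
                echo "iptables --append ipa-client-chain --protocol $proto" \
                     "--destination-port $port --jump ACCEPT" ;;
            icmp|esp|ah|all)
                echo "iptables --append ipa-client-chain --protocol $proto --jump ACCEPT" ;;
            *)
                echo "unsupported protocol: $proto" >&2
                return 1 ;;
        esac
    done
}

# Return 0 if the nameservers given as $2.. are the first ones listed in the
# resolv.conf passed as $1, before any other nameserver.
idm_nameservers_first() {
    file=$1; shift
    first=$(awk '/^nameserver/ { print $2 }' "$file" | head -n "$#")
    for ns in "$@"; do
        printf '%s\n' "$first" | grep -qx "$ns" || return 1
    done
    return 0
}
```

Run the generator on every host's port list and pipe the output through sh only after reviewing it; the resolv.conf check belongs in the same pre-flight script.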
Configuring for Application Developers

While your OpenShift Enterprise instance is now configured for IdM use, the next step is to configure any application developer interaction with the broker host for use with IdM. This will allow each developer to authenticate to the broker host.

Procedure 8.9. To Authorize Developer Interaction with the Broker Host:

  1. On the IdM server, create an HTTP service principal for each of your running brokers. This allows the broker host to authenticate to the IdM server using Kerberos. Be sure to replace broker1 with the hostname of the desired broker host, and broker.example.com with the IdM server hostname configured in the above procedure:
    # ipa service-add HTTP/broker1.broker.example.com
  2. Create an HTTP Kerberos keytab on the broker host. This will provide secure access to the broker web services:
    # ipa-getkeytab -s idm-srv1.broker.example.com \
        -p HTTP/broker1.broker.example.com@BROKER.EXAMPLE.COM \
        -k /var/www/openshift/broker/httpd/conf.d/http.keytab
    # chown apache:apache /var/www/openshift/broker/httpd/conf.d/http.keytab
    If you have multiple brokers, copy the keytab file to the other brokers.
  3. If your instance has not completed Section 8.2.3, “Authenticating Using Kerberos” in the OpenShift Enterprise Deployment Guide, follow it now to authenticate to the broker host using Kerberos.
  4. Restart the broker and Console services:
    # service openshift-broker restart
    # service openshift-console restart
  5. Create a backup of the nsupdate plug-in. The nsupdate plug-in facilitates any updates to the dynamic DNS zones without the need to edit zone files or restart the DNS server:
    # cp -p /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf{,.orig}
    Then, edit the file and replace its contents with the following:
    BIND_SERVER="10.19.140.101"
    BIND_PORT=53
    BIND_ZONE="broker.example.com"
    BIND_KRB_PRINCIPAL="DNS/broker1.broker.example.com@BROKER.EXAMPLE.COM"
    BIND_KRB_KEYTAB="/etc/dns.keytab"
    Ensure that BIND_SERVER points to the IP address of the IdM server, BIND_ZONE points to the domain name, and the BIND_KRB_PRINCIPAL is correct. The BIND_KRB_KEYTAB is configured after the DNS service is created and when the zones are modified for dynamic DNS.
  6. Create the broker DNS service. Run the following command for each broker host:
    # ipa service-add DNS/broker1.broker.example.com
  7. Modify the DNS zone to allow the broker host to dynamically register applications with IdM. Perform the following on the IdM server:
    # ipa dnszone-mod interop.example.com --dynamic-update=true \
        --update-policy="grant DNS\047broker1.broker.example.com@BROKER.EXAMPLE.COM wildcard * ANY;"
    Repeat the --update-policy grant clause for each broker if you have multiple broker hosts.
  8. Generate DNS keytabs on the broker using the ipa-getkeytab tool. Repeat the following for each broker host:
    # ipa-getkeytab -s idm-srv1.interop.example.com \
        -p DNS/broker1.broker.example.com \
        -k /etc/dns.keytab
    # chown apache:apache /etc/dns.keytab
  9. Restart the broker service:
    # service openshift-broker restart
  10. The dynamic DNS is now ready for use with the client tools. Configure the client tools by running rhc setup specifying the IdM broker as the server:
    # rhc setup --server=broker.broker.example.com
  11. To verify the client tools, check the domain connectivity and deploy a test application:
    # rhc domain show
    # rhc app create App_Name Cartridge_Name
    To verify the OpenShift Enterprise broker host, run the oo-accept-broker utility from the broker host. Test the full environment with the oo-diagnostics utility:
    # oo-accept-broker
    # oo-diagnostics
    Additionally, you can verify the broker and Console access by obtaining a Kerberos ticket and testing the authentication with the following command:
    # kinit IdM_Server_Hostname
    Then run the following commands for each broker host:
    # curl -Ik --negotiate -u : https://broker1.broker.example.com/broker/rest/domains
    # curl -Ik --negotiate -u : https://broker1.broker.example.com/console
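Two post-configuration checks for the broker host, added here as an example and not part of the Red Hat guide: one confirms a keytab is owned by the expected user and readable by nobody else, the other validates the nsupdate plug-in settings against the broker's hostname and realm. The file paths and values passed to them are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Added checks, not from the Red Hat guide, for the artefacts Procedure 8.9
# leaves on a broker host: the Kerberos keytabs and the nsupdate plug-in
# configuration. Paths and values used when calling these are assumptions.

# Return 0 if the keytab exists, is owned by $2 and is readable only by that
# owner. A keytab readable by other users is a reusable long-term credential.
keytab_is_private() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    set -- $(ls -l "$file")          # $1 = mode string, $3 = owner
    case "$1" in
        -r??------*) [ "$3" = "$owner" ] ;;
        *) return 1 ;;
    esac
}

# Return 0 if the openshift-origin-dns-nsupdate.conf at $1 names a principal
# of the form DNS/<broker host>@<REALM> for the host $2 and realm $3, and its
# BIND_ZONE is the parent zone of that host name.
nsupdate_conf_ok() {
    conf=$1; host=$2; realm=$3
    zone=$(sed -n 's/^BIND_ZONE="\(.*\)"$/\1/p' "$conf")
    princ=$(sed -n 's/^BIND_KRB_PRINCIPAL="\(.*\)"$/\1/p' "$conf")
    keytab=$(sed -n 's/^BIND_KRB_KEYTAB="\(.*\)"$/\1/p' "$conf")
    [ -n "$zone" ] && [ -n "$princ" ] && [ -n "$keytab" ] || return 1
    [ "$princ" = "DNS/$host@$realm" ] || return 1
    case "$host" in
        *."$zone") return 0 ;;
        *) return 1 ;;
    esac
}
```

On a real broker, call keytab_is_private on both /var/www/openshift/broker/httpd/conf.d/http.keytab and /etc/dns.keytab with owner apache, and nsupdate_conf_ok on /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf with the output of hostname -f and the realm shown by klist.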