13.3.3. Configuring Direct AD Integration with GSS-proxy
In the Satellite CLI, configure the direct Active Directory integration with GSS-proxy.
Prerequisite
Satellite is enrolled with the Active Directory server.
For more information, see "Enrolling Satellite Server with the AD Server".
Procedure
1. Create the /etc/ipa/ directory and the default.conf file:

   # mkdir /etc/ipa
   # touch /etc/ipa/default.conf

2. To the default.conf file, add the following content:

   [global]
   server = unused
   realm = EXAMPLE.ORG

3. Create the /etc/net-keytab.conf file with the following content:

   [global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   kerberos method = system keytab
   security = ads

4. Determine the effective user ID of the Apache user:

   # id apache

   The Apache user must not have access to the keytab file.

5. Create the /etc/gssproxy/00-http.conf file with the following content, replacing ID_of_Apache_User with the user ID determined in the previous step:

   [service/HTTP]
   mechs = krb5
   cred_store = keytab:/etc/krb5.keytab
   cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
   euid = ID_of_Apache_User

6. Create a keytab entry:

   # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
   # chown root.apache /etc/httpd/conf/http.keytab
   # chmod 640 /etc/httpd/conf/http.keytab

7. Enable IPA authentication in Satellite:

   # satellite-installer --foreman-ipa-authentication=true

8. Start and enable the gssproxy service:

   # systemctl restart gssproxy.service
   # systemctl enable gssproxy.service

9. Configure the Apache server to use the gssproxy service:

   a. Create the /etc/systemd/system/httpd.service file with the following content:

      .include /lib/systemd/system/httpd.service
      [Service]
      Environment=GSS_USE_PROXY=1

   b. Apply changes to the service:

      # systemctl daemon-reload

10. Start and enable the httpd service:

    # systemctl restart httpd.service

11. Verify that SSO is working as expected.

    With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

    a. Retrieve the Kerberos ticket of the LDAP user, using the following command:

       # kinit ldapuser

    b. View the Kerberos ticket, using the following command:

       # klist

    c. View output from successful SSO-based authentication, using the following command:

       # curl -k -u : --negotiate https://satellite.example.com/users/extlogin

       This returns the following response:

       <html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>
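The steps above depend on two things being consistent: the euid in /etc/gssproxy/00-http.conf must be the Apache user's real UID, and the system keytab that gssproxy reads must stay unreadable by that user while the HTTP keytab is root:apache mode 640. The following shell script is an added example, not part of the Red Hat documentation; it checks both conditions. To run offline it builds constructed sample files in a scratch directory (the UID 48 and the file contents are constructed values); on a real host you would point check_gssproxy_setup at /etc/gssproxy/00-http.conf, the output of "id -u apache", /etc/krb5.keytab and /etc/httpd/conf/http.keytab. It assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example, not from the Red Hat Satellite documentation: verify that the
# gssproxy HTTP stanza names the Apache user's UID and that the keytabs carry
# the permissions the procedure expects. Assumes GNU stat.

# Print the first value of key $2 in INI-style file $1 ("key = value").
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed when the euid in gssproxy config $1 equals UID $2.
check_euid() {
    [ "$(conf_value "$1" euid)" = "$2" ]
}

# Succeed when file $1 grants nothing to group or other (mode ends in 00),
# so a non-root account such as apache cannot read it.
keytab_private() {
    mode=$(stat -c '%a' "$1")
    [ "${mode#${mode%??}}" = "00" ]
}

# Succeed when file $1 is exactly mode 640 (root-owned, readable by the apache group).
http_keytab_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "640" ]
}

# $1 = gssproxy conf, $2 = expected Apache UID, $3 = system keytab, $4 = HTTP keytab.
check_gssproxy_setup() {
    check_euid "$1" "$2" || { echo "euid in $1 does not match UID $2"; return 1; }
    keytab_private "$3" || { echo "$3 must not be readable by group or other"; return 1; }
    http_keytab_mode_ok "$4" || { echo "$4 should be mode 640"; return 1; }
    echo "gssproxy keytab setup looks consistent"
}

# Constructed sample files in a scratch directory so the script runs offline.
demo() {
    d=$(mktemp -d)
    cat > "$d/00-http.conf" <<'EOF'
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48
EOF
    : > "$d/krb5.keytab"; chmod 600 "$d/krb5.keytab"
    : > "$d/http.keytab"; chmod 640 "$d/http.keytab"
    check_gssproxy_setup "$d/00-http.conf" 48 "$d/krb5.keytab" "$d/http.keytab"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

A failed check after the procedure usually means one of two things: "id apache" was run on a different host than the one where 00-http.conf was written, or a later package update reset keytab ownership. Rerunning the script after each satellite-installer run catches both.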