13.3.3. Configuring Direct AD Integration with GSS-proxy
In the Satellite CLI, configure the direct Active Directory integration with GSS-proxy.
Prerequisite
Satellite is enrolled with the Active Directory server.
For more information, see 「Enrolling Satellite Server with the AD Server」.
Procedure
1. Create the /etc/ipa/ directory and the default.conf file:

   # mkdir /etc/ipa
   # touch /etc/ipa/default.conf

2. To the default.conf file, add the following content:

   [global]
   server = unused
   realm = EXAMPLE.ORG

3. Create the /etc/net-keytab.conf file with the following content:

   [global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   kerberos method = system keytab
   security = ads

4. Determine the effective user ID of the Apache user:

   # id apache

   The Apache user must not have access to the keytab file.

5. Create the /etc/gssproxy/00-http.conf file with the following content, replacing ID_of_Apache_User with the ID determined in the previous step:

   [service/HTTP]
   mechs = krb5
   cred_store = keytab:/etc/krb5.keytab
   cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
   euid = ID_of_Apache_User

6. Create a keytab entry:

   # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
   # chown root.apache /etc/httpd/conf/http.keytab
   # chmod 640 /etc/httpd/conf/http.keytab

7. Enable IPA authentication in Satellite:

   # satellite-installer --foreman-ipa-authentication=true

8. Start and enable the gssproxy service:

   # systemctl restart gssproxy.service
   # systemctl enable gssproxy.service

9. Configure the Apache server to use the gssproxy service:

   a. Create the /etc/systemd/system/httpd.service file with the following content:

      .include /lib/systemd/system/httpd.service
      [Service]
      Environment=GSS_USE_PROXY=1

   b. Apply changes to the service:

      # systemctl daemon-reload

   c. Start and enable the httpd service:

      # systemctl restart httpd.service
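The following POSIX shell helpers are an added illustration and are not part of the Satellite documentation or product. They check that a keytab has exactly the permissions the "chmod 640" step produces (and in particular is not readable by "others"), and render the gssproxy HTTP service section from the numeric UID that the "id apache" step determines. The temporary files, the fallback UID 48 and the user name "apache" are constructed for the demo; the real paths from the procedure appear only inside the rendered configuration.

```shell
#!/bin/sh
# Added example, not from the Satellite docs. Helpers for the keytab and
# gssproxy steps of the procedure above.

# Return 0 when the file mode string is exactly -rw-r----- (mode 640),
# which is what "chmod 640 /etc/httpd/conf/http.keytab" produces.
# The mode string is taken from "ls -ld", which is portable across sh flavours.
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-r-----" ]
}

# Return 0 when the "others" permission bits are all clear, i.e. no account
# outside the owner and group can read the keytab.
keytab_not_world_readable() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Print the numeric uid of a user (default "apache"); return 1 if the user
# does not exist on this host, so callers never fall back to a bogus euid.
apache_euid() {
    id -u "${1:-apache}" 2>/dev/null
}

# Print the /etc/gssproxy/00-http.conf content for the given Apache euid,
# mirroring the [service/HTTP] section in the procedure. A non-numeric euid
# (for example a placeholder left in by mistake) is rejected.
render_gssproxy_conf() {
    case "$1" in
        ''|*[!0-9]*) echo "render_gssproxy_conf: euid must be numeric, got '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = $1
EOF
}

# Demo with constructed files in a temporary directory: one keytab with the
# expected mode 640 and one that was left world-readable (644).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
good="$demo_dir/http.keytab"
bad="$demo_dir/leaky.keytab"
: > "$good"; chmod 640 "$good"
: > "$bad";  chmod 644 "$bad"

for f in "$good" "$bad"; do
    if keytab_mode_ok "$f"; then
        echo "OK   $f"
    else
        echo "FAIL $f has mode $(ls -ld "$f" | cut -c1-10), expected -rw-r-----"
    fi
done

# Render the gssproxy section with the real apache uid when the host has that
# account, otherwise with the constructed uid 48 so the demo still runs.
if euid=$(apache_euid apache); then
    render_gssproxy_conf "$euid"
else
    echo "no apache user on this host; rendering with constructed uid 48"
    render_gssproxy_conf 48
fi
```

Run the mode checks against the real keytab path from the procedure after the chown/chmod step; a non-zero exit from keytab_not_world_readable is the case worth alerting on, since it means any local account could copy the HTTP service credential.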
Verification

Verify that SSO is working as expected. With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

1. Retrieve the Kerberos ticket of the LDAP user:

   # kinit ldapuser

2. View the Kerberos ticket:

   # klist

3. View the output from a successful SSO-based authentication:

   # curl -k -u : --negotiate https://satellite.example.com/users/extlogin

   This returns the following response:

   <html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>