
13.3.3. Configuring Direct AD Integration with GSS-proxy


In the Satellite CLI, configure the direct Active Directory integration with GSS-proxy.

Prerequisite

Procedure

  1. Create the /etc/ipa/ directory and the default.conf file:

    # mkdir /etc/ipa
    # touch /etc/ipa/default.conf
  2. To the default.conf file, add the following content:

    [global]
    server = unused
    realm = EXAMPLE.ORG
  3. Create the /etc/net-keytab.conf file with the following content:

    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    kerberos method = system keytab
    security = ads
  4. Determine the effective user ID of the Apache user:

    # id apache

    The Apache user must not have access to the keytab file.

  5. Create the /etc/gssproxy/00-http.conf file with the following content:

    [service/HTTP]
    mechs = krb5
    cred_store = keytab:/etc/krb5.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    euid = ID_of_Apache_User
  6. Create a keytab entry:

    # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
    # chown root.apache /etc/httpd/conf/http.keytab
    # chmod 640 /etc/httpd/conf/http.keytab
  7. Enable IPA authentication in Satellite:

    # satellite-installer --foreman-ipa-authentication=true
  8. Start and enable the gssproxy service:

    # systemctl restart gssproxy.service
    # systemctl enable gssproxy.service
  9. Configure the Apache server to use the gssproxy service:

    1. Create the /etc/systemd/system/httpd.service file with the following content:

      .include /lib/systemd/system/httpd.service
      [Service]
      Environment=GSS_USE_PROXY=1
    2. Apply changes to the service:

      # systemctl daemon-reload
  10. Start and enable the httpd service:

    # systemctl restart httpd.service
  11. Verify that SSO is working as expected.

    With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

    1. Retrieve the Kerberos ticket of the LDAP user, using the following command:

      # kinit ldapuser
    2. View the Kerberos ticket, using the following command:

      # klist
    3. View output from successful SSO-based authentication, using the following command:

      # curl -k -u : --negotiate https://satellite.example.com/users/extlogin

      This returns the following response:

      <html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>
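The following shell script is an added example, not part of the Red Hat procedure above: it renders the same four configuration files (steps 1 to 3, 5 and 9) under a root directory so they can be reviewed before being applied, and it checks the keytab permissions that step 6 leaves behind (group-readable at most, no access for "other"). The realm and workgroup values are the EXAMPLE.ORG and EXAMPLE placeholders from the page; the Apache UID is an argument so the script does not depend on an `apache` account existing on the host where it is reviewed.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Renders the configuration files from the
# procedure into ROOT (use "/" on the Satellite host, a scratch directory for
# review) and provides a permission check for the HTTP keytab.

# Usage: render_gssproxy_config ROOT REALM WORKGROUP APACHE_UID
render_gssproxy_config() {
  root="$1"; realm="$2"; workgroup="$3"; apache_uid="$4"
  mkdir -p "$root/etc/ipa" "$root/etc/gssproxy" "$root/etc/systemd/system"

  # Step 1/2: /etc/ipa/default.conf
  cat > "$root/etc/ipa/default.conf" <<EOF
[global]
server = unused
realm = $realm
EOF

  # Step 3: /etc/net-keytab.conf, used by "net ads keytab add" via -s
  cat > "$root/etc/net-keytab.conf" <<EOF
[global]
workgroup = $workgroup
realm = $realm
kerberos method = system keytab
security = ads
EOF

  # Step 5: /etc/gssproxy/00-http.conf; euid is the effective UID of the
  # Apache user from "id apache" so gssproxy serves only that process identity
  cat > "$root/etc/gssproxy/00-http.conf" <<EOF
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = $apache_uid
EOF

  # Step 9: systemd override that makes httpd talk to gssproxy
  cat > "$root/etc/systemd/system/httpd.service" <<EOF
.include /lib/systemd/system/httpd.service
[Service]
Environment=GSS_USE_PROXY=1
EOF
}

# Returns the euid configured in the rendered gssproxy service file.
gssproxy_euid() {
  sed -n 's/^euid = //p' "$1/etc/gssproxy/00-http.conf"
}

# Returns 0 when the keytab exists and its mode grants nothing to "other"
# (0640 from step 6 passes, 0644 fails). Assumes GNU stat (Linux).
check_keytab_perms() {
  keytab="$1"
  [ -f "$keytab" ] || return 1
  mode=$(stat -c '%a' "$keytab")
  other=$(printf '%s' "$mode" | tail -c 1)
  [ "$other" = "0" ]
}

# On the Satellite host (as root):
#   render_gssproxy_config / EXAMPLE.ORG EXAMPLE "$(id -u apache)"
#   check_keytab_perms /etc/httpd/conf/http.keytab && echo "keytab mode ok"
```

Render into a scratch directory first and `diff -r` it against `/etc` to see exactly what the procedure changes; the permission check is the one to rerun after any package update touches `/etc/httpd/conf`.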
© 2024 Red Hat, Inc.