13.2.2. Configuring Host-Based Authentication Control

Procedure

1. On the Red Hat Identity Management server, to authenticate, enter the following command and enter your password when prompted:

   # kinit admin

2. To verify that you have authenticated, enter the following command:

   # klist

3. Create HBAC service and rule on the Red Hat Identity Management server and link them together. The following examples use the PAM service name satellite-prod. Execute the following commands on the Red Hat Identity Management server:

   # ipa hbacsvc-add satellite-prod
   # ipa hbacrule-add allow_satellite_prod
   # ipa hbacrule-add-service allow_satellite_prod --hbacsvcs=satellite-prod

4. Add the user who is to have access to the service satellite-prod, and the hostname of the Satellite Server:

   # ipa hbacrule-add-user allow_satellite_prod --user=username
   # ipa hbacrule-add-host allow_satellite_prod --hosts=satellite.example.com

   Alternatively, host groups and user groups can be added to the allowsatellite_prod_ rule.

5. To check the status of the rule, execute:

   # ipa hbacrule-find satellite-prod
   # ipa hbactest --user=username --host=satellite.example.com --service=satellite-prod

6. Ensure the allow_all rule is disabled on the Red Hat Identity Management server. For instructions on how to do so without disrupting other services see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.

7. Configure the Red Hat Identity Management integration with the Satellite Server as described in 「Configuring Red Hat Identity Management Authentication on Satellite Server」. On the Satellite Server, define the PAM service as root:

   # satellite-installer --foreman-pam-service=satellite-prod