Red Hat Summit13.2. Using Red Hat Identity Management
This section shows how to integrate Red Hat Satellite Server with a Red Hat Identity Management server and how to enable host-based access control.
You can attach Red Hat Identity Management as an external authentication source with no single sign-on support. For more information, see 「Using LDAP」.
Prerequisites
- The Satellite Server has to run on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux 6.6 or later.
- The base operating system of the Satellite Server must be enrolled in the Red Hat Identity Management domain by the Red Hat Identity Management administrator of your organization.
The examples in this chapter assume separation between Red Hat Identity Management and Satellite configuration. However, if you have administrator privileges for both servers, you can configure Red Hat Identity Management as described in Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
13.2.1. Configuring Red Hat Identity Management Authentication on Satellite Server
In the Satellite CLI, configure Red Hat Identity Management authentication by first creating a host entry on the Red Hat Identity Management server.
Procedure
On the Red Hat Identity Management server, to authenticate, enter the following command and enter your password when prompted:
kinit admin
# kinit adminCopy to Clipboard Copied! Toggle word wrap Toggle overflow To verify that you have authenticated, enter the following command:
klist
# klistCopy to Clipboard Copied! Toggle word wrap Toggle overflow On the Red Hat Identity Management server, create a host entry for the Satellite Server and generate a one-time password, for example:
ipa host-add --random hostname
# ipa host-add --random hostnameCopy to Clipboard Copied! Toggle word wrap Toggle overflow 注記The generated one-time password must be used on the client to complete Red Hat Identity Management-enrollment.
For more information on host configuration properties, see About Host Entry Configuration Properties in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy guide.
Create an HTTP service for Satellite Server, for example:
ipa service-add HTTP/hostname
# ipa service-add HTTP/hostnameCopy to Clipboard Copied! Toggle word wrap Toggle overflow For more information on managing services, see Managing Services in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy guide.
On Satellite Server, install the IPA client:
警告This command might restart Satellite services during the installation of the package. For more information about installing and updating packages on Satellite, see 「Managing Packages on the Base Operating System of Satellite or Capsule」.
satellite-maintain packages install ipa-client
# satellite-maintain packages install ipa-clientCopy to Clipboard Copied! Toggle word wrap Toggle overflow On Satellite Server, enter the following command as root to configure Red Hat Identity Management-enrollment:
ipa-client-install --password OTP
# ipa-client-install --password OTPCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace OTP with the one-time password provided by the Red Hat Identity Management administrator.
If Satellite Server is running on Red Hat Enterprise Linux 7, execute the following command:
subscription-manager repos --enable rhel-7-server-optional-rpms
# subscription-manager repos --enable rhel-7-server-optional-rpmsCopy to Clipboard Copied! Toggle word wrap Toggle overflow The installer is dependent on packages which, on Red Hat Enterprise Linux 7, are in the optional repository
rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6 all necessary packages are in thebaserepository.Set
foreman-ipa-authenticationto true, using the following command:satellite-installer --foreman-ipa-authentication=true
# satellite-installer --foreman-ipa-authentication=trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow Restart the
satellite-maintainservices:satellite-maintain service restart
# satellite-maintain service restartCopy to Clipboard Copied! Toggle word wrap Toggle overflow
External users can now log in to Satellite using their Red Hat Identity Management credentials. They can now choose to either log in to Satellite Server directly using their username and password or take advantage of the configured Kerberos single sign-on and obtain a ticket on their client machine and be logged in automatically. The two-factor authentication with one-time password (2FA OTP) is also supported. If the user in Red Hat Identity Management is configured for 2FA, and Satellite Server is running on Red Hat Enterprise Linux 7, this user can also authenticate to Satellite with an OTP.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}