Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

5.2. Using Identity Management for Authentication

Satellite 5 now offers authentication through an IdM or IPA server, which provides support for:
  • Kerberos authentication in the WebUI
  • Users do not need to be pre-created in Satellite database
  • The PAM authentication can be enabled for all users
  • User roles can be derived from user group membership in the external identity provider
  • System Groups administrators can be derived from user group membership in the external identity provider per Organization

Note

IPA authentication configuration only works with Satellite 5's Web UI. Client tools like rhn_register, rhnreg_ks, spacecmd, rhncfg-manager and the Satellite 5 API can not use IPA authentication.

5.2.1. Requirements
링크 복사

Satellite Authentication through IPA has the following requirements:
  • A configured Satellite Server. The following instructions will use the hostname satellite.example.com to denote the Satellite server.
  • A configured IPA/IdM Server on Red Hat Enterprise Linux 6 or 7. The following instructions will use the hostname ipa.example.com to denote the IPA server.
  • Installation of additional packages on the Satellite server. Use the following command to install these packages from the standard Red Hat Enterprise Linux 6 and 7 repositories: 
    [root@satellite ~]# yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
    Copy to Clipboard Toggle word wrap
  • The latest version of the selinux-policy package to ensure the latest SELinux Booleans are added. You can update this package with the following command: 
    [root@satellite ~]# yum update selinux-policy -y
    Copy to Clipboard Toggle word wrap

5.2.2. Enrolling the Satellite Server
링크 복사

Enrol the Satellite server with the IPA server using the ipa-client-install command. This will step through the required configuration options to enrol the Satellite server. 
[root@satellite ~]# ipa-client-install
Provide the domain name of your IPA server (ex: example.com): example.com
Provide your IPA server name (ex: ipa.example.com): ipa.example.com
Hostname: satellite.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM: *********
Copy to Clipboard Toggle word wrap
When complete, the Satellite server acts as an client using the IPA Server details.
The IPA server also requires a HTTP Service for the Satellite server. Authenticate the Satellite server against the IPA server with the admin user and run the ipa service-add command: 
[root@satellite ~]# kinit admin
[root@satellite ~]# ipa service-add HTTP/satellite.example.com
--------------------------------------------------
Added service "HTTP/satellite.example.com@EXAMPLE.COM"
--------------------------------------------------
  Principal: HTTP/satellite.example.com@EXAMPLE.COM
  Managed by: satellite.example.com
Copy to Clipboard Toggle word wrap

5.2.3. Using the IPA Authentication Setup Tool
링크 복사

Satellite contains a tool called spacewalk-setup-ipa-authentication, which configures your Satellite server to use IPA Authentication. The tool performs the following steps:
  • Configures Kerberos authentication on the Satellite server
  • Configures SSSD services on the Satellite server
  • Configures Satellite webservers to communicate with SSSD and observe PAM authentication
Run the command on the Satellite server to start the configuration: 
[root@satellite ~]# spacewalk-setup-ipa-authentication
Copy to Clipboard Toggle word wrap

5.2.4. Finalizing Authentication Configuration
링크 복사

Log in as the Satellite administration user and navigate to Admin Users External Authentication. Set the Default organization to the default organization for new users authenticating through IPA. Click Update to save this option.
Users can now login to Satellite using their IPA credentials.

5.2.5. Configuring IPA to Use Multiple Organizations (Optional)
링크 복사

The IPA server contains a parameter for the Organizational Unit for each user. Satellite can use this value to map to its own Organizations. This adds specific users to Organizations based upon the Organizational Unit value (ou) in the IPA server.
Log in as the Satellite administration user and navigate to Admin Users External Authentication. Enable the Use organization unit name passed from IPA option and click Update.
Satellite now adds users to Organizations based on each user's Organizational Unit in the IPA server. Users with no Organizational Unit are assigned to the default organization.

5.2.6. Configuring IPA to Use Groups (Optional)
링크 복사

The IPA server contains parameters for Groups, which Satellite can map to roles. This provides a method to use role-based permissions for IPA users.
Log in as the Satellite administration user and navigate to Admin Users External Authentication Group Role Mapping. Click the Create new external group link and enter the following details:
  • External Group Name - Enter the name of the group from the IPA server.
  • Administrative Roles and Roles - Select roles to assign to the group. For example, assign the Channel Administrator.
Click Create to complete the group creation.
Satellite now assigns permissions to users based on each user's IPA groups.
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat