8.2.5. Integrating Active Directory Authentication with Identity Management

Procedure 8.8. To Configure the Firewall Ports:

1. Save the existing firewall configuration and keep as a backup:

   # cp -p /etc/sysconfig/iptables{,.pre-idm}

   Copy to Clipboard Toggle word wrap
2. Create a new chain named ipa-client-chain. This contains the firewall rules for the ports needed by IdM:

   # iptables --new-chain ipa-client-chain
   # iptables --insert INPUT --jump ipa-client-chain

   Copy to Clipboard Toggle word wrap
3. Perform the following step for each required port:

   # iptables --append ipa-client-chain --protocol Protocol --destination-port Port_Number --jump ACCEPT

   Copy to Clipboard Toggle word wrap

   A list of ports that may be being used in your instance are listed in Section 5.2.1, “Custom and External Firewalls”. The --protocol option indicates the protocol of the rule to check. The specified protocol can be tcp, udp, udplite, icmp, esp, ah, or sctp, or you can use ""all" to indicate all protocols.
4. Save the new firewall configuration, restart the iptables service, then ensure the changes are set upon reboot:

   # iptables-save > /etc/sysconfig/iptables
   # service iptables restart
   # chkconfig iptables on

   Copy to Clipboard Toggle word wrap
5. For each OpenShift host, verify that the IdM server and replica are listed in the /etc/resolv.conf file. The IdM server and replica must be listed before any additional servers.

   Example 8.4. Featured IdM Server and Replica in the /etc/resolv.conf File

   domain broker.example.com
   search broker.example.com
   nameserver 10.19.140.101 nameserver 10.19.140.102
   nameserver 10.19.140.423

   Copy to Clipboard Toggle word wrap
6. Now that the IdM server has been configured, configure each OpenShift host to be a IdM client, then verify the Kerberos and IdM lookups. Install the ipa-client package on each host, then run the install tool:

   # yum install ipa-client
   # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir

   Copy to Clipboard Toggle word wrap

   The --enable-dns-updates option permits the IdM client to dynamically register its IP address with the DNS service on the IdM server. The --ssh-trust-dns option configures OpenSSH to allow any IdM DNS records where the host keys are stored. The --mkhomedir option automatically creates a home directory on the client upon the user's first login. Note that if DNS is properly configured, then the install tool will detect the IdM server through autodiscovery. If the autodiscovery fails, the install can be run with the --server option with the IdM server's FQDN.
7. Next, verify that Kerberos and IdM lookups are functioning by using the following command on each host, entering a password when prompted:

   # kinit admin
   Password for admin@BROKER.EXAMPLE.COM: *******
   # klist
   # id admin

   Copy to Clipboard Toggle word wrap

   Then, use the same command for each user:

   # id Username

   Copy to Clipboard Toggle word wrap

   Note

   If the IdM server has been re-deployed since installation, the CA certificate may be out of sync. If so, you might receive an error with your LDAP configuration. To correct the issue, list the certificate files, re-name the certificate file, then re-run the install:

   # ll /etc/ipa
   # mv /etc/ipa/ca.crt /etc/ipa/ca.crt.bad
   # ipa-client-install --enable-dns-updates --ssh-trust-dns --mkhomedir

   Copy to Clipboard Toggle word wrap

Procedure 8.9. To Authorize Developer Interaction with the Broker Host:

1. On the IdM server, create a HTTP web server for each of your running brokers. This allows the broker host to authenticate to the IdM server using Kerberos. Ensure to replace broker1 with the hostname of the desired broker host, and broker.example,com with the IdM server hostname configured in the above procedure:

   # ipa service-add HTTP/broker1.broker.example.com

   Copy to Clipboard Toggle word wrap
2. Create a HTTP Kerberos keytab on the broker host. This will provide secure access to the broker web services:

   # ipa-getkeytab -s idm-srv1.broker.example.com \
   # ipa-getkeytab -p HTTP/broker1.broker.example.com@BROKER.EXAMPLE.COM \
   # ipa-getkeytab -k /var/www/openshift/broker/httpd/conf.d/http.keytab
   # chown apache:apache /var/www/openshift/broker/httpd/conf.d/http.keytab

   Copy to Clipboard Toggle word wrap

   If you have multiple brokers, copy the keyfile to the other brokers.
3. If your instance has not completed Section 8.2.3, “Authenticating Using Kerberos” in the OpenShift Enterprise Deployment Guide, follow it now to authenticate to the broker host using Kerberos.
4. Restart the broker and Console services:

   # service openshift-broker restart
   # service openshift-console restart

   Copy to Clipboard Toggle word wrap
5. Create a backup of the nsupdate plug-in. The nsupdate plug-in facilitates any updates to the dynamic DNS zones without the need to edit zone files or restart the DNS server:

   # cp -p /etc/openshift/plugins.d/openshift-origin-dns-nsupdate.conf{,.orig}

   Copy to Clipboard Toggle word wrap

   Then, edit the file and replace with the contents below:

   BIND_SERVER="10.19.140.101"
   BIND_PORT=53
   BIND_ZONE="broker.example.com"
   BIND_KRB_PRINCIPAL="DNS/broker1.broker.example.com@BROKER.EXAMPLE.COM"
   BIND_KRB_KEYTAB="/etc/dns.keytab"

   Copy to Clipboard Toggle word wrap

   Ensure that BIND_SERVER points to the IP address of the IdM server, BIND_ZONE points to the domain name, and the BIND_KRB_PRINCIPAL is correct. The BIND_KRB_KEYTAB is configured after the DNS service is created and when the zones are modified for dynamic DNS.
6. Create the broker DNS service. Run the following command for each broker host:

   # ipa service-add DNS/broker1.broker.example.com

   Copy to Clipboard Toggle word wrap
7. Modify the DNS zone to allow the broker host to dynamically register applications with IdM. Perform the following on the idM server:

   # ipa dnszone-mod interop.example.com --dynamic-update=true --update-policy= \ "grant DNS\047\broker1.broker.example.com@BROKER.EXAMPLE.COM wildcard * ANY;\"

   Copy to Clipboard Toggle word wrap

   Ensure to repeat the second line for each broker if you have multiple broker hosts.
8. Generate DNS keytabs on the broker using the ipa-getkeytab. Repeat the following for each broker host:

   # ipa-getkeytab -s idm-srv1.interop.example.com \
   # ipa-getkeytab -p DNS/broker1.broker.example.com \
   # ipa-getkeytab -k /etc/dns.keytab
   # chown apache:apache /etc/dns.keytab

   Copy to Clipboard Toggle word wrap
9. Restart the broker service:

   # service openshift-broker restart

   Copy to Clipboard Toggle word wrap
10. The dynamic DNS is now ready for use with the client tools. Configure the client tools by running rhc setup specifying the IdM broker as the server:

    # rhc setup --server=broker.broker.example.com

    Copy to Clipboard Toggle word wrap
11. To verify the client tools, check the domain connectivity and deploy a test application:

    # rhc domain show
    # rhc app create App_Name Cartridge_Name

    Copy to Clipboard Toggle word wrap

    To verify the OpenShift Enterprise broker host, run the oo-accept-broker utility from the broker host. Test the full environment with the oo-diagnostics utility:

    # oo-accept-broker
    # oo-diagnostics

    Copy to Clipboard Toggle word wrap

    Additionally, you can verify the broker and Console access by obtaining a Kerberos ticket and testing the authentication with the following command:

    # kinit IdM_Server_Hostname

    Copy to Clipboard Toggle word wrap

    Then running the following commands for each broker host:

    # curl -Ik --negotiate -u : https://broker1.broker.example.com/broker/rest/domains
    # curl -Ik --negotiate -u : https://broker1.broker.example.com/console

    Copy to Clipboard Toggle word wrap