External Authentication (httpd) Configuration

Sample Domain and Systems

For the purpose of these instructions, the following fully qualified host names and IP addresses will be used:

Type Host Name IP Address
IPA Server ipaserver.test.company.com 192.168.100.11
Appliance appliance.test.company.com 192.168.100.12

The IPA Server serves as the test.company.com domain controller, Kerberos server, and as the LDAP DIT, hosting the Root DSE dc=test,dc=company,dc=com.


Configuration

Configuring the Network

Ensure hosts are resolvable by name. If DNS is not configured, specify the appropriate entries in the /etc/hosts on both IPA Server and Appliance:

/etc/hosts

192.168.100.11   ipaserver.test.company.com
192.168.100.12   appliance.test.company.com

On the non-DNS environment, the network configuration for the systems must reflect their FQDN.

If specifying both FQDN and Hostname in the /etc/hosts file, make sure the FQDN comes first:

192.168.100.11   ipaserver.test.company.com   ipaserver
192.168.100.12   appliance.test.company.com   appliance

/etc/sysconfig/network on Appliance.

NETWORKING=yes
HOSTNAME=appliance.test.company.com

Then run:

hostname appliance.test.company.com

Installing and Configuring the IPA Client Software

/usr/sbin/ipa-client-install -N \
  --realm=TEST.COMPANY.COM --domain=test.company.com   \
  --server=ipaserver.test.company.com   \
  --principal=admin --password=PASSWORD \
  --fixed-primary

Configure SSSD

Update the SSSD configuration file /etc/sssd/sssd.conf to define the IPA Server LDAP Domain and enable the Apache modules for external authentication:

/etc/sssd/sssd.conf

  • Add to the [domain/test.company.com] section:
[domain/test.company.com]
  ldap_user_extra_attrs = mail, givenname, sn, displayname
  • In the [sssd] section, update the services section to include “, ifp”:
[sssd]
   services = nss, pam, ssh, ifp
  • Add an [ifp] section at the end of the file:
[ifp]
  allowed_uids = apache, root, manageiq
  user_attributes = +mail, +givenname, +sn, +displayname

Configure PAM

Create a PAM Config file for the Appliance Apache authentication.

/etc/pam.d/httpd-auth

auth    required pam_sss.so
account required pam_sss.so

Configure Apache

Create an Apache Authentication file for the Appliance

/etc/httpd/conf.d/manageiq-external-auth

LoadModule authnz_pam_module modules/mod_authnz_pam.so
LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
LoadModule lookup_identity_module modules/mod_lookup_identity.so

<Location /dashboard/authenticate>
  InterceptFormPAMService httpd-auth
  InterceptFormLogin      user_name
  InterceptFormPassword   user_password
  InterceptFormLoginSkip  admin
  InterceptFormClearRemoteUserForSkipped on
</Location>

<Location /dashboard/authenticate>
  LookupUserAttr   mail        REMOTE_USER_EMAIL
  LookupUserAttr   givenname   REMOTE_USER_FIRSTNAME
  LookupUserAttr   sn          REMOTE_USER_LASTNAME
  LookupUserAttr   displayname REMOTE_USER_FULLNAME
  LookupUserGroups             REMOTE_USER_GROUPS ":"
  LookupDbusTimeout            5000
</Location>

<LocationMatch ^/api|^/vmdbws/wsdl|^/vmdbws/api>
  SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in
  SetEnvIf X-Auth-Token  '^.+$'             let_api_token_in

  AuthType Basic
  AuthName "External Authentication (httpd) for API"
  AuthBasicProvider PAM

  AuthPAMService httpd-auth
  Require valid-user
  Order Allow,Deny
  Allow from env=let_admin_in
  Allow from env=let_api_token_in
  Satisfy Any

  LookupUserAttr   mail        REMOTE_USER_EMAIL
  LookupUserAttr   givenname   REMOTE_USER_FIRSTNAME
  LookupUserAttr   sn          REMOTE_USER_LASTNAME
  LookupUserAttr   displayname REMOTE_USER_FULLNAME

  LookupUserGroups             REMOTE_USER_GROUPS ":"
  LookupDbusTimeout            5000

</LocationMatch>

Update the Appliance Apache Configuration to enable External Authentication

Modify /etc/httpd/conf.d/manageiq-https-application.conf as follows:

/etc/httpd/conf.d/manageiq-https-application.conf

  • add this line before the VirtualHost directive:
Include conf.d/manageiq-external-auth
  • Within the VirtualHost section, after this line:

    RequestHeader set X_FORWARDED_PROTO ‘https’

    add the following lines:

RequestHeader unset X_REMOTE_USER
RequestHeader set X_REMOTE_USER           %{REMOTE_USER}e            env=REMOTE_USER
RequestHeader set X_EXTERNAL_AUTH_ERROR   %{EXTERNAL_AUTH_ERROR}e    env=EXTERNAL_AUTH_ERROR
RequestHeader set X_REMOTE_USER_EMAIL     %{REMOTE_USER_EMAIL}e      env=REMOTE_USER_EMAIL
RequestHeader set X_REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e  env=REMOTE_USER_FIRSTNAME
RequestHeader set X_REMOTE_USER_LASTNAME  %{REMOTE_USER_LASTNAME}e   env=REMOTE_USER_LASTNAME
RequestHeader set X_REMOTE_USER_FULLNAME  %{REMOTE_USER_FULLNAME}e   env=REMOTE_USER_FULLNAME
RequestHeader set X_REMOTE_USER_GROUPS    %{REMOTE_USER_GROUPS}e     env=REMOTE_USER_GROUPS

Configure SELinux

For external authentication to work with Apache through SSSD on SELinux systems, run the following command:

setsebool -P allow_httpd_mod_auth_pam on

Also, on RHEL 6.5 and later as well as CentOS 6.6 and later based Appliances, run the following command:

setsebool -P httpd_dbus_sssd on

Restart SSSD and Apache

Make sure SSSD starts upon reboot:

chkconfig sssd on

Restart both:

service sssd  restart
service httpd restart

Back to External Authentication