- IPA/AD Trust Authentication
- Set up and configure an IPA server for AD Trust Authentication
- Enable the MiQ Appliance to use the configured IPA server
- Configure the MiQ appliance to use external authentication
- Create groups on the MiQ appliance
- Use AD Trust Authentication
IPA/AD Trust Authentication
Active Directory (AD) Trust Authentication on the Appliance is supported with External Authentication to IPA.
In this guide we will cover how to manually configure an Appliance’s external authentication to work with AD Trust Authentication using IPA. This provides IPA Users access to the Appliance Administrative UI and the REST API using their AD credentials.
The following is needed in order to enable AD Trust Authentication to the Appliance:
A CentOS/RHEL 7.2 based MiQ Appliance
Windows Server 2008 R2 or later with configured AD DC and DNS installed locally on the DC
Set up and configure an IPA server for AD Trust Authentication
- Configure an IPA Server based on FreeIPA 3.3.3 or later
Instructions for setting up and configuring cross-realm trust between an IPA domain and an AD (Active Directory) domain can be found in the freeipa.org Active Directory Trust Setup guide.
- Add necessary user attributes to the SSSD configuration on the IPA server
The SSSD configuration file on the IPA Server must be updated to list the needed user attributes.
Add the following entry to the SSSD configuration file /etc/sssd/sssd.conf:
Note: Starting with SSSD version 1.15.2, which will be available in CentOS version 7.4, SSSD provides the domain name as a user attribute. The examples below show how to set ldap_user_extra_attrs and user_attributes to take advantage of this new feature. If running an appliance built on a CentOS version prior to 7.4, do not include domainname in these attributes.
user_attributes = +mail, +givenname, +sn, +displayname, +domainname
and update ldap_user_extra_attrs to include domainname where appropriate.
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname
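As an added check that is not part of the original guide, the following Python script parses an sssd.conf and reports whether the [ifp] user_attributes line and each domain's ldap_user_extra_attrs line carry the attributes the appliance needs, applying the domainname rule from the note above (required from SSSD 1.15.2 on, and flagged as unsupported on older versions). The section names, the version-gating logic and the sample configuration are assumptions; point it at the IPA server's /etc/sssd/sssd.conf to check a real file.

```python
import configparser
import re

# Attributes the appliance reads through SSSD for each user; 'domainname'
# is only available from SSSD 1.15.2 (CentOS 7.4) onward.
BASE_ATTRS = ("mail", "givenname", "sn", "displayname")
DOMAINNAME_MIN_VERSION = (1, 15, 2)


def required_attrs(sssd_version):
    """Attribute list to configure for the SSSD version on the IPA server."""
    version = tuple(int(p) for p in re.findall(r"\d+", sssd_version)[:3])
    attrs = list(BASE_ATTRS)
    if version >= DOMAINNAME_MIN_VERSION:
        attrs.append("domainname")
    return attrs


def _names(value):
    # "+mail, +sn" ([ifp]) and "mail, sn" (domain) both become {"mail", "sn"}.
    return {v.strip().lstrip("+").lower() for v in value.split(",") if v.strip()}


def _check(section, key, found, needed, problems):
    missing = needed - found
    if missing:
        problems.append(f"[{section}] {key} lacks: {', '.join(sorted(missing))}")
    if "domainname" in found and "domainname" not in needed:
        problems.append(f"[{section}] {key} lists domainname, unsupported before SSSD 1.15.2")


def check_sssd_conf(text, sssd_version):
    """Return the problems found in an sssd.conf; an empty list means it is fine."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    needed = set(required_attrs(sssd_version))
    problems = []
    _check("ifp", "user_attributes", _names(cfg.get("ifp", "user_attributes", fallback="")), needed, problems)
    for section in (s for s in cfg.sections() if s.startswith("domain/")):
        _check(section, "ldap_user_extra_attrs",
               _names(cfg.get(section, "ldap_user_extra_attrs", fallback="")), needed, problems)
    return problems


# Constructed sample (assumed layout): the domain section was updated for 1.15.2,
# but the [ifp] line still lacks domainname, so the appliance would not receive it.
SAMPLE_CONF = """[sssd]
domains = test.company.com
services = nss, pam, ifp
[domain/test.company.com]
id_provider = ipa
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname
[ifp]
user_attributes = +mail, +givenname, +sn, +displayname
"""
```

Running check_sssd_conf(SAMPLE_CONF, "1.15.2") reports only the missing domainname in [ifp]; with an older version string it instead flags the domain section for listing domainname.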
- DNS Configuration Significance
Special care should be taken when configuring DNS, as an improper DNS configuration can result in poor performance and incorrect functionality. For more details refer to the following documents:
Enable the MiQ Appliance to use the configured IPA server
Use the Appliance Console to enable external authentication to the IPA Server.
Log in to console as root
The summary screen should show External Auth as not configured. Press any key to continue.
From the Advanced Setting menu, select the menu item Configure External Authentication (httpd)
Enter the FQDN of the IPA Server, e.g. ipaserver.test.company.com
Enter the IPA Server domain, e.g. test.company.com
Enter the IPA Server realm, e.g. TEST.COMPANY.COM
Press Enter to accept the default IPA Server Principal, i.e. admin
Enter the Password of the IPA Server Principal
Review the details and enter y to proceed.
Configure the MiQ appliance to use external authentication
Log in to the MiQ appliance as admin, then in Settings→Configuration→Server→Authentication
Set mode to External (httpd)
Check: Get User Groups from External Authentication (httpd)
Optionally Check: Enable Single Signon
The above steps need to be done on each UI and WebService enabled appliance.
In Settings→Configuration→Access Control, make sure the user’s groups are created on the Appliance and appropriate roles are assigned to those groups.
Create groups on the MiQ appliance
The below steps need to be done on each UI and WebService enabled appliance.
Log in to the MiQ appliance as admin, then in Settings→Configuration→Access Control→Groups→Configuration→Add a new Group
Check: Look Up LDAP Groups
Enter the AD user as the User to Look Up, e.g. firstname.lastname@example.org
Choose a group from the LDAP Groups for User dropdown.
Assign the appropriate roles to the group
Use AD Trust Authentication
Once the above is done, the user simply needs to specify their AD Username and Password when:
Logging into the Appliance Administrative UI
Accessing the REST API
Using the Self Service UI
Using the Single Sign On (SSO) to access the MiQ appliance after generating a Kerberos ticket by using kinit with AD credentials.