Pre-release version Report issue

Configuring authentication for Foreman users

1. Overview of authentication methods in Foreman

Foreman includes native support for authentication with a username and password. If you require additional methods of authentication, configure your Foreman server to use an external authentication source.

Table 1. External authentication sources supported by Foreman and the authentication features they provide
Username and password Single sign-on (SSO) One-time password (OTP) Time-based one-time password (TOTP) PIV cards Additional details

Active Directory (direct integration)

Yes

Yes

No

No

No

Configuring Kerberos SSO for Active Directory users in Foreman

FreeIPA

Yes (Linux and Active Directory users)

Yes (Linux users only)

No

No

No

Configuring Kerberos SSO with FreeIPA in Foreman

Quarkus-based Keycloak

Yes

Yes

Yes

Yes

Yes

Configuring SSO and 2FA with Wildfly-based Keycloak in Foreman

Wildfly-based Keycloak

Yes

Yes

Yes

Yes

Yes

Configuring SSO and 2FA with Wildfly-based Keycloak in Foreman

LDAP

Yes

No

No

No

No

Configuring an LDAP server as an external identity provider for Foreman

2. Accessing Foreman

After Foreman has been installed and configured, use a browser to log in to the Foreman web UI interface. From the Foreman web UI, you can manage and monitor your Foreman infrastructure.

2.1. Logging in to the Foreman web UI

Use the web user interface to log in to Foreman for further configuration.

Procedure

  1. Access Foreman server using a web browser pointed to the fully qualified domain name:

    https://foreman.example.com/

  2. Enter the user name and password created during the configuration process. If a user was not created during the configuration process, the default user name is admin.

Next steps

2.2. Resetting the administrative user password

Use the following procedures to reset the administrative password to randomly generated characters or to set a new administrative password.

To reset the administrative user password

  1. Log in to the base operating system where Foreman server is installed.

  2. Enter the following command to reset the password:

    # foreman-rake permissions:reset
Reset to user: admin, password: qwJxBptxb7Gfcjj5

  3. Use this password to reset the password in the Foreman web UI.

  4. Edit the ~/.hammer/cli.modules.d/foreman.yml file on Foreman server to add the new password:

    # vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

To set a new administrative user password

  1. Log in to the base operating system where Foreman server is installed.

  2. To set the password, enter the following command:

    # foreman-rake permissions:reset password=new_password

  3. Edit the ~/.hammer/cli.modules.d/foreman.yml file on Foreman server to add the new password:

    # vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

2.3. Setting a custom message on the Foreman web UI login page

You can change the default text on the login page to a custom message you want your users to see every time they access the page. For example, your custom message might be a warning required by your company.

Procedure

  1. In the Foreman web UI, navigate to Administer > Settings, and click the General tab.

  2. Enter your custom message in the Login page footer text field.

  3. Click Submit.

Verification

  • Log out of the Foreman web UI and verify that the custom message is now displayed on the login page.

3. Configuring Kerberos SSO with FreeIPA in Foreman

FreeIPA is an open-source identity management solution that provides centralized authentication, authorization, and account management services. With Foreman, you can integrate Foreman server with your existing FreeIPA server to enable FreeIPA users to authenticate to Foreman.

With your FreeIPA server configured as an external identity provider, users defined in FreeIPA can log in to Foreman with their FreeIPA credentials. If cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can also log in to Foreman.

FreeIPA users can log in using the following methods:

  • Username and password

  • Kerberos single sign-on

When cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can log in to Foreman with their user principal name (UPN) and password.

For information about FreeIPA, including its cross-forest trust functionality, see Red Hat Enterprise Linux 9 Planning Identity Management and Red Hat Enterprise Linux 9 Installing Identity Management.

3.1. Enrolling Foreman server in a FreeIPA domain

Create a host entry for your Foreman server system in the FreeIPA LDAP and configure the system to be a client in your FreeIPA domain.

Prerequisites

  • An existing FreeIPA server

  • FreeIPA user account with privileges to enroll new FreeIPA hosts

Procedure

  1. On the FreeIPA server:

    1. Create a host entry for the Foreman server system.

      For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.

    2. Create an entry for the HTTP service for Foreman server. This enables access to the keytab file by creating a service principal for your Foreman server.

      For more information on creating a service entry in FreeIPA, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.

  2. On your Foreman server, configure the system as client in the FreeIPA domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the ipa-client-install utility.

    For more information, see Red Hat Enterprise Linux 9 Installing Identity Management.

    Note

    To install packages on your Foreman server, use the foreman-installer utility.

  3. Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient:

    # hostname
foreman.example.com

    Otherwise, foreman-installer cannot generate the right principal name that is needed to join the realm.

Verification

  • On your Foreman server, check that you are able to resolve a user defined on the FreeIPA server. For example, to check the admin user that FreeIPA creates by default:

    $ id admin
Example 1. Enrolling a Foreman server system as a FreeIPA client from the command line by using a one-time password

On the FreeIPA server, a user named admin who has administrative privileges on the FreeIPA server prepares a host entry for the Foreman server system:

  1. Authenticate as the FreeIPA admin user:

    # kinit admin

  2. Optional: Verify that you have authenticated successfully:

    # klist

  3. Create a host entry from the command line. Specify that you want to use a random password for the enrollment.

    # ipa host-add --random foreman-server.example.com
--------------------------------------------------
 Added host "foreman-server.example.com"
 --------------------------------------------------
  Host name: foreman-server.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: freeipa-server.example.com

  4. Enable access to the keytab file by creating a service principal for your Foreman server:

    # ipa service-add HTTP/foreman-server.example.com

On the Foreman server system, a user with Foreman administrative privileges enrolls the system into the FreeIPA domain:

  1. Install the FreeIPA client packages:

    # apt install ipa-client

  2. Configure the Foreman server system a client in FreeIPA by using the random password produced by ipa host-add in a previous step:

    # ipa-client-install --password 'W5YpARl=7M.n'

  3. Verify that you are able to resolve the FreeIPA admin user from your Foreman server:

    $ id admin

3.2. Configuring the FreeIPA authentication source on Foreman server

Enable FreeIPA users to access Foreman by configuring FreeIPA as an authentication provider on your Foreman server.

Prerequisites

  • Foreman server running on a system that is enrolled in the FreeIPA domain.

Procedure

  1. Enable access for your preferred login method:

    • To enable access to the Foreman web UI only:

      # foreman-installer \
--foreman-ipa-authentication true

    • To enable access to the Foreman web UI and the Foreman API, including Hammer CLI:

      # foreman-installer \
--foreman-ipa-authentication-api true \
--foreman-ipa-authentication true
      Warning

      Enabling access to both the Foreman web UI and the Foreman API poses a security risk. After the FreeIPA user enters kinit to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session. The attack is possible even if the user did not previously enter the Foreman login credentials anywhere, for example in the browser.

    • To disable external authentication with FreeIPA, reset the options. For example, to disable access to the Foreman API and Hammer CLI:

      # foreman-installer --reset-foreman-ipa-authentication-api

  2. If your Foreman server runs in an IPv6-only network and also runs on RHEL 9.6 and earlier or RHEL 10.0, set the lookup_family_order option in the [domain/freeipa-server.example.com] section of the /etc/sssd/sssd.conf file:

    [domain/freeipa-server.example.com]
lookup_family_order = ipv6_only

    If the DNS name of the IdM server can be translated to both an IPv4 and IPv6 address but the IPv4 address is not accessible, SSSD requires lookup_family_order to translate the DNS name correctly. Without the option, IdM users are unable to use kinit to authenticate to Foreman.

Verification

  • Log in to Foreman web UI by entering the credentials of a user defined in FreeIPA.

3.3. Configuring host-based access control for FreeIPA users logging in to Foreman

You can use host-based access control (HBAC) rules to manage access control within your FreeIPA domain. In FreeIPA, HBAC rules define which users can access which hosts and which services can be used to gain access.

For example, you can configure HBAC on the FreeIPA server to limit access to Foreman server only to selected users or user groups. By configuring a HBAC rule in the FreeIPA domain, you can ensure Foreman does not create database entries for users who should not have access.

Prerequisites

  • FreeIPA user account with privileges to configure HBAC rules

Procedure

  1. On the FreeIPA server, configure HBAC control. For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.

    1. Create a HBAC service for Foreman server.

    2. Create a new HBAC rule to define the required access control. Add the following FreeIPA entities to the HBAC rule:

      1. The HBAC service for Foreman server

      2. The Foreman server host

      3. The users or user groups to whom you want to grant access

    3. Make sure the default FreeIPA allow_all rule is disabled.

  2. On your Foreman server, load the host-based access control rules from FreeIPA:

    # foreman-installer --foreman-pam-service foreman-prod
Verification

  • Log in to the Foreman web UI as a user defined in FreeIPA.

    • If the user is included in the HBAC rule, Foreman web UI will grant access.

    • If the user is not included in the HBAC rule, Foreman web UI will not grant access.

Additional resources
Example 2. Configuring host-based access control to allow access to Foreman only for selected FreeIPA users by using the command line

On the FreeIPA server, a user with administrative privileges configures a HBAC rule to allow selected users access to Foreman server:

  1. Authenticate as the user with privileges required to configure HBAC rules:

    $ kinit admin

  2. Optional: Verify that you have authenticated successfully:

    $ klist

  3. Create a new HBAC service named foreman-prod:

    $ ipa hbacsvc-add foreman-prod

  4. Create a new HBAC rule:

    $ ipa hbacrule-add allow-foreman-prod

  5. Add the following FreeIPA entities to the HBAC rule:

    1. The foreman-prod HBAC service:

      $ ipa hbacrule-add-service allow-foreman-prod --hbacsvcs=foreman-prod

    2. The Foreman server host:

      $ ipa hbacrule-add-host allow-foreman-prod --hosts=foreman.example.com

    3. The users or user groups to whom you want to grant access:

      $ ipa hbacrule-add-user allow-foreman-prod --user=ipa-user

  6. Optional: Verify the status of the rule:

    $ ipa hbacrule-find foreman-prod
$ ipa hbactest --user=ipa-user --host=foreman.example.com --service=foreman-prod

  7. Disable the default allow_all rule:

$ ipa hbacrule-disable allow_all

On Foreman server, a Foreman administrator re-runs foreman-installer to load the host-based access control rules from FreeIPA:

# foreman-installer --foreman-pam-service foreman-prod

3.4. Configuring Hammer CLI to accept FreeIPA credentials

Configure the Foreman Hammer CLI tool to use FreeIPA to authenticate users.

Prerequisites
Procedure

  • Open the ~/.hammer/cli.modules.d/foreman.yml file on your Foreman server and update the list of foreman parameters:

    • To enforce session usage, enable :use_sessions::

      :foreman:
  :use_sessions: true

      With this configuration, you will need to initiate an authentication session manually with hammer auth login negotiate.

    • Alternatively, to enforce session usage and also negotiate authentication by default:

      :foreman:
  :default_auth_type: 'Negotiate_Auth'
  :use_sessions: true

      With this configuration, Hammer will negotiate authentication automatically when you enter the first hammer command.

3.5. Logging in to Hammer CLI with FreeIPA credentials

Authenticate to the Foreman Hammer CLI with your FreeIPA username and password.

Prerequisites
Procedure

  1. Authenticate as a user defined in FreeIPA to obtain a Kerberos ticket-granting ticket (TGT):

    $ kinit FreeIPA_user
    Warning

    If you enabled access to the Foreman API and the Foreman web UI when you were configuring FreeIPA as the authentication provider for Foreman, an attacker might now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the Foreman login credentials anywhere, for example in the browser.

  2. If Hammer is not configured to negotiate authentication, initiate an authentication session manually:

    $ hammer auth login negotiate
Note

If you destroy the active Kerberos ticket, for example with kdestroy, you will still be logged in to Hammer. To log out, enter hammer auth logout.
Verification

  • Use any hammer command to check that the system does not ask you to authenticate. For example:

    $ hammer host list
Additional resources

  • Run hammer auth --help to view all Hammer CLI authentication configuration options.

  • For more information about authenticating with Hammer, see Hammer authentication in Using the Hammer CLI tool.

3.6. Logging in to the Foreman web UI with FreeIPA credentials in Mozilla Firefox

You can use Mozilla Firefox to log in to the Foreman web UI with your FreeIPA credentials.

Use the latest stable Mozilla Firefox browser.

Prerequisites

  • You have FreeIPA authentication configured in your Foreman environment. For more information, see Configuring Kerberos SSO with FreeIPA in Foreman.

  • The host on which you are using Mozilla Firefox is a client in the FreeIPA domain.

  • Your Mozilla Firefox is configured for Single Sign-On (SSO).

Procedure

  1. Obtain the Kerberos ticket granting ticket (TGT):

    $ kinit user
Password for user@EXAMPLE.COM:

  2. In Mozilla Firefox, go to the URL of your Foreman server.

  3. You are logged in automatically.

Alternatively:

  1. In your browser address bar, enter the URL of your Foreman server.

  2. Enter your username and password.

3.7. Logging in to the Foreman web UI with FreeIPA credentials in Chrome

You can use Chrome to log in to the Foreman web UI with your FreeIPA credentials.

Use the latest stable Chrome browser.

Prerequisites
Procedure

  1. Enable the Chrome browser to use Kerberos authentication:

    $ google-chrome --auth-server-whitelist="*.example.com" --auth-negotiate-delegate-whitelist="*.example.com"
    Note

    Instead of allowlisting the whole domain, you can also allowlist a specific Foreman server.

  2. Obtain the Kerberos ticket-granting ticket (TGT):

    $ kinit user
Password for user@EXAMPLE.COM:

  3. In Chrome, go to the URL of your Foreman server.

  4. You are logged in automatically.

Alternatively:

  1. In your browser address bar, enter the URL of your Foreman server.

  2. Enter your username and password.

3.8. Configuring a cross-forest trust between FreeIPA and Active Directory for Foreman

When your FreeIPA deployment includes a cross-forest trust with Active Directory (AD), configure host-based access control (HBAC) and the System Security Services Daemon (SSSD) to enable AD users to log in to Foreman.

Prerequisites
Procedure

On your FreeIPA server:

  1. Enable HBAC:

    1. Create an external group and add the AD group to it.

    2. Add the new external group to a POSIX group.

    3. Use the POSIX group in a HBAC rule.

On your FreeIPA server and all replicas in your FreeIPA topology, configure SSSD to transfer additional attributes of AD users:

  1. Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

    [domain/EXAMPLE.com]
...
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[nss]
user_attributes=+email, +firstname, +lastname

[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname

  2. Clear the SSSD cache:

    1. Stop SSSD:

      # systemctl stop sssd

    2. Clear the cache:

      # sss_cache -E

    3. Start SSSD:

      # systemctl start sssd

  3. Verify the AD attributes value by using the dbus-send command on your Foreman server and on your FreeIPA server. Make sure that both outputs match.

    # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname

4. Configuring SSO and 2FA with Wildfly-based Keycloak in Foreman

Important

Configuring Foreman with Wildfly-based Keycloak is a deprecated feature. Deprecated functionality is still included in Foreman and continues to be supported. However, it will be removed in a future release of this product and is not recommended for new deployments.

For the most recent list of major functionality that has been deprecated or removed within Foreman, refer to the Deprecated features section of the Foreman release notes.
Note

The default Keycloak distribution is now based on Quarkus.

Quarkus-based Keycloak replaces Wildfly-based Keycloak in Foreman deployments. For information about configuring Quarkus-based Keycloak authentication, see Configuring SSO and 2FA with Quarkus-based Keycloak in Foreman.

For information about migrating from Wildfly-based Keycloak to Quarkus-based Keycloak, see Migrating to Quarkus distribution.

Keycloak is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, and centralized authentication management. With Wildfly-based Keycloak, you can integrate Foreman server with your existing Keycloak server to delegate user authentication and authorization to Keycloak.

Keycloak users can log in using the following login methods:

  • User name and password in Foreman web UI

  • User name and password in Hammer CLI

Note

Keycloak users cannot use both Foreman web UI and Hammer CLI authentication in Foreman at the same time.

  • Time-based one-time password (TOTP)

  • PIV cards

4.1. Prerequisites for configuring Foreman with Wildfly-based Keycloak authentication

On your Foreman server:

  • Install the packages required for registering a Keycloak client:

    # apt install mod_auth_openidc keycloak-httpd-client-install python3-lxml

On the Keycloak side, ensure you meet the following requirements:

  • Your Keycloak server uses HTTPS instead of HTTP.

  • If the certificates or the CA are self-signed, they have been added to the end-user certificate truststore.

  • Your Keycloak account has administrative privileges.

  • A realm is created on the Keycloak server for Foreman user accounts, for example Foreman_Realm.

  • User accounts have been imported or added to Keycloak. For more information about importing or creating users, see the Red Hat Single Sign-On Server Administration Guide.

4.2. Registering Foreman as a client of Keycloak

Users defined in Keycloak can authenticate to Foreman by using one of the following methods:

  • The Foreman web UI

  • Hammer CLI

Choose one of these methods to enable in your Foreman deployment.

Procedure

On your Foreman server:

  1. Choose the authentication method you want Keycloak users to use when authenticating to Foreman:

    • If you want users to authenticate by using the Foreman web UI:

      1. Create a client for Foreman. Use foreman-openidc as the application name.

        # keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "Foreman_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

      2. Configure Foreman to use Keycloak as an authentication source for Foreman web UI:

        # foreman-installer --foreman-keycloak true \
--foreman-keycloak-app-name "foreman-openidc" \
--foreman-keycloak-realm "Foreman_Realm"

    • If you want users to authenticate by using the Hammer CLI:

      1. Create a client for Foreman. Use hammer-openidc as the application name.

        # keycloak-httpd-client-install --app-name hammer-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "Foreman_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

      2. Configure Foreman to use Keycloak as an authentication source for Hammer CLI:

        # foreman-installer --foreman-keycloak true \
--foreman-keycloak-app-name "hammer-openidc" \
--foreman-keycloak-realm "Foreman_Realm"

  2. Restart the httpd service:

    # systemctl restart httpd

4.3. Configuring the Foreman client in Wildfly-based Keycloak

Configure the Foreman client in Wildfly-based Keycloak with valid redirect URIs and mappers.

Procedure

In the Keycloak web UI:

  1. Go to the realm created for Foreman users. Navigate to Clients and click the Foreman client.

  2. Configure access type:

    • If you are configuring a client that will provide Foreman web UI authentication, select confidential from the Access Type list.

    • If you are configuring a client that will provide Hammer CLI authentication, select public from the Access Type list.

  3. Configure Valid redirect URI addresses:

    • If you are configuring a client that will provide Foreman web UI authentication:

      • You will see a pre-defined URI: https://foreman.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.

      • Add another URI below the pre-defined URI: https://foreman.example.com/users/extlogin

    • If you are configuring a client that will provide Hammer CLI authentication:

      • You will see a pre-defined URI: https://foreman.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.

      • Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob

  4. Click Save.

  5. On the Mappers tab, click Create to add an audience mapper.

    1. From the Mapper Type list, select Audience.

    2. From the Included Client Audience list, select the Foreman client.

  6. Click Save.

  7. On the Mappers tab, click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.

    1. From the Mapper Type list, select Group Membership.

    2. In the Token Claim Name field, enter groups.

    3. Set the Full group path setting to OFF.

  8. Click Save.

Additional resources

4.4. Configuring a Foreman client to provide Foreman web UI authentication with Keycloak

If you are configuring a client that will provide Foreman web UI authentication to your Foreman deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in Foreman.

Prerequisites
Procedure

In the Foreman web UI:

  1. Navigate to Administer > Settings.

  2. On the Authentication tab, configure the following settings:

    1. Authorize login delegation: Set to Yes.

    2. Authorize login delegation auth source user autocreate: Set to External.

    3. Login delegation logout URL: Set to https://foreman.example.com/users/extlogout.

    4. OIDC Algorithm: For example, set to RS256.

    5. OIDC Audience: Set to the client ID for Keycloak.

    6. OIDC Issuer: Set to https://keycloak.example.com/auth/realms/Foreman_Realm.

    7. OIDC JWKs URL: Set to https://keycloak.example.com/auth/realms/Foreman_Realm/protocol/openid-connect/certs.

  3. Navigate to Administer > Authentication Sources.

    1. From the External menu, select Edit.

    2. On the Locations tab, add the locations that you want to be able to use the Keycloak authentication source.

    3. On the Organizations tab, add the organizations that you want to be able to use the Keycloak authentication source.

    4. Click Submit.

4.5. Configuring a Foreman client to provide Hammer CLI authentication with Keycloak

If you are configuring a client that will provide Hammer CLI authentication to your Foreman deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in Foreman.

Prerequisites

  • Ensure that the Access Type setting in the Foreman client in the Wildfly-based Keycloak web UI is set to public. For more information, see Configuring the Foreman client in Wildfly-based Keycloak.

  • Obtain the values to configure Foreman settings from the following URL: https://keycloak.example.com/auth/realms/Foreman_Realm/.well-known/openid-configuration. Replace Foreman_Realm with the name of the Keycloak realm created for your Foreman server.

Procedure

On the Foreman client registered to Keycloak:

  1. Set the login delegation to true so that users can authenticate using the Open IDC protocol:

    $ hammer settings set --name authorize_login_delegation --value true

  2. Set the login delegation logout URL:

    $ hammer settings set --name login_delegation_logout_url \
--value https://foreman.example.com/users/extlogout

  3. Set the algorithm for encoding: For example, to use the RS256 algorithm:

    $ hammer settings set --name oidc_algorithm --value 'RS256'

  4. Add the value for the Hammer client in the Open IDC audience:

    $ hammer settings set --name oidc_audience \
--value "['foreman.example.com-hammer-openidc']"

  5. Set the value for the Open IDC issuer:

    $ hammer settings set --name oidc_issuer \
--value "https://keycloak.example.com/auth/realms/Foreman_Realm"

  6. Set the value for Open IDC Java Web Token (JWT):

    $ hammer settings set --name oidc_jwks_url \
--value "https://keycloak.example.com/auth/realms/Foreman_Realm/protocol/openid-connect/certs"

  7. Retrieve the ID of the Keycloak authentication source:

    $ hammer auth-source external list

  8. Set the location and organization:

    $ hammer auth-source external update \
--id My_Authentication_Source_ID \
--location-ids My_Location_ID \
--organization-ids My_Organization_ID

4.6. Configuring Foreman with Keycloak for TOTP authentication

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the Foreman realm in Keycloak.

Procedure

  1. In the Keycloak web UI, navigate to the Foreman realm.

  2. Navigate to Authentication.

  3. On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.

  4. Configure the OTP settings to suit your requirements.

  5. On Required Actions tab, enable the Set as default action setting for the Configure OTP action.

Additional resources

4.7. Configuring Keycloak settings for authentication with PIV cards

If you want users to authenticate with PIV cards, configure Keycloak for authentication with PIV cards and configure the operating system for PIV cards on each user system.

Procedure

In the Keycloak web UI:

  1. Navigate to the Authentication tab.

  2. From the Flows list, select Browser.

    1. Click Copy to copy this flow.

    2. In the Copy Authentication Flow window, enter a new name for the flow and click OK.

    3. In the copied flow, delete the Username Password Form and OTP Form entries.

    4. Click Add execution.

    5. From the Provider list, select X509/Validate Username Form.

    6. Click Save.

  3. In the X509/Validate Username Form row, select ALTERNATIVE. Click Actions > Config.

    1. In the Alias field, enter a name for this configuration.

    2. From the User Identity Source list, select Subject’s Common Name,

    3. From the User mapping method list, select Username or Email.

    4. Click Save.

  4. Navigate to Authentication > Bindings.

  5. From the Browser Flow list, select the created flow.

On each system from which you want users to log in to with PIV cards:

  1. Install the opensc package:

    • On Debian or Ubuntu:

      # apt install opensc

    • On Enterprise Linux 8+:

      # dnf install opensc

    • On Enterprise Linux 7:

      # yum install opensc

    • On OpenSUSE and SUSE Linux Enterprise Server:

      # zypper install opensc

  2. Make sure Mozilla Firefox is installed.

  3. In Mozilla Firefox main menu, click Settings.

  4. On the Privacy and Security tab, click Security Devices.

  5. Click Load.

    1. In the Load PKCS#11 Device Driver window, enter /usr/lib64/pkcs11/opensc-pkcs11.so in the Module filename field.

    2. Click OK.

  6. If the PIV card is connected to system, restart the pcscd service.

4.8. Optional: Configuring external group mapping for Keycloak authentication

To implement the role-based access control (RBAC), create a group in Foreman, assign a role to this group, and then map an Keycloak group to the Foreman group. As a result, anyone in the given group in Keycloak will log in under the corresponding Foreman group.

For example, you can configure users of the Foreman-admin user group defined in Active Directory to authenticate as users with administrator privileges on Foreman.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

  1. In the Foreman web UI, navigate to Administer > User Groups.

  2. Click Create User Group.

    1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.

    2. Do not add any users or user groups to the new group in Foreman web UI.

  3. On the Roles tab, select Administer.

  4. On the External Groups tab, click Add external user group.

    1. In the Name field, enter the name of the Active Directory group.

    2. From the Auth Source drop-down menu, select EXTERNAL.

  5. Click Submit.

4.9. Logging in to Foreman configured with Keycloak as an authentication source

With Keycloak configured as an external authentication source for Foreman, users defined in a Keycloak realm can log in to Foreman server. The particular login methods available to users depend on how you configured integration between Keycloak and Foreman.

Procedure

To authenticate to the Foreman web UI:

  • In your browser, go to https://foreman.example.com and enter your credentials.

To authenticate to the Foreman web UI by using Keycloak TOTP:

  1. In your browser, log in to Foreman. Foreman redirects you to the Keycloak login screen.

  2. Enter your username and password, and click Log In.

  3. On your first login attempt, Keycloak requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to Foreman and logs you in.

To authenticate to the Foreman CLI with Hammer:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
  :use_sessions: true

  2. Initiate an authentication session with hammer auth login oauth:

    $ hammer auth login oauth \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/Foreman_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the Foreman CLI with Hammer by using Keycloak TOTP:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
  :use_sessions: true

  2. Initiate an authentication session by using --two-factor with hammer auth login oauth:

    $ hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/Foreman_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

  3. You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.

  4. Enter the success code in CLI.

To log in to the Foreman web UI using the Keycloak PIV cards:

  1. In Mozilla Firefox, log in to Foreman and enter your credentials.

  2. When prompted, enter the PIN of the PIV card.

  3. Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to Foreman and logs you in.

5. Configuring SSO and 2FA with Quarkus-based Keycloak in Foreman

Quarkus-based Keycloak is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, and centralized authentication management. With Quarkus-based Keycloak, you can integrate Foreman server with your existing Quarkus-based Keycloak server to delegate user authentication and authorization to Quarkus-based Keycloak.

Keycloak users can log in using the following login methods:

  • User name and password in Foreman web UI

  • User name and password in Hammer CLI

Note

Keycloak users cannot use both Foreman web UI and Hammer CLI authentication in Foreman at the same time.

  • Time-based one-time password (TOTP), an implementation of two-factor authentication (2FA)

  • PIV cards

For information about Keycloak, see Keycloak documentation.

5.1. Prerequisites for configuring Foreman with Quarkus-based Keycloak authentication

On your Foreman server:

  • Install the packages required for registering a Keycloak client:

    # apt install mod_auth_openidc keycloak-httpd-client-install python3-lxml

  • Check which keycloak-httpd-client-install version is installed:

    # rpm --query keycloak-httpd-client-install

On the Keycloak side, ensure you meet the following requirements:

  • If keycloak-httpd-client-install version 1.2 or earlier is installed on your Foreman server, make sure to use the appropriate context path:

    • You can use a Keycloak server that has been initialized with the --http-relative-path=/auth context path. To access a Keycloak server initialized with --http-relative-path=/auth from its web UI, go to https://keycloak.example.com:8443/auth.

    • If you want to use a different context path, make manual adjustments after the initialization with /auth or configure the foreman-openidc_oidc_keycloak_Foreman_Realm.conf file of the HTTPd service manually. For more information about configuring a different context path, see the Red Hat build of Keycloak Administration Guide.

  • If keycloak-httpd-client-install version 1.3 or later is installed, your Keycloak server does not need to be initialized with the --http-relative-path=/auth context path.

  • Your Keycloak server uses HTTPS instead of HTTP.

  • If the certificates or the CA are self-signed, they have been added to the end-user certificate truststore.

  • Your Keycloak account has administrative privileges.

  • A realm is created on the Keycloak server for Foreman user accounts, for example Foreman_Realm.

  • User accounts have been imported or added to Keycloak. For more information on importing or creating users, see the Red Hat build of Keycloak Administration Guide.

5.2. Registering Foreman as a client of Keycloak

Users defined in Keycloak can authenticate to Foreman by using one of the following methods:

  • The Foreman web UI

  • Hammer CLI

Choose one of these methods to enable in your Foreman deployment.

Procedure

On your Foreman server:

  1. Choose the authentication method you want Keycloak users to use when authenticating to Foreman:

    • If you want users to authenticate by using the Foreman web UI:

      1. Create a client for Foreman. Use foreman-openidc as the application name.

        # keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "https://keycloak.example.com:8443" \
--keycloak-admin-username "admin" \
--keycloak-realm "Foreman_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

      2. Configure Foreman to use Keycloak as an authentication source for Foreman web UI:

        # foreman-installer --foreman-keycloak true \
--foreman-keycloak-app-name "foreman-openidc" \
--foreman-keycloak-realm "Foreman_Realm"

    • If you want users to authenticate by using the Hammer CLI:

      1. Create a client for Foreman. Use hammer-openidc as the application name.

        # keycloak-httpd-client-install --app-name hammer-openidc \
--keycloak-server-url "https://keycloak.example.com:8443" \
--keycloak-admin-username "admin" \
--keycloak-realm "Foreman_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

      2. Configure Foreman to use Keycloak as an authentication source for Hammer CLI:

        # foreman-installer --foreman-keycloak true \
--foreman-keycloak-app-name "hammer-openidc" \
--foreman-keycloak-realm "Foreman_Realm"

  2. Restart the httpd service:

    # systemctl restart httpd

5.3. Configuring the Foreman client in Quarkus-based Keycloak

Configure the Foreman client in Quarkus-based Keycloak with valid redirect URIs and mappers.

Procedure

In the Quarkus-based Keycloak web UI:

  1. Go to the realm created for Foreman users.

  2. Navigate to Clients and click the Foreman client.

  3. On the Settings tab for the Foreman client, configure the access type and redirect addresses:

    • If you are configuring a client that will provide Foreman web UI authentication:

      1. Enable Client authentication.

      2. You will see a pre-defined URI: https://foreman.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.

      3. Add another URI below the pre-defined URI: https://foreman.example.com/users/extlogin

    • If you are configuring a client that will provide Hammer CLI authentication:

      1. Ensure Client authentication is disabled.

      2. You will see a pre-defined URI: https://foreman.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.

      3. Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob

  4. On the Client Scopes tab for the Foreman client, locate the client scope dedicated to the Foreman client named client-name-dedicated. Start editing the client scope.

    1. On the Mappers tab for client-name-dedicated, add a new mapper by configuration. Select the Audience mapper type.

      1. From the Included Client Audience list, select the Foreman client.

      2. Enable Add to ID token.

      3. Click Save.

    2. Add another mapper by configuration. Select the Group Membership mapper type. This adds a group mapper so that you can specify authorization in Foreman based on group membership.

      1. In the Token Claim Name field, enter groups.

      2. Disable Full group path.

      3. Click Save.

Additional resources

5.4. Configuring a Foreman client to provide Foreman web UI authentication with Keycloak

If you are configuring a client that will provide Foreman web UI authentication to your Foreman deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in Foreman.

Prerequisites
Procedure

In the Foreman web UI:

  1. Navigate to Administer > Settings.

  2. On the Authentication tab, configure the following settings:

    1. Authorize login delegation: Set to Yes.

    2. Authorize login delegation auth source user autocreate: Set to External.

    3. Login delegation logout URL: Set to https://foreman.example.com/users/extlogout.

    4. OIDC Algorithm: For example, set to RS256.

    5. OIDC Audience: Set to the client ID for Keycloak.

    6. OIDC Issuer:

      • Set to https://keycloak.example.com:8443/realms/Foreman_Realm if you initialized your Keycloak server without the --http-relative-path=/auth context path.

      • Set to https://keycloak.example.com:8443/auth/realms/Foreman_Realm if you initialized your Keycloak server with the --http-relative-path=/auth context path.

    7. OIDC JWKs URL:

      • Set to https://keycloak.example.com:8443/realms/Foreman_Realm/protocol/openid-connect/certs if you initialized your Keycloak server without the --http-relative-path=/auth context path.

      • Set to https://keycloak.example.com:8443/auth/realms/Foreman_Realm/protocol/openid-connect/certs if you initialized your Keycloak server with the --http-relative-path=/auth context path.

  3. Navigate to Administer > Authentication Sources.

    1. From the External menu, select Edit.

    2. On the Locations tab, add the locations that you want to be able to use the Keycloak authentication source.

    3. On the Organizations tab, add the organizations that you want to be able to use the Keycloak authentication source.

    4. Click Submit.

5.5. Configuring a Foreman client to provide Hammer CLI authentication with Keycloak

If you are configuring a client that will provide Hammer CLI authentication to your Foreman deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in Foreman.

Prerequisites

  • Ensure that the Client authentication setting in the Foreman client in the Quarkus-based Keycloak web UI is disabled. For more information, see Configuring the Foreman client in Quarkus-based Keycloak.

  • If you initialized your Keycloak server without the --http-relative-path=/auth context path, obtain the values to configure Foreman settings from the following URL: https://keycloak.example.com:8443/realms/Foreman_Realm/.well-known/openid-configuration. Replace Foreman_Realm with the name of the Keycloak realm created for your Foreman server.

  • If you initialized your Keycloak server with the --http-relative-path=/auth context path, obtain the values to configure Foreman settings from the following URL: https://keycloak.example.com:8443/auth/realms/Foreman_Realm/.well-known/openid-configuration. Replace Foreman_Realm with the name of the Keycloak realm created for your Foreman server.

Procedure

On the Foreman client registered to Keycloak:

  1. Set the login delegation to true so that users can authenticate using the Open IDC protocol:

    $ hammer settings set --name authorize_login_delegation --value true

  2. Set the login delegation logout URL:

    $ hammer settings set --name login_delegation_logout_url \
--value https://foreman.example.com/users/extlogout

  3. Set the algorithm for encoding: For example, to use the RS256 algorithm:

    $ hammer settings set --name oidc_algorithm --value 'RS256'

  4. Add the value for the Hammer client in the Open IDC audience:

    $ hammer settings set --name oidc_audience \
--value "['foreman.example.com-hammer-openidc']"

  5. Set the value for the Open IDC issuer:

    • If you initialized your Keycloak server without the --http-relative-path=/auth context path:

      $ hammer settings set --name oidc_issuer \
--value "https://keycloak.example.com:8443/realms/Foreman_Realm"

    • If you initialized your Keycloak server with the --http-relative-path=/auth context path:

      $ hammer settings set --name oidc_issuer \
--value "https://keycloak.example.com:8443/auth/realms/Foreman_Realm"

  6. Set the value for Open IDC Java Web Token (JWT):

    • If you initialized your Keycloak server without the --http-relative-path=/auth context path:

      $ hammer settings set --name oidc_jwks_url \
--value "https://keycloak.example.com:8443/realms/Foreman_Realm/protocol/openid-connect/certs"

    • If you initialized your Keycloak server with the --http-relative-path=/auth context path:

      $ hammer settings set --name oidc_jwks_url \
--value "https://keycloak.example.com:8443/auth/realms/Foreman_Realm/protocol/openid-connect/certs"

  7. Retrieve the ID of the Keycloak authentication source:

    $ hammer auth-source external list

  8. Set the location and organization:

    $ hammer auth-source external update \
--id My_Authentication_Source_ID \
--location-ids My_Location_ID \
--organization-ids My_Organization_ID

5.6. Configuring Foreman with Keycloak for TOTP authentication

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the Foreman realm in Keycloak.

Procedure

  1. In the Keycloak web UI, navigate to the Foreman realm.

  2. Navigate to Authentication.

  3. On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.

  4. Configure the OTP settings to suit your requirements.

  5. On Required Actions tab, enable the Set as default action setting for the Configure OTP action.

Additional resources

5.7. Configuring Keycloak settings for authentication with PIV cards

If you want users to authenticate with PIV cards, configure Keycloak for authentication with PIV cards and configure the operating system for PIV cards on each user system.

Procedure

In the Keycloak web UI:

  1. Navigate to the Authentication tab.

  2. From the Flows list, select Browser.

    1. Click Copy to copy this flow.

    2. In the Copy Authentication Flow window, enter a new name for the flow and click OK.

    3. In the copied flow, delete the Username Password Form and OTP Form entries.

    4. Click Add execution.

    5. From the Provider list, select X509/Validate Username Form.

    6. Click Save.

  3. In the X509/Validate Username Form row, select ALTERNATIVE. Click Actions > Config.

    1. In the Alias field, enter a name for this configuration.

    2. From the User Identity Source list, select Subject’s Common Name,

    3. From the User mapping method list, select Username or Email.

    4. Click Save.

  4. Navigate to Authentication > Bindings.

  5. From the Browser Flow list, select the created flow.

On each system from which you want users to log in to with PIV cards:

  1. Install the opensc package:

    • On Debian or Ubuntu:

      # apt install opensc

    • On Enterprise Linux 8+:

      # dnf install opensc

    • On Enterprise Linux 7:

      # yum install opensc

    • On OpenSUSE and SUSE Linux Enterprise Server:

      # zypper install opensc

  2. Make sure Mozilla Firefox is installed.

  3. In Mozilla Firefox main menu, click Settings.

  4. On the Privacy and Security tab, click Security Devices.

  5. Click Load.

    1. In the Load PKCS#11 Device Driver window, enter /usr/lib64/pkcs11/opensc-pkcs11.so in the Module filename field.

    2. Click OK.

  6. If the PIV card is connected to system, restart the pcscd service.

5.8. Optional: Configuring external group mapping for Keycloak authentication

To implement the role-based access control (RBAC), create a group in Foreman, assign a role to this group, and then map an Keycloak group to the Foreman group. As a result, anyone in the given group in Keycloak will log in under the corresponding Foreman group.

For example, you can configure users of the Foreman-admin user group defined in Active Directory to authenticate as users with administrator privileges on Foreman.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

  1. In the Foreman web UI, navigate to Administer > User Groups.

  2. Click Create User Group.

    1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.

    2. Do not add any users or user groups to the new group in Foreman web UI.

  3. On the Roles tab, select Administer.

  4. On the External Groups tab, click Add external user group.

    1. In the Name field, enter the name of the Active Directory group.

    2. From the Auth Source drop-down menu, select EXTERNAL.

  5. Click Submit.

5.9. Logging in to Foreman configured with Keycloak as an authentication source

With Keycloak configured as an external authentication source for Foreman, users defined in a Keycloak realm can log in to Foreman server. The particular login methods available to users depend on how you configured integration between Keycloak and Foreman.

Procedure

To authenticate to the Foreman web UI:

  • In your browser, go to https://foreman.example.com and enter your credentials.

To authenticate to the Foreman web UI by using Keycloak TOTP:

  1. In your browser, log in to Foreman. Foreman redirects you to the Keycloak login screen.

  2. Enter your username and password, and click Log In.

  3. On your first login attempt, Keycloak requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to Foreman and logs you in.

To authenticate to the Foreman CLI with Hammer:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
  :use_sessions: true

  2. Initiate an authentication session with hammer auth login oauth:

    • If you initialized your Keycloak server without the --http-relative-path=/auth context path:

      $ hammer auth login oauth \
--oidc-token-endpoint 'https://keycloak.example.com:8443/realms/Foreman_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com:8443' \
--oidc-client-id 'foreman.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    • If you initialized your Keycloak server with the --http-relative-path=/auth context path:

      $ hammer auth login oauth \
--oidc-token-endpoint 'https://keycloak.example.com:8443/auth/realms/Foreman_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com:8443/auth' \
--oidc-client-id 'foreman.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the Foreman CLI with Hammer by using Keycloak TOTP:

  1. Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:

    :foreman:
  :use_sessions: true

  2. Initiate an authentication session by using --two-factor with hammer auth login oauth:

    $ hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://keycloak.example.com:8443/auth/realms/Foreman_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com:8443/auth' \
--oidc-client-id 'foreman.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

  3. You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.

  4. Enter the success code in CLI.

To log in to the Foreman web UI using the Keycloak PIV cards:

  1. In Mozilla Firefox, log in to Foreman and enter your credentials.

  2. When prompted, enter the PIN of the PIV card.

  3. Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to Foreman and logs you in.

6. Configuring Kerberos SSO for Active Directory users in Foreman

If the base system of your Foreman server is connected directly to Active Directory (AD), you can configure AD as an external authentication source for Foreman. Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored.

AD users can log in using the following methods:

  • Username and password

  • Kerberos single sign-on

Note

You can also connect your Foreman deployment to AD in the following ways:

6.1. Configuring the Active Directory authentication source on Foreman server

Enable Active Directory (AD) users to access Foreman by configuring the corresponding authentication provider on your Foreman server.

Prerequisites

  • The base system of your Foreman server must be joined to an Active Directory (AD) domain. To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:

    Install the following packages on Foreman server:

    # apt install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd

    Specify the required software when joining the AD domain:

    # realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd

    For more information on direct AD integration, see Connecting RHEL systems directly to AD using Samba Winbind.

Procedure

  1. Define AD realm configuration in a location where foreman-installer expects it:

    1. Create a directory named /etc/ipa/:

      # mkdir /etc/ipa/

    2. Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:

      [global]
realm = AD.EXAMPLE.COM

  2. Configure the Apache keytab for Kerberos connections:

    1. Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:

      [global]
workgroup = AD.EXAMPLE
realm = AD.EXAMPLE.COM
kerberos method = system keytab
security = ads

    2. Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:

      # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab create HTTP -U Administrator -s /etc/samba/smb.conf
      Note

      The net ads keytab create command was introduced in Samba version 4.21.1. If your system uses an earlier version of Samba, use the net ads keytab add command.

  3. Configure the System Security Services Daemon (SSSD) on your Foreman server:

    1. Configure the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, set the ad_gpo_access_control and ad_gpo_map_service options as follows:

      [domain/ad.example.com]
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman

      For more information on GPOs, see How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 9).

    2. If your Foreman server runs in an IPv6-only network and also runs on RHEL 9.6 and earlier or RHEL 10.0, set the lookup_family_order option in the [domain/ad.example.com] section of the /etc/sssd/sssd.conf file:

      [domain/ad.example.com]
lookup_family_order = ipv6_only

      If the DNS name of the AD server can be translated to both an IPv4 and IPv6 address but the IPv4 address is not accessible, SSSD requires lookup_family_order to translate the DNS name correctly. Without the option, AD users are unable to use kinit to authenticate to Foreman.

    3. Restart SSSD:

      # systemctl restart sssd

  4. Enable the authentication source:

    # foreman-installer --foreman-ipa-authentication true
Verification

  • To verify that AD users can log in to Foreman by entering their credentials, log in to Foreman web UI at https://foreman.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.

  • To verify that AD users can authenticate by using Kerberos single sign-on:

    • Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:

      $ kinit ad_user@AD.EXAMPLE.COM

    • Verify user authentication by using your TGT:

      $ curl -k -u : --negotiate https://foreman.example.com/users/extlogin

<html><body>You are being <a href="foreman.example.com/hosts">redirected</a>.</body></html>
Troubleshooting

  • Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:

    Authentication failed with status code: {
  "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }

    If you see this error, verify which cipher is used for the connection:

    # openssl s_client -connect ldap.example.com:636

    If the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is used, disable it on either the Foreman server side or on the AD side. The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is known to cause incompatibilities.

  • sssd-ad(5) man page on your system

  • For information about configuring Mozilla Firefox for Kerberos, see Configuring Firefox to use Kerberos for single sign-on in Red Hat Enterprise Linux 9 Configuring authentication and authorization in RHEL.

7. Configuring an LDAP server as an external identity provider for Foreman

Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. With Foreman, you can use one or multiple LDAP directories for external authentication.

Note

While you can configure the LDAP server integrated with FreeIPA as an external authentication source, FreeIPA users will not be able to log in by using single sign-on. Instead, consider configuring FreeIPA as an external identity provider. For more information, see Configuring Kerberos SSO with FreeIPA in Foreman.
Important

Users cannot use both FreeIPA and LDAP as an authentication method. After a user authenticates by using one of these methods, they cannot use the other method.

To change the authentication method for a user, remove the automatically created user from Foreman.

7.1. Configuring TLS for secure LDAP

If Foreman uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your Foreman server.

If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list.

Procedure

  1. Obtain the CA certificate from the LDAP Server:

    1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format. See How to configure Active Directory authentication with TLS on Foreman for information on creating and exporting a CA certificate from an Active Directory server.

    2. Download the LDAP server certificate to a temporary location on the Foreman server, such as /tmp/example.crt. You will remove the certificate when finished.

      Foreman only accepts the .crt file extension for certificates in PEM ASCII format.

  2. Add the LDAP server certificate to the system truststore:

    1. Import the certificate:

      # cp /tmp/example.crt /usr/local/share/ca-certificates

    2. Update the certificate authority truststore:

      # update-ca-certificates

  3. Delete the downloaded LDAP certificate from the temporary location on your Foreman server.

7.2. Configuring Foreman to use LDAP

Configure an LDAP authentication source to enable users to log in to Foreman with their existing LDAP credentials.

Prerequisites

  • Your LDAP server complies with the RFC 2307 schema.

  • Your user account has the following permissions:

    • view_authenticators, create_authenticators, edit_authenticators

    • view_locations, assign_locations

    • view_organizations, assign_organizations

Procedure

  1. On your Foreman server, enable the Network Information System (NIS) service so that SELinux does not block outgoing LDAP connections:

    # setsebool -P nis_enabled on

  2. In the Foreman web UI, navigate to Administer > Authentication Sources.

  3. From the LDAP menu, select Create.

  4. On the LDAP server tab, enter the details of your LDAP server.

    For TLS encrypted connections, select LDAPS to enable encryption.

  5. On the Account tab, enter the account information and domain name details. For more information, see the following sections:

  6. On the Attribute mappings tab, map LDAP attributes to Foreman attributes.

  7. On the Locations tab, select the locations you want Foreman to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.

  8. On the Organizations tab, select the organizations you want Foreman to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.

  9. Click Submit.

Next steps

  • If you did not select Automatically Create Accounts In Foreman on the Account tab, create user accounts manually. For more information, see Creating a User in Administering Foreman.

  • If you selected Automatically Create Accounts In Foreman, LDAP users can now log in to Foreman using their LDAP accounts and passwords.

  • After users log in for the first time, the Foreman administrator must assign roles to them manually. For more information about assigning appropriate roles to user accounts, see Assigning Roles to a User in Administering Foreman.

7.3. Example settings for LDAP connections

Example 3. Example settings for Active Directory LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

  • Account Username: DOMAIN\redhat

  • Account password: P@ssword

  • Base DN: DC=example,DC=COM

  • Login name attribute: userPrincipalName

  • First name attribute: givenName

  • Last name attribute: sn

  • Email address attribute: mail

  • Photo attribute: thumbnailPhoto

The userPrincipalName attribute allows the use of whitespace in usernames. The sAMAccountName attribute, which provides backwards compatibility with legacy Microsoft systems, does not allow the use of whitespace in usernames.

Example 4. Example settings for FreeIPA LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

  • Account Username: uid=redhat,cn=users,cn=accounts,dc=example,dc=com

  • Base DN: dc=example,dc=com

  • Groups Base DN: cn=groups,cn=accounts,dc=example,dc=com

  • Login name attribute: uid

  • First name attribute: givenName

  • Last name attribute: sn

  • Email address attribute: mail

Example 5. Example settings for POSIX LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

  • Account Username: uid=redhat,ou=users,dc=example,dc=com

  • Base DN: dc=example,dc=com

  • Groups Base DN: cn=employee,ou=userclass,dc=example,dc=com

  • Login name attribute: uid

  • First name attribute: givenName

  • Last name attribute: sn

  • Email address attribute: mail

7.4. Example LDAP filters

Example 6. Example LDAP filters for allowing specific users to login

You are using the following LDAP directory structure:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3

Group membership is defined as follows:

  • Group1 includes users User1 and User3

  • Group2 includes users User2 and User3

For example, you can define the following search filters:

Search result (users) Filter

User1

(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)

User1, User3

(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)

User2, User3

(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)

User1, User2, User3

(|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))

User1, User2, User3

(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Because group Users is a nested group that contains groups Group1 and Group2, the filter must include memberOf:1.2.840.113556.1.4.1941:= before the nested group name. This enables you to filter all users from the nested group.

8. Important user and group account information for Active Directory accounts

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your Foreman server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, www-data, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

# grep 'puppet\|www-data\|foreman\|foreman-proxy' /etc/passwd /etc/group

9. Configuring external user groups

Foreman does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on Foreman. Members of the external user group then automatically become members of the Foreman user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites

  • If you use an LDAP server, configure Foreman to use LDAP authentication. For more information, see Configuring an LDAP server as an external identity provider for Foreman.

    When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.

  • If you use a FreeIPA or AD server, configure Foreman to use FreeIPA or AD authentication. For more information, see Configuring authentication for Foreman users.

  • Ensure that at least one external user authenticates for the first time.

  • Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:

    # id username
Procedure

  1. In the Foreman web UI, navigate to Administer > User Groups, and click Create User Group.

  2. Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.

  3. Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.

  4. Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

    Specify the exact name of the external group in the Name field.

  5. Click Submit.

10. Refreshing external user groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure

  1. In the Foreman web UI, navigate to Administer > Usergroups and select a user group.

  2. On the External Groups tab, click Refresh to the right of the required user group.

CLI procedure

  • Enter the following command:

    # foreman-rake ldap:refresh_usergroups

11. Refreshing external user groups for FreeIPA or AD

External user groups based on FreeIPA or AD are refreshed only when a group member logs in to Foreman. It is not possible to alter user membership of external user groups in the Foreman web UI, such changes are overwritten on the next group refresh.