1. Overview of authentication methods in Foreman
The authentication methods you can configure depend on the authentication source you are using. If the native authentication features provided by Foreman are not sufficient for your use case, use this information to decide which external authentication provider best suits your requirements.
Foreman includes native support for authentication with a username and password. If you require additional methods of authentication, configure your Foreman server to use an external authentication source.
| | Username and password | Single sign-on (SSO) | One-time password (OTP) | Time-based one-time password (TOTP) | PIV cards | Additional details |
|---|---|---|---|---|---|---|
| Active Directory (direct integration) | Yes | Yes | No | No | No | Configuring Kerberos SSO for Active Directory users in Foreman |
| FreeIPA | Yes (Linux and Active Directory users) | Yes (Linux users only) | No | No | No | Configuring Kerberos SSO with FreeIPA in Foreman |
2. Accessing Foreman from Foreman web UI
After Foreman has been installed and configured, you can use a browser to log in to the Foreman web UI.
2.1. Logging in to the Foreman web UI
The Foreman web UI is a browser-based user interface that you can use to manage and monitor your Foreman infrastructure. To access Foreman web UI, use your web browser to navigate to the Foreman web UI login page and enter your credentials.
-
Ensure that the Katello root CA certificate is installed in your browser. For more information, see Importing the Katello root CA certificate using Foreman web UI.
-
Access Foreman server using a web browser pointed to the fully qualified domain name:
https://foreman.example.com/
-
Enter the user name and password created during the configuration process. If a user was not created during the configuration process, the default user name is admin.
-
If you have problems logging in, you can reset the password. For more information, see Resetting the administrative user password.
2.2. Importing the Katello root CA certificate using Foreman web UI
After the first login to Foreman web UI, you might see a warning that you are using the default self-signed certificate. To ensure a successful connection, locate the root CA certificate on Foreman and import it into your browser truststore.
-
Your Foreman is installed and configured.
-
Identify the fully qualified domain name of your Foreman server:
# hostname -f
-
Access the pub directory on your Foreman server using a web browser pointed to the fully qualified domain name:
https://foreman.example.com/pub
-
When you access Foreman for the first time, an untrusted connection warning displays in your web browser. Accept the self-signed certificate and add the Foreman URL as a security exception to override the settings. This procedure might differ depending on the browser being used. Ensure that the Foreman URL is valid before you accept the security exception. At this point the browser cannot verify who issued the certificate, so you are trusting the first connection: on a network you do not control, compare the certificate fingerprint shown by the browser with the fingerprint of the file on the server before you import it.
-
Select katello-server-ca.crt.
-
Import the certificate into your browser as a certificate authority and trust it to identify websites.
2.3. Importing the Katello root CA certificate using CLI
After the first login to Foreman web UI, you might see a warning that you are using the default self-signed certificate. To ensure a successful connection, locate the root CA certificate on Foreman and import it into your browser truststore.
-
Your Foreman is installed and configured.
-
On your Foreman server, copy the katello-server-ca.crt file to the machine you use to access the Foreman web UI:
# scp /var/www/html/pub/katello-server-ca.crt username@hostname:remotefile
-
In the browser, import the katello-server-ca.crt certificate as a certificate authority and trust it to identify websites.
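Both procedures above fetch the trust anchor over a connection that the client cannot yet verify, so the only real protection against a substituted certificate is to compare its fingerprint with one obtained out of band. The following script is an added example, not code from the Foreman documentation or project. It assumes the expected fingerprint was read on the server itself, for example over SSH with openssl x509 -noout -sha256 -fingerprint -in /var/www/html/pub/katello-server-ca.crt, and it uses a constructed PEM body (decoding to the bytes "abc" rather than to a real certificate) so that it runs offline; the fingerprint is computed directly over the base64-decoded DER, which is exactly what openssl and browsers display.

```shell
#!/bin/sh
# Added example (not part of the Foreman documentation): verify the SHA-256
# fingerprint of a downloaded katello-server-ca.crt against a value obtained
# out of band before importing it as a trust anchor.
#
# The expected fingerprint is assumed to come from the server over an already
# authenticated channel, for example:
#   ssh root@foreman.example.com \
#     'openssl x509 -noout -sha256 -fingerprint -in /var/www/html/pub/katello-server-ca.crt'
# That prints "sha256 Fingerprint=AA:BB:..."; the hex part is the value that
# ca_fingerprint_matches expects as its second argument.

# Print the SHA-256 fingerprint of the first PEM certificate in FILE in the
# colon-separated uppercase form openssl and browsers show. A certificate
# fingerprint is the digest of the DER encoding, i.e. the base64-decoded body
# between the BEGIN and END lines, so no ASN.1 parsing is needed.
ca_fingerprint() {   # file
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----/d' \
        | base64 -d \
        | sha256sum \
        | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# 0 if FILE's fingerprint equals EXPECTED, 1 otherwise. Both values are
# normalised (uppercase, colons removed) so either display form can be pasted.
ca_fingerprint_matches() {   # file expected
    actual=$(ca_fingerprint "$1" | tr -d ':')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Constructed stand-in for a downloaded certificate file: the body decodes to
# the three bytes "abc", not to a real DER certificate, which is enough to
# exercise the fingerprint path offline. A real file comes from
# https://foreman.example.com/pub/katello-server-ca.crt or the scp step above.
make_sample_pem() {   # file
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' > "$1"
}

# SHA-256 of "abc", i.e. the fingerprint of the constructed sample above.
SAMPLE_EXPECTED='BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD'

# check_ca_download FILE EXPECTED_FINGERPRINT
# Returns 1 and refuses when the fingerprints differ, so a script that imports
# the CA into a truststore can stop before trusting a substituted certificate.
check_ca_download() {
    if ca_fingerprint_matches "$1" "$2"; then
        echo "fingerprint OK: $(ca_fingerprint "$1")"
        return 0
    fi
    echo "fingerprint MISMATCH for $1; do not import this certificate" >&2
    return 1
}
```

Run check_ca_download with the downloaded file and the fingerprint copied from the server before the browser import or before placing the file under a system trust directory; the comparison tolerates lowercase and missing colons, so the openssl output can be pasted unchanged.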
2.4. Resetting the administrative user password
You can reset the administrative password to randomly generated characters or set a new administrative password for a specific user. This might be useful when you forget the password, when the administrative user is deleted, or for assigning administrative privileges to a user.
-
Log in to the base operating system where your Foreman server is installed.
-
Reset the administrative user password:
-
To set a randomly generated administrative user password:
# foreman-rake permissions:reset
Reset to user: admin, password: qwJxBptxb7Gfcjj5
-
To set a new administrative user password:
# foreman-rake permissions:reset username=My_User_Name password=My_New_Password
Replace My_User_Name with the username of the user whose password you want to reset.
Note: Be aware of the following behaviors:
-
If you enter a username that does not exist, the foreman-rake utility creates a new administrative user with the defined password. A mistyped username therefore silently creates an extra administrator, so check the user list afterwards, for example with hammer user list.
-
If you enter a username of a user without administrative privileges, that user gains administrative privileges.
-
If you do not enter a username, the password resets for the admin user by default.
-
-
-
To use the new password with the Hammer CLI, add the password and username to the ~/.hammer/cli.modules.d/foreman.yml file on your Foreman server. The file then holds the password in clear text, so make sure only its owner can read it:
# vi ~/.hammer/cli.modules.d/foreman.yml
-
Use the new password to log in to the Foreman web UI.
2.5. Setting a custom message on the Foreman web UI login page
You can change the default text on the login page to a custom message you want your users to see every time they access the page. For example, your custom message might be a warning required by your company.
-
In the Foreman web UI, navigate to Administer > Settings.
-
Select the General tab.
-
Enter your custom message in the Login page footer text field.
-
Click Submit.
-
Log out of the Foreman web UI and verify that the custom message is now displayed on the login page.
3. Configuring Kerberos SSO with FreeIPA in Foreman
FreeIPA is an open-source identity management solution that provides centralized authentication, authorization, and account management services. You can integrate Foreman with your existing FreeIPA server to enable FreeIPA users to authenticate to Foreman.
With your FreeIPA server configured as an external identity provider, users defined in FreeIPA can log in to Foreman with their FreeIPA credentials. If cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can also log in to Foreman.
FreeIPA users can log in using the following methods:
-
Username and password
-
Kerberos single sign-on
When cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can log in to Foreman with their user principal name (UPN) and password.
For information about FreeIPA, including its cross-forest trust functionality, see Red Hat Enterprise Linux 9 Planning Identity Management and Red Hat Enterprise Linux 9 Installing Identity Management.
3.1. Enrolling Foreman server in your FreeIPA domain
Create a host entry for your Foreman server system in the FreeIPA LDAP and configure the system to be a client in your FreeIPA domain.
-
An existing FreeIPA server
-
FreeIPA user account with privileges to enroll new FreeIPA hosts
-
On the FreeIPA server:
-
Create a host entry for the Foreman server system.
For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.
-
Create an entry for the HTTP service for Foreman server. This enables access to the keytab file by creating a service principal for your Foreman server.
For more information on creating a service entry in FreeIPA, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.
-
-
On your Foreman server, configure the system as a client in the FreeIPA domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the ipa-client-install utility. For more information, see Red Hat Enterprise Linux 9 Installing Identity Management.
-
On your Foreman server, check that you are able to resolve a user defined on the FreeIPA server. For example, to check the admin user that FreeIPA creates by default:
$ id admin
On the FreeIPA server, a user named admin who has administrative privileges on the FreeIPA server prepares a host entry for the Foreman server system:
-
Authenticate as the FreeIPA admin user:
# kinit admin
-
Optional: Verify that you have authenticated successfully:
# klist
-
Create a host entry from the command line. Specify that you want to use a random password for the enrollment.
# ipa host-add --random foreman-server.example.com
--------------------------------------------------
Added host "foreman-server.example.com"
--------------------------------------------------
  Host name: foreman-server.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: freeipa-server.example.com
-
Enable access to the keytab file by creating a service principal for your Foreman server:
# ipa service-add HTTP/foreman-server.example.com
On the Foreman server system, a user with Foreman administrative privileges enrolls the system into the FreeIPA domain:
-
Install the FreeIPA client packages:
# dnf install ipa-client
-
Configure the Foreman server system as a client in FreeIPA by using the random one-time password produced by ipa host-add in a previous step:
# ipa-client-install --password 'W5YpARl=7M.n'
-
Verify that you are able to resolve the FreeIPA admin user from your Foreman server:
$ id admin
3.2. Configuring the FreeIPA authentication source on Foreman server
Connect your Foreman server to your FreeIPA domain by configuring FreeIPA as an authentication provider on your Foreman server.
Note: The FreeIPA and Active Directory authentication sources are mutually exclusive.
Running
-
Foreman server running on a system that is enrolled in the FreeIPA domain.
-
Enable access for your preferred login method:
-
To enable access to the Foreman web UI only:
# foremanctl deploy --external-authentication ipa
-
To enable access to the Foreman web UI and the Foreman API, including Hammer CLI:
# foremanctl deploy --external-authentication ipa_with_api
Warning: Enabling access to both the Foreman web UI and the Foreman API poses a security risk. After the FreeIPA user runs kinit to receive a Kerberos ticket-granting ticket (TGT), an attacker who can use that ticket might obtain an API session. The attack is possible even if the user did not previously enter the Foreman login credentials anywhere, for example in the browser.
-
-
If your Foreman server runs in an IPv6-only network and also runs on Enterprise Linux 9.6 and earlier or Enterprise Linux 10.0, set the lookup_family_order option in the [domain/freeipa-server.example.com] section of the /etc/sssd/sssd.conf file:
[domain/freeipa-server.example.com]
lookup_family_order = ipv6_only
If the DNS name of the IdM server can be translated to both an IPv4 and IPv6 address but the IPv4 address is not accessible, SSSD requires lookup_family_order to translate the DNS name correctly. Without the option, IdM users are unable to use kinit to authenticate to Foreman.
-
Log in to Foreman web UI by entering the credentials of a user defined in FreeIPA.
3.3. Configuring host-based access control for FreeIPA users logging in to Foreman
You can use host-based access control (HBAC) rules to manage access control within your FreeIPA domain. In FreeIPA, HBAC rules define which users can access which hosts and which services can be used to gain access.
For example, you can configure HBAC on the FreeIPA server to limit access to Foreman server only to selected users or user groups. By configuring a HBAC rule in the FreeIPA domain, you can ensure Foreman does not create database entries for users who should not have access.
-
FreeIPA user account with privileges to configure HBAC rules
-
You have enabled FreeIPA as external authentication source on your Foreman server. For more information, see Configuring the FreeIPA authentication source on Foreman server.
-
On the FreeIPA server, configure HBAC control. For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.
-
Create a HBAC service for Foreman server.
-
Create a new HBAC rule to define the required access control. Add the following FreeIPA entities to the HBAC rule:
-
The HBAC service for Foreman server
-
The Foreman server host
-
The users or user groups to whom you want to grant access
-
-
Make sure the default FreeIPA allow_all rule is disabled.
-
-
On your Foreman server, load the host-based access control rules from FreeIPA:
# foremanctl deploy --external-authentication-pam-service foreman-prod
-
Log in to the Foreman web UI as a user defined in FreeIPA.
-
If the user is included in the HBAC rule, Foreman web UI will grant access.
-
If the user is not included in the HBAC rule, Foreman web UI will not grant access.
-
On the FreeIPA server, a user with administrative privileges configures a HBAC rule to allow selected users access to Foreman server:
-
Authenticate as the user with privileges required to configure HBAC rules:
$ kinit admin
-
Optional: Verify that you have authenticated successfully:
$ klist
-
Create a new HBAC service named foreman-prod:
$ ipa hbacsvc-add foreman-prod
-
Create a new HBAC rule:
$ ipa hbacrule-add allow-foreman-prod
-
Add the following FreeIPA entities to the HBAC rule:
-
The foreman-prod HBAC service:
$ ipa hbacrule-add-service allow-foreman-prod --hbacsvcs=foreman-prod
-
The Foreman server host:
$ ipa hbacrule-add-host allow-foreman-prod --hosts=foreman.example.com
-
The users or user groups to whom you want to grant access:
$ ipa hbacrule-add-user allow-foreman-prod --user=ipa-user
-
-
Optional: Verify the status of the rule:
$ ipa hbacrule-find foreman-prod
$ ipa hbactest --user=ipa-user --host=foreman.example.com --service=foreman-prod
-
Disable the default allow_all rule:
$ ipa hbacrule-disable allow_all
On Foreman server, a Foreman administrator re-runs foremanctl deploy to load the host-based access control rules from FreeIPA:
# foremanctl deploy --external-authentication-pam-service foreman-prod
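Disabling allow_all is the step that can lock every user out if the new rule is wrong, and ipa hbactest is the tool the procedure already uses to simulate a decision. The script below is an added example, not part of the Foreman or FreeIPA documentation: it wraps ipa hbactest in a pre-flight check that must pass for an allowed and a denied user before allow_all is disabled. It assumes the names from the procedure (service foreman-prod, rule allow-foreman-prod, host foreman.example.com, user ipa-user) and a constructed user other-user that must be denied; the hbactest output it consumes offline is constructed as well.

```shell
#!/bin/sh
# Added example, not part of the Foreman or FreeIPA documentation: a pre-flight
# check to run on the FreeIPA server before "ipa hbacrule-disable allow_all",
# so that a mistake in the new rule does not lock everyone out of Foreman.
# Names match the procedure above (service foreman-prod, rule allow-foreman-prod,
# host foreman.example.com, allowed user ipa-user); other-user is a constructed
# name for someone who must be denied once allow_all is gone.

# Reduce "ipa hbactest" output, read on stdin, to one word: granted, denied or
# unknown (no verdict line, for example because the command itself failed).
hbac_verdict() {
    case "$(grep 'Access granted:' | head -n 1)" in
        *True*)  echo granted ;;
        *False*) echo denied ;;
        *)       echo unknown ;;
    esac
}

# Evaluate one user against the Foreman HBAC service. --rules restricts the
# simulation to the named rule, so the verdict shows what will happen after
# allow_all is disabled, without having to disable it first.
hbac_test_user() {   # user host service rule
    ipa hbactest --user="$1" --host="$2" --service="$3" --rules="$4" 2>&1 | hbac_verdict
}

# Verdict provider for the real deployment; used with hbac_preflight below.
foreman_verdict() {   # user
    hbac_test_user "$1" foreman.example.com foreman-prod allow-foreman-prod
}

# Constructed stand-in for ipa hbactest output so the check can run offline.
fake_hbactest() {   # user
    case "$1" in
        ipa-user) printf '%s\n' '--------------------' 'Access granted: True' \
                      '--------------------' '  Matched rules: allow-foreman-prod' ;;
        *)        printf '%s\n' '---------------------' 'Access granted: False' \
                      '---------------------' '  Not matched rules: allow-foreman-prod' ;;
    esac
}
fake_verdict() { fake_hbactest "$1" | hbac_verdict; }

# hbac_preflight PROVIDER user:granted user:denied ...
# Runs PROVIDER for each user and compares the verdict with the expectation.
# Returns 0 only if every expectation holds, so it can gate the disable step:
#   hbac_preflight foreman_verdict ipa-user:granted other-user:denied \
#       && ipa hbacrule-disable allow_all
hbac_preflight() {
    provider=$1; shift
    failures=0
    for item in "$@"; do
        user=${item%%:*}
        want=${item#*:}
        got=$("$provider" "$user")
        if [ "$got" = "$want" ]; then
            echo "ok   $user: $got"
        else
            echo "FAIL $user: expected $want, got $got" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}
```

The denied case matters as much as the granted one: a rule that accidentally matches every user passes the first check and only the second reveals it, and both should be re-run after any later change to the rule's users, hosts, or services.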
3.4. Configuring Hammer CLI to accept FreeIPA credentials
If you want to enable users to authenticate to the Hammer CLI by using their FreeIPA credentials from a system with standalone Hammer installed, update Hammer configuration on that system.
Note: Updating Hammer configuration manually is not required on systems that have been configured with
-
You have enabled FreeIPA access to the Foreman API. For more information, see Configuring the FreeIPA authentication source on Foreman server.
-
Open the ~/.hammer/cli.modules.d/foreman.yml file on your Foreman server and update the list of foreman parameters:
-
To enforce session usage, enable :use_sessions::
:foreman:
  :use_sessions: true
With this configuration, you will need to initiate an authentication session manually with hammer auth login negotiate.
-
Alternatively, to enforce session usage and also negotiate authentication by default:
:foreman:
  :default_auth_type: 'Negotiate_Auth'
  :use_sessions: true
With this configuration, Hammer will negotiate authentication automatically when you enter the first hammer command.
-
3.5. Logging in to Hammer CLI with FreeIPA credentials
Authenticate to the Foreman Hammer CLI with your FreeIPA username and password.
-
Authenticate as a user defined in FreeIPA to obtain a Kerberos ticket-granting ticket (TGT):
$ kinit FreeIPA_user
WarningIf you enabled access to the Foreman API and the Foreman web UI when you were configuring FreeIPA as the authentication provider for Foreman, an attacker might now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the Foreman login credentials anywhere, for example in the browser.
-
If Hammer is not configured to negotiate authentication, initiate an authentication session manually:
$ hammer auth login negotiate
Note: If you destroy the active Kerberos ticket, for example with kdestroy, you will still be logged in to Hammer, because the Hammer session is stored independently of the ticket. To log out, enter hammer auth logout; do this explicitly on shared systems.
-
Use any hammer command to check that the system does not ask you to authenticate. For example:
$ hammer host list
3.6. Logging in to the Foreman web UI with FreeIPA credentials in Mozilla Firefox
Users with valid FreeIPA login credentials can log in to the Foreman web UI from the Mozilla Firefox browser.
Use the latest stable Mozilla Firefox browser.
-
You have FreeIPA authentication configured in your Foreman environment. For more information, see Configuring Kerberos SSO with FreeIPA in Foreman.
-
The host on which you are using Mozilla Firefox is a client in the FreeIPA domain.
-
Your Mozilla Firefox is configured for Single Sign-On (SSO).
-
To log in with a Kerberos ticket granting ticket (TGT):
-
Obtain the Kerberos TGT:
$ kinit user
Password for user@EXAMPLE.COM:
-
In Mozilla Firefox, go to the URL of your Foreman server.
-
You are logged in automatically.
-
-
To log in with your username and password:
-
In your browser address bar, enter the URL of your Foreman server.
-
Enter your username and password.
-
3.7. Logging in to the Foreman web UI with FreeIPA credentials in Chrome
Users with valid FreeIPA login credentials can log in to the Foreman web UI from the Chrome browser.
Use the latest stable Chrome browser.
-
You have FreeIPA authentication configured in your Foreman environment. For more information, see Configuring Kerberos SSO with FreeIPA in Foreman.
-
The host on which you are using Chrome is a client in the FreeIPA domain.
-
To use Kerberos authentication to log in:
-
Enable the Chrome browser to use Kerberos authentication:
$ google-chrome --auth-server-whitelist="*.example.com" --auth-negotiate-delegate-whitelist="*.example.com"
NoteInstead of allowlisting the whole domain, you can also allowlist a specific Foreman server.
-
Obtain the Kerberos ticket-granting ticket (TGT):
$ kinit user
Password for user@EXAMPLE.COM:
-
In Chrome, go to the URL of your Foreman server.
-
You are logged in automatically.
-
-
To use username and password to log in:
-
In your browser address bar, enter the URL of your Foreman server.
-
Enter your username and password.
-
3.8. Configuring a cross-forest trust between FreeIPA and Active Directory for Foreman
If your FreeIPA deployment includes a cross-forest trust with Active Directory (AD), you must configure host-based access control (HBAC) and the System Security Services Daemon (SSSD) before AD users can log in to Foreman.
-
An existing FreeIPA server with a cross-forest trust with AD established. For more information, see Red Hat Enterprise Linux 9 Installing trust between IdM and AD.
-
On your FreeIPA server:
-
Enable HBAC:
-
Create an external group and add the AD group to it.
-
Add the new external group to a POSIX group.
-
Use the POSIX group in a HBAC rule.
-
-
-
On your FreeIPA server and all replicas in your FreeIPA topology, configure SSSD to transfer additional attributes of AD users:
-
Add the AD user attributes to the domain, nss, and ifp sections in /etc/sssd/sssd.conf. For example:
[domain/EXAMPLE.com]
...
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname
[nss]
user_attributes=+email, +firstname, +lastname
[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname
-
Clear the SSSD cache:
-
Stop SSSD:
# systemctl stop sssd
-
Clear the cache:
# sss_cache -E
-
Start SSSD:
# systemctl start sssd
-
-
Verify the AD attribute values by using the dbus-send command on your Foreman server and on your FreeIPA server. Make sure that both outputs match.
# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname
-
4. Configuring Kerberos SSO for Active Directory users in Foreman
If the base system of your Foreman server is connected directly to Active Directory (AD), you can configure AD as an external authentication source for Foreman. Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored.
AD users can log in using the following methods:
-
Username and password
-
Kerberos single sign-on
4.1. Joining the Foreman server system to an AD domain
The base system of your Foreman server must be joined to an Active Directory (AD) domain before you can configure the AD authentication source on your Foreman server. Use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain.
-
Install the following packages on Foreman server:
# dnf install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
-
Join the system to the AD domain, specifying the required software:
# realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd
4.2. Configuring the Active Directory authentication source on Foreman server
Enable Active Directory (AD) users to access Foreman by configuring the corresponding authentication provider on your Foreman server.
-
Define AD realm configuration in a location where Foreman expects it:
-
Create a directory named /etc/ipa/:
# mkdir /etc/ipa/
-
Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:
[global]
realm = AD.EXAMPLE.COM
-
-
Configure the Apache keytab for Kerberos connections:
-
Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:
[global]
workgroup = AD.EXAMPLE
realm = AD.EXAMPLE.COM
kerberos method = system keytab
security = ads
-
Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:
# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab create HTTP -U Administrator -s /etc/samba/smb.conf
Note: The net ads keytab create command was introduced in Samba version 4.21.1. If your system uses an earlier version of Samba, use the net ads keytab add command.
-
-
Configure the System Security Services Daemon (SSSD) on your Foreman server:
-
Configure the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, set the ad_gpo_access_control and ad_gpo_map_service options as follows:
[domain/ad.example.com]
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman
For more information on GPOs, see How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 9).
-
If your Foreman server runs in an IPv6-only network and also runs on RHEL 9.6 and earlier or RHEL 10.0, set the lookup_family_order option in the [domain/ad.example.com] section of the /etc/sssd/sssd.conf file:
[domain/ad.example.com]
lookup_family_order = ipv6_only
If the DNS name of the AD server can be translated to both an IPv4 and IPv6 address but the IPv4 address is not accessible, SSSD requires lookup_family_order to translate the DNS name correctly. Without the option, AD users are unable to use kinit to authenticate to Foreman.
-
Restart SSSD:
# systemctl restart sssd
-
-
Enable the authentication source:
# foremanctl deploy --external-authentication ipa
-
To verify that AD users can log in to Foreman by entering their credentials, log in to Foreman web UI at https://foreman.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.
-
To verify that AD users can authenticate by using Kerberos single sign-on:
-
Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
$ kinit ad_user@AD.EXAMPLE.COM
-
Verify user authentication by using your TGT:
$ curl -k -u : --negotiate https://foreman.example.com/users/extlogin
The -k option disables TLS certificate verification. On a host where you have imported the Katello root CA, pass it with --cacert instead so the check also confirms that the server certificate chains to the expected CA.
If external authentication is configured correctly, the curl command redirects you to https://foreman.example.com/hosts:
<html><body>You are being <a href="foreman.example.com/hosts">redirected</a>.</body></html>
-
-
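Most Kerberos SSO failures at this point come down to the Apache keytab: it is missing, holds the wrong principal, or is readable by other local users, which exposes the HTTP service key. The script below is an added example, not part of the Foreman documentation, for checking the keytab produced by the net ads keytab create step before running foremanctl deploy (the same checks apply to a FreeIPA-enrolled server). It assumes the keytab path /etc/httpd/conf/http.keytab and the FQDN foreman.example.com from the procedure, takes the expected owner as a parameter because the web server user differs between distributions (apache on Enterprise Linux), and replays a constructed klist -kt listing so that it can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Foreman documentation: sanity checks for the
# Apache keytab created by the "net ads keytab create" step above, to run
# before "foremanctl deploy" and again whenever SSO stops working. The same
# checks apply to a FreeIPA-enrolled server. Assumed values, taken from the
# procedure: keytab /etc/httpd/conf/http.keytab and FQDN foreman.example.com;
# the expected owner is passed in because the web server user differs between
# distributions. The klist listing replayed offline below is constructed.

# 0 if FILE exists with mode exactly 0600. find -perm with an octal mode is an
# exact match and is POSIX, unlike the GNU and BSD forms of stat.
keytab_mode_ok() {   # file
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 0600 -print)" ]
}

# 0 if FILE is owned by USER.
keytab_owner_ok() {   # file user
    [ -n "$(find "$1" -user "$2" -print 2>/dev/null)" ]
}

# Reads a "klist -kt" listing on stdin and succeeds if it contains an
# HTTP/<fqdn>@REALM entry. Each entry looks like
#    3 10/01/2024 12:00:00 HTTP/foreman.example.com@AD.EXAMPLE.COM
keytab_lists_http_principal() {   # fqdn
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q "[[:space:]]HTTP/$esc@"
}

# Either run klist on the keytab or replay a saved listing (second argument).
keytab_listing() {   # file [saved-listing]
    if [ -n "${2:-}" ]; then cat "$2"; else klist -kt "$1"; fi
}

# check_http_keytab FILE OWNER FQDN [SAVED_LISTING]
# Prints one line per check and returns 0 only if all of them pass, e.g.
#   check_http_keytab /etc/httpd/conf/http.keytab apache foreman.example.com
check_http_keytab() {
    file=$1; owner=$2; fqdn=$3; listing=${4:-}
    rc=0
    if keytab_mode_ok "$file"; then
        echo "ok   $file has mode 0600"
    else
        echo "FAIL $file is missing or is readable by group/others" >&2; rc=1
    fi
    if keytab_owner_ok "$file" "$owner"; then
        echo "ok   $file is owned by $owner"
    else
        echo "FAIL $file is not owned by $owner" >&2; rc=1
    fi
    if keytab_listing "$file" "$listing" 2>/dev/null | keytab_lists_http_principal "$fqdn"; then
        echo "ok   keytab holds HTTP/$fqdn"
    else
        echo "FAIL keytab holds no HTTP/$fqdn principal" >&2; rc=1
    fi
    return $rc
}
```

A principal check that passes while SSO still fails usually points at a key version (KVNO) mismatch after the computer account password was rotated; re-running the keytab step refreshes the entry.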
Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:
Authentication failed with status code: { "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
If you see this error, verify which cipher is used for the connection:
# openssl s_client -connect ldap.example.com:636
If the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is used, disable it on either the Foreman server side or on the AD side. The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is known to cause incompatibilities. Note that openssl reports cipher suites under its own names, so this suite appears in the s_client output as DHE-RSA-AES256-GCM-SHA384. For information on configuring system-wide cryptographic policies, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening.
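Reading the negotiated suite out of a full s_client transcript is easy to get wrong by eye, and the IANA name in the note does not match what openssl prints. The following script is an added example, not part of the Foreman documentation: it extracts the negotiated suite from s_client output, flags the one suite this page names as incompatible, and documents one way to remove it on the Foreman side. The s_client output it parses offline is constructed; ldap.example.com:636 is the placeholder from the procedure, and the crypto-policies module shown in the comment is an assumption that applies to Enterprise Linux hosts using system-wide crypto policies.

```shell
#!/bin/sh
# Added example, not part of the Foreman documentation: extract the cipher
# suite negotiated with the AD LDAP server from openssl s_client output and
# flag the suite the troubleshooting note above names as incompatible.
# openssl prints suites under its own names, so
# TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 shows up as DHE-RSA-AES256-GCM-SHA384.
# ldap.example.com:636 is the placeholder from the procedure; the s_client
# transcript embedded below is constructed for offline use.

# Print the negotiated suite from s_client output read on stdin. Both the
# "New, TLSv1.2, Cipher is X" line and the "Cipher    : X" line of the
# SSL-Session block carry it; whichever appears first wins. A failed handshake
# yields "(NONE)".
negotiated_cipher() {
    sed -n -e 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' \
           -e 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1
}

# 0 if SUITE is the one this page reports as incompatible, accepting either
# the openssl name or the IANA name.
cipher_is_problematic() {   # suite
    case "$1" in
        DHE-RSA-AES256-GCM-SHA384|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on a suite name: 0 when acceptable, 1 when it is the known-bad
# suite, 2 when no TLS session was established at all.
report_cipher() {   # suite
    case "$1" in
        ''|'(NONE)') echo "no TLS session established" >&2; return 2 ;;
    esac
    if cipher_is_problematic "$1"; then
        echo "negotiated $1: known to break the Foreman LDAP connection" >&2
        # Assumed remediation on an Enterprise Linux Foreman server using
        # system-wide crypto policies: a policy module that drops DHE key
        # exchange, e.g. /etc/crypto-policies/policies/modules/NO-DHE.pmod
        # containing "key_exchange = -DHE", applied with
        #   update-crypto-policies --set DEFAULT:NO-DHE
        # followed by a restart of Foreman. This removes every DHE suite,
        # not only the one above; alternatively disable it on the AD side.
        return 1
    fi
    echo "negotiated $1"
    return 0
}

# Connect to HOST:PORT (for example ldap.example.com:636) and report.
check_ldaps_cipher() {   # host:port
    suite=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | negotiated_cipher)
    report_cipher "$suite"
}

# Constructed s_client transcripts standing in for a live LDAPS connection.
sample_bad_output() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        'New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384' \
        'Server public key is 2048 bit' 'SSL-Session:' \
        '    Protocol  : TLSv1.2' '    Cipher    : DHE-RSA-AES256-GCM-SHA384'
}
sample_good_output() {
    printf '%s\n' 'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
        'SSL-Session:' '    Cipher    : TLS_AES_256_GCM_SHA384'
}
```

Because the AD side chooses the suite from what the client offers, re-run check_ldaps_cipher after changing the policy on the Foreman server: if the server is still rejecting the handshake with every other DHE-free suite you offer, the fix has to be made on the AD side instead.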
5. Managing external user groups
When using external authentication sources, such as FreeIPA or Active Directory, you can configure group membership to control user access and permissions in Foreman. You might need to take extra configuration steps to manage group membership for user accounts defined in external authentication sources.
Note: External user groups based on FreeIPA or AD are refreshed only when a group member logs in to Foreman. It is not possible to alter user membership of external user groups in the Foreman web UI; such changes are overwritten on the next group refresh.
5.1. Associating external users with user groups
Foreman does not associate external users with their user group automatically. To associate these external users with their user group, you must create the user group on your Foreman server.
When you create a Foreman user group with the same name as in the external source, members of the external user group automatically become members of the Foreman user group and receive the associated permissions. The configuration of external user groups depends on the type of external authentication.
To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.
-
If you use a FreeIPA or AD server, configure Foreman to use FreeIPA or AD authentication. For more information, see Configuring authentication for Foreman users.
-
Ensure that at least one external user authenticates for the first time.
-
Retain a copy of the external group names you want to use. You can find the group membership of external users:
# id username
-
In the Foreman web UI, navigate to Administer > User Groups, and click Create User Group.
-
Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.
-
Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.
-
Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.
Specify the exact name of the external group in the Name field.
-
Click Submit.
6. Resetting external authentication configuration for Kerberos SSO
You can disable external authentication with FreeIPA or Active Directory (AD) by resetting the configuration for the IPA authentication type.
This prevents user accounts defined in the external authentication source from accessing Foreman.
Important: Resetting external authentication prevents users from accessing Foreman with Kerberos single sign-on (SSO). However, some configuration files, such as configuration files for the System Security Services Daemon (SSSD), will remain modified because Foreman does not have access to the previous state of these files.
-
Reset the external authentication configuration to the default state:
# foremanctl deploy --reset-external-authentication
-
Verify your external authentication configuration:
$ curl -k -u : --negotiate https://foreman.example.com/users/extlogin
The -k option disables TLS certificate verification; where the Katello root CA is available, pass it with --cacert instead.
If external authentication is disabled, the curl command redirects you to https://foreman.example.com/users/login.
<html><body>You are being <a href="https://foreman.example.com/users/login">redirected</a>.</body></html>