Installing Foreman Server nightly on Debian/Ubuntu

1. Preparing your Environment for Installation

Before you install Foreman, ensure that your environment meets the following requirements.

1.1. System Requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
A minimum of 4 GB RAM is required for Foreman server to function. Foreman running with less RAM than the minimum value might not operate correctly.
Administrative user (root) access
Full forward and reverse DNS resolution using a fully-qualified domain name

Foreman only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Enterprise Linux, see Configuring System Locale guide.

Foreman server and Smart Proxy server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Foreman.

Before you install Foreman server, ensure that your environment meets the requirements for installation.

Foreman server must be installed on a freshly provisioned system that serves no other function except to run Foreman server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Foreman server creates:

www-data
foreman
foreman-proxy
postgres
puppet
redis

1.2. Storage Requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

Table 1. Storage Requirements for a Foreman server Installation
Directory	Installation Size	Runtime Size
/var/log	10 MB	10 GB
/var/lib/postgresql	100 MB	20 GB
/usr	5 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable

1.3. Supported Operating Systems

You can install the operating system from a disc, local ISO image, or kickstart.

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 2. Operating Systems supported by foreman-installer
Operating System	Architecture	Notes
Debian 11 (Bullseye)	amd64
Ubuntu 20.04 (Focal)	amd64

Before you install Foreman, apply all operating system updates if possible.

Install Foreman server on a freshly provisioned system.

1.4. Supported Browsers

Using the most recent version of a major browser is highly recommended, as Foreman and the frameworks it uses offer limited support for older versions.

The recommended requirements are as follows for major browsers:

Google Chrome – latest version
Microsoft Edge – latest version
Apple Safari – latest version
Mozilla Firefox – latest version
Mozilla Firefox Extended Support Release (ESR) – latest version

Other browsers may work unpredictably.

The Foreman web UI and command-line interface support English, Portuguese, Simplified Chinese Traditional Chinese, Korean, Japanese, Italian, Spanish, Russian, French, and German.

1.5. Ports and Firewalls Requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 3. Foreman server incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
443	TCP	HTTPS	Smart Proxy	Foreman API	Communication from Smart Proxy
5910 – 5930	TCP	HTTPS	Browsers	Compute Resource’s virtual console
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTPS	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
8443	TCP	HTTPS	Client	OpenSCAP	Configure Client
8443	TCP	HTTPS	Foreman	Smart Proxy API	Smart Proxy functionality

Any managed host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

A DHCP Smart Proxy performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using foreman-installer --foreman-proxy-dhcp-ping-free-ip=false.

Note	Some outgoing traffic returns to Foreman to enable internal communication and security operations.

Table 4. Foreman server outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
22, 16514	TCP	SSH SSH/TLS	Compute Resource	Foreman originated communications, for compute resources in libvirt
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	Smart Proxy DNS	Validation of DNS conflicts (optional)
53	TCP and UDP	DNS	DNS Server	Orchestration	Validation of DNS conflicts
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
80	TCP	HTTP	Remote repository	Content Sync	Remote yum repository
389, 636	TCP	LDAP, LDAPS	External LDAP Server	LDAP	LDAP authentication, necessary only if external authentication is enabled. The port can be customized when `LDAPAuthSource` is defined
443	TCP	HTTPS	Foreman	Smart Proxy	Smart Proxy Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Amazon EC2, Azure, Google GCE	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
5000	TCP	HTTPS	OpenStack Compute Resource	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
5900 – 5930	TCP	SSL/TLS	Hypervisor	noVNC console	Launch noVNC console
5985	TCP	HTTP	Client	WinRM	Configure Client running Windows
5986	TCP	HTTPS	Client	WinRM	Configure Client running Windows
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	Smart Proxy sends reboot command to the discovered host (optional)
8443	TCP	HTTPS	Smart Proxy	Smart Proxy API	Management of Smart Proxies

1.6. Enabling Connections from a Client to Foreman server

Smart Proxies and Content Hosts that are clients of a Foreman server’s internal Smart Proxy require access through Foreman’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the system that Foreman is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Ports and Firewalls Requirements.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

To open the ports for client to Foreman communication, enter the following command on the base operating system that you want to install Foreman on:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
--add-service=foreman-proxy \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

Enter the following command:
```
# firewall-cmd --list-all
```

1.7. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Foreman.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

Warning

Name resolution is critical to the operation of Foreman. If Foreman cannot properly resolve its fully qualified domain name, many options fail, such as provisioning.

2. Preparing your Environment for Foreman Installation in an IPv6 Network

You can install and use Foreman in an IPv6 network. Before installing Foreman in an IPv6 network, view the limitations and ensure that you meet the requirements.

To provision hosts in an IPv6 network, after installing Foreman, you must also configure Foreman for the UEFI HTTP boot provisioning. For more information, see Configuring Foreman for UEFI HTTP Boot Provisioning in an IPv6 Network.

2.1. Limitations of Foreman Installation in an IPv6 Network

Foreman installation in an IPv6 network has the following limitations:

You can install Foreman and Smart Proxies in IPv6-only systems, dual-stack installation is not supported.
Although Foreman provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use Foreman to provision hosts.

2.2. Requirements for Foreman Installation in an IPv6 Network

Before installing Foreman in an IPv6 network, ensure that you meet the following requirements:

You must deploy an external DHCP IPv6 server as a separate unmanaged service to bootstrap clients into GRUB2, which then configures IPv6 networking either using DHCPv6 or or assigning static IPv6 address. This is required because the DHCP server in Red Hat Enterprise Linux (ISC DHCP) does not provide an integration API for managing IPv6 records, therefore the Smart Proxy DHCP plug-in that provides DHCP management is limited to IPv4 subnets.

Note that this requirement is for Katello users only.
You must configure Foreman to use this IPv4 HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to Foreman.

3. Installing Foreman server

Use the following procedures to install Foreman server and perform the initial configuration.

Note that the Foreman installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/foreman-installer/foreman.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1. Configuring Repositories

Use these procedures to enable the repositories required to install Foreman server.

Choose from the following list which operating system and version you are installing on:

Debian 11 (Bullseye)
Ubuntu 20.04 (Focal)

3.1.1. Debian 11 (Bullseye)

Install the wget and ca-certificates packages:
```
# apt-get install wget ca-certificates
```
Change directory to /tmp and retrieve the puppet7-release-bullseye.deb package:
```
# cd /tmp && wget https://apt.puppet.com/puppet7-release-bullseye.deb
```

Install the puppet7-release-bullseye.deb package:

# apt-get install /tmp/puppet7-release-bullseye.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ bullseye nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

3.1.2. Ubuntu 20.04 (Focal)

Install the wget and ca-certificates packages:
```
# apt-get install wget ca-certificates
```
Change directory to /tmp and retrieve the puppet7-release-focal.deb package:
```
# cd /tmp && wget https://apt.puppet.com/puppet7-release-focal.deb
```

Install the puppet7-release-focal.deb package:

# apt-get install /tmp/puppet7-release-focal.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ focal nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

3.2. Installing Foreman server Packages

Procedure

Update package lists:
```
# apt-get update
```
Update all packages:
```
# apt-get upgrade
```
Install foreman-installer:
```
# apt-get install foreman-installer
```

3.3. Configuring Foreman server

Install Foreman server using the foreman-installer installation script.

This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Foreman answer file. You can run the script as often as needed to configure any necessary options.

Note	Depending on the options that you use when running the Foreman installer, the configuration can take several minutes to complete.

3.3.1. Configuring Foreman Installation

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/foreman.log to determine if the process completed successfully.

Considerations

Use the foreman-installer --help command to display the available options and any default values. If you do not specify any values, the default values are used.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
By default, all configuration files configured by the installer are managed by Puppet. When foreman-installer runs, it overwrites any manual changes to the Puppet managed files with the initial values. By default, Foreman server is installed with the Puppet agent running as a service. If required, you can disable Puppet agent on Foreman server using the --puppet-runmode=none option.
If you want to manage DNS files and DHCP files manually, use the --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false options so that Puppet does not manage the files related to the respective services. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Foreman.

Procedure

Enter the following command with any additional options that you want to use:

# foreman-installer \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

The script displays its progress and writes logs to /var/log/foreman-installer/foreman.log.

4. Performing Additional Configuration on Foreman server

4.1. Configuring Foreman for UEFI HTTP Boot Provisioning in an IPv6 Network

Use this procedure to configure Foreman to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

Ensure that your clients can access DHCP and HTTP servers.
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Foreman and Smart Proxies.
Ensure that the host provisioning interface subnet has an HTTP Boot Smart Proxy, and Templates Smart Proxy set. For more information, see Adding a Subnet to Foreman server in Provisioning Hosts.
In the Foreman web UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Foreman cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

You must disable DHCP management in the installer or not use it.
For all IPv6 subnets created in Foreman, set the DHCP Smart Proxy to blank.
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.

4.2. Configuring Foreman server with an HTTP Proxy

Use the following procedures to configure Foreman with an HTTP proxy.

4.2.1. Adding a Default HTTP Proxy to Foreman

If your network uses an HTTP Proxy, you can configure Foreman server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for Foreman. To use the CLI instead of the Foreman web UI, see the CLI procedure.

Procedure

In the Foreman web UI, navigate to Infrastructure > HTTP Proxies.
Click New HTTP Proxy.
In the Name field, enter the name for the HTTP proxy.
In the Url field, enter the URL of the HTTP proxy in the following format: https://proxy.example.com:8080.
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
To test connection to the proxy, click the Test Connection button.
Click Submit.
In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to the created HTTP proxy.

CLI procedure

Verify that the http_proxy, https_proxy, and no_proxy variables are not set.
```
# unset http_proxy
# unset https_proxy
# unset no_proxy
```

Add an HTTP proxy entry to Foreman:

# hammer http-proxy create --name=myproxy \
--url http://myproxy.example.com:8080  \
--username=proxy_username \
--password=proxy_password

Configure Foreman to use this HTTP proxy by default:

# hammer settings set --name=content_default_http_proxy --value=myproxy

4.2.2. Using an HTTP Proxy for all Foreman HTTP Requests

If your Foreman server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Foreman communication takes precedence over the proxies that you set for compute resources.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy --value=Proxy_URL

4.2.3. Excluding Hosts from Receiving Proxied Requests

If you use an HTTP Proxy for all Foreman HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

In the Foreman web UI, navigate to Administer > Settings.
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

4.2.4. Configuring a proxy for PXE files downloads

For Red Hat content served through the Content Delivery Network, Smart Proxy downloads PXE files from synchronized repositories. However, when configuring and installing an operating system using Installation Media, Smart Proxy connects directly using the wget utility.

Procedure

On Smart Proxy with the TFTP feature, to verify the ports that are permitted by SELinux for the HTTP cache, enter the following command:
```
# systemctl edit foreman-proxy
```

Insert the following test into the editor:

[Service]
Environment="http_proxy=http://proxy.example.com:8888"
Environment="https_proxy=https://proxy.example.com:8888"

Save the file. Verify that the file appears as /etc/systemd/system/foreman-proxy.service.d/overrides.conf.
Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Create a host or enter build mode for an existing host to re-download PXE files to the TFTP Smart Proxy.

4.2.5. Resetting the HTTP Proxy

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to no global default.

CLI procedure

Set the content_default_http_proxy setting to an empty string:

# hammer settings set --name=content_default_http_proxy --value=""

4.3. Enabling Power Management on Managed Hosts

To perform power management tasks on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Foreman server.

Prerequisites

All managed hosts must have a network interface of BMC type. Foreman server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing Hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer --foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

4.4. Configuring DNS, DHCP, and TFTP on Foreman server

To configure the DNS, DHCP, and TFTP services on Foreman server, use the foreman-installer command with the options appropriate for your environment. To view a complete list of configurable options, enter the foreman-installer --help command.

Any changes to the settings require entering the foreman-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

Adding Multihomed DHCP details

If you want to use Multihomed DHCP, you must inform the installer.

Prerequisites

Ensure that the following information is available to you:
- DHCP IP address ranges
- DHCP gateway IP address
- DHCP nameserver IP address
- DNS information
- TFTP server name
Use the FQDN instead of the IP address where possible in case of network changes.
Contact your network administrator to ensure that you have the correct settings.

Procedure

Enter the foreman-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

# foreman-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-additional-interfaces eth1 \
--foreman-proxy-dhcp-additional-interfaces eth2 \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername 192.0.2.3

You can monitor the progress of the foreman-installer command displayed in your prompt. You can view the logs in /var/log/foreman-installer/foreman.log. You can view the settings used, including the initial_admin_password parameter, in the /etc/foreman-installer/scenarios.d/foreman-answers.yaml file.

For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning Hosts.

4.5. Disabling DNS, DHCP, and TFTP for Unmanaged Networks

If you want to manage TFTP, DHCP, and DNS services manually, you must prevent Foreman from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors. However, Foreman does not remove the back-end services on the operating system.

Procedure

On Foreman server, enter the following command:

# foreman-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false

In the Foreman web UI, navigate to Infrastructure > Subnets and select a subnet.
Click the Smart Proxies tab and clear the DHCP Smart Proxy, TFTP Smart Proxy, and Reverse DNS Smart Proxy fields.
In the Foreman web UI, navigate to Infrastructure > Domains and select a domain.
Clear the DNS Smart Proxy field.
Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
```
Option 66: IP address of Foreman or Smart Proxy
Option 67: /pxelinux.0
```
For more information about DHCP options, see RFC 2132.

Note

Foreman does not perform orchestration when a Smart Proxy is not set for a given subnet and domain. When enabling or disabling Smart Proxy associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Smart Proxy to turn orchestration on, ensure the required DHCP and DNS records as well as the TFTP files are in place for the existing Foreman hosts in order to prevent host deletion failures in the future.

4.6. Configuring Foreman server for Outgoing Emails

To send email messages from Foreman server, you can use either an SMTP server, or the sendmail command.

Prerequisite

Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Foreman server for relay or use the sendmail command instead.

Procedure

In the Foreman web UI, navigate to Administer > Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 5. Using an SMTP server as a delivery method
Name	Example value
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password
SMTP port	25
SMTP username	user@example.com

The SMTP username and SMTP password specify the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 6. Using gmail.com as an SMTP server
Name	Example value
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	password
SMTP port	587
SMTP username	user@gmail.com

The following example uses the sendmail command as a delivery method:

Table 7. Using sendmail as a delivery method

Name Example value

Delivery method

Sendmail

Sendmail location

/usr/sbin/sendmail

Sendmail arguments

-i

For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in /etc/foreman/settings.yaml. Both settings currently cannot be set via foreman-installer. This is being tracked in issue #33543. For more information see the sendmail 1 man page.

If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Foreman server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the Foreman web UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Foreman web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Table 7. Using sendmail as a delivery method
Name	Example value
Delivery method	Sendmail
Sendmail location	/usr/sbin/sendmail
Sendmail arguments	-i

Note	For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering Foreman.

5. Configuring External Authentication

By using external authentication you can derive user and user group permissions from user group membership in an external identity provider. When you use external authentication, you do not have to create these users and maintain their group membership manually on Foreman server. In case the external source does not provide email, it will be requested during the first login through Foreman web UI.

Important User and Group Account Information

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your Foreman server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, www-data, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

# cat /etc/passwd | grep 'puppet\|www-data\|foreman\|foreman-proxy'
# cat /etc/group | grep 'puppet\|www-data\|foreman\|foreman-proxy'

Scenarios for Configuring External Authentication

Foreman supports the following general scenarios for configuring external authentication:

Using Lightweight Directory Access Protocol (LDAP) server as an external identity provider. LDAP is a set of open protocols used to access centrally stored information over a network. With Foreman, you can manage LDAP entirely through the Foreman web UI. For more information, see Using LDAP. Though you can use LDAP to connect to a FreeIPA or AD server, the setup does not support server discovery, cross-forest trusts, or single sign-on with Kerberos in Foreman’s web UI.
Using a FreeIPA server as an external identity provider. FreeIPA deals with the management of individual identities, their credentials and privileges used in a networking environment. Configuration using FreeIPA cannot be completed using only the Foreman web UI and requires some interaction with the CLI. For more information see Using FreeIPA.
Using Active Directory (AD) integrated with FreeIPA through cross-forest Kerberos trust as an external identity provider. For more information see Active Directory with Cross-Forest Trust.
Using Keycloak as an OpenID provider for external authentication to Foreman. For more information, see Configuring Foreman with Keycloak Authentication.
Using Keycloak as an OpenID provider for external authentication to Foreman with TOTP. For more information, see Configuring Keycloak Authentication with TOTP.
Using Keycloak as an OpenID provider for external authentication to Foreman with PIV cards. For more information, see Configuring Keycloak Authentication with PIV Cards.

As well as providing access to Foreman server, hosts provisioned with Foreman can also be integrated with FreeIPA realms. Foreman has a realm feature that automatically manages the life cycle of any system registered to a realm or domain provider. For more information, see External Authentication for Provisioned Hosts.

Table 8. Authentication Overview
Type	Authentication	User Groups
FreeIPA	Kerberos or LDAP	Yes
Active Directory	Kerberos or LDAP	Yes
POSIX	LDAP	Yes

5.1. Using LDAP

Foreman supports LDAP authentication using one or multiple LDAP directories.

If you require Foreman to use TLS to establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your Foreman server as described below. If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained. If you do not require secure LDAP at this time, proceed to Configuring Foreman to use LDAP.

Important

Users cannot use both FreeIPA and LDAP as an authentication method. Once a user authenticates using one method, they cannot use the other method.

To change the authentication method for a user, you have to remove the automatically created user from Foreman.

For more information on using FreeIPA as an authentication method, see Using FreeIPA.

5.1.1. Configuring TLS for Secure LDAP

Use the Foreman CLI to configure TLS for secure LDAP (LDAPS).

Procedure

Obtain the Certificate from the LDAP Server.
1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base-64 encoded X.509 format. See How to configure Active Directory authentication with TLS on Foreman for information on creating and exporting a CA certificate from an Active Directory server.
2. Download the LDAP server certificate to a temporary location onto Foreman server and remove it when finished.
  
  For example, /tmp/example.crt. The filename extensions .cer and .crt are only conventions and can refer to DER binary or PEM ASCII format certificates.
Trust the Certificate from the LDAP Server.

Foreman server requires the CA certificates for LDAP authentication to be individual files in /etc/pki/tls/certs/ directory.
1. Use the install command to install the imported certificate into the /etc/pki/tls/certs/ directory with the correct permissions:
  # install /tmp/example.crt /etc/pki/tls/certs/
2. Enter the following command as root to trust the example.crt certificate obtained from the LDAP server:
  # ln -s example.crt /etc/pki/tls/certs/$(openssl \ x509 -noout -hash -in \ /etc/pki/tls/certs/example.crt).0
3. Restart the httpd service:
  # systemctl restart httpd

5.1.2. Configuring Foreman to use LDAP

In the Foreman web UI, configure Foreman to use LDAP.

Note that if you need single sign-on functionality with Kerberos on Foreman web UI, you should use FreeIPA and AD external authentication instead. For more information, see:

Using FreeIPA
Using Active Directory

Procedure

Set the Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:
```
# setsebool -P nis_enabled on
```
In the Foreman web UI, navigate to Administer > Authentication Sources.
Click Create LDAP Authentication Source.
On the LDAP server tab, enter the LDAP server’s name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For TLS encrypted connections, select the LDAPS checkbox to enable encryption. The port should change to 636, which is the default for LDAPS.
On the Account tab, enter the account information and domain name details. See Description of LDAP Settings for descriptions and examples.
On the Attribute mappings tab, map LDAP attributes to Foreman attributes. You can map login name, first name, last name, email address, and photo attributes. See Example Settings for LDAP Connections for examples.
On the Locations tab, select locations from the left table. Selected locations are assigned to users created from the LDAP authentication source, and available after their first login.
On the Organizations tab, select organizations from the left table. Selected organizations are assigned to users created from the LDAP authentication source, and available after their first login.
Click Submit.
Configure new accounts for LDAP users:
- If you did not select Automatically Create Accounts In Foreman checkbox, see Creating a User in Administering Foreman to create user accounts manually.
- If you selected the Automatically Create Accounts In Foreman checkbox, LDAP users can now log in to Foreman using their LDAP accounts and passwords. After they log in for the first time, the Foreman administrator has to assign roles to them manually. For more information on assigning user accounts appropriate roles in Foreman, see Assigning Roles to a User in Administering Foreman.

5.1.3. Description of LDAP Settings

The following table provides a description for each setting in the Account tab.

Table 9. Account Tab Settings
Setting	Description
Account	The user name of the LDAP account that has read access to the LDAP server. User name is not required if the server allows anonymous reading, otherwise use the full path to the user’s object. For example: uid=$login,cn=users,cn=accounts,dc=example,dc=com The `$login` variable stores the username entered on the login page as a literal string. The value is accessed when the variable is expanded. The variable cannot be used with external user groups from an LDAP source because Foreman needs to retrieve the group list without the user logging in. Use either an anonymous, or dedicated service user.
Account password	The LDAP password for the user defined in the Account username field. This field can remain blank if the Account username is using the `$login` variable.
Base DN	The top level domain name of the LDAP directory.
Groups base DN	The top level domain name of the LDAP directory tree that contains groups.
LDAP filter	A filter to restrict LDAP queries.
Automatically Create Accounts In Foreman	If this checkbox is selected, Foreman creates user accounts for LDAP users when they log in to Foreman for the first time. After they log in for the first time, the Foreman administrator has to assign roles to them manually. See Assigning Roles to a User in Administering Foreman to assign user accounts appropriate roles in Foreman.
Usergroup Sync	If this option is selected, the user group membership of a user is automatically synchronized when the user logs in, which ensures the membership is always up to date. If this option is cleared, Foreman relies on a cron job to regularly synchronize group membership (every 30 minutes by default). For more information, see Configuring External User Groups.

5.1.4. Example Settings for LDAP Connections

The following table shows example settings for different types of LDAP connections. The example below uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries. Note that LDAP attribute names are case sensitive.

Table 10. Example Settings for Active Directory, Free IPA or Red Hat Identity Management and POSIX LDAP Connections
Setting	Active Directory	FreeIPA or Red Hat Identity Management	POSIX (OpenLDAP)
Account	DOMAIN\redhat	uid=redhat,cn=users, cn=accounts,dc=example, dc=com	uid=redhat,ou=users, dc=example,dc=com
Account password	P@ssword	-	-
Base DN	DC=example,DC=COM	dc=example,dc=com	dc=example,dc=com
Groups Base DN	CN=Users,DC=example,DC=com	cn=groups,cn=accounts, dc=example,dc=com	cn=employee,ou=userclass, dc=example,dc=com
Login name attribute	userPrincipalName	uid	uid
First name attribute	givenName	givenName	givenName
Last name attribute	sn	sn	sn
Email address attribute	mail	mail	mail
Photo attribute	thumbnailPhoto	-	-

Note	`userPrincipalName` allows the use of whitespace in usernames. The login name attribute `sAMAccountName` (which is not listed in the table above) provides backwards compatibility with legacy Microsoft systems. `sAMAccountName` does not allow the use of whitespace in usernames.

5.1.5. Example LDAP Filters

As an administrator, you can create LDAP filters to restrict the access of specific users to Foreman.

Table 11. Example filters for allowing specific users to login
User	Filter
User1	(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)
User1, User3	(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)
User2, User3	(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)
User1, User2, User3	(\|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))
User1, User2, User3	(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Note	Group `Users` is a nested group that contains groups `Group1` and `Group2`. If you want to filter all users from a nested group, you must add `memberOf:1.2.840.113556.1.4.1941:=` before the nested group name. See the last example in the table above.

LDAP directory structure

The LDAP directory structure that the filters in the example use:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3

LDAP group membership

The group membership that the filters in the example use:

Group	Members
Group1	User1, User3
Group2	User2, User3

Group

Members

Group1

User1, User3

Group2

User2, User3

5.2. Using FreeIPA

This section shows how to integrate Foreman server with a FreeIPA server and how to enable host-based access control.

Note	You can attach FreeIPA as an external authentication source with no single sign-on support. For more information, see Using LDAP.

Important

Users cannot use both FreeIPA and LDAP as an authentication method. Once a user authenticates using one method, they cannot use the other method.

To change the authentication method for a user, you have to remove the automatically created user from Foreman.

Prerequisite

The base operating system of Foreman server must be enrolled in the FreeIPA domain by the FreeIPA administrator of your organization.

The examples in this chapter assume separation between FreeIPA and Foreman configuration. However, if you have administrator privileges for both servers, you can configure FreeIPA as described in Red Hat Enterprise Linux 8 Installing Identity Management Guide.

5.2.1. Configuring FreeIPA Authentication on Foreman server

In the Foreman CLI, configure FreeIPA authentication by first creating a host entry on the FreeIPA server.

Procedure

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:
```
# kinit admin
```
To verify that you have authenticated, enter the following command:
```
# klist
```
On the FreeIPA server, create a host entry for Foreman server and generate a one-time password, for example:
```
# ipa host-add --random hostname
```
Note

The generated one-time password must be used on the client to complete FreeIPA-enrollment.
Create an HTTP service for Foreman server, for example:
```
# ipa service-add HTTP/hostname
```
On Foreman server, install the IPA client:
```
# apt-get install ipa-client
```
On Foreman server, enter the following command as root to configure FreeIPA-enrollment:
```
# ipa-client-install --password OTP
```
Replace OTP with the one-time password provided by the FreeIPA administrator.
Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient:
```
# hostname
foreman.example.com
```
Otherwise, foreman-installer cannot generate the right principal name that is needed to join the realm.

Set FreeIPA as the authentication provider, using one of the following commands:

If you only want to enable access to the Foreman web UI but not the Foreman API, enter:
```
# foreman-installer \
--foreman-ipa-authentication=true
```

If you want to enable access both to the Foreman web UI and the Foreman API, enter:

# foreman-installer \
--foreman-ipa-authentication-api=true \
--foreman-ipa-authentication=true

Warning

Enabling access to both the Foreman API and the Foreman web UI can lead to security problems. After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering kinit user_name, an attacker can obtain an API session. The attack is possible even if the user did not previously enter the Foreman login credentials anywhere, for example in the browser.

Restart Foreman services:
```
# foreman-maintain service restart
```

External users can now log in to Foreman using their FreeIPA credentials. They can now choose to either log in to Foreman server directly using their username and password or take advantage of the configured Kerberos single sign-on and obtain a ticket on their client machine and be logged in automatically. The two-factor authentication with one-time password (2FA OTP) is also supported.

5.2.2. Configuring Host-Based Authentication Control

HBAC rules define which machine within the domain a FreeIPA user is allowed to access. You can configure HBAC on the FreeIPA server to prevent selected users from accessing Foreman server. With this approach, you can prevent Foreman from creating database entries for users that are not allowed to log in. For more information on HBAC, see Managing IdM Users, Groups, Hosts, and Access Control Rules Guide.

On the FreeIPA server, configure Host-Based Authentication Control (HBAC).

Procedure

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:
```
# kinit admin
```
To verify that you have authenticated, enter the following command:
```
# klist
```
Create HBAC service and rule on the FreeIPA server and link them together. The following examples use the PAM service name foreman-prod. Execute the following commands on the FreeIPA server:
```
# ipa hbacsvc-add foreman-prod
# ipa hbacrule-add allow_foreman_prod
# ipa hbacrule-add-service allow_foreman_prod --hbacsvcs=foreman-prod
```
Add the user who is to have access to the service foreman-prod, and the hostname of Foreman server:
```
# ipa hbacrule-add-user allow_foreman_prod --user=username
# ipa hbacrule-add-host allow_foreman_prod --hosts=foreman.example.com
```
Alternatively, host groups and user groups can be added to the allowforeman_prod_ rule.

To check the status of the rule, execute:

# ipa hbacrule-find foreman-prod
# ipa hbactest --user=username --host=foreman.example.com --service=foreman-prod

Ensure the allow_all rule is disabled on the FreeIPA server. For instructions on how to do so without disrupting other services see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.
Configure the FreeIPA integration with Foreman server as described in Configuring FreeIPA Authentication on Foreman server. On Foreman server, define the PAM service as root:
```
# foreman-installer --foreman-pam-service=foreman-prod
```

5.3. Using Active Directory

This section shows how to use direct Active Directory (AD) as an external authentication source for Foreman server.

Note	You can attach Active Directory as an external authentication source with no single sign-on support. For more information, see Using LDAP. For an example configuration, see How to configure Active Directory authentication with TLS on Foreman.

Direct AD integration means that Foreman server is joined directly to the AD domain where the identity is stored. The recommended setup consists of two steps:

Enrolling Foreman server with the Active Directory server as described in Enrolling Foreman server with the AD Server.
Configuring direct Active Directory integration with GSS-proxy as described in Configuring Direct AD Integration with GSS-Proxy.

5.3.1. GSS-Proxy

The traditional process of Kerberos authentication in Apache requires the Apache process to have read access to the keytab file. GSS-Proxy allows you to implement stricter privilege separation for the Apache server by removing access to the keytab file while preserving Kerberos authentication functionality. When using AD as an external authentication source for Foreman, it is recommended to implement GSS-proxy, because the keys in the keytab file are the same as the host keys.

Perform the following procedures on Enterprise Linux that acts as a base operating system for your Foreman server. For the examples in this section EXAMPLE.ORG is the Kerberos realm for the AD domain. By completing the procedures, users that belong to the EXAMPLE.ORG realm can log in to Foreman server.

5.3.2. Enrolling Foreman server with the AD Server

In the Foreman CLI, enroll Foreman server with the Active Directory server.

Prerequisite

GSS-proxy and nfs-common are installed.

Installing GSS-proxy and nfs-common:
```
# apt-get install gssproxy nfs-common
```

Procedure

Install the required packages:

# apt-get install sssd adcli realmd ipa-python-compat krb5-workstation samba-common-tools

Enroll Foreman server with the AD server. You may need to have administrator permissions to perform the following command:
```
# realm join -v EXAMPLE.ORG --membership-software=samba -U Administrator
```
Note
You must use the Samba client software to enroll with the AD server to be able to create the HTTP keytab in Configuring Direct AD Integration with GSS-Proxy.

5.3.3. Configuring Direct AD Integration with GSS-Proxy

In the Foreman CLI, configure the direct Active Directory integration with GSS-proxy.

Prerequisite

Foreman is enrolled with the Active Directory server. For more information, see Enrolling Foreman server with the AD Server.

Procedure

Create the /etc/ipa/ directory and the default.conf file:
```
# mkdir /etc/ipa
# touch /etc/ipa/default.conf
```
To the default.conf file, add the following content:
```
[global]
server = unused
realm = EXAMPLE.ORG
```

Create the /etc/net-keytab.conf file with the following content:

[global]
workgroup = EXAMPLE
realm = EXAMPLE.ORG
kerberos method = system keytab
security = ads

Determine the effective user ID of the Apache user:
```
# id www-data
```
Apache user must not have access to the keytab file.

Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/httpd/conf/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User

Create a keytab entry:

Warning

The host must not be enrolled to a domain before creating a keytab entry.

# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
# chown root.www-data /etc/httpd/conf/http.keytab
# chmod 640 /etc/httpd/conf/http.keytab

Enable IPA authentication in Foreman:

# foreman-installer --foreman-ipa-authentication=true

Start and enable the gssproxy service:

# systemctl restart gssproxy
# systemctl enable --now gssproxy

To configure the Apache server to use the gssproxy service, create a systemd drop-in file and add the following content to it:

# mkdir -p /etc/systemd/system/httpd.service.d/
# vi /etc/systemd/system/httpd.service.d/gssproxy.conf
[Service]
Environment=GSS_USE_PROXY=1

Apply changes to the service:
```
# systemctl daemon-reload
```
Start and enable the httpd service:
```
# systemctl restart httpd
```

Important

With direct AD integration, HBAC through FreeIPA is not available. As an alternative, you can use Group Policy Objects (GPO) that enable administrators to centrally manage policies in AD environments. To ensure correct GPO to PAM service mapping, add the following SSSD configuration to /etc/sssd/sssd.conf:

access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman

Here, foreman is the PAM service name.

Verification

Verify that SSO is working as expected.

With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

Retrieve the Kerberos ticket of the LDAP user, using the following command:
```
# kinit ldapuser
```
View the Kerberos ticket, using the following command:
```
# klist
```

View output from successful SSO-based authentication, using the following command:

# curl -k -u : --negotiate https://foreman.example.com/users/extlogin

This returns the following response:

<html><body>You are being <a href="https://foreman.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>

5.3.4. Kerberos Configuration in Web Browsers

For information on configuring Firefox, see Configuring Firefox to Use Kerberos for Single Sign-On in the Red Hat Enterprise Linux Configuring authentication and authorization in RHEL guide.

If you use the Internet Explorer browser, add Foreman server to the list of Local Intranet or Trusted sites, and turn on the Enable Integrated Windows Authentication setting. See the Internet Explorer documentation for details.

5.3.5. Active Directory with Cross-Forest Trust

Kerberos can create cross-forest trust that defines a relationship between two otherwise separate domain forests. A domain forest is a hierarchical structure of domains; both AD and FreeIPA constitute a forest. With a trust relationship enabled between AD and FreeIPA, users of AD can access Linux hosts and services using a single set of credentials.

From the Foreman point of view, the configuration process is the same as integration with FreeIPA server without cross-forest trust configured. Foreman server has to be enrolled in the IdM domain and integrated as described in Using FreeIPA.

5.3.6. Configuring the FreeIPA Server to Use Cross-Forest Trust

On the FreeIPA server, configure the server to use cross-forest trust.

Procedure

Enable HBAC:
1. Create an external group and add the AD group to it.
2. Add the new external group to a POSIX group.
3. Use the POSIX group in a HBAC rule.

Configure sssd to transfer additional attributes of AD users.

Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

[nss]
user_attributes=+mail, +sn, +givenname
[domain/EXAMPLE.com]
...
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname

Verify the AD attributes value.

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname

5.4. Configuring External User Groups

Foreman does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on Foreman. Members of the external user group then automatically become members of the Foreman user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites

If you use an LDAP server, configure Foreman to use LDAP authentication. For more information see Using LDAP.

When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.
If you use a FreeIPA or AD server, configure Foreman to use FreeIPA or AD authentication. For more information, see Configuring External Authentication in Installing Foreman Server nightly on Debian/Ubuntu.
Ensure that at least one external user authenticates for the first time.
Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:
```
# id username
```

Procedure

In the Foreman web UI, navigate to Administer > User Groups, and click Create User Group.
Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.
Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.
Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

Specify the exact name of the external group in the Name field.
Click Submit.

5.5. Refreshing External User Groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure

In the Foreman web UI, navigate to Administer > Usergroups and select a user group.
On the External Groups tab, click Refresh to the right of the required user group.

CLI procedure

Enter the following command:
```
# foreman-rake ldap:refresh_usergroups
```

5.6. Refreshing External User Groups for FreeIPA or AD

External user groups based on FreeIPA or AD are refreshed only when a group member logs in to Foreman. It is not possible to alter user membership of external user groups in the Foreman web UI, such changes are overwritten on the next group refresh.

5.7. Configuring the Hammer CLI to Use FreeIPA User Authentication

This section describes how to configure the Foreman Hammer command-line interface (CLI) tool to use FreeIPA (IdM) to authenticate users.

Prerequisite

You are logged in to the host from which you want to access Foreman by using Hammer.

Procedure

Enable sessions in the ~/.hammer/cli.modules.d/foreman.yml Hammer configuration file by adding the :use_sessions: true line to the foreman parameters:
```
:foreman:
  :use_sessions: true
```
Adding the line enforces session usage in Hammer. This means that Hammer performs the authentication request only once instead of with each hammer command.
Optional: Enable negotiate authentication in the ~/.hammer/cli.modules.d/foreman.yml Hammer configuration file by adding the :default_auth_type: 'Negotiate_Auth' line to the foreman parameters:
```
:foreman:
  :default_auth_type: 'Negotiate_Auth'
  :use_sessions: true
```
Adding this line means that your authentication is negotiated when you enter the first hammer command. If this entry is present, Hammer tries to communicate with Foreman server using the negotiation protocol.

5.8. External Authentication for Provisioned Hosts

Use this section to configure Foreman server or Smart Proxy server for FreeIPA realm support, then add hosts to the FreeIPA realm group.

Prerequisites

Foreman server that is registered to the Content Delivery Network or an external Smart Proxy server that is registered to Foreman server.
A deployed realm or domain provider such as FreeIPA.

To install and configure FreeIPA packages on Foreman server or Smart Proxy Server:

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on Foreman server or Smart Proxy server:

Install the ipa-client package on Foreman server or Smart Proxy server:
```
# apt-get install ipa-client
```
Configure the server as a FreeIPA client:
```
# ipa-client-install
```
Create a realm proxy user, realm-smart-proxy, and the relevant roles in FreeIPA:
```
# foreman-prepare-realm admin realm-smart-proxy
```
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.

To configure Foreman server or Smart Proxy Server for FreeIPA Realm Support:

Complete the following procedure on Foreman and every Smart Proxy that you want to use:

Copy the /root/freeipa.keytab file to any Smart Proxy server that you want to include in the same principal and realm:
```
# scp /root/freeipa.keytab root@smartproxy.example.com:/etc/foreman-proxy/freeipa.keytab
```
Move the /root/freeipa.keytab file to the /etc/foreman-proxy directory and set the ownership settings to the foreman-proxy user:
```
# mv /root/freeipa.keytab /etc/foreman-proxy
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all Smart Proxies that you want to include in the realm. If you use the integrated Smart Proxy on Foreman, enter this command on Foreman server:
```
# foreman-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-smart-proxy@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the Foreman server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
```
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
```
Optional: If you configure FreeIPA on an existing Foreman server or Smart Proxy server, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
2. In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
3. Locate the Smart Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.

To create a realm for the FreeIPA-enabled Smart Proxy

After you configure your integrated or external Smart Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured Smart Proxy to the realm.

Procedure

In the Foreman web UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm Smart Proxy list, select Smart Proxy server where you have configured FreeIPA.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating Host Groups with Realm Information

You must update any host groups that you want to use with the new realm information.

In the Foreman web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding Hosts to a FreeIPA Host Group

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. Foreman’s realm feature provides administrators with the ability to map the Foreman host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the Foreman User Interface. For example, "Parent/Child/Child".

Foreman server or Smart Proxy server sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

To Add Hosts to a FreeIPA Host Group:

On the FreeIPA server, create a host group:

# ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to Foreman server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

5.9. Configuring Foreman with Keycloak Authentication

Use this section to configure Foreman to use Keycloak as an OpenID provider for external authentication.

5.9.1. Prerequisites for Configuring Foreman with Keycloak Authentication

Before configuring Foreman with Keycloak external authentication, ensure that you meet the following requirements:

A working installation of Keycloak server that uses HTTPS instead of HTTP.
A Keycloak account with admin privileges.
A realm for Foreman user accounts created in Keycloak.
If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.
Users imported or added to Keycloak.

If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation. For more information, see User Storage Federation in the Red Hat Single Sign-On Server Administration Guide.

If you do not have an existing user database configured, you can manually create users in Keycloak. For more information, see Creating New Users in the Red Hat Single Sign-On Server Administration Guide.

5.9.2. Registering Foreman as a Keycloak Client

Use this procedure to register Foreman to Keycloak as a client and configure Foreman to use Keycloak as an authentication source.

You can configure Foreman and Keycloak with two different authentication methods:

Users authenticate to Foreman using the Foreman web UI.
Users authenticate to Foreman using the Foreman CLI.

You must decide on how you want your users to authenticate in advance because both methods require different Foreman clients to be registered to Keycloak and configured. The steps to register and configure Foreman client in Keycloak are distinguished within the procedure.

You can also register two different Foreman clients to Keycloak if you want to use both authentication methods and configure both clients accordingly.

Procedure

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.
- If you want you users to authenticate to Foreman using the web UI, create a client as follows:
  # keycloak-httpd-client-install --app-name foreman-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
  
  Then, configure Foreman to use Keycloak as an authentication source:
  # foreman-installer --foreman-keycloak true \ --foreman-keycloak-app-name "foreman-openidc" \ --foreman-keycloak-realm "Foreman_Realm"
- If you want your users to authenticate to Foreman using the CLI, create a client as follows:
  # keycloak-httpd-client-install --app-name hammer-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
Restart the httpd service:
```
# systemctl restart httpd
```

5.9.3. Configuring the Foreman Client in Keycloak

Use this procedure to configure the Foreman client in the Keycloak web UI and create group and audience mappers for the Foreman client.

Procedure

In the Keycloak web UI, navigate to Clients and click the Foreman client.
Configure access type:
- If you want your users to authenticate to Foreman using the Foreman web UI, from the Access Type list, select confidential.
- If you want your users to authenticate to Foreman using the CLI, from the Access Type list, select public.
In the Valid redirect URI fields, add a valid redirect URI.
- If you want your users to authenticate to Foreman using the Foreman web UI, in the blank field below the existing URI, enter a URI in the form https://foreman.example.com/users/extlogin. Note that you must add the string /users/extlogin after the Foreman FQDN.
  
  After completing this step, the Foreman client for logging in using the Foreman web UI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri https://foreman.example.com/users/extlogin
- If you want your users to authenticate to Foreman using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.
  
  After completing this step, the Foreman client for logging in using the CLI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri urn:ietf:wg:oauth:2.0:oob
Click Save.
Click the Mappers tab and click Create to add an audience mapper.
In the Name field, enter a name for the audience mapper.
From the Mapper Type list, select Audience.
From the Included Client Audience list, select the Foreman client.
Click Save.
Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.
In the Name field, enter a name for the group mapper.
From the Mapper Type list, select Group Membership.
In the Token Claim Name field, enter groups.
Set the Full group path setting to OFF.
Click Save.

5.9.4. Configuring Foreman Settings for Keycloak Authentication

Use this section to configure Foreman for Keycloak authentication using the Foreman web UI or the CLI.

Configuring Foreman Settings for Keycloak Authentication Using the Web UI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman web UI.

Note that you can navigate to the following URL within your realm to obtain values to configure Foreman settings: https://Keycloak.example.com/auth/realms/Foreman_Realm/.well-known/openid-configuration

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to confidential

Procedure

In the Foreman web UI, navigate to Administer > Settings, and click the Authentication tab.
Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
Locate the Login delegation logout URL row, and in the Value column, set the value to https://foreman.example.com/users/extlogout.
Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Keycloak to RS256.
Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Keycloak.
Locate the OIDC Issuer row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm.
Locate the OIDC JWKs URL row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm/protocol/openid-connect/certs.
In the Foreman web UI, navigate to Administer > Authentication Sources, click the vertical ellipsis on the External card, and select Edit.
Click the Locations tab and add locations that can use the Keycloak authentication source.
Click the Organizations tab and add organizations that can use the Keycloak authentication source.
Click Submit.

Configuring Foreman Settings for Keycloak Authentication Using the CLI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman CLI.

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to public

Procedure

On Foreman, set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
# hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

# hammer settings set --name login_delegation_logout_url \
--value https://foreman.example.com/users/extlogout

Set the algorithm for encoding on Keycloak, for example, RS256:
```
# hammer settings set --name oidc_algorithm --value 'RS256'
```
Open the Keycloak.example.com/auth/realms/Keycloak_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.

Add the value for the Hammer client in the Open IDC audience:

# hammer settings set --name oidc_audience \
--value "['foreman.example.com-hammer-openidc']"

Note	If you register several Keycloak clients to Foreman, ensure that you append all audiences in the array. For example: # hammer settings set --name oidc_audience \ --value "['foreman.example.com-foreman-openidc', 'foreman.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

# hammer settings set --name oidc_issuer \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm"

Set the value for Open IDC Java Web Token (JWT):

# hammer settings set --name oidc_jwks_url \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm/protocol/openid-connect/certs"

Retrieve the ID of the Keycloak authentication source:
```
# hammer auth-source external list
```

Set the location and organization:

# hammer auth-source external update --id Authentication Source ID \
--location-ids Location ID --organization-ids Organization ID

5.9.5. Logging in to the Foreman web UI Using Keycloak

Use this procedure to log in to the Foreman web UI using Keycloak.

Procedure

In your browser, log in to Foreman and enter your credentials.

5.9.6. Logging in to the Foreman CLI Using Keycloak

Use this procedure to authenticate to the Foreman CLI using the code grant type.

Procedure

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

The command prompts you to enter a success code.

To retrieve the success code, navigate to the URL that the command returns and provide the required information.
Copy the success code that the web UI returns.
In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

5.9.7. Configuring Group Mapping for Keycloak Authentication

Optionally, to implement the Role Based Access Control (RBAC), create a group in Foreman, assign a role to this group, and then map an Active Directory group to the Foreman group. As a result, anyone in the given group in Keycloak are logged in under the corresponding Foreman group. This example configures users of the Foreman-admin user group in the Active Directory to authenticate as users with administrator privileges on Foreman.

Procedure

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.
In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.
Do not add users and user groups to the right-hand columns. Click the Roles tab.
Select the Administer checkbox.
Click the External Groups tab.
Click Add external user group.
In the Name field, enter the name of the Active Directory group.
From the list, select EXTERNAL.

5.10. Configuring Keycloak Authentication with TOTP

Use this section to configure Foreman to use Keycloak as an OpenID provider for external authentication with TOTP cards.

5.10.1. Prerequisites for Configuring Foreman with Keycloak Authentication

Before configuring Foreman with Keycloak external authentication, ensure that you meet the following requirements:

A working installation of Keycloak server that uses HTTPS instead of HTTP.
A Keycloak account with admin privileges.
A realm for Foreman user accounts created in Keycloak.
If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.
Users imported or added to Keycloak.

If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation. For more information, see User Storage Federation in the Red Hat Single Sign-On Server Administration Guide.

If you do not have an existing user database configured, you can manually create users in Keycloak. For more information, see Creating New Users in the Red Hat Single Sign-On Server Administration Guide.

5.10.2. Registering Foreman as a Keycloak Client

Use this procedure to register Foreman to Keycloak as a client and configure Foreman to use Keycloak as an authentication source.

You can configure Foreman and Keycloak with two different authentication methods:

Users authenticate to Foreman using the Foreman web UI.
Users authenticate to Foreman using the Foreman CLI.

You can also register two different Foreman clients to Keycloak if you want to use both authentication methods and configure both clients accordingly.

Procedure

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.
- If you want you users to authenticate to Foreman using the web UI, create a client as follows:
  # keycloak-httpd-client-install --app-name foreman-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
  
  Then, configure Foreman to use Keycloak as an authentication source:
  # foreman-installer --foreman-keycloak true \ --foreman-keycloak-app-name "foreman-openidc" \ --foreman-keycloak-realm "Foreman_Realm"
- If you want your users to authenticate to Foreman using the CLI, create a client as follows:
  # keycloak-httpd-client-install --app-name hammer-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
Restart the httpd service:
```
# systemctl restart httpd
```

5.10.3. Configuring the Foreman Client in Keycloak

Use this procedure to configure the Foreman client in the Keycloak web UI and create group and audience mappers for the Foreman client.

Procedure

In the Keycloak web UI, navigate to Clients and click the Foreman client.
Configure access type:
- If you want your users to authenticate to Foreman using the Foreman web UI, from the Access Type list, select confidential.
- If you want your users to authenticate to Foreman using the CLI, from the Access Type list, select public.
In the Valid redirect URI fields, add a valid redirect URI.
- If you want your users to authenticate to Foreman using the Foreman web UI, in the blank field below the existing URI, enter a URI in the form https://foreman.example.com/users/extlogin. Note that you must add the string /users/extlogin after the Foreman FQDN.
  
  After completing this step, the Foreman client for logging in using the Foreman web UI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri https://foreman.example.com/users/extlogin
- If you want your users to authenticate to Foreman using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.
  
  After completing this step, the Foreman client for logging in using the CLI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri urn:ietf:wg:oauth:2.0:oob
Click Save.
Click the Mappers tab and click Create to add an audience mapper.
In the Name field, enter a name for the audience mapper.
From the Mapper Type list, select Audience.
From the Included Client Audience list, select the Foreman client.
Click Save.
Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.
In the Name field, enter a name for the group mapper.
From the Mapper Type list, select Group Membership.
In the Token Claim Name field, enter groups.
Set the Full group path setting to OFF.
Click Save.

5.10.4. Configuring Foreman Settings for Keycloak Authentication

Use this section to configure Foreman for Keycloak authentication using the Foreman web UI or the CLI.

Configuring Foreman Settings for Keycloak Authentication Using the Web UI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman web UI.

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to confidential

Procedure

In the Foreman web UI, navigate to Administer > Settings, and click the Authentication tab.
Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
Locate the Login delegation logout URL row, and in the Value column, set the value to https://foreman.example.com/users/extlogout.
Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Keycloak to RS256.
Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Keycloak.
Locate the OIDC Issuer row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm.
Locate the OIDC JWKs URL row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm/protocol/openid-connect/certs.
In the Foreman web UI, navigate to Administer > Authentication Sources, click the vertical ellipsis on the External card, and select Edit.
Click the Locations tab and add locations that can use the Keycloak authentication source.
Click the Organizations tab and add organizations that can use the Keycloak authentication source.
Click Submit.

Configuring Foreman Settings for Keycloak Authentication Using the CLI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman CLI.

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to public

Procedure

On Foreman, set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
# hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

# hammer settings set --name login_delegation_logout_url \
--value https://foreman.example.com/users/extlogout

Set the algorithm for encoding on Keycloak, for example, RS256:
```
# hammer settings set --name oidc_algorithm --value 'RS256'
```
Open the Keycloak.example.com/auth/realms/Keycloak_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.

Add the value for the Hammer client in the Open IDC audience:

# hammer settings set --name oidc_audience \
--value "['foreman.example.com-hammer-openidc']"

Note	If you register several Keycloak clients to Foreman, ensure that you append all audiences in the array. For example: # hammer settings set --name oidc_audience \ --value "['foreman.example.com-foreman-openidc', 'foreman.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

# hammer settings set --name oidc_issuer \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm"

Set the value for Open IDC Java Web Token (JWT):

# hammer settings set --name oidc_jwks_url \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm/protocol/openid-connect/certs"

Retrieve the ID of the Keycloak authentication source:
```
# hammer auth-source external list
```

Set the location and organization:

# hammer auth-source external update --id Authentication Source ID \
--location-ids Location ID --organization-ids Organization ID

5.10.5. Configuring Foreman with Keycloak for TOTP Authentication

Use this procedure to configure Foreman to use Keycloak as an OpenID provider for external authentication with Time-based One-time Password (TOTP).

Procedure

In the Keycloak web UI, navigate to the Foreman realm.
Navigate to Authentication, and click the OTP Policy tab.
Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
Configure the OTP settings to suit your requirements.
Optional: If you want to use TOTP authentication as a default authentication method for all users, click the Flows tab, and to the right of the OTP Form setting, select REQUIRED.
Click the Required Actions tab.
To the right of the Configure OTP row, select the Default Action checkbox.

5.10.6. Logging in to the Foreman web UI Using Keycloak TOTP Authentication

Use this procedure to log in to the Foreman web UI using Keycloak TOTP authentication.

Procedure

Log in to Foreman, Foreman redirects you to the Keycloak login screen.
Enter your username and password, and click Log In.
The first attempt to log in, Keycloak requests you to configure your client by scanning the barcode and entering the pin displayed.
After you configure your client and enter a valid PIN, Keycloak redirects you to Foreman and logs you in.

5.10.7. Logging in to the Foreman CLI Using Keycloak

Use this procedure to authenticate to the Foreman CLI using the code grant type.

Procedure

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

The command prompts you to enter a success code.

To retrieve the success code, navigate to the URL that the command returns and provide the required information.
Copy the success code that the web UI returns.
In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

5.10.8. Configuring Group Mapping for Keycloak Authentication

Procedure

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.
In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.
Do not add users and user groups to the right-hand columns. Click the Roles tab.
Select the Administer checkbox.
Click the External Groups tab.
Click Add external user group.
In the Name field, enter the name of the Active Directory group.
From the list, select EXTERNAL.

5.11. Configuring Keycloak Authentication with PIV Cards

Use this section to configure Foreman to use Keycloak as an OpenID provider for external authentication with PIV cards.

5.11.1. Prerequisites for Configuring Foreman with Keycloak Authentication

Before configuring Foreman with Keycloak external authentication, ensure that you meet the following requirements:

A working installation of Keycloak server that uses HTTPS instead of HTTP.
A Keycloak account with admin privileges.
A realm for Foreman user accounts created in Keycloak.
If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.
Users imported or added to Keycloak.

If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation. For more information, see User Storage Federation in the Red Hat Single Sign-On Server Administration Guide.

If you do not have an existing user database configured, you can manually create users in Keycloak. For more information, see Creating New Users in the Red Hat Single Sign-On Server Administration Guide.

5.11.2. Registering Foreman as a Keycloak Client

Use this procedure to register Foreman to Keycloak as a client and configure Foreman to use Keycloak as an authentication source.

You can configure Foreman and Keycloak with two different authentication methods:

Users authenticate to Foreman using the Foreman web UI.
Users authenticate to Foreman using the Foreman CLI.

You can also register two different Foreman clients to Keycloak if you want to use both authentication methods and configure both clients accordingly.

Procedure

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.
- If you want you users to authenticate to Foreman using the web UI, create a client as follows:
  # keycloak-httpd-client-install --app-name foreman-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
  
  Then, configure Foreman to use Keycloak as an authentication source:
  # foreman-installer --foreman-keycloak true \ --foreman-keycloak-app-name "foreman-openidc" \ --foreman-keycloak-realm "Foreman_Realm"
- If you want your users to authenticate to Foreman using the CLI, create a client as follows:
  # keycloak-httpd-client-install --app-name hammer-openidc \ --keycloak-server-url "https://Keycloak.example.com" \ --keycloak-admin-username "admin" \ --keycloak-realm "Foreman_Realm" \ --keycloak-admin-realm master \ --keycloak-auth-role root-admin \ -t openidc -l /users/extlogin --force
  Enter the password for the administer account when prompted. This command creates a client for Foreman in Keycloak.
Restart the httpd service:
```
# systemctl restart httpd
```

5.11.3. Configuring the Foreman Client in Keycloak

Use this procedure to configure the Foreman client in the Keycloak web UI and create group and audience mappers for the Foreman client.

Procedure

In the Keycloak web UI, navigate to Clients and click the Foreman client.
Configure access type:
- If you want your users to authenticate to Foreman using the Foreman web UI, from the Access Type list, select confidential.
- If you want your users to authenticate to Foreman using the CLI, from the Access Type list, select public.
In the Valid redirect URI fields, add a valid redirect URI.
- If you want your users to authenticate to Foreman using the Foreman web UI, in the blank field below the existing URI, enter a URI in the form https://foreman.example.com/users/extlogin. Note that you must add the string /users/extlogin after the Foreman FQDN.
  
  After completing this step, the Foreman client for logging in using the Foreman web UI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri https://foreman.example.com/users/extlogin
- If you want your users to authenticate to Foreman using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.
  
  After completing this step, the Foreman client for logging in using the CLI must have the following Valid Redirect URIs:
  https://foreman.example.com/users/extlogin/redirect_uri urn:ietf:wg:oauth:2.0:oob
Click Save.
Click the Mappers tab and click Create to add an audience mapper.
In the Name field, enter a name for the audience mapper.
From the Mapper Type list, select Audience.
From the Included Client Audience list, select the Foreman client.
Click Save.
Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.
In the Name field, enter a name for the group mapper.
From the Mapper Type list, select Group Membership.
In the Token Claim Name field, enter groups.
Set the Full group path setting to OFF.
Click Save.

5.11.4. Configuring Foreman Settings for Keycloak Authentication

Use this section to configure Foreman for Keycloak authentication using the Foreman web UI or the CLI.

Configuring Foreman Settings for Keycloak Authentication Using the Web UI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman web UI.

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to confidential

Procedure

In the Foreman web UI, navigate to Administer > Settings, and click the Authentication tab.
Locate the Authorize login delegation row, and in the Value column, set the value to Yes.
Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.
Locate the Login delegation logout URL row, and in the Value column, set the value to https://foreman.example.com/users/extlogout.
Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Keycloak to RS256.
Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Keycloak.
Locate the OIDC Issuer row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm.
Locate the OIDC JWKs URL row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/Foreman_Realm/protocol/openid-connect/certs.
In the Foreman web UI, navigate to Administer > Authentication Sources, click the vertical ellipsis on the External card, and select Edit.
Click the Locations tab and add locations that can use the Keycloak authentication source.
Click the Organizations tab and add organizations that can use the Keycloak authentication source.
Click Submit.

Configuring Foreman Settings for Keycloak Authentication Using the CLI

Use this procedure to configure Foreman settings for Keycloak authentication using the Foreman CLI.

Prerequisite

Ensure that the Access Type setting in the Foreman client in the Keycloak web UI is set to public

Procedure

On Foreman, set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
# hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

# hammer settings set --name login_delegation_logout_url \
--value https://foreman.example.com/users/extlogout

Set the algorithm for encoding on Keycloak, for example, RS256:
```
# hammer settings set --name oidc_algorithm --value 'RS256'
```
Open the Keycloak.example.com/auth/realms/Keycloak_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.

Add the value for the Hammer client in the Open IDC audience:

# hammer settings set --name oidc_audience \
--value "['foreman.example.com-hammer-openidc']"

Note	If you register several Keycloak clients to Foreman, ensure that you append all audiences in the array. For example: # hammer settings set --name oidc_audience \ --value "['foreman.example.com-foreman-openidc', 'foreman.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

# hammer settings set --name oidc_issuer \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm"

Set the value for Open IDC Java Web Token (JWT):

# hammer settings set --name oidc_jwks_url \
--value "Keycloak.example.com/auth/realms/Keycloak_Realm/protocol/openid-connect/certs"

Retrieve the ID of the Keycloak authentication source:
```
# hammer auth-source external list
```

Set the location and organization:

# hammer auth-source external update --id Authentication Source ID \
--location-ids Location ID --organization-ids Organization ID

5.11.5. Configuring Keycloak Settings for Authentication With PIV Cards

You must configure Keycloak settings for authentication with PIV cards.

Procedure

In the Keycloak web UI, navigate to the Authentication tab.
From the Flows list, select Browser.
Click Copy to copy this flow.
In the Copy Authentication Flow window, enter a new name for the flow and click OK.
In the copied flow, delete Username Password Form and OTP Form entries.
Click Add execution.
From the Provider list, select X509/Validate Username Form.
Click Save.
In the X509/Validate Username Form raw, select ALTERNATIVE.
In the X509/Validate Username Form raw, click Actions > Config.
In the Alias field, enter a name for this configuration.
From the User Identity Source list, select Subject’s Common Name,
From the User mapping method list, select Username or Email.
Click Save.
Navigate to Authentication > Bindings.
From the Browser Flow list, select the created flow.

5.11.6. Configuring Users' OS for Keycloak Authentication with PIV Cards

Complete this procedure on each system from which you want to be able to log in to Foreman using Keycloak PIV cards.

Procedure

Install required packages:
```
apt-get install opensc -y
```
Install the Firefox browser if not installed.
Launch Firefox and navigate to Preferences.
Click the Privacy and Security tab.
Click Security Devices.
Click Load.
In the Load PKCS#11 Device Driver window, in the Module Name field, enter a name for this device.
In the Module filename field, enter /usr/lib64/pkcs11/opensc-pkcs11.so.
Click OK.
If the PIV card is connected to system, restart the pcscd service.

5.11.7. Logging in to the Foreman web UI Using Keycloak PIV Cards

Use this procedure to log in to the Foreman web UI using the Keycloak PIV cards.

Procedure

In Firefox, log in to Foreman and enter your credentials.
When prompted, enter the PIN of the PIV card.
Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to Foreman and logs you in.

5.11.8. Logging in to the Foreman CLI Using Keycloak

Use this procedure to authenticate to the Foreman CLI using the code grant type.

Procedure

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

The command prompts you to enter a success code.

To retrieve the success code, navigate to the URL that the command returns and provide the required information.
Copy the success code that the web UI returns.
In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

5.11.9. Configuring Group Mapping for Keycloak Authentication

Procedure

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.
In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.
Do not add users and user groups to the right-hand columns. Click the Roles tab.
Select the Administer checkbox.
Click the External Groups tab.
Click Add external user group.
In the Name field, enter the name of the Active Directory group.
From the list, select EXTERNAL.

5.12. Disabling Keycloak Authentication

If you want to disable Keycloak authentication in Foreman, complete this procedure.

Procedure

Enter the following command to disable Keycloak Authentication:
```
# foreman-installer --reset-foreman-keycloak
```

6. Configuring Foreman server with External Services

If you do not want to configure the DNS, DHCP, and TFTP services on Foreman server, use this section to configure your Foreman server to work with external DNS, DHCP and TFTP services.

6.1. Configuring Foreman server with External DNS

You can configure Foreman server with external DNS. Foreman server uses the nsupdate utility to update DNS records on the remote server.

To make any changes persistent, you must enter the foreman-installer command with the options appropriate for your environment.

Prerequisites

You must have a configured external DNS server.
This guide assumes you have an existing installation.

Procedure

Copy the /etc/rndc.key file from the external DNS server to Foreman server:
```
# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
```

Configure the ownership, permissions, and SELinux context:

# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
# chmod -v 640 /etc/foreman-proxy/rndc.key

To test the nsupdate utility, add a host remotely:

# echo -e "server DNS_IP_Address\n \
update add aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
# nslookup aaa.example.com DNS_IP_Address
# echo -e "server DNS_IP_Address\n \
update delete aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:

# foreman-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="DNS_IP_Address" \
--foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key

In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
Locate the Foreman server and select Refresh from the list in the Actions column.
Associate the DNS service with the appropriate subnets and domain.

6.2. Configuring Foreman server with External DHCP

To configure Foreman server with external DHCP, you must complete the following procedures:

Configuring an External DHCP Server to Use with Foreman server
Configuring Foreman server with an External DHCP Server

6.2.1. Configuring an External DHCP Server to Use with Foreman server

To configure an external DHCP server running Enterprise Linux to use with Foreman server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages. You must also share the DHCP configuration and lease files with Foreman server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Note

If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because Foreman creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, clients fetch the bootloader and its configuration from the root directory, which might cause an error.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:
```
# apt-get install dhcp bind
```
Generate a security token:
```
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
```
As a result, a key pair that consists of two files is created in the current directory.

Copy the secret hash from the key:

# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;

Note that the option routers value is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Delete the two key files from the directory that they were created in.
On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.

To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Foreman web UI define the reservation range as 192.168.38.101 to 192.168.38.250.

Configure the firewall for external access to the DHCP server:

# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent

On Foreman server, determine the UID and GID of the foreman user:
```
# id -u foreman
993
# id -g foreman
990
```
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
```
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
```

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Enable and start the DHCP service:
```
# systemctl enable --now dhcpd
```

Export the DHCP configuration and lease files using NFS:

# apt-get install nfs-kernel-server
# systemctl enable --now nfs-server

Create directories for the DHCP configuration and lease files that you want to export using NFS:
```
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
```

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Note that the IP address that you enter is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Reload the NFS server:
```
# exportfs -rva
```

Configure the firewall for the DHCP omapi port 7911:

# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent

6.2.2. Configuring Foreman server with an External DHCP Server

You can configure Foreman server with an external DHCP server.

Prerequisite

Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Foreman server. For more information, see Configuring an External DHCP Server to Use with Foreman server.

Procedure

Install the nfs-common package:
```
# apt-get install nfs-common
```

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:
```
# chown -R foreman-proxy /mnt/nfs
```
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
```
# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN
```

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:
```
# mount -a
```

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=DHCP_Server_FQDN

Associate the DHCP service with the appropriate subnets and domain.

6.3. Configuring Foreman server with External TFTP

You can configure Foreman server with external TFTP services.

Procedure

Create the TFTP directory for NFS:
```
# mkdir -p /mnt/nfs/var/lib/tftpboot
```

In the /etc/fstab file, add the following line:

TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```
Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
```
# foreman-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
```
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
```
# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
```
In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
Locate the Foreman server and select Refresh from the list in the Actions column.
Associate the TFTP service with the appropriate subnets and domain.

6.4. Configuring Foreman server with External IdM DNS

When Foreman server adds a DNS record for a host, it first determines which Smart Proxy is providing DNS for that domain. It then communicates with the Smart Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Foreman or Smart Proxy that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

Foreman server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

To configure Foreman server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

Configuring Dynamic DNS Update with GSS-TSIG Authentication
Configuring Dynamic DNS Update with TSIG Authentication

To revert to internal DNS service, use the following procedure:

Reverting to Internal DNS Service

Note

You are not required to use Foreman server to manage DNS. When you are using the realm enrollment feature of Foreman, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring Foreman server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see External Authentication for Provisioned Hosts.

6.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Foreman server base operating system.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly.
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos Principal on the IdM Server

Obtain a Kerberos ticket for the account obtained from the IdM administrator:
```
# kinit idm_user
```
Create a new Kerberos principal for Foreman server to use to authenticate on the IdM server.
```
# ipa service-add smartproxy/foreman.example.com
```

Installing and Configuring the IdM Client

On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the ipa-client package:
```
# apt-get install ipa-client
```
Configure the IdM client by running the installation script and following the on-screen prompts:
```
# ipa-client-install
```
Obtain a Kerberos ticket:
```
# kinit admin
```
Remove any preexisting keytab:
```
# rm /etc/foreman-proxy/dns.keytab
```

Obtain the keytab for this system:

# ipa-getkeytab -p smartproxy/foreman.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

Note	When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
smartproxy/foreman.example.com@EXAMPLE.COM

Configuring DNS Zones in the IdM web UI

Create and configure the zone that you want to manage:
1. Navigate to Network Services > DNS > DNS Zones.
2. Select Add and enter the zone name. For example, example.com.
3. Click Add and Edit.
4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
5. Set Dynamic update to True.
6. Enable Allow PTR sync.
7. Click Save to save the changes.
Create and configure the reverse zone:
1. Navigate to Network Services > DNS > DNS Zones.
2. Click Add.
3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
4. Click Add and Edit.
5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smartproxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
6. Set Dynamic update to True.
7. Click Save to save the changes.

Configuring the Foreman or Smart Proxy Server that Manages the DNS Service for the Domain

Use the foreman-installer command to configure the Foreman or Smart Proxy that manages the DNS Service for the domain:

On Foreman, enter the following command:

foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smartproxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab

On Smart Proxy, enter the following command:

foreman-installer --no-enable-foreman --no-enable-foreman-plugin-puppet --no-enable-foreman-cli --no-enable-foreman-cli-puppet \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smartproxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

In the Foreman web UI, navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.
Configure the domain:
1. In the Foreman web UI, navigate to Infrastructure > Domains and select the domain name.
2. In the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to None.
3. In the Domains tab, select the domain that you want to manage using the IdM server.
4. In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

6.4.2. Configuring Dynamic DNS Update with TSIG Authentication

You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
You must obtain root user access on the IdM server.
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with TSIG authentication, complete the following steps:

Enabling External Updates to the DNS Zone in the IdM Server

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:
```
# systemctl reload named
```
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
1. Add the following in the BIND update policy box:
  grant "rndc-key" zonesub ANY;
2. Set Dynamic update to True.
3. Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your Foreman server. Enter the following command:
```
# scp /etc/rndc.key root@foreman.example.com:/etc/rndc.key
```
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:
```
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
```
Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

On Foreman server, enter the following foreman-installer command to configure Foreman to use the external DNS server:

# foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Testing External Updates to the DNS Zone in the IdM Server

Ensure that the key in the /etc/rndc.key file on Foreman server is the same key file that is used on the IdM server:
```
key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
```
On Foreman server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
```
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
```

On Foreman server, test the DNS entry:

# nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:
```
# nslookup test.example.com 192.168.25.1
```
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.

6.4.3. Reverting to Internal DNS Service

You can revert to using Foreman server and Smart Proxy server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Foreman server.

Procedure

On the Foreman or Smart Proxy server that you want to configure to manage DNS service for the domain, complete the following steps:

Configuring Foreman or Smart Proxy as a DNS Server

If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the foreman-installer command:
```
# foreman-installer
```
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Foreman or Smart Proxy as DNS server without using an answer file, enter the following foreman-installer command on Foreman or Smart Proxy:
```
# foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1"
```
For more information,see Configuring DNS, DHCP, and TFTP on Smart Proxy server.

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

In the Foreman web UI, navigate to Infrastructure > Smart Proxies.
For each Smart Proxy that you want to update, from the Actions list, select Refresh.
Configure the domain:
1. In the Foreman web UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
2. In the Domain tab, set DNS Smart Proxy to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. In the Foreman web UI, navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to DHCP or Internal DB.
3. In the Domains tab, select the domain that you want to manage using Foreman or Smart Proxy.
4. In the Smart Proxies tab, set Reverse DNS Smart Proxy to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

Appendix A: Applying Custom Configuration to Foreman

When you install and configure Foreman for the first time using foreman-installer, you can specify that the DNS and DHCP configuration files are not to be managed by Puppet using the installer flags --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false. If these flags are not specified during the initial installer run, rerunning of the installer overwrites all manual changes, for example, rerun for upgrade purposes. If changes are overwritten, you must run the restore procedure to restore the manual changes. For more information, see Restoring Manual Changes Overwritten by a Puppet Run.

To view all installer flags available for custom configuration, run foreman-installer --full-help. Some Puppet classes are not exposed to the Foreman installer. To manage them manually and prevent the installer from overwriting their values, specify the configuration values by adding entries to configuration file /etc/foreman-installer/custom-hiera.yaml. This configuration file is in YAML format, consisting of one entry per line in the format of <puppet class>::<parameter name>: <value>. Configuration values specified in this file persist across installer reruns.

Common examples include:

For Apache, to set the ServerTokens directive to only return the Product name:
```
apache::server_tokens: Prod
```
To turn off the Apache server signature entirely:
```
apache::server_signature: Off
```

The Puppet modules for the Foreman installer are stored under /usr/share/foreman-installer/modules. Check the .pp files (for example: moduleName/manifests/example.pp) to look up the classes, parameters, and values. Alternatively, use the grep command to do keyword searches.

Setting some values may have unintended consequences that affect the performance or functionality of Foreman. Consider the impact of the changes before you apply them, and test the changes in a non-production environment first. If you do not have a non-production Foreman environment, run the Foreman installer with the --noop and --verbose options. If your changes cause problems, remove the offending lines from custom-hiera.yaml and rerun the Foreman installer. If you have any specific questions about whether a particular value is safe to alter, contact Red Hat support.

Appendix B: Restoring Manual Changes Overwritten by a Puppet Run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.