Active Directory
In this guide we will cover how to manually configure a 7.1 Appliance’s external authentication to work against Active Directory. This provides AD users access to the Appliance UI as well as the REST API.
In these examples, the AD Domain shown will be EXAMPLE.COM
Enabling Network Manager
This is an optional step for allowing realm to discover the Active Directory domain. If not enabled, one can still join an AD domain if known by the domain name.
# systemctl enable NetworkManager # systemctl start NetworkManager # sed -i '/^NM_CONTROLLED=.*/d;$aNM_CONTROLLED=yes' /etc/sysconfig/network-scripts/ifcfg-eth0 # systemctl restart network
Discovering AD Domains
This only works if Network Manager is enabled.
# realm discover example.com type: kerberos realm-name: EXAMPLE.COM domain-name: example.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common login-formats: %U@example.com login-policy: allow-realm-logins
Joining AD Domain
When joining an AD domain, specify a user that has enough permission to be able to browse the directory.
# realm join example.com -U user Password for user: xxxxxxxx #
Configure SSSD
Update the /etc/sssd/sssd.conf file as follows:
[domain/example.com] ad_domain = example.com krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%d/%u access_provider = ad => ldap_user_extra_attrs = mail, givenname, sn, displayname => [sssd] => domains = example.com => config_file_version = 2 => services = nss, pam, ifp => default_domain_suffix = example.com => [nss] => homedir_substring = /home => [pam] => default_domain_suffix = example.com => [ifp] => default_domain_suffix = example.com => allowed_uids = apache, root => user_attributes = +mail, +givenname, +sn, +displayname
Configure Apache
Make sure the Kerberos keytab created by realm join above is readable by Apache.
# chgrp apache /etc/krb5.keytab # chmod 640 /etc/krb5.keytab
Create the Apache configuration files
# TEMPLATE_DIR="/var/www/miq/system/TEMPLATE" # cp ${TEMPLATE_DIR}/etc/pam.d/httpd-auth \ /etc/pam.d/httpd-auth # cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user.conf \ /etc/httpd/conf.d/ # cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth.conf.erb \ /etc/httpd/conf.d/manageiq-external-auth.conf
Update the Apache configuration file /etc/httpd/conf.d/manageiq-external-auth.conf as follows to specify the correct AD domain, and reference the Kerberos keytab appropriately.
... <Location /dashboard/kerberos_authenticate> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off => KrbAuthRealms example.com => Krb5KeyTab /etc/krb5.keytab => KrbServiceName Any Require pam-account httpd-auth ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js </Location> ...
Set appropriate SELinux permissions:
# setsebool -P allow_httpd_mod_auth_pam on # setsebool -P httpd_dbus_sssd on
Restart Services
# systemctl restart sssd # systemctl restart httpd
Configure Administrative UI
Login as admin, then in Configure→Configuration→Authentication
-
Set mode to External (httpd)
-
Check: Get User Groups from External Authentication (httpd)
-
Check: Enable Single Signon if you want to allow Kerberos SSO to AD.
-
Click Save.
The above steps need to be done on each UI and WebService enabled appliance.
in Configure→Configuration→Access Control
-
Make sure the user’s AD group for the appliance are created and appropriate roles assigned to those groups.