From b26a16438b47c735edd413479e621c3ac79e1495 Mon Sep 17 00:00:00 2001
From: alazik
Date: Wed, 31 Jan 2024 17:16:57 +0100
Subject: [PATCH 01/33] Implement suggestions from SAT-22855

GSS proxy is intended to enable privilege separation for the Apache server by removing access to the keytab file. Documentation recommends implementing GSS proxy for direct AD integration but the procedures don't actually meet that goal. The changes proposed in this commit are intended to ensure Apache does not have access to the keytab.
---
 ...iguring-direct-ad-integration-with-gss-proxy.adoc | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc b/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
index 04b5521e1a4..4da593bbca0 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
@@ -40,7 +40,7 @@ security = ads
 # id {apache-user}
 ----
 +
-Apache user must not have access to the keytab file.
+The Apache user must not have access to the keytab file.
 . Create the `/etc/gssproxy/00-http.conf` file with the following content:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -51,13 +51,19 @@ cred_store = keytab:/etc/httpd/conf/http.keytab
 cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
 euid = __ID_of_Apache_User__
 ----
+. Add a SELinux context rule to apply the appropriate security context to the `http.keytab` file:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# semanage fcontext -a -s system_u -t krb5_keytab_t '/etc/httpd/conf/http\.keytab'
+----
 . Create a keytab entry:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
 # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
-# chown root.{apache-user} /etc/httpd/conf/http.keytab
-# chmod 640 /etc/httpd/conf/http.keytab
+# chown root.root /etc/httpd/conf/http.keytab
+# chmod 600 /etc/httpd/conf/http.keytab
 ----
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
 .. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the Active Directory domain:

From dcff9e442cc27013aeeb0a771f189d4f39833a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Mon, 5 Aug 2024 18:02:28 +0200
Subject: [PATCH 02/33] The installer enforces certain keytab settings

Co-authored-by: Ewoud Kohl van Wijngaarden
---
 .../proc_configuring-direct-ad-integration-with-gss-proxy.adoc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc b/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
index 4da593bbca0..b82b0662201 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
@@ -40,7 +40,6 @@ security = ads
 # id {apache-user}
 ----
 +
-The Apache user must not have access to the keytab file.
 . Create the `/etc/gssproxy/00-http.conf` file with the following content:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -62,8 +61,6 @@ euid = __ID_of_Apache_User__
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
 # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
-# chown root.root /etc/httpd/conf/http.keytab
-# chmod 600 /etc/httpd/conf/http.keytab
 ----
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
 .. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the Active Directory domain:

From f87a7b80d58a55d8112521cb7ca746b56def2324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Mon, 5 Aug 2024 19:15:19 +0200
Subject: [PATCH 03/33] Drop GSS Proxy parts of the direct AD integration proc

---
 ...xternal-identity-provider-for-project.adoc | 4 +--
 ...xternal-identity-provider-for-project.adoc | 7 +---
 guides/common/modules/con_gss-proxy.adoc | 12 -------
 ...oc_configuring-direct-ad-integration.adoc} | 32 ++-----------------
 ...c_enrolling-server-with-the-ad-server.adoc | 12 +------
 5 files changed, 6 insertions(+), 61 deletions(-)
 delete mode 100644 guides/common/modules/con_gss-proxy.adoc
 rename guides/common/modules/{proc_configuring-direct-ad-integration-with-gss-proxy.adoc => proc_configuring-direct-ad-integration.adoc} (82%)

diff --git a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
index 57abef317cb..77a375104b5 100644
--- a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
@@ -1,9 +1,7 @@
 include::modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc[]
 
-include::modules/con_gss-proxy.adoc[leveloffset=+1]
-
 include::modules/proc_enrolling-server-with-the-ad-server.adoc[leveloffset=+1]
 
-include::modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc[leveloffset=+1]
+include::modules/proc_configuring-direct-ad-integration.adoc[leveloffset=+1]
 
 include::modules/con_kerberos-configuration-in-web-browsers.adoc[leveloffset=+1]
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
index bcf75ce6d00..fd2f0ca37b2 100644
--- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
@@ -2,6 +2,7 @@
 = Configuring Active Directory as an external identity provider for {Project}
 
 This section shows how to use direct Active Directory (AD) as an external authentication source for {ProjectServer}.
+Direct AD integration means that {ProjectServer} is joined directly to the AD domain where the identity is stored.
 
 [NOTE]
 ====
@@ -12,12 +13,6 @@ For an example configuration, see https://access.redhat.com/solutions/1498773[Ho
 endif::[]
 ====
 
-Direct AD integration means that {ProjectServer} is joined directly to the AD domain where the identity is stored.
-The recommended setup consists of two steps:
-
-* Enrolling {ProjectServer} with the Active Directory server as described in xref:Enrolling_Server_with_the_AD_Server_{context}[].
-* Configuring direct Active Directory integration with GSS-proxy as described in xref:Configuring_Direct_AD_Integration_with_GSS_Proxy_{context}[].
-
 ifndef::orcharhino[]
 For information about integrating {RHEL} systems with Active{nbsp}Directory, see link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/index[{RHEL}{nbsp}8 _Integrating RHEL systems directly with Windows Active Directory_].
 endif::[]
diff --git a/guides/common/modules/con_gss-proxy.adoc b/guides/common/modules/con_gss-proxy.adoc
deleted file mode 100644
index f0b8db59862..00000000000
--- a/guides/common/modules/con_gss-proxy.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-[id="GSS_Proxy_{context}"]
-= GSS-Proxy
-
-The traditional process of Kerberos authentication in Apache requires the Apache process to have read access to the keytab file.
-GSS-Proxy allows you to implement stricter privilege separation for the Apache server by removing access to the keytab file while preserving Kerberos authentication functionality.
-When using AD as an external authentication source for {Project}, it is recommended to implement GSS-proxy, because the keys in the keytab file are the same as the host keys.
-
-ifndef::orcharhino[]
-Perform the following procedures on {EL} that acts as a base operating system for your {ProjectServer}.
-For the examples in this section _EXAMPLE.ORG_ is the Kerberos realm for the AD domain.
-By completing the procedures, users that belong to the EXAMPLE.ORG realm can log in to {ProjectServer}.
-endif::[]
diff --git a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
similarity index 82%
rename from guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
rename to guides/common/modules/proc_configuring-direct-ad-integration.adoc
index b82b0662201..ae5e9a73373 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -1,7 +1,7 @@
-[id="Configuring_Direct_AD_Integration_with_GSS_Proxy_{context}"]
-= Configuring direct AD integration with GSS-proxy
+[id="Configuring_Direct_AD_Integration_{context}"]
+= Configuring direct AD integration
 
-In the {Project} CLI, configure the direct Active Directory integration with GSS-proxy.
+In the {Project} CLI, configure the direct Active Directory integration.
 
 .Prerequisites
 * {Project} is enrolled with the Active Directory server.
@@ -40,16 +40,6 @@ security = ads
 # id {apache-user}
 ----
 +
-. Create the `/etc/gssproxy/00-http.conf` file with the following content:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-[service/HTTP]
-mechs = krb5
-cred_store = keytab:/etc/httpd/conf/http.keytab
-cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
-euid = __ID_of_Apache_User__
-----
 . Add a SELinux context rule to apply the appropriate security context to the `http.keytab` file:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -88,22 +78,6 @@ endif::[]
 ----
 # {foreman-installer} --foreman-ipa-authentication=true
 ----
-. Start and enable the `gssproxy` service:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# systemctl restart gssproxy
-# systemctl enable gssproxy
-----
-. To configure the Apache server to use the `gssproxy` service, create a `systemd` drop-in file and add the following content to it:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# mkdir -p /etc/systemd/system/httpd.service.d/
-# vi /etc/systemd/system/httpd.service.d/gssproxy.conf
-[Service]
-Environment=GSS_USE_PROXY=1
-----
 . Apply changes to the service:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index 5b73b55108e..af8127e237e 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -3,16 +3,6 @@
 
 In the {Project} CLI, enroll {ProjectServer} with the Active Directory server.
 
-.Prerequisites
-* GSS-proxy and {nfs-client-package} are installed.
-+
-Installing GSS-proxy and {nfs-client-package}:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {project-package-install} gssproxy {nfs-client-package}
-----
-
 .Procedure
 . Install the required packages:
 +
@@ -31,5 +21,5 @@ You may need to have administrator permissions to perform the following command:
 +
 [NOTE]
 ====
-You must use the Samba client software to enroll with the AD server to create the HTTP keytab in xref:Configuring_Direct_AD_Integration_with_GSS_Proxy_{context}[].
+You must use the Samba client software to enroll with the AD server to create the HTTP keytab in xref:Configuring_Direct_AD_Integration_{context}[].
 ====

From e85c958842e1ee0715323859e3a85cfc0ba40271 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 13 Aug 2024 20:30:50 +0200
Subject: [PATCH 04/33] Document bare minimum for AD direct integration

This is the simplest workflow that should work. aka Burn it all and start again Currently still untested, just based on information from the SSSD team.
---
 ...roc_configuring-direct-ad-integration.adoc | 97 +------------------
 ...c_enrolling-server-with-the-ad-server.adoc | 26 ++---
 2 files changed, 11 insertions(+), 112 deletions(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index ae5e9a73373..6b332436a0a 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -1,57 +1,9 @@
-[id="Configuring_Direct_AD_Integration_{context}"]
-= Configuring direct AD integration
+[id="configuring-the-active-directory-authentication-source-on-projectserver_{context}"]
+= Configuring the Active Directory authentication source on {ProjectServer}
 
-In the {Project} CLI, configure the direct Active Directory integration.
-
-.Prerequisites
-* {Project} is enrolled with the Active Directory server.
-For more information, see xref:Enrolling_Server_with_the_AD_Server_{context}[].
+Enable Active Directory users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}.
 
 .Procedure
-. Create the `/etc/ipa/` directory and the `default.conf` file:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# mkdir /etc/ipa
-# touch /etc/ipa/default.conf
-----
-. To the `default.conf` file, add the following content:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-[global]
-server = unused
-realm = _EXAMPLE.ORG_
-----
-. Create the `/etc/net-keytab.conf` file with the following content:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-[global]
-workgroup = EXAMPLE
-realm = EXAMPLE.ORG
-kerberos method = system keytab
-security = ads
-----
-. Determine the effective user ID of the Apache user:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# id {apache-user}
-----
-+
-. Add a SELinux context rule to apply the appropriate security context to the `http.keytab` file:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# semanage fcontext -a -s system_u -t krb5_keytab_t '/etc/httpd/conf/http\.keytab'
-----
-. Create a keytab entry:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
-----
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
 .. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the Active Directory domain:
 +
@@ -78,49 +30,10 @@ endif::[]
 ----
 # {foreman-installer} --foreman-ipa-authentication=true
 ----
-. Apply changes to the service:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# systemctl daemon-reload
-----
-. Start and enable the `httpd` service:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# systemctl restart httpd
-----
+// It's okay that this uses --foreman-ipa-authentication because a key function of ipa-client-install is actually to configure SSSD on the new FreeIPA client.
 
 .Verification
-Verify that SSO is working as expected.
-
-With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.
-
-. Retrieve the Kerberos ticket of the LDAP user, using the following command:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# kinit ldapuser
-----
-. View the Kerberos ticket, using the following command:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# klist
-----
-. View output from successful SSO-based authentication, using the following command:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-# curl -k -u : --negotiate https://__{foreman-example-com}/__users/extlogin
-----
-+
-This returns the following response:
-+
-[options="nowrap", subs="+quotes,attributes"]
-----
-You are being redirected.
-----
+* Log in to {ProjectwebUI} by entering the credentials of a user defined in Active Directory.
 
 
 .Additional resources
diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index af8127e237e..b96a72eb8d4 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -3,23 +3,9 @@
 
 In the {Project} CLI, enroll {ProjectServer} with the Active Directory server.
 
-.Procedure
-. Install the required packages:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {project-package-install} adcli krb5-workstation \
-oddjob oddjob-mkhomedir realmd samba-common-tools sssd
-----
-. Enroll {ProjectServer} with the AD server.
-You may need to have administrator permissions to perform the following command:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# realm join -v _EXAMPLE.ORG_ --membership-software=samba -U Administrator
-----
-+
-[NOTE]
-====
-You must use the Samba client software to enroll with the AD server to create the HTTP keytab in xref:Configuring_Direct_AD_Integration_{context}[].
-====
+For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD].
+
+// # yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
+// # realm discover ad.example.com
+// # realm join ad.example.com
+// Verify: # getent passwd administrator@ad.example.com

From 4ff153ba6815ec5bc1f5eab8d49f0125e073d574 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 15:32:29 +0200
Subject: [PATCH 05/33] foreman-installer expects http.keytab to exist

---
 .../proc_configuring-direct-ad-integration.adoc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index 6b332436a0a..0a0380de801 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -24,7 +24,17 @@ endif::[]
 ----
 # systemctl restart sssd
 ----
-. Enable IPA authentication in {Project}:
+. Configure Active Directory as the authentication source for your {ProjectServer}:
+.. Create an Apache keytab file if it does not already exist on your system:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# touch /etc/httpd/conf/http.keytab
+----
++
+You can leave the file empty.
+The `{foreman-installer}` command fails to configure the authentication source if the file is missing.
+.. Enable IPA authentication:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----

From 03e402dc749b73e4e4a5efc9a2b45af3a5129075 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 15:53:30 +0200
Subject: [PATCH 06/33] AD users must use the full name including the domain name

---
 .../common/modules/proc_configuring-direct-ad-integration.adoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index 0a0380de801..8abfe274264 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -44,6 +44,7 @@ The `{foreman-installer}` command fails to configure the authentication source i
 
 .Verification
 * Log in to {ProjectwebUI} by entering the credentials of a user defined in Active Directory.
+Enter the user name and the domain name, for example: ad_user@ad-example.com.
 
 
 .Additional resources

From 90dde9a3228ea1131116614d6a619eddc1bc8ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:14:05 +0200
Subject: [PATCH 07/33] Restart Apache manually after enabling IPA auth

foreman-installer in the previous step doesn't load the configuration on its own
---
 .../modules/proc_configuring-direct-ad-integration.adoc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index 8abfe274264..dd301f9d60b 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -41,6 +41,12 @@ The `{foreman-installer}` command fails to configure the authentication source i
 # {foreman-installer} --foreman-ipa-authentication=true
 ----
 // It's okay that this uses --foreman-ipa-authentication because a key function of ipa-client-install is actually to configure SSSD on the new FreeIPA client.
+.. Restart Apache:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# systemctl restart httpd
+----
 
 .Verification
 * Log in to {ProjectwebUI} by entering the credentials of a user defined in Active Directory.

From 070f2883bb7c60ab353d4bcaa5c6f3c2b99f7a04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:24:30 +0200
Subject: [PATCH 08/33] Remove internal notes

---
 .../modules/proc_configuring-direct-ad-integration.adoc | 1 -
 .../modules/proc_enrolling-server-with-the-ad-server.adoc | 5 -----
 2 files changed, 6 deletions(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index dd301f9d60b..2ac930f3878 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -40,7 +40,6 @@ The `{foreman-installer}` command fails to configure the authentication source i
 ----
 # {foreman-installer} --foreman-ipa-authentication=true
 ----
-// It's okay that this uses --foreman-ipa-authentication because a key function of ipa-client-install is actually to configure SSSD on the new FreeIPA client.
 .. Restart Apache:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index b96a72eb8d4..3c6593fd29b 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -4,8 +4,3 @@
 In the {Project} CLI, enroll {ProjectServer} with the Active Directory server.
 
 For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD].
-
-// # yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
-// # realm discover ad.example.com
-// # realm join ad.example.com
-// Verify: # getent passwd administrator@ad.example.com

From 0e2eb740133dfa2de2510e771ebb55fc5eb22d6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:26:30 +0200
Subject: [PATCH 09/33] Expand Active Directory on first use only

---
 .../proc_configuring-direct-ad-integration.adoc | 10 +++++-----
 .../proc_enrolling-server-with-the-ad-server.adoc | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index 2ac930f3878..1cfa7775121 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -1,11 +1,11 @@
 [id="configuring-the-active-directory-authentication-source-on-projectserver_{context}"]
 = Configuring the Active Directory authentication source on {ProjectServer}
 
-Enable Active Directory users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}.
+Enable Active Directory (AD) users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}.
 
 .Procedure
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
-.. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the Active Directory domain:
+.. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the AD domain:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
@@ -24,7 +24,7 @@ endif::[]
 ----
 # systemctl restart sssd
 ----
-. Configure Active Directory as the authentication source for your {ProjectServer}:
+. Configure AD as the authentication source for your {ProjectServer}:
 .. Create an Apache keytab file if it does not already exist on your system:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -48,9 +48,9 @@ The `{foreman-installer}` command fails to configure the authentication source i
 ----
 
 .Verification
-* Log in to {ProjectwebUI} by entering the credentials of a user defined in Active Directory.
+* Log in to {ProjectwebUI} by entering the credentials of a user defined in AD.
 Enter the user name and the domain name, for example: ad_user@ad-example.com.
 
 
 .Additional resources
-* For more information about the options to configure an Active Directory provider for SSSD, see the `sssd-ad(5)` man page.
+* For more information about the options to configure an AD provider for SSSD, see the `sssd-ad(5)` man page.
diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index 3c6593fd29b..90192ad1e43 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -1,6 +1,6 @@
 [id="Enrolling_Server_with_the_AD_Server_{context}"]
-= Enrolling {ProjectServer} with the AD server
+= Enrolling {ProjectServer} with the Active Directory server
 
-In the {Project} CLI, enroll {ProjectServer} with the Active Directory server.
+In the {Project} CLI, enroll {ProjectServer} with the Active Directory (AD) server.
 
 For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD].

From 13bd5608919d3a22f7d873b326318ef0bf461b21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:28:04 +0200
Subject: [PATCH 10/33] Make refering to services being restarted consistent

---
 .../common/modules/proc_configuring-direct-ad-integration.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index 1cfa7775121..a6a3b815963 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -18,7 +18,7 @@ ifndef::orcharhino[]
 +
 For more information on GPOs, see link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _{RHEL}{nbsp}9 Integrating RHEL systems directly with Windows Active Directory_ or link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _{RHEL}{nbsp}8 Integrating RHEL systems directly with Windows Active Directory_.
 endif::[]
-.. Restart the `sssd` service:
+.. Restart SSSD:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----

From ce8375a36ad6a92fd3bd1ffec2c5ec7481a909c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:29:09 +0200
Subject: [PATCH 11/33] Add markup for replaceable values

---
 .../common/modules/proc_configuring-direct-ad-integration.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
index a6a3b815963..31765d8664c 100644
--- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc
@@ -49,7 +49,7 @@ The `{foreman-installer}` command fails to configure the authentication source i
 
 .Verification
 * Log in to {ProjectwebUI} by entering the credentials of a user defined in AD.
-Enter the user name and the domain name, for example: ad_user@ad-example.com.
+Enter the user name and the domain name, for example: _ad_user_@_ad-example.com_.
 
 
 .Additional resources

From b53caf4cc82f67860d0afae72986c76a9b0912f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 11 Sep 2024 17:43:47 +0200
Subject: [PATCH 12/33] Add example block with simplified realm join steps

---
 ...c_enrolling-server-with-the-ad-server.adoc | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index 90192ad1e43..9f98bef5772 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -4,3 +4,29 @@
 In the {Project} CLI, enroll {ProjectServer} with the Active Directory (AD) server.
 
 For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD].
+
+.Enrolling {ProjectServer} with an AD server by using the System Security Services Daemon (SSSD)
+====
+On your {ProjectServer}:
+
+. Install the packages necessary for direct AD integration with SSSD:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-maintain} samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
+----
++
+. Join the AD domain:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# realm join _ad_domain.example.com_
+----
++
+. Verify that you can resolve a user defined on the AD server:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# getent passwd _ad_user_@_ad_domain.example.com_
+----
+====

From f28b7e5c6c7fc4162dc4e46442cf5f9e16c7cd42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Thu, 12 Sep 2024 09:31:29 +0200
Subject: [PATCH 13/33] Fix command to install packages

---
 .../modules/proc_enrolling-server-with-the-ad-server.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
index 9f98bef5772..36ed52b3c86 100644
--- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
+++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc
@@ -13,7 +13,7 @@ On your {ProjectServer}: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# {foreman-maintain} samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation +# {project-package-install} samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation ---- + . Join the AD domain: From ba5ab6aa98c09478cba78bd512c7df3c70a7fb47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 09:33:15 +0200 Subject: [PATCH 14/33] ad_server does not need to be manually added to sssd.conf --- .../common/modules/proc_configuring-direct-ad-integration.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc index 31765d8664c..a7482bf03d2 100644 --- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc +++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc @@ -10,7 +10,6 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres [options="nowrap", subs="+quotes,verbatim,attributes"] ---- [domain/_EXAMPLE_] -access_provider = ad ad_gpo_access_control = enforcing ad_gpo_map_service = +foreman ---- From 1880244fe159682398e251a9049125cb847f9c42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 09:38:21 +0200 Subject: [PATCH 15/33] Make AD domain and user example values consistent --- .../modules/proc_configuring-direct-ad-integration.adoc | 4 ++-- .../modules/proc_enrolling-server-with-the-ad-server.adoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-direct-ad-integration.adoc index a7482bf03d2..0466f59bcbf 100644 --- a/guides/common/modules/proc_configuring-direct-ad-integration.adoc 
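Review bot: The line this hunk removes is `access_provider = ad`, while the commit subject says `ad_server` does not need to be added, so the description and the change do not match and the description should name the option actually dropped. The bigger point is that `ad_gpo_access_control = enforcing`, which the same snippet keeps, only takes effect when the domain's access provider is `ad`; if that line is absent from `/etc/sssd/sssd.conf`, the GPO enforcement this step exists to configure silently becomes a no-op. If the intent is that `realm join` already writes `access_provider = ad` into the domain section (which is presumably why it was removed), say so in the step, e.g. `The domain section already contains access_provider = ad from the realm join; keep that line, because the GPO options below have no effect under another access provider.`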
+++ b/guides/common/modules/proc_configuring-direct-ad-integration.adoc @@ -9,7 +9,7 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -[domain/_EXAMPLE_] +[domain/_ad.example.com_] ad_gpo_access_control = enforcing ad_gpo_map_service = +foreman ---- @@ -48,7 +48,7 @@ The `{foreman-installer}` command fails to configure the authentication source i .Verification * Log in to {ProjectwebUI} by entering the credentials of a user defined in AD. -Enter the user name and the domain name, for example: _ad_user_@_ad-example.com_. +Enter the user name and the domain name, for example: _ad_user_@_ad.example.com_. .Additional resources diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc index 36ed52b3c86..e7c1cc7964a 100644 --- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc +++ b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc @@ -20,13 +20,13 @@ On your {ProjectServer}: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# realm join _ad_domain.example.com_ +# realm join _ad.example.com_ ---- + . Verify that you can resolve a user defined on the AD server: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# getent passwd _ad_user_@_ad_domain.example.com_ +# getent passwd _ad_user_@_ad.example.com_ ---- ==== From d9c46ad42e2a6a9db62803119cbd2e8cb20f96c5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 09:40:32 +0200 Subject: [PATCH 16/33] Rename file to match ID --- ...-directory-as-an-external-identity-provider-for-project.adoc | 2 +- ...ctive-directory-authentication-source-on-projectserver.adoc} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename guides/common/modules/{proc_configuring-direct-ad-integration.adoc => proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc} (100%) diff --git a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc index 77a375104b5..a07cc5cfffb 100644 --- a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc @@ -2,6 +2,6 @@ include::modules/con_configuring-active-directory-as-an-external-identity-provid include::modules/proc_enrolling-server-with-the-ad-server.adoc[leveloffset=+1] -include::modules/proc_configuring-direct-ad-integration.adoc[leveloffset=+1] +include::modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc[leveloffset=+1] include::modules/con_kerberos-configuration-in-web-browsers.adoc[leveloffset=+1] diff --git a/guides/common/modules/proc_configuring-direct-ad-integration.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc similarity index 100% rename from guides/common/modules/proc_configuring-direct-ad-integration.adoc rename to guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc From 595ff52699d962734fc55b666729c6098ea82d66 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 09:41:03 +0200 Subject: [PATCH 17/33] Remove extra blank line --- ...-active-directory-authentication-source-on-projectserver.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index 0466f59bcbf..cb7d3320125 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc @@ -51,5 +51,4 @@ The `{foreman-installer}` command fails to configure the authentication source i Enter the user name and the domain name, for example: _ad_user_@_ad.example.com_. .Additional resources - * For more information about the options to configure an AD provider for SSSD, see the `sssd-ad(5)` man page. From f2906b2948ec8a5d2dda2ba0c6811b589d64f9e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 09:59:00 +0200 Subject: [PATCH 18/33] Drop a section on AD join and turn it into a prerequisite --- ...xternal-identity-provider-for-project.adoc | 2 -- ...uthentication-source-on-projectserver.adoc | 4 +++ ...c_enrolling-server-with-the-ad-server.adoc | 32 ------------------- 3 files changed, 4 insertions(+), 34 deletions(-) delete mode 100644 guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc diff --git a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc index a07cc5cfffb..ef122b7a3a6 100644 --- a/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc 
+++ b/guides/common/assembly_configuring-active-directory-as-an-external-identity-provider-for-project.adoc @@ -1,7 +1,5 @@ include::modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc[] -include::modules/proc_enrolling-server-with-the-ad-server.adoc[leveloffset=+1] - include::modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc[leveloffset=+1] include::modules/con_kerberos-configuration-in-web-browsers.adoc[leveloffset=+1] diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index cb7d3320125..09ffb51af86 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc @@ -3,6 +3,10 @@ Enable Active Directory (AD) users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}. +.Prerequisites +* The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain. +For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD]. + .Procedure . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service: .. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the AD domain: 
diff --git a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc b/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc deleted file mode 100644 index e7c1cc7964a..00000000000 --- a/guides/common/modules/proc_enrolling-server-with-the-ad-server.adoc +++ /dev/null @@ -1,32 +0,0 @@ -[id="Enrolling_Server_with_the_AD_Server_{context}"] -= Enrolling {ProjectServer} with the Active Directory server - -In the {Project} CLI, enroll {ProjectServer} with the Active Directory (AD) server. - -For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD]. - -.Enrolling {ProjectServer} with an AD server by using the System Security Services Daemon (SSSD) -==== -On your {ProjectServer}: - -. Install the packages necessary for direct AD integration with SSSD: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {project-package-install} samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation ----- -+ -. Join the AD domain: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# realm join _ad.example.com_ ----- -+ -. Verify that you can resolve a user defined on the AD server: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# getent passwd _ad_user_@_ad.example.com_ ----- -==== From cb7a862ceca17355ad5878c16fcc10c8e44217b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 10:47:34 +0200 Subject: [PATCH 19/33] Reword AD direct integration intro --- ...ory-as-an-external-identity-provider-for-project.adoc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc index fd2f0ca37b2..eab72e8bd9f 100644 --- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc @@ -1,12 +1,17 @@ [id="configuring-active-directory-as-an-external-identity-provider-for-project_{context}"] = Configuring Active Directory as an external identity provider for {Project} -This section shows how to use direct Active Directory (AD) as an external authentication source for {ProjectServer}. +If the base system of your {ProjectServer} is connected directly to Active Directory (AD), you can configure AD as an external authentication source for {Project}. Direct AD integration means that {ProjectServer} is joined directly to the AD domain where the identity is stored. [NOTE] ==== -You can attach Active Directory as an external authentication source with no single sign-on support. +You can also connect your {Project} deployment to AD in the following ways: + +* By using indirect AD integration. +With indirect integration, your {ProjectServer} is connected to a {FreeIPA} server which is then connected to AD. +For more information, see xref:configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}[]. +* By attaching the LDAP server of the AD domain as an external authentication source with no single sign-on support. For more information, see xref:configuring-an-ldap-server-as-an-external-identity-provider-for-project_{context}[]. ifndef::orcharhino[] For an example configuration, see https://access.redhat.com/solutions/1498773[How to configure Active Directory authentication with TLS on {Project}]. 
From 9902c61ff01a3f395211f7c59a09a3e52084287a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 10:47:54 +0200 Subject: [PATCH 20/33] Remove a link to RHEL docs for AD integration info The link is no longer necessary because the subsequent procedure links to the right resources now. --- ...irectory-as-an-external-identity-provider-for-project.adoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc index eab72e8bd9f..f8874cc23e2 100644 --- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc @@ -17,7 +17,3 @@ ifndef::orcharhino[] For an example configuration, see https://access.redhat.com/solutions/1498773[How to configure Active Directory authentication with TLS on {Project}]. endif::[] ==== - -ifndef::orcharhino[] -For information about integrating {RHEL} systems with Active{nbsp}Directory, see link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/index[{RHEL}{nbsp}8 _Integrating RHEL systems directly with Windows Active Directory_]. -endif::[] From 950a31ac7d3c563e57cb28c31530e1330fc1f290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Thu, 12 Sep 2024 19:10:23 +0200 Subject: [PATCH 21/33] Apply suggestions from peer review --- ...s-an-external-identity-provider-for-project.adoc | 2 +- ...tory-authentication-source-on-projectserver.adoc | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) 
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc index f8874cc23e2..29bf5f89183 100644 --- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc @@ -2,7 +2,7 @@ = Configuring Active Directory as an external identity provider for {Project} If the base system of your {ProjectServer} is connected directly to Active Directory (AD), you can configure AD as an external authentication source for {Project}. -Direct AD integration means that {ProjectServer} is joined directly to the AD domain where the identity is stored. +Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored. [NOTE] ==== diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index 09ffb51af86..42f4b13bdef 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc 
@@ -9,7 +9,7 @@ For more information, see link:https://docs.redhat.com/en/documentation/red_hat_ .Procedure . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service: -.. In your `/etc/sssd/sssd.conf` file, add the following lines to the `domain` section for the AD domain: +.. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- 
@@ -19,7 +19,10 @@ ad_gpo_map_service = +foreman ---- ifndef::orcharhino[] + -For more information on GPOs, see link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _{RHEL}{nbsp}9 Integrating RHEL systems directly with Windows Active Directory_ or link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _{RHEL}{nbsp}8 Integrating RHEL systems directly with Windows Active Directory_. +For more information on GPOs, see the following documents: ++ +* link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}9)_ +* link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}8)_ endif::[] .. Restart SSSD: + 
@@ -37,7 +40,7 @@ endif::[] + You can leave the file empty. The `{foreman-installer}` command fails to configure the authentication source if the file is missing. -.. Enable IPA authentication: +.. Enable the authentication source: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- @@ -52,7 +55,7 @@ The `{foreman-installer}` command fails to configure the authentication source i .Verification * Log in to {ProjectwebUI} by entering the credentials of a user defined in AD. -Enter the user name and the domain name, for example: _ad_user_@_ad.example.com_. +Enter the user name in the user principal name (UPN) format, for example _ad_user@ad.example.com_. .Additional resources -* For more information about the options to configure an AD provider for SSSD, see the `sssd-ad(5)` man page. +* `sssd-ad(5)` man page on your system From 313fea38b8c9a26f29f3cd8f11cae9d06ff7b5c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Mon, 16 Sep 2024 11:15:27 +0200 Subject: [PATCH 22/33] Drop steps related to GSS proxy from Samba-based joining --- ...uthentication-source-on-projectserver.adoc | 86 ++++++++++++++----- 1 file changed, 63 insertions(+), 23 deletions(-) diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index 42f4b13bdef..341b705b91b 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc 
@@ -5,57 +5,97 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres .Prerequisites * The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain. -For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using SSSD]. +To be able configure Kerberos single sign-on for AD users, use Samba Winbind for the integration. +For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind]. .Procedure -. Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service: -.. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows: +. + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -[domain/_ad.example.com_] -ad_gpo_access_control = enforcing -ad_gpo_map_service = +foreman +mkdir /etc/ipa ---- -ifndef::orcharhino[] +. + -For more information on GPOs, see the following documents: +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +touch /etc/ipa/default.conf +---- +. 
+ -* link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}9)_ -* link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}8)_ -endif::[] -.. Restart SSSD: +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +[global] +server = unused +realm = AD.EXAMPLE.COM +---- +. + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# systemctl restart sssd +vim /etc/net-keytab.conf ---- -. Configure AD as the authentication source for your {ProjectServer}: -.. Create an Apache keytab file if it does not already exist on your system: +. + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# touch /etc/httpd/conf/http.keytab +[global] +workgroup = AD.EXAMPLE.COM +realm = AD.EXAMPLE.COM +kerberos method = system keytab +security = ads ---- +. + -You can leave the file empty. -The `{foreman-installer}` command fails to configure the authentication source if the file is missing. -.. Enable the authentication source: +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf +---- +. + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# {foreman-installer} --foreman-ipa-authentication=true +{foreman-installer} --foreman-ipa-authentication=true ---- -.. 
Restart Apache: +. + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# systemctl restart httpd +systemctl restart httpd +---- +. Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service: +.. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +[domain/_ad.example.com_] +ad_gpo_access_control = enforcing +ad_gpo_map_service = +foreman +---- +ifndef::orcharhino[] ++ +For more information on GPOs, see the following documents: ++ +* link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}9)_ +* link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}8)_ +endif::[] +.. Restart SSSD: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# systemctl restart sssd ---- .Verification -* Log in to {ProjectwebUI} by entering the credentials of a user defined in AD. +. Log in to {ProjectwebUI} by entering the credentials of a user defined in AD. Enter the user name in the user principal name (UPN) format, for example _ad_user@ad.example.com_. +. 
++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin +You are being redirected. +---- .Additional resources * `sssd-ad(5)` man page on your system From 1131440bebd2ba123bbca6b0ab47d08a9926a5ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Mon, 16 Sep 2024 12:24:39 +0200 Subject: [PATCH 23/33] Edit Samba-based AD integration based on testing --- ...uthentication-source-on-projectserver.adoc | 78 ++++++++++++------- 1 file changed, 49 insertions(+), 29 deletions(-) diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc index 341b705b91b..e05683b39ce 100644 --- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc +++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc 
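Review bot: The new verification command `curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin` disables TLS certificate verification, and the same flag is carried unchanged into the verification hunk of PATCH 23 (`@@ -85,15 +92,28 @@`). Readers copy verification commands into scripts, and skipping certificate checks against an authentication endpoint is the habit a guide should not teach; the check is about the Kerberos negotiation, which works just as well with the server CA passed explicitly, for example `$ curl --cacert _/path/to/ca.crt_ -u : --negotiate https://{foreman-example-com}/users/extlogin` (placeholder path), or add one sentence saying why verification is deliberately skipped here. The rest of this hunk is clearly work in progress (empty step titles, `vim /etc/net-keytab.conf` as a step) and PATCH 23 already reworks it, so only the `-k` point remains open.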
@@ -5,63 +5,70 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres .Prerequisites * The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain. -To be able configure Kerberos single sign-on for AD users, use Samba Winbind for the integration. -For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind]. - -.Procedure -. +To enable AD users to sign in with Kerberos single sign-on, join the system by using the System Security Services Daemon (SSSD) and Samba services. ++ +Ensure you have the following packages installed: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -mkdir /etc/ipa +# {foreman-maintain} packages install krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd ---- -. ++ +Specify the required software when joining the AD domain: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -touch /etc/ipa/default.conf +# realm join _AD.EXAMPLE.COM_ --membership-software=samba --client-software=sssd ---- -. ++ +For more information on direct AD integration, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind]. + +.Procedure +. Define AD realm configuration in a location where {foreman-installer} expects it: +.. 
Create a directory named `/etc/ipa/`: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -[global] -server = unused -realm = AD.EXAMPLE.COM +# mkdir /etc/ipa ---- -. ++ +.. Create a file named `default.conf` in the `/etc/ipa/` directory: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -vim /etc/net-keytab.conf +# touch /etc/ipa/default.conf ---- -. +.. Add the following lines to `/etc/ipa/default.conf` to configure the Kerberos realm for the AD domain: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- [global] -workgroup = AD.EXAMPLE.COM -realm = AD.EXAMPLE.COM -kerberos method = system keytab -security = ads +realm = _AD.EXAMPLE.COM_ ---- -. +. Configure the Apache keytab for Kerberos connections: +.. Create a file named `/etc/net-keytab.conf` to store configuration details for Samba: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf +# touch /etc/net-keytab.conf ---- -. ++ +.. Add the following lines to `/etc/net-keytab.conf` to provide Samba with details for how to interact with AD: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -{foreman-installer} --foreman-ipa-authentication=true +[global] +workgroup = _AD.EXAMPLE_ +realm = _AD.EXAMPLE.COM_ +kerberos method = system keytab +security = ads ---- -. ++ +.. Add the Kerberos service principal to the keytab file at `/etc/httpd/conf/http.keytab`: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -systemctl restart httpd +# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/net-keytab.conf -d3 ---- . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service: .. 
In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows: @@ -85,15 +92,28 @@ endif::[] ---- # systemctl restart sssd ---- +. Enable the authentication source: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} --foreman-ipa-authentication=true +---- .Verification -. Log in to {ProjectwebUI} by entering the credentials of a user defined in AD. -Enter the user name in the user principal name (UPN) format, for example _ad_user@ad.example.com_. -. +* To verify that AD users can log in to {ProjectWebUI}, log in to {ProjectwebUI} by entering the credentials of a user defined in AD. +Enter the user name in the user principal name (UPN) format, for example _ad_user_@_AD.EXAMPLE.COM_. +* To verify that AD users can authenticate by using Kerberos single sign-on: +** Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _ad_user_@_AD.EXAMPLE.COM_ +---- +** Check that with the TGT, user authentication is successfully redirected: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin +$ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin You are being redirected. ---- From 0824fee0aea5cda1287efdf944d31b8e40cc4446 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 17 Sep 2024 11:27:43 +0200 Subject: [PATCH 24/33] List login methods for AD users with direct integration --- ...rectory-as-an-external-identity-provider-for-project.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
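Review bot: The step `Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab` says nothing about who may read the resulting file, yet this procedure no longer routes Apache through GSS proxy, so the key that identifies the HTTP service now lives in a file whose ownership and mode the reader is left to guess; anyone who can read it can act as the service. Add one sentence stating the expected ownership and permissions, or that `{foreman-installer}` sets them in the later `Enable the authentication source` step (confirm against the installer before asserting it). Two smaller points: `workgroup = _AD.EXAMPLE_` is the NetBIOS domain name, and a dotted value reads like a copy of the realm, so an example such as `workgroup = _AD_` with a note that this is the short NetBIOS name would be less error-prone; and the package command uses `{foreman-maintain} packages install` where PATCH 13 standardised the same package list on `{project-package-install}`, so one of the two attributes should be used consistently.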
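Review bot: The new line `* To verify that AD users can log in to {ProjectWebUI}, log in to {ProjectwebUI} by entering the credentials of a user defined in AD.` uses two spellings of the attribute; the rest of the file uses `{ProjectwebUI}`, so `{ProjectWebUI}` is presumably undefined and would render literally in the built guide. The sentence also says "log in" twice; `* To verify that AD users can log in to {ProjectwebUI}, enter the credentials of a user defined in AD.` keeps the meaning and fixes both. The UPN example `_ad_user_@_AD.EXAMPLE.COM_` now differs in case from the `[domain/_ad.example.com_]` section name used earlier in the same file, which is fine for Kerberos but worth a half-sentence so readers do not assume the two must match.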
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
index 29bf5f89183..31e155f4fba 100644
--- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
@@ -2,7 +2,10 @@ = Configuring Active Directory as an external identity provider for {Project}
 If the base system of your {ProjectServer} is connected directly to Active Directory (AD), you can configure AD as an external authentication source for {Project}.
-Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored.
+Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored. The following login methods are available for AD users:
+
+* Username and password
+* Kerberos single sign-on
 [NOTE]
 ====
From 962eb31f7f564ec847558e3b2650ea46f9899c7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 17 Sep 2024 14:28:54 +0200
Subject: [PATCH 25/33] Apply suggestions from peer review
Co-authored-by: Maximilian Kolb
---
 ...ectory-as-an-external-identity-provider-for-project.adoc | 3 ++-
 ...ve-directory-authentication-source-on-projectserver.adoc | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
index 31e155f4fba..1db8144e052 100644
--- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
@@ -2,7 +2,8 @@ = Configuring Active Directory as an external identity provider for {Project}
 If the base system of your {ProjectServer} is connected directly to Active Directory (AD), you can configure AD as an external authentication source for {Project}.
-Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored. The following login methods are available for AD users:
+Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored.
+The following login methods are available for AD users:
 * Username and password
 * Kerberos single sign-on
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index e05683b39ce..399ec0cac16 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -7,11 +7,11 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres
 * The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain.
 To enable AD users to sign in with Kerberos single sign-on, join the system by using the System Security Services Daemon (SSSD) and Samba services.
 +
-Ensure you have the following packages installed:
+Install the following packages on {ProjectServer}:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# {foreman-maintain} packages install krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
+# {project-package-install} krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
 ----
 +
 Specify the required software when joining the AD domain:
@@ -109,7 +109,7 @@ Enter the user name in the user principal name (UPN) format, for example _ad_use
 ----
 $ kinit _ad_user_@_AD.EXAMPLE.COM_
 ----
-** Check that with the TGT, user authentication is successfully redirected:
+** Verify user authentication by using your TGT:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
From 444198fff6584bc15f059074a19ba09d02613c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 17 Sep 2024 14:28:01 +0200
Subject: [PATCH 26/33] Use attribute in RHEL docs URL
---
 ...active-directory-authentication-source-on-projectserver.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 399ec0cac16..3222bc6f53b 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -21,7 +21,7 @@ Specify the required software when joining the AD domain:
 # realm join _AD.EXAMPLE.COM_ --membership-software=samba --client-software=sssd
 ----
 +
-For more information on direct AD integration, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind].
+For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind].
 .Procedure
 . Define AD realm configuration in a location where {foreman-installer} expects it:
From 3a3c1e184881d2d312a65845f38c006d91fbed55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 17 Sep 2024 14:28:34 +0200
Subject: [PATCH 27/33] Tweak curl output
---
 ...-active-directory-authentication-source-on-projectserver.adoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 3222bc6f53b..2abf083ce95 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -114,6 +114,7 @@ $ kinit _ad_user_@_AD.EXAMPLE.COM_
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
 $ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin
+
 You are being redirected.
 ----
From a97f9a13515bd461b5193fe08513a27ed0f1f1f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 18 Sep 2024 10:57:35 +0200
Subject: [PATCH 28/33] Fix Vale error
---
 ...active-directory-authentication-source-on-projectserver.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 2abf083ce95..87e583e38cc 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -101,7 +101,7 @@ endif::[]
 .Verification
 * To verify that AD users can log in to {ProjectWebUI}, log in to {ProjectwebUI} by entering the credentials of a user defined in AD.
-Enter the user name in the user principal name (UPN) format, for example _ad_user_@_AD.EXAMPLE.COM_.
+Enter the user name in the user principal name (UPN) format, for example: `_ad_user_@_AD.EXAMPLE.COM_`.
 * To verify that AD users can authenticate by using Kerberos single sign-on:
 ** Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
 +
From 83cebccb85b4fd11f38b9e3e7490c8125797789b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 18 Sep 2024 11:04:59 +0200
Subject: [PATCH 29/33] Update xref after another PR has been merged
---
 ...-directory-as-an-external-identity-provider-for-project.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
index 1db8144e052..376e14846d4 100644
--- a/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-active-directory-as-an-external-identity-provider-for-project.adoc
@@ -14,7 +14,7 @@ You can also connect your {Project} deployment to AD in the following ways:
 * By using indirect AD integration.
 With indirect integration, your {ProjectServer} is connected to a {FreeIPA} server which is then connected to AD.
-For more information, see xref:configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}[].
+For more information, see xref:configuring-kerberos-single-sign-on-with-{Freeipa-context}-in-project_{context}[].
 * By attaching the LDAP server of the AD domain as an external authentication source with no single sign-on support.
 For more information, see xref:configuring-an-ldap-server-as-an-external-identity-provider-for-project_{context}[].
 ifndef::orcharhino[]
From c7b6c45066c3d3e5f1da863fc42c0925cc08a3e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Thu, 19 Sep 2024 11:14:13 +0200
Subject: [PATCH 30/33] Apply suggestions from peer review
Co-authored-by: mmuehlfeldRH <43061675+mmuehlfeldRH@users.noreply.github.com>
---
 ...active-directory-authentication-source-on-projectserver.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 87e583e38cc..647f9d4f106 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -29,7 +29,7 @@ For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# mkdir /etc/ipa
+# mkdir /etc/ipa/
 ----
 +
 .. Create a file named `default.conf` in the `/etc/ipa/` directory:
From 34225a7b08f98e5ce88b16ffc2fde12fa1ec7f0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Thu, 19 Sep 2024 11:13:58 +0200
Subject: [PATCH 31/33] Apply easy fixes from peer review
---
 ...uthentication-source-on-projectserver.adoc | 21 ++++---------------
 1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 647f9d4f106..f20fbc6ae39 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -5,7 +5,7 @@ Enable Active Directory (AD) users to access {Project} by configuring the corres
 .Prerequisites
 * The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain.
-To enable AD users to sign in with Kerberos single sign-on, join the system by using the System Security Services Daemon (SSSD) and Samba services.
+To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:
 +
 Install the following packages on {ProjectServer}:
 +
@@ -32,13 +32,7 @@ For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-
 # mkdir /etc/ipa/
 ----
 +
-.. Create a file named `default.conf` in the `/etc/ipa/` directory:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# touch /etc/ipa/default.conf
-----
-.. Add the following lines to `/etc/ipa/default.conf` to configure the Kerberos realm for the AD domain:
+.. Create the `/etc/ipa/default.conf` file with the following contents to configure the Kerberos realm for the AD domain:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
@@ -46,14 +40,7 @@ For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-
 realm = _AD.EXAMPLE.COM_
 ----
 . Configure the Apache keytab for Kerberos connections:
-.. Create a file named `/etc/net-keytab.conf` to store configuration details for Samba:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# touch /etc/net-keytab.conf
-----
-+
-.. Add the following lines to `/etc/net-keytab.conf` to provide Samba with details for how to interact with AD:
+.. Create the `/etc/net-keytab.conf` file with the following contents to provide Samba with details for how to interact with AD:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
@@ -100,7 +87,7 @@ endif::[]
 ----
 .Verification
-* To verify that AD users can log in to {ProjectWebUI}, log in to {ProjectwebUI} by entering the credentials of a user defined in AD.
+* To verify that AD users can log in to {Project} by entering their credentials, log in to {ProjectwebUI} at \https://{foreman-example-com}.
 Enter the user name in the user principal name (UPN) format, for example: `_ad_user_@_AD.EXAMPLE.COM_`.
 * To verify that AD users can authenticate by using Kerberos single sign-on:
 ** Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
From 88ff27221a746689da6ff4a8b480e435dd259520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Thu, 19 Sep 2024 13:22:13 +0200
Subject: [PATCH 32/33] Minor tweaks based on peer review and further testing
---
 ...tive-directory-authentication-source-on-projectserver.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index f20fbc6ae39..20f3780c7a5 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -11,7 +11,7 @@ Install the following packages on {ProjectServer}:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# {project-package-install} krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
+# {project-package-install} adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
 ----
 +
 Specify the required software when joining the AD domain:
@@ -55,7 +55,7 @@ security = ads
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/net-keytab.conf -d3
+# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/net-keytab.conf
 ----
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
 .. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows:
From 503934f6e775547484eb0700d5260b69cec6c7a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Thu, 19 Sep 2024 13:24:01 +0200
Subject: [PATCH 33/33] Use smb.conf to store settings for interacting with AD
/etc/samba/smb.conf is already present by default, it's better to use that rather than create a separate configuration file for this
---
 ...tive-directory-authentication-source-on-projectserver.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
index 20f3780c7a5..a32c5f39c2e 100644
--- a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -40,7 +40,7 @@ For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-
 realm = _AD.EXAMPLE.COM_
 ----
 . Configure the Apache keytab for Kerberos connections:
-.. Create the `/etc/net-keytab.conf` file with the following contents to provide Samba with details for how to interact with AD:
+.. Update the `/etc/samba/smb.conf` file with the following settings to configure how Samba interacts with AD:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
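Review bot: The new sub-step tells the reader to "Update the `/etc/samba/smb.conf` file with the following settings", but `/etc/samba/smb.conf` is also the file that `realm join --membership-software=samba` (shown earlier in this file) manages for domain membership, and the listing that follows opens with its own `[global]` header according to the earlier patch in this series. Without guidance a reader may overwrite the file or add a second `[global]` section, which can break the join that the Prerequisites require. Rewording the step to `.. In the `[global]` section of `/etc/samba/smb.conf`, add or update the following settings to configure how Samba interacts with AD:` makes the intended merge explicit. The listing itself lies outside this hunk.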
@@ -55,7 +55,7 @@ security = ads
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/net-keytab.conf
+# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
 ----
 . Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
 .. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows:
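Review bot: The new `net ads keytab add` line creates `/etc/httpd/conf/http.keytab`, the long-lived credential for the HTTP service principal, but nothing in this hunk states who may read the file once the command has written it, and the resulting ownership and mode are not shown. Because the value of this procedure depends on that keytab being readable by `root` only (the Apache user is presumably meant to reach it only indirectly), the step should either show the expected ownership and mode after the listing or state explicitly that {foreman-installer} enforces them in a later step, if that is the case. A one-line addition after the listing such as `Ensure that `/etc/httpd/conf/http.keytab` is owned by `root` and is not readable by the Apache user.` gives the reader something to verify. The enclosing step `. Configure the Apache keytab for Kerberos connections:` begins outside this hunk.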