Merged
Expand Up @@ -20,11 +20,7 @@ include::modules/proc_configuring-host-based-authentication-control.adoc[levelof

include::modules/con_using-active-directory.adoc[leveloffset=+1]

include::modules/con_gss-proxy.adoc[leveloffset=+2]

include::modules/proc_enrolling-server-with-the-ad-server.adoc[leveloffset=+2]

include::modules/proc_configuring-direct-ad-integration-with-gss-proxy.adoc[leveloffset=+2]
include::modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc[leveloffset=+2]

include::modules/con_kerberos-configuration-in-web-browsers.adoc[leveloffset=+2]

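Review bot: the includes for proc_enrolling-server-with-the-ad-server.adoc and proc_configuring-direct-ad-integration-with-gss-proxy.adoc are dropped here together with con_gss-proxy.adoc, so any xref that still points at Enrolling_Server_with_the_AD_Server_{context} or Configuring_Direct_AD_Integration_with_GSS_Proxy_{context} (the two removed from con_using-active-directory.adoc in this PR) would now be dangling and fail the build; grep the other assemblies and modules for those IDs before merging, and make sure any updated xref targets the replacement module's id, configuring-the-active-directory-authentication-source-on-projectserver_{context}.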
12 changes: 0 additions & 12 deletions guides/common/modules/con_gss-proxy.adoc

This file was deleted.

4 changes: 0 additions & 4 deletions guides/common/modules/con_using-active-directory.adoc
Expand Up @@ -13,7 +13,3 @@ endif::[]
====

Direct AD integration means that {ProjectServer} is joined directly to the AD domain where the identity is stored.
The recommended setup consists of two steps:

* Enrolling {ProjectServer} with the Active Directory server as described in xref:Enrolling_Server_with_the_AD_Server_{context}[].
* Configuring direct Active Directory integration with GSS-proxy as described in xref:Configuring_Direct_AD_Integration_with_GSS_Proxy_{context}[].

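Review bot: with the "recommended setup consists of two steps" list removed, this concept module now ends on the single definition sentence "Direct AD integration means that {ProjectServer} is joined directly to the AD domain ..." and no longer tells the reader where the setup is described; consider replacing the removed bullets with a one-line xref to configuring-the-active-directory-authentication-source-on-projectserver_{context} so the concept still leads into the new procedure.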
This file was deleted.

@@ -0,0 +1,109 @@
[id="configuring-the-active-directory-authentication-source-on-projectserver_{context}"]
= Configuring the Active Directory authentication source on {ProjectServer}

Enable Active Directory (AD) users to access {Project} by configuring the corresponding authentication provider on your {ProjectServer}.

.Prerequisites
* The base system of your {ProjectServer} must be joined to an Active Directory (AD) domain.
To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:
+
Install the following packages on {ProjectServer}:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# {project-package-install} adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
----
+
Specify the required software when joining the AD domain:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# realm join _AD.EXAMPLE.COM_ --membership-software=samba --client-software=sssd
----
+
For more information on direct AD integration, see link:{RHELDocsBaseURL}9/html-single/integrating_rhel_systems_directly_with_windows_active_directory/index#connecting-rhel-systems-directly-to-ad-using-samba-winbind_integrating-rhel-systems-directly-with-active-directory[Connecting RHEL systems directly to AD using Samba Winbind].

.Procedure
. Define AD realm configuration in a location where {foreman-installer} expects it:
.. Create a directory named `/etc/ipa/`:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# mkdir /etc/ipa/
----
+
.. Create the `/etc/ipa/default.conf` file with the following contents to configure the Kerberos realm for the AD domain:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
[global]
realm = _AD.EXAMPLE.COM_
----
. Configure the Apache keytab for Kerberos connections:
.. Update the `/etc/samba/smb.conf` file with the following settings to configure how Samba interacts with AD:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
[global]
workgroup = _AD.EXAMPLE_
realm = _AD.EXAMPLE.COM_
kerberos method = system keytab
security = ads
----
+
.. Add the Kerberos service principal to the keytab file at `/etc/httpd/conf/http.keytab`:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
----
. Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the `foreman` PAM service:
.. In the `[domain/_ad.example.com_]` section of your `/etc/sssd/sssd.conf` file, configure the `ad_gpo_access_control` and `ad_gpo_map_service` options as follows:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
[domain/_ad.example.com_]
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman
----
ifndef::orcharhino[]
+
For more information on GPOs, see the following documents:
+
* link:{RHELDocsBaseURL}9/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#how-sssd-interprets-gpo-access-control-rules_applying-group-policy-object-access-control-in-rhel[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}9)_
* link:{RHELDocsBaseURL}8/html/integrating_rhel_systems_directly_with_windows_active_directory/managing-direct-connections-to-ad_integrating-rhel-systems-directly-with-active-directory#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad[How SSSD interprets GPO access control rules] in _Integrating RHEL systems directly with Windows Active Directory (RHEL{nbsp}8)_
endif::[]
.. Restart SSSD:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# systemctl restart sssd
----
. Enable the authentication source:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# {foreman-installer} --foreman-ipa-authentication=true
----

.Verification
* To verify that AD users can log in to {Project} by entering their credentials, log in to {ProjectwebUI} at \https://{foreman-example-com}.
Enter the user name in the user principal name (UPN) format, for example: `_ad_user_@_AD.EXAMPLE.COM_`.
* To verify that AD users can authenticate by using Kerberos single sign-on:
** Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
$ kinit _ad_user_@_AD.EXAMPLE.COM_
----
** Verify user authentication by using your TGT:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
$ curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin

<html><body>You are being <a href="{foreman-example-com}/hosts">redirected</a>.</body></html>
----

.Additional resources
* `sssd-ad(5)` man page on your system
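Review bot: in the Verification section, `curl -k -u : --negotiate https://{foreman-example-com}/users/extlogin` turns off TLS certificate verification with `-k`; since the step exists to confirm that Kerberos authentication works against the real {ProjectServer}, prefer `--cacert` with the server's CA certificate (or a CA already in the system trust store) over `-k`, which would also silently accept a wrong or impersonated endpoint. Two smaller points in the same file: the keytab step documents `net ads keytab add HTTP -U Administrator`, so a short note that `Administrator` stands for any AD account with rights to update the host's computer object would keep admins from reaching for the domain Administrator account by default; and the RHEL 8 link in the GPO note carries the text "How SSSD interprets GPO access control rules" while its anchor is `#applying-group-policy-object-access-control-in-rhel_managing-direct-connections-to-ad`, the parent section, so either the anchor or the link text should be changed to match the RHEL 9 entry above it.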

This file was deleted.