How to setup AD Active Directory Authentication on Cloudforms 5

So long story short. I ran into a problem configuring the new Cloudforms 5. At the time of this writing the Redhat KB article is actually incorrect.
What I found in Cloudforms 5 is that this doesnt work the way Cloudforms 4 did and actually switches to realmd and sssd to do the active directory integration with httpd. You have to do the external auth with httpd option if you want real AD integration in your automation

Reference link for this is:
I would recommend following the following article from manage IQ, but there is a slight different with Redhat.



To make this easier I have put this into a script that should do most of the work for you

You really only need to do this on the UI nodes where users will be authenticating.


Run the following commands and replace the < strings > with your own info.

realm discover <your_ad_domain_fqdn>
realm join <your_ad_domain_fqdn> -U <user_to_join_domain>
systemctl enable httpd
realm permit --all

Verify that t your /etc/sssd/sssd.conf file like below. Obviously your domain should be in the place of “” with your own domains FQDN.

ad_domain =
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_map_permit = +httpd-auth
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname

domains =
config_file_version = 2
services = nss, pam, ifp
default_domain_suffix =

homedir_substring = /home

default_domain_suffix =

default_domain_suffix =
allowed_uids = apache, root
user_attributes = +mail, +givenname, +sn, +displayname, +domainname

Next you can do or run this script to configure the rest

chmod 500 sssd.conf

systemctl restart sssd 
systemctl enable sssd 

#set apache rights to see krb5 file
chgrp apache /etc/krb5.keytab 
chmod 640 /etc/krb5.keytab 

#Copy to apache
cp ${TEMPLATE_DIR}/etc/pam.d/httpd-auth /etc/pam.d/httpd-auth 
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user.conf /etc/httpd/conf.d/ 
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth.conf.erb /etc/httpd/conf.d/manageiq-external-auth.conf 

Then you need to put in the auth config for apache
It should look something like this for what you need to have. This block of code should be right under
LoadModule lookup_identity_module modules/

<Location /dashboard/kerberos_authenticate>
  AuthType           GSSAPI
  AuthName           "GSSAPI Single Sign On Login"
  GssapiCredStore    keytab:/etc/http.keytab
  GssapiLocalName    on
  Require            pam-account httpd-auth

  ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js

Then you can run the following:

setsebool -P allow_httpd_mod_auth_pam on 
setsebool -P httpd_dbus_sssd on

systemctl restart httpd
systemctl enable httpd  

Reference Articles: