How to set up Active Directory (AD) authentication on CloudForms 5
Long story short: I ran into a problem configuring the new CloudForms 5. At the time of this writing the Red Hat KB article is actually incorrect.
What I found is that CloudForms 5 doesn't work the way CloudForms 4 did; it now uses realmd and sssd to do the Active Directory integration through httpd. You have to use the "external auth with httpd" option if you want real AD integration in your automation.
Reference link for this is:
I would recommend following the ManageIQ article listed in the references below, but there is a slight difference on Red Hat.
To make this easier I have put the steps into a script that should do most of the work for you.
Targets:
You really only need to do this on the UI nodes where users will be authenticating.
Run the following commands, replacing the <strings> with your own info.
realm discover <your_ad_domain_fqdn>
realm join <your_ad_domain_fqdn> -U <user_to_join_domain>
systemctl enable httpd
realm permit --all
Verify that your /etc/sssd/sssd.conf file looks like the one below. Obviously your own domain's FQDN should be in place of "example.com".
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_map_permit = +httpd-auth
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, ifp
default_domain_suffix = example.com
[nss]
homedir_substring = /home
[pam]
default_domain_suffix = example.com
[ifp]
default_domain_suffix = example.com
allowed_uids = apache, root
user_attributes = +mail, +givenname, +sn, +displayname, +domainname
Next, run the following commands (or put them in a script) to configure the rest:
# sssd expects its config to be root-owned and mode 0600; the file lives in /etc/sssd
chmod 600 /etc/sssd/sssd.conf
systemctl restart sssd
systemctl enable sssd
#set apache rights to see krb5 file
chgrp apache /etc/krb5.keytab
chmod 640 /etc/krb5.keytab
#Copy to apache
TEMPLATE_DIR="/opt/rh/cfme-appliance/TEMPLATE"
cp ${TEMPLATE_DIR}/etc/pam.d/httpd-auth /etc/pam.d/httpd-auth
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-remote-user.conf /etc/httpd/conf.d/
cp ${TEMPLATE_DIR}/etc/httpd/conf.d/manageiq-external-auth.conf.erb /etc/httpd/conf.d/manageiq-external-auth.conf
Then you need to put the auth config for Apache into /etc/httpd/conf.d/manageiq-external-auth.conf. It should look something like the block below, which goes right under this line:
LoadModule lookup_identity_module modules/mod_lookup_identity.so
<Location /dashboard/kerberos_authenticate>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/http.keytab
GssapiLocalName on
Require pam-account httpd-auth
ErrorDocument 401 /proxy_pages/invalid_sso_credentials.js
</Location>
Make sure the keytab path in GssapiCredStore is the same keytab you made readable to the apache group above; if the two paths differ, Apache cannot read the credentials and every SSO login fails with a 401. Then you can run the following:
setsebool -P allow_httpd_mod_auth_pam on
setsebool -P httpd_dbus_sssd on
systemctl restart httpd
systemctl enable httpd
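Before restarting sssd and httpd it is worth checking that the two config files actually carry the settings this integration depends on: the ifp responder and its allowed_uids for apache (which is what lets mod_lookup_identity query sssd over D-Bus), the +httpd-auth GPO mapping, and a GssapiCredStore keytab that Apache can read. The following pre-flight script is an added example, not code from the original post or from the ManageIQ/CloudForms projects. The list of required settings is taken from the sssd.conf shown above, the function names are my own, the sample configs are constructed from the post's example.com values, and the mode check assumes GNU stat (the appliance is RHEL-based).

```shell
#!/bin/sh
# Added pre-flight check for the sssd/httpd settings used in the post.
# Not from the original post or from ManageIQ/CloudForms; sample configs
# below are constructed from the post's example.com values.

# ini_has FILE SECTION KEY NEEDLE: succeed if KEY inside [SECTION] has a
# value containing NEEDLE. POSIX awk only, so it runs on a bare appliance.
ini_has() {
    awk -v s="[$2]" -v k="$3" -v n="$4" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { in_sec = (line == s); next }
        in_sec && index(line, "=") > 0 {
            key = substr(line, 1, index(line, "=") - 1)
            gsub(/[ \t]+$/, "", key)
            val = substr(line, index(line, "=") + 1)
            if (key == k && index(val, n) > 0) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# sssd_conf_check FILE DOMAIN: report every required setting that is
# missing; the return value is the number of misses (0 = all present).
sssd_conf_check() {
    _conf=$1; _domain=$2; _miss=0
    for _spec in \
        "sssd|services|ifp" \
        "sssd|domains|$_domain" \
        "ifp|allowed_uids|apache" \
        "domain/$_domain|id_provider|ad" \
        "domain/$_domain|access_provider|ad" \
        "domain/$_domain|ad_gpo_map_permit|+httpd-auth" \
        "domain/$_domain|use_fully_qualified_names|True"
    do
        _sec=${_spec%%|*}; _rest=${_spec#*|}
        _key=${_rest%%|*}; _val=${_rest#*|}
        if ! ini_has "$_conf" "$_sec" "$_key" "$_val"; then
            echo "sssd.conf: [$_sec] $_key should contain '$_val'" >&2
            _miss=$((_miss + 1))
        fi
    done
    return $_miss
}

# httpd_keytab_path FILE: print the keytab named by GssapiCredStore, or fail.
httpd_keytab_path() {
    _kt=$(sed -n 's/^[[:space:]]*GssapiCredStore[[:space:]]*keytab:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$_kt" ] || return 1
    printf '%s\n' "$_kt"
}

# preflight SSSD_CONF HTTPD_CONF DOMAIN: run both checks and confirm the
# keytab Apache is pointed at exists and is group apache, mode 640 (the
# chgrp/chmod from the post). Non-zero means do not restart the services yet.
preflight() {
    _rc=0
    sssd_conf_check "$1" "$3" || _rc=1
    _kt=$(httpd_keytab_path "$2") || { echo "httpd: no GssapiCredStore keytab: entry in $2" >&2; _rc=1; }
    if [ -n "$_kt" ]; then
        if [ ! -f "$_kt" ]; then
            echo "keytab $_kt does not exist (does it match the one you chgrp'ed?)" >&2; _rc=1
        elif [ "$(stat -c '%G %a' "$_kt")" != "apache 640" ]; then   # GNU stat
            echo "keytab $_kt should be group apache, mode 640" >&2; _rc=1
        fi
    fi
    return $_rc
}

# Constructed sample sssd.conf. With GOOD=no the [ifp] allowed_uids line and
# the +httpd-auth GPO mapping are left out so the check has something to catch.
write_sample_sssd_conf() {   # FILE GOOD(yes|no)
    {
        echo "[domain/example.com]"
        echo "ad_domain = example.com"
        echo "id_provider = ad"
        echo "access_provider = ad"
        echo "use_fully_qualified_names = True"
        [ "$2" = yes ] && echo "ad_gpo_map_permit = +httpd-auth"
        echo "[sssd]"
        echo "domains = example.com"
        echo "services = nss, pam, ifp"
        echo "[ifp]"
        [ "$2" = yes ] && echo "allowed_uids = apache, root"
        echo "user_attributes = +mail, +givenname, +sn, +displayname, +domainname"
    } > "$1"
}

# Constructed sample of the <Location> block from the post.
write_sample_httpd_conf() {   # FILE
    {
        echo "<Location /dashboard/kerberos_authenticate>"
        echo "  AuthType GSSAPI"
        echo "  GssapiCredStore keytab:/etc/krb5.keytab"
        echo "  Require pam-account httpd-auth"
        echo "</Location>"
    } > "$1"
}

# demo: run the checks against the constructed samples.
demo() {
    _d=$(mktemp -d)
    write_sample_sssd_conf "$_d/good.conf" yes
    write_sample_sssd_conf "$_d/bad.conf" no
    write_sample_httpd_conf "$_d/httpd.conf"
    sssd_conf_check "$_d/good.conf" example.com && echo "good.conf: ok"
    sssd_conf_check "$_d/bad.conf" example.com || echo "bad.conf: $? setting(s) missing"
    echo "httpd keytab: $(httpd_keytab_path "$_d/httpd.conf")"
    rm -rf "$_d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real appliance run `preflight /etc/sssd/sssd.conf /etc/httpd/conf.d/manageiq-external-auth.conf your.ad.domain` (as root, since the keytab is not world-readable) and only restart sssd and httpd once it returns 0; `sh script.sh --demo` exercises it against the constructed samples.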
Reference Articles:
https://www.manageiq.org/docs/reference/latest/auth/active_directory
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/5.0/html/managing_authentication_for_cloudforms/external_auth#external_active_directory
Ben Tuma
Over 20 years of experience in the Information Technology field. I love technology and seeing how it changes and impacts people's lives for the better. I have a healthy appetite for innovation and problem solving.
I am sharing my knowledge and challenges in the hope of helping others as we constantly face ever-changing problems in IT and technology.