proc_configuring-freeipa-authentication-on-server.adoc

Configuring {FreeIPA} Authentication on {ProjectServer}

In the {Project} CLI, configure {FreeIPA} authentication by first creating a host entry on the {FreeIPA} server.

Procedure
  1. On the {FreeIPA} server, authenticate as the admin user by entering the following command and providing your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. On the {FreeIPA} server, create a host entry for {ProjectServer} and generate a one-time password, for example:

    # ipa host-add --random hostname
    Note

    The generated one-time password must be used on the client to complete {FreeIPA}-enrollment.

  4. Create an HTTP service for {ProjectServer}, for example:

    # ipa service-add HTTP/hostname
  5. On {ProjectServer}, install the IPA client:

    # {project-package-install} ipa-client
  6. On {ProjectServer}, enter the following command as root to configure {FreeIPA}-enrollment:

    # ipa-client-install --password OTP

    Replace OTP with the one-time password provided by the {FreeIPA} administrator.

  7. Set {FreeIPA} as the authentication provider, using one of the following commands:

    • If you only want to enable access to the {ProjectWebUI} but not the {Project} API, enter:

      # {foreman-installer} \
      --foreman-ipa-authentication=true
    • If you want to enable access both to the {ProjectWebUI} and the {Project} API, enter:

      # {foreman-installer} \
      --foreman-ipa-authentication-api=true \
      --foreman-ipa-authentication=true
      Warning

      Enabling access to both the {Project} API and the {ProjectWebUI} can lead to security problems. After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering kinit user_name, an attacker can obtain an API session. The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser.

  8. Restart {Project} services:

    # {foreman-maintain} service restart

External users can now log in to {Project} using their {FreeIPA} credentials. They can either log in to {ProjectServer} directly with their username and password, or use the configured Kerberos single sign-on: after obtaining a ticket on their client machine, they are logged in automatically. Two-factor authentication with a one-time password (2FA OTP) is also supported.
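As an added example, not part of the original procedure or of the FreeIPA or Foreman projects' own tooling, the following shell wrapper performs steps 2 to 4 on the {FreeIPA} server with the checks an administrator would want: it confirms a Kerberos ticket-granting ticket is present before calling `ipa`, refuses to touch a host entry that already exists, and extracts the one-time password from the `ipa host-add --random` output so it can be handed to the client side out of band. It assumes the `ipa` and `klist` CLIs are available and that `ipa host-add --random` prints a `Random password:` line (an assumption to check against your IPA version).

```shell
#!/bin/sh
# Added example, not part of the original procedure or of the FreeIPA/Foreman
# projects: a wrapper for steps 2 to 4 on the FreeIPA server.
# Assumes the ipa and klist CLIs, and that "ipa host-add --random" prints a
# "Random password: ..." line (assumption; check against your IPA version).
set -eu

# Step 2 check: a ticket-granting ticket must be present before calling ipa.
have_tgt() {
    klist 2>/dev/null | grep -q 'krbtgt/'
}

# Pull the one-time password out of "ipa host-add --random" output (stdin).
parse_random_password() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Step 3: create the host entry and print only the OTP on stdout.
# The existence check runs up front so that a typo in the hostname is
# caught with a clear message before any change is made.
create_host_with_otp() {
    host="$1"
    if ipa host-show "$host" >/dev/null 2>&1; then
        echo "host entry $host already exists; refusing to replace it" >&2
        return 1
    fi
    ipa host-add --random "$host" | parse_random_password
}

# Step 4: the HTTP/<fqdn> service principal used by the Foreman web server.
create_http_service() {
    ipa service-add "HTTP/$1" >/dev/null
}

main() {
    host="${1:?usage: $0 <foreman-server-fqdn>}"
    have_tgt || { echo "no Kerberos TGT; run 'kinit admin' first" >&2; exit 1; }
    otp="$(create_host_with_otp "$host")"
    [ -n "$otp" ] || { echo "could not read the OTP from ipa output" >&2; exit 1; }
    create_http_service "$host"
    # Hand the OTP to the client side out of band; it is used once by ipa-client-install.
    echo "OTP for $host (ipa-client-install --password): $otp"
}

# Run only when a hostname is given, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh prepare-foreman-host.sh foreman.example.com` after `kinit admin`; the printed OTP is what step 6 passes to `ipa-client-install --password` on {ProjectServer}.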