Integrate Red Hat Satellite with an Identity Management server and enable host-based access control.
Red Hat Satellite 6 is a systems management tool that can be used to provision systems and provide software updates. Satellite serves as a local repository of software content and a central point of management for Red Hat entitlements. It also performs configuration management of systems to adhere to predefined standard operating environments.
Red Hat Satellite 6 uses Satellite servers and Capsule servers to scale effectively and meet the demands of large enterprises, even across a geographically distributed environment.
You can use a web browser to manage Satellite through its web UI. You can also use a command-line interface or an API to program custom workflows or task automation.
By default, Satellite maintains a local, internal database of user accounts, which it uses for local authentication of users. However, Satellite also supports various methods of external authentication, such as LDAP, Active Directory, and IdM.
For LDAP configuration, you have the option to select LDAPS (LDAP with TLS) as external authentication for Satellite. In an Active Directory or IdM integration, the Satellite server joins the domain where the identity information is stored.
Users must authenticate by using only one authentication method. When a user logs in to Satellite through an external authentication method, Satellite creates that user internally. To change the authentication method for a user, you must first delete the database record for that user.
To configure Identity Management as an external authentication method, the Satellite server must be an IdM client.
Install the ipa-client package on the Satellite server and configure it as an IdM client.
Ensure that the Satellite server can resolve IdM DNS services and records:
```
[root@host ~]# satellite-maintain packages install ipa-client
...output omitted...
[root@host ~]# ipa-client-install
...output omitted...
```
Use the satellite-installer command to configure IdM as an authentication provider.
You can enable authentication for the Satellite web UI and the API independently.
The Satellite services must be restarted after configuring IdM as an authentication provider.
In some scenarios, you might want to restrict IdM authentication to only the web interface. Enabling IdM authentication for the Satellite API can lead to security problems.
```
[root@host ~]# satellite-installer \
--foreman-ipa-authentication=true \
--foreman-ipa-authentication-api=true
[root@host ~]# satellite-maintain service restart
```
When the configuration of Satellite server for external authentication with IdM is complete, IdM users can log in to the Satellite server using their IdM credentials. If single sign-on is configured in IdM, users can also obtain a ticket on their client machine and then log in to the Satellite server automatically. If an IdM user is configured to use two-factor authentication with a one-time password, then that user can also authenticate to the Satellite server with a one-time password.
To restrict Satellite server access to a subset of the IdM user population, use IdM's host-based access control (HBAC). HBAC rules dictate which systems within an IdM domain should be accessible to an IdM user. Therefore, HBAC rules can restrict access to the Satellite server to only a subset of IdM users.
To configure HBAC in Satellite, create the HBAC services and rules on IdM.
Add the users or groups, and the Satellite server as a host to the HBAC rule.
The following example shows the creation of the satellite-prod HBAC service and the allow_satellite_prod rule.
After you configure all the appropriate rules, ensure that the allow_all rule is disabled.
```
[user@host ~]$ ipa hbacsvc-add satellite-prod
[user@host ~]$ ipa hbacrule-add allow_satellite_prod
[user@host ~]$ ipa hbacrule-add-service allow_satellite_prod \
--hbacsvcs=satellite-prod
[user@host ~]$ ipa hbacrule-add-host allow_satellite_prod \
--hosts=satellite.example.com
[user@host ~]$ ipa hbacrule-add-user allow_satellite_prod \
--user=produser01
```
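The following added example (not code from the page or from IdM) models how IdM evaluates the HBAC rules created above, in the spirit of `ipa hbactest`: access is granted when any enabled rule matches the user, host and PAM service, which is why leaving the default allow_all rule enabled silently nullifies the allow_satellite_prod restriction. The model is simplified to direct user and host members (no group membership), and the service name is the one later passed to --foreman-pam-service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HbacRule:
    """Constructed model of one IdM HBAC rule (simplified: direct members only)."""
    name: str
    enabled: bool = True
    users: frozenset = frozenset()     # explicit user members (--users)
    hosts: frozenset = frozenset()     # target hosts (--hosts)
    services: frozenset = frozenset()  # PAM services (--hbacsvcs)
    all_users: bool = False            # usercategory=all
    all_hosts: bool = False            # hostcategory=all
    all_services: bool = False         # servicecategory=all

    def matches(self, user: str, host: str, service: str) -> bool:
        return (self.enabled
                and (self.all_users or user in self.users)
                and (self.all_hosts or host in self.hosts)
                and (self.all_services or service in self.services))

def matching_rules(rules, user, host, service):
    """Names of the enabled rules that grant this (user, host, service) triple.
    HBAC rules are allow-only: one matching rule is enough, so an enabled
    allow_all rule makes every narrower rule irrelevant."""
    return [r.name for r in rules if r.matches(user, host, service)]

def access_allowed(rules, user, host, service) -> bool:
    return bool(matching_rules(rules, user, host, service))

def build_rules(allow_all_enabled: bool):
    """Constructed rule set mirroring the page: the default allow_all rule
    plus allow_satellite_prod for the satellite-prod PAM service."""
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         all_users=True, all_hosts=True, all_services=True)
    prod = HbacRule("allow_satellite_prod",
                    users=frozenset({"produser01"}),
                    hosts=frozenset({"satellite.example.com"}),
                    services=frozenset({"satellite-prod"}))
    return [allow_all, prod]

if __name__ == "__main__":
    for enabled in (True, False):
        rules = build_rules(enabled)
        for user in ("produser01", "someone-else"):
            print(f"allow_all enabled={enabled} user={user}:",
                  matching_rules(rules, user, "satellite.example.com", "satellite-prod"))
```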
On the Satellite server, define the PAM service by using the satellite-installer command with the --foreman-pam-service option:
```
[root@host ~]# satellite-installer --foreman-pam-service=satellite-prod
```
In addition to using IdM as external authentication for Satellite, you can configure Satellite-provisioned hosts to use IdM authentication. To do so, you must enable and configure the Satellite server's realm feature.
Use the foreman-prepare-realm command to enable the realm feature on a Satellite server.
The following example uses the IdM admin user account to authenticate to IdM, and creates the realm-capsule realm proxy user.
Upon execution, IdM creates a role with the permissions needed by the Satellite server for integration and assigns this role to the realm-capsule user.
```
[root@host ~]# foreman-prepare-realm admin realm-capsule
```
Satellite retrieves an IdM keytab and stores it as the /root/freeipa.keytab file on the Satellite server.
You must move the keytab to the /etc/foreman-proxy directory and set the ownership of the file to the foreman-proxy user and group.
Copy the keytab file to all Satellite and Capsule servers that you want to configure for authentication:
```
[root@host ~]# mv /root/freeipa.keytab /etc/foreman-proxy
[root@host ~]# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Use the satellite-installer command with the following options to configure a Satellite server for the provisioning of hosts configured to use IdM for external authentication.
| Option | Value | Description |
|---|---|---|
| --foreman-proxy-realm | true | Enables realm support. |
| --foreman-proxy-realm-keytab | /etc/foreman-proxy/freeipa.keytab | Specifies the file containing the keytab previously retrieved from the IdM server. |
| --foreman-proxy-realm-principal | 'realm-capsule@LAB.EXAMPLE.COM' | Specifies realm-capsule@LAB.EXAMPLE.COM as the principal to use for the integration with IdM. |
| --foreman-proxy-realm-provider | freeipa | Specifies freeipa as the realm provider. |
```
[root@host ~]# satellite-installer \
--foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal 'realm-capsule@LAB.EXAMPLE.COM' \
--foreman-proxy-realm-provider freeipa
```
Ensure that the IdM CA certificates are installed and restart the foreman-proxy service.
Also ensure that the principal is correctly defined in the /etc/foreman-proxy/settings.d/realm_freeipa.yml file:
```
[root@host ~]# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
[root@host ~]# update-ca-trust enable
[root@host ~]# update-ca-trust
[root@host ~]# systemctl restart foreman-proxy
```
To create a Satellite realm, navigate to → and complete the required information. To associate host groups with the new realm, navigate to → , select the host group and click . Select the realm and click .
In Satellite server, host groups provide a means of grouping hosts into logical units. Hosts placed in a host group inherit that group's configurations for software, network, operating system, and subscription profiles.
Likewise, IdM also uses host groups to group systems into logical units. When integrating hosts provisioned by Satellite server into an organization's IdM realm, you might want to enroll the host into an IdM host group based on its Satellite host group membership.
You can automate these host enrollments by creating automember rules within IdM.
The userclass attribute identifies the Satellite host group that a host belongs to.
Therefore, to enroll provisioned hosts into IdM host groups based on their Satellite host group membership, you can create an automember rule based on the value of the userclass attribute.
For example, you can create the production_servers IdM host group to enroll hosts provisioned from the Prod Satellite host group.
Create the add_production_servers automember rule as well.
Use the --type=hostgroup option to specify that the rule is for host group enrollment:
```
[user@host ~]$ ipa hostgroup-add production_servers
[user@host ~]$ ipa automember-add --type=hostgroup add_production_servers
```
Then, create the condition to act as a trigger for the new automember rule. This condition defines the criteria for triggering the rule and the action to be taken.
The --key=userclass option specifies that the condition evaluates the host's userclass attribute, which contains its Satellite host group name.
Use the --inclusive-regex='^Prod$' option to define the regular expression to use when evaluating the userclass attribute, so that the rule includes only Satellite-provisioned hosts that belong to the Satellite Prod host group:
```
[user@host ~]$ ipa automember-add-condition \
--type=hostgroup production_servers \
--key=userclass \
--inclusive-regex='^Prod$'
```
With realm configuration and automember rules in place, Satellite server automatically integrates systems into an organization's IdM realm during their provisioning. During host provisioning, the integration of Satellite server and IdM causes the following actions to automatically take place:
Satellite server configures the new host as an IdM client.
The IdM server creates a host principal for the host.
The IdM server creates DNS records for the new host.
The IdM server enrolls the new host into the appropriate IdM host group based on the host's Satellite host group membership.
After the provisioning of the new host completes, it is reachable on the network by DNS resolution. It is also a member of the IdM realm, so it can authenticate using the IdM server without any further manual configuration. Due to its automatic enrollment into an IdM host group, it is available for management using IdM features, such as host-based access controls and Sudo policies.
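The following added example (not code from the page or from IdM) models how an automember condition on the userclass attribute decides host group enrollment, and why the page anchors the pattern as ^Prod$: it assumes IdM evaluates the regular expression with search semantics, so an unanchored pattern such as Prod also matches values like Production, and that a matching exclusive condition removes a host from a group even when an inclusive condition matches. The rule set and userclass values are constructed for illustration.

```python
import re

# Constructed automember rules keyed by IdM host group. production_servers
# uses the page's anchored pattern; prod_like_servers deliberately uses an
# unanchored one so the difference is visible.
RULES = {
    "production_servers": {"inclusive": [r"^Prod$"], "exclusive": []},
    "prod_like_servers": {"inclusive": [r"Prod"], "exclusive": [r"^Prod-decom$"]},
}

def condition_matches(patterns, value: str) -> bool:
    # Assumption: search semantics, so only ^ and $ force a whole-value match.
    return any(re.search(rx, value) for rx in patterns)

def automember_hostgroups(userclass: str, rules=RULES) -> list:
    """Return the IdM host groups a host with this userclass value (its
    Satellite host group name) would be enrolled into. An exclusive
    condition that matches wins over any inclusive condition."""
    groups = []
    for group, cond in rules.items():
        if condition_matches(cond["exclusive"], userclass):
            continue
        if condition_matches(cond["inclusive"], userclass):
            groups.append(group)
    return sorted(groups)

if __name__ == "__main__":
    # Constructed sample userclass values as Satellite would set them.
    for userclass in ("Prod", "Production", "Prod-decom", "Dev"):
        print(f"{userclass!r:14} -> {automember_hostgroups(userclass)}")
```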
For more information, refer to the Configuring External Authentication section of the Installing Satellite Server in a Connected Network Environment at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html-single/installing_satellite_server_in_a_connected_network_environment/index#Configuring_External_Authentication_satellite
For more information, refer to the Automating Group Membership Using IdM CLI section of the Managing IdM Users, Groups, Hosts, and Access Control Rules at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#automating-group-membership-using-idm-cli_managing-users-groups-hosts