RH362 - ch09s06

Bookmark this page

Guided Exercise: Configuring Automation Controller with IdM Authentication

Configure automation controller to use IdM user authentication.

Outcomes

Configure IdM as the LDAP back end for automation controller.
Manage IdM user access to automation controller.
Map IdM user attributes to automation controller user properties.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available:

[student@workstation ~]$ lab start products-controller

Instructions

On the idm machine, create an LDAP bind account named controller.

Open a terminal session to the idm machine as student, and change to the root user.

[student@workstation ~]$ ssh idm
[student@idm ~]$ sudo -i
[sudo] password for student: student
[root@idm ~]#

Use kinit to authenticate as the admin user with RedHat123^ as the password.

[root@idm ~]# kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^

Use the ldapmodify command to create the controller user, which has access to read the entire LDAP structure on the IdM server. Authenticate as the Directory Manger user with RedHat123^ as the password.

[root@idm ~]# ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
dn: uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: controller
userPassword: controller123
passwordExpirationTime: 20280101000000Z
nsIdleTimeout: 0
EOF
Enter LDAP Password: RedHat123^
adding new entry "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com"

[root@idm ~]#

Use the newly created bind account to determine where the user accounts and groups reside in the LDAP tree structure on the IdM server.

Use the ldapsearch command to query LDAP starting at the base, dc=lab,dc=example,dc=com. Make the query using the new bind user account and its password to verify that the account is working properly. Query for the productsuser02 user account.

[root@idm ~]# ldapsearch \
  -D "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com" \
  -W -h idm.lab.example.com \
  -b "cn=accounts,dc=lab,dc=example,dc=com" \
  uid=productsuser02
Enter LDAP Password: controller123
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=lab,dc=example,dc=com> with scope subtree
# filter: uid=productsuser02
# requesting: ALL
#

# productsuser02, users, accounts, lab.example.com
dn: uid=productsuser02,cn=users,cn=accounts,dc=lab,dc=example,dc=com
krbLastPwdChange: 20230706124435Z
krbPasswordExpiration: 20231004124435Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
memberOf: cn=productsgroup02,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1272619754-3734590140-1170855531-1003
givenName: Product
sn: User02
uid: productsuser02
cn: Product User02
displayName: Product User02
initials: PU
gecos: Product User02
krbPrincipalName: productsuser02@LAB.EXAMPLE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/productsuser02
mail: productsuser02@lab.example.com
krbCanonicalName: productsuser02@LAB.EXAMPLE.COM
ipaUniqueID: 61c2d1f0-1bf9-11ee-87c7-52540000fa08
uidNumber: 739000003
gidNumber: 739000003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

In the output of the ldapsearch command, the user account information is under the cn=users,cn=accounts,dc=lab,dc=example,dc=com node of the directory.

The group information is under the cn=groups,cn=accounts,dc=lab,dc=example,dc=com node of the directory.

Use the newly created bind account to determine which object class can be used to search for user groups in the LDAP tree structure on the IdM server.

Use the ldapsearch command to query LDAP for the cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com group. Make the query using the newly created bind user account and its password to verify that the account is working properly.

[root@idm ~]# ldapsearch \
  -D "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com" \
  -W -h idm.lab.example.com \
  -b "cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com"
Enter LDAP Password: controller123
# extended LDIF
#
# LDAPv3
# base <cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipausers, groups, accounts, lab.example.com
dn: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
member: uid=productsuser02,cn=users,cn=accounts,dc=lab,dc=example,dc=com
member: uid=productsuser03,cn=users,cn=accounts,dc=lab,dc=example,dc=com
member: uid=productsuser04,cn=users,cn=accounts,dc=lab,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: ipausers
ipaUniqueID: 625553e8-1be7-11ee-84b9-52540000fa08

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note that in the output of the ldapsearch command, the user group includes the groupofnames and ipausergroup object classes.

Use the new bind account to determine which attributes correspond to an IdM user's first name, last name, and email address.

Use the ldapsearch command to query LDAP starting at the base, cn=accounts,dc=lab,dc=example,dc=com. Make the query using the new bind user account and its password to verify that the account is working properly. Query for the productsuser02 user account.

[root@idm ~]# ldapsearch \
  -D "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com" \
  -W -h idm.lab.example.com \
  -b "cn=accounts,dc=lab,dc=example,dc=com" \
  uid=productsuser02
Enter LDAP Password: controller123
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=lab,dc=example,dc=com> with scope subtree
# filter: uid=productsuser02
# requesting: ALL
#

# productsuser02, users, accounts, lab.example.com
dn: uid=productsuser02,cn=users,cn=accounts,dc=lab,dc=example,dc=com
krbLastPwdChange: 20230706124435Z
krbPasswordExpiration: 20231004124435Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
memberOf: cn=productsgroup02,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1272619754-3734590140-1170855531-1003
givenName: Product
sn: User02
uid: productsuser02
cn: Product User02
displayName: Product User02
initials: PU
gecos: Product User02
krbPrincipalName: productsuser02@LAB.EXAMPLE.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/productsuser02
mail: productsuser02@lab.example.com
krbCanonicalName: productsuser02@LAB.EXAMPLE.COM
ipaUniqueID: 61c2d1f0-1bf9-11ee-87c7-52540000fa08
uidNumber: 739000003
gidNumber: 739000003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Note that in the output of the ldapsearch command, the user's first name is stored as the givenName attribute, the user's last name is stored as the sn attribute, and the user's email address is stored as the mail attribute.
```
givenName: Products
sn: User02
mail: productsuser02@lab.example.com
```

Exit from the idm machine:

[root@idm ~]# exit
logout
[student@idm ~]$ exit
logout
Connection to idm closed.

Configure the controller machine to trust the self-signed CA certificate of IdM.

[student@workstation ~]$ ssh controller
[student@controller ~]$ sudo -i
[sudo] password for student: student
[root@controller ~]#

Copy the IdM CA certificate to the /etc/pki/ca-trust/source/anchors/ directory:

[root@controller ~]# scp student@idm:/etc/ipa/ca.crt \
  /etc/pki/ca-trust/source/anchors/ipa_ca.crt
Password: student
ca.crt                              100% 1651     2.2MB/s   00:00

Update the trust list:
```
[root@controller ~]# update-ca-trust
```

Log out of the controller machine:

[root@controller ~]# exit
logout
[student@controller ~]$ exit
logout
Connection to controller closed.

Configure automation controller for LDAP authentication against IdM.
1. From the workstation machine, use the Firefox web browser to connect to the automation controller web UI at http://controller.lab.example.com.
2. You might receive a warning because the automation controller is using a self-signed certificate. Click Advanced, and then Accept the Risk and Continue if required.
3. Log in with the admin account, using redhat as the password.
4. Navigate to Settings and then in the Authentication section click LDAP settings. Click Edit at the bottom of the page.
5. Enter ldap://idm.lab.example.com:389 into the LDAP Server URI field. Enter controller123 into the LDAP Bind Password field.
6. In the LDAP Group Type field, select GroupOfNamesType. Set LDAP Start TLS to On.
7. In the LDAP Bind DN field, enter uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com.
Configure access to the automation controller web UI so that IdM users in the productsgroup04 group are denied. In the LDAP Deny Group field, enter the following to deny access to users of the productsgroup04 IdM user group:
```
CN=productsgroup04,CN=groups,CN=accounts,DC=lab,DC=example,DC=com
```
Configure automation controller for LDAP User Search and LDAP Group Search.
1. In the LDAP User Search field, enter the following text to indicate the location in the LDAP tree structure where user account information is kept and how user account information should be queried:
```
[
  "CN=users,CN=accounts,DC=lab,DC=example,DC=com",
  "SCOPE_SUBTREE",
  "(uid=%(user)s)"
]
```
2. In the LDAP Group Search field, enter the following text to indicate the location in the LDAP tree structure where user account information is kept and how user account information should be queried:
```
[
  "CN=groups,CN=accounts,DC=lab,DC=example,DC=com",
  "SCOPE_SUBTREE",
  "(objectClass=ipausergroup)"
]
```
Map the IdM givenName, sn, and mail user attributes to automation controller's first_name, last_name, and email data elements. In the LDAP User Attribute Map field, enter the following text to create the user attributes mapping:
```
{
  "first_name": "givenName",
  "last_name": "sn",
  "email": "mail"
}
```
Configure automation controller so that IdM users in the productsgroup02 group are mapped to automation controller's superuser role. In the LDAP User Flags By Group field, enter the following text:
```
{
  "is_superuser": "CN=productsgroup02,CN=groups,CN=accounts,DC=lab,DC=example,DC=com"
}
```
Click Save to save all the changes made to the LDAP configuration, and then log out of the automation controller web UI.
Verify LDAP authentication to the automation controller web UI and user attribute mapping for the productsuser02 IdM user.
1. Log in to the automation controller web UI as the productsuser02 IdM user with controller123 as the password.
2. Navigate to Access → Users to see a list of user accounts created in automation controller.
3. Note the LDAP label showing that productsuser02 is an external user account.
4. Note the role for productsuser02 is System Administrator due to the LDAP User Flags By Group configuration.
5. Click productsuser02.
6. On the Details page, verify that the First Name, Last Name, and Email fields have been populated with information from IdM as configured by the user attribute mapping created earlier.
7. Log out of the automation controller web UI.
Verify LDAP authentication to the automation controller web UI and user attribute mapping for the productsuser03 IdM user.
1. Log in to the automation controller web UI as the productsuser03 IdM user with controller123 as the password.
2. Navigate to Access → Users to see a list of user accounts created in automation controller.
3. Note the role for productsuser03 is Normal User because it is not a member of productsgroup02.
4. Log out of the automation controller web UI.
Verify LDAP authentication to the automation controller web UI for the productsuser04 IdM user.
1. Try to log in to the automation controller web UI as the productsuser04 IdM user with controller123 as the password.
2. Due to the deny access configuration, automation controller should not allow productsuser04 access to the web UI.

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish products-controller

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8