
Lab: Integrating Identity Management with Red Hat Utilities

Configure Red Hat's single sign-on technology and automation controller to use IdM for user authentication, and verify user authorization.

Outcomes

  • Configure automation controller to use IdM as its authentication engine and store.

  • Configure Red Hat single sign-on (SSO) to use IdM as its authentication engine.

Save any work you want to keep from earlier exercises, and then reset the controller and utility machines.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start products-review

Instructions

  1. On the idm machine, create the controller LDAP bind account.

    1. Log in to the idm machine as student, and become the root user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. Authenticate as the admin user with RedHat123^ as the password.

      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    3. Create the controller system account, which automation controller will use to bind to the directory and search the IdM LDAP tree. An entry under cn=sysaccounts,cn=etc has no Kerberos principal and no POSIX identity, so it can do nothing but bind and read, which is the least privilege an application bind needs. Authenticate as the Directory Manager user with the password RedHat123^.

      [root@idm ~]# ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
      dn: uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com
      changetype: add
      objectclass: account
      objectclass: simplesecurityobject
      uid: controller
      userPassword: controller123
      passwordExpirationTime: 20280101000000Z
      nsIdleTimeout: 0
      EOF
      Enter LDAP Password: RedHat123^
      adding new entry "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com"
    4. Log out of the idm machine:

      [root@idm ~]# logout
      [student@idm ~]$ logout
      Connection to idm closed.
  2. Configure the controller machine to trust the self-signed CA certificate of IdM.

    1. Log in to the controller machine and change to the root user.

      [student@workstation ~]$ ssh controller
      [student@controller ~]$ sudo -i
      [sudo] password for student: student
      [root@controller ~]#
    2. Copy the IdM CA certificate to the /etc/pki/ca-trust/source/anchors/ directory:

      [root@controller ~]# scp student@idm:/etc/ipa/ca.crt \
        /etc/pki/ca-trust/source/anchors/ipa_ca.crt
      Password: student
      ca.crt                              100% 1651     2.2MB/s   00:00
    3. Update the trust list:

      [root@controller ~]# update-ca-trust
    4. Log out of the controller machine:

      [root@controller ~]# logout
      [student@controller ~]$ logout
      Connection to controller closed.
  3. Configure automation controller for LDAP authentication using IdM. Use the web UI at http://controller.lab.example.com.

    1. On the workstation machine, open Firefox and connect to the automation controller web UI at http://controller.lab.example.com.

    2. You might receive a warning because the automation controller is using a self-signed certificate. Click Advanced, and then Accept the Risk and Continue if required.

    3. Log in with the admin account, using redhat as the password.

    4. Navigate to Settings then under Authentication click LDAP settings. Click Edit at the bottom of the page.

    5. In LDAP Server URI, enter ldap://idm.lab.example.com:389. In LDAP Bind DN, enter uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com. In LDAP Bind Password, enter controller123. In LDAP Group Type, select GroupOfNamesType (IdM user groups carry the groupOfNames object class and list their members in the member attribute). Note that a simple bind on port 389 without Start TLS sends the bind password in cleartext; outside the lab, use ldaps://idm.lab.example.com:636 or enable LDAP Start TLS, which the CA trust installed in step 2 lets the controller verify.

    6. Click Save.

  4. Configure access to the automation controller web UI so that IdM users in the productsgroup04 group are denied. Configure automation controller for LDAP User Search and LDAP Group Search.

    1. In the LDAP Deny Group field, enter the following details to deny access to users of the productsgroup04 IdM user group:

      CN=productsgroup04,CN=groups,CN=accounts,DC=lab,DC=example,DC=com
    2. In the LDAP User Search field, enter the following details to indicate the location in the LDAP tree structure where user account information is kept and how user account information should be queried:

      [
        "CN=users,CN=accounts,DC=lab,DC=example,DC=com",
        "SCOPE_SUBTREE",
        "(uid=%(user)s)"
      ]
    3. In the LDAP Group Search field, enter the following details to indicate the location in the LDAP tree structure where group information is kept and how groups should be queried:

      [
        "CN=groups,CN=accounts,DC=lab,DC=example,DC=com",
        "SCOPE_SUBTREE",
        "(objectClass=ipausergroup)"
      ]
  5. Map the givenName, sn, and mail IdM user attributes to automation controller's first_name, last_name, and email data elements. Configure automation controller so that IdM users in the productsgroup02 group are mapped to automation controller's superuser role.

    1. In the LDAP User Attribute Map field, enter the following details to create the user attributes mapping:

      {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
      }
    2. In the LDAP User Flags By Group field, enter the following details:

      {
        "is_superuser": "CN=productsgroup02,CN=groups,CN=accounts,DC=lab,DC=example,DC=com"
      }
    3. Click Save, and then log out of the automation controller web UI.

  6. As productsuser02, verify that LDAP authentication to the automation controller web UI and the user attribute mapping work correctly. Navigate to Access > Users to inspect the automation controller users.

    1. Log in to the automation controller web UI as the productsuser02 IdM user with the controller123 password.

    2. Navigate to Access > Users to see the list of user accounts created in automation controller.

    3. Note the LDAP label against productsuser02, indicating that it is an external user account.

    4. Note that the role for productsuser02 is System Administrator, due to the LDAP User Flags By Group configuration.

    5. Click productsuser02.

    6. On the Details page, verify that the First Name, Last Name, and Email fields have been populated with information from IdM as configured by the user attribute mapping created earlier.

    7. Log out of the automation controller web UI.

  7. Verify LDAP authentication to the automation controller web UI and user attribute mapping for the productsuser03 IdM user.

    1. Log in to the automation controller web UI as the productsuser03 IdM user with controller123 as the password.

    2. Navigate to Access > Users to display the list of user accounts created in automation controller.

    3. Note that the role for productsuser03 is Normal User because it is not a member of productsgroup02.

    4. Log out of the automation controller web UI.

  8. Verify LDAP authentication to the automation controller web UI for the productsuser04 IdM user.

    1. Log in to the automation controller web UI as the productsuser04 IdM user with controller123 as the password.

    2. Because productsuser04 is a member of the group configured in LDAP Deny Group, automation controller rejects the login and does not grant access to the web UI.
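
The controller settings entered in steps 3 to 5, expressed as the REST API payload that the web UI writes, together with an offline model of the deny-group and flags-by-group decisions that steps 6 to 8 confirm in the browser. This is an added example, not code from the lab or from automation controller. The endpoint /api/v2/settings/ldap/, the AUTH_LDAP_* setting names, the AUTH_LDAP_START_TLS toggle and the SAMPLE_GROUPS entries are assumptions of the example; the group entries are constructed.

```python
"""Controller LDAP settings as an API payload, plus an offline model of the
authorization decisions verified in steps 6 to 8. Added example, not lab code.
Assumptions: PATCH /api/v2/settings/ldap/ accepts these AUTH_LDAP_* keys with
basic auth; SAMPLE_GROUPS is constructed to stand in for the group search."""
import base64
import json
import urllib.request

USERS_BASE = "CN=users,CN=accounts,DC=lab,DC=example,DC=com"
GROUPS_BASE = "CN=groups,CN=accounts,DC=lab,DC=example,DC=com"

# The lab's values. AUTH_LDAP_START_TLS is added so the simple bind on port 389
# is upgraded to TLS before the password is sent; the IdM CA trusted in step 2
# is what lets the controller verify that connection.
LDAP_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldap://idm.lab.example.com:389",
    "AUTH_LDAP_START_TLS": True,
    "AUTH_LDAP_BIND_DN": "uid=controller,cn=sysaccounts,cn=etc,dc=lab,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "controller123",
    "AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType",
    "AUTH_LDAP_USER_SEARCH": [USERS_BASE, "SCOPE_SUBTREE", "(uid=%(user)s)"],
    "AUTH_LDAP_GROUP_SEARCH": [GROUPS_BASE, "SCOPE_SUBTREE", "(objectClass=ipausergroup)"],
    "AUTH_LDAP_USER_ATTR_MAP": {"first_name": "givenName", "last_name": "sn", "email": "mail"},
    "AUTH_LDAP_DENY_GROUP": f"CN=productsgroup04,{GROUPS_BASE}",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_superuser": f"CN=productsgroup02,{GROUPS_BASE}"},
}
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}
KNOWN_FLAGS = {"is_superuser", "is_system_auditor"}


def validate_settings(settings):
    """Return the list of problems found; an empty list means the payload is consistent."""
    problems = []
    for key in ("AUTH_LDAP_USER_SEARCH", "AUTH_LDAP_GROUP_SEARCH"):
        _base, scope, flt = settings[key]
        if scope not in VALID_SCOPES:
            problems.append(f"{key}: unknown scope {scope}")
        if not (flt.startswith("(") and flt.endswith(")")):
            problems.append(f"{key}: filter must be parenthesised")
    if "%(user)s" not in settings["AUTH_LDAP_USER_SEARCH"][2]:
        problems.append("user search filter has no %(user)s placeholder")
    if settings["AUTH_LDAP_SERVER_URI"].startswith("ldap://") and not settings.get("AUTH_LDAP_START_TLS"):
        problems.append("bind password would cross the network in cleartext: use ldaps:// or Start TLS")
    for flag, dn in settings["AUTH_LDAP_USER_FLAGS_BY_GROUP"].items():
        if flag not in KNOWN_FLAGS:
            problems.append(f"unknown user flag {flag}")
        if not dn.lower().endswith(GROUPS_BASE.lower()):
            problems.append(f"{flag} group {dn} lies outside the group search base")
    return problems


def normalize_dn(dn):
    """Comparison key: DNs are matched case-insensitively, ignoring whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed stand-in for the group search result: IdM user groups carry
# groupOfNames and list member DNs in the member attribute, which is what
# GroupOfNamesType matches the authenticating user's DN against.
SAMPLE_GROUPS = {
    f"cn=productsgroup02,{GROUPS_BASE}": [f"uid=productsuser02,{USERS_BASE}"],
    f"cn=productsgroup03,{GROUPS_BASE}": [f"uid=productsuser03,{USERS_BASE}"],
    f"cn=productsgroup04,{GROUPS_BASE}": [f"uid=productsuser04,{USERS_BASE}"],
}


def authorize(username, groups, settings):
    """Mirror the evaluation order: deny group first, then flags by group.
    Returns (allowed, flags). The user DN is built from the search base here;
    the real controller takes it from the user search result."""
    user_dn = normalize_dn(f"uid={username},{settings['AUTH_LDAP_USER_SEARCH'][0]}")
    member_of = {normalize_dn(group) for group, members in groups.items()
                 if user_dn in {normalize_dn(m) for m in members}}
    deny = settings.get("AUTH_LDAP_DENY_GROUP")
    if deny and normalize_dn(deny) in member_of:
        return False, {}
    flags = {flag: normalize_dn(dn) in member_of
             for flag, dn in settings["AUTH_LDAP_USER_FLAGS_BY_GROUP"].items()}
    return True, flags


def apply_settings(base_url, admin_user, admin_password, settings):
    """PATCH the payload onto a live controller (network call; not part of the offline checks)."""
    req = urllib.request.Request(f"{base_url}/api/v2/settings/ldap/",
                                 data=json.dumps(settings).encode(), method="PATCH")
    req.add_header("Content-Type", "application/json")
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("problems:", validate_settings(LDAP_SETTINGS))
    for user in ("productsuser02", "productsuser03", "productsuser04"):
        print(user, authorize(user, SAMPLE_GROUPS, LDAP_SETTINGS))
    # apply_settings("https://controller.lab.example.com", "admin", "redhat", LDAP_SETTINGS)
```

validate_settings() rejects a cleartext ldap:// bind unless Start TLS is on, which is the check to run before saving the form; authorize() reproduces the three outcomes seen in the browser (superuser, normal user, denied); apply_settings() pushes the same payload to a live controller in place of the clicks in step 3.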

  9. Configure the SSO server on the utility machine as an IdM client.

    1. Log in to the utility machine and become the root user:

      [student@workstation ~]$ ssh utility
      [student@utility ~]$ sudo -i
      [sudo] password for student: student
    2. Verify that the utility machine is already enrolled as an IdM client. On an enrolled client, ipa-client-install refuses to run again and exits without changing anything:

      [root@utility ~]# ipa-client-install
      This program will set up IPA client.
      Version 4.10.0
      
      IPA client is already configured on this system.
      If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
      The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
    3. Verify that the utility machine can authenticate to the LAB.EXAMPLE.COM realm and query IdM:

      [root@utility ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [root@utility ~]# ipa host-find
      ...output omitted...
        Host name: idm.lab.example.com
        Principal name: host/idm.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: host/idm.lab.example.com@LAB.EXAMPLE.COM
      ...output omitted...
    4. Log out of the utility machine:

      [root@utility ~]# logout
      [student@utility ~]$ logout
      Connection to utility closed.
  10. Navigate to the SSO web console at http://utility.lab.example.com:8080 and configure the idm realm to use the IdM LDAP server as its user federation provider. Authenticate as the admin user with RedHat123^ as the password.

    1. Navigate to Configure > Realm Settings and verify that you are in the idm realm.

    2. Navigate to Configure > User Federation.

    3. Click Add provider, choose ldap from the list, and add the following configuration settings:

      Property                 Value
      Enabled                  ON
      Console Display Name     ldap
      Priority                 0
      Import Users             ON
      Edit Mode                READ_ONLY
      Sync Registrations       Off
      Vendor                   Red Hat Directory Server
      Username LDAP attribute  uid
      RDN LDAP attribute       uid
      UUID LDAP attribute      ipaUniqueID
      User Object Classes      inetOrgPerson, organizationalPerson
      Connection URL           ldaps://idm.lab.example.com:636
      Users DN                 cn=users,cn=accounts,dc=lab,dc=example,dc=com
      Search Scope             One Level
      Bind Type                simple
      Bind DN                  uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
      Bind Credential          RedHat123^

      Because the connection URL uses ldaps://, the SSO host must trust the IdM CA; the utility machine is an enrolled IdM client (step 9), so the CA is already in its system trust store. The lab binds as the IdM admin user, which gives the SSO server full write access to the directory. Outside the lab, bind with a dedicated read-only system account, such as the one created for automation controller in step 1.

    4. Click Save and then click Synchronize all users.

  11. Log in to the client machine and authenticate as the admin user.

    1. Log in to the client machine as the student user:

      [student@workstation ~]$ ssh client
    2. Authenticate as the admin user with RedHat123^ as the password.

      [student@client ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
  12. Verify that the idmuser04 user exists in IdM.

    [student@client ~]$ ipa user-find idmuser04
    --------------
    1 user matched
    --------------
      User login: idmuser04
    ...output omitted...
  13. Verify that SSO uses IdM as the identity provider by getting an OpenID Connect token.

    1. Log out of the client machine to return to the workstation machine:

      [student@client ~]$ logout
      Connection to client closed.
      [student@workstation ~]$
    2. On the workstation machine, change to the ~/materials/labs/products-review/ directory and run the get_token.sh script to get an OpenID Connect token from the SSO server for the idmuser04 user in the idm SSO realm.

      [student@workstation ~]$ cd materials/labs/products-review
      [student@workstation products-review]$ ./get_token.sh idmuser04 RedHat123^ idm
      {"access_token":"eyJhbGciOiJS...
      ...output omitted...
    3. Return to the student user home directory:

      [student@workstation products-review]$ cd
      [student@workstation ~]$
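
The user federation provider from step 10 and the token retrieval from step 13, driven through the RH-SSO admin and token endpoints, with a claims check on the access token that get_token.sh prints. This is an added example; it is not the lab's get_token.sh and not product code. Assumptions not taken from the lab: the /auth URL prefix, the Keycloak component config keys and values (vendor "rhds", searchScope "1", authType "simple"), the admin-cli public client for the password grant, and the constructed unsigned token that check_token_claims() is exercised against offline.

```python
"""RH-SSO (Keycloak) LDAP federation against IdM via the admin REST API, and a
claims check on the OpenID Connect access token from step 13. Added example.
Assumptions: /auth prefix; component config keys as listed; admin-cli client;
the token built by _sample_token() is constructed and carries no valid signature."""
import base64
import json
import time
import urllib.parse
import urllib.request

SSO = "http://utility.lab.example.com:8080/auth"  # assumption: RH-SSO /auth prefix


def ldap_provider_component(realm_id):
    """Component representation matching the step 10 form. The components API
    stores every config value as a list of strings."""
    cfg = {
        "enabled": "true", "priority": "0", "importEnabled": "true",
        "editMode": "READ_ONLY", "syncRegistrations": "false", "vendor": "rhds",
        "usernameLDAPAttribute": "uid", "rdnLDAPAttribute": "uid",
        "uuidLDAPAttribute": "ipaUniqueID",
        "userObjectClasses": "inetOrgPerson, organizationalPerson",
        "connectionUrl": "ldaps://idm.lab.example.com:636",
        "usersDn": "cn=users,cn=accounts,dc=lab,dc=example,dc=com",
        "searchScope": "1", "authType": "simple",
        # Lab value. A dedicated read-only system account (as created for the
        # controller in step 1) is the least-privilege choice outside the lab.
        "bindDn": "uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com",
        "bindCredential": "RedHat123^",
    }
    return {"name": "ldap", "providerId": "ldap", "parentId": realm_id,
            "providerType": "org.keycloak.storage.UserStorageProvider",
            "config": {k: [v] for k, v in cfg.items()}}


def _request(url, token=None, data=None, method=None):
    """Bearer-authenticated JSON request helper for the admin API (network call)."""
    headers = {"Content-Type": "application/json"} if data is not None else {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers, method=method))


def password_grant(realm, client_id, username, password):
    """Resource Owner Password Credentials grant against a realm's token endpoint (network call)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{SSO}/realms/{realm}/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_federation(realm):
    """Add the LDAP provider to the realm and run 'Synchronize all users' (network call)."""
    token = password_grant("master", "admin-cli", "admin", "RedHat123^")["access_token"]
    realm_id = json.load(_request(f"{SSO}/admin/realms/{realm}", token))["id"]
    body = json.dumps(ldap_provider_component(realm_id)).encode()
    created = _request(f"{SSO}/admin/realms/{realm}/components", token, body, "POST")
    component_id = created.headers["Location"].rstrip("/").rsplit("/", 1)[-1]
    _request(f"{SSO}/admin/realms/{realm}/user-storage/{component_id}/sync?action=triggerFullSync",
             token, b"", "POST")
    return component_id


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token_claims(access_token, realm, username, now=None):
    """Decode the JWT payload and check issuer, user and expiry. Returns (claims, problems).
    The signature is NOT verified here; a relying party must verify it against the
    realm's JWKS (/realms/<realm>/protocol/openid-connect/certs) before trusting claims."""
    header_b64, payload_b64, _signature = access_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("iss") != f"{SSO}/realms/{realm}":
        problems.append(f"issuer {claims.get('iss')!r} is not the {realm} realm")
    if claims.get("preferred_username") != username:
        problems.append(f"token is for {claims.get('preferred_username')!r}, not {username}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return claims, problems


def _sample_token(username="idmuser04", exp=1_900_000_000):
    """Constructed, unsigned sample token so the checker can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    claims = {"iss": f"{SSO}/realms/idm", "preferred_username": username,
              "iat": exp - 300, "exp": exp}
    return f"{enc(header)}.{enc(claims)}.{enc('not-a-real-signature')}"


if __name__ == "__main__":
    print(check_token_claims(_sample_token(), "idm", "idmuser04", now=1_899_999_900))
    # Live run against the lab: create_federation("idm") and then
    # password_grant("idm", "admin-cli", "idmuser04", "RedHat123^")["access_token"]
```

The claims check confirms that the token was issued by the idm realm for idmuser04, which is what the lab means by SSO using IdM as the identity provider; a relying party must still verify the signature against the realm's JWKS before it trusts the token.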

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade products-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish products-review

Revision: rh362-9.1-4c6fdb8