RH362 - ch11s04

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start compreview-sso

Specifications

Register the utility machine as an IdM client. Do not use DNS discovery. Use the following values:
Description Value
Realm LAB.EXAMPLE.COM
Domain lab.example.com
Server idm.lab.example.com

Description	Value
Realm	`LAB.EXAMPLE.COM`
Domain	`lab.example.com`
Server	`idm.lab.example.com`

Configure the SSO server on the utility machine to use IdM as an identity provider with the following settings:

Setting	Value
Console Display Name	`review`
Priority	0
Import Users	`ON`
Edit Mode	`READ_ONLY`
Sync Registrations	Off
Vendor	`Red Hat Directory Server`
Username LDAP attribute	`uid`
RDN LDAP attribute	`uid`
UUID LDAP attribute	`ipaUniqueID`
User Object Classes	`inetOrgPerson`, `organizationalPerson`
Connection URL	`ldaps://idm.lab.example.com:636`
Users DN	`cn=users,cn=accounts,dc=lab,dc=example,dc=com`
Search Scope	One Level
Bind Type	simple
Bind DN	`uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com`
Bind Credential	`RedHat123^`

Verify that the idmuser03 user can authenticate to IdM using kinit, with RedHat123^ as the password.
From workstation, verify that the SSO server on utility is using idm as an identity provider. Use the following curl command to confirm that the idmuser03 user can get an OpenID Connect token from the SSO server on utility by authenticating with their IdM password:
```
[student@workstation ~]$ curl -d 'client_id=admin-cli' -d "username=idmuser03" \
  -d "password=RedHat123^" -d 'grant_type=password' \
  "http://utility:8080/auth/realms/review/protocol/openid-connect/token"
```

[student@workstation ~]$ ssh utility
[student@utility ~]$ sudo -i
[sudo] password for student: student

[root@utility ~]# ipa-client-install --domain lab.example.com \
  --server idm.lab.example.com --realm LAB.EXAMPLE.COM
This program will set up IPA client.
Version 4.10.0

...output omitted...
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: Enter
Client hostname: utility.lab.example.com
Realm: LAB.EXAMPLE.COM
...output omitted...

Continue to configure the system with these values? [no]: yes
...output omitted...

Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^
Successfully retrieved CA cert
...output omitted...

Client configuration complete.
The ipa-client-install command was successful

Navigate to the SSO web console at http://utility.lab.example.com:8080 and configure the ldap realm to use the IdM LDAP server. Use the admin user and RedHat123^ as the password to authenticate.

Navigate to the SSO web console at http://utility.lab.example.com:8080 and click Administration Console. Use the admin user and RedHat123^ as the password to authenticate.
Navigate to Configure → Realm Settings and verify you are in the review realm.
Navigate to Configure → User Federation under the Configure section.
Figure 11.1: User Federation

Click Add provider, choose ldap, and add the following configuration settings:

Setting	Value
Console Display Name	`review`
Priority	0
Import Users	`ON`
Edit Mode	`READ_ONLY`
Sync Registrations	`Off`
Vendor	`Red Hat Directory Server`
Username LDAP attribute	`uid`
RDN LDAP attribute	`uid`
UUID LDAP attribute	`ipaUniqueID`
User Object Classes	`inetOrgPerson`, `organizationalPerson`
Connection URL	`ldaps://idm.lab.example.com:636`
Users DN	`cn=users,cn=accounts,dc=lab,dc=example,dc=com`
Search Scope	One Level
Bind Type	simple
Bind DN	`uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com`
Bind Credential	`RedHat123^`

Click Save and then click Synchronize all users.
The console shows a synchronization success message.

Exit the utility machine and log in to the client machine as the student user:

[root@utility ~]# exit
logout
[student@utility ~]$ exit
logout
Connection to utility closed.
[student@workstation ~]$ ssh client

Start a Kerberos session as the idmuser03 user with RedHat123^ as the password:

[student@client ~]$ kinit idmuser03
Password for idmuser03@LAB.EXAMPLE.COM: RedHat123^

Verify that SSO uses IdM as an identity provider by obtaining an OpenID Connect token.

Exit the client machine:

[student@client ~]$ exit
logout
Connection to client closed.
[student@workstation ~]$

From the workstation machine, use the following curl command to get an OpenID Connect token from the SSO server for the idmuser03 in the review SSO realm:

[student@workstation ~]$ curl -d 'client_id=admin-cli' -d "username=idmuser03" \
  -d "password=RedHat123^" -d 'grant_type=password' \
  "http://utility:8080/auth/realms/review/protocol/openid-connect/token"
{"access_token":"eyJhbGciOi
...output omitted...

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade compreview-sso

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish compreview-sso

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8