-
Notifications
You must be signed in to change notification settings - Fork 180
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add initial docs for a local KeyCloak/container-httpd setup for OIDC
- Loading branch information
Showing
11 changed files
with
2,441 additions
and
167 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,168 +1,4 @@ | ||
|
|
||
| # External Authentication (httpd) | ||
|
|
||
| This document describes the steps needed to enable External | ||
| Authentication (httpd) on the Appliance against an IPA Server. | ||
|
|
||
| Once external authentication is enabled, users will be able | ||
| to login to the Appliance using their IPA Server credentials. | ||
| User accounts will be automatically created on the Appliance | ||
| and relevant information imported from the IPA Server. | ||
|
|
||
| To allow IPA server defined users to login to the Appliance, | ||
| they must be members of at least one group on the IPA server | ||
| which needs to be defined in the Appliance under | ||
| *Configure->Configuration->Access Control->Groups* with the | ||
| appropriate role assigned to that group. | ||
|
|
||
| The Appliance comes pre-loaded with the necessary IPA Client | ||
| software to be able to connect to the IPA Server. The software | ||
| is just not configured by default. | ||
|
|
||
| Enabling External Authentication is done by first enabling it | ||
| in the Appliance Web UI then via the Appliance Console. | ||
| Disabling External Authentication and returning to Internal | ||
| Database Authentication also needs to be done in both the | ||
| Appliance Web UI and then the Appliance Console. | ||
|
|
||
| --- | ||
|
|
||
| ### Appliance Requirements | ||
|
|
||
| * For an Appliance to leverage an IPA Server on the network, | ||
| the Appliance **must** have time synchronization enabled. | ||
| This can be done by either configuring NTP in the Appliance UI, | ||
| from *Configure->Configuration->Zone->Server->NTP Settings* or by using | ||
| the Virtual Machine's hosting provider's Advanced Setting | ||
| to Synchronize Time. Both Appliance and IPA Server must have | ||
| their clocks synchronized otherwise Kerberos and LDAP based | ||
| authentication will fail. | ||
|
|
||
|
|
||
| * The IPA Server needs to be known by DNS and accessible by name. | ||
| If DNS is not configured accordingly, the hosts files need to be | ||
| updated to reflect both IPA server and the Appliance on | ||
| both virtual machines. | ||
|
|
||
| --- | ||
|
|
||
| ### Configuring Appliance for External Authentication: | ||
|
|
||
| * Appliance UI | ||
| 1. Login to the Appliance via an administrative account | ||
| 2. Select *Configure->Configuration* | ||
| 3. Click on *Authentication* | ||
| 4. In the Authentication section, set Mode to **External (httpd)** | ||
| 5. In the Role Settings section, select the *Get User Groups from | ||
| External Authentication (https)* | ||
| 6. Click on **Save** | ||
|
|
||
|
|
||
| * Appliance Console | ||
| 1. Login via the **admin** Username | ||
| 2. Summary screen should show **External Auth** as *not configured*, | ||
| Press any key | ||
| 3. From the Advanced Setting menu, select the menu item | ||
| **Configure External Authentication (httpd)** | ||
| 4. Enter the Fully qualified Hostname of the IPA Server, | ||
| i.e. *ipaserver.test.company.com* | ||
| 5. Enter the IPA Server domain, i.e. *test.company.com* | ||
| 6. Enter the IPA Server Realm, i.e. *TEST.COMPANY.COM* | ||
| 7. Press enter to select the default IPA Server Principal, i.e. *admin* | ||
| 8. Enter the Password of the IPA Server Principal | ||
| 9. Review details, and Enter **y** to proceed. | ||
|
|
||
| **Note:** If any of the following conditions are true, the Configuration will fail: | ||
|
|
||
| * The IPA server is not reachable by its FQDN | ||
| * The IPA Server cannot reach the appliance by its FQDN | ||
| * The time is not synchronized between the Appliance and the IPA Server | ||
| * The IPA server **admin** password specified is incorrect | ||
|
|
||
| --- | ||
|
|
||
| ### Configuring Appliance back to Internal Database Authentication: | ||
|
|
||
| * Appliance UI | ||
| 1. Login to the Appliance via an administrative account | ||
| 2. Select *Configure->Configuration* | ||
| 3. Click on *Authentication* | ||
| 4. In the Authentication section, set Mode to **Database** | ||
| 5. Click on **Save** | ||
|
|
||
|
|
||
| * Appliance Console | ||
| 1. Login via the **admin** Username | ||
| 2. Summary screen should have **External Auth** showing the fully qualified | ||
| host name of the IPA server, Press any key | ||
| 3. select the menu item **Configure External Authentication (httpd)** | ||
| 4. Configure External Authentication (httpd) would show the currently | ||
| configured IPA Server Hostname and Domain. | ||
| 5. Enter **y** to Un-Configure the IPA Client | ||
| 6. Enter **n** to not proceed with the Re-Configuration. | ||
|
|
||
| --- | ||
|
|
||
| ### Optional Configuration via the Appliance Console CLI | ||
|
|
||
| In addition to using the Appliance Console, External Authentication can be | ||
| optionally configured and un-configured via the Appliance Console Command Line Interface. | ||
|
|
||
| Appliance Console CLI command and relevant options include: | ||
|
|
||
| ```sh | ||
| /bin/appliance_console_cli --host <appliance_fqdn> | ||
| --ipaserver <ipa_server_fqdn> | ||
| --ipadomain <domain_of_ipa_server> | ||
| --iparealm <realm_of_ipa_server> | ||
| --ipaprincipal <ipa_server_principal> | ||
| --ipapassword <ipa_server_password> | ||
| --uninstall-ipa | ||
| ``` | ||
|
|
||
| Note: | ||
|
|
||
| * specifying \-\-host will update the hostname of the appliance. If this | ||
| step was already performed via the Appliance Console and the necessary updates | ||
| made to /etc/hosts if DNS is not properly configured, the \-\-host option | ||
| can be omitted. | ||
| * \-\-ipadomain will be based on the appliance domain name if not specified. | ||
| * \-\-iparealm will be based on the domain name of the ipaserver if not specified. | ||
| * \-\-ipaprincipal will default to **admin** if not specified. | ||
|
|
||
| #### Configuring External Authentication Example: | ||
|
|
||
| ```sh | ||
| $ ssh [email protected] | ||
| appliance# /bin/appliance_console_cli --host appliance.test.company.com \ | ||
| --ipaserver ipaserver.test.company.com \ | ||
| --ipadomain test.company.com \ | ||
| --iparealm TEST.COMPANY.COM \ | ||
| --ipaprincipal admin \ | ||
| --ipapassword smartvm1 | ||
| ``` | ||
|
|
||
| #### Un-Configuring External Authentication Example: | ||
|
|
||
| ```sh | ||
| $ ssh [email protected] | ||
| appliance# /bin/appliance_console_cli --uninstall-ipa | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ### Manual Configuration | ||
|
|
||
| The following Instructions are for informational purposes and describe how to manually install the | ||
| necessary packages and configure the External Authentication (i.e. what is currently done behind | ||
| the scene via the Appliance Console): | ||
|
|
||
| * Installing the required packages - [Installation](./external_auth/installation.md) | ||
| * The packages required for enabling External Authentication are | ||
| installed by default on the Appliance so these steps are intended | ||
| to assist when building an appliance from scratch. | ||
| * The installation instructions are targeted for the CentOS 6.x | ||
| based ManageIQ Appliance. | ||
|
|
||
|
|
||
| * Enabling External Authentication - [Configuration](./external_auth/configuration.md) | ||
| - [Development with an OIDC server](./external_auth/oidc) | ||
| - [Development with an IPA server](./external_auth/ipa) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIFPjCCAyYCCQCRaqUN4f2NrTANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJV | ||
| UzETMBEGA1UECAwKTmV3IEplcnNleTEPMA0GA1UEBwwGTWFod2FoMREwDwYDVQQK | ||
| DAhNYW5hZ2VJUTEZMBcGA1UEAwwQMTI3LjAuMC4xLm5pcC5pbzAeFw0yMTA0MjAy | ||
| MDQ5NTRaFw0zMTA0MTgyMDQ5NTRaMGExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApO | ||
| ZXcgSmVyc2V5MQ8wDQYDVQQHDAZNYWh3YWgxETAPBgNVBAoMCE1hbmFnZUlRMRkw | ||
| FwYDVQQDDBAxMjcuMC4wLjEubmlwLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A | ||
| MIICCgKCAgEA1IAqMNZf6YdAkTXSIRv2lxUamDcnfB32dEPZVbp/sArPl6HtsgDH | ||
| m9QOZ+MZT6MGSijzIM0GDUYQDsoGWRxMSpE7AQV32pZzMWcDxABK0JpBdpHLnHWj | ||
| 0wJgb4aVIRg+fV3bmUuLchkP8rNGGKfIHRNzesNDCKRqt2sTgatC7+JRV/cA9xqy | ||
| NDdY5lIKxfGb6QrweuWa/Ztmc0ZQxQ7kpbB/kSv3g3DP27mV8lsZ9dbMdl6o4BUR | ||
| gNTCUQrOWzNuAa0DunHNmhg/ue+XaVK+UTwdrrxSPTVwioueYU5DJmbC5Vr4QoBF | ||
| JqkiDwmcbHZzSyYnQGReQI/vrxmAjR6gAm+/ApOHTZytLno7PbqA/ZL7LeAkzDpO | ||
| xgloSC+33lA+880jWh8T/I/jtOTm/FtFiUubOTxPdCB07RxSwKRKQwIYQ9Jc91KE | ||
| zyfPn8cLtHJ/oqZeHxO3AIw0kF2FiYew1V8bIaep1sPc1IHIiZppr9KXHvjKMRoe | ||
| 0KbaqFVn4PK650y9NDM9VmHwGZnY3CimopMqgP4MstD9QyOvfm7VSzaZg6nDTqAy | ||
| AW77RND5qOLl2j/hbPUVw+K06JNaetZGAkW21CcdY4qr/jaQUUy74JdFGwP1uBPl | ||
| xOqA9DfhcCV/rgRKfptQu/ressf3WBNMfVBGA24SM9VE+kFhMqIX4V0CAwEAATAN | ||
| BgkqhkiG9w0BAQsFAAOCAgEAxDASTraWbGtGROeCY/nPu4fpVsinvC2GBzM3F+We | ||
| I8xZzxrrtWrC1UOayStZpy4SSEhkLsOFCGI3QOw7C6lblxxnuoevJjDTDxrUbRGw | ||
| B5uytbDVe20JF4A/5YkegKyUNZVkH1veVw9EtxtwUFm0WkueyyVlsd+Gw3FZ93Yc | ||
| sFmiGGU4ircc5MdRdShL6ismw6YBkhn99BdZdBLKWlZw8uTSQi/INt1x0p/PpMBQ | ||
| Haqk9YEYhHx/2wzb6t7F+EqF4FDlG0nbHIlZHwwAxbBCi46WEoG9ZfnEBkYM1Eh1 | ||
| H9Gez3hPiqSpmS+j5Qck1CqufBtpyGCunfejfJq1YHNVi0vvxrk7Xpf7Go5osXqY | ||
| oZcQYvMV73m5jE/cgEAudnXmW2pqsiXjVofnkKCTLMYbyGSo+VSwHEZkjgPREaQ7 | ||
| 3HasCkZeENjn3zs9VEtXOtLZ/2YrvtU3ujfApzhAHbA/w0QH1c8CQmClGk7WuZNm | ||
| 3pTBjsuECgVEegnyAsVZoHOcqohSY6c6W5utrz4ggKgfSEdrvlRG41zqaiORw3Zs | ||
| lOvBWlHh1e0s939zODYhNcN8lNL9GDyY6lH2+8me1/Oyrv2c/ykrj7Q0eKKxRifp | ||
| OFtAU+KjTNaEB7aCpRdMtUl5I9+M7C2aQjii4D3nLN6BBdo7fdwToCC75ZFthJgG | ||
| DIw= | ||
| -----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| -----BEGIN PRIVATE KEY----- | ||
| MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDUgCow1l/ph0CR | ||
| NdIhG/aXFRqYNyd8HfZ0Q9lVun+wCs+Xoe2yAMeb1A5n4xlPowZKKPMgzQYNRhAO | ||
| ygZZHExKkTsBBXfalnMxZwPEAErQmkF2kcucdaPTAmBvhpUhGD59XduZS4tyGQ/y | ||
| s0YYp8gdE3N6w0MIpGq3axOBq0Lv4lFX9wD3GrI0N1jmUgrF8ZvpCvB65Zr9m2Zz | ||
| RlDFDuSlsH+RK/eDcM/buZXyWxn11sx2XqjgFRGA1MJRCs5bM24BrQO6cc2aGD+5 | ||
| 75dpUr5RPB2uvFI9NXCKi55hTkMmZsLlWvhCgEUmqSIPCZxsdnNLJidAZF5Aj++v | ||
| GYCNHqACb78Ck4dNnK0uejs9uoD9kvst4CTMOk7GCWhIL7feUD7zzSNaHxP8j+O0 | ||
| 5Ob8W0WJS5s5PE90IHTtHFLApEpDAhhD0lz3UoTPJ8+fxwu0cn+ipl4fE7cAjDSQ | ||
| XYWJh7DVXxshp6nWw9zUgciJmmmv0pce+MoxGh7QptqoVWfg8rrnTL00Mz1WYfAZ | ||
| mdjcKKaikyqA/gyy0P1DI69+btVLNpmDqcNOoDIBbvtE0Pmo4uXaP+Fs9RXD4rTo | ||
| k1p61kYCRbbUJx1jiqv+NpBRTLvgl0UbA/W4E+XE6oD0N+FwJX+uBEp+m1C7+t6y | ||
| x/dYE0x9UEYDbhIz1UT6QWEyohfhXQIDAQABAoICAFe2/7NhCf4vYiuOd8pK7KK4 | ||
| h13FhnrpM04So6eLcCGOlNoWcTNEtyBPjBK93zjMJlB+Tr1/Y7we64nvQmeOEr/E | ||
| 6wIk67BC4hHGX/uL01YAFn2G+PEAbjsvg/cFKpGanFDLaVYBpPHX/olEDu8mcqft | ||
| 24EVEJqEo7hKbqbbtqmmVcVlo/RcBKshHYUU4HWMobq0VUeldzCv8L4sjDKLTz5F | ||
| eKLH70dGTcZ4+Lgteq3LmGJT+IlmqO7w47ToLP3gYMw4So2vZBrzX3q0t182VHDb | ||
| y7TQ73FsmaPWte2cjINRb6mUv11T7TdkITbr1LHAwx6GBTXDOFSWFW3FrRaTSaB2 | ||
| /MxSp8cLVymvp9uy6mhOEY1zdL5ClncUsheUgfvbIVJbuY8MRAgjRtJKtgpz+wRr | ||
| sqcWKP8pmJgCKa/bz0NPbGBvImLlHmvPDyEne/shlkLfpX6GdX1r6IqULZoCX754 | ||
| uMWeXTgCvex/pKoJHBIkVDR5I7lrLz5r+UcC9V6iMo8DTbTxF4xvjS/LM9kWost8 | ||
| Y0KC88m+VmG84oIx0qA0n66nErXedPDDi0K2xYLJAOqtzvwB9rUa1GZZZV6aNWvf | ||
| gU8ADEGVihHvytyfQWTdPlsqbdTTj67be1030u5YqQlPw6SGMU92xd/JSAt8FfgP | ||
| gb0XD1ePpNX85Jh/gCFRAoIBAQD2tHMmMxtjtczCtnsf7DwRU+a8HO0pICgMeEoU | ||
| z9yNhyb9tVMl/Aev4TmePYk5jf1daVaVtFNFwGjEraX2ag1Y6vAULTCaymU1wRsw | ||
| tXkAANg5GpdYkXlzG5F2F45U+zBqUIZTb2NT3DmtaQ/U/Dlkwk5QIxm2BvBykcWa | ||
| tNEz7aK3c+0KD/2hR+dAiBOxPR2I1xi37faYsMM6dcVr/5KkkjGyniHnAUVH49mc | ||
| UvDuwXQox9rYUROMT/FBOesNjI1d/M2ABLQ5nmYEwFCRm1auYv7QvKwOAo8ZG9tB | ||
| gEo5JPVkdz0ThQ2SqRdXx4coeMCEQEZEdq3Ou2WuYZDu4djvAoIBAQDcgc3Gsu0c | ||
| et+W3+qWlinwPg0QjbQSibatGCbshYKGrAN/fCh0p5EtPV2yxFoq3Q4egQwq+iot | ||
| 8j10liIVkEW5FArrF2rkFFgG7Hxskv/aDEft7Dh3nd0WPXZmMptkboxinDbzcvsa | ||
| Zft9ysXqKbZ4+co2CCkAwrqpVEBMu5npt0OLIoOfnVbeUYT6dZLOInMRYNsF+auo | ||
| dMZJaF3IOwjJv9KaDT4f70tiSxrJX6dZqrROgD+yhuvnUcNx9tj+7gPKpPS8Q2fL | ||
| lixVbLXgINckjAdMO/f8Tk+3okLpR+rgXF45RbiF4rfU6R6uwmnhT+6PSgUmw7La | ||
| ZaR0xHRGh3JzAoIBAE7QfU0B3MkxBlZaR+F97f63KCqGrzmJPWImd7xIX7STLeC1 | ||
| sfebmbUVpfuouxM5Cm1yPqga8NOC0bWrqC6d2N/ERqibe0CoUkcnBxG7mAlpO6qa | ||
| lSlFaGBeuUzZ363EhcYhLZiwKDJdU8vTmaw4W/mVncE6RXeCpgRkD5YKGB+X1nj3 | ||
| Pw4M58FDoFxcXLYtySazWQFBs5s6NVSS1VxYTLfowJnIrRoIrOJ3p0iqsrAD+6Ef | ||
| oAmldTJJQ9DLuQ0eDves0NYKKq2RrhPsgJDT6JBTrgZvkCP1q1OhM52sZ4n0BbVv | ||
| 5oI66oglHwD7DHHgidh2VDyBEavO8IASSWQXoN8CggEAJ5McTVb7eysKSdeyEIiu | ||
| yjE4wwnLkbApmvNEuRpVDLp+fjjYQed5BLeIw3a+AAdga1UZy/TN8SUSpoPzZg9Y | ||
| lBjmxL6VLo4AJm32/r17MbUWi7rjf4RTk5RAVaMrhGDazS/gJN0z987pze/AiYAn | ||
| AZtDEWNxiHNqcM1wJNVekDWV57iwCsuANbJHvXOwf1JreGj7phzjE/6xP6d9fVwq | ||
| /Zpxv7g0uCKIUwHLsux56nvalGQsCmxwljl0bFWzKD2rbIkia09lp4IyPrqeAbWj | ||
| JyoCfUod/ahIYlq6y4devhmVx42dylmgSJP2L8MwoYFo/Up5ljV1OgEX/OTtQWM5 | ||
| xQKCAQEAs7/hnB7dM1QPCM8gv3zF+5n9ged5OU6XgTiTI5H86EuUtlt4/ngcpG61 | ||
| 9AW8yh/S8irGrE0z4aI0MrPE12kVfTEDcDt2uuWmF+rN88RmRhwp5EjfTinG5XWV | ||
| tnSJozBU9kGpSib7efvmtwym23Dyo6wPl/3FqHQ1+vO0bkYrkPoja5ajtT7uFqR7 | ||
| RKkzRsTpq1gFwmVucmDVCB4orkl6dVaVmQSwip/+TIR1bmTx9Uz9fHMB3ZU7ce5x | ||
| AeL/GqSYO0szkzkVp0bpNkyJTWH76V7/aB2NRwiKsnw0mP8lInroJSPAhBuy7Ych | ||
| 2Zc5diAShxXVrMDhsJoH03LiRz/0/Q== | ||
| -----END PRIVATE KEY----- |
File renamed without changes.
File renamed without changes.
Oops, something went wrong.