Apache authentication and LDAP authorization

Problem:
We use Apache for authentication and an LDAP auth source for authorization with AD groups. When a new user logged in, it would be authenticated by Apache and auto-created in our LDAP auth source in Foreman, get the correct groups, and everything was fine and dandy.

Now, in more recent versions of Foreman, external authentication has been separated altogether from LDAP authentication. As I understand it, a user authenticated by Apache (external auth) cannot use the LDAP auth source for group permissions anymore. So now, when a new user is created, it is associated with the ‘external’ auth source and I can’t use my LDAP groups for authorization for that user, unless I manually change the user to use ‘Authorised by: LDAP’. I am instead supposed to pass REMOTE_USER_GROUPS from Apache, which is a problem since I use mod_auth_cas for authentication, which does pass groups but not in the format Foreman expects them.

Is there some way for me to retain the old behaviour where a user logged in via apache gets associated with the ldap auth source? I see a couple of alternatives:

  1. Use Apache to modify the group header set by mod_auth_cas to work with Foreman, but since I use ProxyPass to Puma I can’t get that to work (the modified header is not sent to Puma). This is also not ideal since I am using LDAP groups heavily right now and don’t want to manage the same groups in both the LDAP and external auth source.
  2. Somehow configure Foreman to use LDAP auth source groups for all users. I tried to do this by setting ‘Authorise login delegation auth source user autocreate’ to the name of my LDAP source, which seems to work for creating new users: they are assigned to my LDAP source. BUT, for some reason my existing users, which are all associated with my LDAP source, can no longer log in; they get ‘User not found’.
  3. Use Foreman hooks to change the auth source to LDAP for the user once it’s created, but I’m not sure that would work.

Any help regarding this would be greatly appreciated!

Foreman and Proxy versions:
Foreman 2.1.1

Distribution and version:
RHEL8
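The format mismatch in alternative 1 comes down to string shape: Foreman's Apache (external) SSO reads group membership from REMOTE_USER_GROUPS as group names joined by ':' (the convention the Foreman manual uses with mod_lookup_identity), while mod_auth_cas exposes multi-valued CAS attributes joined by its CASAttributeDelimiter. The following Ruby is an added example, not code from the original post, from Foreman or from mod_auth_cas; it assumes the CAS server hands over AD memberOf DNs (which contain commas, so the example assumes the delimiter was set to "|" instead of the default ","), extracts the CN from each DN, and rejects names that would collide with Foreman's ':' separator rather than silently corrupting the list. Whether such a value can be injected into the proxied request is a separate question that this example does not settle.

```ruby
# Added example (not from the post, Foreman or mod_auth_cas): convert a
# mod_auth_cas group attribute into the REMOTE_USER_GROUPS shape Foreman expects.

# Foreman's external (Apache) auth source reads REMOTE_USER_GROUPS as group
# names separated by ':' (as documented for the mod_lookup_identity setup).
FOREMAN_GROUP_SEPARATOR = ':'.freeze

# Split a multi-valued mod_auth_cas attribute. mod_auth_cas joins values with
# CASAttributeDelimiter (default ","), which collides with AD DNs that contain
# commas, so this assumes the delimiter was configured as "|".
def split_cas_attribute(value, delimiter: '|')
  return [] if value.nil? || value.strip.empty?
  value.split(delimiter).map(&:strip).reject(&:empty?)
end

# Extract the group name from an LDAP DN such as
# "CN=foreman-admins,OU=Groups,DC=example,DC=com" -> "foreman-admins".
# Backslash-escaped commas inside the CN ("CN=Sales\, EMEA,...") are honoured.
# Values that are not DNs (plain group names) are returned unchanged.
def group_name_from(value)
  m = value.match(/\A\s*cn=((?:\\.|[^,])*)/i)
  return value.strip unless m
  m[1].gsub(/\\(.)/, '\1').strip
end

# Build the REMOTE_USER_GROUPS value. Returns [header_value, rejected_names];
# a name containing ':' cannot be represented in this format and is rejected
# instead of being split into two bogus groups on the Foreman side.
def build_remote_user_groups(cas_value, delimiter: '|')
  names = split_cas_attribute(cas_value, delimiter: delimiter).map { |v| group_name_from(v) }
  good, bad = names.partition { |n| !n.include?(FOREMAN_GROUP_SEPARATOR) }
  [good.uniq.join(FOREMAN_GROUP_SEPARATOR), bad]
end

# Receiving side, as Foreman's external auth treats the variable: split on ':'.
def foreman_parse_groups(header_value)
  header_value.to_s.split(FOREMAN_GROUP_SEPARATOR).reject(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of what mod_auth_cas might expose for CAS_memberOf with
  # CASAttributeDelimiter "|" (not a capture from the poster's environment).
  sample = 'CN=foreman-admins,OU=Groups,DC=example,DC=com|' \
           'CN=Sales\, EMEA,OU=Groups,DC=example,DC=com|' \
           'plain-group|CN=bad:name,OU=Groups,DC=example,DC=com'
  header, rejected = build_remote_user_groups(sample)
  puts "REMOTE_USER_GROUPS=#{header}"
  puts "rejected (contain ':'): #{rejected.inspect}"
  puts "Foreman would see: #{foreman_parse_groups(header).inspect}"
end
```

The rejected list is the part worth keeping an eye on: if an AD group name ever contains ':' it has to be renamed or mapped before it can be passed this way, because the receiving split has no escaping mechanism.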

You’re incorrect with regard to not being able to use group permissions with EXTERNAL authentication.

You can still use it, but you’ll need to join the underlying OS to an AD/IPA domain. And you need to configure ‘External usergroups’, but this works exactly as you’d expect.

Check out https://access.redhat.com/documentation/en-us/red_hat_satellite/6.7/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication


What I was looking for was a way to use the setup I already have, with Apache authentication and authorization via my LDAP source. But I will probably scrap this and instead use mod_lookup_identity in Apache to pass user information to Foreman and convert all my existing LDAP users and groups to external groups.

One advantage of using external authentication is that user accounts are automatically created. So just make sure you have set up AD/IPA with the correct groups, and map those groups in Foreman. You don’t have to touch your user accounts; just remove them if they conflict with AD/IPA usernames.

Oh, and everyone that logs in via a Kerberos Enabled browser will do so passwordless as a bonus.