Foreman 2.1 External Authentication

Problem:

PAM-based external authentication no longer works in Foreman 2.1

Expected outcome:

External PAM authentication allows successful login

Foreman and Proxy versions:

Foreman 2.1

For quite some time, I’ve had external authentication configured using the mod_intercept_form_submit and mod_authnz_pam apache modules. Since upgrading to Foreman 2.1, that no longer appears to function. Is this related to the switch from Passenger to Puma?

Possibly. You can confirm this by switching back using foreman-installer --foreman-passenger true.

I tried that out, but it had some trouble. At this point, I probably just need to re-think my config.

Here is the error output from running the suggested command:

# foreman-installer --foreman-passenger true
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:7:in `proxy'
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:13:in `id'
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:17:in `exists?'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/property/ensure.rb:82:in `retrieve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1115:in `retrieve'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1143:in `retrieve_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:307:in `from_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:20:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:267:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:287:in `eval_resource'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `call'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `block (2 levels) in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:545:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:544:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:191:in `block in evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:122:in `traverse'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction.rb:178:in `evaluate'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:240:in `block (2 levels) in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:545:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:544:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:239:in `block in apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/log.rb:161:in `with_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/transaction/report.rb:146:in `as_logging_destination'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:238:in `apply'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:185:in `block (2 levels) in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:545:in `block in thinmark'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:544:in `thinmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:184:in `block in apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:232:in `block in benchmark'
/opt/puppetlabs/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:231:in `benchmark'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:183:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:399:in `run_internal'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:227:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:210:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:343:in `apply_catalog'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:260:in `block (2 levels) in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:243:in `block in main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:314:in `override'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:207:in `main'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/apply.rb:177:in `run_command'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:734:in `exit_on_fail'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
/opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

It suggests the Smart Proxy can’t happen for some reason, but you left out the part of the stack trace with the actual error. I’d suggest looking at the logs. The Apache log and Foreman’s production.log are usually the ones that contain the actual errors.

Not sure if this was followed up in the meantime. I am currently running into the same issue with Foreman 2.1 (with Katello 3.16). I have the system joined up to an IPA domain and ‘local’ authentication with SSH works. The system also knows who my users are (all info below is from a lab and is not secret in any form).

  1. Logging in as user ‘sam’ on the Foreman server via SSH
$ ssh foreman.infra.htm.lab -o preferredauthentications=password -l sam
sam@foreman.infra.htm.lab's password: 
Could not chdir to home directory /home/sam: No such file or directory
-bash-4.2$  id
uid=146600006(sam) gid=146600006(sam) groups=146600006(sam),146600005(ipa_foreman_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  2. Foreman’s log shows the following when trying to log in with user ‘sam’ on the Admin console:
==> foreman/production.log <==
2020-10-05T11:02:35 [I|app|7c8ffbc9] Started POST "/users/login" for 127.0.0.1 at 2020-10-05 11:02:35 +0200
2020-10-05T11:02:35 [I|app|7c8ffbc9] Processing by UsersController#login as HTML
2020-10-05T11:02:35 [I|app|7c8ffbc9]   Parameters: {"login"=>{"login"=>"sam@infra.htm.lab", "password"=>"[FILTERED]"}, "authenticity_token"=>"0BBf6CmyA9GlMEUvL7ogYJI8Z2VSzZvuBO/WYbgDsP+GVJ4F/T3X3CIjf+wcfJ8b3RY1JGtBjxavXuInjmzVdQ=="}
2020-10-05T11:02:35 [I|app|7c8ffbc9] invalid user
2020-10-05T11:02:35 [W|app|7c8ffbc9] Failed login attempt from 192.168.255.11 with username 'sam@infra.htm.lab'
2020-10-05T11:02:35 [I|app|7c8ffbc9] Redirected to https://foreman.infra.htm.lab/users/login
2020-10-05T11:02:35 [I|app|7c8ffbc9] Completed 302 Found in 16ms (ActiveRecord: 6.9ms | Allocations: 2996)
2020-10-05T11:02:35 [I|app|307e6564] Started GET "/users/login" for 127.0.0.1 at 2020-10-05 11:02:35 +0200
2020-10-05T11:02:35 [I|app|307e6564] Processing by UsersController#login as HTML
2020-10-05T11:02:35 [I|app|307e6564]   Rendering users/login.html.erb within layouts/login
2020-10-05T11:02:35 [I|app|307e6564]   Rendered common/_login.html.erb (Duration: 3.8ms | Allocations: 5657)
2020-10-05T11:02:35 [I|app|307e6564]   Rendered users/login.html.erb within layouts/login (Duration: 7.7ms | Allocations: 11337)
2020-10-05T11:02:35 [I|app|307e6564]   Rendering layouts/base.html.erb
2020-10-05T11:02:35 [I|app|307e6564]   Rendered layouts/base.html.erb (Duration: 4.6ms | Allocations: 6757)
2020-10-05T11:02:35 [I|app|307e6564] Completed 200 OK in 18ms (Views: 16.7ms | ActiveRecord: 0.0ms | Allocations: 24656)

Trying to run ‘foreman-installer --foreman-passenger true’ seems to break the installation. I will try to do this again after I reset my snapshot.
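As an added example (not from the thread), a small Python triage script for production.log lines in the shape quoted above: it groups entries by request id, pulls out each "Failed login attempt" with its client IP and username, and records whether the same request also logged "invalid user" (the submitted login matched no Foreman account). In the quoted lines the "Started" entry records 127.0.0.1, the local Apache proxy, so the warning line is the one carrying the real client address; the sample log below is constructed from those lines.

```python
import re
from collections import defaultdict

# Line shape of Foreman's production.log as quoted in this thread:
#   <timestamp> [<level>|<component>|<request id>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>[A-Z])\|(?P<comp>\w+)\|(?P<req>[0-9a-f]+)\] (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed login attempt from (?P<ip>[0-9.]+) with username '(?P<user>[^']*)'"
)

# Constructed sample modelled on the lines quoted above (not a real capture).
SAMPLE_LOG = """\
2020-10-05T11:02:35 [I|app|7c8ffbc9] Started POST "/users/login" for 127.0.0.1 at 2020-10-05 11:02:35 +0200
2020-10-05T11:02:35 [I|app|7c8ffbc9] Processing by UsersController#login as HTML
2020-10-05T11:02:35 [I|app|7c8ffbc9] invalid user
2020-10-05T11:02:35 [W|app|7c8ffbc9] Failed login attempt from 192.168.255.11 with username 'sam@infra.htm.lab'
2020-10-05T11:02:35 [I|app|7c8ffbc9] Completed 302 Found in 16ms (ActiveRecord: 6.9ms | Allocations: 2996)
2020-10-05T11:02:35 [I|app|307e6564] Started GET "/users/login" for 127.0.0.1 at 2020-10-05 11:02:35 +0200
2020-10-05T11:02:35 [I|app|307e6564] Completed 200 OK in 18ms (Views: 16.7ms | ActiveRecord: 0.0ms | Allocations: 24656)
2020-10-05T11:09:12 [W|app|a1b2c3d4] Failed login attempt from 192.168.255.11 with username 'sam@infra.htm.lab'
2020-10-05T11:09:12 [I|app|a1b2c3d4] Completed 302 Found in 14ms (ActiveRecord: 5.1ms | Allocations: 2901)
"""


def group_by_request(text):
    """Map each request id to the ordered list of (level, message) it logged."""
    reqs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reqs[m["req"]].append((m["level"], m["msg"]))
    return reqs


def failed_logins(text):
    """One record per request that logged a failed login attempt.

    'invalid_user' is True when the same request also logged 'invalid user',
    i.e. the submitted login never matched a Foreman user account.
    """
    out = []
    for req, entries in group_by_request(text).items():
        msgs = [msg for _, msg in entries]
        for msg in msgs:
            m = FAILED_RE.search(msg)
            if m:
                out.append({"req": req, "ip": m["ip"], "user": m["user"],
                            "invalid_user": "invalid user" in msgs})
    return out


def failures_per_source(text):
    """Count failed logins per client IP (the 'from' address, not the proxy's 127.0.0.1)."""
    counts = defaultdict(int)
    for rec in failed_logins(text):
        counts[rec["ip"]] += 1
    return dict(counts)
```

Point it at a real production.log with `failed_logins(open(path).read())` to see which failed logins were rejected as unknown users (a mapping or REMOTE_USER problem) versus ordinary bad passwords.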

Scratch my remark about it breaking. I ran the installer command, then restarted all services again for good measure.

And now it works again (including IPA authentication)!

So I started again from scratch and installed a Foreman 2.1 (with Katello 3.16) server. When configuring IPA authentication I used the command below and it worked straight away:

Note that it requires a full restart of the Foreman services to start functioning; if you don’t, you can get HTTP 500/502 errors.

foreman-installer --foreman-ipa-authentication true --foreman-passenger true
foreman-maintain service restart