Foreman 3.3 smartcard login via web UI

I’m trying to get Foreman’s Web UI to prompt for smartcard(s), verify that the smartcard owner is a valid user in FreeIPA, and log the user in. Foreman only provides options, out of the box, for utilizing FreeIPA’s TOTP MFA, which is not an acceptable solution due to organizational requirements.

I am looking for help / guidance with setting up the Apache web server that is installed with Foreman to leverage mod_auth_gssapi to prompt a user for their smartcard and then request my FreeIPA instance to validate that their account is valid. I understand that there are several examples of individuals setting up mod_auth_kerb, which is now outdated, to do similar, but I can’t find any reference material for leveraging gssapi.

I’ve been experimenting with modifying /etc/httpd/conf.d/05-foreman-ssl.d/auth_gssapi.conf to a small degree of success. In Edge, for example, it will at least prompt a user for a smartcard. I’ve tried configurations such as these:
<Location /users/extlogin>
SSLRequireSSL
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/httpd/httpd.keytab
GssapiPublishErrors On
GssapiUseS4U2Proxy On
GssapiCredStore client_keytab:/etc/httpd/httpd.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiDelegCcacheDir /var/run/httpd/clientcaches
GssapiImpersonate On
require pam-account foreman
ErrorDocument 401 'Kerberos authentication did not pass.'
# The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
ErrorDocument 500 'Kerberos authentication did not pass.'
</Location>

Or

<Location /users/extlogin>
SSLRequireSSL
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/httpd/httpd.keytab
GssapiSSLonly On
GssapiLocalName On
# require valid-user
require pam-account foreman
ErrorDocument 401 'Kerberos authentication did not pass.'
# The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
ErrorDocument 500 'Kerberos authentication did not pass.'
</Location>

With these configurations, I am generally getting the following error from Apache (/var/log/httpd/foreman-ssl_error_ssl.log):
[Wed Sep 20 11:27:07.504587 2023] [auth_gssapi:error] [pid 1822479:tid 140302866171648] [client REDACTEDIP:55064] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)]

I followed the steps at "Chapter 5. Configuring External Authentication" (Red Hat Satellite 6.12, Red Hat Customer Portal) to create an HTTP service for Foreman and have pulled that keytab. The keytab seems to check out as well:

[root@foreman 05-foreman-ssl.d]# kinit -V -kt /etc/httpd/httpd.keytab -P HTTP/foreman.freeipa.organization.com@FREEIPA.ORGANIZATION.COM
Using existing cache: 0:72770
Using principal: HTTP/foreman.freeipa.organization.COM@FREEIPA.ORGANIZATION.COM
Using keytab: /etc/httpd/httpd.keytab
Authenticated to Kerberos v5
[root@foreman 05-foreman-ssl.d]#

My FreeIPA instance is running on RHEL8.8 and is version 4.9.10.
My Foreman is running RHEL8.8.

The Foreman and FreeIPA instances are on the same realm.