Foreman LDAP authentication with Active Directory

Hey,

Is anybody using AD with foreman? If so, are you using LDAPS? I found
out today that AD requires LDAPS when an LDAP query requests a password
to be sent for verification. This would also necessitate the need to
have a certificate signed by the Active Directory CA. However, where
does this certificate then get placed on the foreman server?

Corey

Hello!

I am indeed using Active Directory (Win2k3), but unfortunately not via
LDAPS.
Usually this is not necessary to implement authentication for foreman
(although it would be more secure, of course).

I created a normal AD user account with limited rights, which is used to do
the initial bind to LDAP. After that, Foreman (or any other application)
will do a bind with the user's credentials.

Currently I am using the settings as displayed on
LDAP Authentication - Foreman, except for
the LDAPS part.

I hope this helps.

Kind regards
Hannes

··· On Mon, 25 Apr 2011 23:55:05 -0700 (PDT), Corey Osman wrote:

I'm running into this same situation. The replies so far do not seem
to address the certificate issue. Is there a way to do this?

Thanks,
Jake

··· On Apr 26, 1:55 am, Corey Osman wrote:

Note that it's also possible to use the current user's credentials in order
to bind to AD in the first place.

This binds to LDAP with the user name and password; if it works, then
the user is searched for and, if found, authenticated.

Ohad

··· On Tue, 2011-04-26 at 16:40 +0200, admin@cyberkov.at wrote:

I think what we would need to do is the following:

  1. Get a CSR (cert signing request) from the foreman server.
  2. Go to the CA (might be one of your AD servers):

http://myadserverthathatistheCA/certsrv/Default.asp (our win2k3 server)

  3. Request a certificate -> Advanced certificate request.
  4. Paste in the base64 encoded cert request in the "Saved Request" box.
  5. Choose "Web Server" for the certificate template.
  6. Download the signed certificate and use this cert for your SSL connection to foreman and for foreman to use with LDAPS.
     This is a very rough example of what it might look like in your apache configuration:

# Server Certificate
SSLCertificateFile /etc/httpd/conf/ssl.crt/domainname.com.crt

This is just a quick writeup of how I configured my iLO/LDAP integration with AD the other day. This probably won't work since this is
a foreman server, but maybe someone else can chime in
and adjust a few steps to get us into the right direction.

Ideally, foreman should have a button to load the signed cert for ldaps but maybe this will suffice.

Corey

··· On Apr 29, 2011, at 9:01 AM, Jake - USPS wrote:

Well, I got it to work for me! :slight_smile:

This is what I did. We get a signed cert from our CA that we are
allowed to use. It's not tied to our host, so it's nothing like you
described of generating a CSR on our system to get signed. I then
modified in foreman the following file: vendor/plugins/ruby-net-ldap/
lib/net/ldap.rb

Line 1214 is where, by default when using LDAPS, it will try to use
simple_tls to make an encrypted connection. In this block after

ctx = OpenSSL::SSL::SSLContext.new

and before

@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

I added a line

ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))

So again the following:

ctx = OpenSSL::SSL::SSLContext.new
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

Becomes:

ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

This got OpenSSL connections using my cert to work. However, my
logins were still failing. I found out when changing my port to the
LDAPS port and checking to use LDAPS that foreman reset my 'Account
Password' from what it was to 'xxxxxxxxxxxxx'. So I had to set that
back. I think the fake masked password actually gets applied when you
make tweaks to other settings. :frowning: This took me a while to figure
out, this should get fixed.

So everything is working fine for me now after this hack. Seems
pretty simple to get to work, so it shouldn't be very hard to add this
functionality directly to foreman and have a text field to point to
what cert to use in the future. I believe the harder part is probably
that everyone uses different types of certs and whatnot, so while this hack
is easy for my case, allowing a complete solution that works for
everyone could be more difficult.

Corey, if you are doing the private_key->csr->signed thingy, you may
need to have a block of code similar to mine with 1 extra line like:

ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("/path/to/privkey"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

Links to references that helped me out:

http://andyjeffries.co.uk/articles/x509-encrypted-authenticated-socket-ruby-client
http://www.spacevatican.org/2009/7/11/ruby-openssl-and-client-side-certificates
http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL.html

Regards,
Jake
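The two halves of this thread, Corey's CSR-then-sign procedure and Jake's SSLContext change, fit together in one offline Ruby walkthrough. The block below is an added example, not code from Foreman or from the ruby-net-ldap plugin, and it stands in for the AD CA with a constructed self-signed CA; the host name `foreman.example.internal`, the CA name, and the helper names `make_csr`, `make_ca`, `sign_csr`, `ldaps_context` and `accepted_by?` are all assumptions. The point it adds to the thread: the certificate the AD CA hands back (and the CA's own certificate) belongs in the client's trust store with `VERIFY_PEER`, so the LDAPS client actually checks the domain controller it talks to; `ctx.cert`/`ctx.key`, which Jake's hack sets, only present a client identity and do not verify the server by themselves.

```ruby
require 'openssl'

# Added example (not Foreman's or ruby-net-ldap's code). Everything here
# runs offline: a constructed CA plays the role of the AD certificate
# authority that the thread reaches through the certsrv page.
FOREMAN_HOST = 'foreman.example.internal' # assumed host name
KEY_BITS     = 2048
DIGEST       = 'SHA256'

# Corey's step 1: a private key stays on the Foreman host, a CSR is what
# gets pasted into the "Saved Request" box.
def make_csr(host, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  csr
end

# Constructed CA standing in for the Active Directory CA.
def make_ca
  key  = OpenSSL::PKey::RSA.new(KEY_BITS)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example AD Root CA')
  cert.issuer  = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [cert, key]
end

# Corey's steps 3-6 as the CA sees them: check the CSR's own signature,
# then issue a server/client certificate for the CSR's subject.
def sign_csr(csr, ca_cert, ca_key, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = serial
  cert.subject = csr.subject
  cert.issuer  = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth,clientAuth'))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# The LDAPS client side. The CA certificate goes into the trust store and
# peer verification is switched on, so a domain controller presenting a
# certificate from any other CA is rejected. A client certificate and key
# (what ctx.cert / ctx.key carry) are optional and only matter when the
# directory insists on client authentication.
def ldaps_context(ca_cert, client_cert: nil, client_key: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true # the DC's name must match its certificate
  if client_cert && client_key
    ctx.cert = client_cert
    ctx.key  = client_key
  end
  ctx
end

# Would this context trust the given server certificate chain?
def accepted_by?(ctx, cert, chain = [])
  ctx.cert_store.verify(cert, chain)
end

if __FILE__ == $PROGRAM_NAME
  ca_cert, ca_key = make_ca
  host_key = OpenSSL::PKey::RSA.new(KEY_BITS)
  csr = make_csr(FOREMAN_HOST, host_key)
  puts csr.to_pem # the base64 block for the certsrv "Saved Request" box
  signed = sign_csr(csr, ca_cert, ca_key, 2)
  puts "signed by our CA, accepted: #{accepted_by?(ldaps_context(ca_cert), signed)}"
  other_ca, = make_ca
  puts "unrelated CA, accepted: #{accepted_by?(ldaps_context(other_ca), signed)}"
end
```

Run it with `ruby ldaps_trust.rb`: it prints the CSR PEM and then `true` for a certificate issued by the trusted CA and `false` for one the trust store has never seen. In a deployment the trust store would be loaded from the CA certificate file exported from the AD CA (for example with `ctx.ca_file = "/path/to/ad-ca.pem"` in place of the in-memory store), and that, rather than the client certificate, is what answers Corey's question of where the certificate goes on the Foreman side.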

··· On Apr 29, 5:35 pm, Corey Osman wrote:

> Well, I got it to work for me! :slight_smile:

Great! Would be awesome to get a patch for it :wink:
> This got OpenSSL connections using my cert to work. However, my
> logins were still failing. I found out when changing my port to the
> LDAPS port and checking to use LDAPS that foreman reset my 'Account
> Password' from what it was to 'xxxxxxxxxxxxx'. So I had to set that
> back. I think the fake masked password actually gets applied when you
> make tweaks to other settings. :frowning: This took me a while to figure
> out, this should get fixed.

Ouch - would you mind creating a bug?


Thanks!
Ohad

··· On May 2, 7:29 pm, Jake - USPS wrote:

Did this functionality ever get built in? I'm just looking at the same
thing with Foreman 1.2.0 and I see it's been a while. The interface is a bit
different.

Thanks,
JSR/

··· On Monday, May 2, 2011 12:29:39 PM UTC-4, jmccann wrote:

Created Bug #872 (LDAP Auth Source Account Password reset - Foreman) for the masked password being
set as your password.

Yea, I won't be creating a patch for what I'm doing. :stuck_out_tongue: I had a
coworker help me and we are both not very familiar with Ruby. This
simple change for us took over a day to figure out. :frowning: Also, I think
a complete solution would be more complex than what works for me.

Thanks,
Jake

··· On May 2, 12:19 pm, ohad wrote: