Foreman login fails with Freeipa TwoFactor authentication

Problem:
Hi All,

We are currently using foreman 1.24 version and trying to upgrade to 2.3,. But we are facing issue with login with Redhat FreeIPA, here are the issue we are facing.

When i first upgraded to 2.0, 2.1 Forman Login fails if my user auth source have LDAP-FreeIAP(where our current auth source configured) and its work if we change back to EXTERNAL.

Second Issue when i upgraded to 2.2 and 2.3 my user logins completely fails with FreeIpa and complains invalid username. After some debug, Foreman allowing me to login if i disable Two Factor authentication on my IPA, with Just password with no OTP.

i have no clue whats the issue and where to look, could someone guide me on this.
Expected outcome:

Foreman and Proxy versions:
2.0 and 2.2
Foreman and Proxy plugin versions:
2.0 and 2.2
Distribution and version:

Other relevant data:

Could someone please provide me some pointers.

This sounds to me as if you have FreeIPA configured as LDAP and external Authentication Source. That can’t be good, because either you go through the Kerberos/IPA authentication or through the standard login and both are different accounts for foreman.

Either you use FreeIPA via LDAP only using the standard login form, then remove the external authentication source, only use FreeIPA via Kerberos and external authentication after you have set it up as describe in the chapter 5.7.

Mixing it makes it much harder to troubleshoot because it can either be LDAP or Kerberos and it results it completely different authentication and local accounts.

1 Like

Thanks gvde,
Could you please correct me about the understanding of your response,

We have httpd service which use below login form

<LocationMatch ^/users/(ext)?login$>
LookupUserAttr email REMOTE_USER_EMAIL " "
LookupUserAttr firstname REMOTE_USER_FIRSTNAME
LookupUserAttr lastname REMOTE_USER_LASTNAME
LookupUserGroupsIter REMOTE_USER_GROUP

and the auth source configured on to freeipa with necessary groups. And this setup working presently. This is configured as per documents you mention. I am still dont have clue authentication working even after the upgraded if user in the free ipa not enable two factor. Why it only fails if OTP enable. How foreman validate this.

Do you want me remove apache mod authentication ?

I can’t really tell you what to do. As I wrote before: from what you wrote initially, it sounds to me as if you have configured an LDAP authentication source connecting to your IPA and also configured it as external authentication source. You have two separate, distinct authentication source which however have the same accounts with the same username and same password. So basically, all accounts exist twice and depending on which way the user was authenticated it creates an LDAP source or a external source account in foreman.

I can’t tell you which source to use. Just don’t use both. It’s a mess. Decide to use one of them only: either connect to your IPA via LDAP or use external authentication.

So yes, if you want to use LDAP only, you have to remove the changes made in that chapter I have mentioned. If you want to use external only, remove the LDAP authentication source. Either way, make user that all users are only assigned to the authentication source you want to use.

If you go through LDAP, I think you have to enter the OTP code directly into the password field right after the password.

For external, I am not sure. I guess it the same, however I think you have to enable the otp indicator on the service principal you are using to allow for otp. But I am not sure. At this time I am using IPA only via LDAP and I only briefly tested kerberos and not with otp enabled…

Are you using the installer to set up your apache config or are you doing it manually?
In 2.1 we switched the default webserver from passenger to puma, which required a change in how the headers are passed from apache. This was fixed in 2.2 with Bug #30535: When using Puma with Foreman 2.1 FreeIPA external authentication does not work - Foreman but if you don’t use the installer to manage your apache config you may need to make similar changes on your own.