hi,
according to the satellite documentation ( https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/adm...) this should work, but it's a bit unclear as to how.
Let's see, we have a cross-realm trust between an AD (2016) and RHEL 7.7. I have an external group mapped in IdM to an AD group, and I can log in using ssh with my AD user to the host running the foreman, which is a member of IdM (not satellite, I know, but we require some functionality in the foreman not available in satellite). So far so good.
But what exactly do I need to do now? According to the manual:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/adm... 13.3.6. Configuring the IdM Server to Use Cross-Forest Trust
On the IdM server, configure the server to use cross-forest trust.
*Procedure*
1. Enable HBAC:
   1. Create an external group and add the AD group to it.
   2. Add the new external group to a POSIX group.
   3. Use the POSIX group in a HBAC rule.
2. Configure sssd to transfer additional attributes of AD users.
   - Add the AD user attributes to the *nss* and *domain* sections in /etc/sssd/sssd.conf.
     For example:
     [nss]
     user_attributes=+mail, +sn, +givenname
     [domain/EXAMPLE]
     ldap_user_extra_attrs=mail, sn, givenname
So I have the external group mapped to a POSIX group, and I can log in with my AD user, so that takes care of 1.a), 1.b) and 1.c).
Point 2 means I need to modify sssd.conf in the foreman host, I think.
And then?
-- Groeten, natxo
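A small consistency check for step 2 of the quoted procedure, added here as an example and not part of the thread or of any Red Hat/Foreman tooling: it parses an sssd.conf, normalizes the `+name` form used in `[nss] user_attributes` and the `name[:ldap_attr]` form used in `ldap_user_extra_attrs`, and reports attributes a domain fetches from AD but does not expose through NSS (the mismatch that leaves mail/sn/givenname empty on the Foreman side). The embedded config is a constructed fragment mirroring the manual's example, not a real host's file.

```python
"""Check that attributes sssd fetches per domain are also exposed via [nss]."""
import configparser

# Constructed sssd.conf fragment modelled on the manual's example (not a real host's file).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ifp
domains = EXAMPLE

[nss]
user_attributes = +mail, +sn, +givenname

[domain/EXAMPLE]
id_provider = ipa
ldap_user_extra_attrs = mail, sn, givenname
"""


def _attr_list(value):
    """Split 'a, +b, c:ldapAttr' into normalized attribute names (no '+', no LDAP mapping)."""
    names = []
    for item in value.split(","):
        item = item.strip().lstrip("+")
        if item:
            names.append(item.split(":", 1)[0].lower())
    return names


def check_extra_attrs(conf_text):
    """Return {domain_section: [attributes fetched but not listed in [nss] user_attributes]}.

    An empty dict means every ldap_user_extra_attrs entry is exposed through NSS.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    exposed = set(_attr_list(cp.get("nss", "user_attributes", fallback="")))
    problems = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        fetched = _attr_list(cp.get(section, "ldap_user_extra_attrs", fallback=""))
        missing = [name for name in fetched if name not in exposed]
        if missing:
            problems[section] = missing
    return problems


if __name__ == "__main__":
    # On a real host: check_extra_attrs(open("/etc/sssd/sssd.conf").read())
    print(check_extra_attrs(SAMPLE_SSSD_CONF) or "nss and domain attribute lists agree")
```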
On Wed, Mar 18, 2020 at 6:49 PM Natxo Asenjo natxo.asenjo@gmail.com wrote:
just for completeness, I had missed this piece:
From the Satellite point of view, the configuration process is the same as integration with IdM server without cross-forest trust configured. The Satellite Server has to be enrolled in the IdM domain and integrated as described in Section 13.2, “Using Identity Management” https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/administering_red_hat_satellite/chap-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Identity_Management.
So I went ahead, created the service and followed https://theforeman.org/manuals/1.24/index.html#5.7ExternalAuthentication; it worked out of the box.
Amazing, very very nice.
-- Groeten, natxo
freeipa-users@lists.fedorahosted.org