From a4b868f993990c997404c85787c32009a0ea5ba5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Mon, 5 Aug 2024 08:50:58 +0200 Subject: [PATCH] Review & edit IPA external authentication user story (#3015) * Redefine FreeIPA attributes for RH d/s * Review and edit the FreeIPA external authentication story * Review and clarify configuring Hammer for FreeIPA Based on https://github.com/theforeman/hammer-cli-foreman/blob/master/doc/configuration.md * Drop warning about restart after satellite-maintain --------- Co-authored-by: Maximilian Kolb (cherry picked from commit e65c2fbb22eca67418ada3e230a184454205eba6) --- guides/common/assembly_accessing-server.adoc | 6 +- ...xternal-identity-provider-for-project.adoc | 7 -- ...xternal-identity-provider-for-project.adoc | 3 - ...y_configuring-external-authentication.adoc | 6 +- ...xternal-identity-provider-for-project.adoc | 15 +++ guides/common/attributes-satellite.adoc | 4 +- ...ive-directory-with-cross-forest-trust.adoc | 9 -- ...xternal-identity-provider-for-project.adoc | 4 - ...xternal-identity-provider-for-project.adoc | 6 - ...xternal-identity-provider-for-project.adoc | 12 +- ...xternal-identity-provider-for-project.adoc | 12 ++ guides/common/modules/con_using-freeipa.adoc | 23 ---- ...ring-freeipa-authentication-on-server.adoc | 109 ---------------- ...mer-cli-to-accept-freeipa-credentials.adoc | 30 +++++ ...r-freeipa-users-logging-in-to-project.adoc | 115 +++++++++++++++++ ...ing-host-based-authentication-control.adoc | 62 ---------- ...uthentication-source-on-projectserver.adoc | 41 +++++++ ...li-to-use-freeipa-user-authentication.adoc | 30 ----- ...lling-projectserver-in-freeipa-domain.adoc | 116 ++++++++++++++++++ ...o-hammer-cli-with-freeipa-credentials.adoc | 58 +++++++++ ...ui-with-freeipa-credentials-in-chrome.adoc | 42 +++++++ ...reeipa-credentials-in-mozilla-firefox.adoc | 35 ++++++ ...he-ProjectWebUI-with-a-Chrome-browser.adoc | 46 ------- ...e-ProjectWebUI-with-a-Firefox-browser.adoc | 36 ------ 
...s-to-log-in-to-the-project-hammer-cli.adoc | 60 --------- ...snip_do-not-use-both-ldap-and-freeipa.adoc | 4 - 26 files changed, 480 insertions(+), 411 deletions(-) delete mode 100644 guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc create mode 100644 guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/modules/con_active-directory-with-cross-forest-trust.adoc delete mode 100644 guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc create mode 100644 guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/modules/con_using-freeipa.adoc delete mode 100644 guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc create mode 100644 guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc create mode 100644 guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc delete mode 100644 guides/common/modules/proc_configuring-host-based-authentication-control.adoc create mode 100644 guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc delete mode 100644 guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc create mode 100644 guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc create mode 100644 guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc create 
mode 100644 guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc create mode 100644 guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc delete mode 100644 guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc delete mode 100644 guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc delete mode 100644 guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc delete mode 100644 guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc diff --git a/guides/common/assembly_accessing-server.adoc b/guides/common/assembly_accessing-server.adoc index 1bdff63af6a..6f40b305a59 100644 --- a/guides/common/assembly_accessing-server.adoc +++ b/guides/common/assembly_accessing-server.adoc @@ -8,11 +8,11 @@ endif::[] include::modules/proc_logging-in.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc[leveloffset=+1] include::modules/proc_changing-the-password.adoc[leveloffset=+1] 
diff --git a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index f6946b6858e..00000000000 --- a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc +++ /dev/null @@ -1,7 +0,0 @@ -include::modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[] - -include::modules/con_using-freeipa.adoc[leveloffset=+1] - -include::modules/proc_configuring-freeipa-authentication-on-server.adoc[leveloffset=+1] - -include::modules/proc_configuring-host-based-authentication-control.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index 0a269888bc5..00000000000 --- a/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc +++ /dev/null @@ -1,3 +0,0 @@ -include::modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc[] - -include::modules/con_active-directory-with-cross-forest-trust.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-external-authentication.adoc b/guides/common/assembly_configuring-external-authentication.adoc index d9146124e04..0e0e6a14f28 100644 --- a/guides/common/assembly_configuring-external-authentication.adoc +++ b/guides/common/assembly_configuring-external-authentication.adoc 
@@ -2,9 +2,7 @@ include::modules/con_configuring-external-authentication.adoc[] include::assembly_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] -include::assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] - -include::assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] +include::assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] ifdef::context[:parent-context: {context}] :context: keycloak-wildfly-general @@ -56,6 +54,4 @@ include::modules/proc_refreshing-external-user-groups-for-ldap.adoc[leveloffset= include::modules/con_refreshing-external-user-groups-for-freeipa-or-ad.adoc[leveloffset=+1] -include::modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc[leveloffset=+1] - include::modules/proc_disabling-keycloak-authentication.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc new file mode 100644 index 00000000000..7339a301f26 --- /dev/null +++ b/guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc 
@@ -0,0 +1,15 @@ +include::modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc[] + +include::modules/proc_enrolling-projectserver-in-freeipa-domain.adoc[leveloffset=+1] + +include::modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc[leveloffset=+1] + +include::modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc[leveloffset=+1] + +include::modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc[leveloffset=+1] + +include::modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc[leveloffset=+1] + +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc[leveloffset=+1] + +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc[leveloffset=+1] diff --git a/guides/common/attributes-satellite.adoc b/guides/common/attributes-satellite.adoc index 02ee22607f4..c65a27ef91c 100644 --- a/guides/common/attributes-satellite.adoc +++ b/guides/common/attributes-satellite.adoc @@ -68,8 +68,8 @@ :foreman-installer-package: satellite-installer :foreman-installer: satellite-installer :foreman-maintain: satellite-maintain -:FreeIPA: Red{nbsp}Hat Identity Management -:FreeIPA-context: Red_Hat_Identity_Management +:FreeIPA: Identity{nbsp}Management +:FreeIPA-context: Identity_Management :hammer-smart-proxy: hammer capsule :installer-log-file: /var/log/foreman-installer/satellite.log :installer-scenario-smartproxy: satellite-installer --scenario capsule diff --git a/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc b/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc deleted file mode 100644 index e68a4612830..00000000000 --- a/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc +++ /dev/null 
@@ -1,9 +0,0 @@ -[id="Active_Directory_with_Cross_Forest_Trust_{context}"] -= Active Directory with cross-forest trust - -Kerberos can create `cross-forest trust` that defines a relationship between two otherwise separate domain forests. -A domain forest is a hierarchical structure of domains; both AD and {FreeIPA} constitute a forest. -With a trust relationship enabled between AD and {FreeIPA}, users of AD can access Linux hosts and services using a single set of credentials. - -From the {Project} point of view, the configuration process is the same as integration with {FreeIPA} server without cross-forest trust configured. -{ProjectServer} has to be enrolled in the IdM domain and integrated as described in xref:Using_FreeIPA_{context}[]. diff --git a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index a92867ce2c3..00000000000 --- a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc +++ /dev/null @@ -1,4 +0,0 @@ -[id="configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}"] -= Configuring a {FreeIPA} server as an external identity provider for {Project} - -{FreeIPA} deals with the management of individual identities, their credentials, and privileges used in a networking environment. diff --git a/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index 1428dcf9f7d..00000000000 
--- a/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc +++ /dev/null @@ -1,6 +0,0 @@ -[id="configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project_{context}"] -= Configuring Active Directory integrated with {FreeIPA} through cross-forest Kerberos trust as an external identity provider for {Project} - -Kerberos can create `cross-forest trust` that defines a relationship between two otherwise separate domain forests. -A domain forest is a hierarchical structure of domains; both AD and {FreeIPA} constitute a forest. -With a trust relationship enabled between AD and {FreeIPA}, AD users can access Linux hosts and services using a single set of credentials. diff --git a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc index 8e4b9c16e2b..95287c882e1 100644 --- a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc 
@@ -7,9 +7,17 @@ Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. With {Project}, you can use one or multiple LDAP directories for external authentication. +[NOTE] +==== +While you can configure the LDAP server integrated with {FreeIPA} as an external authentication source, {FreeIPA} users will not be able to log in using single sign-on. +Instead, consider configuring {FreeIPA} as an external identity provider. +For more information, see xref:configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}[]. +==== + [IMPORTANT] ==== -include::snip_do-not-use-both-ldap-and-freeipa.adoc[] +Users cannot use both {FreeIPA} and LDAP as an authentication method. +After a user authenticates by using one of these methods, they cannot use the other method. -For more information on using {FreeIPA} as an authentication method, see xref:Using_FreeIPA_{context}[]. +To change the authentication method for a user, remove the automatically created user from {Project}. ==== diff --git a/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc new file mode 100644 index 00000000000..8c7504c1124 --- /dev/null +++ b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc 
@@ -0,0 +1,12 @@ +[id="configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}"] += Configuring {FreeIPA} server as an external identity provider for {Project} + +{FreeIPA} is an open-source identity management solution that provides centralized authentication, authorization, and account management services. +With {Project}, you can integrate {ProjectServer} with your existing {FreeIPA} server to enable {FreeIPA} users to authenticate to {Project}. + +With your {FreeIPA} server configured as an external identity provider, users defined in {FreeIPA} can log in to {Project} with their {FreeIPA} credentials. +If a cross-forest trust is configured between {FreeIPA} and Active{nbsp}Directory, Active{nbsp}Directory users can also log in to {Project}. +The following login methods are available: + +* Username and password +* Kerberos single sign-on diff --git a/guides/common/modules/con_using-freeipa.adoc b/guides/common/modules/con_using-freeipa.adoc deleted file mode 100644 index cce3b4bc278..00000000000 --- a/guides/common/modules/con_using-freeipa.adoc +++ /dev/null 
@@ -1,23 +0,0 @@ -[id="Using_FreeIPA_{context}"] -= Using {FreeIPA} - -This section shows how to integrate {ProjectServer} with a {FreeIPA} server and how to enable host-based access control. - -[NOTE] -==== -You can attach {FreeIPA} as an external authentication source with no single sign-on support. -For more information, see xref:configuring-an-ldap-server-as-an-external-identity-provider-for-project_{context}[]. -==== - -[IMPORTANT] -==== -include::snip_do-not-use-both-ldap-and-freeipa.adoc[] -==== - -.Prerequisites -* The base operating system of {ProjectServer} must be enrolled in the {FreeIPA} domain by the {FreeIPA} administrator of your organization. - -The examples in this chapter assume separation between {FreeIPA} and {Project} configuration. -ifndef::orcharhino[] -However, if you have administrator privileges for both servers, you can configure {FreeIPA} as described in {RHELDocsBaseURL}9/html-single/installing_identity_management/index[_{RHEL}{nbsp}9 Installing Identity Management_] or {RHELDocsBaseURL}8/html-single/installing_identity_management/index[_{RHEL}{nbsp}8 Installing Identity Management Guide_]. -endif::[] diff --git a/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc b/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc deleted file mode 100644 index 1641c918fa0..00000000000 --- a/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc +++ /dev/null 
@@ -1,109 +0,0 @@ -[id="Configuring_FreeIPA_Authentication_on_Server_{context}"] -= Configuring {FreeIPA} authentication on {ProjectServer} - -In the {Project} CLI, configure {FreeIPA} authentication by first creating a host entry on the {FreeIPA} server. - -.Procedure -. On the {FreeIPA} server, to authenticate, enter the following command and enter your password when prompted: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# kinit _admin_ ----- -. To verify that you have authenticated, enter the following command: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# klist ----- -. On the {FreeIPA} server, create a host entry for {ProjectServer} and generate a one-time password, for example: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa host-add --random _hostname_ ----- -+ -[NOTE] -==== -The generated one-time password must be used on the client to complete {FreeIPA}-enrollment. -==== -+ -ifdef::satellite[] -For more information on host configuration properties, see {RHELDocsBaseURL}8/html-single/configuring_and_managing_identity_management/index#con_host-entry-LDAP_managing-hosts-ui[Host entry in IdM LDAP] in _{RHEL}{nbsp}8 Configuring and managing Identity Management_. -endif::[] -. Create an HTTP service for {ProjectServer}, for example: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa service-add HTTP/_hostname_ ----- -+ -ifdef::satellite[] -For more information on managing services, see {RHELDocsBaseURL}9/html/accessing_identity_management_services/index[_{RHEL}{nbsp}9 Accessing Identity Management services_]. -endif::[] -. On {ProjectServer}, install the IPA client: -ifdef::satellite[] -+ -[WARNING] -==== -This command might restart {Project} services during the installation of the package. 
-For more information about installing and updating packages on {Project}, see {AdministeringDocURL}Managing_Packages_on_the_Base_Operating_System_admin[Managing Packages on the Base Operating System of {ProjectServer} or {SmartProxyServer}] in _{AdministeringDocTitle}_. -==== -endif::[] -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {project-package-install} ipa-client ----- -. On {ProjectServer}, enter the following command as root to configure {FreeIPA}-enrollment: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa-client-install --password _OTP_ ----- -+ -Replace _OTP_ with the one-time password provided by the {FreeIPA} administrator. -ifdef::foreman-deb[] -. Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# hostname -{foreman-example-com} ----- -+ -Otherwise, `{foreman-installer}` cannot generate the right principal name that is needed to join the realm. -endif::[] -. Set {FreeIPA} as the authentication provider, using one of the following commands: -* If you only want to enable access to the {ProjectWebUI} but not the {Project} API, enter: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {foreman-installer} \ ---foreman-ipa-authentication=true ----- -* If you want to enable access both to the {ProjectWebUI} and the {Project} API, enter: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {foreman-installer} \ ---foreman-ipa-authentication-api=true \ ---foreman-ipa-authentication=true ----- -+ -[WARNING] -==== -Enabling access to both the {Project} API and the {ProjectWebUI} can lead to security problems. -After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering `kinit _user_name_`, an attacker can obtain an API session. 
-The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. -==== -. Restart {Project} services: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {foreman-maintain} service restart ----- - -External users can now log in to {Project} using their {FreeIPA} credentials. -They can now choose to either log in to {ProjectServer} directly using their username and password or take advantage of the configured Kerberos single sign-on and obtain a ticket on their client machine and be logged in automatically. -The two-factor authentication with one-time password (2FA OTP) is also supported. diff --git a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc new file mode 100644 index 00000000000..0cbf95672df --- /dev/null +++ b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc 
@@ -0,0 +1,30 @@ +[id="configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}"] += Configuring Hammer CLI to accept {FreeIPA} credentials + +Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users. + +.Prerequisites +* You have enabled {FreeIPA} access to the {Project} API. +For more information, see xref:configuring-the-freeipa-authentication-source-on-projectserver_{context}[]. + +.Procedure +* Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters: +** To enforce session usage, enable `:use_sessions:`: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +:foreman: + :use_sessions: true +---- ++ +With this configuration, you will need to initiate an authentication session manually with `hammer auth login negotiate`. +** Alternatively, to enforce session usage and also negotiate authentication by default: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +:foreman: + :default_auth_type: 'Negotiate_Auth' + :use_sessions: true +---- ++ +With this configuration, Hammer will negotiate authentication automatically when you enter the first `hammer` command. diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc new file mode 100644 index 00000000000..a26a69e405c --- /dev/null +++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc 
@@ -0,0 +1,115 @@ +[id="configuring-host-based-access-control-for-{Freeipa-context}-users-logging-in-to-project_{context}"] += Configuring host-based access control for {FreeIPA} users logging in to {Project} + +You can use host-based access control (HBAC) rules to manage access control within your {FreeIPA} domain. +In {FreeIPA}, HBAC rules define which users can access which hosts and which services can be used to gain access. + +For example, you can configure HBAC on the {FreeIPA} server to limit access to {ProjectServer} only to selected users or user groups. +By configuring a HBAC rule in the {FreeIPA} domain, you can ensure {Project} does not create database entries for users who should not have access. + +.Prerequisites +* {FreeIPA} user account with privileges to configure HBAC rules + +.Procedure +. On the {FreeIPA} server, configure HBAC control. +ifndef::orcharhino[] +For more information, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. +endif::[] +.. Create a HBAC service for {ProjectServer}. +.. Create a new HBAC rule to define the required access control. +Add the following {FreeIPA} entities to the HBAC rule: +... The HBAC service for {ProjectServer} +... The {ProjectServer} host +... The users or user groups to whom you want to grant access +.. Make sure the default {FreeIPA} `allow_all` rule is disabled. +ifdef::satellite[] +For information about how to disable `allow_all` without disrupting other services, see the https://access.redhat.com/solutions/67895[How to configure HBAC rules in IdM] article on the Red{nbsp}Hat Customer Portal. 
+endif::[] +. On your {ProjectServer}, load the host-based access control rules from {FreeIPA}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} --foreman-pam-service=foreman-prod +---- + +.Verification +* Log in to the {ProjectWebUI} as a user defined in {FreeIPA}. +** If the user is included in the HBAC rule, {ProjectWebUI} will grant access. +** If the user is not included in the HBAC rule, {ProjectWebUI} will not grant access. + +ifndef::satellite[] +.Additional resources +* For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://freeipa.readthedocs.io/en/latest/workshop/4-hbac.html[Host-based access control (HBAC)] in {FreeIPA} documentation. +endif::[] + +.Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line +==== + +On the {FreeIPA} server, a user with administrative privileges configures a HBAC rule to allow selected users access to {ProjectServer}: + +. Authenticate as the user with privileges required to configure HBAC rules: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _admin_ +---- +. Optional: Verify that you have authenticated successfully: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ klist +---- +. Create a new HBAC service named `{project-context}-prod`: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacsvc-add {project-context}-prod +---- +. Create a new HBAC rule: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-add _allow-{project-context}-prod_ +---- +. Add the following {FreeIPA} entities to the HBAC rule: +.. The `{project-context}-prod` HBAC service: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-add-service _allow-{project-context}-prod_ --hbacsvcs={project-context}-prod +---- ++ +.. 
The {ProjectServer} host: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-add-host _allow-{project-context}-prod_ --hosts=_{foreman-example-com}_ +---- ++ +.. The users or user groups to whom you want to grant access: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-add-user _allow-{project-context}-prod_ --user=_ipa-user_ +---- ++ +. Optional: Verify the status of the rule: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-find _{project-context}-prod_ +$ ipa hbactest --user=_ipa-user_ --host=_{foreman-example-com}_ --service={project-context}-prod +---- +. Disable the default `allow_all` rule: +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-disable allow_all +---- + +On {ProjectServer}, a {Project} administrator re-runs {foreman-installer} to load the host-based access control rules from {FreeIPA}: + +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} --foreman-pam-service={project-context}-prod +---- +==== diff --git a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc deleted file mode 100644 index 336f241f2e4..00000000000 --- a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc +++ /dev/null 
@@ -1,62 +0,0 @@ -[id="Configuring_Host_Based_Authentication_Control_{context}"] -= Configuring host-based authentication control - -HBAC rules define which machine within the domain a {FreeIPA} user is allowed to access. -You can configure HBAC on the {FreeIPA} server to prevent selected users from accessing {ProjectServer}. -With this approach, you can prevent {Project} from creating database entries for users that are not allowed to log in. -ifndef::orcharhino[] -For more information on HBAC, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/index[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/index[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. -endif::[] - -On the {FreeIPA} server, configure Host-Based Authentication Control (HBAC). - -.Procedure -. On the {FreeIPA} server, to authenticate, enter the following command and enter your password when prompted: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# kinit _admin_ ----- -. To verify that you have authenticated, enter the following command: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# klist ----- -. Create HBAC service and rule on the {FreeIPA} server and link them together. -The following examples use the PAM service name _{project-context}-prod_. -Execute the following commands on the {FreeIPA} server: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa hbacsvc-add {project-context}-prod -# ipa hbacrule-add allow_{project-context}_prod -# ipa hbacrule-add-service allow_{project-context}_prod --hbacsvcs={project-context}-prod ----- -. 
Add the user who is to have access to the service {project-context}-prod, and the hostname of {ProjectServer}: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa hbacrule-add-user allow_{project-context}_prod --user=_username_ -# ipa hbacrule-add-host allow_{project-context}_prod --hosts=_{foreman-example-com}_ ----- -+ -Alternatively, host groups and user groups can be added to the _allow_{project-context}_prod_ rule. -. To check the status of the rule, execute: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa hbacrule-find {project-context}-prod -# ipa hbactest --user=_username_ --host=_{foreman-example-com}_ --service={project-context}-prod ----- -. Ensure the allow_all rule is disabled on the {FreeIPA} server. -ifndef::orcharhino[] -For instructions on how to do so without disrupting other services see the https://access.redhat.com/solutions/67895[How to configure HBAC rules in IdM] article on the Red{nbsp}Hat Customer Portal. -endif::[] -. Configure the {FreeIPA} integration with {ProjectServer} as described in xref:Configuring_FreeIPA_Authentication_on_Server_{context}[]. -On {ProjectServer}, define the PAM service as root: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {foreman-installer} --foreman-pam-service={project-context}-prod ----- diff --git a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc new file mode 100644 index 00000000000..f93fc060a04 --- /dev/null +++ b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc 
@@ -0,0 +1,41 @@ +[id="configuring-the-freeipa-authentication-source-on-projectserver_{context}"] += Configuring the {FreeIPA} authentication source on {ProjectServer} + +Enable {FreeIPA} users to access {Project} by configuring {FreeIPA} as an authentication provider on your {ProjectServer}. + +.Prerequisites +* {ProjectServer} running on a system that is enrolled in the {FreeIPA} domain. + +.Procedure +* To enable access to the {ProjectWebUI} only: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} \ +--foreman-ipa-authentication=true +---- +* To enable access to the {ProjectWebUI} and the {Project} API, including Hammer CLI: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} \ +--foreman-ipa-authentication-api=true \ +--foreman-ipa-authentication=true +---- ++ +[WARNING] +==== +Enabling access to both the {ProjectWebUI} and the {Project} API poses a security risk. +After the {FreeIPA} user enters `kinit` to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session. +The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. +==== +* To disable external authentication with {FreeIPA}, reset the options. +For example, to disable access to the {Project} API and Hammer CLI: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} --reset-foreman-ipa-authentication-api +---- + +.Verification +* Log in to {ProjectWebUI} by entering the credentials of a user defined in {FreeIPA}. diff --git a/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc b/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc deleted file mode 100644 index 9c0eb353c9b..00000000000 --- a/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc +++ /dev/null 
@@ -1,30 +0,0 @@ -[id="Configuring_the_Hammer_CLI_to_Use_{FreeIPA-context}_User_Authentication_{context}"] -= Configuring the Hammer CLI to use {FreeIPA} user authentication - -This section describes how to configure the {Project} Hammer command-line interface (CLI) tool to use {FreeIPA} (IdM) to authenticate users. - -.Prerequisites -* You are logged in to the host from which you want to access {Project} by using Hammer. - -.Procedure -. Enable sessions in the `~/.hammer/cli.modules.d/foreman.yml` Hammer configuration file by adding the `:use_sessions: true` line to the `foreman` parameters: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:foreman: - :use_sessions: true ----- -+ -Adding the line enforces session usage in Hammer. -This means that Hammer performs the authentication request only once instead of with each `hammer` command. -. Optional: Enable negotiate authentication in the `~/.hammer/cli.modules.d/foreman.yml` Hammer configuration file by adding the `:default_auth_type: 'Negotiate_Auth'` line to the `foreman` parameters: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -:foreman: - :default_auth_type: 'Negotiate_Auth' - :use_sessions: true ----- -+ -Adding this line means that your authentication is negotiated when you enter the first `hammer` command. -If this entry is present, Hammer tries to communicate with {ProjectServer} using the negotiation protocol. diff --git a/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc new file mode 100644 index 00000000000..3dc0a1a72e1 --- /dev/null +++ b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc 
@@ -0,0 +1,116 @@ +[id="enrolling-projectserver-in-freeipa-domain_{context}"] += Enrolling {ProjectServer} in a {FreeIPA} domain + +Create a host entry for your {ProjectServer} system in the {FreeIPA} LDAP and configure the system to be a client in your {FreeIPA} domain. + +.Prerequisites +* An existing {FreeIPA} server +* {FreeIPA} user account with privileges to enroll new {FreeIPA} hosts + +.Procedure +. On the {FreeIPA} server: +.. Create a host entry for the {ProjectServer} system. +ifndef::orcharhino[] ++ +For more information, see link:{RHELDocsBaseURL}8/html/configuring_and_managing_identity_management/index[{RHEL}{nbsp}8 Configuring and managing Identity Management] or link:{RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. +endif::[] +.. Create an entry for the HTTP service for {ProjectServer}. +This enables access to the keytab file by creating a service principal for your {ProjectServer}. +ifndef::orcharhino[] ++ +For more information on creating a service entry in {FreeIPA}, see +link:{RHELDocsBaseURL}8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index[{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules] or link:{RHELDocsBaseURL}9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. +endif::[] +. On your {ProjectServer}, configure the system as client in the {FreeIPA} domain. +This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the `ipa-client-install` utility. 
+ifndef::orcharhino[] ++ +For more information, see link:{RHELDocsBaseURL}/8/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}8 Installing Identity Management] or link:{RHELDocsBaseURL}/9/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}9 Installing Identity Management]. +endif::[] ++ +[NOTE] +==== +To install packages on your {ProjectServer}, use the `{foreman-installer}` utility. +==== +ifdef::foreman-deb[] ++ +. Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# hostname +{foreman-example-com} +---- ++ +Otherwise, `{foreman-installer}` cannot generate the right principal name that is needed to join the realm. +endif::[] + +.Verification +* On your {ProjectServer}, check that you are able to resolve a user defined on the {FreeIPA} server. +For example, to check the `admin` user that {FreeIPA} creates by default: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ id admin +---- + +.Enrolling a {ProjectServer} system as a {FreeIPA} client from the command line by using a one-time password +==== +On the {FreeIPA} server, a user named _admin_ who has administrative privileges on the {FreeIPA} server prepares a host entry for the {ProjectServer} system: + +. Authenticate as the {FreeIPA} _admin_ user: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# kinit _admin_ +---- +. Optional: Verify that you have authenticated successfully: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# klist +---- +. Create a host entry from the command line. +Specify that you want to use a random password for the enrollment. 
++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa host-add --random _{project-context}-server.example.com_ +-------------------------------------------------- + Added host "{project-context}-server.example.com" + -------------------------------------------------- + Host name: {project-context}-server.example.com + Random password: W5YpARl=7M.n + Password: True + Keytab: False + Managed by: ipa-server.example.com +---- +. Enable access to the keytab file by creating a service principal for your {ProjectServer}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa service-add HTTP/_{project-context}-server.example.com_ +---- + +On the {ProjectServer} system, a user with {Project} administrative privileges enrolls the system into the {FreeIPA} domain: + +. Install the {FreeIPA} client packages: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {project-package-install} ipa-client +---- +. Configure the {ProjectServer} system a client in {FreeIPA} by using the random password produced by `ipa host-add` in a previous step: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa-client-install --password 'W5YpARl=7M.n' +---- ++ +. Verify that you are able to resolve the {FreeIPA} `admin` user from your {ProjectServer}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ id admin +---- +==== diff --git a/guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc b/guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc new file mode 100644 index 00000000000..d2fa865f0c1 --- /dev/null +++ b/guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc 
@@ -0,0 +1,58 @@ +[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{project-context}_Hammer_CLI_{context}"] += Logging in to Hammer CLI with {FreeIPA} credentials + +Authenticate to the {Project} Hammer CLI with your {FreeIPA} username and password. + +.Prerequisites +* You have configured Hammer CLI to accept {FreeIPA} credentials. +ifeval::["{context}" == "{project-context}"] +See xref:configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[]. +endif::[] +ifeval::["{context}" != "{project-context}"] +ifndef::orcharhino[] +For more information, see {InstallingServerDocURL}configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[Configuring Hammer CLI to accept {FreeIPA} credentials] in _{InstallingServerDocTitle}_. +endif::[] +endif::[] + +.Procedure +. Authenticate as a user defined in {FreeIPA} to obtain a Kerberos ticket-granting ticket (TGT): ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _{FreeIPA-context}_user_ +---- ++ +[WARNING] +==== +If you enabled access to the {Project} API and the {ProjectWebUI} when you were configuring {FreeIPA} as the authentication provider for {Project}, an attacker might now obtain an API session after the user receives the Kerberos TGT. +The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. +==== +. If Hammer is not configured to negotiate authentication, initiate an authentication session manually: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ hammer auth login negotiate +---- + +[NOTE] +==== +If you destroy the active Kerberos ticket, for example with `kdestroy`, you will still be logged in to Hammer. +To log out, enter `hammer auth logout`. +==== + +.Verification +* Use any `hammer` command to check that the system does not ask you to authenticate. 
+For example: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ hammer host list +---- + +.Additional resources + +* For more information about authenticating with Hammer, see +ifdef::satellite[] +link:{HammerDocURL}sect-CLI_Guide-Authentication[{HammerDocTitle}] or +endif::[] +`hammer auth --help`. \ No newline at end of file diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc new file mode 100644 index 00000000000..846ed858275 --- /dev/null +++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc 
@@ -0,0 +1,42 @@ +[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Chrome-browser_{context}"] += Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Chrome + +You can use Chrome to log in to the {ProjectWebUI} with your {FreeIPA} credentials. + +Use the latest stable Chrome browser. + +.Prerequisites +* You have {FreeIPA} authentication configured in your {Project} environment. +ifeval::["{context}" != "{project-context}"] +ifndef::orcharhino[] +For more information, see {InstallingServerDocURL}configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. +endif::[] +endif::[] +* The host on which you are using Chrome is a client in the {FreeIPA} domain. + +.Procedure +. Enable the Chrome browser to use Kerberos authentication: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist="*._example.com_" +---- ++ +[NOTE] +==== +Instead of allowlisting the whole domain, you can also allowlist a specific {ProjectServer}. +==== +. Obtain the Kerberos ticket-granting ticket (TGT): ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _user_ +Password for user@EXAMPLE.COM: +---- +. In Chrome, go to the URL of your {ProjectServer}. +. You are logged in automatically. + +Alternatively: + +. In your browser address bar, enter the URL of your {ProjectServer}. +. Enter your username and password. diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc new file mode 100644 index 00000000000..1d4107ada6f --- /dev/null +++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc 
@@ -0,0 +1,35 @@ +[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-Mozilla-Firefox_{context}"] += Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Mozilla Firefox + +You can use Mozilla Firefox to log in to the {ProjectWebUI} with your {FreeIPA} credentials. + +Use the latest stable Mozilla Firefox browser. + +.Prerequisites +* You have {FreeIPA} authentication configured in your {Project} environment. +ifeval::["{context}" != "{project-context}"] +ifndef::orcharhino[] +For more information, see {InstallingServerDocURL}configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. +endif::[] +endif::[] +* The host on which you are using Mozilla Firefox is a client in the {FreeIPA} domain. +* Your Mozilla Firefox is configured for Single Sign-On (SSO). +ifdef::satellite[] +For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_. +endif::[] + +.Procedure +. Obtain the Kerberos ticket granting ticket (TGT): ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _user_ +Password for user@EXAMPLE.COM: +---- +. In Mozilla Firefox, go to the URL of your {ProjectServer}. +. You are logged in automatically. + +Alternatively: + +. In your browser address bar, enter the URL of your {ProjectServer}. +. Enter your username and password. diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc deleted file mode 100644 index f878e42a749..00000000000 
--- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc +++ /dev/null 
@@ -1,46 +0,0 @@ -[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Chrome-browser_{context}"] -= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with a Chrome browser - -This section describes how to use a Chrome browser to log in to your {ProjectWebUI} with your {FreeIPA} login and password. - -.Prerequisites -* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication. -ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_. -endif::[] -* The host on which you are using the Chrome browser to log in to the {ProjectWebUI} is an {FreeIPA} client. -* You have a valid {FreeIPA} login and password. -* {Team} recommends using the latest stable Chrome browser. -* An {FreeIPA} server is running and reachable by the host. - -.Procedure -. Enable the Chrome browser to use Kerberos authentication: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist=”*._example.com_" ----- - -+ -[NOTE] -==== -Instead of allowlisting the whole domain, you can also allowlist a specific {ProjectServer}. -==== - -. Obtain the Kerberos ticket-granting ticket (TGT) for yourself using your {FreeIPA} credentials: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ kinit _idm_user_ -Password for _idm_user@_EXAMPLE.COM_: ----- -. In your browser address bar, enter the URL of your {ProjectServer}. -+ -You are logged in automatically. - - -[NOTE] -==== -Alternatively, you can skip the first three steps and enter your login and password in the fields displayed on the {ProjectWebUI}. -This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client. -==== 
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc deleted file mode 100644 index e4161b11954..00000000000 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc +++ /dev/null 
@@ -1,36 +0,0 @@ -[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Firefox-browser_{context}"] -= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with a Firefox browser - -This section describes how to use the Firefox browser to log in to your {ProjectWebUI} with your {FreeIPA} (IdM) login and password. - -.Prerequisites -* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication. -ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_. -endif::[] -* The host on which you are using a Firefox browser to log in to the {ProjectWebUI} is an {FreeIPA} client. -* You have a valid {FreeIPA} login and password. -* {Team} recommends using the latest stable Firefox browser. -* Your Firefox browser is configured for Single Sign-On (SSO). -ifdef::satellite[] -For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_. -endif::[] -* An {FreeIPA} server is running and reachable by the host. - -.Procedure -. Obtain the Kerberos ticket granting ticket (TGT) for yourself using your {FreeIPA} credentials: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ kinit _idm_user_ -Password for idm_user@_EXAMPLE.COM_: ----- -. In your browser address bar, enter the URL of your {ProjectServer}. -+ -You are logged in automatically. - -[NOTE] -==== -Alternatively, you can skip the first two steps and enter your login and password in the fields displayed on the {ProjectWebUI}. -This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client. -==== 
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc deleted file mode 100644 index 8d374052c5b..00000000000 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc +++ /dev/null 
@@ -1,60 +0,0 @@ -[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{project-context}_Hammer_CLI_{context}"] -= Using {FreeIPA} credentials to log in to the {Project} Hammer CLI - -This section describes how to log in to your {Project} Hammer CLI with your {FreeIPA} (IdM) login and password. - -.Prerequisites -* You have enrolled your {ProjectServer} into {FreeIPA} and configured it to use {FreeIPA} for authentication. -More specifically, you have enabled access both to the {ProjectWebUI} and the {Project} API. -ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_. -endif::[] -* The host on which you run this procedure is configured to use {FreeIPA} credentials to log users in to your {Project} Hammer CLI. -ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Configuring_the_Hammer_CLI_to_Use_FreeIPA_User_Authentication_{project-context}[Configuring the Hammer CLI to Use {FreeIPA} User Authentication] in _{InstallingServerDocTitle}_. -endif::[] -* The host is an {FreeIPA} client. -* An {FreeIPA} server is running and reachable by the host. - -.Procedure -. Obtain a Kerberos ticket-granting ticket (TGT) on behalf of a {Project} user: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ kinit idm_user ----- -+ -[WARNING] -==== -If, when you were setting {FreeIPA} to be the authentication provider, you enabled access to both the {Project} API and the {ProjectWebUI}, an attacker can now obtain an API session after the user receives the Kerberos TGT. -The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. -==== -. If automatic negotiate authentication is not enabled, use the TGT to authenticate to Hammer manually: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ hammer auth login negotiate ----- -. 
Optional: Destroy all cached Kerberos tickets in the collection: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ kdestroy -A ----- -[NOTE] -==== -You are still logged in, even after destroying the Kerberos ticket. -==== - -.Verification -* Use any `hammer` command to ensure that the system does not ask you to authenticate again: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ hammer host list ----- - -[NOTE] -==== -To log out of Hammer, enter: `hammer auth logout`. -==== diff --git a/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc b/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc deleted file mode 100644 index dac093cb38e..00000000000 --- a/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc +++ /dev/null @@ -1,4 +0,0 @@ -Users cannot use both {FreeIPA} and LDAP as an authentication method. -After a user authenticates by using one of these methods, they cannot use the other method. - -To change the authentication method for a user, remove the automatically created user from {Project}.
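Review bot: deleting proc_configuring-host-based-authentication-control.adoc drops the only instructions for restricting which {FreeIPA} users may log in to {ProjectServer} (the `ipa hbacsvc-add` / `ipa hbacrule-add` steps, the advice to disable the `allow_all` rule, and `{foreman-installer} --foreman-pam-service={project-context}-prod`), and neither the new modules in this patch nor the commit message says where that guidance now lives. Without it, any {FreeIPA} user who can obtain a TGT can log in and {Project} creates a user record for them, which is exactly what the deleted text said HBAC prevents, and the new API-session WARNING is left with no documented server-side mitigation. Either keep the module (and fix its `ipa hbacrule-find {project-context}-prod` line, which should look up the rule name `allow_{project-context}_prod`) or state in the commit message that the HBAC content was moved, not removed.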
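Review bot: the WARNING in proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc says "an attacker might obtain an API session" after `kinit` but never states the precondition, so readers cannot judge the risk; it should say that the attacker needs to run code as that user on the host holding the Kerberos credential cache, because with `--foreman-ipa-authentication-api=true` the API accepts the ticket through Negotiate (the Hammer login module in this patch shows exactly that path with `hammer auth login negotiate`). Two smaller points in the same file: the "disable" bullet only shows `--reset-foreman-ipa-authentication-api`, so add `--reset-foreman-ipa-authentication` for switching off the web UI side as well, and the Verification only covers the web UI login; when the API option was set it should also exercise the API, for example `hammer auth login negotiate` followed by `hammer host list`.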
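Review bot: in proc_enrolling-projectserver-in-freeipa-domain.adoc the NOTE "To install packages on your {ProjectServer}, use the `{foreman-installer}` utility" contradicts the worked example a few lines below, which installs the client with `{project-package-install} ipa-client`; the NOTE should name `{project-package-install}`, since `{foreman-installer}` is not the package installer. The sentence "a user with {Project} administrative privileges enrolls the system" is also wrong: `ipa-client-install` is shown at a `#` prompt and needs root on the system, and {Project} privileges play no part in enrollment. Minor fixes: "Configure the {ProjectServer} system a client in {FreeIPA}" is missing "as"; the RHEL links are inconsistent (`{RHELDocsBaseURL}8/html/...` versus `{RHELDocsBaseURL}/8/html-single/...`, so one of them yields a wrong slash) and one ends in a stray `#`; and because `ipa-client-install --password 'W5YpARl=7M.n'` puts the one-time password on the command line, it is worth saying that the value is single-use and consumed by enrollment, and that the sample value must not be reused.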
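Review bot: in proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc the statement that destroying the Kerberos ticket with `kdestroy` leaves you logged in to Hammer is the security-relevant fact of this module and belongs in a WARNING, not a NOTE after the procedure: the Hammer session outlives the ticket, so a user on a shared host who runs `kdestroy` believing they are logged out still has a usable {Project} session until `hammer auth logout`. Suggested wording: "Destroying the Kerberos ticket with `kdestroy` does not log you out of Hammer. Run `hammer auth logout` when you finish." The file also lacks a trailing newline (`\ No newline at end of file`).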
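Review bot: `--auth-negotiate-delegate-whitelist="*._example.com_"` in proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc enables Kerberos credential delegation, handing a forwardable ticket for the user to every host matching the pattern; logging in to the {ProjectWebUI} only needs `--auth-server-whitelist`, so drop the delegate flag or explain why {ProjectServer} needs delegated credentials. The NOTE speaks of "allowlisting" while the flags use the older `whitelist` spelling, so check the switch names against the Chrome version the page targets and say which ones apply. The xref also uses `{Freeipa-context}` where the other new modules use `{FreeIPA-context}`.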
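Review bot: proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc has the same `{Freeipa-context}` versus `{FreeIPA-context}` mismatch in its xref as the Chrome module; align the attribute name with the rest of the patch so the link resolves in every build.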
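Review bot: the deleted snip_do-not-use-both-ldap-and-freeipa.adoc carried a behavioral constraint (a user who has authenticated through {FreeIPA} cannot then use LDAP and vice versa, and the automatically created {Project} user must be removed to switch), and no hunk in this patch re-adds it. Confirm that the reworked assembly still states it or keep the snippet, because without it readers have no explanation for a failed login after changing authentication sources.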