Configuring authentication for orcharhino users

Configuring external authentication and enabling single sign-on and two-factor authentication

If you store users in an external identity provider, you can connect the provider to your orcharhino Server to enable these users to log in to orcharhino. Some external identity providers also enable you to implement authentication features such as single sign-on or two-factor authentication in orcharhino, providing an additional layer of security.

orcharhino derives user and user group permissions based on user group membership defined in the external identity provider.

Configuring an LDAP server as an external identity provider for orcharhino

Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. With orcharhino, you can use one or multiple LDAP directories for external authentication.

While you can configure the LDAP server integrated with FreeIPA as an external authentication source, FreeIPA users will not be able to log in using single sign-on. Instead, consider configuring FreeIPA as an external identity provider. For more information, see Configuring Kerberos single sign-on with FreeIPA in orcharhino.

Users cannot use both FreeIPA and LDAP as an authentication method. After a user authenticates by using one of these methods, they cannot use the other method.

To change the authentication method for a user, remove the automatically created user from orcharhino.

Configuring TLS for secure LDAP

If orcharhino uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your orcharhino Server.

If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list.

Procedure

Obtain the CA certificate from the LDAP Server:
1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format. See How to configure Active Directory authentication with TLS on orcharhino for information on creating and exporting a CA certificate from an Active Directory server.
2. Download the LDAP server certificate to a temporary location on the orcharhino Server, such as /tmp/example.crt. You will remove the certificate when finished.
  
  The filename extensions .cer and .crt are only conventions and can refer to DER binary or PEM ASCII format certificates.
Add the LDAP certificate to your CA trust list:
1. Install the LDAP certificate in the /etc/pki/tls/certs/ directory with the correct permissions:
  $ install /tmp/example.crt /etc/pki/tls/certs/
  LDAP certificates must be individual files.
2. Create a symbolic link to the LDAP certificate:
  $ ln -s example.crt /etc/pki/tls/certs/$(openssl \ x509 -noout -hash -in \ /etc/pki/tls/certs/example.crt).0
3. Restart the httpd service:
  $ systemctl restart httpd
Delete the downloaded LDAP certificate from the temporary location on your orcharhino Server.

Configuring orcharhino to use LDAP

Configure an LDAP authentication source to enable users to log in to orcharhino with their existing LDAP credentials.

Prerequisites

Your LDAP server complies with the RFC 2307 schema.
Your user account has the following permissions:
- view_authenticators, create_authenticators, edit_authenticators
- view_locations, assign_locations
- view_organizations, assign_organizations

Procedure

On your orcharhino Server, enable the Network Information System (NIS) service so that SELinux does not block outgoing LDAP connections:
```
$ setsebool -P nis_enabled on
```
In the orcharhino management UI, navigate to Administer > Authentication Sources.
From the LDAP menu, select Create.
On the LDAP server tab, enter the details of your LDAP server.

For TLS encrypted connections, select LDAPS to enable encryption.
On the Account tab, enter the account information and domain name details.

See Example Settings for LDAP Connections and Example LDAP Filters.
On the Attribute mappings tab, map LDAP attributes to orcharhino attributes.
On the Locations tab, select the locations you want orcharhino to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.
On the Organizations tab, select the organizations you want orcharhino to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.
Click Submit.

Next steps

If you did not select Automatically Create Accounts In orcharhino on the Account tab, create user accounts manually. For more information, see Creating a User in Administering orcharhino.
If you selected Automatically Create Accounts In orcharhino, LDAP users can now log in to orcharhino using their LDAP accounts and passwords.
After users log in for the first time, the orcharhino administrator must assign roles to them manually. For more information about assigning appropriate roles to user accounts, see Assigning Roles to a User in Administering orcharhino.

Example settings for LDAP connections

Example 1. Example settings for Active Directory LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: DOMAIN\redhat
Account password: P@ssword
Base DN: DC=example,DC=COM
Login name attribute: userPrincipalName
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail
Photo attribute: thumbnailPhoto

The userPrincipalName attribute allows the use of whitespace in usernames. The sAMAccountName attribute, which provides backwards compatibility with legacy Microsoft systems, does not allow the use of whitespace in usernames.

Example 2. Example settings for FreeIPA LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: uid=redhat,cn=users,cn=accounts,dc=example,dc=com
Base DN: dc=example,dc=com
Groups Base DN: cn=groups,cn=accounts,dc=example,dc=com
Login name attribute: uid
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail

Example 3. Example settings for POSIX LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: uid=redhat,ou=users,dc=example,dc=com
Base DN: dc=example,dc=com
Groups Base DN: cn=employee,ou=userclass,dc=example,dc=com
Login name attribute: uid
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail

Example LDAP filters

Example 4. Example LDAP filters for allowing specific users to login

You are using the following LDAP directory structure:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3

Group membership is defined as follows:

Group1 includes users User1 and User3
Group2 includes users User2 and User3

For example, you can define the following search filters:

Search result (users)	Filter
User1	(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)
User1, User3	(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)
User2, User3	(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)
User1, User2, User3	(\|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))
User1, User2, User3	(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Search result (users)

Filter

User1

(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)

User1, User3

(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)

User2, User3

(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)

User1, User2, User3

(|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))

User1, User2, User3

(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Because group Users is a nested group that contains groups Group1 and Group2, the filter must include memberOf:1.2.840.113556.1.4.1941:= before the nested group name. This enables you to filter all users from the nested group.

Configuring Kerberos single sign-on with FreeIPA in orcharhino

FreeIPA is an open-source identity management solution that provides centralized authentication, authorization, and account management services. With orcharhino, you can integrate orcharhino Server with your existing FreeIPA server to enable FreeIPA users to authenticate to orcharhino.

With your FreeIPA server configured as an external identity provider, users defined in FreeIPA can log in to orcharhino with their FreeIPA credentials. If a cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can also log in to orcharhino.

The following login methods are available for FreeIPA users:

Username and password
Kerberos single sign-on

When a cross-forest trust is configured between FreeIPA and Active Directory, Active Directory users can log in to orcharhino with their user principal name (UPN) and password.

For information about FreeIPA, including its cross-forest trust functionality, see AlmaLinux 8 Planning Identity Management and AlmaLinux 8 Installing Identity Management.

Enrolling orcharhino Server in a FreeIPA domain

Create a host entry for your orcharhino Server system in the FreeIPA LDAP and configure the system to be a client in your FreeIPA domain.

Prerequisites

An existing FreeIPA server
FreeIPA user account with privileges to enroll new FreeIPA hosts

Procedure

On the FreeIPA server:
1. Create a host entry for the orcharhino Server system.
  
  For more information, see AlmaLinux 8 Configuring and managing Identity Management or AlmaLinux 9 Managing IdM users, groups, hosts, and access control rules.
2. Create an entry for the HTTP service for orcharhino Server. This enables access to the keytab file by creating a service principal for your orcharhino Server.
  
  For more information on creating a service entry in FreeIPA, see AlmaLinux 8 Managing IdM users, groups, hosts, and access control rules or AlmaLinux 9 Managing IdM users, groups, hosts, and access control rules.
On your orcharhino Server, configure the system as client in the FreeIPA domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the ipa-client-install utility.

For more information, see AlmaLinux 8 Installing Identity Management or AlmaLinux 9 Installing Identity Management.

To install packages on your orcharhino Server, use the orcharhino-installer utility.

Verification

On your orcharhino Server, check that you are able to resolve a user defined on the FreeIPA server. For example, to check the admin user that FreeIPA creates by default:
```
$ id admin
```

Example 5. Enrolling a orcharhino Server system as a FreeIPA client from the command line by using a one-time password

On the FreeIPA server, a user named admin who has administrative privileges on the FreeIPA server prepares a host entry for the orcharhino Server system:

Authenticate as the FreeIPA admin user:
```
$ kinit admin
```
Optional: Verify that you have authenticated successfully:
```
$ klist
```

Create a host entry from the command line. Specify that you want to use a random password for the enrollment.

$ ipa host-add --random orcharhino-server.example.com
--------------------------------------------------
 Added host "orcharhino-server.example.com"
 --------------------------------------------------
  Host name: orcharhino-server.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: ipa-server.example.com

Enable access to the keytab file by creating a service principal for your orcharhino Server:
```
$ ipa service-add HTTP/orcharhino-server.example.com
```

On the orcharhino Server system, a user with orcharhino administrative privileges enrolls the system into the FreeIPA domain:

Install the FreeIPA client packages:
```
$ dnf install ipa-client
```
Configure the orcharhino Server system a client in FreeIPA by using the random password produced by ipa host-add in a previous step:
```
$ ipa-client-install --password 'W5YpARl=7M.n'
```
Verify that you are able to resolve the FreeIPA admin user from your orcharhino Server:
```
$ id admin
```

Configuring the FreeIPA authentication source on orcharhino Server

Enable FreeIPA users to access orcharhino by configuring FreeIPA as an authentication provider on your orcharhino Server.

Prerequisites

orcharhino Server running on a system that is enrolled in the FreeIPA domain.

Procedure

To enable access to the orcharhino management UI only:

$ orcharhino-installer \
--foreman-ipa-authentication=true

To enable access to the orcharhino management UI and the orcharhino API, including Hammer CLI:

$ orcharhino-installer \
--foreman-ipa-authentication-api=true \
--foreman-ipa-authentication=true

Enabling access to both the orcharhino management UI and the orcharhino API poses a security risk. After the FreeIPA user enters kinit to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session. The attack is possible even if the user did not previously enter the orcharhino login credentials anywhere, for example in the browser.

To disable external authentication with FreeIPA, reset the options. For example, to disable access to the orcharhino API and Hammer CLI:
```
$ orcharhino-installer --reset-foreman-ipa-authentication-api
```

Verification

Configuring host-based access control for FreeIPA users logging in to orcharhino

You can use host-based access control (HBAC) rules to manage access control within your FreeIPA domain. In FreeIPA, HBAC rules define which users can access which hosts and which services can be used to gain access.

For example, you can configure HBAC on the FreeIPA server to limit access to orcharhino Server only to selected users or user groups. By configuring a HBAC rule in the FreeIPA domain, you can ensure orcharhino does not create database entries for users who should not have access.

Prerequisites

FreeIPA user account with privileges to configure HBAC rules

Procedure

On the FreeIPA server, configure HBAC control. For more information, see AlmaLinux 9 Managing IdM users, groups, hosts, and access control rules or AlmaLinux 8 Managing IdM users, groups, hosts, and access control rules.
1. Create a HBAC service for orcharhino Server.
2. Create a new HBAC rule to define the required access control. Add the following FreeIPA entities to the HBAC rule:
  1. The HBAC service for orcharhino Server
  2. The orcharhino Server host
  3. The users or user groups to whom you want to grant access
3. Make sure the default FreeIPA allow_all rule is disabled.
On your orcharhino Server, load the host-based access control rules from FreeIPA:
```
$ orcharhino-installer --foreman-pam-service=foreman-prod
```

Verification

Log in to the orcharhino management UI as a user defined in FreeIPA.
- If the user is included in the HBAC rule, orcharhino management UI will grant access.
- If the user is not included in the HBAC rule, orcharhino management UI will not grant access.

Additional resources

For more information about the allow_all rule and configuring HBAC in FreeIPA, see Host-based access control (HBAC) in FreeIPA documentation.

Example 6. Configuring host-based access control to allow access to orcharhino only for selected FreeIPA users by using the command line

On the FreeIPA server, a user with administrative privileges configures a HBAC rule to allow selected users access to orcharhino Server:

Authenticate as the user with privileges required to configure HBAC rules:
```
$ kinit admin
```
Optional: Verify that you have authenticated successfully:
```
$ klist
```
Create a new HBAC service named orcharhino-prod:
```
$ ipa hbacsvc-add orcharhino-prod
```

Create a new HBAC rule:

$ ipa hbacrule-add allow-orcharhino-prod

Add the following FreeIPA entities to the HBAC rule:

The orcharhino-prod HBAC service:

$ ipa hbacrule-add-service allow-orcharhino-prod --hbacsvcs=orcharhino-prod

The orcharhino Server host:

$ ipa hbacrule-add-host allow-orcharhino-prod --hosts=orcharhino.example.com

The users or user groups to whom you want to grant access:

$ ipa hbacrule-add-user allow-orcharhino-prod --user=ipa-user

Optional: Verify the status of the rule:

$ ipa hbacrule-find orcharhino-prod
$ ipa hbactest --user=ipa-user --host=orcharhino.example.com --service=orcharhino-prod

Disable the default allow_all rule:

$ ipa hbacrule-disable allow_all

On orcharhino Server, a orcharhino administrator re-runs orcharhino-installer to load the host-based access control rules from FreeIPA:

$ orcharhino-installer --foreman-pam-service=orcharhino-prod

Configuring Hammer CLI to accept FreeIPA credentials

Configure the orcharhino Hammer CLI tool to use FreeIPA to authenticate users.

Prerequisites

You have enabled FreeIPA access to the orcharhino API. For more information, see configuring the freeipa authentication source on projectserver.

Procedure

Open the ~/.hammer/cli.modules.d/foreman.yml file on your orcharhino Server and update the list of foreman parameters:
- To enforce session usage, enable :use_sessions::
  :foreman: :use_sessions: true
  With this configuration, you will need to initiate an authentication session manually with hammer auth login negotiate.
- Alternatively, to enforce session usage and also negotiate authentication by default:
  :foreman: :default_auth_type: 'Negotiate_Auth' :use_sessions: true
  With this configuration, Hammer will negotiate authentication automatically when you enter the first hammer command.

Logging in to Hammer CLI with FreeIPA credentials

Authenticate to the orcharhino Hammer CLI with your FreeIPA username and password.

Prerequisites

You have configured Hammer CLI to accept FreeIPA credentials. For more information, see Configuring Hammer CLI to accept FreeIPA credentials in Installing orcharhino Server.

Procedure

Authenticate as a user defined in FreeIPA to obtain a Kerberos ticket-granting ticket (TGT):

$ kinit FreeIPA_user

If you enabled access to the orcharhino API and the orcharhino management UI when you were configuring FreeIPA as the authentication provider for orcharhino, an attacker might now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the orcharhino login credentials anywhere, for example in the browser.

If Hammer is not configured to negotiate authentication, initiate an authentication session manually:
```
$ hammer auth login negotiate
```

If you destroy the active Kerberos ticket, for example with kdestroy, you will still be logged in to Hammer. To log out, enter hammer auth logout.

Verification

Use any hammer command to check that the system does not ask you to authenticate. For example:
```
$ hammer host list
```

Additional resources

For more information about authenticating with Hammer, see hammer auth --help.

Logging in to the orcharhino management UI with FreeIPA credentials in Mozilla Firefox

You can use Mozilla Firefox to log in to the orcharhino management UI with your FreeIPA credentials.

Use the latest stable Mozilla Firefox browser.

Prerequisites

You have FreeIPA authentication configured in your orcharhino environment. For more information, see Installing orcharhino Server.
The host on which you are using Mozilla Firefox is a client in the FreeIPA domain.
Your Mozilla Firefox is configured for Single Sign-On (SSO).

Procedure

Obtain the Kerberos ticket granting ticket (TGT):
```
$ kinit user
Password for user@EXAMPLE.COM:
```
In Mozilla Firefox, go to the URL of your orcharhino Server.
You are logged in automatically.

Alternatively:

In your browser address bar, enter the URL of your orcharhino Server.
Enter your username and password.

Logging in to the orcharhino management UI with FreeIPA credentials in Chrome

You can use Chrome to log in to the orcharhino management UI with your FreeIPA credentials.

Use the latest stable Chrome browser.

Prerequisites

You have FreeIPA authentication configured in your orcharhino environment. For more information, see Installing orcharhino Server.
The host on which you are using Chrome is a client in the FreeIPA domain.

Procedure

Enable the Chrome browser to use Kerberos authentication:
```
$ google-chrome --auth-server-whitelist="*.example.com" --auth-negotiate-delegate-whitelist="*.example.com"
```
Instead of allowlisting the whole domain, you can also allowlist a specific orcharhino Server.
Obtain the Kerberos ticket-granting ticket (TGT):
```
$ kinit user
Password for user@EXAMPLE.COM:
```
In Chrome, go to the URL of your orcharhino Server.
You are logged in automatically.

Alternatively:

In your browser address bar, enter the URL of your orcharhino Server.
Enter your username and password.

Configuring a cross-forest trust between FreeIPA and Active Directory for orcharhino

When your FreeIPA deployment includes a cross-forest trust with Active Directory (AD), configure host-based access control (HBAC) and the System Security Services Daemon (SSSD) to enable AD users to log in to orcharhino.

Prerequisites

An existing FreeIPA server with a cross-forest trust with AD established. For more information, see AlmaLinux 8 Installing trust between IdM and AD.

Procedure

On your FreeIPA server:

Enable HBAC:
1. Create an external group and add the AD group to it.
2. Add the new external group to a POSIX group.
3. Use the POSIX group in a HBAC rule.

On your FreeIPA server and all replicas in your FreeIPA topology, configure SSSD to transfer additional attributes of AD users:

Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

[domain/EXAMPLE.com]
...
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[nss]
user_attributes=+email, +firstname, +lastname

[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname

Clear the SSSD cache:
1. Stop SSSD:
  $ systemctl stop sssd
2. Clear the cache:
  $ sss_cache -E
3. Start SSSD:
  $ systemctl start sssd

Verify the AD attributes value by using the dbus-send command on your orcharhino Server and on your FreeIPA server. Make sure that both outputs match.

$ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname

Configuring Wildfly-based Keycloak authentication for orcharhino

The default Keycloak distribution is now based on Quarkus.

Quarkus-based Keycloak replaces Wildfly-based Keycloak in orcharhino deployments. For information about configuring Quarkus-based Keycloak authentication, see Configuring single sign-on and two-factor authentication with Quarkus-based Keycloak in orcharhino.

For information about migrating from Wildfly-based Keycloak to Quarkus-based Keycloak, see Migrating to Quarkus distribution.

Keycloak is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, or centralized authentication management. With Wildfly-based Keycloak, you can integrate orcharhino Server with your existing Keycloak server to delegate user authentication and authorization to Keycloak. The following login methods are available:

User name and password in orcharhino management UI and Hammer CLI
Time-based one-time password (TOTP)
PIV cards

Prerequisites for configuring orcharhino with Wildfly-based Keycloak authentication

A Keycloak account with administrative privileges.
A Keycloak server that uses HTTPS instead of HTTP.
If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate truststore.
A Keycloak realm created for orcharhino user accounts, for example orcharhino_Realm.
Users imported or added to Keycloak. For more information about importing or creating users, see the Red Hat Single Sign-On Server Administration Guide.

Registering orcharhino as a client of Keycloak

Users defined in Keycloak can authenticate to orcharhino by using the orcharhino management UI or by using Hammer CLI. Each authentication method requires you to register a separate orcharhino client to Keycloak. If you want users to authenticate by using both orcharhino management UI and Hammer CLI, you must register two different orcharhino clients to Keycloak.

Procedure

On your orcharhino Server:

Install the packages required for registering a Keycloak client:

$ dnf install mod_auth_openidc keycloak-httpd-client-install python3-lxml

Choose the authentication method you want Keycloak users to use when authenticating to orcharhino:

If you want users to authenticate by using the orcharhino management UI:

Create a client for orcharhino. Use foreman-openidc as the application name.

$ keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "orcharhino_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure orcharhino to use Keycloak as an authentication source for orcharhino management UI:

$ orcharhino-installer --foreman-keycloak true \
--foreman-keycloak-app-name "foreman-openidc" \
--foreman-keycloak-realm "orcharhino_Realm"

If you want users to authenticate by using the Hammer CLI:

Create a client for orcharhino. Use hammer-openidc as the application name.

$ keycloak-httpd-client-install --app-name hammer-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "orcharhino_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure orcharhino to use Keycloak as an authentication source for Hammer CLI:

$ orcharhino-installer --foreman-keycloak true \
--foreman-keycloak-app-name "hammer-openidc" \
--foreman-keycloak-realm "orcharhino_Realm"

Reset Keycloak support to the default value to ensure that users are not authenticated also in orcharhino management UI:
```
$ orcharhino-installer --reset-foreman-keycloak
```

Restart the httpd service:
```
$ systemctl restart httpd
```

To disable Keycloak authentication in orcharhino, reset Keycloak support to the default value by using orcharhino-installer --reset-foreman-keycloak.

Configuring the orcharhino client in Wildfly-based Keycloak

Configure the orcharhino client in Wildfly-based Keycloak with valid redirect URIs and mappers.

Procedure

In the Keycloak web UI:

Go to the realm created for orcharhino users. Navigate to Clients and click the orcharhino client.
Configure access type:
- If you are configuring a client that will provide orcharhino management UI authentication, select confidential from the Access Type list.
- If you are configuring a client that will provide Hammer CLI authentication, select public from the Access Type list.
Configure Valid redirect URI addresses:
- If you are configuring a client that will provide orcharhino management UI authentication:
  - You will see a pre-defined URI: https://orcharhino.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  - Add another URI below the pre-defined URI: https://orcharhino.example.com/users/extlogin
- If you are configuring a client that will provide Hammer CLI authentication:
  - You will see a pre-defined URI: https://orcharhino.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  - Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob
Click Save.
On the Mappers tab, click Create to add an audience mapper.
1. From the Mapper Type list, select Audience.
2. From the Included Client Audience list, select the orcharhino client.
Click Save.
On the Mappers tab, click Create to add a group mapper so that you can specify authorization in orcharhino based on group membership.
1. From the Mapper Type list, select Group Membership.
2. In the Token Claim Name field, enter groups.
3. Set the Full group path setting to OFF.
Click Save.

Additional resources

For more information about configuring Wildfly-based Keycloak clients, see Red Hat Single Sign-On Server Administration Guide.

Configuring a orcharhino client to provide orcharhino management UI authentication with Keycloak

If you are configuring a client that will provide orcharhino management UI authentication to your orcharhino deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in orcharhino.

Prerequisites

Ensure that the Access Type setting in the orcharhino client in the Wildfly-based Keycloak web UI is set to confidential. For more information, see Configuring the orcharhino client in Wildfly-based Keycloak.

Procedure

In the orcharhino management UI:

Navigate to Administer > Settings.
On the Authentication tab, configure the following settings:
1. Authorize login delegation: Set to Yes.
2. Authorize login delegation auth source user autocreate: Set to External.
3. Login delegation logout URL: Set to https://orcharhino.example.com/users/extlogout.
4. OIDC Algorithm: For example, set to RS256.
5. OIDC Audience: Set to the client ID for Keycloak.
6. OIDC Issuer: Set to https://keycloak.example.com/auth/realms/orcharhino_Realm.
7. OIDC JWKs URL: Set to https://keycloak.example.com/auth/realms/orcharhino_Realm/protocol/openid-connect/certs.
Navigate to Administer > Authentication Sources.
1. From the External menu, select Edit.
2. On the Locations tab, add the locations that you want to be able to use the Keycloak authentication source.
3. On the Organizations tab, add the organizations that you want to be able to use the Keycloak authentication source.
4. Click Submit.

Configuring a orcharhino client to provide Hammer CLI authentication with Keycloak

If you are configuring a client that will provide Hammer CLI authentication to your orcharhino deployment, delegate authentication to the Keycloak server and add Keycloak as an external authentication source in orcharhino.

Prerequisites

Ensure that the Access Type setting in the orcharhino client in the Wildfly-based Keycloak web UI is set to public. For more information, see Configuring the orcharhino client in Wildfly-based Keycloak.
Obtain the values to configure orcharhino settings from the following URL: https://keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration. Replace orcharhino_Realm with the name of the Keycloak realm created for your orcharhino server.

Procedure

On the orcharhino client registered to Keycloak:

Set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
$ hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

$ hammer settings set --name login_delegation_logout_url \
--value https://orcharhino.example.com/users/extlogout

Set the algorithm for encoding: For example, to use the RS256 algorithm:
```
$ hammer settings set --name oidc_algorithm --value 'RS256'
```

Add the value for the Hammer client in the Open IDC audience:

$ hammer settings set --name oidc_audience \
--value "['orcharhino.example.com-hammer-openidc']"

If you register several Keycloak clients to orcharhino, ensure that you append all audiences in the array. For example:

$ hammer settings set --name oidc_audience \
--value "['orcharhino.example.com-foreman-openidc', 'orcharhino.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

$ hammer settings set --name oidc_issuer \
--value "https://keycloak.example.com/auth/realms/KEYCLOAK_REALM"

Set the value for Open IDC Java Web Token (JWT):

$ hammer settings set --name oidc_jwks_url \
--value "https://keycloak.example.com/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs"

Retrieve the ID of the Keycloak authentication source:
```
$ hammer auth-source external list
```

Set the location and organization:

$ hammer auth-source external update \
--id My_Authentication_Source_ID \
--location-ids My_Location_ID \
--organization-ids My_Organization_ID

Configuring orcharhino with Keycloak for TOTP authentication

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the orcharhino realm in Keycloak.

Procedure

In the Keycloak web UI, navigate to the orcharhino realm.
Navigate to Authentication.
On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
Configure the OTP settings to suit your requirements.
On Required Actions tab, enable the Set as default action setting for the Configure OTP action.

Additional resources

For more information, see Red Hat Single Sign-On Server Administration Guide or Red Hat build of Keycloak Server Administration Guide.

Optional: Configuring external group mapping for Keycloak authentication

To implement the role-based access control (RBAC), create a group in orcharhino, assign a role to this group, and then map an Keycloak group to the orcharhino group. As a result, anyone in the given group in Keycloak will log in under the corresponding orcharhino group.

For example, you can configure users of the orcharhino-admin user group defined in Active Directory to authenticate as users with administrator privileges on orcharhino.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

In the orcharhino management UI, navigate to Administer > User Groups.
Click Create User Group.
1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.
2. Do not add any users or user groups to the new group in orcharhino management UI.
On the Roles tab, select Administer.
On the External Groups tab, click Add external user group.
1. In the Name field, enter the name of the Active Directory group.
2. From the Auth Source drop-down menu, select EXTERNAL.
Click Submit.

Logging in to orcharhino configured with Keycloak as an authentication source

With Keycloak configured as an external authentication source for orcharhino, users defined in a Keycloak realm can log in to orcharhino Server. The particular login methods available to users depend on how you configured integration between Keycloak and orcharhino.

Procedure

To authenticate to the orcharhino management UI:

In your browser, go to https://orcharhino.example.com and enter your credentials.

To authenticate to the orcharhino management UI by using Keycloak TOTP:

In your browser, log in to orcharhino. orcharhino redirects you to the Keycloak login screen.
Enter your username and password, and click Log In.
On your first login attempt, Keycloak requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to orcharhino and logs you in.

To authenticate to the orcharhino CLI with Hammer:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session with hammer auth login oauth:

$ hammer auth login oauth \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/orcharhino_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the orcharhino CLI with Hammer by using Keycloak TOTP:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session by using --two-factor with hammer auth login oauth:

$ hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/orcharhino_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.
Enter the success code in CLI.

To log in to the orcharhino management UI using the Keycloak PIV cards:

In Mozilla Firefox, log in to orcharhino and enter your credentials.
When prompted, enter the PIN of the PIV card.
Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to orcharhino and logs you in.

Configuring single sign-on and two-factor authentication with Quarkus-based Keycloak in orcharhino

Quarkus-based Keycloak is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, or centralized authentication management. With Quarkus-based Keycloak, you can integrate orcharhino Server with your existing Quarkus-based Keycloak server to delegate user authentication and authorization to Quarkus-based Keycloak. The following login methods are available:

User name and password in orcharhino management UI and Hammer CLI
Time-based one-time password (TOTP)
PIV cards

For information about Keycloak, see Keycloak documentation.

Prerequisites for configuring orcharhino with Quarkus-based Keycloak authentication

A Keycloak account with administrative privileges.

A Keycloak server that uses HTTPS instead of HTTP and has been initialized with the --http-relative-path=/auth context path. To access a Keycloak server initialized with --http-relative-path=/auth from its web UI, go to https://keycloak.example.com:8443/auth.

To use a different context path, make manual adjustments after the initialisation with /auth or configure the foreman-openidc_oidc_keycloak_Foreman_Realm.conf file of the HTTPd service manually. For more information about configuring a different context path, see the Red Hat build of Keycloak Administration Guide.

If the certificates or the CA are self-signed, add them to the end-user certificate truststore.
A Keycloak realm created for orcharhino user accounts, for example orcharhino_Realm.
Users imported or added to Keycloak. For more information on importing or creating users, see the Red Hat build of Keycloak Administration Guide.

Registering orcharhino as a client of Keycloak

Users defined in Keycloak can authenticate to orcharhino by using one of the following methods:

The orcharhino management UI
Hammer CLI

Choose one of these methods to enable in your orcharhino deployment.

Procedure

On your orcharhino Server:

Install the packages required for registering a Keycloak client:

$ dnf install mod_auth_openidc keycloak-httpd-client-install python3-lxml

Choose the authentication method you want Keycloak users to use when authenticating to orcharhino:

If you want users to authenticate by using the orcharhino management UI:

Create a client for orcharhino. Use foreman-openidc as the application name.

$ keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "orcharhino_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure orcharhino to use Keycloak as an authentication source for orcharhino management UI:

$ orcharhino-installer --foreman-keycloak true \
--foreman-keycloak-app-name "foreman-openidc" \
--foreman-keycloak-realm "orcharhino_Realm"

If you want users to authenticate by using the Hammer CLI:

Create a client for orcharhino. Use hammer-openidc as the application name.

$ keycloak-httpd-client-install --app-name hammer-openidc \
--keycloak-server-url "https://keycloak.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "orcharhino_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure orcharhino to use Keycloak as an authentication source for Hammer CLI:

$ orcharhino-installer --foreman-keycloak true \
--foreman-keycloak-app-name "hammer-openidc" \
--foreman-keycloak-realm "orcharhino_Realm"

Reset Keycloak support to the default value to ensure that users are not authenticated also in orcharhino management UI:
```
$ orcharhino-installer --reset-foreman-keycloak
```

Restart the httpd service:
```
$ systemctl restart httpd
```

To disable Keycloak authentication in orcharhino, reset Keycloak support to the default value by using orcharhino-installer --reset-foreman-keycloak.

Configuring the orcharhino client in Quarkus-based Keycloak

Configure the orcharhino client in Quarkus-based Keycloak with valid redirect URIs and mappers.

Procedure

In the Quarkus-based Keycloak web UI:

Go to the realm created for orcharhino users.
Navigate to Clients and click the orcharhino client.
On the Settings tab for the orcharhino client, configure the access type and redirect addresses:
- If you are configuring a client that will provide orcharhino management UI authentication:
  1. Enable Client authentication.
  2. You will see a pre-defined URI: https://orcharhino.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  3. Add another URI below the pre-defined URI: https://orcharhino.example.com/users/extlogin
- If you are configuring a client that will provide Hammer CLI authentication:
  1. Ensure Client authentication is disabled.
  2. You will see a pre-defined URI: https://orcharhino.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  3. Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob
On the Client Scopes tab for the orcharhino client, locate the client scope dedicated to the orcharhino client named client-name-dedicated. Start editing the client scope.
1. On the Mappers tab for client-name-dedicated, add a new mapper by configuration. Select the Audience mapper type.
  1. From the Included Client Audience list, select the orcharhino client.
  2. Enable Add to ID token.
  3. Click Save.
2. Add another mapper by configuration. Select the Group Membership mapper type. This adds a group mapper so that you can specify authorization in orcharhino based on group membership.
  1. In the Token Claim Name field, enter groups.
  2. Disable Full group path.
  3. Click Save.

Additional resources

For more information about configuring Quarkus-based Keycloak clients, see Red Hat build of Keycloak Server Administration Guide.

Configuring a orcharhino client to provide orcharhino management UI authentication with Keycloak

Prerequisites

Ensure that the Client authentication setting in the orcharhino client in the Quarkus-based Keycloak web UI is enabled. For more information, see Configuring the orcharhino client in Quarkus-based Keycloak.

Procedure

In the orcharhino management UI:

Navigate to Administer > Settings.
On the Authentication tab, configure the following settings:
1. Authorize login delegation: Set to Yes.
2. Authorize login delegation auth source user autocreate: Set to External.
3. Login delegation logout URL: Set to https://orcharhino.example.com/users/extlogout.
4. OIDC Algorithm: For example, set to RS256.
5. OIDC Audience: Set to the client ID for Keycloak.
6. OIDC Issuer: Set to https://keycloak.example.com:8443/auth/realms/orcharhino_Realm.
7. OIDC JWKs URL: Set to https://keycloak.example.com:8443/auth/realms/orcharhino_Realm/protocol/openid-connect/certs.
Navigate to Administer > Authentication Sources.
1. From the External menu, select Edit.
2. On the Locations tab, add the locations that you want to be able to use the Keycloak authentication source.
3. On the Organizations tab, add the organizations that you want to be able to use the Keycloak authentication source.
4. Click Submit.

Configuring a orcharhino client to provide Hammer CLI authentication with Keycloak

Prerequisites

Ensure that the Client authentication setting in the orcharhino client in the Quarkus-based Keycloak web UI is disabled. For more information, see Configuring the orcharhino client in Quarkus-based Keycloak.
Obtain the values to configure orcharhino settings from the following URL: https://keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration. Replace orcharhino_Realm with the name of the Keycloak realm created for your orcharhino server.

Procedure

On the orcharhino client registered to Keycloak:

Set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
$ hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

$ hammer settings set --name login_delegation_logout_url \
--value https://orcharhino.example.com/users/extlogout

Set the algorithm for encoding: For example, to use the RS256 algorithm:
```
$ hammer settings set --name oidc_algorithm --value 'RS256'
```

Add the value for the Hammer client in the Open IDC audience:

$ hammer settings set --name oidc_audience \
--value "['orcharhino.example.com-hammer-openidc']"

If you register several Keycloak clients to orcharhino, ensure that you append all audiences in the array. For example:

$ hammer settings set --name oidc_audience \
--value "['orcharhino.example.com-foreman-openidc', 'orcharhino.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

$ hammer settings set --name oidc_issuer \
--value "https://keycloak.example.com/auth/realms/KEYCLOAK_REALM"

Set the value for Open IDC Java Web Token (JWT):

$ hammer settings set --name oidc_jwks_url \
--value "https://keycloak.example.com/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs"

Retrieve the ID of the Keycloak authentication source:
```
$ hammer auth-source external list
```

Set the location and organization:

$ hammer auth-source external update \
--id My_Authentication_Source_ID \
--location-ids My_Location_ID \
--organization-ids My_Organization_ID

Configuring orcharhino with Keycloak for TOTP authentication

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the orcharhino realm in Keycloak.

Procedure

In the Keycloak web UI, navigate to the orcharhino realm.
Navigate to Authentication.
On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
Configure the OTP settings to suit your requirements.
On Required Actions tab, enable the Set as default action setting for the Configure OTP action.

Additional resources

For more information, see Red Hat Single Sign-On Server Administration Guide or Red Hat build of Keycloak Server Administration Guide.

Optional: Configuring external group mapping for Keycloak authentication

For example, you can configure users of the orcharhino-admin user group defined in Active Directory to authenticate as users with administrator privileges on orcharhino.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

In the orcharhino management UI, navigate to Administer > User Groups.
Click Create User Group.
1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.
2. Do not add any users or user groups to the new group in orcharhino management UI.
On the Roles tab, select Administer.
On the External Groups tab, click Add external user group.
1. In the Name field, enter the name of the Active Directory group.
2. From the Auth Source drop-down menu, select EXTERNAL.
Click Submit.

Logging in to orcharhino configured with Keycloak as an authentication source

Procedure

To authenticate to the orcharhino management UI:

In your browser, go to https://orcharhino.example.com and enter your credentials.

To authenticate to the orcharhino management UI by using Keycloak TOTP:

In your browser, log in to orcharhino. orcharhino redirects you to the Keycloak login screen.
Enter your username and password, and click Log In.
On your first login attempt, Keycloak requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to orcharhino and logs you in.

To authenticate to the orcharhino CLI with Hammer:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session with hammer auth login oauth:

$ hammer auth login oauth \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/orcharhino_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the orcharhino CLI with Hammer by using Keycloak TOTP:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session by using --two-factor with hammer auth login oauth:

$ hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://keycloak.example.com/auth/realms/orcharhino_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.
Enter the success code in CLI.

To log in to the orcharhino management UI using the Keycloak PIV cards:

In Mozilla Firefox, log in to orcharhino and enter your credentials.
When prompted, enter the PIN of the PIV card.
Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to orcharhino and logs you in.

Configuring Active Directory as an external identity provider for orcharhino

If the base system of your orcharhino Server is connected directly to Active Directory (AD), you can configure AD as an external authentication source for orcharhino. Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored. The following login methods are available for AD users:

Username and password
Kerberos single sign-on

You can also connect your orcharhino deployment to AD in the following ways:

By using indirect AD integration. With indirect integration, your orcharhino Server is connected to a FreeIPA server which is then connected to AD. For more information, see Configuring Kerberos single sign-on with FreeIPA in orcharhino.
By attaching the LDAP server of the AD domain as an external authentication source with no single sign-on support. For more information, see configuring an ldap server as an external identity provider for project. For an example configuration, see How to configure Active Directory authentication with TLS on orcharhino.

Configuring the Active Directory authentication source on orcharhino Server

Enable Active Directory (AD) users to access orcharhino by configuring the corresponding authentication provider on your orcharhino Server.

Prerequisites

The base system of your orcharhino Server must be joined to an Active Directory (AD) domain. To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:

Install the following packages on orcharhino Server:
```
$ dnf install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
```
Specify the required software when joining the AD domain:
```
$ realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd
```
For more information on direct AD integration, see Connecting RHEL systems directly to AD using Samba Winbind.

Procedure

Define AD realm configuration in a location where orcharhino-installer expects it:
1. Create a directory named /etc/ipa/:
  $ mkdir /etc/ipa/
2. Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:
  [global] realm = AD.EXAMPLE.COM
Configure the Apache keytab for Kerberos connections:
1. Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:
  [global] workgroup = AD.EXAMPLE realm = AD.EXAMPLE.COM kerberos method = system keytab security = ads
2. Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:
  $ KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service:
1. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, configure the ad_gpo_access_control and ad_gpo_map_service options as follows:
  [domain/ad.example.com] ad_gpo_access_control = enforcing ad_gpo_map_service = +foreman
  For more information on GPOs, see the following documents:
  - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 9)
  - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 8)
2. Restart SSSD:
  $ systemctl restart sssd

Enable the authentication source:

$ orcharhino-installer --foreman-ipa-authentication=true

Verification

To verify that AD users can log in to orcharhino by entering their credentials, log in to orcharhino management UI at https://orcharhino.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.

To verify that AD users can authenticate by using Kerberos single sign-on:

Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
```
$ kinit ad_user@AD.EXAMPLE.COM
```

Verify user authentication by using your TGT:

$ curl -k -u : --negotiate https://orcharhino.example.com/users/extlogin

<html><body>You are being <a href="orcharhino.example.com/hosts">redirected</a>.</body></html>

Additional resources

sssd-ad(5) man page on your system
For information about configuring Mozilla Firefox for Kerberos, see Configuring Firefox to use Kerberos for single sign-on in AlmaLinux 9 Configuring authentication and authorization in RHEL.

Configuring orcharhino to manage the lifecycle of a host registered to a FreeIPA realm

As well as providing access to orcharhino Server, hosts provisioned with orcharhino can also be integrated with FreeIPA realms. orcharhino has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure orcharhino Server or orcharhino Proxy Server for FreeIPA realm support, then add hosts to the FreeIPA realm group.

Prerequisites

orcharhino Server that is registered to the Content Delivery Network or an external orcharhino Proxy Server that is registered to orcharhino Server.
A deployed realm or domain provider such as FreeIPA.

To install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy Server:

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on orcharhino Server or orcharhino Proxy Server:

Install the ipa-client package on orcharhino Server or orcharhino Proxy Server:
```
$ dnf install ipa-client
```
Configure the server as a FreeIPA client:
```
$ ipa-client-install
```
Create a realm proxy user, realm-orcharhino-proxy, and the relevant roles in FreeIPA:
```
$ foreman-prepare-realm admin realm-orcharhino-proxy
```
Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.

To configure orcharhino Server or orcharhino Proxy Server for FreeIPA realm support:

Complete the following procedure on orcharhino and every orcharhino Proxy that you want to use:

Copy the /root/freeipa.keytab file to any orcharhino Proxy Server that you want to include in the same principal and realm:
```
$ scp /root/freeipa.keytab root@orcharhino-proxy.network2.example.com:/etc/foreman-proxy/freeipa.keytab
```
Move the /root/freeipa.keytab file to the /etc/foreman-proxy directory and set the ownership settings to the foreman-proxy user:
```
$ mv /root/freeipa.keytab /etc/foreman-proxy
$ chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all orcharhino Proxies that you want to include in the realm. If you use the integrated orcharhino Proxy on orcharhino, enter this command on orcharhino Server:
```
$ orcharhino-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-orcharhino-proxy@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the orcharhino Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:
```
$ cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
$ update-ca-trust enable
$ update-ca-trust
```
Optional: If you configure FreeIPA on an existing orcharhino Server or orcharhino Proxy Server, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  $ systemctl restart foreman-proxy
2. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.
3. Locate the orcharhino Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.

To create a realm for the FreeIPA-enabled orcharhino Proxy

After you configure your integrated or external orcharhino Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured orcharhino Proxy to the realm.

Procedure

In the orcharhino management UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm orcharhino Proxy list, select orcharhino Proxy Server where you have configured FreeIPA.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

In the orcharhino management UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a FreeIPA host group

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. orcharhino’s realm feature provides administrators with the ability to map the orcharhino host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the orcharhino User Interface. For example, "Parent/Child/Child".

orcharhino Server or orcharhino Proxy Server sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

To add hosts to a FreeIPA host group:

On the FreeIPA server, create a host group:

$ ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
$ ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
$ ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to orcharhino Server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

Important user and group account information for Active Directory accounts

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your orcharhino Server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, apache, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

$ grep 'puppet\|apache\|foreman\|foreman-proxy' /etc/passwd /etc/group

Configuring external user groups

orcharhino does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on orcharhino. Members of the external user group then automatically become members of the orcharhino user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites

If you use an LDAP server, configure orcharhino to use LDAP authentication. For more information, see configuring an ldap server as an external identity provider for project.

When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.
If you use a FreeIPA or AD server, configure orcharhino to use FreeIPA or AD authentication. For more information, see Configuring External Authentication in Installing orcharhino Server.
Ensure that at least one external user authenticates for the first time.
Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:
```
$ id username
```

Procedure

In the orcharhino management UI, navigate to Administer > User Groups, and click Create User Group.
Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.
Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.
Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

Specify the exact name of the external group in the Name field.
Click Submit.

Refreshing external user groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure

In the orcharhino management UI, navigate to Administer > Usergroups and select a user group.
On the External Groups tab, click Refresh to the right of the required user group.

CLI procedure

Enter the following command:
```
$ foreman-rake ldap:refresh_usergroups
```

Refreshing external user groups for FreeIPA or AD

External user groups based on FreeIPA or AD are refreshed only when a group member logs in to orcharhino. It is not possible to alter user membership of external user groups in the orcharhino management UI, such changes are overwritten on the next group refresh.

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").