Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review adding AD as an external authentication source #3149

Merged
merged 33 commits into from
Sep 26, 2024
Merged

Review adding AD as an external authentication source #3149

merged 33 commits into from
Sep 26, 2024

Commits on Sep 18, 2024

  1. Implement suggestions from SAT-22855 

    GSS proxy is intended to enable privilege separation for the Apache
server by removing access to the keytab file.
Documentation recommends implementing GSS proxy for direct AD
integration but the procedures don't actually meet that goal.

The changes proposed in this commit are intended to ensure Apache does
not have access to the keytab.
    @adamlazik1 @asteflova
    adamlazik1 authored and asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    b26a164 View commit details
    Browse the repository at this point in the history

  2. The installer enforces certain keytab settings 

    Co-authored-by: Ewoud Kohl van Wijngaarden <[email protected]>
    @asteflova @ekohl
    asteflova and ekohl committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    dcff9e4 View commit details
    Browse the repository at this point in the history

  3. Drop GSS Proxy parts of the direct AD integration proc

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    f87a7b8 View commit details
    Browse the repository at this point in the history

  4. Document bare minimum for AD direct integration 

    This is the simplest workflow that should work.

aka Burn it all and start again

Currently still untested, just based on information from the SSSD team.
    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    e85c958 View commit details
    Browse the repository at this point in the history

  5. foreman-installer expects http.keytab to exist

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    4ff153b View commit details
    Browse the repository at this point in the history

  6. AD users must use the full name including the domain name

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    03e402d View commit details
    Browse the repository at this point in the history

  7. Restart Apache manually after enabling IPA auth 

    foreman-installer in the previous step doesn't load the configuration on
its own
    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    90dde9a View commit details
    Browse the repository at this point in the history

  8. Remove internal notes

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    070f288 View commit details
    Browse the repository at this point in the history

  9. Expand Active Directory on first use only

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    0e2eb74 View commit details
    Browse the repository at this point in the history

  10. Make refering to services being restarted consistent

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    13bd560 View commit details
    Browse the repository at this point in the history

  11. Add markup for replaceable values

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    ce8375a View commit details
    Browse the repository at this point in the history

  12. Add example block with simplified realm join steps

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    b53caf4 View commit details
    Browse the repository at this point in the history

  13. Fix command to install packages

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    f28b7e5 View commit details
    Browse the repository at this point in the history

  14. ad_server does not need to be manually added to sssd.conf

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    ba5ab6a View commit details
    Browse the repository at this point in the history

  15. Make AD domain and user example values consistent

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    1880244 View commit details
    Browse the repository at this point in the history

  16. Rename file to match ID

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    d9c46ad View commit details
    Browse the repository at this point in the history

  17. Remove extra blank line

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    595ff52 View commit details
    Browse the repository at this point in the history

  18. Drop a section on AD join and turn it into a prerequisite

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    f2906b2 View commit details
    Browse the repository at this point in the history

  19. Reword AD direct integration intro

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    cb7a862 View commit details
    Browse the repository at this point in the history

  20. Remove a link to RHEL docs for AD integration info 

    The link is no longer necessary because the subsequent procedure links
to the right resources now.
    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    9902c61 View commit details
    Browse the repository at this point in the history

  21. Apply suggestions from peer review

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    950a31a View commit details
    Browse the repository at this point in the history

  22. Drop steps related to GSS proxy from Samba-based joining

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    313fea3 View commit details
    Browse the repository at this point in the history

  23. Edit Samba-based AD integration based on testing

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    1131440 View commit details
    Browse the repository at this point in the history

  24. List login methods for AD users with direct integration

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    0824fee View commit details
    Browse the repository at this point in the history

  25. Apply suggestions from peer review 

    Co-authored-by: Maximilian Kolb <[email protected]>
    @asteflova @maximiliankolb
    asteflova and maximiliankolb committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    962eb31 View commit details
    Browse the repository at this point in the history

  26. Use attribute in RHEL docs URL

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    444198f View commit details
    Browse the repository at this point in the history

  27. Tweak curl output

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    3a3c1e1 View commit details
    Browse the repository at this point in the history

  28. Fix Vale error

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    a97f9a1 View commit details
    Browse the repository at this point in the history

  29. Update xref after another PR has been merged

    @asteflova
    asteflova committed Sep 18, 2024
    Configuration menu
    Copy the full SHA
    83cebcc View commit details
    Browse the repository at this point in the history

Commits on Sep 19, 2024

  1. Apply suggestions from peer review 

    Co-authored-by: mmuehlfeldRH <[email protected]>
    @asteflova @mmuehlfeldRH
    asteflova and mmuehlfeldRH authored Sep 19, 2024
    Configuration menu
    Copy the full SHA
    c7b6c45 View commit details
    Browse the repository at this point in the history

  2. Apply easy fixes from peer review

    @asteflova
    asteflova committed Sep 19, 2024
    Configuration menu
    Copy the full SHA
    34225a7 View commit details
    Browse the repository at this point in the history

  3. Minor tweaks based on peer review and further testing

    @asteflova
    asteflova committed Sep 19, 2024
    Configuration menu
    Copy the full SHA
    88ff272 View commit details
    Browse the repository at this point in the history

  4. Use smb.conf to store settings for interacting with AD 

    /etc/samba/smb.conf is already present by default, it's better to use
that rather than create a separate configuration file for this
    @asteflova
    asteflova committed Sep 19, 2024
    Configuration menu
    Copy the full SHA
    503934f View commit details
    Browse the repository at this point in the history