A fresh Spacewalk installation usually defines user accounts in a local manner – including permissions. Especially for bigger system landscapes with requirements such as Single Sign-on, this is not a practical solution.
Fortunately, Spacewalk and Red Hat Satellite 5 support authentication against FreeIPA and Red Hat Identity Management. Beginning with Spacewalk 2.3 and Red Hat Satellite 5.7 there is a utility called spacewalk-setup-ipa-authentication which fully automates the configuration of all participating components (SSSD, Apache, Tomcat, SELinux). Prior to those versions, the changes need to be made manually.
First of all, an appropriate Kerberos service for the Spacewalk server’s FQDN needs to be created. To do this, open the FreeIPA web interface and click Identity > Services > Add:
Alternatively, create the service using a registered system by utilizing the ipa command with a specified administrator Kerberos ticket:
# kinit admin
# ipa service-add HTTP/spacewalk-fqdn
Afterwards it is a good idea to create user groups in FreeIPA for the Spacewalk accounts and their required permissions. For this, click Identity > User Groups > Add. Spacewalk supports the following roles:
Administrative roles (system-wide)
- Organisation administrator
- Spacewalk administrator
- Activation key administrator (per organisation)
- Configuration administrator (client configuration files)
- Channel administrator
- System group administrator
In the next step, these FreeIPA groups are assigned to the appropriate roles inside Spacewalk. Depending on your use-case it might be a good idea to create multiple groups – e.g. a group for all Spacewalk-wide administrators:
Of course, there is also an ipa command for that:
# ipa group-add spacewalk-admins --desc "Spacewalk administrators"
The next step is to configure IPA authentication on the Spacewalk system:
# spacewalk-setup-ipa-authentication
Enabling authentication against [pinkepank.stankowic.loc].
Retrieving HTTP/ service keytab into [/etc/httpd/conf/http.keytab] ...
Keytab successfully retrieved and stored in: /etc/httpd/conf/http.keytab
changed ownership of `/etc/httpd/conf/http.keytab' to apache
Configuring PAM service [spacewalk].
Will install additional packages ...
** /etc/sssd/sssd.conf has been backed up to sssd.conf-swsave
Updated sssd configuration.
Turning SELinux boolean [httpd_dbus_sssd] on ...
... done.
Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...
... done.
Configuring Apache modules.
** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
Stopping tomcat6:                                          [  OK  ]
Starting tomcat6:                                          [  OK  ]
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd:                                     [  OK  ]
Waiting for tomcat to be ready ...
Authentication against [pinkepank.stankowic.loc] sucessfully enabled.
As admin, at Admin > Users > External Authentication, select Default organization to autopopulate new users into.
Afterwards, a default organization for FreeIPA users that have never logged into Spacewalk needs to be configured. For this, open the Spacewalk web interface and click Admin > Users > External Authentication.
If the organizations in Spacewalk match those defined in FreeIPA, check “Use organization unit name passed from IPA”. If the names differ, it is possible to define a default organization next to “Default Organization”. Make sure to check “Keep temporary roles granted due to external authentication configuration” in any case, as otherwise group memberships in FreeIPA won’t result in permissions in Spacewalk.
Group and role memberships are defined in the Group Role Mapping pane:
Depending on the Spacewalk patch level it might be necessary to restart the service before authentication works:
# spacewalk-service restart
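Once the setup utility and the restart have run, it is worth verifying the state it reports above (keytab ownership, the HTTP/ principal, the two SELinux booleans) before handing the login page to users. The script below is an added example and not part of the original post or of Spacewalk; it assumes GNU coreutils `stat`, the keytab path printed by spacewalk-setup-ipa-authentication, and a placeholder FQDN (spacewalk.example.com) that you replace via the SPACEWALK_FQDN variable. The sample klist and getsebool outputs inside it are constructed so the parsing functions can be exercised on a machine without Kerberos or SELinux tooling; run it with `--live` as root on the Spacewalk server to check the real system.

```shell
#!/bin/sh
# Post-setup sanity checks for Spacewalk + FreeIPA authentication.
# Added example, not from the original post or the Spacewalk project.
# Assumptions: GNU coreutils `stat`, the keytab path that
# spacewalk-setup-ipa-authentication prints, and a placeholder FQDN.

KEYTAB=${KEYTAB:-/etc/httpd/conf/http.keytab}
SPACEWALK_FQDN=${SPACEWALK_FQDN:-spacewalk.example.com}   # placeholder: set to your server

# Constructed sample outputs (not captured from a real system) so the
# parsing functions below can be exercised without klist/getsebool.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   1 01/01/15 12:00:00 HTTP/spacewalk.example.com@EXAMPLE.COM
   1 01/01/15 12:00:00 HTTP/spacewalk.example.com@EXAMPLE.COM'
SAMPLE_SEBOOL='allow_httpd_mod_auth_pam --> on
httpd_dbus_sssd --> on
httpd_can_network_connect --> off'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Succeeds if the text printed by `klist -kt` lists PRINCIPAL (any realm).
keytab_has_principal() {
    printf '%s\n' "$1" | grep -qF -- " $2@"
}

# sebool_is_on GETSEBOOL_OUTPUT BOOLEAN
# Succeeds if the `getsebool -a` text has an exact "BOOLEAN --> on" line.
sebool_is_on() {
    printf '%s\n' "$1" | grep -qxF -- "$2 --> on"
}

# keytab_perms_ok FILE OWNER
# The keytab must exist, belong to OWNER (apache after the setup run) and
# grant "other" no access at all, i.e. its mode must end in 0 (600, 640 ...).
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Gather live data and report; returns non-zero if any check fails.
run_live_checks() {
    rc=0
    if keytab_perms_ok "$KEYTAB" apache; then
        echo "ok:   $KEYTAB owned by apache and not readable by others"
    else
        echo "FAIL: $KEYTAB missing, wrong owner, or readable by others"; rc=1
    fi
    if keytab_has_principal "$(klist -kt "$KEYTAB" 2>/dev/null)" "HTTP/$SPACEWALK_FQDN"; then
        echo "ok:   HTTP/$SPACEWALK_FQDN present in $KEYTAB"
    else
        echo "FAIL: HTTP/$SPACEWALK_FQDN not found in $KEYTAB"; rc=1
    fi
    bools=$(getsebool -a 2>/dev/null)
    for b in httpd_dbus_sssd allow_httpd_mod_auth_pam; do
        if sebool_is_on "$bools" "$b"; then
            echo "ok:   SELinux boolean $b is on"
        else
            echo "FAIL: SELinux boolean $b is off (setsebool -P $b on)"; rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

A failed keytab check usually means the setup utility was re-run after the service was recreated in FreeIPA (the old keytab no longer matches the service's key version); a failed boolean check means Apache cannot talk to SSSD or PAM and every external login will be rejected, even though the web interface still renders.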