Authenticate Spacewalk users with FreeIPA

A fresh Spacewalk installation usually defines user accounts in a local manner - including permissions. Especially for bigger system landscapes with requirements such as Single Sign-on, this is not a practical solution.

Fortunately, Spacewalk and Red Hat Satellite 5 support authentication using FreeIPA and Red Hat Identity Management. Beginning with Spacewalk 2.3 and Red Hat Satellite 5.7 there is an utility called spacewalk-setup-ipa-authentication which fully automates configuration all participating components (SSSD, Apache, Tomcat, SELinux). Prior to those versions, changes need to be made manually.

Preparation

First of all, an appropriate Kerberos service specifying the Spacewalk server's FQDN needs to be created. To ensure this, open the FreeIPA web interface and click Identity > Services > Add:

Creating a Kerberos service using the FreeIPA web interface

Alternatively, create the service using a registered system by utilizing the ipa command with a specified administrator Kerberos ticket:

1# kinit admin
2# ipa service-add HTTP/spacewalk-fqdn

Afterwards it is a good idea to create user groups in FreeIPA for the Spacewalk accounts and their required permissions. For this, click Identity > User Groups > Add nötig. Spacewalk supports the following roles:

  • Administrative roles (system-wide)
    • Organisation administrator
    • Spacewalk administrator
  • Roles
    • Activation key dministrator (per organisation)
    • configuration administrator (client configuration files)
    • channel administrator
    • system group administrator

In a next step, these FreeIPA groups are assigned to the appropriate roles inside Spacewalk. Depending on your use-case it might be a good idea to create multiple groups - e.g. a group for all Spacewalk-wide administrators:

Creating a user group using the FreeIPA web interface

Of course, there is also an ipa command for that:

1# ipa group-add spacewalk-admins --desc "Spacewalk administrators"

Configuration

The next step is to configure IPA authentication on the Spacewalk system:

 1# spacewalk-setup-ipa-authentication
 2Enabling authentication against [pinkepank.stankowic.loc].
 3Retrieving HTTP/ service keytab into [/etc/httpd/conf/http.keytab] ...
 4Keytab successfully retrieved and stored in: /etc/httpd/conf/http.keytab
 5changed ownership of `/etc/httpd/conf/http.keytab' to apache
 6Configuring PAM service [spacewalk].
 7Will install additional packages ...
 8
 9** /etc/sssd/sssd.conf has been backed up to sssd.conf-swsave
10Updated sssd configuration.
11Turning SELinux boolean [httpd_dbus_sssd] on ...
12        ... done.
13Turning SELinux boolean [allow_httpd_mod_auth_pam] on ...
14        ... done.
15Configuring Apache modules.
16** /etc/tomcat6/server.xml has been backed up to server.xml-swsave.ipa
17Stopping sssd: [  OK  ]
18Starting sssd: [  OK  ]
19Stopping tomcat6: [  OK  ]
20Starting tomcat6: [  OK  ]
21Stopping httpd: [  OK  ]
22Starting httpd: httpd: [  OK  ]
23Waiting for tomcat to be ready ...
24Authentication against [pinkepank.stankowic.loc] sucessfully enabled.
25As admin, at Admin > Users > External Authentication, select
26          Default organization to autopopulate new users into.

Afterwards, a default organization for FreeIPA users that have never logged in into Spacewalk needs to be configured. For this, open the Spacewalk web interface and click Admin > Users > External Authentication.

External FreeIPA authentication under Spacewalk

If organizations in Spacewalk match those defined in FreeIPA, check "Use organization unit name passed from IPA". If names differ, it is possible to define a default organization next to "Default Organization". Make sure to check "Keep temporary roles granted due to external authentication configuration" in any case as otherwise group memberships in FreeIPA won't trigger permissions in Spacewalk.

Group and role memberships are defined in the Group Role Mapping pane:

Mapping FreeIPA groups to Spacewalk roles

Depending on the Spacewalk patch level it might be necessary to restart the service before authentication works:

1# spacewalk-service restart

Spacewalk administrator authenticated using FreeIPA

Translations: