If you have a larger installation on your site, you may wish to have a single source of credentials not only for common system services, but for your RHN Satellite too.
This post shows you how to configure your RHN Satellite Server to use PAM with SSSD. SSSD, the System Security Services Daemon, is a common framework for providing authentication services. Needless to say, IPA is supported as well.
Assumptions:
- You have an RHN Satellite running on RHEL 6
- You have an IPA infrastructure running (at least on RHEL 6.2)
Preparations
First you need to install the ipa-client on your satellite:
yum -y install ipa-client
And then join the server to your IPA environment:
ipa-client-install -p admin
Configure PAM as follows:
cat << EOF > /etc/pam.d/rhn-satellite
auth required pam_env.so
auth sufficient pam_sss.so
auth required pam_deny.so
account sufficient pam_sss.so
account required pam_deny.so
EOF
Configure the RHN Satellite
Your Satellite now needs to be told that users can be authenticated with PAM against IPA:
echo "pam_auth_service = rhn-satellite" >> /etc/rhn/rhn.conf
If you have users in your IPA domain with usernames shorter than five characters, you will need to add one more line to be able to create the users in RHN Satellite:
echo "web.min_user_len = 3" >> /etc/rhn/rhn.conf
After this change, restart your RHN Satellite:
rhn-satellite restart
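As an added example (not part of the original post), here is a POSIX shell version of the steps above that can be rerun safely: it writes the same PAM stack, replaces rhn.conf keys instead of appending duplicates on every run, and checks that both PAM phases end in pam_deny.so. The file paths are parameters (an assumption) so it can be tried in a scratch directory before being pointed at /etc/pam.d and /etc/rhn.

```shell
#!/bin/sh
# Added example, not from the original post: re-runnable version of the steps
# above. Paths are parameters (an assumption) so it can be tried in a scratch
# directory before being pointed at /etc/pam.d and /etc/rhn.

write_pam_stack() {
    # $1: PAM service file (the post uses /etc/pam.d/rhn-satellite).
    # pam_sss.so is "sufficient"; pam_deny.so closes both phases so an
    # unknown user can never fall through to success.
    cat << 'EOF' > "$1"
auth     required   pam_env.so
auth     sufficient pam_sss.so
auth     required   pam_deny.so
account  sufficient pam_sss.so
account  required   pam_deny.so
EOF
}

set_rhn_option() {
    # $1: rhn.conf, $2: key, $3: value. Replaces an existing key instead of
    # appending a duplicate line, which a plain "echo >>" does on each rerun.
    conf="$1"; key="$2"; val="$3"
    [ -f "$conf" ] || : > "$conf"
    awk -v k="$key" -v v="$val" '
        $0 ~ ("^" k "[ \t]*=") { print k " = " v; seen = 1; next }
        { print }
        END { if (!seen) print k " = " v }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

check_satellite_pam() {
    # $1: PAM service file, $2: rhn.conf. Succeeds only when the last auth
    # and account entries are pam_deny.so and rhn.conf names this service.
    pamfile="$1"; conf="$2"; rc=0
    svc=$(basename "$pamfile")
    for phase in auth account; do
        grep "^$phase[[:space:]]" "$pamfile" | tail -n 1 \
            | grep -q 'required[[:space:]]*pam_deny\.so' \
            || { echo "$phase phase does not end in pam_deny.so"; rc=1; }
    done
    grep -q "^pam_auth_service[[:space:]]*=[[:space:]]*$svc\$" "$conf" \
        || { echo "rhn.conf does not set pam_auth_service = $svc"; rc=1; }
    return $rc
}
```

Run the three functions against a scratch directory first; once check_satellite_pam passes, point them at the real files and restart the Satellite as above.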
Configuring users
Now you can log in to your RHN Satellite with your already configured admin user and select the checkbox “Pluggable Authentication Modules (PAM)” on existing users and/or new users.
Things to be considered
It is strongly recommended to have at least one user per organization (usually an “Organization Administrator”) plus the “RHN Satellite Administrator” without PAM authentication enabled. Despite the easy implementation of redundancy with IPA, this is important as a fallback for when your IPA environment suffers service interruptions due to maintenance or failure.
SSSD caches users' credentials on the RHN Satellite system, but only for users who have logged in at least once. The default value for offline_credentials_expiration is 0, which means no cache time limit. However, depending on your organization's security policy, this value can vary. Please check the PAM section in /etc/sssd/sssd.conf.
Further documents to read
Hi, this works for webui auth but not for rhncfg-manager commands (and others that use xmlrpc to talk with spacewalk/rhn satellite).
You must run “setsebool -P allow_httpd_mod_auth_pam 1” to get this working (tested with IPA 2.2 and spacewalk 1.7 on CentOS 6.3). 🙂