You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The deployment utility supports setting up necessary services to allow leveraging kerberos for user authentication if the host machine is enrolled in a FreeIPA/IDM or Active Directory realm.
220
+
221
+
### Prerequisites
222
+
223
+
Before configuring external authentication support, ensure the following requirements are met:
224
+
- the host machine is enrolled in FreeIPA/IDM or Active Directory realm
225
+
- a keytab for the Kerberos service principal is available at the host machine
226
+
227
+
### External Database Configuration Parameters
228
+
229
+
The external authentication configuration is managed through `foremanctl` command line parameters:
230
+
-`--external-authentication`: Set to `ipa` to enable kerberos authentication in WebUI, set to `ipa_with_api` to enable kerberos authentication in WebUI, API and hammer CLI
231
+
-`--external-authentication-pam-server`: PAM service name to use when authenticating users, can be changed in case a specific FreeIPA/IDM HBAC service should be used (default: `foreman`)
232
+
233
+
If `hammer` feature is enabled and `--external-authentication` is set to `ipa_with_api`, `hammer` will be configured to use negotiate-based authentication.
0 commit comments