From acc684c97894fb1577b3a3c8ea82f2444746fabc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Fri, 26 Jul 2024 22:42:32 +0200
Subject: [PATCH 01/17] Redefine FreeIPA attributes for RH d/s
---
 guides/common/attributes-satellite.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/guides/common/attributes-satellite.adoc b/guides/common/attributes-satellite.adoc
index 02ee22607f4..c65a27ef91c 100644
--- a/guides/common/attributes-satellite.adoc
+++ b/guides/common/attributes-satellite.adoc
@@ -68,8 +68,8 @@
 :foreman-installer-package: satellite-installer
 :foreman-installer: satellite-installer
 :foreman-maintain: satellite-maintain
-:FreeIPA: Red{nbsp}Hat Identity Management
-:FreeIPA-context: Red_Hat_Identity_Management
+:FreeIPA: Identity{nbsp}Management
+:FreeIPA-context: Identity_Management
 :hammer-smart-proxy: hammer capsule
 :installer-log-file: /var/log/foreman-installer/satellite.log
 :installer-scenario-smartproxy: satellite-installer --scenario capsule
From 5a2d3e968c4bb4a331afbb9e099199db6d8ee592 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 26 Jul 2024 22:41:37 +0200 Subject: [PATCH 02/17] Review and edit the FreeIPA external authentication story --- guides/README.md | 2 +- guides/common/assembly_accessing-server.adoc | 2 +- ...xternal-identity-provider-for-project.adoc | 10 +- ...xternal-identity-provider-for-project.adoc | 3 - ...y_configuring-external-authentication.adoc | 4 - ...ive-directory-with-cross-forest-trust.adoc | 9 -- ...xternal-identity-provider-for-project.adoc | 12 +- ...xternal-identity-provider-for-project.adoc | 6 - ...xternal-identity-provider-for-project.adoc | 12 +- guides/common/modules/con_using-freeipa.adoc | 23 ---- ...ring-freeipa-authentication-on-server.adoc | 99 +++----------- ...ing-host-based-authentication-control.adoc | 110 +++++++++++----- ...ling-project-server-in-freeipa-domain.adoc | 124 ++++++++++++++++++ ...the-ProjectWebUI-with-Mozilla-Firefox.adoc | 32 +++++ ...he-ProjectWebUI-with-a-Chrome-browser.adoc | 35 ++--- ...e-ProjectWebUI-with-a-Firefox-browser.adoc | 36 ----- ...s-to-log-in-to-the-project-hammer-cli.adoc | 48 +++---- ...snip_do-not-use-both-ldap-and-freeipa.adoc | 4 - 18 files changed, 318 insertions(+), 253 deletions(-) delete mode 100644 guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/modules/con_active-directory-with-cross-forest-trust.adoc delete mode 100644 guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc delete mode 100644 guides/common/modules/con_using-freeipa.adoc create mode 100644 guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc create mode 100644 guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc delete mode 100644 
guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc delete mode 100644 guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc diff --git a/guides/README.md b/guides/README.md index 9676fc3b6ef..262935b291d 100644 --- a/guides/README.md +++ b/guides/README.md @@ -128,7 +128,7 @@ The basic structure of the file is a nested path parts in the documentation link "accessing_server_admin": [ "Logging_in_admin", "Using_FreeIPA_credentials_to_log_in_to_the_foreman_Hammer_CLI_admin", - "Using_FreeIPA_credentials_to_log_in_to_the_foreman_web_UI-with-a-Firefox-browser_admin", + "Using_FreeIPA_credentials_to_log_in_to_the_foreman_web_UI-with-Mozilla-Firefox_admin", "Using_FreeIPA_credentials_to_log_in_to_the_foreman_web_UI-with-a-Chrome-browser_admin", "Navigation_Tabs_in_the_Web_UI_admin", "Changing_the_Password_admin", diff --git a/guides/common/assembly_accessing-server.adoc b/guides/common/assembly_accessing-server.adoc index 1bdff63af6a..2a6b3d6f9cb 100644 --- a/guides/common/assembly_accessing-server.adoc +++ b/guides/common/assembly_accessing-server.adoc @@ -10,7 +10,7 @@ include::modules/proc_logging-in.adoc[leveloffset=+1] include::modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc[leveloffset=+1] +include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc[leveloffset=+1] include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc index f6946b6858e..c3601e94f99 100644 
--- a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc @@ -1,7 +1,15 @@ include::modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[] -include::modules/con_using-freeipa.adoc[leveloffset=+1] +include::modules/proc_enrolling-project-server-in-freeipa-domain.adoc[leveloffset=+1] include::modules/proc_configuring-freeipa-authentication-on-server.adoc[leveloffset=+1] include::modules/proc_configuring-host-based-authentication-control.adoc[leveloffset=+1] + +include::modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc[leveloffset=+1] + +include::modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc[leveloffset=+1] + +include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc[leveloffset=+1] + +include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index 0a269888bc5..00000000000 --- a/guides/common/assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc +++ /dev/null @@ -1,3 +0,0 @@ -include::modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc[] - -include::modules/con_active-directory-with-cross-forest-trust.adoc[leveloffset=+1] 
diff --git a/guides/common/assembly_configuring-external-authentication.adoc b/guides/common/assembly_configuring-external-authentication.adoc index d9146124e04..ea1f86a1a9d 100644 --- a/guides/common/assembly_configuring-external-authentication.adoc +++ b/guides/common/assembly_configuring-external-authentication.adoc @@ -4,8 +4,6 @@ include::assembly_configuring-an-ldap-server-as-an-external-identity-provider-fo include::assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] -include::assembly_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc[leveloffset=+1] - ifdef::context[:parent-context: {context}] :context: keycloak-wildfly-general include::assembly_configuring-keycloak-wildfly-authentication-for-project.adoc[leveloffset=+1] @@ -56,6 +54,4 @@ include::modules/proc_refreshing-external-user-groups-for-ldap.adoc[leveloffset= include::modules/con_refreshing-external-user-groups-for-freeipa-or-ad.adoc[leveloffset=+1] -include::modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc[leveloffset=+1] - include::modules/proc_disabling-keycloak-authentication.adoc[leveloffset=+1] diff --git a/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc b/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc deleted file mode 100644 index e68a4612830..00000000000 --- a/guides/common/modules/con_active-directory-with-cross-forest-trust.adoc +++ /dev/null 
@@ -1,9 +0,0 @@ -[id="Active_Directory_with_Cross_Forest_Trust_{context}"] -= Active Directory with cross-forest trust - -Kerberos can create `cross-forest trust` that defines a relationship between two otherwise separate domain forests. -A domain forest is a hierarchical structure of domains; both AD and {FreeIPA} constitute a forest. -With a trust relationship enabled between AD and {FreeIPA}, users of AD can access Linux hosts and services using a single set of credentials. - -From the {Project} point of view, the configuration process is the same as integration with {FreeIPA} server without cross-forest trust configured. -{ProjectServer} has to be enrolled in the IdM domain and integrated as described in xref:Using_FreeIPA_{context}[]. diff --git a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc index a92867ce2c3..0449f3cb970 100644 --- a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc 
@@ -1,4 +1,12 @@ [id="configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}"] -= Configuring a {FreeIPA} server as an external identity provider for {Project} += Configuring {FreeIPA} server as an external identity provider for {Project} -{FreeIPA} deals with the management of individual identities, their credentials, and privileges used in a networking environment. +{FreeIPA} is an open-source identity management solution that provides centralized authentication, authorization, and account management services. +With {Project}, you can integrate {ProjectServer} with your existing {FreeIPA} server to enable {FreeIPA} users to authenticate to {Project}. + +With your {FreeIPA} server configured as an external identity provider, users defined in {FreeIPA} can log in to {Project} with their {FreeIPA} credentials. +If a cross-forest trust is configured between {FreeIPA} and Active{nbsp}Directory, Active{nbsp}Directory users can also log in to {Project}. +The following login methods are available: + +* Username and password +* Kerberos single sign-on diff --git a/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc deleted file mode 100644 index 1428dcf9f7d..00000000000 --- a/guides/common/modules/con_configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project.adoc +++ /dev/null 
@@ -1,6 +0,0 @@ -[id="configuring-ad-integrated-with-freeipa-through-cross-forest-kerberos-trust-as-an-external-identity-provider-for-project_{context}"] -= Configuring Active Directory integrated with {FreeIPA} through cross-forest Kerberos trust as an external identity provider for {Project} - -Kerberos can create `cross-forest trust` that defines a relationship between two otherwise separate domain forests. -A domain forest is a hierarchical structure of domains; both AD and {FreeIPA} constitute a forest. -With a trust relationship enabled between AD and {FreeIPA}, AD users can access Linux hosts and services using a single set of credentials. diff --git a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc index 8e4b9c16e2b..ffeb18902f9 100644 --- a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc 
@@ -7,9 +7,17 @@ Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. With {Project}, you can use one or multiple LDAP directories for external authentication. +[NOTE] +==== +While you can configure the LDAP server integrated with {FreeIPA} as an external authentication source, {FreeIPA} users will not be able to log in using single sign-on. +Instead, consider configuring {FreeIPA} as an external identity provider. +See xref:configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}[]. +==== + [IMPORTANT] ==== -include::snip_do-not-use-both-ldap-and-freeipa.adoc[] +Users cannot use both {FreeIPA} and LDAP as an authentication method. +After a user authenticates by using one of these methods, they cannot use the other method. -For more information on using {FreeIPA} as an authentication method, see xref:Using_FreeIPA_{context}[]. +To change the authentication method for a user, remove the automatically created user from {Project}. ==== diff --git a/guides/common/modules/con_using-freeipa.adoc b/guides/common/modules/con_using-freeipa.adoc deleted file mode 100644 index cce3b4bc278..00000000000 --- a/guides/common/modules/con_using-freeipa.adoc +++ /dev/null 
@@ -1,23 +0,0 @@ -[id="Using_FreeIPA_{context}"] -= Using {FreeIPA} - -This section shows how to integrate {ProjectServer} with a {FreeIPA} server and how to enable host-based access control. - -[NOTE] -==== -You can attach {FreeIPA} as an external authentication source with no single sign-on support. -For more information, see xref:configuring-an-ldap-server-as-an-external-identity-provider-for-project_{context}[]. -==== - -[IMPORTANT] -==== -include::snip_do-not-use-both-ldap-and-freeipa.adoc[] -==== - -.Prerequisites -* The base operating system of {ProjectServer} must be enrolled in the {FreeIPA} domain by the {FreeIPA} administrator of your organization. - -The examples in this chapter assume separation between {FreeIPA} and {Project} configuration. -ifndef::orcharhino[] -However, if you have administrator privileges for both servers, you can configure {FreeIPA} as described in {RHELDocsBaseURL}9/html-single/installing_identity_management/index[_{RHEL}{nbsp}9 Installing Identity Management_] or {RHELDocsBaseURL}8/html-single/installing_identity_management/index[_{RHEL}{nbsp}8 Installing Identity Management Guide_]. -endif::[] diff --git a/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc b/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc index 1641c918fa0..c14948ea622 100644 --- a/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc +++ b/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc 
@@ -1,88 +1,22 @@ [id="Configuring_FreeIPA_Authentication_on_Server_{context}"] -= Configuring {FreeIPA} authentication on {ProjectServer} += Configuring the {FreeIPA} authentication source on {ProjectServer} -In the {Project} CLI, configure {FreeIPA} authentication by first creating a host entry on the {FreeIPA} server. +Enable {FreeIPA} users to access {Project} by configuring {FreeIPA} as an authentication provider on your {ProjectServer}. + +.Prerequisites + +* {ProjectServer} running on a system that is enrolled in the {FreeIPA} domain. .Procedure -. On the {FreeIPA} server, to authenticate, enter the following command and enter your password when prompted: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# kinit _admin_ ----- -. To verify that you have authenticated, enter the following command: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# klist ----- -. On the {FreeIPA} server, create a host entry for {ProjectServer} and generate a one-time password, for example: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa host-add --random _hostname_ ----- -+ -[NOTE] -==== -The generated one-time password must be used on the client to complete {FreeIPA}-enrollment. -==== -+ -ifdef::satellite[] -For more information on host configuration properties, see {RHELDocsBaseURL}8/html-single/configuring_and_managing_identity_management/index#con_host-entry-LDAP_managing-hosts-ui[Host entry in IdM LDAP] in _{RHEL}{nbsp}8 Configuring and managing Identity Management_. -endif::[] -. Create an HTTP service for {ProjectServer}, for example: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa service-add HTTP/_hostname_ ----- -+ -ifdef::satellite[] -For more information on managing services, see {RHELDocsBaseURL}9/html/accessing_identity_management_services/index[_{RHEL}{nbsp}9 Accessing Identity Management services_]. -endif::[] -. 
On {ProjectServer}, install the IPA client: -ifdef::satellite[] -+ -[WARNING] -==== -This command might restart {Project} services during the installation of the package. -For more information about installing and updating packages on {Project}, see {AdministeringDocURL}Managing_Packages_on_the_Base_Operating_System_admin[Managing Packages on the Base Operating System of {ProjectServer} or {SmartProxyServer}] in _{AdministeringDocTitle}_. -==== -endif::[] -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# {project-package-install} ipa-client ----- -. On {ProjectServer}, enter the following command as root to configure {FreeIPA}-enrollment: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# ipa-client-install --password _OTP_ ----- -+ -Replace _OTP_ with the one-time password provided by the {FreeIPA} administrator. -ifdef::foreman-deb[] -. Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -# hostname -{foreman-example-com} ----- -+ -Otherwise, `{foreman-installer}` cannot generate the right principal name that is needed to join the realm. -endif::[] -. Set {FreeIPA} as the authentication provider, using one of the following commands: -* If you only want to enable access to the {ProjectWebUI} but not the {Project} API, enter: + +* To enable access to the {ProjectWebUI} only: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- # {foreman-installer} \ --foreman-ipa-authentication=true ---- -* If you want to enable access both to the {ProjectWebUI} and the {Project} API, enter: +* To enable access to the {ProjectWebUI} and the {Project} API, including Hammer CLI: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- 
@@ -93,17 +27,18 @@ endif::[] + [WARNING] ==== -Enabling access to both the {Project} API and the {ProjectWebUI} can lead to security problems. -After an IdM user receives a Kerberos ticket-granting ticket (TGT) by entering `kinit _user_name_`, an attacker can obtain an API session. +Enabling access to both the {ProjectWebUI} and the {Project} API poses a security risk. +After the {FreeIPA} user enters `kinit` to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session. The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. ==== -. Restart {Project} services: +* To disable external authentication with {FreeIPA}, reset the options. +For example, to disable access to the {Project} API and Hammer CLI: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# {foreman-maintain} service restart +# {foreman-installer} --reset-foreman-ipa-authentication-api ---- -External users can now log in to {Project} using their {FreeIPA} credentials. -They can now choose to either log in to {ProjectServer} directly using their username and password or take advantage of the configured Kerberos single sign-on and obtain a ticket on their client machine and be logged in automatically. -The two-factor authentication with one-time password (2FA OTP) is also supported. +.Verification + +* Log in to {ProjectWebUI} by entering the credentials of a user defined in {FreeIPA}. diff --git a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc index 336f241f2e4..eed11bb2017 100644 --- a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc +++ b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc 
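Review bot: The lead-in `To disable external authentication with {FreeIPA}, reset the options.` is followed by an example that resets only `--foreman-ipa-authentication-api`, which leaves the `--foreman-ipa-authentication` Web UI setting in place, so a reader following it does not actually disable {FreeIPA} authentication; either state that both options must be reset to disable it entirely, or reword the lead-in to `To disable access for {FreeIPA} users to an individual interface, reset the corresponding option.` The WARNING correctly keeps the point that an API session can be obtained from a TGT alone, but it now offers no defensive guidance; consider appending `Use host-based access control to limit which {FreeIPA} users can access {ProjectServer}.` with an xref to `Configuring_Host_Based_Access_Control_{context}`, since that is the mitigation this guide documents. The listing with the API option itself sits in the unchanged lines between the two hunks, so it is not visible here.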
@@ -1,62 +1,110 @@ -[id="Configuring_Host_Based_Authentication_Control_{context}"] -= Configuring host-based authentication control +[id="Configuring_Host_Based_Access_Control_{context}"] += Configuring host-based access control for {FreeIPA} users logging in to {Project} -HBAC rules define which machine within the domain a {FreeIPA} user is allowed to access. -You can configure HBAC on the {FreeIPA} server to prevent selected users from accessing {ProjectServer}. -With this approach, you can prevent {Project} from creating database entries for users that are not allowed to log in. +You can use host-based access control (HBAC) rules to manage access control within your {FreeIPA} domain. +In {FreeIPA}, HBAC rules define which users can access which hosts and which services can be used to gain access. + +For example, you can configure HBAC on the {FreeIPA} server to limit access to {ProjectServer} only to selected users or user groups. +By configuring a HBAC rule in the {FreeIPA} domain, you can ensure {Project} does not create database entries for users who should not have access. + +.Prerequisites + +* {FreeIPA} user account with privileges to configure HBAC rules + +.Procedure + +. On the {FreeIPA} server, configure HBAC control. For more information, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. +.. Create a HBAC service for {ProjectServer}. +.. Create a new HBAC rule to define the required access control. +Add the following {FreeIPA} entities to the HBAC rule: +... The HBAC service for {ProjectServer} +... The {ProjectServer} host +... 
The users or user groups to whom you want to grant access +.. Make sure the default {FreeIPA} `allow_all` rule is disabled. ifndef::orcharhino[] -For more information on HBAC, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/index[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/index[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. +For information about how to disable `allow_all` without disrupting other services, see the https://access.redhat.com/solutions/67895[How to configure HBAC rules in IdM] article on the Red{nbsp}Hat Customer Portal. endif::[] +. On your {ProjectServer}, load the host-based access control rules from {FreeIPA}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {foreman-installer} --foreman-pam-service=satellite-prod +---- -On the {FreeIPA} server, configure Host-Based Authentication Control (HBAC). +.Verification -.Procedure -. On the {FreeIPA} server, to authenticate, enter the following command and enter your password when prompted: +* Log in to the {ProjectWebUI} as a user defined in {FreeIPA}. +** If the user is included in the HBAC rule, {ProjectWebUI} will grant access. +** If the user is not included in the HBAC rule, {ProjectWebUI} will not grant access. + +.Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line +==== + +On the {FreeIPA} server, a user with administrative privileges configures a HBAC rule to allow selected users access to {ProjectServer}: + +. Authenticate as the user with privileges required to configure HBAC rules: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ kinit _admin_ +---- +. 
Optional: Verify that you have authenticated successfully: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# kinit _admin_ +$ klist ---- -. To verify that you have authenticated, enter the following command: +. Create a new HBAC service named `{project-context}-prod`: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# klist +$ ipa hbacsvc-add {project-context}-prod ---- -. Create HBAC service and rule on the {FreeIPA} server and link them together. -The following examples use the PAM service name _{project-context}-prod_. -Execute the following commands on the {FreeIPA} server: +. Create a new HBAC rule: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# ipa hbacsvc-add {project-context}-prod -# ipa hbacrule-add allow_{project-context}_prod -# ipa hbacrule-add-service allow_{project-context}_prod --hbacsvcs={project-context}-prod +$ ipa hbacrule-add _allow-{project-context}-prod_ ---- -. Add the user who is to have access to the service {project-context}-prod, and the hostname of {ProjectServer}: +. Add the following {FreeIPA} entities to the HBAC rule: +.. The `{project-context}-prod` HBAC service: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# ipa hbacrule-add-user allow_{project-context}_prod --user=_username_ -# ipa hbacrule-add-host allow_{project-context}_prod --hosts=_{foreman-example-com}_ +$ ipa hbacrule-add-service _allow-{project-context}-prod_ --hbacsvcs={project-context}-prod ---- + -Alternatively, host groups and user groups can be added to the _allow_{project-context}_prod_ rule. -. To check the status of the rule, execute: +.. The {ProjectServer} host: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -# ipa hbacrule-find {project-context}-prod -# ipa hbactest --user=_username_ --host=_{foreman-example-com}_ --service={project-context}-prod +$ ipa hbacrule-add-host _allow-{project-context}-prod_ --hosts=_{foreman-example-com}_ ---- -. 
Ensure the allow_all rule is disabled on the {FreeIPA} server. -ifndef::orcharhino[] -For instructions on how to do so without disrupting other services see the https://access.redhat.com/solutions/67895[How to configure HBAC rules in IdM] article on the Red{nbsp}Hat Customer Portal. -endif::[] -. Configure the {FreeIPA} integration with {ProjectServer} as described in xref:Configuring_FreeIPA_Authentication_on_Server_{context}[]. -On {ProjectServer}, define the PAM service as root: + +.. The users or user groups to whom you want to grant access: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-add-user _allow-{project-context}-prod_ --user=_ipa-user_ +---- ++ +. Optional: Verify the status of the rule: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-find _{project-context}-prod_ +$ ipa hbactest --user=_ipa-user_ --host=_{foreman-example-com}_ --service={project-context}-prod +---- +. Disable the default `allow_all` rule: +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ ipa hbacrule-disable allow_all +---- + +On {ProjectServer}, a {Project} administrator re-runs {foreman-installer} to load the host-based access control rules from {FreeIPA}: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- # {foreman-installer} --foreman-pam-service={project-context}-prod ---- +==== diff --git a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc new file mode 100644 index 00000000000..be0b1af94a1 --- /dev/null +++ b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc 
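Review bot: The procedure step `On your {ProjectServer}, load the host-based access control rules from {FreeIPA}:` hardcodes `--foreman-pam-service=satellite-prod`, while the HBAC service created in the example and the installer line closing the example both use `{project-context}-prod`; because this module is shared across products and an HBAC rule only applies to the PAM service name it was created for, a mismatched name means the documented access control is not the one evaluated, so the step should read `# {foreman-installer} --foreman-pam-service={project-context}-prod`. In the example, the step `. Disable the default `allow_all` rule:` is followed directly by the `[options=...]` listing without the `+` list continuation the surrounding steps use, so the listing will not render as part of that step; add a `+` line between them. It might also be worth adding a verification bullet that a user denied by the rule does not appear under *Administer* > *Users*, since not creating database entries for such users is the outcome the introduction promises — confirm that this matches actual behavior before adding it.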
@@ -0,0 +1,124 @@ +[id="enrolling-project-server-in-freeipa-domain_{context}"] += Enrolling {ProjectServer} in a {FreeIPA} domain + +Create a host entry for your {ProjectServer} system in the {FreeIPA} LDAP and configure the system to be a client in your {FreeIPA} domain. + +.Prerequisites + +* An existing {FreeIPA} server +* {FreeIPA} user account with privileges to enroll new {FreeIPA} hosts + +.Procedure + +. On the {FreeIPA} server: +.. Create a host entry for the {ProjectServer} system. +ifdef::satellite[] ++ +For more information, see link:{RHELDocsBaseURL}8/html/configuring_and_managing_identity_management/index[{RHEL}{nbsp}8 Configuring and managing Identity Management] or link:{RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. +endif::[] +.. Create an entry for the HTTP service for {ProjectServer}. +This enables access to the keytab file by creating a service principal for your {ProjectServer}. +ifdef::satellite[] ++ +For more information on creating a service entry in {FreeIPA}, see +link:{RHELDocsBaseURL}8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index[{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules] or link:{RHELDocsBaseURL}9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. +endif::[] +. On your {ProjectServer}, configure the system as client in the {FreeIPA} domain. +This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the `ipa-client-install` utility. 
+ifdef::satellite[] ++ +For more information, see link:{RHELDocsBaseURL}/8/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}8 Installing Identity Management] or link:{RHELDocsBaseURL}/9/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}9 Installing Identity Management]. +endif::[] ++ +[NOTE] +==== +To install packages on your {ProjectServer}, use the `{foreman-installer}` utility. +==== +ifdef::foreman-deb[] ++ +. Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# hostname +{foreman-example-com} +---- ++ +Otherwise, `{foreman-installer}` cannot generate the right principal name that is needed to join the realm. +endif::[] + +.Verification + +* On your {ProjectServer}, check that you are able to resolve a user defined on the {FreeIPA} server. +For example, to check the `admin` user that {FreeIPA} creates by default: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ id admin +---- + +.Enrolling a {ProjectServer} system as a {FreeIPA} client from the command line by using a one-time password +==== +On the {FreeIPA} server, a user named _admin_ who has administrative privileges on the {FreeIPA} server prepares a host entry for the {ProjectServer} system: + +. Authenticate as the {FreeIPA} _admin_ user: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# kinit _admin_ +---- +. Optional: Verify that you have authenticated successfully: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# klist +---- +. Create a host entry from the command line. +Specify that you want to use a random password for the enrollment. 
++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa host-add --random _{project-context}-server.example.com_ +-------------------------------------------------- + Added host "{project-context}-server.example.com" + -------------------------------------------------- + Host name: {project-context}-server.example.com + Random password: W5YpARl=7M.n + Password: True + Keytab: False + Managed by: ipa-server.example.com +---- +. Enable access to the keytab file by creating a service principal for your {ProjectServer}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa service-add HTTP/_{project-context}-server.example.com_ +---- + +On the {ProjectServer} system, a user with {Project} administrative privileges enrolls the system into the {FreeIPA} domain: + +. Install the {FreeIPA} client packages: +ifdef::satellite[] +endif::[] ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# {project-package-install} ipa-client +---- ++ +WARNING: The {project-package-install} command might restart {Project} services during the installation of the package. +For more information about installing and updating packages on {Project}, see {AdministeringDocURL}Managing_Packages_on_the_Base_Operating_System_admin[Managing packages on the base operating system of {ProjectServer} or {SmartProxyServer}] in _{AdministeringDocTitle}_. +. Configure the {ProjectServer} system a client in {FreeIPA} by using the random password produced by `ipa host-add` in a previous step: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +# ipa-client-install --password 'W5YpARl=7M.n' +---- ++ +. Verify that you are able to resolve the {FreeIPA} `admin` user from your {ProjectServer}: ++ +[options="nowrap", subs="+quotes,verbatim,attributes"] +---- +$ id admin +---- +==== 
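Review bot: The step `Install the {FreeIPA} client packages:` carries an empty `ifdef::satellite[]` / `endif::[]` pair, which looks like a leftover from moving the WARNING out of the conditional and should be removed. The two RHEL links in the `ipa-client-install` step use `{RHELDocsBaseURL}/8/` and `{RHELDocsBaseURL}/9/` with a leading slash, unlike `{RHELDocsBaseURL}8/` and `{RHELDocsBaseURL}9/` used earlier in the same hunk, so one of the two forms presumably yields a broken URL. The NOTE says `To install packages on your {ProjectServer}, use the `{foreman-installer}` utility.`, yet the example installs the client with `{project-package-install} ipa-client`; the two should agree. Minor wording: `Configure the {ProjectServer} system a client in {FreeIPA}` is missing `as`, and the sample one-time password reused in `ipa-client-install --password 'W5YpARl=7M.n'` could be marked as a value to substitute, for example `'_one-time-password_'`, so readers do not copy it literally.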
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc
new file mode 100644
index 00000000000..24d1044d055
--- /dev/null
+++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc
@@ -0,0 +1,32 @@
+[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-Mozilla-Firefox_{context}"]
+= Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Mozilla Firefox
+
+You can use Mozilla Firefox to log in to the {ProjectWebUI} with your {FreeIPA} credentials.
+
+Use the latest stable Mozilla Firefox browser.
+
+.Prerequisites
+* You have {FreeIPA} authentication configured in your {Project} environment.
+ifndef::orcharhino[]
+For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
+endif::[]
+* Your Mozilla Firefox is configured for Single Sign-On (SSO).
+ifdef::satellite[]
+For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_.
+endif::[]
+
+.Procedure
+. Obtain the Kerberos ticket granting ticket (TGT):
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+$ kinit _user_
+Password for user@EXAMPLE.COM:
+----
+. In Mozilla Firefox, go to the URL of your {ProjectServer}.
+. You are logged in automatically.
+
+Alternatively:
+
+. In your browser address bar, enter the URL of your {ProjectServer}.
+. Enter your login and password.
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc index f878e42a749..11895f5c656 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc @@ -1,17 +1,15 @@ [id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Chrome-browser_{context}"] -= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with a Chrome browser += Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Chrome -This section describes how to use a Chrome browser to log in to your {ProjectWebUI} with your {FreeIPA} login and password. +You can use Chrome to log in to the {ProjectWebUI} with your {FreeIPA} credentials. + +Use the latest stable Chrome browser. .Prerequisites -* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication. +* You have {FreeIPA} authentication configured in your {Project} environment. ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_. +For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. endif::[] -* The host on which you are using the Chrome browser to log in to the {ProjectWebUI} is an {FreeIPA} client. -* You have a valid {FreeIPA} login and password. -* {Team} recommends using the latest stable Chrome browser. -* An {FreeIPA} server is running and reachable by the host. .Procedure . Enable the Chrome browser to use Kerberos authentication: 
@@ -20,27 +18,22 @@ endif::[] ---- $ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist=”*._example.com_" ---- - + [NOTE] ==== Instead of allowlisting the whole domain, you can also allowlist a specific {ProjectServer}. ==== - -. Obtain the Kerberos ticket-granting ticket (TGT) for yourself using your {FreeIPA} credentials: +. Obtain the Kerberos ticket-granting ticket (TGT): + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -$ kinit _idm_user_ -Password for _idm_user@_EXAMPLE.COM_: +$ kinit _user_ +Password for user@EXAMPLE.COM: ---- -. In your browser address bar, enter the URL of your {ProjectServer}. -+ -You are logged in automatically. +. In Chrome, go to the URL of your {ProjectServer}. +. You are logged in automatically. +Alternatively: -[NOTE] -==== -Alternatively, you can skip the first three steps and enter your login and password in the fields displayed on the {ProjectWebUI}. -This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client. -==== +. In your browser address bar, enter the URL of your {ProjectServer}. +. Enter your login and password. diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc deleted file mode 100644 index e4161b11954..00000000000 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Firefox-browser.adoc +++ /dev/null 
@@ -1,36 +0,0 @@
-[id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Firefox-browser_{context}"]
-= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with a Firefox browser
-
-This section describes how to use the Firefox browser to log in to your {ProjectWebUI} with your {FreeIPA} (IdM) login and password.
-
-.Prerequisites
-* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication.
-ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_.
-endif::[]
-* The host on which you are using a Firefox browser to log in to the {ProjectWebUI} is an {FreeIPA} client.
-* You have a valid {FreeIPA} login and password.
-* {Team} recommends using the latest stable Firefox browser.
-* Your Firefox browser is configured for Single Sign-On (SSO).
-ifdef::satellite[]
-For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_.
-endif::[]
-* An {FreeIPA} server is running and reachable by the host.
-
-.Procedure
-. Obtain the Kerberos ticket granting ticket (TGT) for yourself using your {FreeIPA} credentials:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-$ kinit _idm_user_
-Password for idm_user@_EXAMPLE.COM_:
-----
-. In your browser address bar, enter the URL of your {ProjectServer}.
-+
-You are logged in automatically.
-
-[NOTE]
-====
-Alternatively, you can skip the first two steps and enter your login and password in the fields displayed on the {ProjectWebUI}.
-This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client.
-====
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc
index 8d374052c5b..1cf28902f9b 100644
--- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc
+++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc
@@ -1,60 +1,54 @@ [id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{project-context}_Hammer_CLI_{context}"] -= Using {FreeIPA} credentials to log in to the {Project} Hammer CLI += Logging in to Hammer CLI with {FreeIPA} credentials -This section describes how to log in to your {Project} Hammer CLI with your {FreeIPA} (IdM) login and password. +Authenticate to the {Project} Hammer CLI with your {FreeIPA} username and password. .Prerequisites -* You have enrolled your {ProjectServer} into {FreeIPA} and configured it to use {FreeIPA} for authentication. -More specifically, you have enabled access both to the {ProjectWebUI} and the {Project} API. +* You have configured Hammer CLI to accept {FreeIPA} credentials. +// See xref:configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[]. ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Using_FreeIPA_{project-context}[Using {FreeIPA}] in _{InstallingServerDocTitle}_. +For more information, see {InstallingServerDocURL}configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[Configuring Hammer CLI to accept {FreeIPA} credentials] in _{InstallingServerDocTitle}_. endif::[] -* The host on which you run this procedure is configured to use {FreeIPA} credentials to log users in to your {Project} Hammer CLI. -ifndef::orcharhino[] -For more information, see {InstallingServerDocURL}Configuring_the_Hammer_CLI_to_Use_FreeIPA_User_Authentication_{project-context}[Configuring the Hammer CLI to Use {FreeIPA} User Authentication] in _{InstallingServerDocTitle}_. -endif::[] -* The host is an {FreeIPA} client. -* An {FreeIPA} server is running and reachable by the host. .Procedure -. Obtain a Kerberos ticket-granting ticket (TGT) on behalf of a {Project} user: +. 
Authenticate as a user defined in {FreeIPA} to obtain a Kerberos ticket-granting ticket (TGT): + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- -$ kinit idm_user +$ kinit _{FreeIPA-context}_user_ ---- + [WARNING] ==== -If, when you were setting {FreeIPA} to be the authentication provider, you enabled access to both the {Project} API and the {ProjectWebUI}, an attacker can now obtain an API session after the user receives the Kerberos TGT. +If you enabled access to the {Project} API and the {ProjectWebUI} when you were configuring {FreeIPA} as the authentication provider for {Project}, an attacker might now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser. ==== -. If automatic negotiate authentication is not enabled, use the TGT to authenticate to Hammer manually: +. If Hammer is not configured to negotiate authentication, initiate an authentication session manually: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- $ hammer auth login negotiate ---- -. Optional: Destroy all cached Kerberos tickets in the collection: -+ -[options="nowrap", subs="+quotes,verbatim,attributes"] ----- -$ kdestroy -A ----- + [NOTE] ==== -You are still logged in, even after destroying the Kerberos ticket. +If you destroy the active Kerberos ticket, for example with `kdestroy`, you will still be logged in to Hammer. +To log out, enter `hammer auth logout`. ==== .Verification -* Use any `hammer` command to ensure that the system does not ask you to authenticate again: +* Use any `hammer` command to check that the system does not ask you to authenticate. +For example: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- $ hammer host list ---- -[NOTE] -==== -To log out of Hammer, enter: `hammer auth logout`. 
-==== +.Additional resources + +* For more information about authenticating with Hammer, see +ifdef::satellite[] +link:{HammerDocURL}sect-CLI_Guide-Authentication[{HammerDocTitle}] +endif::[] +or `$ hammer auth --help`. \ No newline at end of file diff --git a/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc b/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc deleted file mode 100644 index dac093cb38e..00000000000 --- a/guides/common/modules/snip_do-not-use-both-ldap-and-freeipa.adoc +++ /dev/null @@ -1,4 +0,0 @@ -Users cannot use both {FreeIPA} and LDAP as an authentication method. -After a user authenticates by using one of these methods, they cannot use the other method. - -To change the authentication method for a user, remove the automatically created user from {Project}. From b61ae60dbfc2ccc5a30463fc22e4a0eea8c6cb07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Fri, 26 Jul 2024 22:43:52 +0200 Subject: [PATCH 03/17] Review and clarify configuring Hammer for FreeIPA Based on https://github.com/theforeman/hammer-cli-foreman/blob/master/doc/configuration.md --- ...li-to-use-freeipa-user-authentication.adoc | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc b/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc index 9c0eb353c9b..d9aebd2c69b 100644 --- a/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc +++ b/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc 
@@ -1,13 +1,17 @@ -[id="Configuring_the_Hammer_CLI_to_Use_{FreeIPA-context}_User_Authentication_{context}"] -= Configuring the Hammer CLI to use {FreeIPA} user authentication +[id="configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}"] += Configuring Hammer CLI to accept {FreeIPA} credentials -This section describes how to configure the {Project} Hammer command-line interface (CLI) tool to use {FreeIPA} (IdM) to authenticate users. +Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users. .Prerequisites -* You are logged in to the host from which you want to access {Project} by using Hammer. +* You have enabled {FreeIPA} access to the {Project} API. +See xref:Configuring_FreeIPA_Authentication_on_Server_{context}[]. .Procedure -. Enable sessions in the `~/.hammer/cli.modules.d/foreman.yml` Hammer configuration file by adding the `:use_sessions: true` line to the `foreman` parameters: + +. Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters: +.. Configure Hammer to enforce session usage. +Enable `:use_sessions:`: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- @@ -15,9 +19,8 @@ This section describes how to configure the {Project} Hammer command-line interf :use_sessions: true ---- + -Adding the line enforces session usage in Hammer. -This means that Hammer performs the authentication request only once instead of with each `hammer` command. -. Optional: Enable negotiate authentication in the `~/.hammer/cli.modules.d/foreman.yml` Hammer configuration file by adding the `:default_auth_type: 'Negotiate_Auth'` line to the `foreman` parameters: +With this configuration, you will need to initiate an authentication session manually with `hammer auth login negotiate`. +.. Alternatively, configure Hammer to enforce session usage and also negotiate authentication by default: + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- 
@@ -26,5 +29,4 @@ This means that Hammer performs the authentication request only once instead of :use_sessions: true ---- + -Adding this line means that your authentication is negotiated when you enter the first `hammer` command. -If this entry is present, Hammer tries to communicate with {ProjectServer} using the negotiation protocol. +With this configuration, Hammer will negotiate authentication automatically when you enter the first `hammer` command: From b73c2761e172a058b0fd3193452b1a60e1495c28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 06:36:31 +0200 Subject: [PATCH 04/17] Re-adding prereq about browser login from IPA client --- ...tials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc | 1 + ...ials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc | 1 + 2 files changed, 2 insertions(+) diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc index 24d1044d055..b3d640f627d 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc 
@@ -10,6 +10,7 @@ Use the latest stable Mozilla Firefox browser. ifndef::orcharhino[] For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. endif::[] +* The host on which you are using Mozilla Firefox is a client in the {FreeIPA} domain. * Your Mozilla Firefox is configured for Single Sign-On (SSO). ifdef::satellite[] For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_. diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc index 11895f5c656..0386ff125fc 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc @@ -10,6 +10,7 @@ Use the latest stable Chrome browser. ifndef::orcharhino[] For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. endif::[] +* The host on which you are using Chrome is a client in the {FreeIPA} domain. .Procedure . Enable the Chrome browser to use Kerberos authentication: From 4f7c635309de65bcd51a20fdeecf6e6c08e28183 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 07:05:57 +0200 Subject: [PATCH 05/17] Add FreeIPA upstream resource --- .../proc_configuring-host-based-authentication-control.adoc | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc index eed11bb2017..6551eb61576 100644 --- a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc +++ b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc @@ -37,6 +37,12 @@ endif::[] ** If the user is included in the HBAC rule, {ProjectWebUI} will grant access. ** If the user is not included in the HBAC rule, {ProjectWebUI} will not grant access. +ifndef::satellite[] +.Additional resources + +* For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://www.freeipa.org/page/Howto/HBAC_and_allow_all[HBAC and `allow_all`] in {FreeIPA} documentation. + +endif::[] .Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line ==== From afeae0cad6906f86dfd35ae42dbe2b737523bd72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 07:07:47 +0200 Subject: [PATCH 06/17] Check conditionals for links to other, mostly RH, resources --- ...roc_configuring-host-based-authentication-control.adoc | 7 +++++-- .../proc_enrolling-project-server-in-freeipa-domain.adoc | 8 +++++--- ...a-credentials-to-log-in-to-the-project-hammer-cli.adoc | 4 ++-- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc index 6551eb61576..3ff2025a9ca 100644 --- a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc +++ b/guides/common/modules/proc_configuring-host-based-authentication-control.adoc 
@@ -13,7 +13,10 @@ By configuring a HBAC rule in the {FreeIPA} domain, you can ensure {Project} doe .Procedure -. On the {FreeIPA} server, configure HBAC control. For more information, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. +. On the {FreeIPA} server, configure HBAC control. +ifndef::orcharhino[] +For more information, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_]. +endif::[] .. Create a HBAC service for {ProjectServer}. .. Create a new HBAC rule to define the required access control. Add the following {FreeIPA} entities to the HBAC rule: @@ -21,7 +24,7 @@ Add the following {FreeIPA} entities to the HBAC rule: ... The {ProjectServer} host ... The users or user groups to whom you want to grant access .. Make sure the default {FreeIPA} `allow_all` rule is disabled. -ifndef::orcharhino[] +ifdef::satellite[] For information about how to disable `allow_all` without disrupting other services, see the https://access.redhat.com/solutions/67895[How to configure HBAC rules in IdM] article on the Red{nbsp}Hat Customer Portal. endif::[] . On your {ProjectServer}, load the host-based access control rules from {FreeIPA}: 
diff --git a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
index be0b1af94a1..4d13d484086 100644
--- a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
+++ b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
@@ -12,20 +12,20 @@ Create a host entry for your {ProjectServer} system in the {FreeIPA} LDAP and co . On the {FreeIPA} server: .. Create a host entry for the {ProjectServer} system. -ifdef::satellite[] +ifndef::orcharhino[] + For more information, see link:{RHELDocsBaseURL}8/html/configuring_and_managing_identity_management/index[{RHEL}{nbsp}8 Configuring and managing Identity Management] or link:{RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. endif::[] .. Create an entry for the HTTP service for {ProjectServer}. This enables access to the keytab file by creating a service principal for your {ProjectServer}. -ifdef::satellite[] +ifndef::orcharhino[] + For more information on creating a service entry in {FreeIPA}, see link:{RHELDocsBaseURL}8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index[{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules] or link:{RHELDocsBaseURL}9/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#[{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules]. endif::[] . On your {ProjectServer}, configure the system as client in the {FreeIPA} domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the `ipa-client-install` utility. -ifdef::satellite[] +ifndef::orcharhino[] + For more information, see link:{RHELDocsBaseURL}/8/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}8 Installing Identity Management] or link:{RHELDocsBaseURL}/9/html-single/installing_identity_management/index#assembly_installing-an-idm-client_installing-identity-management[{RHEL}{nbsp}9 Installing Identity Management]. endif::[] 
@@ -107,7 +107,9 @@ endif::[] ---- + WARNING: The {project-package-install} command might restart {Project} services during the installation of the package. +ifdef::satellite[] For more information about installing and updating packages on {Project}, see {AdministeringDocURL}Managing_Packages_on_the_Base_Operating_System_admin[Managing packages on the base operating system of {ProjectServer} or {SmartProxyServer}] in _{AdministeringDocTitle}_. +endif::[] . Configure the {ProjectServer} system a client in {FreeIPA} by using the random password produced by `ipa host-add` in a previous step: + [options="nowrap", subs="+quotes,verbatim,attributes"] diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc index 1cf28902f9b..13815c5a219 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc @@ -49,6 +49,6 @@ $ hammer host list * For more information about authenticating with Hammer, see ifdef::satellite[] -link:{HammerDocURL}sect-CLI_Guide-Authentication[{HammerDocTitle}] +link:{HammerDocURL}sect-CLI_Guide-Authentication[{HammerDocTitle}] or endif::[] -or `$ hammer auth --help`. \ No newline at end of file +`hammer auth --help`. \ No newline at end of file From 00082128e096eab4aa7d0d5434908b184a9ef096 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 07:08:07 +0200 Subject: [PATCH 07/17] Remove a stray conditional --- .../proc_enrolling-project-server-in-freeipa-domain.adoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc index 4d13d484086..6293f8c5d62 100644 
--- a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc +++ b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc @@ -98,8 +98,6 @@ Specify that you want to use a random password for the enrollment. On the {ProjectServer} system, a user with {Project} administrative privileges enrolls the system into the {FreeIPA} domain: . Install the {FreeIPA} client packages: -ifdef::satellite[] -endif::[] + [options="nowrap", subs="+quotes,verbatim,attributes"] ---- From f7b3ea5e9dc543a7c709dcc0beb044ccce383aed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 07:25:40 +0200 Subject: [PATCH 08/17] Use xrefs instead of links where appropriate --- ...-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc | 2 ++ ...to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc | 2 ++ ...ipa-credentials-to-log-in-to-the-project-hammer-cli.adoc | 6 +++++- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc index b3d640f627d..c1dc7330785 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc 
@@ -7,9 +7,11 @@ Use the latest stable Mozilla Firefox browser. .Prerequisites * You have {FreeIPA} authentication configured in your {Project} environment. +ifeval::["{context}" != "{project-context}"] ifndef::orcharhino[] For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. endif::[] +endif::[] * The host on which you are using Mozilla Firefox is a client in the {FreeIPA} domain. * Your Mozilla Firefox is configured for Single Sign-On (SSO). ifdef::satellite[] diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc index 0386ff125fc..1031c19e4de 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc +++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc @@ -7,9 +7,11 @@ Use the latest stable Chrome browser. .Prerequisites * You have {FreeIPA} authentication configured in your {Project} environment. +ifeval::["{context}" != "{project-context}"] ifndef::orcharhino[] For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}]. endif::[] +endif::[] * The host on which you are using Chrome is a client in the {FreeIPA} domain. .Procedure diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc index 13815c5a219..d2fa865f0c1 100644 --- a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc 
+++ b/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc @@ -5,10 +5,14 @@ Authenticate to the {Project} Hammer CLI with your {FreeIPA} username and passwo .Prerequisites * You have configured Hammer CLI to accept {FreeIPA} credentials. -// See xref:configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[]. +ifeval::["{context}" == "{project-context}"] +See xref:configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[]. +endif::[] +ifeval::["{context}" != "{project-context}"] ifndef::orcharhino[] For more information, see {InstallingServerDocURL}configuring-hammer-cli-to-accept-{FreeIPA-context}-credentials_{context}[Configuring Hammer CLI to accept {FreeIPA} credentials] in _{InstallingServerDocTitle}_. endif::[] +endif::[] .Procedure . Authenticate as a user defined in {FreeIPA} to obtain a Kerberos ticket-granting ticket (TGT): From c4657780753e73405553b136aa00c073faf5363d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?= Date: Tue, 30 Jul 2024 07:34:47 +0200 Subject: [PATCH 09/17] Rename files to match headings --- guides/common/assembly_accessing-server.adoc | 6 +++--- ...as-an-external-identity-provider-for-project.adoc | 12 ++++++------ ...ng-hammer-cli-to-accept-freeipa-credentials.adoc} | 0 ...rol-for-freeipa-users-logging-in-to-foreman.adoc} | 0 ...eipa-authentication-source-on-projectserver.adoc} | 0 ...g-in-to-hammer-cli-with-freeipa-credentials.adoc} | 0 ...ectwebui-with-freeipa-credentials-in-chrome.adoc} | 0 ...with-freeipa-credentials-in-mozilla-firefox.adoc} | 0 8 files changed, 9 insertions(+), 9 deletions(-) rename guides/common/modules/{proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc => proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc} (100%) rename guides/common/modules/{proc_configuring-host-based-authentication-control.adoc => proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc} (100%) rename guides/common/modules/{proc_configuring-freeipa-authentication-on-server.adoc => proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc} (100%) rename guides/common/modules/{proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc => proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc} (100%) rename guides/common/modules/{proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc => proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc} (100%) rename guides/common/modules/{proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc => proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc} (100%) diff --git a/guides/common/assembly_accessing-server.adoc b/guides/common/assembly_accessing-server.adoc index 2a6b3d6f9cb..6f40b305a59 100644 --- a/guides/common/assembly_accessing-server.adoc 
+++ b/guides/common/assembly_accessing-server.adoc @@ -8,11 +8,11 @@ endif::[] include::modules/proc_logging-in.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc[leveloffset=+1] -include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc[leveloffset=+1] +include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc[leveloffset=+1] include::modules/proc_changing-the-password.adoc[leveloffset=+1] diff --git a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc index c3601e94f99..856d12d5f9d 100644 --- a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc +++ b/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc 
@@ -2,14 +2,14 @@ include::modules/con_configuring-a-freeipa-server-as-an-external-identity-provid
 include::modules/proc_enrolling-project-server-in-freeipa-domain.adoc[leveloffset=+1]
-include::modules/proc_configuring-freeipa-authentication-on-server.adoc[leveloffset=+1]
+include::modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc[leveloffset=+1]
-include::modules/proc_configuring-host-based-authentication-control.adoc[leveloffset=+1]
+include::modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc[leveloffset=+1]
-include::modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc[leveloffset=+1]
+include::modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc[leveloffset=+1]
-include::modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc[leveloffset=+1]
+include::modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc[leveloffset=+1]
-include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc[leveloffset=+1]
+include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc[leveloffset=+1]
-include::modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc[leveloffset=+1]
+include::modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc[leveloffset=+1]
diff --git a/guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
similarity index 100%
rename from guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc
rename to guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
diff --git a/guides/common/modules/proc_configuring-host-based-authentication-control.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
similarity index 100%
rename from guides/common/modules/proc_configuring-host-based-authentication-control.adoc
rename to guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
diff --git a/guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
similarity index 100%
rename from guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc
rename to guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc b/guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc
similarity index 100%
rename from guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc
rename to guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
similarity index 100%
rename from guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc
rename to guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
diff --git a/guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
similarity index 100%
rename from guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc
rename to guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
From 219286c2dca2f262906ee02fd7c6f0288b74cddc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 10:11:23 +0200
Subject: [PATCH 10/17] Apply easy fixes from peer review
Co-authored-by: Maximilian Kolb
---
 ...server-as-an-external-identity-provider-for-project.adoc | 2 +-
 ...onfiguring-hammer-cli-to-accept-freeipa-credentials.adoc | 6 ++----
 ...ess-control-for-freeipa-users-logging-in-to-foreman.adoc | 5 -----
 ...-the-freeipa-authentication-source-on-projectserver.adoc | 3 ---
 .../proc_enrolling-project-server-in-freeipa-domain.adoc | 3 ---
 5 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
index ffeb18902f9..70dd6ae23c4 100644
--- a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
@@ -11,7 +11,7 @@ With {Project}, you can use one or multiple LDAP directories for external authen
 ====
 While you can configure the LDAP server integrated with {FreeIPA} as an external authentication source, {FreeIPA} users will not be able to log in using single sign-on.
 Instead, consider configuring {FreeIPA} as an external identity provider.
-See xref:configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}[].
+For more information, see xref:configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}[].
 ====
 [IMPORTANT]
diff --git a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
index d9aebd2c69b..0033d020e82 100644
--- a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
+++ b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
@@ -5,13 +5,11 @@ Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users.
 .Prerequisites
 * You have enabled {FreeIPA} access to the {Project} API.
-See xref:Configuring_FreeIPA_Authentication_on_Server_{context}[].
+For more information, see xref:Configuring_FreeIPA_Authentication_on_Server_{context}[].
 .Procedure
-
 . Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters:
-.. Configure Hammer to enforce session usage.
-Enable `:use_sessions:`:
+.. Enable `:use_sessions:` to enforce session usage:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
index 3ff2025a9ca..a68dbf042db 100644
--- a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
+++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
@@ -8,11 +8,9 @@ For example, you can configure HBAC on the {FreeIPA} server to limit access to {
 By configuring a HBAC rule in the {FreeIPA} domain, you can ensure {Project} does not create database entries for users who should not have access.
 .Prerequisites
-
 * {FreeIPA} user account with privileges to configure HBAC rules
 .Procedure
-
 . On the {FreeIPA} server, configure HBAC control.
 ifndef::orcharhino[]
 For more information, see {RHELDocsBaseURL}9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}9 Managing IdM users, groups, hosts, and access control rules_] or {RHELDocsBaseURL}8/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-host-based-access-control-rules_managing-users-groups-hosts[_{RHEL}{nbsp}8 Managing IdM users, groups, hosts, and access control rules_].
@@ -35,16 +33,13 @@ endif::[]
 ----
 .Verification
-
 * Log in to the {ProjectWebUI} as a user defined in {FreeIPA}.
 ** If the user is included in the HBAC rule, {ProjectWebUI} will grant access.
 ** If the user is not included in the HBAC rule, {ProjectWebUI} will not grant access.
 ifndef::satellite[]
 .Additional resources
-
 * For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://www.freeipa.org/page/Howto/HBAC_and_allow_all[HBAC and `allow_all`] in {FreeIPA} documentation.
-
 endif::[]
 .Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line
 ====
diff --git a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
index c14948ea622..df6b1d9c8d5 100644
--- a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
@@ -4,11 +4,9 @@
 Enable {FreeIPA} users to access {Project} by configuring {FreeIPA} as an authentication provider on your {ProjectServer}.
 .Prerequisites
-
 * {ProjectServer} running on a system that is enrolled in the {FreeIPA} domain.
 .Procedure
-
 * To enable access to the {ProjectWebUI} only:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -40,5 +38,4 @@ For example, to disable access to the {Project} API and Hammer CLI:
 ----
 .Verification
-
 * Log in to {ProjectWebUI} by entering the credentials of a user defined in {FreeIPA}.
diff --git a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
index 6293f8c5d62..e8e589f2470 100644
--- a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
+++ b/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
@@ -4,12 +4,10 @@
 Create a host entry for your {ProjectServer} system in the {FreeIPA} LDAP and configure the system to be a client in your {FreeIPA} domain.
 .Prerequisites
-
 * An existing {FreeIPA} server
 * {FreeIPA} user account with privileges to enroll new {FreeIPA} hosts
 .Procedure
-
 . On the {FreeIPA} server:
 .. Create a host entry for the {ProjectServer} system.
 ifndef::orcharhino[]
@@ -48,7 +46,6 @@ Otherwise, `{foreman-installer}` cannot generate the right principal name that i
 endif::[]
 .Verification
-
 * On your {ProjectServer}, check that you are able to resolve a user defined on the {FreeIPA} server.
 For example, to check the `admin` user that {FreeIPA} creates by default:
 +
From 0e797bd03ec1a9cc63cc299b1d8cc35fd001aeb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 10:11:38 +0200
Subject: [PATCH 11/17] Apply suggestions from peer review
---
 .../assembly_configuring-external-authentication.adoc | 2 +-
 ...erver-as-an-external-identity-provider-for-project.adoc} | 6 +++---
 ...server-as-an-external-identity-provider-for-project.adoc | 2 +-
 ...erver-as-an-external-identity-provider-for-project.adoc} | 2 +-
 ...onfiguring-hammer-cli-to-accept-freeipa-credentials.adoc | 2 +-
 ...ss-control-for-freeipa-users-logging-in-to-project.adoc} | 2 +-
 ...-the-freeipa-authentication-source-on-projectserver.adoc | 2 +-
 ... => proc_enrolling-projectserver-in-freeipa-domain.adoc} | 2 +-
 ...the-projectwebui-with-freeipa-credentials-in-chrome.adoc | 2 +-
 ...ctwebui-with-freeipa-credentials-in-mozilla-firefox.adoc | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
 rename guides/common/{assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc => assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc} (70%)
 rename guides/common/modules/{con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc => con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc} (89%)
 rename guides/common/modules/{proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc => proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc} (98%)
 rename guides/common/modules/{proc_enrolling-project-server-in-freeipa-domain.adoc => proc_enrolling-projectserver-in-freeipa-domain.adoc} (98%)
diff --git a/guides/common/assembly_configuring-external-authentication.adoc b/guides/common/assembly_configuring-external-authentication.adoc
index ea1f86a1a9d..0e0e6a14f28 100644
--- a/guides/common/assembly_configuring-external-authentication.adoc
+++ b/guides/common/assembly_configuring-external-authentication.adoc
@@ -2,7 +2,7 @@ include::modules/con_configuring-external-authentication.adoc[]
 include::assembly_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1]
-include::assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1]
+include::assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc[leveloffset=+1]
 ifdef::context[:parent-context: {context}]
 :context: keycloak-wildfly-general
diff --git a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
similarity index 70%
rename from guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc
rename to guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
index 856d12d5f9d..7339a301f26 100644
--- a/guides/common/assembly_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/assembly_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
@@ -1,10 +1,10 @@
-include::modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc[]
+include::modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc[]
-include::modules/proc_enrolling-project-server-in-freeipa-domain.adoc[leveloffset=+1]
+include::modules/proc_enrolling-projectserver-in-freeipa-domain.adoc[leveloffset=+1]
 include::modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc[leveloffset=+1]
-include::modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc[leveloffset=+1]
+include::modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc[leveloffset=+1]
 include::modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc[leveloffset=+1]
diff --git a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
index 70dd6ae23c4..212fd1ae439 100644
--- a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
@@ -11,7 +11,7 @@ With {Project}, you can use one or multiple LDAP directories for external authen
 ====
 While you can configure the LDAP server integrated with {FreeIPA} as an external authentication source, {FreeIPA} users will not be able to log in using single sign-on.
 Instead, consider configuring {FreeIPA} as an external identity provider.
-For more information, see xref:configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}[].
+For more information, see xref:configuring-freeipa-server-as-an-external-identity-provider-for-project_{context}[].
 ====
 [IMPORTANT]
diff --git a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
similarity index 89%
rename from guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc
rename to guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
index 0449f3cb970..06d5a574ac2 100644
--- a/guides/common/modules/con_configuring-a-freeipa-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
@@ -1,4 +1,4 @@
-[id="configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{context}"]
+[id="configuring-freeipa-server-as-an-external-identity-provider-for-project_{context}"]
 = Configuring {FreeIPA} server as an external identity provider for {Project}
 {FreeIPA} is an open-source identity management solution that provides centralized authentication, authorization, and account management services.
diff --git a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
index 0033d020e82..9c2a28b3704 100644
--- a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
+++ b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
@@ -5,7 +5,7 @@ Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users.
 .Prerequisites
 * You have enabled {FreeIPA} access to the {Project} API.
-For more information, see xref:Configuring_FreeIPA_Authentication_on_Server_{context}[].
+For more information, see xref:configuring-the-freeipa-authentication-source-on-projectserver_{context}[].
 .Procedure
 . Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters:
diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
similarity index 98%
rename from guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
rename to guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
index a68dbf042db..c963ac6dc0b 100644
--- a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-foreman.adoc
+++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
@@ -1,4 +1,4 @@
-[id="Configuring_Host_Based_Access_Control_{context}"]
+[id="configuring-host-based-access-control-for-freeipa-users-logging-in-to-project_{context}"]
 = Configuring host-based access control for {FreeIPA} users logging in to {Project}
 You can use host-based access control (HBAC) rules to manage access control within your {FreeIPA} domain.
diff --git a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
index df6b1d9c8d5..f93fc060a04 100644
--- a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
+++ b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
@@ -1,4 +1,4 @@
-[id="Configuring_FreeIPA_Authentication_on_Server_{context}"]
+[id="configuring-the-freeipa-authentication-source-on-projectserver_{context}"]
 = Configuring the {FreeIPA} authentication source on {ProjectServer}
 Enable {FreeIPA} users to access {Project} by configuring {FreeIPA} as an authentication provider on your {ProjectServer}.
diff --git a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
similarity index 98%
rename from guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
rename to guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
index e8e589f2470..14d9a4ace38 100644
--- a/guides/common/modules/proc_enrolling-project-server-in-freeipa-domain.adoc
+++ b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
@@ -1,4 +1,4 @@
-[id="enrolling-project-server-in-freeipa-domain_{context}"]
+[id="enrolling-projectserver-in-freeipa-domain_{context}"]
 = Enrolling {ProjectServer} in a {FreeIPA} domain
 Create a host entry for your {ProjectServer} system in the {FreeIPA} LDAP and configure the system to be a client in your {FreeIPA} domain.
diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
index 1031c19e4de..0d621cf0208 100644
--- a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
+++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
@@ -9,7 +9,7 @@ Use the latest stable Chrome browser.
 * You have {FreeIPA} authentication configured in your {Project} environment.
 ifeval::["{context}" != "{project-context}"]
 ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
+For more information, see {InstallingServerDocURL}configuring-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
 endif::[]
 * The host on which you are using Chrome is a client in the {FreeIPA} domain.
diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
index c1dc7330785..471a0d2f825 100644
--- a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
+++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
@@ -9,7 +9,7 @@ Use the latest stable Mozilla Firefox browser.
 * You have {FreeIPA} authentication configured in your {Project} environment.
 ifeval::["{context}" != "{project-context}"]
 ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
+For more information, see {InstallingServerDocURL}configuring-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
 endif::[]
 * The host on which you are using Mozilla Firefox is a client in the {FreeIPA} domain.
From efc5b0d00c46176509562513e11e06121478d807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 10:23:41 +0200
Subject: [PATCH 12/17] Reword FreeIPA hammer config to use bullets
---
 ...onfiguring-hammer-cli-to-accept-freeipa-credentials.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
index 9c2a28b3704..bb2d8443968 100644
--- a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
+++ b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
@@ -8,8 +8,8 @@ Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users.
 For more information, see xref:configuring-the-freeipa-authentication-source-on-projectserver_{context}[].
 .Procedure
-. Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters:
-.. Enable `:use_sessions:` to enforce session usage:
+* Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters:
+** To enforce session usage, enable `:use_sessions:`:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
@@ -18,7 +18,7 @@ For more information, see xref:configuring-the-freeipa-authentication-source-on-
 ----
 +
 With this configuration, you will need to initiate an authentication session manually with `hammer auth login negotiate`.
-.. Alternatively, configure Hammer to enforce session usage and also negotiate authentication by default:
+** Alternatively, to enforce session usage and also negotiate authentication by default:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
From f888c581e54567e37564911789e441d06315a274 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 16:24:44 +0200
Subject: [PATCH 13/17] Peer review
Co-authored-by: Maximilian Kolb
---
 ...c_configuring-hammer-cli-to-accept-freeipa-credentials.adoc | 2 +-
 ...access-control-for-freeipa-users-logging-in-to-project.adoc | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
index bb2d8443968..0cbf95672df 100644
--- a/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
+++ b/guides/common/modules/proc_configuring-hammer-cli-to-accept-freeipa-credentials.adoc
@@ -27,4 +27,4 @@ With this configuration, you will need to initiate an authentication session man
 :use_sessions: true
 ----
 +
-With this configuration, Hammer will negotiate authentication automatically when you enter the first `hammer` command:
+With this configuration, Hammer will negotiate authentication automatically when you enter the first `hammer` command.
diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
index c963ac6dc0b..0954d382d18 100644
--- a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
+++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
@@ -29,7 +29,7 @@ endif::[]
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-# {foreman-installer} --foreman-pam-service=satellite-prod
+# {foreman-installer} --foreman-pam-service=foreman-prod
 ----
 .Verification
@@ -41,6 +41,7 @@ ifndef::satellite[]
 .Additional resources
 * For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://www.freeipa.org/page/Howto/HBAC_and_allow_all[HBAC and `allow_all`] in {FreeIPA} documentation.
 endif::[]
+
 .Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line
 ====
From 8ca745acd4e1e7e65767b9b72b657051f872de22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 16:24:31 +0200
Subject: [PATCH 14/17] Peer review
---
 ...p-server-as-an-external-identity-provider-for-project.adoc | 2 +-
 ...a-server-as-an-external-identity-provider-for-project.adoc | 2 +-
 ...ccess-control-for-freeipa-users-logging-in-to-project.adoc | 2 +-
 ...o-the-projectwebui-with-freeipa-credentials-in-chrome.adoc | 4 ++--
 ...jectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
index 212fd1ae439..95287c882e1 100644
--- a/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-an-ldap-server-as-an-external-identity-provider-for-project.adoc
@@ -11,7 +11,7 @@ With {Project}, you can use one or multiple LDAP directories for external authen
 ====
 While you can configure the LDAP server integrated with {FreeIPA} as an external authentication source, {FreeIPA} users will not be able to log in using single sign-on.
 Instead, consider configuring {FreeIPA} as an external identity provider.
-For more information, see xref:configuring-freeipa-server-as-an-external-identity-provider-for-project_{context}[].
+For more information, see xref:configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}[].
 ====
 
 [IMPORTANT]
diff --git a/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
index 06d5a574ac2..8c7504c1124 100644
--- a/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
+++ b/guides/common/modules/con_configuring-freeipa-server-as-an-external-identity-provider-for-project.adoc
@@ -1,4 +1,4 @@
-[id="configuring-freeipa-server-as-an-external-identity-provider-for-project_{context}"]
+[id="configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{context}"]
 = Configuring {FreeIPA} server as an external identity provider for {Project}
 
 {FreeIPA} is an open-source identity management solution that provides centralized authentication, authorization, and account management services.
diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
index 0954d382d18..2085e1886df 100644
--- a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
+++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
@@ -1,4 +1,4 @@
-[id="configuring-host-based-access-control-for-freeipa-users-logging-in-to-project_{context}"]
+[id="configuring-host-based-access-control-for-{Freeipa-context}-users-logging-in-to-project_{context}"]
 = Configuring host-based access control for {FreeIPA} users logging in to {Project}
 
 You can use host-based access control (HBAC) rules to manage access control within your {FreeIPA} domain.
diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
index 0d621cf0208..ac410a6d344 100644
--- a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
+++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
@@ -9,7 +9,7 @@ Use the latest stable Chrome browser.
 * You have {FreeIPA} authentication configured in your {Project} environment.
 ifeval::["{context}" != "{project-context}"]
 ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
+For more information, see {InstallingServerDocURL}configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
 endif::[]
 * The host on which you are using Chrome is a client in the {FreeIPA} domain.
@@ -39,4 +39,4 @@ Password for user@EXAMPLE.COM:
 Alternatively:
 
 . In your browser address bar, enter the URL of your {ProjectServer}.
-. Enter your login and password.
+. Enter your username and password.
diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
index 471a0d2f825..1d4107ada6f 100644
--- a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
+++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-mozilla-firefox.adoc
@@ -9,7 +9,7 @@ Use the latest stable Mozilla Firefox browser.
 * You have {FreeIPA} authentication configured in your {Project} environment.
 ifeval::["{context}" != "{project-context}"]
 ifndef::orcharhino[]
-For more information, see {InstallingServerDocURL}configuring-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
+For more information, see {InstallingServerDocURL}configuring-{Freeipa-context}-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
 endif::[]
 * The host on which you are using Mozilla Firefox is a client in the {FreeIPA} domain.
@@ -32,4 +32,4 @@ Password for user@EXAMPLE.COM:
 Alternatively:
 
 . In your browser address bar, enter the URL of your {ProjectServer}.
-. Enter your login and password.
+. Enter your username and password.
From b00fbaf83aad38a625d8fc878b7d1bcfc0ccc522 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Tue, 30 Jul 2024 16:30:57 +0200
Subject: [PATCH 15/17] Update link to FreeIPA docs

---
 ...-access-control-for-freeipa-users-logging-in-to-project.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
index 2085e1886df..a26a69e405c 100644
--- a/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
+++ b/guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc
@@ -39,7 +39,7 @@ endif::[]
 
 ifndef::satellite[]
 .Additional resources
-* For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://www.freeipa.org/page/Howto/HBAC_and_allow_all[HBAC and `allow_all`] in {FreeIPA} documentation.
+* For more information about the `allow_all` rule and configuring HBAC in {FreeIPA}, see link:https://freeipa.readthedocs.io/en/latest/workshop/4-hbac.html[Host-based access control (HBAC)] in {FreeIPA} documentation.
 endif::[]
 
 .Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line
From 2f38bd24ae29f06a2668015d3720993b228d2b55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Wed, 31 Jul 2024 15:59:43 +0200
Subject: [PATCH 16/17] Fix quotation marks

---
 ...-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
index ac410a6d344..846ed858275 100644
--- a/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
+++ b/guides/common/modules/proc_logging-in-to-the-projectwebui-with-freeipa-credentials-in-chrome.adoc
@@ -19,7 +19,7 @@ endif::[]
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-$ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist=”*._example.com_"
+$ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist="*._example.com_"
 ----
 +
 [NOTE]
From 1a0342d7073057782e24e1807da270205bb37e31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aneta=20=C5=A0teflov=C3=A1=20Petrov=C3=A1?=
Date: Mon, 5 Aug 2024 08:44:48 +0200
Subject: [PATCH 17/17] Drop warning about restart after satellite-maintain

---
 .../proc_enrolling-projectserver-in-freeipa-domain.adoc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
index 14d9a4ace38..3dc0a1a72e1 100644
--- a/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
+++ b/guides/common/modules/proc_enrolling-projectserver-in-freeipa-domain.adoc
@@ -100,11 +100,6 @@ On the {ProjectServer} system, a user with {Project} administrative privileges e
 ----
 # {project-package-install} ipa-client
 ----
-+
-WARNING: The {project-package-install} command might restart {Project} services during the installation of the package.
-ifdef::satellite[]
-For more information about installing and updating packages on {Project}, see {AdministeringDocURL}Managing_Packages_on_the_Base_Operating_System_admin[Managing packages on the base operating system of {ProjectServer} or {SmartProxyServer}] in _{AdministeringDocTitle}_.
-endif::[]
 . Configure the {ProjectServer} system a client in {FreeIPA} by using the random password produced by `ipa host-add` in a previous step:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]