This blog post provides a high-level overview of the ways ManageIQ Authentication can be configured. It also gives a brief summary of the steps used to configure each of them.

Authentication Using Mode LDAP and LDAPS


  • Authentication Using Mode LDAP and LDAPS is implemented using MiqLdap
  • MiqLdap is a legacy solution implemented by an LDAP client built into ManageIQ.
  • MiqLdap is enabled by configuring authentication Mode LDAP or secure Mode LDAPS.
  • MiqLdap is being deprecated in the ManageIQ Gaprindashvili release.
  • Note: In order to retrieve user group membership information, MiqLdap requires that the memberof overlay be enabled on the LDAP server.
  • Configuring MiqLdap is currently only documented downstream in the Cloudforms documentation. See: Configuring LDAP Authentication
  • Users currently using MiqLdap are encouraged to convert to Authentication Mode: External (httpd) with LDAP.
  • The tool miqldap_to_sssd can be used to help convert a MiqLdap configuration to SSSD.
  • See this blog post describing how to use the miqldap_to_sssd conversion tool.

External Authentication Using SSSD Directly


External authentication is supported through Apache modules over SSSD.

Both direct to LDAP and direct to Active Directory configurations are supported.

The instructions for manually configuring ManageIQ external Authentication can be found here: Active Directory and LDAP

  • Active Directory

    A summary of the steps involved in manually configuring ManageIQ external authentication to work against Active Directory is:

    1. Join an AD domain with realm(8) join
    2. Allow AD users login access with realm(8) permit
    3. Configure SSSD by modifying the /etc/sssd/sssd.conf configuration file
    4. Configure the Apache module(s)
    5. Configure SELinux
    6. Configure ManageIQ Authentication with the ManageIQ Administrative UI
  • LDAP

    A summary of the steps involved in manually configuring ManageIQ external authentication to work against LDAP is:

    1. Install and test the LDAPS SSL certificate
    2. Configure SSSD by modifying the /etc/sssd/sssd.conf configuration file
    3. Configure the Apache module(s)
    4. Configure SELinux
    5. Configure ManageIQ Authentication with the ManageIQ Administrative UI
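Steps 1 and 2 of the LDAP procedure are where the transport security of the directory connection is decided. As an added example that is not part of this post or of ManageIQ, the Python script below audits the LDAP domain stanza of an sssd.conf for cleartext ldap:// URIs and relaxed ldap_tls_reqcert values, using the standard sssd-ldap(5) option names; the sample configurations, hostnames and certificate path are constructed.

```python
import configparser

# Constructed sample, typical of a direct-to-LDAP domain, with two weak settings.
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = allow
"""

# The same domain using LDAPS with strict certificate checking (the corrected form).
HARDENED_SSSD_CONF = WEAK_SSSD_CONF.replace(
    "ldap://ldap.example.com", "ldaps://ldap.example.com"
).replace("ldap_tls_reqcert = allow",
          "ldap_tls_reqcert = demand\n"
          "ldap_tls_cacert = /etc/openldap/cacerts/ldap-ca.crt")


def audit_sssd_conf(text: str) -> dict:
    """Return {domain_name: [finding, ...]} for each LDAP-backed [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if "ldap" not in (dom.get("id_provider", ""), dom.get("auth_provider", "")):
            continue  # AD/IPA-backed domains are out of scope for this check
        problems = []
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        if any(u.startswith("ldap://") for u in uris) and not start_tls:
            problems.append("ldap_uri: cleartext ldap:// without ldap_id_use_start_tls = true; "
                            "directory queries and binds would cross the network unencrypted")
        reqcert = dom.get("ldap_tls_reqcert", "hard").lower()  # sssd-ldap(5) default is hard
        if reqcert not in ("demand", "hard"):
            problems.append(f"ldap_tls_reqcert = {reqcert}: the server certificate is not "
                            "verified, so a spoofed directory could capture credentials")
        if problems:
            findings[section.split("/", 1)[1]] = problems
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(name, audit_sssd_conf(conf) or "no findings")
```

Run it against the appliance's own /etc/sssd/sssd.conf (read as root, since the file is mode 0600) before the Apache and SELinux steps.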

External Authentication Using IPA


External authentication using IPA is configured using the IPA client to connect to a preconfigured IPA server. ManageIQ makes configuration of the IPA Client simple by providing a wrapper around the ipa-client-install(1) command in the appliance_console.

Note: Under the covers, IPA uses SSSD.

  • The Appliance Console option: Configure External Authentication (httpd) is used to configure the IPA client.

  • Note: The Appliance Console cannot be used to configure external authentication for anything except IPA.

  • Note: The ManageIQ Appliance hostname must be resolvable by FQDN on the IPA server and conversely the IPA server hostname must be resolvable by FQDN on the ManageIQ Appliance.

  • The instructions for configuring ManageIQ external Authentication using IPA can be found here: External Authentication (httpd)

Additional Features of External Authentication Using IPA


IPA provides two additional features that can be used with ManageIQ: 2 Factor Authentication and AD Trust. Both of these features are provided and configured on the IPA server, then leveraged on the ManageIQ Appliance.

2 Factor Authentication with IPA


Here are the instructions for configuring 2 Factor Authentication with IPA.

A summary of how to configure 2 Factor Authentication with IPA is as follows:

  1. Configure ManageIQ Authentication with the ManageIQ Administrative UI
  2. Enable the ManageIQ Appliance to use the configured IPA server with the appliance_console, as above
  3. Enable 2 Factor Authentication using the IPA server's administrative UI

IPA AD Trust


Here are the instructions for configuring IPA AD Trust.

A summary of how to configure IPA AD Trust is as follows:

  1. Set up and configure an IPA server for AD Trust Authentication
  2. Enable the ManageIQ Appliance to use the configured IPA server with the appliance_console, as above
  3. Configure the ManageIQ appliance to use external authentication
  4. Create groups on the ManageIQ appliance

External Authentication with SAML


Configuring ManageIQ for external authentication using SAML is documented here.

The identity provider tool, Keycloak, has been used to test the SAML functionality.

A summary of how to configure a ManageIQ appliance to work with SAML is as follows:

  1. Configure Apache
  2. Configure SAML with the mellon_create_metadata script
  3. Configure a Client on the Keycloak Administration Console and configure the required SAML Assertions
  4. Copy the Client Metadata file from the Keycloak server onto the ManageIQ appliance
  5. Configure the ManageIQ appliance to use external authentication