External authentication in ManageIQ

Posted by cjung on Thu, Dec 11, 2014

ManageIQ and CloudForms provide multiple methods to authenticate users.

  • Database: All users and groups are managed in the internal database.

  • LDAP/LDAPS: Users are authenticated via an external system, and group information can optionally be retrieved too. This is useful if you already have an enterprise directory such as LDAP or Microsoft Active Directory.

  • Amazon: Use AWS to authenticate users

  • External: Beginning with CloudForms 3.1 and ManageIQ Anand you can also authenticate and retrieve user/group information via an external system. The primary use case is to establish a connection to IPA (or Red Hat IdM), but it can also be used to cover more complex needs, like two-factor authentication or specific LDAP settings.

This article will focus on how to use external authentication in non-standard use cases. How to use the internal database or LDAP is well described in the official documentation.

Use case

The built-in LDAP/LDAPS authentication allows you to specify different methods to look up and authenticate a user. In Configure, Configuration you can choose one of the following options:

  • User principal name: Users will be looked up with @

  • eMail address: similar to User principal name but searching for different fields

  • Distinguished name: CN=,

  • Distinguished name: UID=,

In all these examples, is configurable. Obviously this doesn't work well if none of the above methods matches your setup or you have more complex requirements. For example, you might have users in different OUs of your Active Directory, you might want to use two-factor authentication, or you might have an LDAP proxy in the middle.

How external authentication works

You can also choose to use an external authentication method. ManageIQ/CloudForms will then rely completely on an external system to authenticate the user and to make the necessary user information available. The following fields are used internally and have to be populated somehow:

  • user name

  • user ID

  • eMail address

  • group mapping

The standard method of using external authentication is based on PAM. There are existing articles on how to configure IPA for ManageIQ or CloudForms.

PAM

If you're familiar with Linux you have probably already heard of PAM, the Pluggable Authentication Modules. You should make yourself familiar with PAM to better understand how the configuration below works.

The following modifications can be used to reconfigure PAM to use an LDAP proxy with a non-default base DN for authentication.

/etc/pam_ldap.conf:

base o=<base DN>
uri ldaps://<hostname of LDAP proxy>/
binddn uid=<bind DN>
bindpw <bind password>
ssl on
tls_cacertdir /etc/ssl/certs
pam_password md5

Values between < > have to be adjusted to your local settings, of course.

/etc/pam.d/httpd-auth: This is the PAM service configuration used for external authentication

auth    required pam_ldap.so
account required pam_permit.so

The password and session module types are not needed. We only want to use authentication; we do not want users to actually be able to log into the appliance or to change their passwords through this stack.
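The following is an added example, not part of the original article or of ManageIQ: a small lint for a pam.d service file that checks it matches the "authentication only" layout above (auth via pam_ldap.so, an account line, no password or session lines, and no pam_permit.so in the auth phase, which would accept any credential). The sample stacks are constructed inline; the bracketed-control parsing and the fallback-to-/etc/pam.d/other note reflect standard Linux-PAM behaviour, not anything specific to ManageIQ.

```python
import re
from typing import List, Tuple

# (type, control, module, args) for each active line of a pam.d service file
Entry = Tuple[str, str, str, List[str]]

# The control field is a keyword (required, sufficient, ...) or a bracketed
# action list such as [success=ok default=die], which may contain spaces.
_LINE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

def parse_pam_service(text: str) -> List[Entry]:
    """Parse pam.d syntax: drop comments, join backslash continuations."""
    entries: List[Entry] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        # A leading '-' only silences logging if the module is absent; drop it.
        mtype = m.group("type").lstrip("-").lower()
        entries.append((mtype, m.group("control"), m.group("module"), m.group("args").split()))
    return entries

def check_auth_only_stack(text: str) -> List[str]:
    """Findings for a stack meant to do LDAP authentication and nothing else."""
    entries = parse_pam_service(text)
    findings: List[str] = []
    for mtype, control, module, _ in entries:
        if mtype in ("password", "session"):
            findings.append(f"{mtype} line present: stack should only authenticate")
        if mtype == "auth" and module == "pam_permit.so":
            findings.append(f"auth {control} pam_permit.so accepts any credential")
    if not any(t == "auth" and c == "required" and m == "pam_ldap.so" for t, c, m, _ in entries):
        findings.append("missing 'auth required pam_ldap.so'")
    if not any(t == "account" for t, _, _, _ in entries):
        findings.append("no account line: PAM falls back to /etc/pam.d/other, usually pam_deny")
    return findings

# Constructed samples: the article's two-line stack, and a variant that
# adds a password phase and a permissive auth module.
GOOD_STACK = "auth    required pam_ldap.so\naccount required pam_permit.so\n"
BAD_STACK = ("auth     sufficient pam_permit.so\n"
             "auth     required   pam_ldap.so\n"
             "account  required   pam_permit.so\n"
             "password required   pam_ldap.so\n")
```

Run `check_auth_only_stack(open("/etc/pam.d/httpd-auth").read())` on an appliance to get the list of findings; an empty list means the stack matches the layout described above.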

This should give you an idea on where to start. If you know how to configure PAM, you can use any kind of external authentication method you like.