ManageIQ and CloudForms provide multiple methods to authenticate users.
Database: All users and groups are managed in the internal database.
LDAP/LDAPS: Users are authenticated via an external system, and group information can optionally be retrieved too. This is useful if you already have an enterprise directory like LDAP or Microsoft Active Directory.
Amazon: Use AWS to authenticate users.
External: Beginning with CloudForms 3.1 and ManageIQ Anand, you can also authenticate and retrieve user/group information via an external system. The primary use case is to establish a connection to IPA (or Red Hat IDM), but it can also be used to meet more complex needs, like two-factor authentication or specific LDAP settings.
This article focuses on how to use external authentication in non-standard use cases. How to use the internal database or LDAP is well described in the official documentation.
The built-in LDAP/LDAPS authentication allows the user to specify different methods to look up and authenticate a user. In Configure, Configuration you can choose one of the following options:
User principal name: Users will be looked up with
eMail address: similar to User principal name but searching for different fields
Distinguished name: CN=
Distinguished name: UID=
In all these examples,
How external authentication works
You can also choose to use an external authentication method. ManageIQ/CloudForms will then rely completely on an external system to authenticate the user and make the necessary user information available. The following fields are used internally and have to be populated somehow:
The standard method of using external authentication is based on PAM. There are existing articles on how to configure IPA for ManageIQ or CloudForms.
If you’re familiar with Linux, you have probably already heard of PAM, the Pluggable Authentication Modules. You should make yourself familiar with PAM to better understand how it works.
The following modifications can be used to reconfigure PAM to use an LDAP proxy with a non-default base DN for authentication.
base o=<base DN>
uri ldaps://<hostname of LDAP proxy>/
binddn uid=<bind DN>
bindpw <bind password>
ssl on
tls_cacertdir /etc/ssl/certs
pam_password md5
Values between < > have to be adjusted to the local settings, of course.
/etc/pam.d/httpd-auth: This is the PAM module used for external authentication
auth required pam_ldap.so
account required pam_permit.so
The password and session modules are not needed. We only want to use authentication; we do not want users to actually be able to log into the appliance or to change their passwords.
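As an added example (not part of the original article or of ManageIQ itself), the following Python sketch lints the two files shown above: it checks that the LDAP client settings keep the bind on TLS and that the PAM service file only authenticates. The sample file contents, host name and bind values are constructed placeholders, and tls_checkpeer is a pam_ldap option that the article does not mention.

```python
import re

# Constructed samples mirroring the two files on this page (placeholder values).
LDAP_CONF = """\
base o=example
uri ldaps://ldap-proxy.example.com/
binddn uid=svc-miq
bindpw not-a-real-password
ssl on
tls_cacertdir /etc/ssl/certs
pam_password md5
"""
PAM_STACK = "auth required pam_ldap.so\naccount required pam_permit.so\n"
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def lint_ldap_conf(text):
    """Check the transport settings of a pam_ldap 'keyword value' file."""
    conf = {}
    for parts in (line.split(None, 1) for line in text.splitlines()):
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    out = []
    uris = conf.get("uri", "").split()
    if not uris or not all(u.lower().startswith("ldaps://") for u in uris):
        out.append("uri: not every server uses ldaps://")
    if conf.get("ssl", "off").lower() in ("off", "no"):
        out.append("ssl: TLS is not enabled")
    if not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        out.append("tls: no CA directory or file configured")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        out.append("tls_checkpeer: not 'yes', peer check left to the library default")
    if "bindpw" in conf:
        out.append("bindpw: cleartext bind password, restrict read access to this file")
    return out

def lint_pam_stack(text):
    """Check that the service file only authenticates, as the article intends."""
    rows = [m.groups() for m in (PAM_LINE.match(l.strip()) for l in text.splitlines()) if m]
    out = [f"{t}: {mod} configured, but only auth and account are needed"
           for t, _, mod in rows if t in ("password", "session")]
    out += [f"{t}: '{ctl} {mod}' pulls in another stack, review it too"
            for t, ctl, mod in rows if ctl in ("include", "substack")]
    if not any(t == "auth" and mod == "pam_ldap.so" for t, _, mod in rows):
        out.append("auth: pam_ldap.so missing")
    if [mod for t, _, mod in rows if t == "account"] == ["pam_permit.so"]:
        out.append("account: pam_permit.so only, PAM applies no account checks")
    return out

if __name__ == "__main__":
    print("\n".join(lint_ldap_conf(LDAP_CONF) + lint_pam_stack(PAM_STACK)))
```

Run against the sample files, it reports the missing tls_checkpeer setting, the cleartext bindpw and the pam_permit.so account stack, which are the three points worth reviewing before putting this configuration into production.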
This should give you an idea of where to start. If you know how to configure PAM, you can use any kind of external authentication method you like.