[Spacewalk-list] Spacewalk & LDAP (Using Quest PAM Authentication)

Jan Pazdziora jpazdziora at redhat.com
Tue Jan 6 07:47:00 UTC 2015


On Mon, Jan 05, 2015 at 12:09:37PM -0800, Glen Collins wrote:
> Hi Jan,
> 
>    No, I did not use the IPA documentation. The reason is that everything is handled for me using the Quest authentication PAM module. All the encryption, Kerberos and all that good stuff is done for me. I just followed the documentation on the Satellite product and did the changes to:
> 
> /etc/rhn/rhn.conf and added pam_auth_service = rhn-satellite
> 
> Moved or created what I think is the correct PAM configuration and created the file /etc/pam.d/rhn-satellite with those entries.
> 
> I then restarted everything, created my AD account in SW, checked the PAM checkbox.
> 
> Created the necessary DG with the appropriate permissions in spacewalk making sure it matched the AD group name as it's displayed.
> 
> Logged in to SW with my AD account, got in but only very limited permissions. The group I gave the permissions to has complete access to SW, Org Admin and SW Admin. So I should see every menu and option. I don't, just a standard user.
> 
> So I'm wondering if there is logging in Tomcat that I can turn on to see what's being returned. I used Quest's tools and it does bring back the correct AD group with my ID in it. I'm just wondering how Tomcat is doing everything in the backend. But there is no logging other than "unable to authenticate" if I get my password wrong.
> 
> I also kind of pieced this together using:
> 
> http://www.redhat.com/archives/spacewalk-list/2013-July/msg00037.html
> 
> It's using winbind so I started at step 4. No luck there either.
> 
> I think the issue is I have the PAM setup incorrect in /etc/pam.d/rhn-satellite, but without any kind of logging it's hard to diagnose. I did try to turn on the actual PAM logging/debugging, but it gave no real low-level logging.
> 
> I also looked at someone using Centrify:
> 
> http://liniks.com/?p=253
> 
> And that gave me no luck either. Pretty much the same thing.
> 
> So if anyone has any good ideas it would be appreciated.

The external group role mapping (and auto-provisioning of users alike)
only works when you use the external authentication. When PAM is
used, that part will not work because the PAM stack does not have
means to retrieve the additional attributes and group information.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
