Fixes #32352 - use mod_auth_gssapi instead of mod_auth_kerb

theforeman · Jul 6, 2021 · 91850a2 · 91850a2
1 parent 88ee2c8
commit 91850a2
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 16 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -126,7 +126,7 @@
     $foreman_socket_override = template('foreman/foreman.socket-overrides.erb')
 
     if $foreman::ipa_authentication {
-      unless fact('foreman_ipa.default_server') and fact('foreman_ipa.default_realm') {
+      unless fact('foreman_ipa.default_server') {
         fail("${facts['networking']['hostname']}: The system does not seem to be IPA-enrolled")
       }
 
@@ -174,8 +174,8 @@
         ssl_content => template('foreman/lookup_identity.conf.erb'),
       }
 
-      foreman::config::apache::fragment { 'auth_kerb':
-        ssl_content => template('foreman/auth_kerb.conf.erb'),
+      foreman::config::apache::fragment { 'auth_gssapi':
+        ssl_content => template('foreman/auth_gssapi.conf.erb'),
       }
 
 

diff --git a/manifests/config/apache.pp b/manifests/config/apache.pp
@@ -225,7 +225,7 @@
     include apache::mod::authnz_pam
     include apache::mod::intercept_form_submit
     include apache::mod::lookup_identity
-    include apache::mod::auth_kerb
+    include apache::mod::auth_gssapi
   } elsif $keycloak {
     include apache::mod::auth_openidc
 

diff --git a/spec/classes/foreman_config_ipa_spec.rb b/spec/classes/foreman_config_ipa_spec.rb
@@ -41,17 +41,16 @@
           it { should contain_class('apache::mod::authnz_pam') }
           it { should contain_class('apache::mod::intercept_form_submit') }
           it { should contain_class('apache::mod::lookup_identity') }
-          it { should contain_class('apache::mod::auth_kerb') }
+          it { should contain_class('apache::mod::auth_gssapi') }
 
           it 'should contain Apache fragments' do
             should contain_foreman__config__apache__fragment('intercept_form_submit')
               .with_ssl_content(/^\s*InterceptFormPAMService foreman$/)
 
             should contain_foreman__config__apache__fragment('lookup_identity')
 
-            should contain_foreman__config__apache__fragment('auth_kerb')
-              .with_ssl_content(/^\s*KrbAuthRealms REALM$/)
-              .with_ssl_content(%r{^\s*Krb5KeyTab /etc/httpd/conf/http.keytab$})
+            should contain_foreman__config__apache__fragment('auth_gssapi')
+              .with_ssl_content(%r{^\s*GssapiCredStore keytab:/etc/httpd/conf/http.keytab$})
               .with_ssl_content(/^\s*require pam-account foreman$/)
           end
 

diff --git a/templates/auth_kerb.conf.erb → templates/auth_gssapi.conf.erb b/templates/auth_kerb.conf.erb → templates/auth_gssapi.conf.erb
@@ -1,15 +1,13 @@
 
 <Location /users/extlogin>
   SSLRequireSSL
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate On
-  KrbMethodK5Passwd Off
-  KrbAuthRealms <%= @facts['foreman_ipa']['default_realm'] %>
-  Krb5KeyTab <%= scope.lookupvar('::foreman::http_keytab') %>
-  KrbLocalUserMapping On
+  AuthType GSSAPI
+  AuthName "GSSAPI Single Sign On Login"
+  GssapiCredStore keytab:<%= scope.lookupvar('foreman::http_keytab') %>
+  GssapiSSLonly On
+  GssapiLocalName On
   # require valid-user
-  require pam-account <%= scope.lookupvar('::foreman::pam_service') %>
+  require pam-account <%= scope.lookupvar('foreman::pam_service') %>
   ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
   # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
   ErrorDocument 500 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'