LDAP integration with Windows Active Directory for Uyuni GUI Auth. #9597

barborek opened this issue Jan 7, 2025 · 6 comments
barborek commented Jan 7, 2025

Question

Hi,

I want to authenticate with an AD user to the Uyuni GUI, but I do not exactly understand the Uyuni docs (https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/auth-methods-pam.html). How can I configure it? Please give me details about the config files to configure LDAP integration.

- My Uyuni server runs as a container service on SUSE.
- Uyuni Server was installed following the docs/en/uyuni/index.html doc. Its version is 2024.10.
rjmateus (Member) commented Jan 7, 2025

@aaannz do you know if we have some more documentation on this one?

aaannz (Contributor) commented Jan 7, 2025

Hmm.. not yet. I did not push my examples to the docs yet.

Use the snippet below after changing:

- `$domain` - set your domain name
- `$ad_server` - set the FQDN of the AD server if it is not auto-detected from `$domain`
- `$uyuni-hostname` - set the name under which this AD client is supposed to be known. If not set, it will be `uyuni-server.mgr.internal`

/etc/sssd/sssd.conf:

```ini
[sssd]
config_file_version = 2
# pam must be listed: Uyuni authenticates through PAM, which asks SSSD
services = nss, pam
domains = $domain

[nss]

[pam]

[domain/$domain]
id_provider = ad
chpass_provider = ad
access_provider = ad
auth_provider = ad

ad_domain = $domain
ad_server = $ad_server
ad_hostname = $uyuni-hostname

ad_gpo_map_network = +susemanager

krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab
krb5_ccname_template = FILE:/tmp/krb5cc_%{uid}
```

barborek (Author) commented Jan 10, 2025

Hi again,

I applied your suggested configuration in the etc/sssd/sssd.conf file, but there is no integration section in this configuration (service account, AD LDAP or LDAPS port, etc.).

If you use a Uyuni server which runs in a container, you must configure the sssd.conf file which is in the volume path (/var/lib/containers/storage/volumes/etc-sssd/_data).

We realized that you do not distinguish exactly between container and legacy installation and configuration docs.

Actually, we do not understand how we can communicate between AD and the Uyuni server.

We want to use an AD user to authenticate in the Uyuni GUI. Is it possible?

Thanks for your help 🙏

aaannz (Contributor) commented Jan 10, 2025

> Actually, we do not understand how we can communicate between AD and the Uyuni server.

Communication between AD and Uyuni is done through PAM. Uyuni asks PAM to authenticate the user, PAM asks SSSD, SSSD asks AD.

Note that this is done only for authentication. Authorization is not done through it, so in other words you will still need to create a user in the Uyuni WebUI, but without a password and with PAM auth selected.

> But there is no integration section in this configuration (service account, AD LDAP or LDAPS port, etc.).

For details about sssd.conf and how to configure AD LDAP, etc., see the sssd-ad man page and from there the related sssd-ldap and sssd-krb5 configurations. Basically, AD is a wrapper around those other modules, inheriting their configs plus some overrides.

> If you use a Uyuni server which runs in a container, you must configure the sssd.conf file which is in the volume path (/var/lib/containers/storage/volumes/etc-sssd/_data).

Yes, anything Uyuni-server related must be done in the container volume.
If you also want to have AD auth in the host system, then of course you will need a similar config in the host /etc/sssd/.
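As an added example (not code from the thread or from the Uyuni project), here is a small Python checker for the sssd.conf snippet posted earlier in this thread, once its placeholders are filled in. It flags any `$placeholder` left unreplaced, verifies the settings the snippet relies on (config_file_version 2, the pam service, the ad providers, a matching ad_domain and a keytab), reports the file mode and ownership that sssd.conf(5) requires (root-owned, 0600), and returns the container volume path named in this thread for a containerized server. The domain example.test and the server dc1.example.test are constructed values.

```python
"""Sanity-check an sssd.conf meant for Uyuni AD authentication via PAM.

Added example, not code from the Uyuni project or the thread. It checks the
settings the snippet relies on and the root-owned 0600 file mode that
sssd.conf(5) requires. Domain and server names below are constructed.
"""
import configparser
import os
import re
import stat
import tempfile

PLACEHOLDER = re.compile(r"\$[A-Za-z_][A-Za-z0-9_-]*")  # $domain, $ad_server, $uyuni-hostname
AD_PROVIDERS = ("id_provider", "auth_provider", "access_provider", "chpass_provider")
HOST_CONF = "/etc/sssd/sssd.conf"
# Volume path named in this thread for the containerized server.
CONTAINER_CONF = "/var/lib/containers/storage/volumes/etc-sssd/_data/sssd.conf"

# Constructed sample: the thread's snippet with placeholders filled in
# for the hypothetical domain example.test.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test
[nss]
[pam]
[domain/example.test]
id_provider = ad
chpass_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = example.test
ad_server = dc1.example.test
ad_hostname = uyuni-server.mgr.internal
ad_gpo_map_network = +susemanager
krb5_keytab = FILE:/etc/rhn/krb5.conf.d/krb5.keytab
krb5_ccname_template = FILE:/tmp/krb5cc_%{uid}
"""
# Constructed broken variant: pam service dropped and one provider not ad.
BROKEN_CONF = SAMPLE_CONF.replace("services = nss, pam", "services = nss").replace(
    "auth_provider = ad", "auth_provider = ldap")


def expected_conf_path(containerized: bool) -> str:
    """Where the server's sssd.conf lives: the container volume, not the host file."""
    return CONTAINER_CONF if containerized else HOST_CONF


def check_sssd_conf(text: str) -> list[str]:
    """Return the problems found; an empty list means the config looks sane."""
    problems = [f"unreplaced placeholder {p}" for p in sorted(set(PLACEHOLDER.findall(text)))]
    # sssd.conf is INI-like; interpolation is off because %{uid} is an sssd template.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("sssd", "config_file_version", fallback="") != "2":
        problems.append("[sssd] config_file_version must be 2")
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        problems.append("[sssd] services must include pam (Uyuni authenticates through PAM)")
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        problems.append("[sssd] domains is empty")
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            problems.append(f"missing section [{sec}]")
            continue
        for key in AD_PROVIDERS:
            if cp.get(sec, key, fallback="") != "ad":
                problems.append(f"[{sec}] {key} should be ad")
        if cp.get(sec, "ad_domain", fallback=dom) != dom:
            problems.append(f"[{sec}] ad_domain does not match the domain name")
        if not cp.has_option(sec, "krb5_keytab"):
            problems.append(f"[{sec}] krb5_keytab is not set")
    return problems


def check_file_mode(path: str) -> list[str]:
    """sssd.conf(5): the file must be owned by root and unreadable by group/others."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{path} is readable by group/others; chmod 0600 it")
    if st.st_uid != 0:
        problems.append(f"{path} is not owned by root")
    return problems


def write_temp_conf(text: str, mode: int) -> str:
    """Write text to a temp file with the given mode (for trying the checks offline)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(text)
    os.chmod(fh.name, mode)
    return fh.name


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(name, check_sssd_conf(text) or "OK")
    print("containerized server: edit", expected_conf_path(containerized=True))
    print(check_file_mode(write_temp_conf(SAMPLE_CONF, 0o644)))
```

Run it against the real file with `check_sssd_conf(open(expected_conf_path(True)).read())` on the container host; the checks cover only the settings discussed here, not whether AD actually accepts the join, which SSSD's own logs and `getent`/PAM tests still have to confirm.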

mendizy commented Jan 10, 2025

> > Actually, we do not understand how we can communicate between AD and the Uyuni server.
>
> Communication between AD and Uyuni is done through PAM. Uyuni asks PAM to authenticate the user, PAM asks SSSD, SSSD asks AD.
>
> Note that this is done only for authentication. Authorization is not done through it, so in other words you will still need to create a user in the Uyuni WebUI, but without a password and with PAM auth selected.
>
> > But there is no integration section in this configuration (service account, AD LDAP or LDAPS port, etc.).
>
> For details about sssd.conf and how to configure AD LDAP, etc., see the sssd-ad man page and from there the related sssd-ldap and sssd-krb5 configurations. Basically, AD is a wrapper around those other modules, inheriting their configs plus some overrides.
>
> > If you use a Uyuni server which runs in a container, you must configure the sssd.conf file which is in the volume path (/var/lib/containers/storage/volumes/etc-sssd/_data).
>
> Yes, anything Uyuni-server related must be done in the container volume. If you also want to have AD auth in the host system, then of course you will need a similar config in the host /etc/sssd/.

Hi @aaannz,

Thank you for your reply 🙏
We use CyberArk as our PAM solution.
Is there a known blocker for integration between Uyuni and CyberArk, or has it been tested?
Thanks

aaannz (Contributor) commented Jan 10, 2025

No, only the LDAP+KRB5 and AD SSSD configurations were tested.
The rest is up to your own testing.
