Authentication Methods
Authentication Via PAM
As security measures become increasingly complex, SUSE Manager supports network-based authentication systems via Pluggable Authentication Modules (PAM). PAM is a suite of libraries that allows to integrate SUSE Manager with a centralized authentication mechanism, thus eliminating the need to remember multiple passwords. SUSE Manager supports LDAP, Kerberos, and other network-based authentication systems via PAM. To enable SUSE Manager to use PAM in your organization’s authentication infrastructure, follow the steps below.
-
Set up a PAM service file (default location:
/etc/pam.d/susemanager
) then enforce its use by adding the following line to/etc/rhn/rhn.conf
:pam_auth_service = susemanager
This assumes the PAM service file is named susemanager. -
To enable a new or existing user to authenticate with PAM, proceed to the Create User page and select the checkbox labeled Pluggable Authentication Modules (PAM) positioned below the password and password confirmation fields.
-
To authenticate a SLES system against Kerberos add the following lines to
/etc/pam.d/susemanager
:#%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session
To register a Red Hat Enterprise Linux System against Kerberos add the following lines to /etc/pam.d/susemanager
#%PAM-1.0 auth required pam_env.so auth sufficient pam_krb5.so no_user_check auth required pam_deny.so account required pam_krb5.so no_user_check
+
-
YaST can now be used to configure PAM, when packages such as yast2-ldap-client and yast2-kerberos-client are installed; for detailed information on configuring PAM, see the SUSE Linux Enterprise Server Security Guide https://www.suse.com/documentation/sles-12/book_security/data/part_auth.html. This example is not limited to Kerberos; it is generic and uses the current server configuration. Note that only network based authentication services are supported.
Changing PasswordsChanging the password on the SUSE Manager Web interface changes only the local password on the SUSE Manager server. But this password may not be used at all if PAM is enabled for that user. In the above example, for instance, the Kerberos password will not be changed.
Authentication Via eDirectory and PAM
-
First check to ensure eDirectory authentication is working with your current OS for example:
#getent passwd
-
If users are returned from eDirectory then create the following file:
# cat /etc/pam.d/susemanager
-
And add the following content:
#%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session #
-
Finally add the following lines to the SUSE Manager conf file:
# grep -i pam /etc/rhn/rhn.conf pam_auth_service = susemanager
-
You may now create users with the same id that appears on eDirectory and mark the Use PAM check-box from the SUSE Manager WebUI.
Example Quest VAS Active Directory Authentication Template
If you are using Quest VAS for active directory authentication, you can use the following /etc/pam.d/susemanager
file.
#%PAM-1.0 auth required pam_env.so auth sufficient pam_vas3.so no_user_check auth requisite pam_vas3.so echo_return auth required pam_deny.so account required pam_vas3.so no_user_check
Authentication Via Single Sign-On (SSO)
This feature is provided as a technical preview. It is not supported for use in production environments. |
SUSE Manager supports single sign-on (SSO) by implementing the Security Assertion Markup Language (SAML) 2 protocol.
Single sign-on is an authentication process that allows a user to access multiple applications with one set of credentials. SAML is an XML-based standard for exchanging authentication and authorization data. A SAML identity service provider (IdP) provides authentication and authorization services to service providers (SP), such as SUSE Manager. SUSE Manager exposes three endpoints which must be enabled for single sign-on.
SSO in SUSE Manager supports:
-
Log in with SSO.
-
Log out with service provider-initiated single logout (SLO), and Identity service provider single logout service (SLS).
-
Assertion and nameId encryption.
-
Assertion signatures.
-
Message signatures with AuthNRequest, LogoutRequest, LogoutResponses.
-
Enable an Assertion consumer service endpoint.
-
Enable a single logout service endpoint.
-
Publish the SP metadata (which can be signed).
SSO in SUSE Manager does not support:
-
Product choosing and implementation for the Identity Service Provider (IdP).
-
SAML support for other products (please check with the respective product documentation).
Before you begin, you will need to have configured an external Identity Service Provider with these parameters. Check your IdP documentation for instructions.
You will need these endpoints:
-
Assertion Consumer Service (or ACS): an endpoint to accept SAML messages to establish a session into the Service Provider. The endpoint for ACS in SUSE Manager is: https://example.com/rhn/manager/sso/acs
-
Single Logout Service (or SLS): an endpoint to initiate a logout request from the IdP. The endpoint for SLS in SUSE Manager is: https://example.com/rhn/manager/sso/sls
-
Metadata: an endpoint to retrieve SUSE Manager metadata for SAML. The endpoint for Metadata in SUSE Manager is: https://example.com/rhn/manager/sso/metadata
Your IdP must have a SAML:Attribute containing the username of the IdP user domain, called |
After the authentication with the IdP using the user orgadmin
is successful, you will be logged in into SUSE Manager as the orgadmin
user, provided that the orgadmin
user exists in SUSE Manager.
Using SSO is mutually exclusive with other types of authentication: it is either enabled or disabled. SSO is disabled by default. |
-
If your users do not yet exist in SUSE Manager, create them first.
-
Edit
/etc/rhn/rhn.conf
and add this line at the end of the file:java.sso = true
-
Copy parameters you want to customize from
/usr/share/rhn/config-defaults/rhn_java_sso.conf
into/etc/rhn/rhn.conf
and proceed by inserting the parameters you want to customize by prefixing them withjava.sso.
.For example, in
/usr/share/rhn/config-defaults/rhn_java_sso.conf
:onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs
In order to customize it, create the corresponding option in
/etc/rhn/rhn.conf
by prefixing the option name withjava.sso.
:java.sso.onelogin.saml2.sp.assertion_consumer_service.url = https://YOUR-PRODUCT-HOSTNAME-OR-IP/rhn/manager/sso/acs
To find all the occurrences you need to change, search in the file for the placeholders
YOUR-PRODUCT
and`YOUR-IDP-ENTITY
. Every parameter comes with a brief explanation of what it is meant for. -
Restart spacewalk-service to pick up the changes:
spacewalk-service restart
When you visit the SUSE Manager URL, you will be redirected to the IdP for SSO where you will be requested to authenticate. Upon successful authentication, you will be redirected to the SUSE Manager Web UI, logged in as the authenticated user. If you encounter problems with logging in using SSO, check the SUSE Manager logs for more information.