[Spacewalk-list] Spacewalk & LDAP (Using Quest PAM Authentication)

Glen Collins glenc2004 at comcast.net
Mon Jan 5 20:09:37 UTC 2015


Hi Jan,

   No, I did not use the IPA documentation. The reason is that everything is handled for me using the Quest authentication PAM module. All the encryption, Kerberos and all that good stuff is done for me. I just followed the documentation on the Satellite product and did the changes to:

/etc/rhn/rhnf.conf and added pam_auth_service = rhn-satellite

Moved or created what I think is the correct pam configuration and created the file /etc/pam.d/rhn-satellite with those entries.

I then restarted everything, created my AD account in SW, checked the PAM checkbox.

Created the necessary DG with the appropriate permissions in spacewalk making sure it matched the AD group name as it's displayed.

Logged in to SW with my AD account, got in but only with very limited permissions. The group I gave the permissions to has complete access to SW, Org Admin and SW Admin. So I should see every menu and option. I don't, just a standard user.

So I'm wondering if there is logging in tomcat that I can turn on to see what's being returned. I used Quest's tools and it does bring back the correct AD group with my ID in it. I'm just wondering how tomcat is doing everything in the backend. But there is no logging other than unable to authenticate if I get my password wrong.

I also kind of pieced this together using:

http://www.redhat.com/archives/spacewalk-list/2013-July/msg00037.html

It's using winbind so I started at step 4. No luck there either.

I think the issue is I have the PAM setup incorrect in /etc/pam.d/rhn-satellite, but without any kind of logging it's hard to diagnose. I did try and turn on the actual PAM logging/debugging, but it gave no real low-level logging.

I also looked at someone using Centrify:

http://liniks.com/?p=253

And that gave me no luck either. Pretty much the same thing.

So if anyone has any good ideas it would be appreciated.

Thanks!

Glen Collins


----- Original Message -----
On Fri, Jan 02, 2015 at 05:18:04AM -0800, Glen Collins wrote:
> Hello all! Welcome 2015! 
> 
> I'm wondering if anyone can provide the debugging details on Spacewalk and LDAP authentication in Spacewalk. I can't seem to find anywhere in the logs to where the LDAP process is logged. While I have the login working just fine with LDAP/AD, I am unable to get the External group authentication to work properly. 
> 
> I have myself set up and in an AD security group. I created the "group role mapping" to match the AD group I belong to and the roles I created were Sat Admin and Org Admin. When I log in as myself I do not see all the menu options I see when I log in as the Admin user. So while the login with password is working just fine, the group matching is not working as expected. I just need to know what I need to do to enable the group role matching logging or maybe it's a debug level. Anyways, I'm stuck so if anyone can help it would be appreciated. 
> 

Can you be a little more specific about the way you have enabled
the authentication? Do you use pam_ldap or external authentication per

	https://fedorahosted.org/spacewalk/wiki/SpacewalkAndIPA

?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
