When setting up FreeIPA authentication for Foreman I prefer to give Foreman its own system account as the bind DN, instead of letting it bind with the Directory Manager or with a regular user's credentials. A system account lives under cn=sysaccounts,cn=etc, is not a Kerberos principal, and can be restricted to exactly what Foreman needs.
To do this, first create an update file for ipa-ldap-updater like this (replace the suffix and the password with your own):
cat <<EOF >foreman-binddn.update
dn: uid=foreman,cn=sysaccounts,cn=etc,dc=example,dc=com
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:foreman
add:userPassword:averysecurepassword
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
EOF
The passwordExpirationTime far in the future keeps the bind password from expiring under the IPA password policy, and nsIdleTimeout:0 stops the directory server from closing Foreman's long-lived connection when it sits idle.
Then import it into FreeIPA (as root, on the IPA server) like this:
ipa-ldap-updater foreman-binddn.update
You can check that the new account is present by running:
ldapsearch -x -D "cn=Directory Manager" -W -b "cn=sysaccounts,cn=etc,dc=example,dc=com" "(uid=foreman)"
Optionally, you can also add a group in FreeIPA that holds all Foreman admins:
ipa group-add --desc="Foreman Admins" foreman_admins
This group is used below in the optional LDAP filter, so that only its members are allowed to log in to Foreman.
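The steps above wrapped into one script, as an added example that is not part of the original post: it renders the update file from variables, applies it with ipa-ldap-updater, and then proves the account actually works by binding as the new system account and running the same memberOf filter Foreman will use. It assumes it runs as root on the IPA server, that the IPA CA is trusted by the local LDAP client configuration (so ldaps:// works), and that the host name, suffix, group name and the BIND_PASSWORD environment variable are placeholders you set yourself.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates a FreeIPA system
# account for Foreman and verifies it the way Foreman will use it.
# Assumptions: run as root on the IPA server; ipa.example.com, the suffix and
# the group name are placeholders; the password comes from BIND_PASSWORD.
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
BIND_UID="${BIND_UID:-foreman}"
IPA_HOST="${IPA_HOST:-ipa.example.com}"
ADMIN_GROUP="${ADMIN_GROUP:-foreman_admins}"

# Render the ipa-ldap-updater file to stdout. The password is passed in as an
# argument so the caller decides where it comes from (env, file), not the script.
render_update_file() {
  uid="$1"; password="$2"; suffix="$3"
  [ -n "$password" ] || { echo "refusing to create an account with an empty password" >&2; return 1; }
  cat <<EOF
dn: uid=${uid},cn=sysaccounts,cn=etc,${suffix}
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:${uid}
add:userPassword:${password}
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
EOF
}

# The DN Foreman will bind with, derived from the same inputs.
bind_dn() {
  printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$2"
}

# The LDAP filter Foreman will apply to restrict logins to the admin group.
member_filter() {
  printf '(memberOf=cn=%s,cn=groups,cn=accounts,%s)\n' "$1" "$2"
}

apply_and_verify() {
  password="$1"
  dn="$(bind_dn "$BIND_UID" "$SUFFIX")"
  tmp="$(mktemp -d)"
  chmod 700 "$tmp"
  trap "rm -rf '$tmp'" EXIT

  render_update_file "$BIND_UID" "$password" "$SUFFIX" >"$tmp/binddn.update"
  ipa-ldap-updater "$tmp/binddn.update"

  # Keep the password out of argv: ldap tools read it from a 0600 file via -y.
  printf '%s' "$password" >"$tmp/pw"
  chmod 600 "$tmp/pw"

  # 1. Can the new account bind at all? ldapwhoami fails non-zero if not.
  ldapwhoami -x -H "ldaps://${IPA_HOST}" -D "$dn" -y "$tmp/pw"

  # 2. Does this account see group membership, i.e. will Foreman's filter match?
  #    Prints the uid of every member of the admin group.
  ldapsearch -x -LLL -H "ldaps://${IPA_HOST}" -D "$dn" -y "$tmp/pw" \
    -b "cn=users,cn=accounts,${SUFFIX}" \
    "$(member_filter "$ADMIN_GROUP" "$SUFFIX")" uid
}

# Only touch the directory when explicitly asked: ./script.sh apply
case "${1:-}" in
  apply)
    : "${BIND_PASSWORD:?set BIND_PASSWORD in the environment before running apply}"
    apply_and_verify "$BIND_PASSWORD"
    ;;
esac
```

Run it as `BIND_PASSWORD='...' ./foreman-binddn.sh apply`. The second check matters more than the ldapsearch as Directory Manager in the post: Directory Manager can read everything, so it tells you nothing about whether the restricted system account is allowed to bind and to read memberOf, which is exactly what Foreman needs. If the search returns no entries, add a user to the group first (`ipa group-add-member foreman_admins --users=<user>`) and check again before blaming Foreman.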
On the Foreman side, create a new LDAP authentication source and supply the following information:

LDAP Server
  Server: <ipa-server>
  Port: 389
  Server type: FreeIPA

Account
  Account username: uid=foreman,cn=sysaccounts,cn=etc,dc=example,dc=com
  Account password: averysecurepassword
  Base DN: cn=users,cn=accounts,dc=example,dc=com
  Groups base DN: cn=groups,cn=accounts,dc=example,dc=com
  LDAP filter: (memberOf=cn=foreman_admins,cn=groups,cn=accounts,dc=example,dc=com)
  Check both: "Automatically create accounts in Foreman" and "Usergroup sync"

Attribute mappings
  Login name attribute: uid
  First name attribute: givenName
  Surname attribute: sn
  Email address attribute: mail

One caveat: with port 389 and the LDAPS box unchecked, the bind DN, its password and every user's login password cross the network in cleartext. Tick LDAPS, use port 636 and make sure the Foreman host trusts the FreeIPA CA certificate; the system account created above works the same either way.