Bug 1374242

Summary: Groupsync doesn't work with AD LDS
Product: Red Hat Satellite
Reporter: Sean O'Keeffe <sokeeffe>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Sanket Jagtap <sjagtap>
Severity: medium
Priority: medium
Version: 6.2.0
CC: bbuckingham, bkearney, ehelms, jcallaha, mhulan, sjagtap, sokeeffe
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2018-02-21 16:54:37 UTC
Type: Bug
Attachments:
- AD LDS user and group (no flags)

Description Sean O'Keeffe 2016-09-08 10:08:29 UTC
Description of problem:
The groupsync feature doesn't work with AD LDS, authentication does though.


Version-Release number of selected component (if applicable):
ldap_fluff-0.4.3


How reproducible:
100%


Steps to Reproduce:
1. add AD LDS server with Satellite
2. setup groupsync
3. login and the user will have no permissions, because they aren't part of a group.

Actual results:
no permissions

Expected results:
user to have relevant permissions

Additional info:

Comment 1 Sean O'Keeffe 2016-09-08 10:17:01 UTC
Fixed in https://github.com/theforeman/ldap_fluff/pull/54

Comment 9 Sanket Jagtap 2018-01-08 10:57:39 UTC
Satellite 6.3.0 snap 30

Steps:
1. Created an AD LDS instance
2. Added the auth source in Satellite
3. Tried to associate the external group with a user group

I get the error:

Unable to save
Could not refresh external usergroups: LdapFluff::Generic::UnauthenticatedException - Could not bind to ActiveDirectory user foobar - The authentication source of your external user groups could not connect to LDAP with the provided credentials. Please verify the credentials are still valid.

Tried with the admin account, same issue.

Comment 10 Sean O'Keeffe 2018-01-11 13:28:05 UTC
At a customer we managed to backport this fix to 6.2.x and it worked, though we had no management of their AD server, we were just told it was AD LDS.

Sorry I can't provide any more info right now, I'm no longer on-site with that customer.

Comment 15 Sanket Jagtap 2018-01-19 10:32:51 UTC
Satellite 6.3.0 snap 32

Mhulan, Sean, thank you for looking into this.

I put some time in today and recreated the AD LDS setup.

I am now able to associate an External Group with a usergroup, and the users from the external user group are also able to inherit the permissions from the user group.

Comment 16 Sanket Jagtap 2018-01-19 10:33:38 UTC
Created attachment 1383261 [details]
AD LDS user and group

Comment 18 Marek Hulan 2018-01-19 13:57:14 UTC
Out of curiosity, how did you create a bindable user in LDS? What needed to be changed? Thanks!

Comment 19 Sanket Jagtap 2018-01-19 14:10:40 UTC
The missing thing was the userProxy.ldf and user.ldf files, which are to be imported when we deploy an LDS instance.
Only then can we create userProxy type objects, which are basically objects redirected to or bound with any AD user that has the msDS-bindableObject attribute.

Comment 20 Satellite Program 2018-02-21 16:54:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336