Bug 1387824

Summary: LDAP user groups - role is not assigned automatically
Product: Red Hat Satellite
Reporter: Michal Dekan <mdekan>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: medium
Version: 6.2.2
CC: ahuchcha, bbuckingham, dhlavacd, dlobatog, jcallaha, mhulan, stbenjam, vijsingh
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-11-22 12:36:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Michal Dekan 2016-10-22 07:18:11 UTC
Description of problem:

Customer has added two LDAP Sources: one AD and one LDAP.
Then the users from AD can log in and they have an external group taken from LDAP which assigns the roles.

Now they have updated to 6.2.2 but still have issues with the LDAP groups connection.

Here is more information and a test case

1. Create a new LDAP Authentication
    Server Type: Active Directory
    Enable -> Automatically create accounts in Satellite : True

2. Create a new LDAP Authentication
    Server Type: POSIX
    Enable -> Usergroup sync

3. Create a new User group
    Connect it to a group in the LDAP directory (Created in #2)
    Enable role -> Admin

4. Log in as an AD user
    This works and the user is created, but the user has not got the role Admin

Now do either one of these actions
5.a Login as an administrator
    Go to "User Groups"
    Click the name of your external group
    See that the new user is in the group (On the left side)
    Do nothing, just click "submit"

Or
5.b Run cron job found in /etc/cron.d/foreman
    # Refreshes ldap usergroups. Can be disabled if you're not using LDAP authentication.
    */30 * * * *    foreman    /usr/sbin/foreman-rake ldap:refresh_usergroups >>/var/log/foreman/cron.log 2>&1


6. Now the user group is updated and the user is admin (user needs to log out/in again)

Version-Release number of selected component (if applicable):

Satellite 6.2.2

How reproducible:

Described above.

Actual results:

User role from LDAP is not assigned unless the user logs out/in to the webui.

Expected results:

User role assigned automatically without logging out and logging in.

Comment 4 Michal Dekan 2016-11-21 08:51:04 UTC
Correction:

Actual results:
User role from LDAP is not assigned unless the user logs out/in to the webui.

That is not correct.

Step 5.a has to be performed or wait for 5.b until the user gets the role in the LDAP group.

Comment 8 Daniel Lobato Garcia 2017-11-22 12:36:36 UTC
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1493703.

The underlying reason is most likely that when using POSIX LDAP, your auth source needs to provide memberUID for each of the groups.

Foreman makes 2 types of queries, "users in group X" and "groups for user Y". You can find a more detailed explanation in this comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1493703#c4

*** This bug has been marked as a duplicate of bug 1493703 ***
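Added example, not part of the bug report or of Foreman's own code: a self-contained check of the two lookup directions Comment 8 describes ("users in group X" and "groups for user Y") over a constructed LDIF dump of posixGroup entries. For POSIX groups both directions depend on the group entry carrying a memberUid value for every member; a group with no memberUid at all cannot map users to roles, which is the condition an administrator would want to spot before relying on the ldap:refresh_usergroups cron job. The DNs, group names and uids are constructed for the example.

```python
"""
Added example: parse posixGroup entries from LDIF text and run the
two lookups Foreman relies on, plus a check for groups that carry no
memberUid and therefore can never assign a role.
"""
from typing import Dict, List, Set

# Constructed sample data (hypothetical DNs, group names and uids).
# The sat-viewers group deliberately has no memberUid attribute.
SAMPLE_LDIF = """\
dn: cn=sat-admins,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: sat-admins
gidNumber: 5000
memberUid: alice
memberUid: bob

dn: cn=sat-viewers,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: sat-viewers
gidNumber: 5001

dn: cn=sat-ops,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: sat-ops
gidNumber: 5002
memberUid: bob
"""


def parse_ldif_groups(ldif: str) -> Dict[str, Set[str]]:
    """Parse a minimal LDIF dump into {cn: {memberUid, ...}}.

    Entries are separated by blank lines; LDIF continuation lines
    (leading space) are folded back onto the previous line. Only the
    'cn' and 'memberUid' attributes are kept.
    """
    groups: Dict[str, Set[str]] = {}
    for block in ldif.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        cn = None
        members: Set[str] = set()
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "cn":
                cn = value
            elif key == "memberUid":
                members.add(value)
        if cn is not None:
            groups[cn] = members
    return groups


def users_in_group(groups: Dict[str, Set[str]], cn: str) -> List[str]:
    """The "users in group X" direction: only memberUid values count."""
    return sorted(groups.get(cn, set()))


def groups_for_user(groups: Dict[str, Set[str]], uid: str) -> List[str]:
    """The "groups for user Y" direction: every group listing the uid."""
    return sorted(cn for cn, members in groups.items() if uid in members)


def groups_missing_member_uid(groups: Dict[str, Set[str]]) -> List[str]:
    """Groups with no memberUid at all; roles mapped to them never apply."""
    return sorted(cn for cn, members in groups.items() if not members)


if __name__ == "__main__":
    parsed = parse_ldif_groups(SAMPLE_LDIF)
    print("users in sat-admins:", users_in_group(parsed, "sat-admins"))
    print("groups for bob:", groups_for_user(parsed, "bob"))
    print("groups without memberUid:", groups_missing_member_uid(parsed))
```

In practice the input would be an export such as `ldapsearch -LLL -b <groups base> '(objectClass=posixGroup)' cn memberUid` against the POSIX auth source; any group that the check reports as lacking memberUid explains a user who logs in but receives no role until the user group is resubmitted or the cron refresh runs.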