Bug 1388732

Summary: User permissions don't get assigned via external group mapping with IPA Integration
Product: Red Hat Satellite
Reporter: Alexey Masolov <amasolov>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED NOTABUG
QA Contact: Katello QA List <katello-qa-list>
Severity: unspecified
Priority: unspecified
Version: 6.2.2
CC: amasolov, bbuckingham, dhlavacd, mhulan, wpinheir
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2016-11-28 08:24:30 UTC
Type: Bug

Description Alexey Masolov 2016-10-26 03:49:08 UTC
Description of problem:
Integration with IPA is configured per https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/92-using-identity-management
If you log in with an external user to Satellite, then the user gets created but permissions from the mapped external group are not applied.

Version-Release number of selected component (if applicable):
Satellite 6.2.2

How reproducible:
100%

Steps to Reproduce:
1. Integrate IPA as in https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/92-using-identity-management
2. Create a user in IPA, create a group in IPA, create a group in Satellite, check Admin in the Roles tab, link the external IPA group to the Satellite group
3. Log in with the external user to Satellite

Actual results:
1. User will be created but won't be assigned to the organization
2. Admin permissions won't be granted so the user can't access any functionality on login.


Expected results:
1. The user is assigned to the current organization
2. Group role permissions are assigned to the user

Additional info:

Comment 2 Alexey Masolov 2016-11-06 23:33:48 UTC
Apparently customers are having a similar problem with Active Directory via the External LDAP provider as well.

Comment 3 Marek Hulan 2016-11-07 08:08:31 UTC
Alexey, could you please better describe what the issue is? The mapping between an external user group and an internal user group is not related to organizations in any way in 6.2. It only means that if a user is in an external user group, he will be associated with all internal user groups according to linked external groups. If you add some permissions to these internal groups, the user will automatically be granted these permissions based on external group associations. BZ 1104822 covers automatic organization assignment.

If the issue is that the user is not associated with internal user groups even if there's an association between this internal group and an external group and the user belongs to such an external group according to LDAP, please enable debug log level, run "foreman-rake ldap:refresh_usergroups" manually and upload the output as well as the foreman-debug output. Thank you.

Comment 4 Alexey Masolov 2016-11-09 01:16:20 UTC
Marek,

Thanks for pointing out the BZ that covers the problem with automatic organisation assignment.

I'm not able to reproduce the bug in 6.2.3 so I guess we can close this one as resolved.

Comment 5 Marek Hulan 2016-11-09 08:27:18 UTC
Thanks for letting me know. Could you make sure that if customers upgrade to 6.2.3, it resolves the issue for them too? Then we can close. Otherwise please ask for the logs I mentioned in comment 3.

Comment 6 Alexey Masolov 2016-11-28 00:21:09 UTC
Confirmed that it's gone with Sat 6.2.4.